EdgeLock SE050 getting private key via PKCS#11 URI

peter_nt — Tue, 29 Sep 2020 09:03:17 GMT

Hello All!

Is it possible to access a private key stored on a SE050 via the PKCS#11 URI?

I have generated an RSA key, and I can even see it in the output of p11tool:

# p11tool --provider=/usr/local/lib/libsss_pkcs11.so --list-all ... Object 0: URL: pkcs11:model=;manufacturer=NXP;serial=;token=SSS_PKCS11;id=%11%BB%CC%6D;object=sss%3A6DCCBB11;type=private Type: Private key (RSA-1024) Label: sss:6DCCBB11 ID: 11:bb:cc:6d ...

However I cannot access if via the URI:

# openssl req -new -x509 -subj "/CN=Units" -engine e4sss -keyform engine -key "pkcs11:model=;manufacturer=NXP;serial=;token=SSS_PKCS11;id=%11%BB%CC%6D;object=sss%3A6DCCBB11;type=private" -out cer.pem; ssse-flw: EmbSe_Init(): Entry App :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1) sss :INFO :atr (Len=35) 00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08 01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41 54 50 4F sss :WARN :Communication channel is Plain. sss :WARN :!!!Not recommended for production use.!!! ssse-flw: Version: 1.0.5 ssse-flw: EmbSe_Init(): Exit engine "e4sss" set. cannot load Private Key from engine 1995698192:error:2609607D:engine routines:ENGINE_load_private_key:no load function:../crypto/engine/eng_pkey.c:72: unable to load Private Key ssse-flw: EmbSe_Finish(): Entry ssse-flw: EmbSe_Finish(): Exit ssse-flw: EmbSe_Destroy(): Entry

It is using the engine configured as follows:

openssl_conf = nxp_engine ... [nxp_engine] engines = engine_section [ engine_section ] e4sss_se050 = e4sss_se050_section [ e4sss_se050_section ] dynamic_path = /usr/local/lib/libsss_engine.so engine_id = e4sss init = 1 default_algorithms = RSA,RAND,EC

The same thing happens with the openssl configured with pkcs11 module:

# openssl req -new -x509 -subj "/CN=Units" -engine pkcs11 -keyform engine -key "pkcs11:model=;manufacturer=NXP;serial=;token=SSS_PKCS11;id=%11%BB%CC%6D;object=sss%3A6DCCBB11;type=private" -out cer.pem; engine "pkcs11" set. Found slot without user PIN Found slot without user PIN PKCS11_get_private_key returned NULL cannot load Private Key from engine 1995464720:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:862: 1995464720:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78: unable to load Private Key

with the following openssl config:

The above key was actually generated using `python3 openssl_provisionRSA.py --key_type rsa1024` from the python scripts examples, but the same applies to the keys generated using pkcs11-tool, seTool.

Any help would be greatly appreciated.

best regards,

peter

Re: EdgeLock SE050 getting private key via PKCS#11 URI

Kan_Li — Wed, 30 Sep 2020 09:53:13 GMT

Hi @peter_nt ,

Actually from my point of view, if a private key can be accessed externally , it would lead to security risk, but I am also checking it with the expert, will let you know when I have any more information.

Thanks for your patience!

Best Regards,

Kan

Re: EdgeLock SE050 getting private key via PKCS#11 URI

DarkVeider — Fri, 10 Sep 2021 17:55:37 GMT

That's right, but in this case, How do you encrypt or sign a file?
In fact libengine expose an interface and you can get that interface.
https://github.com/OpenSC/OpenSC/issues/1429

Re: EdgeLock SE050 getting private key via PKCS#11 URI

ahusseis — Wed, 18 May 2022 09:07:31 GMT

You can encrypt and sign using nxp APIs.

You should never be allowed to extract the private keys

topic Re: EdgeLock SE050 getting private key via PKCS#11 URI in Secure Authentication

EdgeLock SE050 getting private key via PKCS#11 URI

Re: EdgeLock SE050 getting private key via PKCS#11 URI

Re: EdgeLock SE050 getting private key via PKCS#11 URI

Re: EdgeLock SE050 getting private key via PKCS#11 URI