Hey @Kan_Li
I created a simple HMAC calculator which was working fine.
And after a couple of days it suddenly stopped working.
Please check the logs from accessManager and the client application in the screenshot below.
It says,
CreateCryptoObject Failed
among other more generic warnings
After further debugging I found out that the sss_mac_init is failing.
I am only using sss_key_*, sss_mac_* and ex_boot_* APIs for now. None of them are exposing CryptoObject or requiring it as input.
I was not able to get around this; I had to factory reset the chip with se05x_Delete_and_test_provision and then provision the key again with the same keyId.
I am not able to reproduce this issue again. Any pointer on what can cause this would be appreciated.
From the documentation it is not clear what CryptoObject is being used for. More details on this would be a great help.
I dug into se05x source and I think the culprit is a missing break; statement.
Notes about the setup,
example <--socket--> accessManager <--i2c--> SE
Hi @bug_squasher_77 ,
Actually, it is hard to trace the root cause with the log from the Access Manager. Do you have the log from the client? If se05x_Delete_and_test_provision can solve this issue, it may be due to running out of memory for secure object storage. Did you create new secure objects in SE051 in your code? Have you deleted them by the end of the program? Or have you accidentally disabled new object creation on SE051?
Please kindly clarify.
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
Thank you for getting back @Kan_Li
I can confirm I have run the following examples:
1. se05x_concurrentECC
2. se05x_concurrentSymm
3. se05x_Delete_and_test_provision
4. pkcs11-tool
export PKCS11_MODULE=/usr/lib/libsss_pkcs11.so
pkcs11-tool --module $PKCS11_MODULE --keypairgen --key-type rsa:1024 --label "sss:20202020"
pkcs11-tool --module $PKCS11_MODULE --sign --label sss:20181001 -m SHA256-RSA-PKCS --slot 1 -i in.der -o signature.der
pkcs11-tool --module $PKCS11_MODULE --hash -m SHA256 -i in.der -o hash.der
In my code I am using the following for provisioning the key and calculating the HMAC:
ex_sss_boot_open_on_id
sss_key_store_context_init
sss_key_store_allocate
sss_key_object_init
sss_key_object_get_handle
sss_mac_context_init
sss_mac_init - this failed
sss_mac_update
sss_mac_finish
sss_key_store_set_key
sss_mac_context_free
ex_sss_session_close
Hi @bug_squasher_77 ,
Thanks for the information! I am digging into the source code and suspecting maybe your issue happened there as shown below:
so most likely your code tried to update some secure object created by another user and failed to do that due to the policy.
Please kindly check from your side if the object ID is duplicated.
Hope that helps,
Have a great day,
Kan
Hi @Kan_Li
Assuming the user id in this context is the same as the auth id used to open the connection with accessManager.
Do any of the examples create CryptoObject with different ID?
I gave the list of APIs that I am using, I don't think they create CryptoObject with some different ID.
I have not set any object policy and I am using Auth=None. (authId = 0)
Hi @bug_squasher_77 ,
In what scenario did this issue happen? How many client applications were connected with the AccessManager? Were they the original concurrent examples or your own application?
Usually we run concurrent demos as below:
You may find the auth IDs and secure object IDs are different.
Please kindly clarify.
Have a great day,
Kan
Hey @Kan_Li
What is the scenario this issue happened?
I am also trying to figure out what happened and how it happened.
All I can say is, when trying to calculate HMAC in my custom application, I got this error (see in first post)
Before that I had never seen such error.
how many client applications were connected with the AccessManager?
When I first saw the issue, there was only my custom application running.
But I can confirm at maximum, we had 2 applications running simultaneously.
1. se05x_ConcurrentECC
2. my custom application to calculate HMAC
Hi @bug_squasher_77 ,
Thanks for the information!
Actually, from the snapshot you shared in the beginning, only one client was talking with the access manager, but it is hard to find the cause from the access manager log. Do you have the log from the client as well? And how did you run the se05x_ConcurrentECC example? What were the command parameters you input for se05x_ConcurrentECC?
Have a great day,
Kan
Hi @Kan_Li
Yes, when I discovered the issue it was only 1 client.
However, before discovering this I was running concurrentEcc and my custom app to calculate HMAC:
se05x_ConcurrentEcc -authid 0 -keyid 0x20222022-cnt 1 -port 127.0.0.1:8040
Hi @bug_squasher_77 ,
Thanks for the information! I didn't find any obvious error from running the se05x_ConcurrentEcc demo, and would like to review your custom application code. I can tell how you implemented it from the previous posts, but it would be better to know more details, such as the parameters input to each sss API.
Is it possible to share? Alternatively you may create a private ticket to share the code according to the following video:
https://www.nxp.com/video/tutorial-for-nxp-support-case-portal:NCP-VIDEO
Please kindly let me know the case number when the case is created.
Thanks for your patience!
Have a great day,
Kan