CreateCryptoObject fails while doing sss_mac_init

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

CreateCryptoObject fails while doing sss_mac_init

2,492 Views
bug_squasher_77
Contributor I

Hey @Kan_Li 

I created a simple HMAC calculator which was working fine.

And after couple of days it suddenly stopped working.

Please check logs from accessManager and client application in screenshot below. 
It says,

CreateCryptoObject Failed

among other more generic warnings

bug_squasher_77_0-1663677170190.png

After further debugging I found out that the sss_mac_init is failing.

I am only using sss_key_*, sss_mac_* and ex_boot_* apis for now. none of them are exposing CryptoObject or requiring it as input. 

I was not able to get around this, i had to factory reset the chip with se05x_Delete_and_test_provision and then again provision the key with same keyId

 

I am not able to reproduce this issue again. Any pointer on what can cause this would be appreciated.

From the documentation it is not clear what CryptoObject is being used for. More details on this would be a great help.

I dug into se05x source and I think the culprit is a missing break; statement.

bug_squasher_77_1-1663678003726.png

Notes about the setup, 

example <--socket--> accessManager <--i2c--> SE

 

Labels (1)
Tags (1)
0 Kudos
Reply
9 Replies

2,472 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @bug_squasher_77 ,

 

Actually it is hard to trace the root cause with the log from Access manager, do you have log from the client? If  se05x_Delete_and_test_provision can solve this issue, maybe due to running out of memory for secure objects storage, did you create new secure objects in SE051 in your code? Have you deleted them by the end of the program? or have you accidently disabled new objects creation on SE051?

 

Please kindly clarify.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply

2,470 Views
bug_squasher_77
Contributor I

Thank you for getting back @Kan_Li 

 

I can confirm I have ran following examples
1. se05x_concurrentECC
2. se05x_concurrentSymm 
3. se05x_Delete_and_test_provision
4. pkcs11-tool

export PKCS11_MODULE=/usr/lib/libsss_pkcs11.so

pkcs11-tool --module $PKCS11_MODULE --keypairgen --key-type rsa:1024 --label "sss:20202020"
pkcs11-tool --module $PKCS11_MODULE --sign --label sss:20181001 -m SHA256-RSA-PKCS --slot 1 -i in.der -o signature.der
pkcs11-tool --module $PKCS11_MODULE --hash -m SHA256 -i in.der -o hash.der

In my code I am using following for provisioning key and calculation of hmac

ex_sss_boot_open_on_id
sss_key_store_context_init
sss_key_store_allocate
sss_key_object_init
sss_key_object_get_handle
sss_mac_context_init
sss_mac_init - this failed
sss_mac_update
sss_mac_finish

sss_key_store_set_key

sss_mac_context_free
ex_sss_session_close
 
AFAIK, none of these methods are removing CryptoObject, also CryptoObject handling is abstracted so I can confirm creation of objects was not disabled.
0 Kudos
Reply

2,453 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @bug_squasher_77 ,

 

Thanks for the information! I am digging into the source code and suspecting maybe your issue happened there as shown below:

Kan_Li_0-1663829673259.png

so most likely your code tried to update some secure object created by another user and failed to do that due to the policy.

 

Please kindly check from your side if the object ID is duplicated .

 

Hope that helps,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

0 Kudos
Reply

2,449 Views
bug_squasher_77
Contributor I

Hi @Kan_Li 

 

Assuming, user id in this context is same as auth id used to open connection with accessManager.

Do any of the examples create CryptoObject with different ID?


I gave the list of APIs that I am using, I don't think they create CryptoObject with some different ID.

I have not set any object policy and I am using Auth=None. (authId = 0)

 

0 Kudos
Reply

2,433 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @bug_squasher_77 ,

 

What is the scenario this issue happened? how many client applications were connected with the AccessManager? Were they original concurrent examples or your own application? 

 

Usually we run concurrent demos as below:

Kan_Li_0-1663905043832.png

You may find the auth IDs and secure object IDs are different.

 

Please kindly clarify.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply

2,429 Views
bug_squasher_77
Contributor I

Hey @Kan_Li 

 

What is the scenario this issue happened?

I am also trying to figure out what happened and how it happend.
All I can say is, when trying to calculate HMAC in my custom application, I got this error (see in first post)
Before that I had never seen such error.

 

how many client applications were connected with the AccessManager?

When i first saw the issue, there was only my custom application running.
But I can confirm at maximum, we had 2 applications running simultaneously.
1. se05x_ConcurrentECC
2. my custom applicatoin to calculate HMAC

0 Kudos
Reply

2,417 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @bug_squasher_77 ,

 

Thanks for the information!

 

Actually from the snapshot you shared in the beginning , only one client was talking with the access manager, but it is hard to find the cause by the log from the access manager, do you have the log from the client as well? and how did you run the example of se05x_ConcurrentECC? what were the command parameters you input for se05x_ConcurrentECC? 

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply

2,415 Views
bug_squasher_77
Contributor I

Hi @Kan_Li 

Yes when i discovered the issue it was only 1 client.

However before discovering this I was running concurrentEcc and my custom app to calculate HMAC

se05x_ConcurrentEcc -authid 0 -keyid 0x20222022-cnt 1 -port 127.0.0.1:8040

 

0 Kudos
Reply

2,366 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @bug_squasher_77 ,

 

Thanks for the information! I didn't find any obvious error from running the se05x_ConcurrentEcc demo, and would like to have a review of your custom application code, I could know how you implemented it from the previous posts, but would be better to know more details such as the parameters input to each sss APIs. 

 

Is it possible to share? Alternatively you may create a private ticket to share the code according to the following video:

https://www.nxp.com/video/tutorial-for-nxp-support-case-portal:NCP-VIDEO

 

Please kindly let me know the case number when the case is created.

 

Thanks for your patience!

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply