EdgeLock SE050 getting private key via PKCS#11 URI


3,268 Views
peter_nt
Contributor I

Hello All!

Is it possible to access a private key stored on an SE050 via the PKCS#11 URI?

I have generated an RSA key, and I can even see it in the output of p11tool:

# p11tool  --provider=/usr/local/lib/libsss_pkcs11.so --list-all
...
Object 0:
        URL: pkcs11:model=;manufacturer=NXP;serial=;token=SSS_PKCS11;id=%11%BB%CC%6D;object=sss%3A6DCCBB11;type=private
        Type: Private key (RSA-1024)
        Label: sss:6DCCBB11
        ID: 11:bb:cc:6d
...

However, I cannot access it via the URI:

# openssl req -new -x509 -subj "/CN=Units" -engine e4sss -keyform engine -key "pkcs11:model=;manufacturer=NXP;serial=;token=SSS_PKCS11;id=%11%BB%CC%6D;object=sss%3A6DCCBB11;type=private" -out cer.pem;
ssse-flw: EmbSe_Init(): Entry
App   :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
sss   :INFO :atr (Len=35)
      00 A0 00 00    03 96 04 03    E8 00 FE 02    0B 03 E8 08
      01 00 00 00    00 64 00 00    0A 4A 43 4F    50 34 20 41
      54 50 4F
sss   :WARN :Communication channel is Plain.
sss   :WARN :!!!Not recommended for production use.!!!
ssse-flw: Version: 1.0.5
ssse-flw: EmbSe_Init(): Exit
engine "e4sss" set.
cannot load Private Key from engine
1995698192:error:2609607D:engine routines:ENGINE_load_private_key:no load function:../crypto/engine/eng_pkey.c:72:
unable to load Private Key
ssse-flw: EmbSe_Finish(): Entry
ssse-flw: EmbSe_Finish(): Exit
ssse-flw: EmbSe_Destroy(): Entry


It is using the engine configured as follows:

openssl_conf            = nxp_engine
...
[nxp_engine]
engines = engine_section

[ engine_section ]
e4sss_se050 = e4sss_se050_section

[ e4sss_se050_section ]
dynamic_path = /usr/local/lib/libsss_engine.so
engine_id = e4sss
init = 1
default_algorithms = RSA,RAND,EC

The same thing happens with OpenSSL configured with the pkcs11 module:

# openssl req -new -x509 -subj "/CN=Units" -engine pkcs11 -keyform engine -key "pkcs11:model=;manufacturer=NXP;serial=;token=SSS_PKCS11;id=%11%BB%CC%6D;object=sss%3A6DCCBB11;type=private" -out cer.pem;
engine "pkcs11" set.
Found slot without user PIN
Found slot without user PIN
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
1995464720:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:862:
1995464720:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
unable to load Private Key

with the following openssl config:

openssl_conf            = nxp_engine
...
[nxp_engine]
engines = engine_section

[ engine_section ]
e4sss_se050 = e4sss_se050_section

[ e4sss_se050_section ]
dynamic_path = /usr/local/lib/libsss_pkcs11.so
engine_id = pkcs11
init = 1


The above key was actually generated using `python3 openssl_provisionRSA.py --key_type rsa1024` from the Python script examples, but the same applies to keys generated using pkcs11-tool or seTool.

Any help would be greatly appreciated.

best regards,

peter


0 Kudos
3 Replies
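The URI in the question is an RFC 7512 PKCS#11 URI: path attributes separated by `;`, percent-encoded values, with `id` carrying raw bytes and `object` carrying the label. The following parser is an added example and is not code from this thread, from NXP or from OpenSC; it assumes only the RFC 7512 syntax and the `Object N:` line layout of `p11tool --list-all` shown in the question. It decodes the URI and checks that the `id` and `object` in it are the same object that p11tool listed, which lets a practitioner rule out (or confirm) a URI/object mismatch before looking at the engine or the PKCS#11 module itself. The `type` check is a simple prefix heuristic on p11tool's "Private key"/"Public key" text, an assumption of this example.

```python
from urllib.parse import unquote_to_bytes

# RFC 7512: "pkcs11:" + path attributes ("a=b;c=d"), optionally "?" + query
# attributes ("pin-source=...&module-path=..."). Values are percent-encoded;
# "id" is binary (CKA_ID), every other attribute is UTF-8 text.
BINARY_ATTRS = {"id"}


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI.

    'id' is decoded to bytes, all other attributes to str. Empty values
    such as 'model=' are kept as empty strings, which is how p11tool prints
    attributes the token does not populate.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")

    def decode(part, sep):
        attrs = {}
        if not part:
            return attrs
        for item in part.split(sep):
            name, eq, value = item.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute {item!r}")
            raw = unquote_to_bytes(value)
            attrs[name] = raw if name in BINARY_ATTRS else raw.decode("utf-8")
        return attrs

    return decode(path_part, ";"), decode(query_part, "&")


def parse_p11tool_listing(text):
    """Parse the 'Object N:' blocks of `p11tool --list-all` output into dicts."""
    objects, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Object ") and line.endswith(":"):
            current = {}
            objects.append(current)
        elif current is not None and ": " in line:
            key, _, value = line.partition(": ")
            current[key] = value
    return objects


def uri_matches_object(uri, obj):
    """True if every id/object/type attribute in the URI agrees with a listed object."""
    path, _ = parse_pkcs11_uri(uri)
    checks = []
    if "id" in path:
        # p11tool prints CKA_ID as colon-separated hex, e.g. 11:bb:cc:6d
        listed_id = bytes.fromhex(obj["ID"].replace(":", ""))
        checks.append(path["id"] == listed_id)
    if "object" in path:
        checks.append(path["object"] == obj["Label"])
    if "type" in path:
        # heuristic (assumption): p11tool's Type starts with "Private key"/"Public key"
        checks.append(obj["Type"].lower().startswith(path["type"]))
    return all(checks)


# Constructed sample: the p11tool listing from the question, verbatim.
SAMPLE_LISTING = """\
Object 0:
        URL: pkcs11:model=;manufacturer=NXP;serial=;token=SSS_PKCS11;id=%11%BB%CC%6D;object=sss%3A6DCCBB11;type=private
        Type: Private key (RSA-1024)
        Label: sss:6DCCBB11
        ID: 11:bb:cc:6d
"""

SAMPLE_URI = ("pkcs11:model=;manufacturer=NXP;serial=;token=SSS_PKCS11;"
              "id=%11%BB%CC%6D;object=sss%3A6DCCBB11;type=private"
              "?module-path=/usr/local/lib/libsss_pkcs11.so")

if __name__ == "__main__":
    path, query = parse_pkcs11_uri(SAMPLE_URI)
    print("id bytes :", path["id"].hex())
    print("label    :", path["object"])
    print("module   :", query.get("module-path"))
    objs = parse_p11tool_listing(SAMPLE_LISTING)
    print("URI matches listed object:", uri_matches_object(SAMPLE_URI, objs[0]))
```

Run as a script it prints the decoded id `11bbcc6d`, the label `sss:6DCCBB11` and `True` for the match, confirming that the URI from the question does name the object p11tool shows; if that check were `False`, the URI encoding would be the first thing to fix.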

3,254 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @peter_nt ,


Actually, from my point of view, if a private key could be accessed externally, it would lead to a security risk, but I am also checking with the expert and will let you know when I have any more information.


Thanks for your patience!


Best Regards,

Kan

0 Kudos

2,654 Views
DarkVeider
Contributor I

That's right, but in this case, how do you encrypt or sign a file?
In fact libengine exposes an interface, and you can get that interface.
https://github.com/OpenSC/OpenSC/issues/1429

0 Kudos

1,909 Views
ahusseis
Contributor I

You can encrypt and sign using NXP APIs.

You should never be allowed to extract the private keys.

0 Kudos