Hello All!
Is it possible to access a private key stored on a SE050 via the PKCS#11 URI?
I have generated an RSA key, and I can even see it in the output of p11tool:
# p11tool --provider=/usr/local/lib/libsss_pkcs11.so --list-all
...
Object 0:
URL: pkcs11:model=;manufacturer=NXP;serial=;token=SSS_PKCS11;id=%11%BB%CC%6D;object=sss%3A6DCCBB11;type=private
Type: Private key (RSA-1024)
Label: sss:6DCCBB11
ID: 11:bb:cc:6d
...
However, I cannot access it via the URI:
# openssl req -new -x509 -subj "/CN=Units" -engine e4sss -keyform engine -key "pkcs11:model=;manufacturer=NXP;serial=;token=SSS_PKCS11;id=%11%BB%CC%6D;object=sss%3A6DCCBB11;type=private" -out cer.pem;
ssse-flw: EmbSe_Init(): Entry
App :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
ssse-flw: Version: 1.0.5
ssse-flw: EmbSe_Init(): Exit
engine "e4sss" set.
cannot load Private Key from engine
1995698192:error:2609607D:engine routines:ENGINE_load_private_key:no load function:../crypto/engine/eng_pkey.c:72:
unable to load Private Key
ssse-flw: EmbSe_Finish(): Entry
ssse-flw: EmbSe_Finish(): Exit
ssse-flw: EmbSe_Destroy(): Entry
It is using the engine configured as follows:
openssl_conf = nxp_engine
...
[nxp_engine]
engines = engine_section
[ engine_section ]
e4sss_se050 = e4sss_se050_section
[ e4sss_se050_section ]
dynamic_path = /usr/local/lib/libsss_engine.so
engine_id = e4sss
init = 1
default_algorithms = RSA,RAND,EC
The same thing happens with the openssl configured with pkcs11 module:
# openssl req -new -x509 -subj "/CN=Units" -engine pkcs11 -keyform engine -key "pkcs11:model=;manufacturer=NXP;serial=;token=SSS_PKCS11;id=%11%BB%CC%6D;object=sss%3A6DCCBB11;type=private" -out cer.pem;
engine "pkcs11" set.
Found slot without user PIN
Found slot without user PIN
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
1995464720:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:862:
1995464720:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
unable to load Private Key
with the following openssl config:
openssl_conf = nxp_engine
...
[nxp_engine]
engines = engine_section
[ engine_section ]
e4sss_se050 = e4sss_se050_section
[ e4sss_se050_section ]
dynamic_path = /usr/local/lib/libsss_pkcs11.so
engine_id = pkcs11
init = 1
The above key was actually generated using `python3 openssl_provisionRSA.py --key_type rsa1024` from the Python script examples, but the same applies to keys generated using pkcs11-tool or seTool.
Any help would be greatly appreciated.
best regards,
peter
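As an added illustration (not code from the thread or from NXP's middleware), the following Python shows how the PKCS#11 URI in the question is decoded per RFC 7512 and matched against the attributes that p11tool printed for the object. The URI never carries key material; it only selects which token object the module should use, and the private key stays inside the SE050. The object list is constructed here to mimic the p11tool listing in the post, and the matching covers only the `token`, `id`, `object` and `type` attributes (the empty `model=`/`serial=`/`manufacturer=` attributes are parsed but not used for matching, a simplification of the RFC); whether a given engine matches exactly this way is engine-specific and is not something the thread states.

```python
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass
class TokenObject:
    """Minimal view of a PKCS#11 object as p11tool --list-all prints it."""
    label: str   # CKA_LABEL
    id: bytes    # CKA_ID (raw bytes; p11tool prints them as 11:bb:cc:6d)
    type: str    # "private" / "public" / "cert" (pkcs11 URI 'type' attribute)
    token: str   # token label


def parse_pkcs11_uri(uri: str):
    """Split a pkcs11: URI into its path attributes and query attributes.

    Values are percent-decoded to bytes, so id=%11%BB%CC%6D becomes the
    four raw bytes 11 bb cc 6d and object=sss%3A6DCCBB11 becomes b"sss:6DCCBB11".
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    body = uri[len("pkcs11:"):]
    path_part, _, query_part = body.partition("?")

    path_attrs = {}
    for item in path_part.split(";"):
        if not item:
            continue
        key, _, value = item.partition("=")
        path_attrs[key] = unquote_to_bytes(value)

    query_attrs = {}
    if query_part:
        for item in query_part.split("&"):
            key, _, value = item.partition("=")
            query_attrs[key] = unquote_to_bytes(value)

    return path_attrs, query_attrs


def p11tool_id(raw_id: bytes) -> str:
    """Render CKA_ID the way p11tool shows it (lowercase hex, colon-separated)."""
    return ":".join(f"{b:02x}" for b in raw_id)


def find_objects(uri: str, objects):
    """Return the token objects whose attributes match every selector in the URI.

    Only token/id/object/type are compared here (simplification, see lead-in).
    An empty result is what an engine reports as 'object not found'.
    """
    attrs, _ = parse_pkcs11_uri(uri)
    matches = []
    for obj in objects:
        if "token" in attrs and obj.token != attrs["token"].decode():
            continue
        if "id" in attrs and obj.id != attrs["id"]:
            continue
        if "object" in attrs and obj.label != attrs["object"].decode():
            continue
        if "type" in attrs and obj.type != attrs["type"].decode():
            continue
        matches.append(obj)
    return matches


# Constructed sample, modelled on the p11tool output in the question.
SAMPLE_OBJECTS = [
    TokenObject("sss:6DCCBB11", bytes.fromhex("11bbcc6d"), "private", "SSS_PKCS11"),
    TokenObject("sss:6DCCBB11", bytes.fromhex("11bbcc6d"), "public", "SSS_PKCS11"),
    TokenObject("sss:0A0B0C0D", bytes.fromhex("0d0c0b0a"), "private", "SSS_PKCS11"),
]

# The URI exactly as used with openssl in the question.
QUESTION_URI = ("pkcs11:model=;manufacturer=NXP;serial=;token=SSS_PKCS11;"
                "id=%11%BB%CC%6D;object=sss%3A6DCCBB11;type=private")


if __name__ == "__main__":
    attrs, _ = parse_pkcs11_uri(QUESTION_URI)
    print("decoded id    :", p11tool_id(attrs["id"]))
    print("decoded object:", attrs["object"].decode())
    for obj in find_objects(QUESTION_URI, SAMPLE_OBJECTS):
        print("match:", obj)
```

If the decoded `id` and `object` values agree with the p11tool listing, as they do for this URI, the "object not found" error is not a URI-encoding problem, and the next thing to verify is that the engine is actually loading the `libsss_pkcs11.so` module and opening the right token.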
Hi @peter_nt,
Actually, from my point of view, if a private key can be accessed externally, it would lead to a security risk, but I am also checking it with the expert and will let you know when I have any more information.
Thanks for your patience!
Best Regards,
Kan
That's right, but in this case, how do you encrypt or sign a file?
In fact, libengine exposes an interface and you can get that interface.
https://github.com/OpenSC/OpenSC/issues/1429
You can encrypt and sign using nxp APIs.
You should never be allowed to extract the private keys.