Error to access SE through libsssProvider + openssl.

CristianeBP · ‎07-03-2024

Hi,

I have some problem to use SE (version B) + libsssProvider + openssl 3.0.13.

I generate a key pair using SETool, but when I tried to access my key to generate a certificate signing request I facing some problem, because my csr is not generate and the command exiting is 1.

I also tried to access my key using the SE index (-key nxp:0x00000020 and -inkey nxp:0x00000020), but also without success.

[root@ABB-ea-a6-d2-59-47-62 cert]# openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key nxp:0x00000020 -out server.csr -config csr.conf
[root@ABB-ea-a6-d2-59-47-62 cert]# echo $?
1

[root@ABB-ea-a6-d2-59-47-62 cert]# openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key $SERVER.key -out $SERVER.csr -config csr.conf
[root@ABB-ea-a6-d2-59-47-62 cert]# echo $?
1
[root@ABB-ea-a6-d2-59-47-62 cert]# cat server.key
-----BEGIN PRIVATE KEY-----
MIIBPQIBADANBgkqhkiG9w0BAQEFAASCAScwggEjAgEAAoIBAQCoWVZ3r3KbD9Ms
2DmJQL2Zt7B+4J9YhlAlavk3k2FcDyRr268W9OTk3xa1Z97IcnSmFyiYatNOCBGa
DmmzRpRvFuoHfgS4aHIGiLesp/APgwioclLsHadmNOen3fBWlZ0y02G2bW7YtBJa
6d5kKyI83CQUl2zapFnylpZWZEB81Cz3Cbyy/N6v6o1cEDYD8f8Pq2UltD0LGnjp
jZqN1Tyy4QIXT9niKXJYCklordJe55+VVth8qedi40Xq7RSnGu0ujIIrcwnnX7GF
qExtw80UMHwKnJnOpJthmQ4VIPBXH8bokPDwr6g9DE9UP2gUezcUFor6U5j4uHaf
iece/VIBAgMBAAECAQECAQECASACAQECAQECBQClprW2
-----END PRIVATE KEY-----

I use the accessManager (executed with plain option) to access my SE.

Yocto version: kirkstone.

Thanks in advance,

Cristiane Bellenzier Piaia

Kan_Li

Hi @CristianeBP ,

For the 3rd case, As you are using RSA ref key as the rootCA key it is mandatory to load sssProvider at first because the default provider cannot recognize the reference key format.

So the command to generate the certificate is:
#openssl x509 -req –provider /usr/local/lib/libsssProvider.so –provider default -in b.csr -CAcreateserial -out b.cer -days 5000 -CA a.cer -CAkey a.pem

Please kindly refer to the following for more details.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

View solution in original post

rodolfoveltrigo · ‎07-10-2024

@Kan_Li : I am writing on behalf of @CristianeBP and Lorenzo Verniani (they got problems to access this thread):

Good morning Kan Li,

thank you very much for your reply.

Your answer is about my 2nd test, and ok, it is a limitation and we need to wait some updates.

RGs: @Lorenzo Verniani (Customer) let us know how severe this limitation is for ABB.

But in the 3rd test, I generated both key pair using SETool, not using OPENSSL, and the verification fails equally. How can you explain that?

Thanks again,

Cristiane Bellenzier Piaia

RGs: I repeat 3rd test here:

3 -both key pairs generated inside the SE using seTool:

#seTool genRSA 2048 0x00000003 127.0.0.1:8040

# seTool getRSARef 0x00000003 a.pem 127.0.0.1:804
# openssl req -new --provider /usr/lib/libsssProvider.so --provider default -x509 -new -nodes -key a.pem -subj "/OU=NXP Plug Trust CA/CN=NXP RootCAvExxx" -days 4380 -out a.cer
sssprov-flw: Get random data from SE05x
sssprov-flw: Performing RSA sign using SE05x

#seTool genRSA 2048 0x00000020 127.0.0.1:8040

# seTool getRSARef 0x00000020 b.pem 127.0.0.1:8040

# openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key b.pem -subj "/CN=NXP_SE050_TLS_CLIENT_RSA" -out b.csr
sssprov-flw: Performing RSA sign using SE05x
# openssl x509 -req --provider default -in b.csr -CAcreateserial -out b.cer -days 5000 -CA a.cer -CAkey a.pem
Certificate request self-signature ok
subject=CN = NXP_SE050_TLS_CLIENT_RSA
# openssl verify -partial_chain -trusted a.cer b.cer
CN = NXP_SE050_TLS_CLIENT_RSA
error 7 at 0 depth lookup: certificate signature failure
error b.cer: verification failed
2090F276:error:0200008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../openssl-3.0.13/crypto/rsa/rsa_pk1.c:75:
2090F276:error:02000072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../openssl-3.0.13/crypto/rsa/rsa_ossl.c:598:
2090F276:error:1C880004:Provider routines:rsa_verify:RSA lib:../openssl-3.0.13/providers/implementations/signature/rsa_sig.c:774:
2090F276:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../openssl-3.0.13/crypto/asn1/a_verify.c:217:

Kan_Li

Hi @CristianeBP ,

For the 3rd case, As you are using RSA ref key as the rootCA key it is mandatory to load sssProvider at first because the default provider cannot recognize the reference key format.

So the command to generate the certificate is:
#openssl x509 -req –provider /usr/local/lib/libsssProvider.so –provider default -in b.csr -CAcreateserial -out b.cer -days 5000 -CA a.cer -CAkey a.pem

Please kindly refer to the following for more details.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

CristianeBP · ‎07-04-2024

Kan,

just for your knowledge.

The same happens when I generate the keypair using openssl:
# openssl genrsa --provider /usr/lib/libsssProvider.so --provider default -out tls_client_key_ref_0xEF000011.pem 1024
App :INFO :Using PortName='127.0.0.1:8040' (ENV: EX_SSS_BOOT_SSS_PORT=127.0.0.1:8040)
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
Warning: generating random key material may take a long time
if the system has a poor entropy source
sssprov-flw: Generate RSA key inside SE05x

# cat tls_client_key_ref_0xEF000011.pem
-----BEGIN PRIVATE KEY-----
MIHSAgEAMA0GCSqGSIb3DQEBAQUABIG9MIG6AgEBAoGAbchhCXBMjOV4xS+6dBjt
4wyjZf3AespjZ37m/DOUxOh41rH6wBDXlGYlpjsHZWBEHAxMV9e9qvqzxcD5+kKY
bShdSA3vl6ZQpzpDvtk0qMXRkLr54QwXUvlbB38eS/TUYhbmeEFJ66CnR2K5/8AY
EJ9DqmVQ0twc7TATgsRS45UCAwEAAQIBAAIBAQIFAO8AABECAQACAQACBQClprW2
MBMwEQIFAO8AABECAQACBQClprW2
-----END PRIVATE KEY-----

# openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key tls_client_key_ref_0xEF000011.pem -subj "/CN=NXP_SE050_TLS_CLIENT_RSA" -out tls_client.csr
App :INFO :Using PortName='127.0.0.1:8040' (ENV: EX_SSS_BOOT_SSS_PORT=127.0.0.1:8040)
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
# echo $?
1
Thanks,

Cristiane Bellenzier Piaia

CristianeBP · ‎07-04-2024

Good morning Kan,

thanks for your reply.

SE version: B

Middleware version: 04.05.03

Linux: Kernel: Linux 5.15.71-5.15.71-2.2.0+g3313732e9984+p5
Architecture: arm

seTool command:# seTool getRSARef 0x00000020 server.key $EX_SSS_BOOT_SSS_PORT
App :INFO :PlugAndTrust_v04.05.03_20240502
App :INFO :Running seTool
App :INFO :Using PortName='127.0.0.1:8040' (CLI)
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
App :INFO :ex_sss Finished
# cat server.key
-----BEGIN PRIVATE KEY-----
MIIBPQIBADANBgkqhkiG9w0BAQEFAASCAScwggEjAgEAAoIBAQDLnqjJfGZVgcGq
zcztezdSbIFYRVQFI4nOJuDgprlvzX/T7K73UAeZvwAiIy5Juyer9/vufpgG7Q56
lmgiEYAyHlIcgetskarxV3JpSG/P+vzYQtFqpbSrHOS+eSF7JS/7pQQVY0sqMiaj
3FrrPfubPfRalS7ztGPq9Ch0YacX70yntDzm+MnIncmOitcPo/+Exr6g8maO8bOI
XzfKMY05klnkDiup5jTY0AGJknuDNLc77u0WVTf+pP3A0xkjZ6yDACWpPuk/6xVd
CUp+ABAfY8BQqncfNGRxihOQ1roqGLvHn9LypON84b+VUQKSxkJabSojCrL/oFTs
mIMiBWwlAgMBAAECAQECAQECASACAQECAQECBQClprW2
-----END PRIVATE KEY-----

# echo $EX_SSS_BOOT_SSS_PORT
127.0.0.1:8040

# openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key server.key -out server.csr -config csr.conf
App :INFO :Using PortName='127.0.0.1:8040' (ENV: EX_SSS_BOOT_SSS_PORT=127.0.0.1:8040)
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
# echo $?
1

# openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key nxp:0x00000020 -out server.csr -config csr.conf
App :INFO :Using PortName='127.0.0.1:8040' (ENV: EX_SSS_BOOT_SSS_PORT=127.0.0.1:8040)
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
# echo $?
1

Thanks,

Cristiane Bellenzier Piaia

Kan_Li · ‎07-04-2024

Hi @CristianeBP ，

Please give it a try with the github version: https://github.com/NXPPlugNTrust/se05x-openssl-provider , Most of the features are updated over there.

Please kindly have my test result with the libsssProvider.so generated from above.

ubuntu@ubuntu:~/provider_test/rsa_test$ openssl genrsa --provider /usr/local/lib/libsssProvider.so --provider default -out tls_client_key_ref_0xEF000011.pem 1024
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
sss :INFO :Newer version of Applet Found
sss :INFO :Compiled for 0x30100. Got newer 0x60000
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
Warning: generating random key material may take a long time
if the system has a poor entropy source
sssprov-flw: Generate RSA key inside SE05x
ubuntu@ubuntu:~/provider_test/rsa_test$ cat tls_client_key_ref_0xEF000011.pem
-----BEGIN PRIVATE KEY-----
MIG+AgEAMA0GCSqGSIb3DQEBAQUABIGpMIGmAgEAAoGBAMOMHJoKSm4V6tDRehUx
Hk81c0u18eL85piCFFzfygUP1qz0aGb4dYn7R/gk6pITJnBF1uoF9L5fLp6cbqTX
YyS3q90W69IRzDRZMWye1/QYer6MNImbqe+Xfj8av64JVsSE634rsUN4iMZCQGbr
JAFQxjUsVFH6gvy2OybL+KQBAgMBAAECAQACAQECBQDvAAARAgEAAgEAAgUApaa1
tg==
-----END PRIVATE KEY-----
ubuntu@ubuntu:~/provider_test/rsa_test$ openssl req -new --provider /usr/local/lib/libsssProvider.so --provider default -key tls_client_key_ref_0xEF000011.pem -subj "/CN=NXP_SE050_TLS_CLIENT_RSA" -out tls_client.csr
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
sss :INFO :Newer version of Applet Found
sss :INFO :Compiled for 0x30100. Got newer 0x60000
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
sssprov-flw: Performing RSA sign using SE05x
ubuntu@ubuntu:~/provider_test/rsa_test$ ls
tls_client.csr tls_client_key_ref_0xEF000011.pem
ubuntu@ubuntu:~/provider_test/rsa_test$ cat tls_client.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBYjCBzAIBADAjMSEwHwYDVQQDDBhOWFBfU0UwNTBfVExTX0NMSUVOVF9SU0Ew
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMOMHJoKSm4V6tDRehUxHk81c0u1
8eL85piCFFzfygUP1qz0aGb4dYn7R/gk6pITJnBF1uoF9L5fLp6cbqTXYyS3q90W
69IRzDRZMWye1/QYer6MNImbqe+Xfj8av64JVsSE634rsUN4iMZCQGbrJAFQxjUs
VFH6gvy2OybL+KQBAgMBAAGgADANBgkqhkiG9w0BAQsFAAOBgQBxEFr13fnb07Ve
6wTqzUHmb9xAOd2yc0gcm2+JXPweUxw++UV6Sxqp26A7R5yvU2OFtR21G/lJ0Vye
kbtp5YffeDnP/A3z4qCAjD+6y2BjXSbLloDWtS4jRG/mniIBn4KW15GY8rOKS0vP
X1SSXAjHwbgkKiuzSWM84qiv1Cus2w==
-----END CERTIFICATE REQUEST-----
ubuntu@ubuntu:~/provider_test/rsa_test$

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

CristianeBP · ‎07-09-2024

Good morning,

I just finished my tests but I think I found another problem.

The certificate signing fails when both key pairs are generated inside the SE.

My tests are:

1 - generates 1 key pair inside and 1 outside:

# openssl genrsa -out a.pem 1024
# openssl req -new --provider /usr/lib/libsssProvider.so --provider default -x509 -new -nodes -key a.pem -subj "/OU=NXP Plug Trust CA/CN=NXP RootCAvExxx" -days 4380 -out a.cer
sssprov-flw: Not a ref key
sssprov-flw: Get random data from SE05x
sssprov-flw: Not a key in secure element. Performing RSA sign operation using host software
sssprov-flw: Get random data from SE05x
# openssl genrsa --provider /usr/lib/libsssProvider.so --provider default -out b.pem 1024
Warning: generating random key material may take a long time
if the system has a poor entropy source
sssprov-flw: Generate RSA key inside SE05x
# openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key b.pem -subj "/CN=NXP_SE050_TLS_CLIENT_RSA" -out b.csr
sssprov-flw: Performing RSA sign using SE05x
[root@ABB-f6-4e-b6-68-0b-a1 ~]# openssl x509 -req --provider default -in b.csr -CAcreateserial -out b.cer -days 5000 -CA a.cer -CAkey a.pem
Certificate request self-signature ok
subject=CN = NXP_SE050_TLS_CLIENT_RSA
# openssl verify -partial_chain -trusted a.cer b.cer
b.cer: OK

2 -both key pairs generated inside the SE using openssl:

# openssl genrsa --provider /usr/lib/libsssProvider.so --provider default -out a.pem 1024
Warning: generating random key material may take a long time
if the system has a poor entropy source
sssprov-flw: Generate RSA key inside SE05x
# openssl req -new --provider /usr/lib/libsssProvider.so --provider default -x509 -new -nodes -key a.pem -subj "/OU=NXP Plug Trust CA/CN=NXP RootCAvExxx" -days 4380 -out a.cer
sssprov-flw: Get random data from SE05x
sssprov-flw: Performing RSA sign using SE05x
# openssl genrsa --provider /usr/lib/libsssProvider.so --provider default -out b.pem 1024
Warning: generating random key material may take a long time
if the system has a poor entropy source
sssprov-flw: Generate RSA key inside SE05x
# openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key b.pem -subj "/CN=NXP_SE050_TLS_CLIENT_RSA" -out b.csr
sssprov-flw: Performing RSA sign using SE05x
# openssl x509 -req --provider default -in b.csr -CAcreateserial -out b.cer -days 5000 -CA a.cer -CAkey a.pem
Certificate request self-signature ok
subject=CN = NXP_SE050_TLS_CLIENT_RSA
# openssl verify -partial_chain -trusted a.cer b.cer
CN = NXP_SE050_TLS_CLIENT_RSA
error 7 at 0 depth lookup: certificate signature failure
error b.cer: verification failed
2020F576:error:0200008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../openssl-3.0.13/crypto/rsa/rsa_pk1.c:75:
2020F576:error:02000072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../openssl-3.0.13/crypto/rsa/rsa_ossl.c:598:
2020F576:error:1C880004:Provider routines:rsa_verify:RSA lib:../openssl-3.0.13/providers/implementations/signature/rsa_sig.c:774:
2020F576:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../openssl-3.0.13/crypto/asn1/a_verify.c:217:

3 -both key pairs generated inside the SE using seTool:

#seTool genRSA 2048 0x00000003 127.0.0.1:8040

# seTool getRSARef 0x00000003 a.pem 127.0.0.1:804
# openssl req -new --provider /usr/lib/libsssProvider.so --provider default -x509 -new -nodes -key a.pem -subj "/OU=NXP Plug Trust CA/CN=NXP RootCAvExxx" -days 4380 -out a.cer
sssprov-flw: Get random data from SE05x
sssprov-flw: Performing RSA sign using SE05x

#seTool genRSA 2048 0x00000020 127.0.0.1:8040

# seTool getRSARef 0x00000020 b.pem 127.0.0.1:8040

# openssl req -new --provider /usr/lib/libsssProvider.so --provider default -key b.pem -subj "/CN=NXP_SE050_TLS_CLIENT_RSA" -out b.csr
sssprov-flw: Performing RSA sign using SE05x
# openssl x509 -req --provider default -in b.csr -CAcreateserial -out b.cer -days 5000 -CA a.cer -CAkey a.pem
Certificate request self-signature ok
subject=CN = NXP_SE050_TLS_CLIENT_RSA
# openssl verify -partial_chain -trusted a.cer b.cer
CN = NXP_SE050_TLS_CLIENT_RSA
error 7 at 0 depth lookup: certificate signature failure
error b.cer: verification failed
2090F276:error:0200008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../openssl-3.0.13/crypto/rsa/rsa_pk1.c:75:
2090F276:error:02000072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../openssl-3.0.13/crypto/rsa/rsa_ossl.c:598:
2090F276:error:1C880004:Provider routines:rsa_verify:RSA lib:../openssl-3.0.13/providers/implementations/signature/rsa_sig.c:774:
2090F276:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../openssl-3.0.13/crypto/asn1/a_verify.c:217:

Thanks,

Cristiane Bellenzier Piaia

Kan_Li · ‎07-09-2024

Hi @CristianeBP ,

The openssl command has some limitation for rsa generation, which doesn't have a "-name" option as ecc generation, so that the current provider implementation uses a default key ID hard coded in the source file , so in your case, only one RSA ref key was generated inside the SE indeed. We have to wait for openssl updated to some version which allows to specify the rsa key name.

Sorry for the inconvenience that might cause.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Kan_Li · ‎07-04-2024

Hi @CristianeBP ,

Would you please share more details regarding the SE and the platform? also how did you create the key with SeTool? I may try to reproduce this issue here.

Thanks for your patience!

Best Regards,

Kan