OpenSSL Provider with SE052F for RNG

sam123
Contributor I

We have a requirement to use the SE052F as a FIPS compliant source for random number generation. We require OpenSSL to use the SE052F, and in turn, all applications that use the openssl libraries to use the SE052F for RNG.

I understand we must use the NXP MW accessManager and the OpenSSL Provider.
I am using: SE-PLUG-TRUST-MW_04.07.01
I have followed the instructions in:
AN14028.pdf
SE-PLUG-TRUST-MW_04.07.01/simw-top/doc/hostlib/hostLib/accessManager/doc/accessManager.html
and the README info here (but not using this repo): https://github.com/NXPPlugNTrust/se05x-openssl-provider

accessManager built with the following cmake options:

NXP_SE_MW_CONF_OPTS += -DWithSharedLIB=OFF -DPTMW_Host=Raspbian -DPTMW_SMCOM=T1oI2C -DPTMW_Applet=SE05X_C \
	-DPTMW_FIPS=None -DPTMW_SE05X_Ver=07_02 -DPTMW_SE05X_Auth=PlatfSCP03 -DPTMW_SCP=SCP03_SSS -DSE05X_EN_PIN=582 -DSE_RESET_LOGIC=0 \
	-DPAHO_BUILD_SHARED=FALSE -DPAHO_BUILD_STATIC=TRUE

 

OpenSSL Provider built with the following cmake options:

NXP_SE_MW2_CONF_OPTS += -DWithSharedLIB=ON -DPTMW_HostCrypto=OPENSSL -DPTMW_Host=Raspbian -DPTMW_SMCOM=JRCP_V1_AM -DPTMW_SE05X_Auth=None

 

openssl.cnf modified as follows:

[provider_sect]
nxp_prov = nxp_sect
default = default_sect

[nxp_sect]
identity = nxp_prov
module = /usr/lib/libsssProvider.so
activate = 1

[default_sect]
activate = 1

 

The accessManager starts:

Starting accessManager (Rev.1.1).
  Protect Link between accessManager and SE: YES.
accessManager JRCPv1 (T1oI2C SE side)
******************************************************************************
Server: waiting for connections on port 8040.
Server: only localhost based processes can connect.

 

RNG using openssl from the command line seems to work OK:

# openssl rand -hex 64
sssprov-dbg: Enter - OSSL_provider_init 
App   :INFO :Using PortName='127.0.0.1:8040' (gszSocketPortDefault)
App   :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
New client connection from 127.0.0.1. Client ID: 5
Command 0x00 from client 5
DUMMY_ATR=0x01.A0.00.00.03.96.04.03.E8.00.FE.02.0B.03.E8.00.01.00.00.00.00.64.13.88.0A.00.65.53.45.30.35.31.00.00.00.
Replacing *_ATR by default (pre-cooked) ATR.
ATR=0x3B.FB.18.00.00.81.31.FE.45.50.4C.41.43.45.48.4F.4C.44.45.52.AB.
Command 0x01 from client 5
SM_EstablishPlatformSCP03Am (Entry)
App   :WARN :Using SCP03 keys from:'/tmp/SE05X/plain_scp.txt' (FILE=/tmp/SE05X/plain_scp.txt)
SE051 connected.
SM_EstablishPlatformSCP03Am (Exit); Status = 0x9000
sss   :INFO :Newer version of Applet Found
sss   :INFO :Compiled for 0x70200. Got newer 0x70216
sss   :WARN :Communication channel is Plain.
sss   :WARN :!!!Not recommended for production use.!!!
sssprov-dbg: Enter - sss_rand_newctx 
sssprov-dbg: Enter - sss_rand_instantiate 
sssprov-dbg: Enter - sss_rand_enable_locking 
sssprov-dbg: Enter - sss_rand_newctx 
sssprov-dbg: Enter - sss_rand_instantiate 
sssprov-dbg: Enter - sss_rand_get_ctx_params 
sssprov-dbg: Enter - sss_rand_generate 
sssprov-flw: Get random data from SE05x 
Command 0x01 from client 5
SM_SendAPDUAm: smStatus = 0x9000
5f0f4d63e4ec771b8cfd46dd50c497b7e4e56e203ad5bc6eca9f8c28d23f39aa2d4a807915e3c60cf2e6a833794cb1208554f3e635811354eadd7b2c911c60da
sssprov-dbg: Enter - sss_rand_freectx 
sssprov-dbg: Enter - sss_rand_freectx 
sssprov-dbg: Enter - sss_teardown 
Received 0 byte from client 5 (Message Header Phase) .

 

But, starting the ssh daemon fails:

# /usr/sbin/sshd &
sssprov-dbg: Enter - OSSL_provider_init 
App   :INFO :Using PortName='127.0.0.1:8040' (gszSocketPortDefault)
App   :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
New client connection from 127.0.0.1. Client ID: 5
Command 0x00 from client 5
ATR=0x3B.FB.18.00.00.81.31.FE.45.50.4C.41.43.45.48.4F.4C.44.45.52.AB.
Command 0x01 from client 5
Pre-cooked response (rspAppletSelect)
sss   :INFO :Newer version of Applet Found
sss   :INFO :Compiled for 0x70200. Got newer 0x70216
sss   :WARN :Communication channel is Plain.
sss   :WARN :!!!Not recommended for production use.!!!
sssprov-dbg: Enter - sss_rand_newctx 
sssprov-dbg: Enter - sss_rand_instantiate 
sssprov-dbg: Enter - sss_rand_enable_locking 
sssprov-dbg: Enter - sss_rand_get_ctx_params 
PRNG is not seeded
Received 0 byte from client 5 (Message Header Phase) .
[2]+  Done(255)                  /usr/sbin/sshd

 

I'd be very grateful for any help,

Sam
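
An added example, not part of the original post: one way to locate where the failing sshd run departs from the working `openssl rand` run is to compare the provider entry points logged in each trace. The trace strings below are constructed from the `sssprov-dbg` lines quoted in the post, and the helper names are hypothetical.

```python
import re
from itertools import zip_longest

# Constructed sample input: the provider debug lines from the two traces
# in the post (openssl rand succeeds, sshd exits with "PRNG is not seeded").
RAND_TRACE = """\
sssprov-dbg: Enter - OSSL_provider_init
sssprov-dbg: Enter - sss_rand_newctx
sssprov-dbg: Enter - sss_rand_instantiate
sssprov-dbg: Enter - sss_rand_enable_locking
sssprov-dbg: Enter - sss_rand_newctx
sssprov-dbg: Enter - sss_rand_instantiate
sssprov-dbg: Enter - sss_rand_get_ctx_params
sssprov-dbg: Enter - sss_rand_generate
sssprov-flw: Get random data from SE05x
sssprov-dbg: Enter - sss_rand_freectx
sssprov-dbg: Enter - sss_rand_freectx
sssprov-dbg: Enter - sss_teardown
"""
SSHD_TRACE = """\
sssprov-dbg: Enter - OSSL_provider_init
sssprov-dbg: Enter - sss_rand_newctx
sssprov-dbg: Enter - sss_rand_instantiate
sssprov-dbg: Enter - sss_rand_enable_locking
sssprov-dbg: Enter - sss_rand_get_ctx_params
PRNG is not seeded
"""
ENTER = re.compile(r"^sssprov-dbg: Enter - (\w+)\s*$")

def provider_calls(trace):
    """Return the ordered provider entry points logged in a trace."""
    return [m.group(1) for line in trace.splitlines() if (m := ENTER.match(line))]

def first_divergence(good, bad):
    """Index and the two calls where the sequences first differ (None = absent)."""
    for i, (g, b) in enumerate(zip_longest(good, bad)):
        if g != b:
            return i, g, b
    return None

def last_call_before(trace, marker):
    """Last provider entry point logged before the line containing marker."""
    calls = provider_calls(trace.split(marker)[0])
    return calls[-1] if calls else None

def never_reached(good, bad):
    """Entry points seen in the working trace but absent from the failing one."""
    return [c for c in dict.fromkeys(good) if c not in bad]
```

On the traces from the post, the sshd run stops after `sss_rand_get_ctx_params` and never reaches `sss_rand_generate`, while the working run creates and instantiates a second RAND context first.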

 
