ヘルプ
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

OpenSSL Provider with SE052F for RNG

キャンセル
提案をオンにする
自動提案では、入力時に可能な一致が提案されるので検索結果を素早く絞り込むことができます。
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

OpenSSL Provider with SE052F for RNG

木曜日
76件の閲覧回数
sam123
Contributor I

We have a requirement to use the SE052F as a FIPS compliant source for random number generation. We require OpenSSL to use the SE052F, and in turn, all applications that use the openssl libraries to use the SE052F for RNG.

I understand we must use the NXP MW accessManager and the OpenSSL Provider.
I am using: SE-PLUG-TRUST-MW_04.07.01
I have followed the instructions in:
AN14028.pdf
SE-PLUG-TRUST-MW_04.07.01/simw-top/doc/hostlib/hostLib/accessManager/doc/accessManager.html
and the README info here (but not using this repo): https://github.com/NXPPlugNTrust/se05x-openssl-provider

accessManager built with the following cmake options:

NXP_SE_MW_CONF_OPTS += -DWithSharedLIB=OFF -DPTMW_Host=Raspbian -DPTMW_SMCOM=T1oI2C -DPTMW_Applet=SE05X_C \
	-DPTMW_FIPS=None -DPTMW_SE05X_Ver=07_02 -DPTMW_SE05X_Auth=PlatfSCP03 -DPTMW_SCP=SCP03_SSS -DSE05X_EN_PIN=582 -DSE_RESET_LOGIC=0 \
	-DPAHO_BUILD_SHARED=FALSE -DPAHO_BUILD_STATIC=TRUE

 

OpenSSL Provider built with the following cmake options:

NXP_SE_MW2_CONF_OPTS += -DWithSharedLIB=ON -DPTMW_HostCrypto=OPENSSL -DPTMW_Host=Raspbian -DPTMW_SMCOM=JRCP_V1_AM -DPTMW_SE05X_Auth=None

 

openssl.cnf modified as follows:

[provider_sect]
nxp_prov = nxp_sect
default = default_sect

[nxp_sect]
identity = nxp_prov
module = /usr/lib/libsssProvider.so
activate = 1

[default_sect]
activate = 1

 

The accessManager starts:

Starting accessManager (Rev.1.1).
  Protect Link between accessManager and SE: YES.
accessManager JRCPv1 (T1oI2C SE side)
******************************************************************************
Server: waiting for connections on port 8040.
Server: only localhost based processes can connect.

 

RNG using openssl from the command line seems to work OK:

# openssl rand -hex 64
sssprov-dbg: Enter - OSSL_provider_init 
App   :INFO :Using PortName='127.0.0.1:8040' (gszSocketPortDefault)
App   :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
New client connection from 127.0.0.1. Client ID: 5
Command 0x00 from client 5
DUMMY_ATR=0x01.A0.00.00.03.96.04.03.E8.00.FE.02.0B.03.E8.00.01.00.00.00.00.64.13.88.0A.00.65.53.45.30.35.31.00.00.00.
Replacing *_ATR by default (pre-cooked) ATR.
ATR=0x3B.FB.18.00.00.81.31.FE.45.50.4C.41.43.45.48.4F.4C.44.45.52.AB.
Command 0x01 from client 5
SM_EstablishPlatformSCP03Am (Entry)
App   :WARN :Using SCP03 keys from:'/tmp/SE05X/plain_scp.txt' (FILE=/tmp/SE05X/plain_scp.txt)
SE051 connected.
SM_EstablishPlatformSCP03Am (Exit); Status = 0x9000
sss   :INFO :Newer version of Applet Found
sss   :INFO :Compiled for 0x70200. Got newer 0x70216
sss   :WARN :Communication channel is Plain.
sss   :WARN :!!!Not recommended for production use.!!!
sssprov-dbg: Enter - sss_rand_newctx 
sssprov-dbg: Enter - sss_rand_instantiate 
sssprov-dbg: Enter - sss_rand_enable_locking 
sssprov-dbg: Enter - sss_rand_newctx 
sssprov-dbg: Enter - sss_rand_instantiate 
sssprov-dbg: Enter - sss_rand_get_ctx_params 
sssprov-dbg: Enter - sss_rand_generate 
sssprov-flw: Get random data from SE05x 
Command 0x01 from client 5
SM_SendAPDUAm: smStatus = 0x9000
5f0f4d63e4ec771b8cfd46dd50c497b7e4e56e203ad5bc6eca9f8c28d23f39aa2d4a807915e3c60cf2e6a833794cb1208554f3e635811354eadd7b2c911c60da
sssprov-dbg: Enter - sss_rand_freectx 
sssprov-dbg: Enter - sss_rand_freectx 
sssprov-dbg: Enter - sss_teardown 
Received 0 byte from client 5 (Message Header Phase) .

 

But, starting the ssh daemon fails:

# /usr/sbin/sshd &
sssprov-dbg: Enter - OSSL_provider_init 
App   :INFO :Using PortName='127.0.0.1:8040' (gszSocketPortDefault)
App   :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
New client connection from 127.0.0.1. Client ID: 5
Command 0x00 from client 5
ATR=0x3B.FB.18.00.00.81.31.FE.45.50.4C.41.43.45.48.4F.4C.44.45.52.AB.
Command 0x01 from client 5
Pre-cooked response (rspAppletSelect)
sss   :INFO :Newer version of Applet Found
sss   :INFO :Compiled for 0x70200. Got newer 0x70216
sss   :WARN :Communication channel is Plain.
sss   :WARN :!!!Not recommended for production use.!!!
sssprov-dbg: Enter - sss_rand_newctx 
sssprov-dbg: Enter - sss_rand_instantiate 
sssprov-dbg: Enter - sss_rand_enable_locking 
sssprov-dbg: Enter - sss_rand_get_ctx_params 
PRNG is not seeded
Received 0 byte from client 5 (Message Header Phase) .
[2]+  Done(255)                  /usr/sbin/sshd

 

I'd be very grateful for any help,

Sam

 

0 件の賞賛
返信
0 返答(返信)
%3CLINGO-SUB%20id%3D%22lingo-sub-2365478%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ERNG%E7%94%A8%E3%81%AESE052F%E3%82%92%E5%82%99%E3%81%88%E3%81%9FOpenSSL%E3%83%97%E3%83%AD%E3%83%90%E3%82%A4%E3%83%80%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2365478%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3ESE052F%E3%82%92FIPS%E6%BA%96%E6%8B%A0%E3%81%AE%E4%B9%B1%E6%95%B0%E7%94%9F%E6%88%90%E5%99%A8%E3%81%A8%E3%81%97%E3%81%A6%E4%BD%BF%E7%94%A8%E3%81%99%E3%82%8B%E5%BF%85%E8%A6%81%E3%81%8C%E3%81%82%E3%82%8B%E3%80%82OpenSSL%E3%81%AB%E3%81%AFSE052F%E3%82%92%E4%BD%BF%E7%94%A8%E3%81%99%E3%82%8B%E3%81%93%E3%81%A8%E3%82%92%E7%BE%A9%E5%8B%99%E4%BB%98%E3%81%91%E3%81%A6%E3%81%8A%E3%82%8A%E3%80%81%E3%81%B2%E3%81%84%E3%81%A6%E3%81%AFopenssl%E3%83%A9%E3%82%A4%E3%83%96%E3%83%A9%E3%83%AA%E3%82%92%E4%BD%BF%E7%94%A8%E3%81%99%E3%82%8B%E3%81%99%E3%81%B9%E3%81%A6%E3%81%AE%E3%82%A2%E3%83%97%E3%83%AA%E3%82%B1%E3%83%BC%E3%82%B7%E3%83%A7%E3%83%B3%E3%81%AB%E3%82%82%E3%80%81%E4%B9%B1%E6%95%B0%E7%99%BA%E7%94%9F%E5%99%A8%E3%81%A8%E3%81%97%E3%81%A6SE052F%E3%82%92%E4%BD%BF%E7%94%A8%E3%81%99%E3%82%8B%E3%81%93%E3%81%A8%E3%82%92%E7%BE%A9%E5%8B%99%E4%BB%98%E3%81%91%E3%81%A6%E3%81%84%E3%81%BE%E3%81%99%E3%80%82%3C%2FP%3E%3CP%3ENXP%20MW%E3%81%AEaccessManager%E3%81%A8OpenSSL%E3%83%97%E3%83%AD%E3%83%90%E3%82%A4%E3%83%80%E3%82%92%E4%BD%BF%E7%94%A8%E3%81%99%E3%82%8B%E5%BF%85%E8%A6%81%E3%81%8C%E3%81%82%E3%82%8B%E3%81%93%E3%81%A8%E3%81%AF%E7%90%86%E8%A7%A3%E3%81%97%E3%81%A6%E3%81%84%E3%81%BE%E3%81%99%E3%80%82%3CBR%20%2F%3E%E4%BD%BF%E7%94%A8%E3%81%97%E3%81%A6%E3%81%84%E3%82%8B%E3%81%AE%E3%81%AF%20SE-PLUG-TRUST-MW_04.07.01%20%E3%81%A7%E3%81%99%E3%80%82%3CBR%20%2F%3E%E7%A7%81%E3%81%AF%E4%BB%A5%E4%B8%8B%E3%81%AE%E6%8C%87%E7%A4%BA%E3%81%AB%E5%BE%93%E3%81%84%E3%81%BE%E3%81%97%E3%81%9F%EF%BC%9A%3CBR%20%2F%3E%20AN14028.pdf%3CBR%20%2F%3ESE-PLUG-TRUST-MW_04.07.01%2Fsimw-top%2Fdoc%2Fhostlib%2FhostLib%2FaccessManager%2Fdoc%2FaccessManager.html%3CBR%20%2F%3E%E3%81%9D%E3%81%97%E3%81%A6%E3%80%81%E3%81%93%E3%81%A1%E3%82%89%E3%81%AEREADME%E6%83%85%E5%A0%B1%EF%BC%88%E3%81%9F%E3%81%A0%E3%81%97%E3%80%81%E3%81%93%E3%81%AE%E3%83%AA%E3%83%9D%E3%82%B8%E3%83%88%E3%83%AA%E3%81%AF%E4%BD%BF%E7%94%A8%E3%81%97%E3%81%A6%E3%81%84%E3%81%BE%E3%81%9B%E3%82%93%EF%BC%89%EF%BC%9A%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FNXPPlugNTrust%2Fse05x-openssl-provider%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2FNXPPlugNTrust%2Fse05x-openssl-provider%3C%2FA%3E%3C%2FP%3E%3CP%3EaccessManager%E3%81%AF%E4%BB%A5%E4%B8%8B%E3%81%AEcmake%E3%82%AA%E3%83%97%E3%82%B7%E3%83%A7%E3%83%B3%E3%82%92%E4%BD%BF%E7%94%A8%E3%81%97%E3%81%A6%E3%83%93%E3%83%AB%E3%83%89%E3%81%95%E3%82%8C%E3%81%BE%E3%81%97%E3%81%9F%E3%80%82%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%20translate%3D%22no%22%3ENXP_SE_MW_CONF_OPTS%20%2B%3D%20-DWithSharedLIB%3DOFF%20-DPTMW_Host%3DRaspbian%20-DPTMW_SMCOM%3DT1oI2C%20-DPTMW_Applet%3DSE05X_C%20%5C%0A%09-DPTMW_FIPS%3DNone%20-DPTMW_SE05X_Ver%3D07_02%20-DPTMW_SE05X_Auth%3DPlatfSCP03%20-DPTMW_SCP%3DSCP03_SSS%20-DSE05X_EN_PIN%3D582%20-DSE_RESET_LOGIC%3D0%20%5C%0A%09-DPAHO_BUILD_SHARED%3DFALSE%20-DPAHO_BUILD_STATIC%3DTRUE%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3CP%3E%E4%BB%A5%E4%B8%8B%E3%81%AEcmake%E3%82%AA%E3%83%97%E3%82%B7%E3%83%A7%E3%83%B3%E3%82%92%E4%BD%BF%E7%94%A8%E3%81%97%E3%81%A6%E3%83%93%E3%83%AB%E3%83%89%E3%81%95%E3%82%8C%E3%81%9FOpenSSL%E3%83%97%E3%83%AD%E3%83%90%E3%82%A4%E3%83%80%EF%BC%9A%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%20translate%3D%22no%22%3ENXP_SE_MW2_CONF_OPTS%20%2B%3D%20-DWithSharedLIB%3DON%20-DPTMW_HostCrypto%3DOPENSSL%20-DPTMW_Host%3DRaspbian%20-DPTMW_SMCOM%3DJRCP_V1_AM%20-DPTMW_SE05X_Auth%3DNone%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3CP%3Eopenssl.cnf%E3%82%92%E4%BB%A5%E4%B8%8B%E3%81%AE%E3%82%88%E3%81%86%E3%81%AB%E5%A4%89%E6%9B%B4%E3%81%97%E3%81%BE%E3%81%97%E3%81%9F%E3%80%82%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%20translate%3D%22no%22%3E%5Bprovider_sect%5D%0Anxp_prov%20%3D%20nxp_sect%0Adefault%20%3D%20default_sect%0A%0A%5Bnxp_sect%5D%0Aidentity%20%3D%20nxp_prov%0Amodule%20%3D%20%2Fusr%2Flib%2FlibsssProvider.so%0Aactivate%20%3D%201%0A%0A%5Bdefault_sect%5D%0Aactivate%20%3D%201%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3CP%3EaccessManager%E3%81%8C%E8%B5%B7%E5%8B%95%E3%81%97%E3%81%BE%E3%81%99%E3%80%82%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%20translate%3D%22no%22%3EStarting%20accessManager%20(Rev.1.1).%0A%20%20Protect%20Link%20between%20accessManager%20and%20SE%3A%20YES.%0AaccessManager%20JRCPv1%20(T1oI2C%20SE%20side)%0A******************************************************************************%0AServer%3A%20waiting%20for%20connections%20on%20port%208040.%0AServer%3A%20only%20localhost%20based%20processes%20can%20connect.%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3CP%3E%E3%82%B3%E3%83%9E%E3%83%B3%E3%83%89%E3%83%A9%E3%82%A4%E3%83%B3%E3%81%8B%E3%82%89openssl%E3%82%92%E4%BD%BF%E7%94%A8%E3%81%97%E3%81%A6%E4%B9%B1%E6%95%B0%E7%94%9F%E6%88%90%E3%82%92%E8%A1%8C%E3%81%86%E3%81%A8%E3%80%81%E5%95%8F%E9%A1%8C%E3%81%AA%E3%81%8F%E5%8B%95%E4%BD%9C%E3%81%99%E3%82%8B%E3%82%88%E3%81%86%E3%81%A7%E3%81%99%E3%80%82%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%20translate%3D%22no%22%3E%23%20openssl%20rand%20-hex%2064%0Asssprov-dbg%3A%20Enter%20-%20OSSL_provider_init%20%0AApp%20%20%20%3AINFO%20%3AUsing%20PortName%3D'127.0.0.1%3A8040'%20(gszSocketPortDefault)%0AApp%20%20%20%3AINFO%20%3AIf%20you%20want%20to%20over-ride%20the%20selection%2C%20use%20ENV%3DEX_SSS_BOOT_SSS_PORT%20or%20pass%20in%20command%20line%20arguments.%0ANew%20client%20connection%20from%20127.0.0.1.%20Client%20ID%3A%205%0ACommand%200x00%20from%20client%205%0ADUMMY_ATR%3D0x01.A0.00.00.03.96.04.03.E8.00.FE.02.0B.03.E8.00.01.00.00.00.00.64.13.88.0A.00.65.53.45.30.35.31.00.00.00.%0AReplacing%20*_ATR%20by%20default%20(pre-cooked)%20ATR.%0AATR%3D0x3B.FB.18.00.00.81.31.FE.45.50.4C.41.43.45.48.4F.4C.44.45.52.AB.%0ACommand%200x01%20from%20client%205%0ASM_EstablishPlatformSCP03Am%20(Entry)%0AApp%20%20%20%3AWARN%20%3AUsing%20SCP03%20keys%20from%3A'%2Ftmp%2FSE05X%2Fplain_scp.txt'%20(FILE%3D%2Ftmp%2FSE05X%2Fplain_scp.txt)%0ASE051%20connected.%0ASM_EstablishPlatformSCP03Am%20(Exit)%3B%20Status%20%3D%200x9000%0Asss%20%20%20%3AINFO%20%3ANewer%20version%20of%20Applet%20Found%0Asss%20%20%20%3AINFO%20%3ACompiled%20for%200x70200.%20Got%20newer%200x70216%0Asss%20%20%20%3AWARN%20%3ACommunication%20channel%20is%20Plain.%0Asss%20%20%20%3AWARN%20%3A!!!Not%20recommended%20for%20production%20use.!!!%0Asssprov-dbg%3A%20Enter%20-%20sss_rand_newctx%20%0Asssprov-dbg%3A%20Enter%20-%20sss_rand_instantiate%20%0Asssprov-dbg%3A%20Enter%20-%20sss_rand_enable_locking%20%0Asssprov-dbg%3A%20Enter%20-%20sss_rand_newctx%20%0Asssprov-dbg%3A%20Enter%20-%20sss_rand_instantiate%20%0Asssprov-dbg%3A%20Enter%20-%20sss_rand_get_ctx_params%20%0Asssprov-dbg%3A%20Enter%20-%20sss_rand_generate%20%0Asssprov-flw%3A%20Get%20random%20data%20from%20SE05x%20%0ACommand%200x01%20from%20client%205%0ASM_SendAPDUAm%3A%20smStatus%20%3D%200x9000%0A5f0f4d63e4ec771b8cfd46dd50c497b7e4e56e203ad5bc6eca9f8c28d23f39aa2d4a807915e3c60cf2e6a833794cb1208554f3e635811354eadd7b2c911c60da%0Asssprov-dbg%3A%20Enter%20-%20sss_rand_freectx%20%0Asssprov-dbg%3A%20Enter%20-%20sss_rand_freectx%20%0Asssprov-dbg%3A%20Enter%20-%20sss_teardown%20%0AReceived%200%20byte%20from%20client%205%20(Message%20Header%20Phase)%20.%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3CP%3E%E3%81%97%E3%81%8B%E3%81%97%E3%80%81ssh%E3%83%87%E3%83%BC%E3%83%A2%E3%83%B3%E3%81%AE%E8%B5%B7%E5%8B%95%E3%81%AB%E5%A4%B1%E6%95%97%E3%81%97%E3%81%BE%E3%81%99%E3%80%82%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%20translate%3D%22no%22%3E%23%20%2Fusr%2Fsbin%2Fsshd%20%26amp%3B%0Asssprov-dbg%3A%20Enter%20-%20OSSL_provider_init%20%0AApp%20%20%20%3AINFO%20%3AUsing%20PortName%3D'127.0.0.1%3A8040'%20(gszSocketPortDefault)%0AApp%20%20%20%3AINFO%20%3AIf%20you%20want%20to%20over-ride%20the%20selection%2C%20use%20ENV%3DEX_SSS_BOOT_SSS_PORT%20or%20pass%20in%20command%20line%20arguments.%0ANew%20client%20connection%20from%20127.0.0.1.%20Client%20ID%3A%205%0ACommand%200x00%20from%20client%205%0AATR%3D0x3B.FB.18.00.00.81.31.FE.45.50.4C.41.43.45.48.4F.4C.44.45.52.AB.%0ACommand%200x01%20from%20client%205%0APre-cooked%20response%20(rspAppletSelect)%0Asss%20%20%20%3AINFO%20%3ANewer%20version%20of%20Applet%20Found%0Asss%20%20%20%3AINFO%20%3ACompiled%20for%200x70200.%20Got%20newer%200x70216%0Asss%20%20%20%3AWARN%20%3ACommunication%20channel%20is%20Plain.%0Asss%20%20%20%3AWARN%20%3A!!!Not%20recommended%20for%20production%20use.!!!%0Asssprov-dbg%3A%20Enter%20-%20sss_rand_newctx%20%0Asssprov-dbg%3A%20Enter%20-%20sss_rand_instantiate%20%0Asssprov-dbg%3A%20Enter%20-%20sss_rand_enable_locking%20%0Asssprov-dbg%3A%20Enter%20-%20sss_rand_get_ctx_params%20%0APRNG%20is%20not%20seeded%0AReceived%200%20byte%20from%20client%205%20(Message%20Header%20Phase)%20.%0A%5B2%5D%2B%20%20Done(255)%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2Fusr%2Fsbin%2Fsshd%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3CP%3E%E3%81%A9%E3%82%93%E3%81%AA%E5%8A%A9%E3%81%91%E3%81%A7%E3%82%82%E5%A4%A7%E5%A4%89%E3%81%82%E3%82%8A%E3%81%8C%E3%81%9F%E3%81%84%E3%81%A7%E3%81%99%E3%80%82%3C%2FP%3E%3CP%3ESam%3C%2FP%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E