OpenSSL doesn't handle refpem key correctly, nxp scheme is working



tksec
Contributor II

Hi all,

I'm trying to integrate the SE050 to be used in a node.js webserver. I successfully compiled the middleware including the OpenSSL provider and also got the ssscli to work.

With ssscli I created a keypair, injected it into the SE and created a refpem key. I also adapted the openssl.cnf of the system to match the one in simwtop/demos/linux/common/openssl30_sss_se050.cnf.

But any TLS connection to the server fails in the handshake as OpenSSL uses the reference to the key slot as actual private key instead of calling the SE050 provider.

I also tried to get it to work with OpenSSL CLI, i.e., openssl s_server. I can get a connection using the nxp:<slot> scheme but not using the refpem key file.

The following command leads to the error:

openssl s_server -accept 12345 -cert server.pem -key server.refpem.key -CAfile root.pem

Error:

SSL3 alert read:fatal:decrypt error
SSL_accept:error in error
ERROR
20203CA4FFFF0000:error:1B80006E:lib(55):ossl_parse_query:trailing characters:../openssl-3.0.13/crypto/property/property_parse.c:454:HERE-->/usr/lib/libsssProvider.so
20203CA4FFFF0000:error:0A00041B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:../openssl-3.0.13/ssl/record/rec_layer_s3.c:1590:SSL alert number 51
shutting down SSL

If I use the nxp URL scheme, though, I can successfully connect to the server.

openssl s_server -accept 12345 -cert server.pem -key nxp:0x6789ABCD -CAfile root.pem

However, I can't specify the nxp:0x6789ABCD key reference in the node.js code but have to use the refpem file. Is there any way to do that?

I also tried to make OpenSSL prioritize the SE050 provider over the default one by specifying a propquery in the config file. But no luck so far.

# Relevant parts from openssl.cnf
[openssl_init]
providers = provider_sect
alg_section = evp_properties

[provider_sect]
default = default_sect
nxp_prov = nxp_prov_sec

[default_sect]
activate = 1

[nxp_prov_sec]
identity = nxp_prov
module = /usr/local/lib/libsssProvider.so
activate = 1

[evp_properties]
default_properties = ?provider=nxp_prov

Any help would be highly appreciated!

thomas_ha
Contributor I

Hi @tksec,

have you found a suitable way to use the key reference in node.js?

I have a similar issue. I am using the se05x-openssl-provider (v01.00.03) with OpenSSL 3.0.14 to generate a key pair, but I am unable to use "Reference Keys in file format" as described in the README file of the GitHub repo of the OpenSSL provider.
The other two versions (labels with reference key, example: nxp:"path to reference key file", and labels with key id, example: nxp:0x12345678) just work fine.

The README says the following: "NOTE: When using this method, the sss provider has to be loaded first. This will ensure that the sss provider can decode the key id information present in the reference key."
Unfortunately, I don't know how to do this. Loading the provider by adding it to the openssl.cnf file did not work for me. I still get a decrypt error if I want to use the reference key in file format.

Thank you in advance.

Best regards

Thomas

tksec
Contributor II

Hi @Kan_Li 

thanks for clarifying that the refpem key is only usable with the OpenSSL engine. The issue with node.js in particular is that it calls the PEM_read_bio_PrivateKey function directly on any key string that is provided, which obviously fails when the key string is not a PEM string or file path but a URI. There is no direct support for OpenSSL providers yet.

I reverted back to using the OpenSSL engine instead and got into similar problems. While using an EC key is working perfectly, using an RSA key fails again while parsing the PEM file with error:1E08010C:DECODER routines::unsupported from OpenSSL. I debugged the code and could trace the error back to the function PEM_read_bio_PrivateKey which is called from within EmbSe_LoadPrivKey in the engine's code.

Are you aware of such an issue to handle an RSA refpem key in the OpenSSL engine? How can this be solved? For me it looks like the refpem is more invasive for RSA than it is for EC keys which might be an issue?

Kan_Li
NXP TechSupport

Hi @tksec ,

How did you generate the refpem for the RSA key? With the ssscli tool? Which version of the MW are you using now? Please kindly clarify.

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

tksec
Contributor II

Hi @Kan_Li ,

yes, I used the ssscli tool. I'm running MW v4.05.00. I created the original key with OpenSSL on a different system, loaded it into the SE using the ssscli set command and created the refpem with the ssscli refpem command. The key can successfully be used and parsed when using the openssl commands like s_client, s_server, rsa, etc. It can also be converted to an EVP_PKEY using the OSSL_STORE API (which is what the openssl commands do internally), but it fails to parse using PEM_read_bio_PrivateKey, which is used by both the NXP engine (in EmbSe_LoadPrivKey) and node.js.

Thanks!

Kan_Li
NXP TechSupport

Hi @tksec ,

Thanks for the information! What is the use case you are using the refpem file for? Sign & verify? I may try to reproduce this issue here.

Best Regards,

Kan

Kan_Li
NXP TechSupport

Hi @tksec ,

The refpem key file is only for the OpenSSL engine, but since you use OpenSSL 3.x with the provider, please use "nxp:key_id" instead. You may compare "se05x_mw_v04.05.01\simw-top\demos\linux\tls_client\scripts\tlsSeClient.sh" with "se05x_mw_v04.05.01\simw-top\demos\linux\tls_client\scripts\tlsSeClient_3_0.sh" to check the difference. I am also wondering whether you have any security concern regarding this; actually, in my opinion, it is just a string that should be accepted by most scripts, so why are you not able to specify the nxp:0x6789ABCD key reference in the node.js code? Please kindly clarify.

Have a great day,
Kan

