PKCS#11 not working on SE050

msalvinik · ‎10-26-2023

Hi all,

I'm testing PKCS#11 on SE050 chip using a OM-SE050ARD board (SE050C chip mounted on it) connected through I2C to a i.MX8MN custom SoM. I'm using the Plug & Trust MW v04.03.01 with OpenSC 0.22 (PKCS#11 v.2.40).

I'm following the documentation contained in the middleware package (simw-top/doc/plugins/pkcs11.html, "8.8. PKCS#11 Standalone Library").

When I try to sign a file with SHA256-RSA-PKCS (as reported in documentation) I get the error

error: PKCS11 function C_SignUpdate failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)

Here are the commands executed:

# chip reset
ssscli connect se05x t1oi2c /dev/i2c-2
ssscli se05x reset
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
ssscli disconnect
# example file creation
echo Hello > myfile
# needed exports
export EX_SSS_BOOT_SSS_PORT=/dev/i2c-2
export PKCS11_MODULE=/usr/lib/libsss_pkcs11.so
# keypair generation
pkcs11-tool --module $PKCS11_MODULE --keypairgen --key-type rsa:1024 --label "sss:20202020"
Using slot 0 with a present token (0x1)
smCom :WARN :Invalid conn_ctx
App :INFO :Using PortName='/dev/i2c-2' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-2)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
Key pair generated:
Private Key Object; RSA
label: sss:20202020
ID: 20202020
Usage: decrypt, sign
Access: sensitive, always sensitive
Allowed mechanisms: RSA-PKCS,SHA1-RSA-PKCS,SHA224-RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA224-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS,RSA-PKCS-OAEP
Public Key Object; RSA 1024 bits
label: sss:20202020
ID: 20202020
Usage: none
Access: none
# signing
pkcs11-tool --module $PKCS11_MODULE --sign --label sss:20202020 -m SHA256-RSA-PKCS --slot 1 -i myfile -o myfile.sig
smCom :WARN :Invalid conn_ctx
App :INFO :Using PortName='/dev/i2c-2' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-2)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
Using signature algorithm SHA256-RSA-PKCS
error: PKCS11 function C_SignUpdate failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Aborting.

Attached the cmake configuration used to build the middleware.

How can I solve this issue?

Thanks in advance

Mauro

msalvinik · ‎10-26-2023

I found this thread https://community.nxp.com/t5/Secure-Authentication/Broken-pkcs11-sign-and-verify-in-SDK-SE05x-MW-v04... where @vishwanchandapu got the same error.

As @Kan_Li stated, hash+encrypt in one step is not supported at the moment. Then I split the hash and encryption steps separately, as @Kan_Li suggested, and commands worked properly. I suggest to update the documentation.

Symmetrically I suppose that also verification does not work and should be done in two steps: signature decryption and resulting hash comparison with original one.

But trying to decrypt the signature using RSA-PCKS results in the following error:

pkcs11-tool --module $PKCS11_MODULE --decrypt --label sss:20202020 -m RSA-PKCS -i myfile.signature -o myfile.decrypted
Using slot 0 with a present token (0x1)
smCom :WARN :Invalid conn_ctx
App :INFO :Using PortName='/dev/i2c-2' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-2)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
Using decrypt algorithm RSA-PKCS
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:7026 Function:sss_se05x_TXn
PKCS11:ERROR:sss_asymmetric_decrypt failed
error: PKCS11 function C_Decrypt failed: rv = CKR_FUNCTION_FAILED (0x6)
Aborting.

Any suggestions?

Kan_Li · ‎10-27-2023

Hi @msalvinik ,

Your question has been submitted to our expert team for analyzation. Thanks for your patience!

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

marcocavallini · ‎11-04-2023

Hello,

We are looking forward to receiving a response.

Thank you

--

Marco Cavallini | KOAN sas
Bergamo - Italia
embedded software engineering
https://KoanSoftware.com

Kan_Li · ‎11-06-2023

Hi @marcocavallini @msalvinik ,

This is confirmed as an issue in PKCS11 library, and we are working on to fix it, but not sure if it meets your timeline, for a quick solution, maybe you can use some older MW version instead, in our tests MW version 04.01.01 is working.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

msalvinik · ‎11-10-2023

Hi @Kan_Li ,

thank you for your update.

Where can we download the 04.01.01 middleware version? On the NXP site there is only the current version 04.03.01.

Thank you

Kan_Li · ‎11-13-2023

Hi @msalvinik ,

Actually it is not available on the public web, but if you need it you may create a ticket via the case portal. We may share with you then.

Please kindly refer to https://www.nxp.com/video/tutorial-for-nxp-support-case-portal:NCP-VIDEO for more details.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

marcocavallini · ‎11-13-2023

I can't find where to create a ticket via the case portal

Kan_Li · ‎11-13-2023

Hi @marcocavallini ,

Please kindly refer to the following for details.

Hope that helps,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------