PKCS#11 not working on SE050


2,426 views
msalvinik
Contributor III

Hi all,

I'm testing PKCS#11 on an SE050 chip using an OM-SE050ARD board (SE050C chip mounted on it) connected through I2C to an i.MX8MN custom SoM. I'm using the Plug & Trust MW v04.03.01 with OpenSC 0.22 (PKCS#11 v2.40).

I'm following the documentation contained in the middleware package (simw-top/doc/plugins/pkcs11.html, "8.8. PKCS#11 Standalone Library").

When I try to sign a file with SHA256-RSA-PKCS (as reported in the documentation) I get the error

error: PKCS11 function C_SignUpdate failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)

Here are the commands executed:

# chip reset

ssscli connect se05x t1oi2c /dev/i2c-2

ssscli se05x reset
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!

ssscli disconnect

# example file creation

echo Hello > myfile

# needed exports

export EX_SSS_BOOT_SSS_PORT=/dev/i2c-2

export PKCS11_MODULE=/usr/lib/libsss_pkcs11.so

# keypair generation
pkcs11-tool --module $PKCS11_MODULE --keypairgen --key-type rsa:1024 --label "sss:20202020"
Using slot 0 with a present token (0x1)
smCom :WARN :Invalid conn_ctx
App :INFO :Using PortName='/dev/i2c-2' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-2)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
Key pair generated:
Private Key Object; RSA
label: sss:20202020
ID: 20202020
Usage: decrypt, sign
Access: sensitive, always sensitive
Allowed mechanisms: RSA-PKCS,SHA1-RSA-PKCS,SHA224-RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA224-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS,RSA-PKCS-OAEP
Public Key Object; RSA 1024 bits
label: sss:20202020
ID: 20202020
Usage: none
Access: none

# signing
pkcs11-tool --module $PKCS11_MODULE --sign --label sss:20202020 -m SHA256-RSA-PKCS --slot 1 -i myfile -o myfile.sig
smCom :WARN :Invalid conn_ctx
App :INFO :Using PortName='/dev/i2c-2' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-2)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
Using signature algorithm SHA256-RSA-PKCS
error: PKCS11 function C_SignUpdate failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Aborting.

Attached is the cmake configuration used to build the middleware.

How can I solve this issue?

Thanks in advance

Mauro


8 replies

2,411 views
msalvinik
Contributor III

I found this thread https://community.nxp.com/t5/Secure-Authentication/Broken-pkcs11-sign-and-verify-in-SDK-SE05x-MW-v04... where @vishwanchandapu got the same error.

As @Kan_Li stated, hash+encrypt in one step is not supported at the moment. Then I split the hash and encryption steps, as @Kan_Li suggested, and the commands worked properly. I suggest updating the documentation.

Symmetrically, I suppose that verification also does not work and should be done in two steps: signature decryption and comparison of the resulting hash with the original one.

But trying to decrypt the signature using RSA-PKCS results in the following error:

pkcs11-tool --module $PKCS11_MODULE --decrypt --label sss:20202020 -m RSA-PKCS -i myfile.signature -o myfile.decrypted

Using slot 0 with a present token (0x1)
smCom :WARN :Invalid conn_ctx
App :INFO :Using PortName='/dev/i2c-2' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-2)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
Using decrypt algorithm RSA-PKCS
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:7026 Function:sss_se05x_TXn
PKCS11:ERROR:sss_asymmetric_decrypt failed
error: PKCS11 function C_Decrypt failed: rv = CKR_FUNCTION_FAILED (0x6)
Aborting.

Any suggestions?

0 Kudos
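The split described in the reply above (hash on the host, then CKM_RSA_PKCS on the token) modelled in Python, as an added example that is neither the poster's commands nor OpenSC or Plug & Trust MW code. The key is a constructed, deliberately weak demo key, and the `sss:20202020` token object plays no part; the block only shows what the host must hand to RSA-PKCS for the result to match a single-step SHA256-RSA-PKCS signature.

```python
# Added example (not from the thread, OpenSC or the Plug & Trust MW): a pure-Python model
# of the workaround in the reply above. Signing with CKM_RSA_PKCS over a DigestInfo built
# on the host is what SHA256-RSA-PKCS does in one step; signing the bare hash is not.
import secrets
from hashlib import sha256

# DER prefix of the SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed, deliberately weak demo key: n is the product of two Mersenne primes
# (2^521-1 and 2^127-1), chosen only so the block runs without a key generator.
_P, _Q = (1 << 521) - 1, (1 << 127) - 1
DEMO_PUB = (_P * _Q, 65537)
DEMO_PRIV = (_P * _Q, pow(65537, -1, (_P - 1) * (_Q - 1)))

def digest_info_sha256(data: bytes) -> bytes:
    """Step 1 of the workaround: hash on the host and wrap the digest in DigestInfo."""
    return SHA256_DIGESTINFO_PREFIX + sha256(data).digest()

def emsa_pkcs1_v15(t: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 (block type 01), the padding CKM_RSA_PKCS applies when signing."""
    if k < len(t) + 11:
        raise ValueError("modulus too short for the DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_pkcs_sign(priv, t: bytes) -> bytes:
    """Step 2: CKM_RSA_PKCS over caller-supplied bytes (the token's private-key op)."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(t, k), "big"), d, n).to_bytes(k, "big")

def sha256_rsa_pkcs_sign(priv, data: bytes) -> bytes:
    """The single-step mechanism that fails in the thread: hash + DigestInfo + RSA-PKCS."""
    return rsa_pkcs_sign(priv, digest_info_sha256(data))

def sha256_rsa_pkcs_verify(pub, data: bytes, sig: bytes) -> bool:
    """Two-step verify: public-key op, then compare the whole encoded block (RFC 8017
    section 8.2.2) with the expected one instead of parsing the recovered padding."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, emsa_pkcs1_v15(digest_info_sha256(data), k))

if __name__ == "__main__":
    msg = b"Hello\n"  # what `echo Hello > myfile` in the thread writes
    two_step = rsa_pkcs_sign(DEMO_PRIV, digest_info_sha256(msg))
    print(two_step == sha256_rsa_pkcs_sign(DEMO_PRIV, msg))  # True: same signature
    print(sha256_rsa_pkcs_verify(DEMO_PUB, msg, two_step))   # True
    bare = rsa_pkcs_sign(DEMO_PRIV, sha256(msg).digest())    # bare hash, no DigestInfo
    print(sha256_rsa_pkcs_verify(DEMO_PUB, msg, bare))       # False: not interoperable
```

The verify side needs only the public key: RFC 8017 recovers the encoded block with the public-key operation and compares it against the expected DigestInfo block, so no private-key decrypt is involved.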

2,391 views
Kan_Li
NXP TechSupport

Hi @msalvinik ,

Your question has been submitted to our expert team for analysis. Thanks for your patience!

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos

2,304 views
marcocavallini
Contributor V
Hello,
We are looking forward to receiving a response.
Thank you
--

Marco Cavallini | KOAN sas
Bergamo - Italia
embedded software engineering
https://KoanSoftware.com

0 Kudos

2,264 views
Kan_Li
NXP TechSupport

Hi @marcocavallini @msalvinik ,

This is confirmed as an issue in the PKCS11 library, and we are working on fixing it, but we are not sure whether it meets your timeline. For a quick solution, maybe you can use an older MW version instead; in our tests MW version 04.01.01 is working.

Have a great day,
Kan



0 Kudos

2,184 views
msalvinik
Contributor III

Hi @Kan_Li ,

thank you for your update.

Where can we download the 04.01.01 middleware version? On the NXP site there is only the current version 04.03.01.

Thank you

0 Kudos

2,154 views
Kan_Li
NXP TechSupport

Hi @msalvinik ,

Actually it is not available on the public web, but if you need it you may create a ticket via the case portal. We may share it with you then.

Please kindly refer to https://www.nxp.com/video/tutorial-for-nxp-support-case-portal:NCP-VIDEO for more details.

Have a great day,
Kan



0 Kudos

2,145 views
marcocavallini
Contributor V
I can't find where to create a ticket via the case portal
0 Kudos

2,126 views
Kan_Li
NXP TechSupport

Hi @marcocavallini ,

Please kindly refer to the following for details.

[screenshot attachment: Kan_Li_0-1699931014943.png]

[screenshot attachment: Kan_Li_1-1699931045658.png]

Hope that helps,

Have a great day,
Kan


0 Kudos