Hi all,
I'm testing PKCS#11 on an SE050 chip using an OM-SE050ARD board (SE050C chip mounted on it) connected through I2C to an i.MX8MN custom SoM. I'm using the Plug & Trust MW v04.03.01 with OpenSC 0.22 (PKCS#11 v2.40).
I'm following the documentation contained in the middleware package (simw-top/doc/plugins/pkcs11.html, "8.8. PKCS#11 Standalone Library").
When I try to sign a file with SHA256-RSA-PKCS (as described in the documentation) I get the error
error: PKCS11 function C_SignUpdate failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Here are the commands executed:
# chip reset
ssscli connect se05x t1oi2c /dev/i2c-2
ssscli se05x reset
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
ssscli disconnect
# example file creation
echo Hello > myfile
# needed exports
export EX_SSS_BOOT_SSS_PORT=/dev/i2c-2
export PKCS11_MODULE=/usr/lib/libsss_pkcs11.so
# keypair generation
pkcs11-tool --module $PKCS11_MODULE --keypairgen --key-type rsa:1024 --label "sss:20202020"
Using slot 0 with a present token (0x1)
smCom :WARN :Invalid conn_ctx
App :INFO :Using PortName='/dev/i2c-2' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-2)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
Key pair generated:
Private Key Object; RSA
label: sss:20202020
ID: 20202020
Usage: decrypt, sign
Access: sensitive, always sensitive
Allowed mechanisms: RSA-PKCS,SHA1-RSA-PKCS,SHA224-RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA224-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS,RSA-PKCS-OAEP
Public Key Object; RSA 1024 bits
label: sss:20202020
ID: 20202020
Usage: none
Access: none
# signing
pkcs11-tool --module $PKCS11_MODULE --sign --label sss:20202020 -m SHA256-RSA-PKCS --slot 1 -i myfile -o myfile.sig
smCom :WARN :Invalid conn_ctx
App :INFO :Using PortName='/dev/i2c-2' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-2)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
Using signature algorithm SHA256-RSA-PKCS
error: PKCS11 function C_SignUpdate failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Aborting.
Attached is the cmake configuration used to build the middleware.
How can I solve this issue?
Thanks in advance
Mauro
I found this thread https://community.nxp.com/t5/Secure-Authentication/Broken-pkcs11-sign-and-verify-in-SDK-SE05x-MW-v04... where @vishwanchandapu got the same error.
As @Kan_Li stated, hash+encrypt in one step is not supported at the moment. I then split the hash and encryption steps, as @Kan_Li suggested, and the commands worked properly. I suggest updating the documentation.
Symmetrically, I suppose that verification also does not work and should be done in two steps: signature decryption and comparison of the resulting hash with the original one.
But trying to decrypt the signature using RSA-PKCS results in the following error:
pkcs11-tool --module $PKCS11_MODULE --decrypt --label sss:20202020 -m RSA-PKCS -i myfile.signature -o myfile.decrypted
Using slot 0 with a present token (0x1)
smCom :WARN :Invalid conn_ctx
App :INFO :Using PortName='/dev/i2c-2' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-2)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
Using decrypt algorithm RSA-PKCS
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:7026 Function:sss_se05x_TXn
PKCS11:ERROR:sss_asymmetric_decrypt failed
error: PKCS11 function C_Decrypt failed: rv = CKR_FUNCTION_FAILED (0x6)
Aborting.
Any suggestions?
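The two-step flow from the reply above, written out as an added example that is not part of the thread or of the Plug & Trust middleware: hash the file and wrap the digest as a DER DigestInfo off-token, sign that block with the plain RSA-PKCS mechanism, and verify with the public key exported from the token (the RSA public operation, done here with openssl) rather than with C_Decrypt. It assumes the exports and the sss:20202020 label from the post, that openssl is available on the board, and that pkcs11-tool --read-object --type pubkey returns a DER SubjectPublicKeyInfo.

```shell
#!/bin/sh
# Two-step SHA256-RSA-PKCS signing on the SE050 through pkcs11-tool (added example,
# not from the thread or the Plug & Trust middleware). Assumes PKCS11_MODULE and
# EX_SSS_BOOT_SSS_PORT are exported as in the post and the key sss:20202020 exists.
set -eu

# Write DigestInfo(SHA-256(file $1)) to $2: the DER header from RFC 8017,
# section 9.2, note 1, followed by the raw hash. SHA256-RSA-PKCS would build
# this block inside the token; with RSA-PKCS the token only adds the PKCS#1
# v1.5 padding and does the private-key operation, so we build it here.
# The 0x00 byte comes from dd because some printf builtins stop at NUL.
sha256_digestinfo() {
    {
        printf '\060\061\060\015\006\011\140\206\110\001\145\003\004\002\001\005'
        dd if=/dev/zero bs=1 count=1 2>/dev/null
        printf '\004\040'
        openssl dgst -sha256 -binary "$1"
    } > "$2"
}

# Step on the token: raw PKCS#1 v1.5 signature over the DigestInfo in $1.
se050_sign_digestinfo() {
    pkcs11-tool --module "$PKCS11_MODULE" --sign -m RSA-PKCS \
        --label sss:20202020 -i "$1" -o "$2"
}

# Verification is the RSA public-key operation, so it needs the public key,
# not C_Decrypt with the private key. Export it once as PEM into $1
# (assumes pkcs11-tool returns a DER SubjectPublicKeyInfo).
se050_export_pubkey() {
    pkcs11-tool --module "$PKCS11_MODULE" --read-object --type pubkey \
        --label sss:20202020 -o "$1.der"
    openssl rsa -pubin -inform DER -in "$1.der" -out "$1"
}

# Exit 0 when $3 is a valid SHA256-RSA-PKCS signature of file $2 under key $1.
# openssl rebuilds the same DigestInfo, so the two-step signature verifies
# exactly like a one-step SHA256-RSA-PKCS one.
verify_sha256_rsa_pkcs() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Full flow on the board:  sh sign.sh run myfile
if [ "${1:-}" = "run" ]; then
    sha256_digestinfo "$2" "$2.di"
    se050_sign_digestinfo "$2.di" "$2.sig"
    se050_export_pubkey pub.pem
    verify_sha256_rsa_pkcs pub.pem "$2" "$2.sig" && echo "signature OK"
fi
```

Because the signature produced this way is byte-for-byte a standard SHA256-RSA-PKCS signature, any verifier that already handles one-step signatures (openssl, a TLS stack, a bootloader) accepts it unchanged.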
Hi @msalvinik ,
Your question has been submitted to our expert team for analysis. Thanks for your patience!
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
Marco Cavallini | KOAN sas
Bergamo - Italia
embedded software engineering
https://KoanSoftware.com
Hi @marcocavallini @msalvinik ,
This is confirmed as an issue in the PKCS11 library, and we are working on fixing it, but I am not sure if it meets your timeline. For a quick solution, maybe you can use an older MW version instead; in our tests MW version 04.01.01 is working.
Have a great day,
Kan
Hi @msalvinik ,
Actually it is not available on the public web, but if you need it you may create a ticket via the case portal. We may share with you then.
Please kindly refer to https://www.nxp.com/video/tutorial-for-nxp-support-case-portal:NCP-VIDEO for more details.
Have a great day,
Kan
Hi @marcocavallini ,
Please kindly refer to the following for details.
Hope that helps,
Have a great day,
Kan