- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- Neural Processing UnitsNeural Processing Units
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
- Neural Processing Units
-
- NXP Tech Blogs
- Home
- :
- Identification and Security
- :
- Secure Authentication
- :
- PKCS11 communication to SE050 via OpenSSL
PKCS11 communication to SE050 via OpenSSL
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
PKCS11 communication to SE050 via OpenSSL
a month ago
918 Views
Ryopo0802
Contributor II
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Introduction
We want to access a private key stored on se050 from the mod_ssl (openssl-based) of the Apache web server and perform TLS communication.
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#page-header
# To use a private key from a PKCS#11 token: SSLCertificateKeyFile "pkcs11:token=My%20Token%20Name;id=45"
Hardware
- SE050
Software
- PlugAndTrust: v04.05.01
- openssl: 3.0.12
Tried it
To verify communication with SE050 using pkcs#11, we first attempted to create a key.
# openssl genpkey \
> -provider pkcs11prov \
> -algorithm EC \
> -pkeyopt ec_paramgen_curve:P-256 \
> -pkeyopt pkcs11_id:01 \
> -pkeyopt pkcs11_label:MyNewKey
genpkey: Error setting pkcs11_id:01 parameter:
20001EBB7F000000:error:03000093:digital envelope routines:default_fixup_args:command not supported:crypto/evp/ctrl_params_translate.c:580:[action:2, state:4] name=pkcs11_id, value=01
openssl.cnf :
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect
[default_sect]
activate = 1
[pkcs11_sect]
identity = pkcs11prov
module = /usr/lib/ossl-modules/pkcs11prov.so
pkcs11_module = /usr/lib/libsss_pkcs11.so
activate = 1
Using the "-out" option successfully generated the key, but it was generated as a file.
# openssl genpkey -provider pkcs11prov -provider default \
> -algorithm EC \
> -pkeyopt ec_paramgen_curve:P-256 \
> -out "pkcs11:id=%01;object=MyNewKey"
Questions
- Is it possible to communicate with SE050 using PKCS#11 with openssl3.x (provider-based)? The following is engine-based.
https://docs.nxp.com/bundle/LLDPUG_L6.1.36_2.1.0/page/topics/pkcs_11_based_openssl_engine_third-part... - Are the openssl.cnf file and the libraries being used incorrect?
- Is the command you used to generate the key incorrect?
I look forward to your response.
5 Replies
3 weeks ago
607 Views
db16122
Contributor III
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pkcs11-tool generates 2 private keys for keypairgen Which platform you are using for SE050
3 weeks ago
752 Views
Kan_Li
NXP TechSupport
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Ryopo0802 ,
Which SE05x variant are you testing with? Was it SE050E2? Please kindly clarify.
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
3 weeks ago
747 Views
Ryopo0802
Contributor II
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
526 Views
Kan_Li
NXP TechSupport
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Ryopo0802 ,
We checked pkcs#11 provider +nxp pkcs11 plugin is not working , we could replicate the error customer is getting. So it not works for now. Moreover, here: pkcs11-provider/HOWTO.md at main · openssl-projects/pkcs11-provider · GitHub
for key generation they have given recommendation to use tools working with pkcs11 directly such as p11tool for key generation.
However, nxp's openssl provider can be used without pkcs 11: GitHub - NXPPlugNTrust/se05x-openssl-provider: This is the OpenSSL Provider for Se05x. · GitHub
If you don't want to use NXP's Openssl provider, I would be also interested to understand why is that.
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
Monday
220 Views
Ryopo0802
Contributor II
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, @Kan_Li
> If you don't want to use NXP's Openssl provider, I would be also interested to understand why is that.
I want to use HTTPS communication from an Apache server with a private key in an NXP Secure Element. Apache can only access the private key via PKCS#11 using openssl-based mod_ssl. Therefore, openssl + PKCS#11 is required. Is there a solution?
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
Best regards,
