Good morning,
I am able to generate an RSA key pair with success.
But now I need to access my key pair by the reference key.
Through the seTool demo code I can see the generation of an ECC reference key.
I need the same thing but for RSA in C. Where can I find this example?
Thanks in advance.
Cristiane Bellenzier Piaia
Hello Cristiane, All,
Please find attached the latest seTool. The following sequence should work:
./seTool genRsa 2048 0x00000020 /dev/i2c-1
./seTool getRsaRef 2048 0x00000020 server.key /dev/i2c-1
export OPENSSL_CONF=~/se_mw_04.03.01/simw-top/demos/linux/common/openssl11_sss_se050.cnf
openssl req -config device.cnf -key server.key -new -sha256 -out server.csr -batch
openssl req -text -noout -verify -in server.csr
./seTool getRsaPublic 2048 0x00000020 PubRsaKey.pem none
Best Regards
Mehdi
Hi @Kan_Li
Do you have any news? We would not like to use python for this scope.
Thanks in advance, again.
Cristiane Bellenzier Piaia
Hi @CristianeBP ,
Please kindly have the updated version of seTool as attached. Please also refer to the attached .txt for more detailed description.
Hope that helps,
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
Hi @Kan_Li,
Thanks for your quick reply.
I tried the code sent by you but I think something doesn’t work properly.
First of all, when I tried to generate a reference key, there is no validation that the key pair already exists, so a reference key is generated even if the pair of keys does not exist.
When I tried to use the reference key to validate a CSR, the verification fails.
Commands used to test:
#seTool genRsa 2048 0x00000020 /dev/i2c-1
#seTool getRsaRef 2048 0x00000020 server.key /dev/i2c-1
#openssl req -config device.cnf -key server.key -new -sha256 -out server.csr -batch
#openssl req -text -noout -verify -in server.csr
verify failure
But when I tried the same thing using just openssl, everything works fine.
#openssl genrsa -out server2.key 2048
#openssl req -config device.cnf -key server2.key -new -sha256 -out server2.csr -batch
#openssl req -text -noout -verify -in server2.csr
verify OK
When I compare the piece of code used to generate the RSA reference key with the code used to generate the ECC reference key, the ECC uses its public key, but not the RSA. Also, the Python code used to generate the RSA reference key uses the public key (generate_openssl_rsa_refkey - pycli/src/sss/util.py). I think this part is missing.
Thanks in advance,
Cristiane Bellenzier Piaia
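
One way to test the hypothesis in the post above, as an added example that is not part of the thread or of seTool: compare the RSA modulus stored in the reference key file (or in the CSR built from it) with the modulus of the public key exported by getRsaPublic. It assumes, as the post suggests, that a correct RSA reference key carries the secure element key's real public modulus; the function names and the script name check_modulus.sh are hypothetical, and only the openssl command line is required.

```shell
#!/bin/sh
# Added example: compare the RSA modulus of two key-bearing files.
# Usage (hypothetical script name):
#   sh check_modulus.sh server.key PubRsaKey.pem

# Print "Modulus=<hex>" for one file.
# $1 = file, $2 = kind: priv (private or reference key PEM),
#                       pub  (public key PEM), csr (certificate request PEM)
rsa_modulus() {
    case "$2" in
        priv) openssl rsa -in "$1" -noout -modulus ;;
        pub)  openssl rsa -pubin -in "$1" -noout -modulus ;;
        csr)  openssl req -in "$1" -noout -modulus ;;
        *)    echo "unknown kind: $2" >&2; return 2 ;;
    esac
}

# Return 0 when both files carry the same modulus, 1 when they differ,
# 2 when either file cannot be parsed.
# $1/$2 = first file and its kind, $3/$4 = second file and its kind
same_modulus() {
    m1=$(rsa_modulus "$1" "$2" 2>/dev/null) || return 2
    m2=$(rsa_modulus "$3" "$4" 2>/dev/null) || return 2
    [ -n "$m1" ] && [ "$m1" = "$m2" ]
}

# Run only when called with a reference key and an exported public key.
if [ "$#" -ge 2 ]; then
    if same_modulus "$1" priv "$2" pub; then
        echo "match: reference key carries the exported public modulus"
    else
        echo "MISMATCH or parse error: CSR built from $1 will not verify"
        exit 1
    fi
fi
```

A mismatch between server.key and PubRsaKey.pem points at the reference key file rather than at the engine; `same_modulus server.csr csr PubRsaKey.pem pub` checks the CSR the same way.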
Hi @CristianeBP ,
Are you using the NXP OpenSSL Engine or Provider? Would you please try to use the ssscli tool for the same sequence? Thanks for your patience!
Have a great day,
Kan
Good morning @Kan_Li
yes, we are using the NXP OpenSSL Engine:
[root@ABB-8C-1F-64-CF-3C-18 src]# openssl engine -t
(dynamic) Dynamic engine loading support
[ unavailable ]
(e4sss) se hardware engine support
[ available ]
I just tried the ssscli tool and it works perfectly.
Thanks in advance.
Cristiane Bellenzier Piaia