SE050 - How generate a RSA reference key

CristianeBP · ‎09-25-2023

Good morning,

I am able to generate a RSA key pair with success.

But now I need to access my key pair by the reference key.

Through the seTool demo code I can see the generatation of an ECC reference key.

I need the same thing but to RSA in C. Where I can found this example?

Thanks in advance.

Cristiane Bellenzier Piaia

MehdiSOUMHI · ‎10-15-2023

Hello Cristiane, All,

Please find attached latest seTool. Following sequecne should work:

./seTool genRsa 2048 0x00000020 /dev/i2c-1

./seTool getRsaRef 2048 0x00000020 server.key /dev/i2c-1

export OPENSSL_CONF=~/se_mw_04.03.01/simw-top/demos/linux/common/openssl11_sss_se050.cnf

openssl req -config device.cnf -key server.key -new -sha256 -out server.csr -batch

openssl req -text -noout -verify -in server.csr

./seTool getRsaPublic 2048 0x00000020 PubRsaKey.pem none

Best Regards

Mehdi

View solution in original post

rodolfoveltrigo · ‎10-17-2023

Just repeating the suggestion from CAS2:

./seTool genRsa 2048 0x00000020 /dev/i2c-1

./seTool getRsaRef 2048 0x00000020 server.key /dev/i2c-1

export OPENSSL_CONF=~/se_mw_04.03.01/simw-top/demos/linux/common/openssl11_sss_se050.cnf

openssl req -config device.cnf -key server.key -new -sha256 -out server.csr -batch

openssl req -text -noout -verify -in server.csr

./seTool getRsaPublic 2048 0x00000020 PubRsaKey.pem none

MehdiSOUMHI · ‎10-15-2023

Hello Cristiane, All,

Please find attached latest seTool. Following sequecne should work:

./seTool genRsa 2048 0x00000020 /dev/i2c-1

./seTool getRsaRef 2048 0x00000020 server.key /dev/i2c-1

export OPENSSL_CONF=~/se_mw_04.03.01/simw-top/demos/linux/common/openssl11_sss_se050.cnf

openssl req -config device.cnf -key server.key -new -sha256 -out server.csr -batch

openssl req -text -noout -verify -in server.csr

./seTool getRsaPublic 2048 0x00000020 PubRsaKey.pem none

Best Regards

Mehdi

CristianeBP · ‎10-16-2023

Thanks, I just tested and works perfectly.

CristianeBP · ‎10-02-2023

Hi @Kan_Li

Do you have any news? We would not like to use python for this scope.

Thanks in advance, again.

Cristiane Bellenzier Piaia

rodolfoveltrigo · ‎10-12-2023

Hi @CristianeBP,
NXP has escalated your questions to our internal Level 2 support team. We will reply to you soon.
cheers
Rodolfo

Kan_Li · ‎09-26-2023

Hi @CristianeBP ,

Please kindly have the updated version of seTool as attached. Please also refer to the attached .txt for more detailed description.

Hope that helps,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

CristianeBP · ‎09-27-2023

Hi @Kan_Li,

Thanks for your quick reply.

I tried the code sent by you but I think something doesn’t work properly.

First of all, when I tried to generate a reference key, there is no validation that the key pair already exists, so a reference key is generated even if the pair of keys does not exist.

When I tried to use the reference key to validate a CSR, the verification fails.

Commands used to test:

#seTool genRsa 2048 0x00000020 /dev/i2c-1

#seTool getRsaRef 2048 0x00000020 server.key /dev/i2c-1

#openssl req -config device.cnf -key server.key -new -sha256 -out server.csr -batch

#openssl req -text -noout -verify -in server.csr

verify failure

But when I tried the same thing using just openssl everthing works fine.

#openssl genrsa -out server2.key 2048

#openssl req -config device.cnf -key server2.key -new -sha256 -out server2.csr -batch

#openssl req -text -noout -verify -in server2.csr

verify OK

When I compare the piece of code used to generate the RSA reference key with the code used to generate the ECC reference key, the ECC uses it's public key, but not in the RSA. Also in the python code used to generate the RSA reference key uses the public key (generate_openssl_rsa_refkey - pycli/src/sss/util.py). I think this part is missing.

Thanks in advance,

Cristiane Bellenzier Piaia

Kan_Li · ‎09-28-2023

Hi @CristianeBP ,

Are you using the NXP OpenSSL Engine or Provider? Would you please try to use the ssscli tool for the same sequence? Thanks for your patience!

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

CristianeBP · ‎09-29-2023

Good morning @Kan_Li

yes, we are using the NXP OpenSSL Engine:

[root@ABB-8C-1F-64-CF-3C-18 src]# openssl engine -t
(dynamic) Dynamic engine loading support
[ unavailable ]
(e4sss) se hardware engine support
[ available ]

I just tried the ssscli tool and works perfectly.

Thanks in advance.

Cristiane Bellenzier Piaia