SE050 - How to generate an RSA reference key

CristianeBP
Contributor III

Good morning,

I am able to generate a RSA key pair with success.

But now I need to access my key pair by the reference key.

Through the seTool demo code I can see the generation of an ECC reference key.

I need the same thing but for RSA in C. Where can I find this example?

Thanks in advance.

Cristiane Bellenzier Piaia

1 Solution
MehdiSOUMHI
NXP Employee

Hello Cristiane, All,

Please find attached the latest seTool. The following sequence should work:

./seTool genRsa 2048 0x00000020 /dev/i2c-1

./seTool getRsaRef 2048 0x00000020 server.key /dev/i2c-1

 

export OPENSSL_CONF=~/se_mw_04.03.01/simw-top/demos/linux/common/openssl11_sss_se050.cnf

 

openssl req -config device.cnf -key server.key -new -sha256 -out server.csr -batch

openssl req -text -noout -verify -in server.csr

./seTool getRsaPublic 2048 0x00000020 PubRsaKey.pem none

Best Regards

Mehdi

rodolfoveltrigo
NXP Employee
Just repeating the suggestion from CAS2:


./seTool genRsa 2048 0x00000020 /dev/i2c-1

./seTool getRsaRef 2048 0x00000020 server.key /dev/i2c-1



export OPENSSL_CONF=~/se_mw_04.03.01/simw-top/demos/linux/common/openssl11_sss_se050.cnf



openssl req -config device.cnf -key server.key -new -sha256 -out server.csr -batch

openssl req -text -noout -verify -in server.csr

./seTool getRsaPublic 2048 0x00000020 PubRsaKey.pem none
CristianeBP
Contributor III
Thanks, I just tested and it works perfectly.
CristianeBP
Contributor III

Hi @Kan_Li 

Do you have any news? We would not like to use python for this scope.

Thanks in advance, again.

Cristiane Bellenzier Piaia

rodolfoveltrigo
NXP Employee
Hi @CristianeBP,
NXP has escalated your questions to our internal Level 2 support team. We will reply to you soon.
cheers
Rodolfo
Kan_Li
NXP TechSupport

Hi @CristianeBP ,

 

Please kindly have the updated version of seTool as attached. Please also refer to the attached .txt for more detailed description.

 

Hope that helps,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

CristianeBP
Contributor III

Hi @Kan_Li,

Thanks for your quick reply.

I tried the code sent by you but I think something doesn’t work properly.

First of all, when I tried to generate a reference key, there is no validation that the key pair already exists, so a reference key is generated even if the pair of keys does not exist.

When I tried to use the reference key to validate a CSR, the verification fails.

Commands used to test:

#seTool genRsa 2048 0x00000020 /dev/i2c-1

#seTool getRsaRef 2048 0x00000020 server.key /dev/i2c-1

#openssl req -config device.cnf -key server.key -new -sha256 -out server.csr -batch

#openssl req -text -noout -verify -in server.csr

verify failure

But when I tried the same thing using just openssl everything works fine.

#openssl genrsa -out server2.key 2048

#openssl req -config device.cnf -key server2.key -new -sha256 -out server2.csr -batch

#openssl req -text -noout -verify -in server2.csr

verify OK

When I compare the piece of code used to generate the RSA reference key with the code used to generate the ECC reference key, the ECC code uses its public key, but the RSA code does not. Also, the Python code used to generate the RSA reference key uses the public key (generate_openssl_rsa_refkey - pycli/src/sss/util.py). I think this part is missing.

Thanks in advance,

Cristiane Bellenzier Piaia
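
The post above suspects that the RSA reference key is written without the key pair's real public key. The following is an added example (not from the thread and not NXP's code) that checks this by comparing the modulus and exponent stored in a key file such as server.key with an exported public key such as PubRsaKey.pem. It assumes both files are PEM (PKCS#1, PKCS#8 or SubjectPublicKeyInfo); the function names and the toy keys are constructed for illustration.

```python
import base64
import re

def der_items(content):
    """Split a run of DER TLVs into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, length, pos = content[pos], content[pos + 1], pos + 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(content[pos:pos + n], "big")
            pos += n
        out.append((tag, content[pos:pos + length]))
        pos += length
    return out

def public_part(pem):
    """Return (modulus, public exponent) stored in an RSA PEM file."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1)
    fields = der_items(der_items(base64.b64decode(m.group(2)))[0][1])
    if label == "PRIVATE KEY":                  # PKCS#8 wraps a PKCS#1 key
        fields, label = der_items(der_items(fields[2][1])[0][1]), "RSA PRIVATE KEY"
    if label == "PUBLIC KEY":                   # SPKI: skip unused-bits octet
        fields, label = der_items(der_items(fields[1][1][1:])[0][1]), "RSA PUBLIC KEY"
    if label == "RSA PRIVATE KEY":              # version, n, e, d, p, q, ...
        fields = fields[1:]
    elif label != "RSA PUBLIC KEY":             # n, e
        raise ValueError("unsupported PEM type: " + label)
    return tuple(int.from_bytes(v, "big") for _, v in fields[:2])

def refkey_matches(ref_pem, pub_pem):
    """True if the key file carries the same public key as pub_pem."""
    return public_part(ref_pem) == public_part(pub_pem)

def make_pem(label, hexder):
    b64 = base64.b64encode(bytes.fromhex(hexder)).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed toy inputs (n = 3233, e = 17); private fields are dummy 1s,
# not NXP's actual reference-key layout.
PUB = make_pem("PUBLIC KEY", "301b300d06092a864886f70d0101010500030a00300702020ca1020111")
REF_OK = make_pem("RSA PRIVATE KEY", "301c02010002020ca1020111" + "020101" * 6)
REF_BAD = make_pem("RSA PRIVATE KEY", "301c02010002020ca3020111" + "020101" * 6)

if __name__ == "__main__":
    for name, ref in (("REF_OK", REF_OK), ("REF_BAD", REF_BAD)):
        print(name, "matches exported public key:", refkey_matches(ref, PUB))
```

On real files, pass the contents of the reference key and of the exported public key to `refkey_matches`. A mismatch means a CSR built from that key file embeds a public key that cannot verify a signature made by the key inside the secure element.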

Kan_Li
NXP TechSupport

Hi @CristianeBP ,

 

Are you using the NXP OpenSSL Engine or Provider? Would you please try to use the ssscli tool for the same sequence? Thanks for your patience!

 

Have a great day,
Kan


CristianeBP
Contributor III

Good morning @Kan_Li 

Yes, we are using the NXP OpenSSL Engine:

[root@ABB-8C-1F-64-CF-3C-18 src]# openssl engine -t
(dynamic) Dynamic engine loading support
[ unavailable ]
(e4sss) se hardware engine support
[ available ]

I just tried the ssscli tool and it works perfectly.

Thanks in advance.

Cristiane Bellenzier Piaia
