OpenSSL provider error when generating key

1,251 Views
chanyoung
Contributor I

Hello.

An error occurred while running the test example.

The environment is Raspberry Pi + OM-SE050ARD0-F + OpenSSL 3 + provider.

While creating a key pair in the SE050, the following error occurred and the program ended.

Could I ask for some advice?

 

MW version: 4.5.1

PTMW_APPLET: SE050_C

 

$ openssl genrsa --provider /usr/local/lib/libsssProvider.so --provider default -out tls_client_key_ref_0xEF000011.pem 2048
App   :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
App   :WARN :Using SCP03 keys from:'/tmp/SE05X/plain_scp.txt' (FILE=/tmp/SE05X/plain_scp.txt)
sss   :INFO :atr (Len=35)
      00 A0 00 00    03 96 04 03    E8 00 FE 02    0B 03 E8 08
      01 00 00 00    00 64 00 00    0A 4A 43 4F    50 34 20 41
      54 50 4F
App   :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
App   :WARN :Using SCP03 keys from:'/tmp/SE05X/plain_scp.txt' (FILE=/tmp/SE05X/plain_scp.txt)
sss   :INFO :atr (Len=35)
      00 A0 00 00    03 96 04 03    E8 00 FE 02    0B 03 E8 08
      01 00 00 00    00 64 00 00    0A 4A 43 4F    50 34 20 41
      54 50 4F
sssprov-flw: Generate RSA key inside SE05x
sss   :WARN :nxEnsure:'ret == SM_OK' failed. At Line:7837 Function:sss_se05x_TXn
sss   :WARN :nxEnsure:'status == SM_OK' failed. At Line:4063 Function:sss_se05x_key_store_generate_key
App   :WARN :nxEnsure:'status == kStatus_SSS_Success' failed. At Line:471 Function:sss_keymgmt_rsa_gen
genrsa: Error generating RSA key

 

 

1 Solution
1,223 Views
Kan_Li
NXP TechSupport

Hi @chanyoung ,

 

The OpenSSL provider generates RSA keys in plain mode by default, which is not supported on SE050F. If you want to use the provider to generate RSA CRT keys instead, just change the following kSSS_CipherType_RSA to kSSS_CipherType_RSA_CRT in sssProvider_main.h.

[image: Kan_Li_0-1730960781906.png]

Please also note that RSA key lengths < 2048 bits are not supported on SE050F either.

 

BTW, as the provider doesn't support Key ID as a parameter, the default key ID is set to "0xEF000011", but you may modify it in sssProvider_key_mgmt_rsa.c. Alternatively you may use SETool instead to generate RSA key pairs in SE050F.

[image: Kan_Li_1-1730961155046.png]

Please refer to se05x_mw_v04.05.01/simw-top/doc/demos/se05x/seTool/Readme.html for more details.

 

 

Hope that helps,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

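The answer above hinges on the difference between a "plain" RSA private key (n, d) and an RSA-CRT private key (p, q, dP, dQ, qInv): the SE050F only accepts the CRT form, which is why the provider must request kSSS_CipherType_RSA_CRT. The following script is an added illustration, not code from the thread or from the NXP middleware; it builds both key forms from constructed toy-sized primes so it runs offline, and checks that CRT and plain private-key operations give the same result. Real keys must be at least 2048 bits, the SE050F minimum stated in the answer.

```python
# Added example: plain RSA private key versus RSA-CRT private key (PKCS#1 v2.2 5.1.2).
# Toy primes are used so the script runs offline; they are far too small for real use.
from math import gcd

# Constructed sample primes (not from the thread): the 9999th and 10000th primes.
TOY_P = 104723
TOY_Q = 104729


def make_plain_key(p, q, e=65537):
    """Plain RSA private key: only n, e and the private exponent d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent not invertible mod phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return {"n": n, "e": e, "d": d}


def make_crt_key(p, q, e=65537):
    """RSA-CRT private key: the form the SE050F expects, with p, q, dP, dQ, qInv."""
    plain = make_plain_key(p, q, e)
    d = plain["d"]
    return {
        "n": plain["n"],
        "e": e,
        "p": p,
        "q": q,
        "dP": d % (p - 1),          # d mod (p-1)
        "dQ": d % (q - 1),          # d mod (q-1)
        "qInv": pow(q, -1, p),      # q^-1 mod p
    }


def rsa_public(key, m):
    """Public operation (encrypt / signature verify): m^e mod n."""
    return pow(m, key["e"], key["n"])


def rsa_private_plain(key, c):
    """Private operation with the plain key: c^d mod n."""
    return pow(c, key["d"], key["n"])


def rsa_private_crt(key, c):
    """Private operation with the CRT key, per PKCS#1 v2.2 section 5.1.2 step 2."""
    m1 = pow(c, key["dP"], key["p"])
    m2 = pow(c, key["dQ"], key["q"])
    h = (key["qInv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


def crt_matches_plain(p, q, m):
    """Sanity check: both key forms recover the same message from the same ciphertext."""
    plain = make_plain_key(p, q)
    crt = make_crt_key(p, q)
    c = rsa_public(plain, m)
    return rsa_private_plain(plain, c) == m and rsa_private_crt(crt, c) == m


if __name__ == "__main__":
    msg = 123456789  # constructed sample message, must be < n
    print("CRT and plain private operations agree:", crt_matches_plain(TOY_P, TOY_Q, msg))
```

The CRT form is what the element stores and uses internally; switching the provider to kSSS_CipherType_RSA_CRT changes only how the key is represented on the device, not the public key or the signatures it produces.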
 

 


3 Replies
1,206 Views
chanyoung
Contributor I

Thank you for your reply.
I modified it according to the advice and confirmed that the key was created normally.

But there's one more problem.
During the process of creating a CSR with the created key pair, the program ends without the CSR being created.

Is it impossible to create it with RSA? Or I would like to know if there is another way.

Additionally, here is the full script of the example I am referring to.

 

TLS client example using RSA keys

 

# Create Root CA key pair and certificate
openssl genrsa -out tls_rootca_key.pem 2048
openssl req -x509 -new -nodes -key tls_rootca_key.pem -subj "/OU=NXP Plug Trust CA/CN=NXP RootCAvExxx" -days 4380 -out tls_rootca.cer


# Create client key inside secure element
openssl genrsa --provider /usr/local/lib/libsssProvider.so --provider default -out tls_client_key_ref_0xEF000011.pem 2048

# Create Client key CSR. Use the provider to access the client key created in the previous file.
openssl req -new --provider /usr/local/lib/libsssProvider.so --provider default -key tls_client_key_ref_0xEF000011.pem -subj "/CN=NXP_SE050_TLS_CLIENT_RSA" -out tls_client.csr

# Create Client certificate
openssl x509 -req --provider default -in tls_client.csr -CAcreateserial -out tls_client.cer -days 5000 -CA tls_rootca.cer -CAkey tls_rootca_key.pem


# Create Server key pair and certificate
openssl genrsa -out tls_server_key.pem 2048
openssl req -new -key tls_server_key.pem -subj "/CN=NXP_SE050_TLS_SERVER_RSA" -out tls_server.csr
openssl x509 -req -sha256 -days 4380 -in tls_server.csr -CAcreateserial -CA tls_rootca.cer -CAkey tls_rootca_key.pem -out tls_server.cer

1,148 Views
Kan_Li
NXP TechSupport

Hi @chanyoung ,

 

Yes, it is possible to use RSA in the TLS client demo, but if you use a ref key instead, you'd better use the Access Manager together with the OpenSSL provider. Please kindly refer to simw-top/doc/hostlib/hostLib/accessManager/doc/accessManager.html for more details.

 

Have a great day,
Kan


