OpenSSL provider error when generating key

Solved

chanyoung
Contributor I

Hello.

An error occurred while running the test example.

The environment is Raspberry Pi + OM-SE050ARD0-F + OpenSSL 3 + provider.

While creating a key pair in the SE050, the following error occurred and the program exited.

Could I ask for some advice?

 

MW version: 4.5.1

PTMW_APPLET: SE050_C

 

$ openssl genrsa --provider /usr/local/lib/libsssProvider.so --provider default -out tls_client_key_ref_0xEF000011.pem 2048
App   :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
App   :WARN :Using SCP03 keys from:'/tmp/SE05X/plain_scp.txt' (FILE=/tmp/SE05X/plain_scp.txt)
sss   :INFO :atr (Len=35)
      00 A0 00 00    03 96 04 03    E8 00 FE 02    0B 03 E8 08
      01 00 00 00    00 64 00 00    0A 4A 43 4F    50 34 20 41
      54 50 4F
App   :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
App   :WARN :Using SCP03 keys from:'/tmp/SE05X/plain_scp.txt' (FILE=/tmp/SE05X/plain_scp.txt)
sss   :INFO :atr (Len=35)
      00 A0 00 00    03 96 04 03    E8 00 FE 02    0B 03 E8 08
      01 00 00 00    00 64 00 00    0A 4A 43 4F    50 34 20 41
      54 50 4F
sssprov-flw: Generate RSA key inside SE05x
sss   :WARN :nxEnsure:'ret == SM_OK' failed. At Line:7837 Function:sss_se05x_TXn
sss   :WARN :nxEnsure:'status == SM_OK' failed. At Line:4063 Function:sss_se05x_key_store_generate_key
App   :WARN :nxEnsure:'status == kStatus_SSS_Success' failed. At Line:471 Function:sss_keymgmt_rsa_gen
genrsa: Error generating RSA key

 

 

Kan_Li
NXP TechSupport

Hi @chanyoung,

The OpenSSL provider generates RSA in plain mode by default, which is not supported on SE050F. If you want to use the provider to generate RSA CRT keys instead, just change the following kSSS_CipherType_RSA to kSSS_CipherType_RSA_CRT in sssProvider_main.h.

[image: Kan_Li_0-1730960781906.png]

Please also note that RSA key lengths < 2048 bits are not supported on SE050F either.

BTW, as the provider doesn't support the Key ID as a parameter, the default key ID is set to "0xEF000011", but you may modify it in sssProvider_key_mgmt_rsa.c. Alternatively, you may use SETool instead to generate RSA key pairs in SE050F.

[image: Kan_Li_1-1730961155046.png]

Please refer to se05x_mw_v04.05.01/simw-top/doc/demos/se05x/seTool/Readme.html for more details.

 

 

Hope that helps,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
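
Kan's answer turns on the difference between a "plain" RSA private key and an RSA CRT key: the same key pair, stored either as the private exponent d (with n and e) or as the components p, q, dP, dQ, qInv that the Chinese Remainder Theorem uses. The block below is an added example written for this thread, not code from the NXP middleware or from the posts, and it runs offline with no secure element. It generates a toy plain key, recovers p and q from (n, e, d) with the prime-factor-recovery argument from NIST SP 800-56B Appendix C, derives the CRT components, and checks that both representations decrypt to the same message. The primes and message are constructed toy values; the names of all functions are the example's own.

```python
"""Plain RSA (n, e, d) versus CRT RSA (p, q, dP, dQ, qInv), worked offline.

Added example for this thread; it is not code from the NXP Plug & Trust
middleware or from the posts above. The primes are constructed toy values
so the numbers stay readable; a real SE050 key is >= 2048 bits.
"""
from math import gcd

# Constructed toy primes (about 14 bits each). Not an SE050 key.
P_TOY = 10007
Q_TOY = 10009
E_TOY = 65537


def make_plain_key(p, q, e=E_TOY):
    """Build the 'plain' private key (n, e, d): the representation the
    provider requests by default (kSSS_CipherType_RSA in sssProvider_main.h)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent, e*d == 1 (mod phi)
    return n, e, d


def crt_from_primes(p, q, d):
    """Derive the CRT components (the kSSS_CipherType_RSA_CRT representation)."""
    return {
        "p": p,
        "q": q,
        "dP": d % (p - 1),       # d reduced mod p-1
        "dQ": d % (q - 1),       # d reduced mod q-1
        "qInv": pow(q, -1, p),   # q^-1 mod p, for Garner's recombination
    }


def recover_primes(n, e, d, max_tries=64):
    """Factor n from a plain key (n, e, d), so the CRT form can be built.

    Argument (as in NIST SP 800-56B Appendix C): k = e*d - 1 is a multiple of
    lcm(p-1, q-1), so g**k == 1 (mod n) for every g coprime to n. Writing
    k = 2**t * r, the chain g**r, g**(2r), ... reaches 1; the last element
    before it is a square root of 1. If that root is not +-1, gcd(root - 1, n)
    is a prime factor. The standard picks g at random; g = 2, 3, ... is used
    here for a reproducible run (at least half of all g are witnesses).
    """
    k = e * d - 1
    if k % 2:
        raise ValueError("e*d - 1 is odd; (n, e, d) is not a consistent RSA key")
    t, r = 0, k
    while r % 2 == 0:
        t, r = t + 1, r // 2
    for g in range(2, 2 + max_tries):
        if gcd(g, n) != 1:                   # g already shares a factor
            p = gcd(g, n)
            return min(p, n // p), max(p, n // p)
        y = pow(g, r, n)
        if y in (1, n - 1):                  # trivial root, try next g
            continue
        for _ in range(t):
            x = pow(y, 2, n)
            if x == 1:                       # y is a non-trivial sqrt of 1
                p = gcd(y - 1, n)
                return min(p, n // p), max(p, n // p)
            if x == n - 1:                   # chain hit -1, useless g
                break
            y = x
    raise ValueError("no factor found; is (n, e, d) a consistent RSA key?")


def rsa_private_plain(c, n, d):
    """c**d mod n with the plain private exponent (one big exponentiation)."""
    return pow(c, d, n)


def rsa_private_crt(c, crt):
    """Same operation with the CRT components (Garner's algorithm): two
    half-size exponentiations and a recombination, which is the computation
    a CRT-form key makes possible."""
    p, q = crt["p"], crt["q"]
    m1 = pow(c % p, crt["dP"], p)
    m2 = pow(c % q, crt["dQ"], q)
    h = (crt["qInv"] * (m1 - m2)) % p
    return m2 + h * q


def demo(p=P_TOY, q=Q_TOY, message=12345678):
    """Generate a plain key, recover its CRT form, and show both decrypt alike."""
    n, e, d = make_plain_key(p, q)
    p_rec, q_rec = recover_primes(n, e, d)
    crt = crt_from_primes(p_rec, q_rec, d)
    c = pow(message, e, n)
    return {
        "primes": (p_rec, q_rec),
        "plain": rsa_private_plain(c, n, d),
        "crt": rsa_private_crt(c, crt),
    }


if __name__ == "__main__":
    result = demo()
    print("recovered primes:", result["primes"])
    print("plain == crt:", result["plain"] == result["crt"] == 12345678)
```

Run it as a script to see the recovered primes and the equality check. The point for the thread: switching the provider from kSSS_CipherType_RSA to kSSS_CipherType_RSA_CRT changes only how the key material is represented when the applet is asked to generate and store it, not the key itself; the two forms are interconvertible and compute the same private-key operation.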

 

 

chanyoung
Contributor I

Thank you for your reply.
I modified it according to the advice and confirmed that the key was created normally.

But there is one more problem.
During the process of creating a CSR using the created key pair, the program ends without the CSR being created.

Is it impossible to create it with RSA? Or I would like to know if there is another way.

Additionally, here is the full script of the example I am referring to.

 

TLS client example using RSA keys

 

# Create Root CA key pair and certificate
openssl genrsa -out tls_rootca_key.pem 2048
openssl req -x509 -new -nodes -key tls_rootca_key.pem -subj "/OU=NXP Plug Trust CA/CN=NXP RootCAvExxx" -days 4380 -out tls_rootca.cer


# Create client key inside secure element
openssl genrsa --provider /usr/local/lib/libsssProvider.so --provider default -out tls_client_key_ref_0xEF000011.pem 2048

# Create Client key CSR. Use the provider to access the client key created in the previous step.
openssl req -new --provider /usr/local/lib/libsssProvider.so --provider default -key tls_client_key_ref_0xEF000011.pem -subj "/CN=NXP_SE050_TLS_CLIENT_RSA" -out tls_client.csr

# Create Client certificate
openssl x509 -req --provider default -in tls_client.csr -CAcreateserial -out tls_client.cer -days 5000 -CA tls_rootca.cer -CAkey tls_rootca_key.pem


# Create Server key pair and certificate
openssl genrsa -out tls_server_key.pem 2048
openssl req -new -key tls_server_key.pem -subj "/CN=NXP_SE050_TLS_SERVER_RSA" -out tls_server.csr
openssl x509 -req -sha256 -days 4380 -in tls_server.csr -CAcreateserial -CA tls_rootca.cer -CAkey tls_rootca_key.pem -out tls_server.cer

Kan_Li
NXP TechSupport

Hi @chanyoung ,

 

Yes, it is possible to use RSA in the TLS client demo, but if you use a ref key, you'd better use the Access Manager together with the OpenSSL provider. Please refer to simw-top/doc/hostlib/hostLib/accessManager/doc/accessManager.html for more details.

 

Have a great day,
Kan

