CST - x5092wtls tool isn't able to access keys from HSM

bhatnagarashish1998
Contributor I

Hello,

I need to convert the X509 certificates into WTLS format for HABv3 PKI tree generation.

Previously the keys were present in some local directories, so I did not face any challenge using the x5092wtls tool to convert the certificates to WTLS format.

But now the keys are present in an HSM and the x5092wtls tool needs to access the keys from the HSM, but I am not able to do it as this tool doesn't support an HSM or a PKCS#11 engine either.

Kindly provide some solution through which the x5092wtls tool will be able to access keys directly from the HSM, or provide the source code of the x5092wtls tool so that I can modify this tool as per my requirement.

Thanks and Regards

Ashish Bhatnagar

igorpadykov
NXP Employee

Hi Ashish

What is the full processor part number for this case?

> I am in need to convert the X509 certificates into WTLS format for HABv3 PKI tree generation.

What is "HABv3"? There is no HAB version 3.

Best regards
igor

bhatnagarashish1998
Contributor I

Hello Igor,

In my application, I have an i.MX25 series processor, and on it the secure boot of the device is implemented using High Assurance Boot version 3, i.e. HABv3, using NXP's Code Signing Tool (CST v3.1.0).

For this, we have to generate a PKI tree using the hab3_pki_tree.sh script (which comes with the CST tool binaries), which creates certificates and private keys. Previously the generation of the PKI tree was done on a local PC, so we had no issues with the hab3_pki_tree.sh script; it generated the PKI tree for us, and later we generated the CSF source files and put the certificates inside the device.

But now we are using Utimaco's HSM module to securely generate the keys, hence the keys are no longer present on the local PC; instead the keys are present inside the HSM module.

Now, there is a step in the hab3_pki_tree.sh script where we need to convert the generated X509 certificates into WTLS format; for this NXP has provided a tool, i.e. x5092wtls, with the CST v3.1.0 binary. But this tool won't be able to access the private keys from the HSM as it doesn't support either the OpenSSL or PKCS#11 engine.

I need a solution so that this x5092wtls tool can access the keys from the HSM and convert the X509 format certificates into WTLS format. Hence, either NXP provides a solution for this, or NXP can share the source code of the x5092wtls tool and I can modify it as per my need.

Thanks and Regards

Ashish Bhatnagar

igorpadykov
NXP Employee

Hi Ashish

From the team:

-----------------

The source for the tool in question was reviewed by trusted advisors and found to be releasable under NDA. It was provided via email to the support team working with Idemia.

-----------------

Best regards
igor
