Encrypted DEK decryption error


1,516 Views
kanimozhi_t
Contributor V

Hi,

We're trying to encrypt the DEK for manufacturing protection following AN 12056.

We have encrypted the DEK with CST as follows,

./cst -out csf_encrypt.txt -c CSF1_crt.pem -i csf_encrypt.bin

However, when we try to decrypt the encrypted DEK (as produced in the above step), we get the following error:

openssl cms -decrypt -in /cst_encrypt_sign/dek_spl.bin -inform DER -out ./dek_spl_dec.bin -binary -inkey /CSF1_1_sha256_2048_65537_v3_usr_key.pem -passin file:/key_pass_in.txt

Error reading S/MIME message\n140193583093056:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149:\n140193583093056:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:309:Type=CMS_ContentInfo\n

 

We're following the NXP app note closely, yet receiving these errors.

What are the steps to be followed for encrypting and decrypting the DEK with CST?

0 Kudos
3 Replies

1,497 Views
IvanRuiz
NXP Employee

Hello,

 

Could you please tell me your CST tool version and your OpenSSL version?

 

Thank you,

Ivan.

1,488 Views
kanimozhi_t
Contributor V

Hi,

 

We're using

  1. CST version 3.3.1 and
  2. OpenSSL version 1.1.1

and tried on both Ubuntu 18.04 and 20.04 yet no success.

0 Kudos

1,462 Views
IvanRuiz
NXP Employee

Hello,

 

It seems that the front-end code of CST 3.3.1 (also for CST 3.1) has the issue. "-c" doesn't really work to input the public certification.

You need to add a ":" after c in cst.c in the front-end code and then rebuild the cst tool; then it can work.


 

I tried with the commands below and it works with the updated cst binary.

-----

./cst -o csf_enc.bin -c IMG1_1_sha256_2048_65537_v3_usr_crt.pem -i csf_uboot_enc.txt

./openssl cms -decrypt -binary -in dek.bin -inform DER -inkey IMG1_1_sha256_2048_65537_v3_usr_key.pem -out decrypted_dek.bin --passin pass:test

-----

Please note that the dek.bin's size is 439 bytes (not 16 bytes) after you really encrypt the dek by the first command.

 

Hope it helps!

 

BR,

Ivan.
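A pre-flight check for the symptom in this thread, as an added example that is not part of the original posts or of NXP's CST: it tells a DER-encoded CMS blob apart from a DEK file that was never encrypted, which is what makes `openssl cms -decrypt` fail with "wrong tag". The function names, the raw-key size heuristic, the expectation of the envelopedData content type and the sample bytes are assumptions constructed for illustration.

```python
# Added example: classify a DEK file before passing it to `openssl cms -decrypt`.
ENVELOPED_DATA_OID = bytes.fromhex("06092a864886f70d010703")  # 1.2.840.113549.1.7.3
RAW_KEY_SIZES = (16, 24, 32)  # assumption: a plaintext DEK has an AES key length


def read_der_header(buf):
    """Return (tag, header_len, content_len) for the TLV at the start of buf, or None."""
    if len(buf) < 2:
        return None
    tag, first = buf[0], buf[1]
    if first < 0x80:                      # short form: length fits in one byte
        return tag, 2, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None                       # indefinite or implausible length: not DER
    return tag, 2 + n, int.from_bytes(buf[2:2 + n], "big")


def classify_dek_blob(blob):
    """Return 'cms-enveloped', 'raw-key' or 'unknown' for the bytes of a DEK file."""
    hdr = read_der_header(blob)
    if hdr is not None:
        tag, hlen, clen = hdr
        # A CMS ContentInfo is a SEQUENCE (0x30) spanning the whole file whose
        # first element is the contentType OID.
        spans_file = hlen + clen == len(blob)
        if tag == 0x30 and spans_file and blob[hlen:].startswith(ENVELOPED_DATA_OID):
            return "cms-enveloped"
    if len(blob) in RAW_KEY_SIZES:
        return "raw-key"                  # not CMS: the DEK was never wrapped
    return "unknown"


def make_sample_cms(total_len):
    """Constructed stand-in: valid outer header and OID, zero padding for the rest."""
    body = ENVELOPED_DATA_OID + bytes(total_len - 4 - len(ENVELOPED_DATA_OID))
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body


if __name__ == "__main__":
    samples = {
        "16-byte plaintext DEK (constructed)": bytes(range(16)),
        "439-byte CMS-shaped blob (constructed)": make_sample_cms(439),
    }
    for name, data in samples.items():
        print(f"{name}: {classify_dek_blob(data)}")
```

A "raw-key" result on a file that is about to leave the secure environment means the DEK is still in plaintext and the encryption step should be rerun with a working `-c` option.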