I am receiving the following error when following directions to build the back end HSM source code from the recently released NXP CST 3.3.1 package (note in the directory listing that I had copied in the libfrontend.a which was built successfully):
osboxes@osboxes:~/cst-3.3.1/code/back_end-hsm/src$ make clean
$ARCH is []
rm -f backend.o config.o e_hsm.o e_hsm_err.o openssl_helper.o *~ core tags *.bak Makefile.bak libbackend.*
osboxes@osboxes:~/cst-3.3.1/code/back_end-hsm/src$ ls -al
total 680
drwxr-xr-x 3 osboxes osboxes 4096 Sep 20 22:46 .
drwxr-xr-x 4 osboxes osboxes 4096 Aug 14 08:53 ..
-rwxr-xr-x 1 osboxes osboxes 38775 Aug 14 08:56 backend.c
-rwxr-xr-x 1 osboxes osboxes 3874 Aug 14 08:56 config.c
-rwxr-xr-x 1 osboxes osboxes 51093 Aug 14 08:56 e_hsm.c
-rwxr-xr-x 1 osboxes osboxes 8670 Aug 14 08:56 e_hsm_err.c
drwxr-xr-x 2 osboxes osboxes 4096 Aug 14 08:53 include
-rwxr-xr-x 1 osboxes osboxes 96914 Sep 20 22:46 lib
-rw-rw-r-- 1 osboxes osboxes 437150 Sep 20 13:25 libfrontend.a
-rwxr-xr-x 1 osboxes osboxes 1937 Sep 20 22:22 Makefile
-rw-r--r-- 1 osboxes osboxes 12288 Sep 20 22:22 .Makefile.swp
-rwxr-xr-x 1 osboxes osboxes 4197 Aug 14 08:56 openssl_helper.c
-rw------- 1 osboxes osboxes 12288 Sep 20 21:34 .swp
osboxes@osboxes:~/cst-3.3.1/code/back_end-hsm/src$ make
$ARCH is []
[Compile] backend.c
[Compile] config.c
[Compile] e_hsm.c
[Compile] e_hsm_err.c
[Compile] openssl_helper.c
[Link (Static) libbackend]
osboxes@osboxes:~/cst-3.3.1/code/back_end-hsm/src$ make all
$ARCH is []
gcc -std=c99 -D_POSIX_C_SOURCE=200809L -Wall -Werror -g -Wall -o cst libfrontend.a libbackend.a -L./lib -I/../openssl/include -mno-ms-bitfields -L/../openssl/lib -lssl -lcrypto -ldl -lpthread -lconfig -fno-builtin -fno-strict-aliasing -fno-common -DREMOVE_ENCRYPTION -Wl,--allow-multiple-definition
/usr/bin/ld: libfrontend.a(csf_cmd_ins_key.o): in function `cmd_handler_installcsfk':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/front_end/src/csf_cmd_ins_key.c:741: undefined reference to `get_der_encoded_certificate_data'
/usr/bin/ld: libfrontend.a(csf_cmd_ins_key.o): in function `cmd_handler_installnocak':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/front_end/src/csf_cmd_ins_key.c:847: undefined reference to `get_der_encoded_certificate_data'
/usr/bin/ld: libfrontend.a(csf_cmd_ins_key.o): in function `cmd_handler_installkey':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/front_end/src/csf_cmd_ins_key.c:992: undefined reference to `get_der_encoded_certificate_data'
collect2: error: ld returned 1 exit status
make: *** [Makefile:77: all] Error 1
I'm not sure how get_der_encoded_certificate_data is supposed to be linked in in the first place. In the back_end-engine source, this function exists in backend.c, but in back_end-hsm backend.c, it does not. Can you please tell me if I'm missing a step?
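An added example (not from the thread or the CST sources) for answering exactly this question: it parses `nm -A -g` output taken over every static archive on the link line and reports which referenced symbols none of the archives define, traced to the member that needs them. The sample nm output is constructed; symbols that legitimately come from shared libraries such as libcrypto are reported too, since they are not in the archives.

```python
"""Added example: find symbols that static archives on a link line reference
but none of them define, from `nm -A -g archive...` output.  With -A, nm
prefixes each line with "archive:member:", so a gap such as the thread's
get_der_encoded_certificate_data is traced to the object that needs it."""
import subprocess
from collections import defaultdict

DEFINING_TYPES = set('TDBRWVi')   # nm type letters meaning "this member defines it"

def parse_nm(nm_output):
    """Return (defined, needed): symbol -> set of 'archive:member' locations."""
    defined, needed = defaultdict(set), defaultdict(set)
    for line in nm_output.splitlines():
        line = line.strip()
        if ':' not in line:
            continue
        location, _, rest = line.rpartition(':')
        fields = rest.split()
        if len(fields) < 2:                 # skip headers and blank members
            continue
        # Undefined symbols carry no address column: "U name" vs "addr T name".
        sym_type, name = fields[-2], fields[-1]
        if sym_type == 'U':
            needed[name].add(location)
        elif sym_type in DEFINING_TYPES:
            defined[name].add(location)
    return defined, needed

def unresolved(nm_output):
    """Symbols some member references but no archive defines: they must come
    from elsewhere (e.g. -lcrypto) or the link fails as in the thread."""
    defined, needed = parse_nm(nm_output)
    return {name: sorted(locs) for name, locs in needed.items() if name not in defined}

def unresolved_in_archives(*archives):
    """Same check on real files; needs binutils nm (not exercised by the sample)."""
    out = subprocess.run(['nm', '-A', '-g', *archives],
                         capture_output=True, text=True, check=True).stdout
    return unresolved(out)

# Constructed sample of nm output (not real CST symbols apart from the two in
# the thread); backend_helper stands in for a symbol libbackend.a does provide.
SAMPLE_NM = """\
libfrontend.a:csf_cmd_ins_key.o:                 U get_der_encoded_certificate_data
libfrontend.a:csf_cmd_ins_key.o:                 U backend_helper
libfrontend.a:csf_cmd_ins_key.o:0000000000000a10 T cmd_handler_installkey
libbackend.a:backend.o:0000000000000120 T backend_helper
libbackend.a:backend.o:                 U EVP_DigestInit_ex
"""
```

On a real tree, `unresolved_in_archives('libfrontend.a', 'libbackend.a')` shows whether the missing function is absent from both archives (as here) or merely not linked.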
The above script for CentOS 7 worked like a charm, and acted as a great starter for getting everything done for Windows. Thanks!
But if you, like us, needed the CST compiled for Windows (poor soul!), I've managed to get it compiled and running with an HSM backend.
Note that NXP support has informed us that the Dockerfile included in the 3.3.1 release can be used to cross-compile for Windows and has all the dependencies, so that may be easier than the path we took below before receiving that information.
The first important note is that libfrontend.a is no longer included as a binary file in the 3.3.1 release, so you must compile that too. Another note is that you MUST use MinGW32, not MinGW64. Some code changes are necessary to get the CST to use the HSM backend (instead of "engine" backend), and to correctly detect MinGW as the environment at compile time. Finally, the instructions aren't complete in the documentation for building on Windows (at least not anymore), and a few symlink hacks have to be put in place in the MinGW environment to get everything to build.
In practice, I had to compile OpenSSL from source (instead of installing from pacman) to get everything done.
1) Install MSYS2 -- it's the simplest way to get MinGW running on Windows, as far as I can tell: https://www.msys2.org/
2) Open MinGW32 from the Start menu
3) Run the following to install all the dependencies (note that there's almost certainly some extra stuff here you don't need, but anyway):
pacman -S mingw-w64-i686-gcc make vim mingw-w64-i686-gcc-libs bison bisonc++ btyacc flex mingw-w64-i686-binutils mingw-w64-i686-libconfig mingw-w64-i686-dlfcn git binutils mingw-w64-i686-toolchain --noconfirm
4) Run the following to set up some symlink hacks to convince compilation to complete:
ln -s /usr/bin/btyacc.exe /usr/bin/byacc.exe
ln -s /usr/bin/ar /usr/bin/i686-w64-mingw32-ar
ln -s /usr/bin/ranlib.exe /usr/bin/i686-w64-mingw32-ranlib
5) Make the following code changes (again, not sure what is wholly necessary, but these are the modifications we made before running (7)):
a) Fix the defined reference for MinGW:
file "cst-3.3.1/code/back_end-hsm/src/e_hsm.c":
line 117: swap out "if defined(WIN32)" for "if defined(__CYGWIN32__)"
b) Remove code that ends up being duplicated by other files when using a different backend:
file "cst-3.3.1/code/cst/code/back_end/src/adapt_layer_openssl.c":
line 82 - 167: delete
line 266 - 358: delete
line 399 - 503: delete
line 818 - 876: delete
c) Fix an include:
file: cst-3.3.1/code/cst/code/front_end/src/cst.c
line 64: add an include:
#include <adapt_layer.h>
6) Make sure the script in (7) and the cst-3.3.1 folder (containing the contents of the 3.3.1 release archive) are in your current directory
7) Run the following to pull down the right OpenSSL source and compile the CST:
#!/bin/bash
set -e
VERSION_CST=3.3.1
VERSION_OPENSSL=1_0_2
OSTYPE=mingw32
OSTYPE_OPENSSL=mingw
if [[ -z ${CI_PROJECT_DIR} ]]; then
export CI_PROJECT_DIR=${HOME}
cp -r cst-${VERSION_CST} ${CI_PROJECT_DIR}
fi
OPENSSL_PATH=${CI_PROJECT_DIR}/openssl
SSL_PATH=${CI_PROJECT_DIR}/ssl
CST_PATH=${CI_PROJECT_DIR}/cst-${VERSION_CST}/code
CST_HSM_PATH=${CST_PATH}/back_end-hsm/src
git clone https://github.com/openssl/openssl.git ${OPENSSL_PATH} || true
cd ${OPENSSL_PATH}
git checkout OpenSSL_${VERSION_OPENSSL}
echo "Running ./Configure ${OSTYPE_OPENSSL} --prefix=${SSL_PATH}"
./Configure ${OSTYPE_OPENSSL} --prefix=${SSL_PATH}
make
make install
cd -
sed -i 's/no-idea/no-idea --prefix=$(CI_PROJECT_DIR)/' ${CST_PATH}/cst/Makefile
sed -i '/make && \\/a\ make install && \\' ${CST_PATH}/cst/Makefile
cd ${CST_PATH}/cst/code
sed -i '/OBJECTS += \\/a\ ssl_wrapper.o \\' ${CST_PATH}/cst/code/front_end/src/objects.mk
sed -i '/OBJECTS_FRONTEND += \\/a\ ssl_wrapper.o \\' ${CST_PATH}/cst/code/front_end/src/objects.mk
sed -i '/OBJECTS += \\/a\ pkey.o \\' ${CST_PATH}/cst/code/front_end/src/objects.mk
sed -i '/OBJECTS_FRONTEND += \\/a\ pkey.o \\' ${CST_PATH}/cst/code/front_end/src/objects.mk
sed -i '/OBJECTS += \\/a\ adapt_layer_openssl.o \\' ${CST_PATH}/cst/code/front_end/src/objects.mk
sed -i '/OBJECTS_FRONTEND += \\/a\ adapt_layer_openssl.o \\' ${CST_PATH}/cst/code/front_end/src/objects.mk
sed -i -e 's/err_msg/err_msg_local/g' ${CST_PATH}/cst/code/front_end/src/acst.c
cd -
cd ${CST_PATH}/cst/code/obj.mingw32
cp ${CI_PROJECT_DIR}/openssl/ms/* ${CI_PROJECT_DIR}/openssl/include/openssl
make libfrontend.a OSTYPE=${OSTYPE} _OPENSSL_PATH=${CI_PROJECT_DIR}/openssl
cp ${CST_PATH}/cst/code/obj.${OSTYPE}/libfrontend.a ${CST_HSM_PATH}
cd -
cd ${CST_HSM_PATH}
make OPENSSL_PATH=${SSL_PATH}
make all OSTYPE=${OSTYPE} OPENSSL_PATH=${CI_PROJECT_DIR}/ssl
cd -
You should now have cst.exe in the path "cst-3.3.1/code/back_end-hsm/src/cst"
Good luck!
Hi @cheuschkel,
In order to use CST with your HSM, please build using back_end-engine. The back_end-hsm is deprecated and will be removed in the next release.
Use AN12812 (Using Code-Signing Tool with Hardware Security Module) as advised by @Yuri.
Regards
Maro
@cheuschkel Not needed
How do we specify the pkcs11 URI for AHAB ?
I put the pkcs11 URI in the "Source =" key of the [Install SRK] section but the CST returns an error "Unable to read".
Looks like a problem in the object=<cert_label> part in the pkcs11 URI.
If you are using pkcs15-tool -D to list all objects from the HSM, the label of the object is what is inside the square brackets, e.g. x.509 certificate [some_label].
Not sure of what you mean, I tried to put the object as you suggested but still "unable to read".
It looks like the parser does not recognize the PKCS11 URI for the "Source" key for AHAB
It looks like the back_end-engine (not the hsm one) only creates a sig_req.txt file but does not actually sign with the HSM.
What are the sig_req.txt and its associated container.bin for?
Hi @Terry3,
Since this thread has been marked solved, I recommend opening a new one for better tracking of the issue.
Regards
Maro
I have written a script that makes it work with CentOS 7, so that all dependencies are included within libfrontend.a:
For what it is worth, I just tested the cst-3.1.0 package and was able to link that successfully. The libfrontend.a was pre-compiled in the lib/ directory, and worked just fine for me. This appears to be an issue with the custom build of the libfrontend.a package in cst-3.3.0.
osboxes@osboxes:~/cst-3.1.0/release/linux64/lib$ cp libfrontend.a ../../code/back_end-hsm/src/
osboxes@osboxes:~/cst-3.1.0/release/linux64/lib$ cd ../../code/back_end-hsm/src/
osboxes@osboxes:~/cst-3.1.0/release/code/back_end-hsm/src$ make all
$ARCH is []
gcc -std=c99 -D_POSIX_C_SOURCE=200809L -Wall -Werror -g -Wall -o cst libfrontend.a libbackend.a -L./lib -I/../openssl/include -mno-ms-bitfields -L/../openssl/lib -lssl -lcrypto -ldl -lpthread -lconfig -fno-builtin -fno-strict-aliasing -fno-common -DREMOVE_ENCRYPTION -Wl,--allow-multiple-definition
osboxes@osboxes:~/cst-3.1.0/release/code/back_end-hsm/src$ ls -al
total 700
drwxr-x--- 3 osboxes root 4096 Sep 21 10:35 .
drwxr-x--- 4 osboxes root 4096 Sep 21 10:23 ..
-rwxr-x--- 1 osboxes root 37338 Sep 21 10:23 backend.c
-rw-rw-r-- 1 osboxes osboxes 27664 Sep 21 10:34 backend.o
-rwxr-x--- 1 osboxes root 2705 Sep 21 10:23 config.c
-rw-rw-r-- 1 osboxes osboxes 4152 Sep 21 10:34 config.o
-rwxrwxr-x 1 osboxes osboxes 187520 Sep 21 10:35 cst
-rwxr-x--- 1 osboxes root 50555 Sep 21 10:23 e_hsm.c
-rwxr-x--- 1 osboxes root 7501 Sep 21 10:23 e_hsm_err.c
-rw-rw-r-- 1 osboxes osboxes 8504 Sep 21 10:34 e_hsm_err.o
-rw-rw-r-- 1 osboxes osboxes 54064 Sep 21 10:34 e_hsm.o
drwxr-x--- 2 osboxes root 4096 Sep 21 10:23 include
-rw-rw-r-- 1 osboxes osboxes 96962 Sep 21 10:34 libbackend.a
-rwxr-x--- 1 osboxes osboxes 190424 Sep 21 10:35 libfrontend.a
-rwxr-x--- 1 osboxes root 2216 Sep 21 10:23 Makefile
-rwxr-x--- 1 osboxes root 3028 Sep 21 10:23 openssl_helper.c
-rw-rw-r-- 1 osboxes osboxes 1376 Sep 21 10:34 openssl_helper.o
It's worth noting that I'm using an Ubuntu 20.04 VM with the default system OpenSSL v1.1.1f installed. Now that I see all of the NXP rep posts saying to use v1.0.2, I went ahead and downloaded and installed it locally. But now when I set my OPENSSL_PATH and try to run make on the cst to build libfrontend.a, I get the following errors:
osboxes@osboxes:~/cst-3.3.1/code/cst$ OSTYPE=linux64 OPENSSL_PATH=/home/osboxes/openssl-1.0.2l make
Compile srktool.o
Compile openssl_helper.o
Compile srk_helper.o
Compile err.o
Link srktool
/usr/bin/ld: srktool.o: in function `generate_srk_data':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/srktool/src/srktool.c:720: undefined reference to `X509_get_pubkey'
...
(lots of linker errors)
...
/usr/bin/ld: cryptlib.c:(.text+0x79b): undefined reference to `sk_value'
collect2: error: ld returned 1 exit status
make[1]: *** [../build/make/rules.mk:24: srktool] Error 1
make: *** [Makefile:59: rel_bin] Error 2
@Yuri you seem to be the most active NXP rep on these posts. Can you please look over these problems with the HSM back end?
Hello,
use AN12812 (Using Code-Signing Tool with Hardware Security Module).
Regards,
Yuri.
Assuming your host/VM runs a different version of OpenSSL, you can build it locally:
git clone https://github.com/openssl/openssl.git $HOME/openssl
pushd $HOME/openssl
git checkout OpenSSL_1_0_2
./Configure linux-x86_64 --prefix=/home/$USER/ssl
make
make install
popd
For linking cst:
line #48:
OPENSSL_CONFIG += no-deprecated no-threads no-shared no-dso no-engine no-hw \
+ no-idea --prefix=$(HOME)
line 75:
make clean && \
make && \
+ make install && \
cp ms/applink.c include/openssl/
4. Make:
OSTYPE=linux64 OPENSSL_PATH=$HOME/openssl make openssl
OSTYPE=linux64 OPENSSL_PATH=$HOME/openssl make
Thank you @YairBA! This got past my compilation problems for the CST. But now, using the OpenSSL on the 1_0_2 branch, I am having new errors when building the back_end-hsm project:
osboxes@osboxes:~/nxp/cst-3.3.1/code/back_end-hsm/src$ OSTYPE=linux64 OPENSSL_PATH=$HOME/openssl make
$ARCH is []
[Compile] backend.c
In file included from ./include/e_hsm.h:46,
from backend.c:48:
/home/osboxes/openssl/include/openssl/engine.h:71:4: error: #error ENGINE is disabled.
71 | # error ENGINE is disabled.
| ^~~~~
make: *** [Makefile:67: backend.o] Error 1
For what it's worth, if I just run `make` (which would in turn use my OpenSSL 1.0.2l version I have in a different directory that installed to /usr/bin/ssl) I compile the back end without problems. Perhaps I need to get rid of my separate OpenSSL v1.0.2l install.
Do you know why this ENGINE error is presented?
Thanks in advance.
Please try:
OSTYPE=linux64 OPENSSL_PATH=$HOME/openssl make openssl
OSTYPE=linux64 OPENSSL_PATH=$HOME/ssl make
4. Change into ~/cst-3.3.1/code/back_end-hsm/src/ and run:
OSTYPE=linux64 OPENSSL_PATH=$HOME/ssl make
OSTYPE=linux64 OPENSSL_PATH=$HOME/ssl make all
You will get (again):
cst-3.3.1/code/cst/code/obj.linux64/../../code/front_end/src/csf_cmd_ins_key.c:741: undefined reference to `get_der_encoded_certificate_data'
/usr/bin/ld: cst-3.3.1/code/cst/code/obj.linux64/libfrontend.a(csf_cmd_ins_key.o): in function `cmd_handler_installnocak':
...
To overcome the above linking issues, I built adapt_layer_openssl.c from within ~/cst-3.3.1/code/back_end-hsm/src/: basically, I copied the relevant files (e.g. the header files needed by adapt_layer_openssl.c) from ~/cst-3.3.1/code/cst/code/back_end/src/ to ~/cst-3.3.1/code/back_end-hsm/src/ and from ~/cst-3.3.1/code/cst/code/front_end/hdr/ to ~/cst-3.3.1/code/back_end-hsm/src/include/, and modified ~/cst-3.3.1/code/back_end-hsm/src/Makefile to build adapt_layer_openssl.c.
Not the most sophisticated solution, but now I can build the cst file.
I'll try to post some more complete solution later today.
Please take into account that I have not yet tested the created cst file.
@YairBA After being informed that the official supported Linux distribution was Ubuntu 16.04 LTS that includes OpenSSL v1.0.2g for the system install, I followed your directions to move all of the associated headers for adapt_layer_openssl.c and was able to build. I will test the CST now and see if it works as expected.
Thanks,
Cory
In addition to your recommendations, I also had to add the following files to back_end-hsm/src (and associated header files for each source file to back_end-hsm/src/include) and the local copies to the back_end-hsm/Makefile:
cst/code/back_end/src/adapt_layer_openssl.c
cst/code/back_end/src/pkey.c
After that, I was able to clean, re-run make, and run make all and build successfully. The cst executable now works, but I cannot yet attest to it working with my HSM as I'd expect. I suppose that means this can be closed since I solved the original linker problem. Thanks for all of the help.
Hi,
I got CST version 3.3.1 to compile and work with HSM:
pushd ~/cst-3.3.1/code/cst
OSTYPE=linux64 make rel_bin
popd
pushd ~/cst-3.3.1/code/back_end-engine/src
sed -i 's#^ROOT :=.*#ROOT := ../../cst/code#g' ./Makefile
sed -i 's#^FRONTEND :=.*#FRONTEND := $(ROOT)/obj.linux$(BITNESS)/libfrontend.a#g' ./Makefile
OSTYPE=linux64 make
popd
Use p11tool --list-tokens to get the HSM URL.
The File field inside the .csf file should look like:
File = "pkcs11:token=some-token%20%28UserPIN%29;object=some_file;type=cert;pin-value=123456"
Then run the cst command with the -i and -o parameters.
If you run into a "segmentation fault", make sure that SoftHSM is not installed, or look for some other race condition (use valgrind).
I got it to run with the default package for Debian 10 (OpenSSL 1.1.1d, etc.)
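An added example (not from the thread or CST) that parses a PKCS#11 URI of the shape used in the File field above and checks it against the object labels a token actually exposes (the bracketed label from pkcs15-tool -D, as noted earlier in the thread), which is the first thing to verify when CST answers "Unable to read". The URI and label list are constructed from the post; pin-value is accepted either in the ';'-separated part, as written above, or after '?' as RFC 7512 places it.

```python
"""Added example: parse a PKCS#11 URI (RFC 7512 syntax) as used in a CSF
File/Source field and check it against the labels a token really exposes."""
from urllib.parse import unquote

def parse_pkcs11_uri(uri):
    """Return one dict of percent-decoded attributes.  Path attributes are
    ';'-separated; query attributes follow '?' and are '&'-separated.  The
    thread's URI puts pin-value in the path part, so both parts are merged."""
    if not uri.startswith('pkcs11:'):
        raise ValueError('not a pkcs11: URI')
    path, _, query = uri[len('pkcs11:'):].partition('?')
    attrs = {}
    for part, sep in ((path, ';'), (query, '&')):
        for item in filter(None, part.split(sep)):
            key, eq, value = item.partition('=')
            if not eq:
                raise ValueError(f'malformed attribute {item!r}')
            attrs[key] = unquote(value)
    return attrs

def check_cst_source(uri, token_labels):
    """Return a list of findings explaining why CST may fail to read the object.
    token_labels: labels from `pkcs15-tool -D`, i.e. the text inside [ ]."""
    attrs = parse_pkcs11_uri(uri)
    findings = []
    for key in ('token', 'object', 'type'):
        if key not in attrs:
            findings.append(f'missing attribute {key!r}')
    if 'type' in attrs and attrs['type'] != 'cert':
        findings.append(f"type is {attrs['type']!r}; a certificate source needs type=cert")
    label = attrs.get('object')
    if label is not None and label not in token_labels:
        # Label mismatches are usually case or whitespace; offer the closest match.
        near = [l for l in token_labels if l.strip().lower() == label.strip().lower()]
        hint = f', did you mean {near[0]!r}' if near else ''
        findings.append(f'object label {label!r} is not on the token{hint}')
    if 'pin-value' in attrs:
        findings.append('pin-value stores the user PIN in plaintext inside the CSF; '
                        'restrict access to that file')
    return findings

# Constructed inputs: the URI shape from the post and a label list as
# pkcs15-tool -D would show it (the labels are made up).
EXAMPLE_URI = ('pkcs11:token=some-token%20%28UserPIN%29;object=some_file;'
               'type=cert;pin-value=123456')
EXAMPLE_LABELS = ['some_file', 'other_cert']
```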
Have you successfully signed some binary file with this CST you built on Debian 10? What HSM are you using if you don't mind me asking?
Thanks,
Cory