Solved: cst-3.3.1 back_end-hsm linker error

cheuschkel · ‎09-20-2020

I am receiving the following error when following directions to build the back end HSM source code from the recently released NXP CST 3.3.1 package (note in the directory listing that I had copied in the libfrontend.a which was built successfully):

osboxes@osboxes:~/cst-3.3.1/code/back_end-hsm/src$ make clean
$ARCH is []
rm -f backend.o config.o e_hsm.o e_hsm_err.o openssl_helper.o *~ core tags *.bak Makefile.bak libbackend.*
osboxes@osboxes:~/cst-3.3.1/code/back_end-hsm/src$ ls -al
total 680
drwxr-xr-x 3 osboxes osboxes   4096 Sep 20 22:46 .
drwxr-xr-x 4 osboxes osboxes   4096 Aug 14 08:53 ..
-rwxr-xr-x 1 osboxes osboxes  38775 Aug 14 08:56 backend.c
-rwxr-xr-x 1 osboxes osboxes   3874 Aug 14 08:56 config.c
-rwxr-xr-x 1 osboxes osboxes  51093 Aug 14 08:56 e_hsm.c
-rwxr-xr-x 1 osboxes osboxes   8670 Aug 14 08:56 e_hsm_err.c
drwxr-xr-x 2 osboxes osboxes   4096 Aug 14 08:53 include
-rwxr-xr-x 1 osboxes osboxes  96914 Sep 20 22:46 lib
-rw-rw-r-- 1 osboxes osboxes 437150 Sep 20 13:25 libfrontend.a
-rwxr-xr-x 1 osboxes osboxes   1937 Sep 20 22:22 Makefile
-rw-r--r-- 1 osboxes osboxes  12288 Sep 20 22:22 .Makefile.swp
-rwxr-xr-x 1 osboxes osboxes   4197 Aug 14 08:56 openssl_helper.c
-rw------- 1 osboxes osboxes  12288 Sep 20 21:34 .swp
osboxes@osboxes:~/cst-3.3.1/code/back_end-hsm/src$ make 
$ARCH is []
[Compile] backend.c
[Compile] config.c
[Compile] e_hsm.c
[Compile] e_hsm_err.c
[Compile] openssl_helper.c
[Link (Static) libbackend]
osboxes@osboxes:~/cst-3.3.1/code/back_end-hsm/src$ make all
$ARCH is []
gcc   -std=c99  -D_POSIX_C_SOURCE=200809L -Wall -Werror -g -Wall -o cst  libfrontend.a libbackend.a -L./lib  -I/../openssl/include -mno-ms-bitfields -L/../openssl/lib -lssl -lcrypto -ldl -lpthread -lconfig -fno-builtin -fno-strict-aliasing -fno-common -DREMOVE_ENCRYPTION -Wl,--allow-multiple-definition
/usr/bin/ld: libfrontend.a(csf_cmd_ins_key.o): in function `cmd_handler_installcsfk':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/front_end/src/csf_cmd_ins_key.c:741: undefined reference to `get_der_encoded_certificate_data'
/usr/bin/ld: libfrontend.a(csf_cmd_ins_key.o): in function `cmd_handler_installnocak':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/front_end/src/csf_cmd_ins_key.c:847: undefined reference to `get_der_encoded_certificate_data'
/usr/bin/ld: libfrontend.a(csf_cmd_ins_key.o): in function `cmd_handler_installkey':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/front_end/src/csf_cmd_ins_key.c:992: undefined reference to `get_der_encoded_certificate_data'
collect2: error: ld returned 1 exit status
make: *** [Makefile:77: all] Error 1

I'm not sure how get_der_encoded_certificate_data is supposed to be linked in in the first place. In the back_end-engine source, this function exists in backend.c, but in back_end-hsm backend.c, it does not. Can you please tell me if I'm missing a step?

cheuschkel

In addition to your recommendations, I also had to add the following files to back_end-hsm/src (and associated header files for each source file to back_end-hsm/src/include) and the local copies to the back_end-hsm/Makefile:

cst/code/back_end/src/adapt_layer_openssl.c

cst/code/back_end/src/pkey.c

After that, I was able to clean, re-run make, and run make all and build successfully. The cst executable now works, but I cannot yet attest to it working with my HSM as I'd expect. I suppose that means this can be closed since I solved the original linker problem. Thanks for all of the help.

View solution in original post

richardgottscha

I have written a script that makes it work with CentOS 7, so that all dependencies are included within libfrontend.a:

https://justpaste.it/nxp_cst

cheuschkel · ‎09-21-2020

For what it is worth, I just tested the cst-3.1.0 package and was able to link that successfully. The libfrontend.a was pre-compiled in the lib/ directory, and worked just fine for me. This appears to be an issue with the custom build of the libfrontend.a package in cst-3.3.0.

osboxes@osboxes:~/cst-3.1.0/release/linux64/lib$ cp libfrontend.a ../../code/back_end-hsm/src/
osboxes@osboxes:~/cst-3.1.0/release/linux64/lib$ cd ../../code/back_end-hsm/src/
osboxes@osboxes:~/cst-3.1.0/release/code/back_end-hsm/src$ make all
$ARCH is []
gcc   -std=c99  -D_POSIX_C_SOURCE=200809L -Wall -Werror -g -Wall -o cst  libfrontend.a libbackend.a -L./lib  -I/../openssl/include -mno-ms-bitfields -L/../openssl/lib -lssl -lcrypto -ldl -lpthread -lconfig -fno-builtin -fno-strict-aliasing -fno-common -DREMOVE_ENCRYPTION -Wl,--allow-multiple-definition
osboxes@osboxes:~/cst-3.1.0/release/code/back_end-hsm/src$ ls -al
total 700
drwxr-x--- 3 osboxes root      4096 Sep 21 10:35 .
drwxr-x--- 4 osboxes root      4096 Sep 21 10:23 ..
-rwxr-x--- 1 osboxes root     37338 Sep 21 10:23 backend.c
-rw-rw-r-- 1 osboxes osboxes  27664 Sep 21 10:34 backend.o
-rwxr-x--- 1 osboxes root      2705 Sep 21 10:23 config.c
-rw-rw-r-- 1 osboxes osboxes   4152 Sep 21 10:34 config.o
-rwxrwxr-x 1 osboxes osboxes 187520 Sep 21 10:35 cst
-rwxr-x--- 1 osboxes root     50555 Sep 21 10:23 e_hsm.c
-rwxr-x--- 1 osboxes root      7501 Sep 21 10:23 e_hsm_err.c
-rw-rw-r-- 1 osboxes osboxes   8504 Sep 21 10:34 e_hsm_err.o
-rw-rw-r-- 1 osboxes osboxes  54064 Sep 21 10:34 e_hsm.o
drwxr-x--- 2 osboxes root      4096 Sep 21 10:23 include
-rw-rw-r-- 1 osboxes osboxes  96962 Sep 21 10:34 libbackend.a
-rwxr-x--- 1 osboxes osboxes 190424 Sep 21 10:35 libfrontend.a
-rwxr-x--- 1 osboxes root      2216 Sep 21 10:23 Makefile
-rwxr-x--- 1 osboxes root      3028 Sep 21 10:23 openssl_helper.c
-rw-rw-r-- 1 osboxes osboxes   1376 Sep 21 10:34 openssl_helper.o

cheuschkel · ‎09-23-2020

It's worth noting that I'm using an Ubuntu 20.04 VM with the default system OpenSSL v1.1.1f installed. Now that I see all of the NXP rep posts saying to use v1.0.2, I went ahead and downloaded and installed it locally. But now when I set my OPENSSL_PATH and try to run make on the cst to build libfrontend.a, I get the following errors:

osboxes@osboxes:~/cst-3.3.1/code/cst$ OSTYPE=linux64 OPENSSL_PATH=/home/osboxes/openssl-1.0.2l make 
Compile srktool.o
Compile openssl_helper.o
Compile srk_helper.o
Compile err.o
Link srktool
/usr/bin/ld: srktool.o: in function `generate_srk_data':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/srktool/src/srktool.c:720: undefined reference to `X509_get_pubkey'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/srktool/src/srktool.c:723: undefined reference to `X509_check_ca'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/srktool/src/srktool.c:732: undefined reference to `EVP_PKEY_id'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/srktool/src/srktool.c:736: undefined reference to `EVP_PKEY_id'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/srktool/src/srktool.c:742: undefined reference to `EVP_PKEY_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/srktool/src/srktool.c:743: undefined reference to `X509_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/srktool/src/srktool.c:750: undefined reference to `EVP_PKEY_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/srktool/src/srktool.c:751: undefined reference to `X509_free'
/usr/bin/ld: openssl_helper.o: in function `ECDSA_SIG_set0':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:105: undefined reference to `BN_clear_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:106: undefined reference to `BN_clear_free'
/usr/bin/ld: openssl_helper.o: in function `EVP_MD_CTX_free':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:115: undefined reference to `EVP_MD_CTX_cleanup'
/usr/bin/ld: openssl_helper.o: in function `openssl_initialize':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:182: undefined reference to `ERR_load_crypto_strings'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:183: undefined reference to `OPENSSL_add_all_algorithms_noconf'
/usr/bin/ld: openssl_helper.o: in function `generate_hash':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:201: undefined reference to `EVP_get_digestbyname'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:212: undefined reference to `EVP_DigestInit'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:213: undefined reference to `EVP_DigestUpdate'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:214: undefined reference to `EVP_DigestFinal'
/usr/bin/ld: openssl_helper.o: in function `get_bn':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:229: undefined reference to `BN_num_bits'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:237: undefined reference to `BN_bn2bin'
/usr/bin/ld: openssl_helper.o: in function `sign_data':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:251: undefined reference to `EVP_MD_CTX_create'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:261: undefined reference to `EVP_PKEY_size'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:267: undefined reference to `EVP_sha1'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:271: undefined reference to `EVP_sha256'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:275: undefined reference to `EVP_MD_CTX_destroy'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:280: undefined reference to `EVP_DigestInit_ex'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:281: undefined reference to `EVP_DigestUpdate'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:282: undefined reference to `EVP_SignFinal'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:286: undefined reference to `EVP_MD_CTX_destroy'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:303: undefined reference to `EVP_MD_CTX_destroy'
/usr/bin/ld: openssl_helper.o: in function `read_certificate':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:321: undefined reference to `BIO_s_file'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:321: undefined reference to `BIO_new'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:330: undefined reference to `BIO_ctrl'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:332: undefined reference to `BIO_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:336: undefined reference to `PEM_read_bio_X509'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:344: undefined reference to `d2i_X509_fp'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:348: undefined reference to `BIO_free'
/usr/bin/ld: openssl_helper.o: in function `read_private_key':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:366: undefined reference to `BIO_s_file'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:366: undefined reference to `BIO_new'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:373: undefined reference to `BIO_ctrl'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:375: undefined reference to `BIO_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:382: undefined reference to `PEM_read_bio_PrivateKey'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:386: undefined reference to `BIO_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:392: undefined reference to `d2i_PKCS8PrivateKey_bio'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:396: undefined reference to `BIO_free'
/usr/bin/ld: openssl_helper.o: in function `seed_prng':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:417: undefined reference to `RAND_load_file'
/usr/bin/ld: openssl_helper.o: in function `gen_random_bytes':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:426: undefined reference to `RAND_bytes'
/usr/bin/ld: openssl_helper.o: in function `calculate_hash':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:478: undefined reference to `EVP_get_digestbyname'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:487: undefined reference to `BIO_s_file'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:487: undefined reference to `BIO_new'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:488: undefined reference to `BIO_f_md'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:488: undefined reference to `BIO_new'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:494: undefined reference to `BIO_ctrl'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:499: undefined reference to `BIO_ctrl'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:504: undefined reference to `BIO_push'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:509: undefined reference to `BIO_read'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:518: undefined reference to `BIO_gets'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:528: undefined reference to `BIO_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:529: undefined reference to `BIO_free'
/usr/bin/ld: openssl_helper.o: in function `ver_sig_data':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:544: undefined reference to `X509_get_pubkey'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:545: undefined reference to `EVP_get_digestbyname'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:565: undefined reference to `EVP_MD_type'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:565: undefined reference to `RSA_verify'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:573: undefined reference to `ECDSA_SIG_new'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:575: undefined reference to `BN_bin2bn'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:575: undefined reference to `BN_bin2bn'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:578: undefined reference to `i2d_ECDSA_SIG'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/openssl_helper.c:580: undefined reference to `ECDSA_verify'
/usr/bin/ld: srk_helper.o: in function `srk_entry_pkcs1':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:140: undefined reference to `EVP_PKEY_bits'
/usr/bin/ld: srk_helper.o: in function `srk_entry_ec':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:228: undefined reference to `EC_KEY_get0_public_key'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:233: undefined reference to `BN_new'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:238: undefined reference to `BN_new'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:241: undefined reference to `BN_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:244: undefined reference to `EC_KEY_get0_group'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:244: undefined reference to `EC_POINT_get_affine_coordinates_GFp'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:247: undefined reference to `BN_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:248: undefined reference to `BN_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:252: undefined reference to `BN_num_bits'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:253: undefined reference to `BN_num_bits'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:255: undefined reference to `EVP_PKEY_bits'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:267: undefined reference to `BN_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:268: undefined reference to `BN_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:277: undefined reference to `BN_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:278: undefined reference to `BN_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:318: undefined reference to `BN_free'
/usr/bin/ld: srk_helper.o:/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:319: more undefined references to `BN_free' follow
/usr/bin/ld: srk_helper.o: in function `srk_entry_ec':
/home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:326: undefined reference to `EVP_PKEY_bits'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:338: undefined reference to `BN_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:339: undefined reference to `BN_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:348: undefined reference to `EVP_PKEY_bits'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:360: undefined reference to `BN_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:361: undefined reference to `BN_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:391: undefined reference to `EVP_PKEY_bits'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:392: undefined reference to `EVP_PKEY_bits'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:401: undefined reference to `BN_bn2bin'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:410: undefined reference to `BN_bn2bin'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:416: undefined reference to `BN_free'
/usr/bin/ld: /home/osboxes/cst-3.3.1/code/cst/code/obj.linux64/../../code/common/src/srk_helper.c:417: undefined reference to `BN_free'
/usr/bin/ld: /home/osboxes/openssl-1.0.2l/libcrypto.a(cryptlib.o): in function `CRYPTO_get_new_lockid':
cryptlib.c:(.text+0x14): undefined reference to `BUF_strdup'
/usr/bin/ld: cryptlib.c:(.text+0x2f): undefined reference to `sk_push'
/usr/bin/ld: cryptlib.c:(.text+0x46): undefined reference to `sk_new_null'
/usr/bin/ld: cryptlib.c:(.text+0x78): undefined reference to `ERR_put_error'
/usr/bin/ld: /home/osboxes/openssl-1.0.2l/libcrypto.a(cryptlib.o): in function `CRYPTO_get_new_dynlockid':
cryptlib.c:(.text+0x1ad): undefined reference to `sk_find'
/usr/bin/ld: cryptlib.c:(.text+0x1c9): undefined reference to `sk_set'
/usr/bin/ld: cryptlib.c:(.text+0x217): undefined reference to `sk_new_null'
/usr/bin/ld: cryptlib.c:(.text+0x26c): undefined reference to `ERR_put_error'
/usr/bin/ld: cryptlib.c:(.text+0x28b): undefined reference to `sk_push'
/usr/bin/ld: cryptlib.c:(.text+0x2fd): undefined reference to `ERR_put_error'
/usr/bin/ld: /home/osboxes/openssl-1.0.2l/libcrypto.a(cryptlib.o): in function `CRYPTO_destroy_dynlockid':
cryptlib.c:(.text+0x389): undefined reference to `sk_num'
/usr/bin/ld: cryptlib.c:(.text+0x39b): undefined reference to `sk_value'
/usr/bin/ld: cryptlib.c:(.text+0x424): undefined reference to `sk_set'
/usr/bin/ld: /home/osboxes/openssl-1.0.2l/libcrypto.a(cryptlib.o): in function `CRYPTO_get_dynlock_value':
cryptlib.c:(.text+0x4c4): undefined reference to `sk_num'
/usr/bin/ld: cryptlib.c:(.text+0x508): undefined reference to `sk_num'
/usr/bin/ld: cryptlib.c:(.text+0x51a): undefined reference to `sk_value'
/usr/bin/ld: /home/osboxes/openssl-1.0.2l/libcrypto.a(cryptlib.o): in function `CRYPTO_get_lock_name':
cryptlib.c:(.text+0x76c): undefined reference to `sk_num'
/usr/bin/ld: cryptlib.c:(.text+0x79b): undefined reference to `sk_value'
collect2: error: ld returned 1 exit status
make[1]: *** [../build/make/rules.mk:24: srktool] Error 1
make: *** [Makefile:59: rel_bin] Error 2

@Yuri you seem to be the most active NXP rep on these posts. Can you please look over these problems with the HSM back end?

Yuri

Hello,

use AN12812 (Using Code-Signing Tool with Hardware Security Module).

The document is valid for CST versions starting from 3.3.1.
OpenSSL should be 1.0.2g .

Ubuntu 16.04 and as root user.

Regards,
Yuri.

YairBA

Assuming your host/VM runs a different version of OpenSSL, you can build it locally:

git clone https://github.com/openssl/openssl.git $HOME/openssl
pushd $HOME/openssl
    git checkout OpenSSL_1_0_2
    ./Configure linux-x86_64 --prefix=/home/$USER/ssl
    make
    make install
popd

For linking cst:

Clone OpenSSL and checkout to OpenSSL_1_0_2
Change into ~/cst-3.3.1/code/cst
Open Makefile and add the following two changes:

line #48:
OPENSSL_CONFIG += no-deprecated no-threads no-shared no-dso no-engine no-hw \
+                  no-idea --prefix=$(HOME)

line 75:
        make clean                    && \
        make                          && \
+        make install                  && \
        cp ms/applink.c include/openssl/

4. Make:

OSTYPE=linux64 OPENSSL_PATH=$HOME/openssl make openssl
OSTYPE=linux64 OPENSSL_PATH=$HOME/openssl make

cheuschkel

Thank you @YairBA! This got past my compilation problems for the CST. But now, using the OpenSSL on the 1_0_2 branch, I am having new errors when building the back_end-hsm project:

sboxes@osboxes:~/nxp/cst-3.3.1/code/back_end-hsm/src$ OSTYPE=linux64 OPENSSL_PATH=$HOME/openssl make
$ARCH is []
[Compile] backend.c
In file included from ./include/e_hsm.h:46,
                 from backend.c:48:
/home/osboxes/openssl/include/openssl/engine.h:71:4: error: #error ENGINE is disabled.
   71 | #  error ENGINE is disabled.
      |    ^~~~~
make: *** [Makefile:67: backend.o] Error 1

For what it's worth, if I just run `make` (which would in turn use my OpenSSL 1.0.2l version I have in a different directory that installed to /usr/bin/ssl) I compile the back end without problems. Perhaps I need to get rid of my separate OpenSSL v1.0.2l install.

Do you know why this ENGINE error is presented?

Thanks in advance.

YairBA

Please try:

Remove the current cst-3.3.1 dir and re-extract cst-3.3.1.tgz .
Change into ~/cst-3.3.1/code/cst/ and do the above changes to ~/cst-3.3.1/code/cst/Makefile .
Run the following make commands:

OSTYPE=linux64 OPENSSL_PATH=$HOME/openssl make openssl
OSTYPE=linux64 OPENSSL_PATH=$HOME/ssl make

4. Change into ~/cst-3.3.1/code/back_end-hsm/src/ and run:

OSTYPE=linux64 OPENSSL_PATH=$HOME/ssl make
OSTYPE=linux64 OPENSSL_PATH=$HOME/ssl make all

You will get (again):

cst-3.3.1/code/cst/code/obj.linux64/../../code/front_end/src/csf_cmd_ins_key.c:741: undefined reference to `get_der_encoded_certificate_data'
/usr/bin/ld: cst-3.3.1/code/cst/code/obj.linux64/libfrontend.a(csf_cmd_ins_key.o): in function `cmd_handler_installnocak':
...

To overcome the above linking issues, I build adapt_layer_openssl.c from within ~/cst-3.3.1/code/back_end-hsm/src/ , basically copied the relevant (for adapt_layer_openssl.c e.g. headers files) files from ~/cst-3.3.1/code/cst/code/back_end/src/ to ~/cst-3.3.1/code/back_end-hsm/src/ and from ~/cst-3.3.1/code/cst/code/front_end/hdr/ to ~/cst-3.3.1/code/back_end-hsm/src/include/ and modify ~/cst-3.3.1/code/back_end-hsm/src/Makefile to build adapt_layer_openssl.c .

Not the most sophisticated solution, but now I can build the cst file.

I'll try to post some more complete solution later today.

Please take into account that I not yet tested the created cst file.

cheuschkel

@YairBA After being informed that the official supported Linux distribution was Ubuntu 16.04 LTS that includes OpenSSL v1.0.2g for the system install, I followed your directions to move all of the associated headers for adapt_layer_openssl.c and was able to build. I will test the CST now and see if it works as expected.

Thanks,

Cory

cheuschkel

In addition to your recommendations, I also had to add the following files to back_end-hsm/src (and associated header files for each source file to back_end-hsm/src/include) and the local copies to the back_end-hsm/Makefile:

cst/code/back_end/src/adapt_layer_openssl.c

cst/code/back_end/src/pkey.c

After that, I was able to clean, re-run make, and run make all and build successfully. The cst executable now works, but I cannot yet attest to it working with my HSM as I'd expect. I suppose that means this can be closed since I solved the original linker problem. Thanks for all of the help.

View solution in original post

YairBA

Hi,

I got CST version 3.3.1 to compile and work with HSM:

pushd ~/cst-3.3.1/code/cst
    OSTYPE=linux64 make rel_bin
popd

pushd ~/cst-3.3.1/code/back_end-engine/src
    sed -i 's#^ROOT :=.*#ROOT := ../../cst/code#g' ./Makefile
    sed -i 's#^FRONTEND :=.*#FRONTEND := $(ROOT)/obj.linux$(BITNESS)/libfrontend.a#g' ./Makefile
    OSTYPE=linux64 make
popd

Use p11tool --list-tokens to get the HSM URL.

The File field inside the .csf file should looks like:

File = "pkcs11:token=some-token%20%28UserPIN%29;object=some_file;type=cert;pin-value=123456"

Then run the cst command with the -i and -o parameters.

If you run into "segmentation fault" make sure that SoftHSM is not installed, or some other race-condition (use valgrind).

I got it to run with the default package for Debian 10 (OpenSSL 1.1.1d, etc.)

cheuschkel

@YairBA,

Have you successfully signed some binary file with this CST you built on Debian 10? What HSM are you using if you don't mind me asking?

Thanks,

Cory

YairBA

cheuschkel

Thanks! I also have a Nitrokey HSM so this is promising. My end goal is to use a cloud-based HSM, which I did get working with the CST after the modifications in this post for CST v3.3.1 on Ubuntu 16.04 (OpenSSL v1.0.2g), but then I was having issues with mkimage. So I will now try your suggested changes to get this all working on a newer distro.

Regards,

Cory

cheuschkel

I tried your suggestions but still ended up with the aforementioned engine error. So, in the makefile I went in and edited the CST Makefile to remove the `no-engine` call from OPENSSL_CONFIG. Then running `make all` for the back-end_hsm again, I end up pretty much back at square one.

I guess now I'm at a point where OpenSSL is again causing problems. I've been working to just try to get an answer from NXP on what OpenSSL and Linux distributions should be used. I am using VMs, so really I am flexible on what to use. But I have yet to find a straight answer on suggesting a distro and OpenSSL version. If you can also provide that information @YairBA, it would be appreciated.

EDIT: I think that this was due to the custom install of OpenSSL v1.0.2. I'm going to move forward with just using Ubuntu v16.04 which includes the system-level 1.0.2g.