Hello,
I downloaded cst-2.3.1 from this website and have unpacked the file onto a system running Ubuntu 12.04.5 LTS 64-bit. I have created the key_pass.txt and serial files as directed but when I run the hab4_pki_tree.sh script I get the following errors (taken from a log file generated by the terminal client I am using):
[Tue Jan 19 15:05:59.893 2016] ++++++++++++++++++++++++++++++++++++++++
[Tue Jan 19 15:05:59.893 2016] + Generating SRK key and certificate 1 +
[Tue Jan 19 15:05:59.893 2016] ++++++++++++++++++++++++++++++++++++++++
[Tue Jan 19 15:05:59.893 2016]
[Tue Jan 19 15:05:59.909 2016] Generating RSA private key, 4096 bit long modulus
[Tue Jan 19 15:05:59.909 2016] ..........................................++
[Tue Jan 19 15:06:00.236 2016] ..............................................................................................................++
[Tue Jan 19 15:06:01.080 2016] e is 65537 (0x10001)
[Tue Jan 19 15:06:01.111 2016] Using configuration from ../ca/openssl.cnf
[Tue Jan 19 15:06:01.111 2016] unable to load CA private key
[Tue Jan 19 15:06:01.111 2016] 140363626993312:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
[Tue Jan 19 15:06:01.127 2016] 140363626993312:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:104:
[Tue Jan 19 15:06:01.127 2016] 140363626993312:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
[Tue Jan 19 15:06:01.127 2016] 140363626993312:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:
[Tue Jan 19 15:06:01.127 2016] Error opening Certificate ../crts/SRK1_sha256_4096_65537_v3_ca_crt.pem
[Tue Jan 19 15:06:01.127 2016] 140265689716384:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('../crts/SRK1_sha256_4096_65537_v3_ca_crt.pem','r')
[Tue Jan 19 15:06:01.127 2016] 140265689716384:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
[Tue Jan 19 15:06:01.127 2016] unable to load certificate
[Tue Jan 19 15:06:01.142 2016]
[Tue Jan 19 15:06:01.142 2016] ++++++++++++++++++++++++++++++++++++++++
[Tue Jan 19 15:06:01.142 2016] + Generating CSF key and certificate 1 +
[Tue Jan 19 15:06:01.142 2016] ++++++++++++++++++++++++++++++++++++++++
[Tue Jan 19 15:06:01.142 2016]
[Tue Jan 19 15:06:01.142 2016] Generating RSA private key, 4096 bit long modulus
[Tue Jan 19 15:06:01.142 2016] ..................................................................................................................................................................................................................................++
[Tue Jan 19 15:06:02.874 2016] ...++
[Tue Jan 19 15:06:02.905 2016] e is 65537 (0x10001)
[Tue Jan 19 15:06:02.936 2016] Using configuration from ../ca/openssl.cnf
[Tue Jan 19 15:06:02.936 2016] unable to load CA private key
[Tue Jan 19 15:06:02.936 2016] 139735995864736:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
[Tue Jan 19 15:06:02.936 2016] 139735995864736:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:104:
[Tue Jan 19 15:06:02.936 2016] 139735995864736:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
[Tue Jan 19 15:06:02.936 2016] 139735995864736:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:
[Tue Jan 19 15:06:02.936 2016] Error opening Certificate ../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
[Tue Jan 19 15:06:02.936 2016] 140679265150624:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem','r')
[Tue Jan 19 15:06:02.936 2016] 140679265150624:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
[Tue Jan 19 15:06:02.936 2016] unable to load certificate
[Tue Jan 19 15:06:02.952 2016]
[Tue Jan 19 15:06:02.952 2016] ++++++++++++++++++++++++++++++++++++++++
[Tue Jan 19 15:06:02.952 2016] + Generating IMG key and certificate 1 +
[Tue Jan 19 15:06:02.952 2016] ++++++++++++++++++++++++++++++++++++++++
[Tue Jan 19 15:06:02.952 2016]
[Tue Jan 19 15:06:02.967 2016] Generating RSA private key, 4096 bit long modulus
[Tue Jan 19 15:06:02.967 2016] ........................................................................................................................................................................++
[Tue Jan 19 15:06:04.253 2016] ....................................................................................................................................................................................................................++
[Tue Jan 19 15:06:05.877 2016] e is 65537 (0x10001)
[Tue Jan 19 15:06:05.893 2016] Using configuration from ../ca/openssl.cnf
[Tue Jan 19 15:06:05.893 2016] unable to load CA private key
[Tue Jan 19 15:06:05.908 2016] 140552183891616:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
[Tue Jan 19 15:06:05.908 2016] 140552183891616:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:104:
[Tue Jan 19 15:06:05.908 2016] 140552183891616:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
[Tue Jan 19 15:06:05.908 2016] 140552183891616:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:
[Tue Jan 19 15:06:05.908 2016] Error opening Certificate ../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
[Tue Jan 19 15:06:05.908 2016] 140225580635808:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem','r')
[Tue Jan 19 15:06:05.908 2016] 140225580635808:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
[Tue Jan 19 15:06:05.908 2016] unable to load certificate
I get similar errors for each SRK. Any idea what the problem could be?
Hello,
From section 3.2.2 (Running the hab4_pki_tree script Example) of "HABCST_UG.pdf":
"Run the hab4_pki_tree.sh script. The script will ask a series of questions:
— Do you want to use an existing CA key (y/n)?"
Please try "Choose no here ...".
Have a great day,
Yuri
Hi Yuri,
Sorry, I forgot to include the log entries from how I answered the questions when I started the script. I did answer "no" when asked about using an existing CA key (see below).
[Tue Jan 19 15:05:33.543 2016] ./hab4_pki_tree.sh
[Tue Jan 19 15:05:35.932 2016]
[Tue Jan 19 15:05:35.932 2016] +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[Tue Jan 19 15:05:35.932 2016] This script is a part of the Code signing tools for Freescale's
[Tue Jan 19 15:05:35.932 2016] High Assurance Boot. It generates a basic PKI tree. The PKI
[Tue Jan 19 15:05:35.932 2016] tree consists of one or more Super Root Keys (SRK), with each
[Tue Jan 19 15:05:35.932 2016] SRK having two subordinate keys:
[Tue Jan 19 15:05:35.932 2016] + a Command Sequence File (CSF) key
[Tue Jan 19 15:05:35.932 2016] + Image key.
[Tue Jan 19 15:05:35.932 2016] Additional keys can be added to the PKI tree but a separate
[Tue Jan 19 15:05:35.932 2016] script is available for this. This this script assumes openssl
[Tue Jan 19 15:05:35.932 2016] is installed on your system and is included in your search
[Tue Jan 19 15:05:35.932 2016] path. Finally, the private keys generated are password
[Tue Jan 19 15:05:35.932 2016] protectedwith the password provided by the file key_pass.txt.
[Tue Jan 19 15:05:35.932 2016] The format of the file is the password repeated twice:
[Tue Jan 19 15:05:35.932 2016] my_password
[Tue Jan 19 15:05:35.932 2016] my_password
[Tue Jan 19 15:05:35.932 2016] All private keys in the PKI tree are in PKCS #8 format will be
[Tue Jan 19 15:05:35.932 2016] protected by the same password.
[Tue Jan 19 15:05:35.932 2016]
[Tue Jan 19 15:05:35.932 2016] +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[Tue Jan 19 15:05:35.932 2016] Do you want to use an existing CA key (y/n)?: n
[Tue Jan 19 15:05:45.850 2016] Enter key length in bits for PKI tree: 4096
[Tue Jan 19 15:05:49.751 2016] Enter PKI tree duration (years): 10
[Tue Jan 19 15:05:52.233 2016] How many Super Root Keys should be generated? 4
[Tue Jan 19 15:05:54.355 2016] Do you want the SRK certificates to have the CA flag set? (y/n)?: y
[Tue Jan 19 15:05:58.676 2016]
[Tue Jan 19 15:05:58.676 2016] +++++++++++++++++++++++++++++++++++++
[Tue Jan 19 15:05:58.676 2016] + Generating CA key and certificate +
[Tue Jan 19 15:05:58.676 2016] +++++++++++++++++++++++++++++++++++++
[Tue Jan 19 15:05:58.676 2016]
[Tue Jan 19 15:05:58.676 2016] Generating a 4096 bit RSA private key
[Tue Jan 19 15:05:58.676 2016] ...++
[Tue Jan 19 15:05:58.707 2016] ................................................................................................................................................++
[Tue Jan 19 15:05:59.831 2016] writing new private key to 'temp_ca.pem'
[Tue Jan 19 15:05:59.831 2016] -----
[Tue Jan 19 15:05:59.893 2016]
Hello,
Perhaps it makes sense to try under root (sudo).
Regards,
Yuri.
Hi Yuri,
I tried again but this time under root using sudo but I still get the same errors. It looks like it doesn't like the CA private key that was previously generated for some reason. Why would this happen?
Hello,
Please look at the comment of Ben Foose in the following thread:
https://community.freescale.com/message/624469?et=watches.email.thread#comment-624469
Regards,
Yuri.
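
Added example, not part of the thread or of the CST scripts: a shell check that a key_pass.txt file matches the format the script banner describes (the password repeated on two lines), which is worth running before digging further into a "bad decrypt" on a key the script has just written. The function name and return codes are hypothetical; the check flags carriage returns and extra lines as suspicious and does not claim to identify the cause of the errors in this thread.

```shell
#!/bin/sh
# check_key_pass FILE  (hypothetical helper, not shipped with CST)
# Return codes:
#   0  two identical, non-empty lines
#   1  file missing or unreadable
#   2  file contains carriage returns (e.g. saved with CRLF line endings)
#   3  file does not contain exactly two lines (blank trailing lines count)
#   4  the two lines differ
#   5  the password line is empty
check_key_pass() {
    [ -r "$1" ] || return 1

    # A CR becomes part of the pass phrase and is invisible in most editors.
    if LC_ALL=C grep -q "$(printf '\r')" "$1"; then
        return 2
    fi

    # awk counts a final line even when it lacks a trailing newline.
    awk '
        { line[NR] = $0 }
        END {
            if (NR != 2)            exit 3
            if (line[1] == "")      exit 5
            if (line[1] != line[2]) exit 4
            exit 0
        }' "$1"
}

# Run against a file only when one is named on the command line.
if [ "$#" -ge 1 ]; then
    check_key_pass "$1"
    rc=$?
    case $rc in
        0) echo "$1: OK" ;;
        1) echo "$1: missing or unreadable" ;;
        2) echo "$1: contains carriage returns" ;;
        3) echo "$1: expected exactly two lines" ;;
        4) echo "$1: the two lines differ" ;;
        5) echo "$1: empty password" ;;
    esac
fi
```

OpenSSL's `file:` pass phrase source uses the first line as the input password and the next line as the output password when the same file is given for both, so two lines that differ produce a key that is written under one password and read back under another.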