I'm following the example: Securing IoT software deployments with Mender and NXP EdgeLock™ SE050, with se050x as the engine provider.
openssl version
OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
I know I could use an OpenSSL provider as I have version 3.0.11, but I decided to use the old engine approach, as it is documented with Mender and I assume it is well tested.
I start with the OpenSSL default configuration (as in the Mender documentation), and generating a key pair goes well:
./seTool genECC 0x7f000001 /dev/i2c-1
Failed to open GPIO export file : No such file or directory
Failed to open GPIO value file : No such file or directory
Failed to open unexport file : No such file or directory
App :INFO :PlugAndTrust_v04.05.01_20240219
App :INFO :Running ./seTool
App :INFO :Using PortName='/dev/i2c-1' (CLI)
App :WARN :Using SCP03 keys from:'/home/root/se.txt' (ENV=EX_SSS_BOOT_SCP03_PATH)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :INFO :Newer version of Applet Found
sss :INFO :Compiled for 0x30100. Got newer 0x30600
sss :WARN :Object id 0x7F000001 exists
App :INFO :ex_sss Finished
Getting a reference to the private key works as well:
./seTool getECCRef 0x7f000001 /tmp/0x7f000001.ref /dev/i2c-1
Failed to open GPIO export file : No such file or directory
Failed to open GPIO value file : No such file or directory
Failed to open unexport file : No such file or directory
App :INFO :PlugAndTrust_v04.05.01_20240219
App :INFO :Running ./seTool
App :INFO :Using PortName='/dev/i2c-1' (CLI)
App :WARN :Using SCP03 keys from:'/home/root/se.txt' (ENV=EX_SSS_BOOT_SCP03_PATH)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :INFO :Newer version of Applet Found
sss :INFO :Compiled for 0x30100. Got newer 0x30600
App :WARN :Accessing file using absolute path
App :INFO :ex_sss Finished
Then, after switching to the NXP OpenSSL configuration, signing works successfully:
openssl req -new -x509 -subj "/CN=Unit1" -engine e4sss -key /tmp/0x7f000001.ref -out /tmp/cert-e4sss.pem
ssse-flw: EmbSe_Init(): Entry
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
App :WARN :Using SCP03 keys from:'/home/root/se.txt' (ENV=EX_SSS_BOOT_SCP03_PATH)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :INFO :Newer version of Applet Found
sss :INFO :Compiled for 0x30100. Got newer 0x30600
ssse-flw: Version: 1.0.5
ssse-flw: EmbSe_Init(): Exit
Engine "e4sss" set.
ssse-dbg: Using keyId=0x7F000001
ssse-dbg: shaAlgo: 771
ssse-flw: SSS based sign (keyId=0x7F000001, dgstLen=32)
ssse-flw: SSS based sign called successfully (sigDERLen=72)
ssse-flw: EmbSe_ECDSA_Do_Sign success.
ssse-flw: EmbSe_Finish(): Entry
ssse-flw: EmbSe_Finish(): Exit
ssse-flw: EmbSe_Destroy(): Entry
So far so good. Then I try to use pkcs11-tool to list the available objects through
pkcs11-tool --module /home/root/simw-top/build/sss/plugin/pkcs11/libsss_pkcs11.so -O
and get the following output:
pkcs11-tool --module /home/root/simw-top/build/sss/plugin/pkcs11/libsss_pkcs11.so -O
Using slot 0 with a present token (0x1)
smCom :WARN :Invalid conn_ctx
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
App :WARN :Using SCP03 keys from:'/home/root/se.txt' (ENV=EX_SSS_BOOT_SCP03_PATH)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :INFO :Newer version of Applet Found
sss :INFO :Compiled for 0x30100. Got newer 0x30600
ssse-flw: EmbSe_Init(): Entry
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
App :WARN :Using SCP03 keys from:'/home/root/se.txt' (ENV=EX_SSS_BOOT_SCP03_PATH)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :INFO :Newer version of Applet Found
sss :INFO :Compiled for 0x30100. Got newer 0x30600
ssse-flw: Version: 1.0.5
ssse-flw: EmbSe_Init(): Exit
ssse-flw: EmbSe_Rand invoked requesting 8 random bytes
smCom :ERROR:phNxpEseProto7816_DecodeFrame Max retry count reached!!!
smCom :ERROR:phNxpEseProto7816_Transceive Transceive failed, hard reset to proceed
smCom :ERROR: phNxpEse_Transceive phNxpEseProto7816_Transceive- Failed
smCom :ERROR: Transcive Failed
sss :WARN :nxEnsure:'retStatus == SM_OK' failed. At Line:7975 Function:sss_se05x_channel_txn
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:7837 Function:sss_se05x_TXn
scp :ERROR:GP_InitializeUpdate Failure on communication Link FFFF
scp :ERROR:nxScp03_GP_InitializeUpdate fails with Status 3C3C0000
sss :ERROR:Could not set SCP03 Secure Channel
App :ERROR:sss_session_open failed
PKCS11:WARN :nxEnsure:'sss_status == kStatus_SSS_Success' failed. At Line:1002 Function:C_OpenSession
error: PKCS11 function C_OpenSession failed: rv = CKR_GENERAL_ERROR (0x5)
When I switch back to the default OpenSSL configuration, all objects present in the secure element are listed correctly. Why is OpenSSL needed at all when running pkcs11-tool through PKCS#11? What am I doing wrong?
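An added diagnostic (example code written for this page, not part of the original post and not NXP's or Mender's code) that scans an SSS log of the kind pasted above and flags what is visible in the failing pkcs11-tool run: a second `atr` session open appears inside `EmbSe_Init()`, i.e. the e4sss engine is initialised within the PKCS#11 process after the module has already opened its own session, followed by the SCP03 failure. The embedded log is a condensed copy of the output above; the line patterns are assumptions drawn from those lines only.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: condensed from the pkcs11-tool run shown in the post.
SAMPLE_LOG = """\
Using slot 0 with a present token (0x1)
smCom :WARN :Invalid conn_ctx
sss :INFO :atr (Len=35)
sss :INFO :Newer version of Applet Found
ssse-flw: EmbSe_Init(): Entry
sss :INFO :atr (Len=35)
ssse-flw: Version: 1.0.5
ssse-flw: EmbSe_Init(): Exit
ssse-flw: EmbSe_Rand invoked requesting 8 random bytes
smCom :ERROR:phNxpEseProto7816_DecodeFrame Max retry count reached!!!
sss :ERROR:Could not set SCP03 Secure Channel
App :ERROR:sss_session_open failed
error: PKCS11 function C_OpenSession failed: rv = CKR_GENERAL_ERROR (0x5)
"""

@dataclass
class Diagnosis:
    sessions_opened: int = 0            # one "atr (Len=..)" line per SE05x session open
    engine_init_after_session: bool = False  # EmbSe_Init() seen after a session already existed
    scp03_failed: bool = False
    pkcs11_rv: Optional[str] = None     # CKR_* code reported by pkcs11-tool, if any
    findings: List[str] = field(default_factory=list)

def diagnose(log: str) -> Diagnosis:
    """Walk the log once, in order, and summarise the session/engine sequence."""
    d = Diagnosis()
    for line in log.splitlines():
        if re.search(r"sss\s*:INFO\s*:atr \(Len=\d+\)", line):
            d.sessions_opened += 1
        elif "EmbSe_Init(): Entry" in line and d.sessions_opened >= 1:
            d.engine_init_after_session = True
        elif "Could not set SCP03 Secure Channel" in line:
            d.scp03_failed = True
        else:
            m = re.search(r"rv = (CKR_\w+)", line)
            if m:
                d.pkcs11_rv = m.group(1)
    if d.engine_init_after_session:
        d.findings.append("e4sss engine initialised inside the PKCS#11 process "
                          "after the module had already opened an SE05x session")
    if d.sessions_opened > 1:
        d.findings.append(f"{d.sessions_opened} SE05x session opens in one process")
    if d.scp03_failed:
        d.findings.append("SCP03 secure channel setup failed")
    return d
```

Running `diagnose()` on a log from a pkcs11-tool invocation that does not load the engine configuration should report a single session open and no findings.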