nRF9160 RSA crypto changes from v2.3.0 to v2.4.0 SHA-1 signing

I am in the process of porting a project from v2.3.0 (Zephyr v3.2.99) to v2.4.1 (Zephyr v3.3.99) and I believe there was a change that breaks the project.

I believe this change happened in v2.4.0.

I have extracted the relevant code and created a self-contained project that can be used to demonstrate the issue.

Compiling this in SDK v2.3.0 works correctly, but there are errors during runtime with SDK v2.4.1.

The errors are either PSA_ERROR_NOT_SUPPORTED (-134) or PSA_ERROR_INVALID_ARGUMENT (-135).

I am working with a 384-bit SHA-1 RSA key used to sign data.

When using psa_generate_key() the error PSA_ERROR_NOT_SUPPORTED results.

When using psa_import_key() the error PSA_ERROR_INVALID_ARGUMENT results.

There were no issues in v2.3.0 so I am interested in what changed and how I can work around the changes.

I have been digging around in the v2.4.1 SDK but am having trouble following the abstraction and not sure what library is being used.

The uploaded project is self-contained and should be able to be built as is and run on an nRF9160-DK.

Thanks,

Allan

rsa_sha1_384bit_test.zip

  • Hi,

    SHA-1 384 is not supported by Oberon, and needs mbedtls to work as expected.

    Can you try to add this to your configuration?

    CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
    CONFIG_PSA_CRYPTO_DRIVER_CC3XX=n
    CONFIG_PSA_CORE_BUILTIN=y

    Kind regards,

    Håkon

  • Hi Håkon,

    Thank you for the timely reply.

    I tried with the above configuration and it now works as expected while signing data with a 384-bit SHA-1 RSA key.

    There is one side effect: I have a *lot* of warnings for the following... however the project builds without error and the RSA signing features are now working again as expected. Thank you very much for the workaround suggestion.

    In file included from secure_fw/partitions/crypto/mbedcrypto/nrf_security_src/include/generated/nrf-config.h:12:
    secure_fw/partitions/crypto/mbedcrypto/nrf_security_src/include/generated/nrf-config-user.h:147: note: this is the location of the previous definition
      147 | #define MBEDTLS_PSA_BUILTIN_ALG_SHA_1

    I noticed there seemed to be an overhaul of the Oberon driver from v2.3.x to v2.4.x.  Have there been changes to the Oberon library that removed support for 384-bit SHA-1 keys?  I *believe* I was using the Oberon driver in 2.3.x as it was able to perform the RSA signing at the time.  Is this possibly the case here?

    Also, I did not look carefully, but I noticed that the Oberon library is provided precompiled into a binary form.  From a development standpoint was it easier to precompile the binary rather than have it build from source with the project?

    I ask this because I was trying to trace the issues that I was having with the Oberon library only to find that a large chunk was being linked to a precompiled library.  Perhaps the source is present, but requires me to set up the proper build environment to run the Makefile for it.

    Thank you for looking into the Oberon library support issues with the sample project /opt/nordic/ncs/v2.4.1/nrf/samples/crypto/rsa .  I look forward to the results.  I may move up to a 1024-bit key in the future, but it will require changes to code on other systems to support the change... at that time I may be able to use the hardware crypto cell.

    I will leave this ticket open until we hear a result from the developers concerning the Oberon library issues (in the sample project).
