Hello,
I am currently updating from SDK v2.3.0 to v2.5.2 but I am not able to get the 'psa' functions working correctly (as they did with previous SDKs).
I am trying to import a private key, with oberon driver I get the error -134 = PSA_ERROR_NOT_SUPPORTED,
with cc3xx driver the import itself is working but the next operations (psa_export_public_key and/or psa_sign_hash) will fail with error -147 = PSA_ERROR_HARDWARE_FAILURE
The problem seems familiar to:
nRF9160 RSA crypto changes from v2.3.0 to v2.4.0 SHA-1 signing
(I was also able to get error 135 in some cases) but the solution (to use CONFIG_PSA_CORE_BUILTIN=y) was removed in SDK v2.5.2
Initially I also thought it's because of the usage of a 512 bit key, which according to upper answer and to
https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.4.1/nrfxlib/crypto/doc/nrf_oberon.html
is not supported anymore -> therefore we specially changed our server to 2048 bit, but results stayed the same.
I have experimented with variations of following settings, but neither combination was working:
CONFIG_CRYPTO=y CONFIG_NRF_SECURITY=y CONFIG_MBEDTLS_RSA_C=y CONFIG_MBEDTLS_PSA_CRYPTO_C=y CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR=y CONFIG_PSA_WANT_ALG_SHA_256=y CONFIG_PSA_WANT_RSA_KEY_SIZE_2048=y CONFIG_PSA_CRYPTO_DRIVER_OBERON=n CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
I am testing with following code:
STATUS_CODE rsa_import_prv_key(void)
{
/* Configure the key attributes */
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_status_t status;
size_t olen;
int rc;
unsigned char buffer[2048];
size_t len;
/* Configure the key attributes */
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_EXPORT);
psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE);
psa_set_key_algorithm(&key_attributes, PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256));
psa_set_key_type(&key_attributes, PSA_KEY_TYPE_RSA_KEY_PAIR );
psa_set_key_bits(&key_attributes, RSA_KEY_BITS);
rc = base64_decode(buffer, sizeof(buffer), &len, &CONF_API_PRIVATE_KEY[0], strlen(CONF_API_PRIVATE_KEY) );
if(rc!=0) {
LOG_ERR("Base64 decode error: %d", rc);
}
// PRINT_HEX("Base64 decoded", buffer, sizeof(buffer));
status = psa_import_key(&key_attributes, buffer, len, &keypair_handle);
if (status != PSA_SUCCESS) {
LOG_INF("psa_import_key failed! (Error: %d)", status);
return STATUS_ERROR;
}
/* Export the public key */
status = psa_export_public_key(keypair_handle, m_pub_key, sizeof(m_pub_key), &olen);
if (status != PSA_SUCCESS) {
LOG_INF("psa_export_public_key failed! (Error: %d)", status);
return STATUS_ERROR;
}
// PRINT_HEX("Second (exported) puclic key", m_pub_key, sizeof(m_pub_key));
/* After the key handle is acquired the attributes are not needed */
psa_reset_key_attributes(&key_attributes);
return STATUS_OK;
}
And also tested some variations here (for example did I add the 'PSA_KEY_USAGE_EXPORT' flag due to an answer in the forum, this was not necessary in SDK2.3.0).
I was not able to find any solution, although I searched for a long time in the changelogs and in the forum, so I hope for some useful input...
Thank you, best regards,
Bernhard