Hello,
I am currently updating from SDK v2.3.0 to v2.5.2 but I am not able to get the 'psa' functions working correctly (as they did with previous SDKs).
I am trying to import a private key, with oberon driver I get the error -134 = PSA_ERROR_NOT_SUPPORTED,
with cc3xx driver the import itself is working but the next operations (psa_export_public_key and/or psa_sign_hash) will fail with error -147 = PSA_ERROR_HARDWARE_FAILURE
The problem seems similar to:
nRF9160 RSA crypto changes from v2.3.0 to v2.4.0 SHA-1 signing
(I was also able to get error 135 in some cases), but the solution (to use CONFIG_PSA_CORE_BUILTIN=y) was removed in SDK v2.5.2.
Initially I also thought it was because of the usage of a 512-bit key, which according to the answer above and to
https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.4.1/nrfxlib/crypto/doc/nrf_oberon.html
is not supported anymore -> therefore we specifically changed our server to 2048 bit, but the results stayed the same.
I have experimented with variations of the following settings, but no combination worked:
CONFIG_CRYPTO=y
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR=y
CONFIG_PSA_WANT_ALG_SHA_256=y
CONFIG_PSA_WANT_RSA_KEY_SIZE_2048=y
CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
I am testing with following code:
#include <string.h>
#include <psa/crypto.h>
#include <zephyr/logging/log.h>
#include <zephyr/sys/base64.h>

/* STATUS_CODE, RSA_KEY_BITS, CONF_API_PRIVATE_KEY, keypair_handle and
 * m_pub_key are defined elsewhere in the application. */
STATUS_CODE rsa_import_prv_key(void)
{
	psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
	psa_status_t status;
	size_t olen;
	int rc;
	unsigned char buffer[2048];
	size_t len;

	/* Configure the key attributes */
	psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_EXPORT);
	psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE);
	psa_set_key_algorithm(&key_attributes, PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256));
	psa_set_key_type(&key_attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
	psa_set_key_bits(&key_attributes, RSA_KEY_BITS);

	/* Decode the base64-encoded private key into buffer */
	rc = base64_decode(buffer, sizeof(buffer), &len, &CONF_API_PRIVATE_KEY[0], strlen(CONF_API_PRIVATE_KEY));
	if (rc != 0) {
		LOG_ERR("Base64 decode error: %d", rc);
		/* Do not import from a buffer that failed to decode */
		return STATUS_ERROR;
	}
	// PRINT_HEX("Base64 decoded", buffer, sizeof(buffer));

	/* Import the decoded key as a volatile key pair */
	status = psa_import_key(&key_attributes, buffer, len, &keypair_handle);
	if (status != PSA_SUCCESS) {
		LOG_INF("psa_import_key failed! (Error: %d)", status);
		return STATUS_ERROR;
	}

	/* Export the public key */
	status = psa_export_public_key(keypair_handle, m_pub_key, sizeof(m_pub_key), &olen);
	if (status != PSA_SUCCESS) {
		LOG_INF("psa_export_public_key failed! (Error: %d)", status);
		return STATUS_ERROR;
	}
	// PRINT_HEX("Second (exported) public key", m_pub_key, sizeof(m_pub_key));

	/* After the key handle is acquired the attributes are not needed */
	psa_reset_key_attributes(&key_attributes);

	return STATUS_OK;
}
I also tested some variations here (for example, I added the 'PSA_KEY_USAGE_EXPORT' flag due to an answer in the forum; this was not necessary in SDK 2.3.0).
I was not able to find any solution, although I searched for a long time in the changelogs and in the forum, so I hope for some useful input...
Thank you, best regards,
Bernhard
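
A pre-import sanity check for the buffer handed to psa_import_key, added here as an example and not part of the original post or the SDK: the PSA Crypto API specifies the RSA key-pair import format as a DER-encoded PKCS#1 RSAPrivateKey, so this helper tells that apart from a PKCS#8 wrapper or undecoded text and returns the modulus size to compare with the value given to psa_set_key_bits. The names rsa_der_modulus_bits, der_len, RSA_DER_BAD, RSA_DER_PKCS8 and both sample arrays are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define RSA_DER_BAD   (-1) /* not a DER RSAPrivateKey (PEM text, truncated, ...) */
#define RSA_DER_PKCS8 (-2) /* PKCS#8 PrivateKeyInfo wrapper, not bare PKCS#1 */

/* Constructed samples, not real keys: a toy RSAPrivateKey prefix with the
 * 16-bit modulus 0xC53B, and the start of a PKCS#8 rsaEncryption header. */
const uint8_t sample_pkcs1[] = {0x30, 0x0B, 0x02, 0x01, 0x00,
	0x02, 0x03, 0x00, 0xC5, 0x3B, 0x02, 0x01, 0x03};
const uint8_t sample_pkcs8[] = {0x30, 0x12, 0x02, 0x01, 0x00, 0x30, 0x0D, 0x06, 0x09,
	0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00};

/* Read a DER length at buf[*pos]; 0 on success, -1 if malformed. */
static int der_len(const uint8_t *buf, size_t n, size_t *pos, size_t *len)
{
	if (*pos >= n) return -1;
	uint8_t b = buf[(*pos)++];
	if (b < 0x80) { *len = b; return 0; }       /* short form */
	size_t cnt = b & 0x7F;                       /* long form: cnt length bytes */
	if (cnt == 0 || cnt > 2 || n - *pos < cnt) return -1;
	*len = 0;
	while (cnt--) *len = (*len << 8) | buf[(*pos)++];
	return 0;
}

/* Modulus size in bits for a PKCS#1 RSAPrivateKey, else a negative code. */
int rsa_der_modulus_bits(const uint8_t *buf, size_t n)
{
	size_t pos = 0, len;

	/* Outer SEQUENCE must fit inside the decoded buffer */
	if (n < 2 || buf[pos++] != 0x30 || der_len(buf, n, &pos, &len) || len > n - pos)
		return RSA_DER_BAD;
	/* version INTEGER 0 */
	if (n - pos < 4 || buf[pos] != 0x02 || buf[pos + 1] != 0x01 || buf[pos + 2] != 0x00)
		return RSA_DER_BAD;
	pos += 3;
	if (buf[pos] == 0x30) return RSA_DER_PKCS8;  /* AlgorithmIdentifier follows */
	if (buf[pos++] != 0x02 || der_len(buf, n, &pos, &len) || len > n - pos)
		return RSA_DER_BAD;
	while (len > 0 && buf[pos] == 0x00) { pos++; len--; } /* skip sign padding */
	if (len == 0) return RSA_DER_BAD;
	int bits = (int)(len * 8);
	for (uint8_t top = buf[pos]; !(top & 0x80); top <<= 1) bits--;
	return bits;
}
```

Called on the decoded `buffer` and `len` right after base64_decode, the return value can be logged next to RSA_KEY_BITS before the import is attempted.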