PSA import key / sign hash not working after SDK update

Hello,

I am currently updating from SDK v2.3.0 to v2.5.2, but I am not able to get the 'psa' functions working correctly (as they did with previous SDKs).

I am trying to import a private key. With the Oberon driver I get the error -134 = PSA_ERROR_NOT_SUPPORTED;
with the cc3xx driver the import itself is working, but the next operations (psa_export_public_key and/or psa_sign_hash) fail with error -147 = PSA_ERROR_HARDWARE_FAILURE.

The problem seems similar to:
     nRF9160 RSA crypto changes from v2.3.0 to v2.4.0 SHA-1 signing
(I was also able to get error 135 in some cases), but the solution (to use CONFIG_PSA_CORE_BUILTIN=y) was removed in SDK v2.5.2.

Initially I also thought it was because of the usage of a 512-bit key, which according to the answer above and to
    https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.4.1/nrfxlib/crypto/doc/nrf_oberon.html
is not supported anymore, so we specifically changed our server to 2048 bit, but the results stayed the same.

I have experimented with variations of the following settings, but no combination was working:

CONFIG_CRYPTO=y
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR=y
CONFIG_PSA_WANT_ALG_SHA_256=y
CONFIG_PSA_WANT_RSA_KEY_SIZE_2048=y

CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y

I am testing with the following code:

/* Assumed context, not shown in the original post: the PSA API, Zephyr's base64 and
 * logging headers, and the globals/macros the function uses. STATUS_CODE, STATUS_OK,
 * STATUS_ERROR, PRINT_HEX and the LOG module registration are the project's own. */
#include <string.h>
#include <psa/crypto.h>
#include <zephyr/sys/base64.h>
#include <zephyr/logging/log.h>

#define RSA_KEY_BITS 2048                       /* must match the modulus size of the imported key */
static psa_key_id_t keypair_handle;             /* volatile key, valid until psa_destroy_key() */
static uint8_t m_pub_key[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
extern const char CONF_API_PRIVATE_KEY[];       /* base64-encoded DER private key, defined elsewhere */

STATUS_CODE rsa_import_prv_key(void)
{
	psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
	psa_status_t status;
	size_t olen;
	int rc;
	unsigned char buffer[2048];   /* decoded DER key; wiped once the PSA core has its own copy */
	size_t len;

	/* Configure the key attributes */
	psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_EXPORT);
	psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE);
	psa_set_key_algorithm(&key_attributes, PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256));
	psa_set_key_type(&key_attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
	psa_set_key_bits(&key_attributes, RSA_KEY_BITS);

	/* Decode the base64 key into DER; the decoded length (len), not sizeof(buffer),
	 * is what psa_import_key() receives */
	rc = base64_decode(buffer, sizeof(buffer), &len, (const uint8_t *)CONF_API_PRIVATE_KEY,
			   strlen(CONF_API_PRIVATE_KEY));
	if (rc != 0) {
		LOG_ERR("Base64 decode error: %d", rc);
		psa_reset_key_attributes(&key_attributes);
		return STATUS_ERROR;      /* original code carried on here with an undefined len */
	}

//	PRINT_HEX("Base64 decoded", buffer, len);

	status = psa_import_key(&key_attributes, buffer, len, &keypair_handle);

	/* After the key handle is acquired (or import fails) neither the attributes nor the
	 * plaintext copy of the key are needed any more */
	psa_reset_key_attributes(&key_attributes);
	memset(buffer, 0, sizeof(buffer));
	if (status != PSA_SUCCESS) {
		LOG_INF("psa_import_key failed! (Error: %d)", status);
		return STATUS_ERROR;
	}

	/* Export the public key */
	status = psa_export_public_key(keypair_handle, m_pub_key, sizeof(m_pub_key), &olen);
	if (status != PSA_SUCCESS) {
		LOG_INF("psa_export_public_key failed! (Error: %d)", status);
		return STATUS_ERROR;
	}

//	PRINT_HEX("Second (exported) public key", m_pub_key, olen);

	return STATUS_OK;
}

I also tested some variations here (for example, I added the 'PSA_KEY_USAGE_EXPORT' flag because of an answer in the forum; this was not necessary in SDK v2.3.0).

I was not able to find any solution, although I searched for a long time in the changelogs and in the forum, so I hope for some useful input...

Thank you, best regards,
Bernhard
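One thing worth ruling out before blaming a driver for PSA_ERROR_NOT_SUPPORTED or a failed export/sign is the blob that is actually handed to psa_import_key(): for PSA_KEY_TYPE_RSA_KEY_PAIR the PSA API expects the DER-encoded PKCS#1 RSAPrivateKey structure (what a "BEGIN RSA PRIVATE KEY" PEM carries), not the PKCS#8 PrivateKeyInfo wrapper behind "BEGIN PRIVATE KEY", and a non-zero value given to psa_set_key_bits() has to agree with the modulus actually present in the data. The check below is an added example, not code from the post or from the nRF Connect SDK: it walks the first two DER elements of the decoded buffer, tells the two formats apart, and compares the modulus bit length with the value you intend to set. The sample blobs are constructed test data (just the head of each structure with a dummy 2048-bit modulus), not real keys.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Outcome of checking a decoded key blob before psa_import_key(). */
typedef enum {
	RSA_BLOB_OK = 0,        /* PKCS#1 RSAPrivateKey whose modulus size matches expected_bits */
	RSA_BLOB_MALFORMED,     /* not well-formed DER, or truncated */
	RSA_BLOB_NOT_PKCS1,     /* DER, but not SEQUENCE { INTEGER version, INTEGER n, ... } */
	RSA_BLOB_PKCS8_WRAPPED, /* PrivateKeyInfo ("BEGIN PRIVATE KEY"): unwrap before import */
	RSA_BLOB_SIZE_MISMATCH  /* modulus bit length differs from expected_bits */
} rsa_blob_result_t;

/* Read one DER tag/length header at *pos and advance past it. Returns 0 on success. */
static int der_read_header(const uint8_t *buf, size_t len, size_t *pos,
			   uint8_t *tag, size_t *clen)
{
	size_t l;
	if (*pos >= len || len - *pos < 2)
		return -1;
	*tag = buf[(*pos)++];
	l = buf[(*pos)++];
	if (l >= 0x80) {                /* long form: low 7 bits = number of length bytes */
		unsigned nbytes = (unsigned)(l & 0x7f);
		if (nbytes == 0 || nbytes > 4 || nbytes > len - *pos)
			return -1;
		for (l = 0; nbytes > 0; nbytes--)
			l = (l << 8) | buf[(*pos)++];
	}
	if (l > len - *pos)             /* content must lie inside the buffer */
		return -1;
	*clen = l;
	return 0;
}

/* Classify the blob; expected_bits is the value you intend to pass to
 * psa_set_key_bits() (0 skips the size comparison). */
rsa_blob_result_t rsa_blob_check(const uint8_t *buf, size_t len, size_t expected_bits)
{
	size_t pos = 0, clen, end, bits;
	const uint8_t *n;
	uint8_t tag;
	unsigned top;

	/* RSAPrivateKey ::= SEQUENCE { version INTEGER, modulus INTEGER, ... } */
	if (der_read_header(buf, len, &pos, &tag, &clen) != 0 || tag != 0x30)
		return RSA_BLOB_MALFORMED;
	end = pos + clen;
	if (der_read_header(buf, end, &pos, &tag, &clen) != 0 || tag != 0x02)
		return RSA_BLOB_MALFORMED;
	pos += clen;                    /* skip version; PKCS#8 PrivateKeyInfo starts the same way */

	/* The second element tells the formats apart: INTEGER n in PKCS#1,
	 * SEQUENCE AlgorithmIdentifier in PKCS#8. */
	if (der_read_header(buf, end, &pos, &tag, &clen) != 0)
		return RSA_BLOB_MALFORMED;
	if (tag == 0x30)
		return RSA_BLOB_PKCS8_WRAPPED;
	if (tag != 0x02)
		return RSA_BLOB_NOT_PKCS1;

	/* DER prepends 0x00 to keep a positive INTEGER positive; it is not part of the size. */
	n = buf + pos;
	while (clen > 0 && *n == 0x00) { n++; clen--; }
	if (clen == 0)
		return RSA_BLOB_NOT_PKCS1;
	for (bits = (clen - 1) * 8, top = n[0]; top != 0; top >>= 1)
		bits++;
	if (expected_bits != 0 && bits != expected_bits)
		return RSA_BLOB_SIZE_MISMATCH;
	return RSA_BLOB_OK;
}

/* Constructed test inputs, NOT real keys. pkcs8 == 0: head of a PKCS#1 RSAPrivateKey with a
 * 2048-bit modulus (0x80 then 255 zero bytes), later INTEGERs omitted. pkcs8 != 0: head of a
 * PKCS#8 PrivateKeyInfo (version 0, AlgorithmIdentifier rsaEncryption), OCTET STRING omitted. */
size_t sample_head(int pkcs8, uint8_t *out, size_t cap)
{
	static const uint8_t p1[] = {
		0x30, 0x82, 0x01, 0x08,       /* SEQUENCE, 264 content bytes */
		0x02, 0x01, 0x00,             /* INTEGER version = 0 */
		0x02, 0x82, 0x01, 0x01,       /* INTEGER n, 257 content bytes */
		0x00, 0x80,                   /* sign pad, then top byte of n */
	};
	static const uint8_t p8[] = {
		0x30, 0x12, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09,
		0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
	};
	size_t total = pkcs8 ? sizeof(p8) : sizeof(p1) + 255;
	if (cap < total)
		return 0;
	if (pkcs8) {
		memcpy(out, p8, sizeof(p8));
	} else {
		memcpy(out, p1, sizeof(p1));
		memset(out + sizeof(p1), 0x00, 255);  /* remainder of the dummy 2048-bit modulus */
	}
	return total;
}
```

Call rsa_blob_check(buffer, len, RSA_KEY_BITS) on the base64-decoded buffer right before psa_import_key(): RSA_BLOB_PKCS8_WRAPPED means the PEM was converted from the wrong container and needs the RSAPrivateKey extracted from its OCTET STRING first, while RSA_BLOB_SIZE_MISMATCH means the key on the device and the value in psa_set_key_bits() disagree, which the PSA core rejects regardless of driver.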
