How to do key derivation with PBKDF2 with HMAC with ARM PSA Cryptohttps://devzone.nordicsemi.com/f/nordic-q-a/109870/how-to-do-key-derivation-with-pbkdf2-with-hmac-with-arm-psa-cryptoMy project requires PBKDF2 with HMAC for key derivation. The new default setting for the Thread in Connect SDK is CONFIG_OPENTHREAD_NRF_SECURITY_PSA =y This apparently deactivated the mbedtls library. How can I do the equivalent of mbedtls_pkcs5_pbkdf2_hmac_exten-USTelligent Community 13Wed, 03 Apr 2024 11:25:44 GMTRE: How to do key derivation with PBKDF2 with HMAC with ARM PSA Cryptohttps://devzone.nordicsemi.com/thread/476848?ContentTypeID=1Wed, 03 Apr 2024 11:25:44 GMT137ad170-7792-4731-bb38-c0d22fbe4515:51c12881-ca80-4176-a701-aca8bac9d32dHieu<p>Hi Max,</p> <p>It looks like you haven&#39;t setup the key correctly and haven&#39;t imported it yet.</p> <p>Error 137 is <a href="https://arm-software.github.io/psa-api/crypto/1.1/api/library/status.html">PSA_ERROR_BAD_STATE</a>, and the documentation for <a href="https://arm-software.github.io/psa-api/crypto/1.1/api/ops/kdf.html#c.psa_key_derivation_output_key">psa_key_derivation_output_key()</a>&nbsp;suggests it could be that issue.</p> <p>Could you please refer to this documentation and see if it helps?<br /><a href="https://mbed-tls.readthedocs.io/en/latest/getting_started/psa/#deriving-a-new-key-from-an-existing-key">https://mbed-tls.readthedocs.io/en/latest/getting_started/psa/#deriving-a-new-key-from-an-existing-key</a>.</p> <p>Hieu</p><div style="clear:both;"></div>RE: How to do key derivation with PBKDF2 with HMAC with ARM PSA Cryptohttps://devzone.nordicsemi.com/thread/476708?ContentTypeID=1Tue, 02 Apr 2024 22:26:26 GMT137ad170-7792-4731-bb38-c0d22fbe4515:f60e3f62-6d2c-496b-81ef-00c89fc61494Max Peter<div> <div> <div> <div><span>I tried following the ARM Crypto API documentation:&nbsp;<a href="https://arm-software.github.io/psa-api/crypto/1.2/api/ops/kdf.html#c.PSA_ALG_PBKDF2_HMAC"><br />https://arm-software.github.io/psa-api/crypto/1.2/api/ops/kdf.html#c.PSA_ALG_PBKDF2_HMAC<br /></a><br />Still failing with &quot;psa_key_derivation_output_key failed! (Error: -137)&quot;<br />(code tested inside Thread CLI sample)<br /><br />Am I missing am Kconfig setting?<br />Notably,&nbsp;CONFIG_PSA_WANT_ALG_PBKDF2_HMAC cannot be set in prj.conf (unknown symbol) and setting it in later in build/zephyr/.config with nRF Kconfig GUI didn&#39;t help either.<br /><br /></span></div> <div><span></span></div> </div> </div> <div> <div> <div><span>#include</span><span> </span><span>&lt;psa/crypto.h&gt;</span></div> <div><span>#include</span><span> </span><span><span>&lt;psa/crypto_extra.h&gt;<br /><br /></span></span> <div> <div><span>#define</span><span> </span><span>PRINT_HEX</span><span>(</span><span>p_label</span><span>, </span><span>p_text</span><span>, </span><span>len</span><span>)</span><span>\</span></div> <div><span>&nbsp; &nbsp; ({</span><span>\</span></div> <div><span>&nbsp; &nbsp; &nbsp; &nbsp; </span><span>LOG_INF</span><span>(</span><span>&quot;---- </span><span>%s</span><span> (len: </span><span>%u</span><span>): ----&quot;</span><span>, p_label, len);</span><span>\</span></div> <div><span>&nbsp; &nbsp; &nbsp; &nbsp; </span><span>LOG_HEXDUMP_INF</span><span>(p_text, len, </span><span>&quot;Content:&quot;</span><span>);</span><span>\</span></div> <div><span>&nbsp; &nbsp; &nbsp; &nbsp; </span><span>LOG_INF</span><span>(</span><span>&quot;---- </span><span>%s</span><span> end &nbsp;----&quot;</span><span>, p_label);</span><span>\</span></div> <div><span>&nbsp; &nbsp; })</span></div> </div> </div> </div> </div> <div><span>void</span><span> </span><span>testPBKDF</span><span>()</span></div> <div><span>{</span></div> <div><span>&nbsp; &nbsp; </span><span>const</span><span> </span><span>uint8_t</span><span> </span><span>password</span><span>[]</span><span> </span><span>=</span><span> </span><span>&quot;my_secret_password&quot;</span><span>;</span></div> <div><span>&nbsp; &nbsp; </span><span>const</span><span> </span><span>size_t</span><span> </span><span>password_length</span><span> </span><span>=</span><span> </span><span>sizeof</span><span>(</span><span>password</span><span>) </span><span>-</span><span> </span><span>1</span><span>;</span></div> <div><span>&nbsp; &nbsp; </span><span>const</span><span> </span><span>uint8_t</span><span> </span><span>salt</span><span>[]</span><span> </span><span>=</span><span> { </span><span>0x12</span><span>, </span><span>0x34</span><span>, </span><span>0x56</span><span>, </span><span>0x78</span><span> };</span></div> <div><span>&nbsp; &nbsp; </span><span>const</span><span> </span><span>size_t</span><span> </span><span>salt_length</span><span> </span><span>=</span><span> </span><span>sizeof</span><span>(</span><span>salt</span><span>);</span></div> <div><span>&nbsp; &nbsp; </span><span>const</span><span> </span><span>size_t</span><span> </span><span>iteration_count</span><span> </span><span>=</span><span> </span><span>1000</span><span>;</span><span>&nbsp;</span></div> <div><span>&nbsp; &nbsp; </span><span>const</span><span> </span><span>size_t</span><span> </span><span>key_length</span><span> </span><span>=</span><span> </span><span>32</span><span>;</span><span> // Desired key length in bytes</span></div> <div><span>&nbsp; &nbsp; </span><span>uint8_t</span><span> </span><span>key</span><span>[</span><span>32</span><span>];</span></div> <br /> <div><span>&nbsp; &nbsp; </span><span>psa_status_t</span><span> </span><span>status</span><span>;</span></div> <div><span>&nbsp; &nbsp; </span><span>psa_key_attributes_t</span><span> </span><span>key_attributes</span><span> </span><span>=</span><span> </span><span>PSA_KEY_ATTRIBUTES_INIT</span><span>;</span></div> <div><span>&nbsp; &nbsp; </span><span>psa_key_id_t</span><span> </span><span>output_key_id</span><span>;</span></div> <div><span>&nbsp; &nbsp; </span><span>size_t</span><span> </span><span>olen</span><span>;</span></div> <br /> <div><span>&nbsp; &nbsp; /* Initialize PSA Crypto */</span></div> <div><span>&nbsp; &nbsp; </span><span>status</span><span> </span><span>=</span><span> </span><span>psa_crypto_init</span><span>();</span></div> <div><span>&nbsp; &nbsp; </span><span>if</span><span>(</span><span>status</span><span> </span><span>!=</span><span> </span><span>PSA_SUCCESS</span><span>) </span><span>goto</span><span> </span><span>error</span><span>;</span></div> <br /> <div><span>&nbsp; &nbsp; </span><span>psa_key_derivation_operation_t</span><span> </span><span>operation</span><span> </span><span>=</span><span> </span><span>PSA_KEY_DERIVATION_OPERATION_INIT</span><span>;</span></div> <div><span>&nbsp; &nbsp; </span><span>psa_set_key_lifetime</span><span>(</span><span>&amp;</span><span>key_attributes</span><span>, </span><span>PSA_KEY_LIFETIME_VOLATILE</span><span>);</span></div> <div><span>&nbsp; &nbsp; </span><span>psa_set_key_type</span><span>(</span><span>&amp;</span><span>key_attributes</span><span>, </span><span>PSA_KEY_TYPE_RAW_DATA</span><span>);</span></div> <div><span>&nbsp; &nbsp; </span><span>psa_set_key_usage_flags</span><span>(</span><span>&amp;</span><span>key_attributes</span><span>, </span><span>PSA_KEY_USAGE_EXPORT</span><span>);</span><span> /* DONT USE IN PRODUCTION */</span></div> <div><span>&nbsp; &nbsp; </span><span>psa_set_key_bits</span><span>(</span><span>&amp;</span><span>key_attributes</span><span>, </span><span>key_length</span><span> </span><span>*</span><span> </span><span>8</span><span>);</span></div> <br /> <div><span>&nbsp; &nbsp; /* Set the derivation algorithm */</span></div> <div><span>&nbsp; &nbsp; </span><span>status</span><span> </span><span>=</span><span> </span><span>psa_key_derivation_setup</span><span>(</span><span>&amp;</span><span>operation</span><span>, </span><span>PSA_ALG_PBKDF2_HMAC</span><span>(</span><span>PSA_ALG_SHA_256</span><span>)); </span></div> <br /> <div><span>&nbsp; &nbsp; </span><span>if</span><span> (</span><span>status</span><span> </span><span>!=</span><span> </span><span>PSA_SUCCESS</span><span>) { </span><span>LOG_INF</span><span>(</span><span>&quot;psa_key_derivation_setup failed! (Error: </span><span>%d</span><span>)&quot;</span><span>, </span><span>status</span><span>);</span></div> <div><span>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</span><span>goto</span><span> </span><span>error</span><span>; }</span></div> <br /> <div><span>&nbsp; &nbsp; </span><span>status</span><span> </span><span>=</span><span> </span><span>psa_key_derivation_input_integer</span><span>(</span><span>&amp;</span><span>operation</span><span>, </span><span>PSA_KEY_DERIVATION_INPUT_COST</span><span>, </span><span>iteration_count</span><span>);</span></div> <br /> <div><span>&nbsp; &nbsp; </span><span>if</span><span> (</span><span>status</span><span> </span><span>!=</span><span> </span><span>PSA_SUCCESS</span><span>) { </span><span>LOG_INF</span><span>(</span><span>&quot;psa_key_derivation_input_integer failed! (Error: </span><span>%d</span><span>)&quot;</span><span>, </span><span>status</span><span>);</span></div> <div><span>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</span><span>goto</span><span> </span><span>error</span><span>; }</span></div> <br /> <div><span>&nbsp; &nbsp; /* Set the salt for the operation */</span></div> <div><span>&nbsp; &nbsp; </span><span>status</span><span> </span><span>=</span><span> </span><span>psa_key_derivation_input_bytes</span><span>(</span><span>&amp;</span><span>operation</span><span>, </span><span>PSA_KEY_DERIVATION_INPUT_SALT</span><span>, </span><span>salt</span><span>, </span><span>salt_length</span><span>);</span></div> <br /> <div><span>&nbsp; &nbsp; </span><span>if</span><span> (</span><span>status</span><span> </span><span>!=</span><span> </span><span>PSA_SUCCESS</span><span>) { </span><span>LOG_INF</span><span>(</span><span>&quot;psa_key_derivation_input_bytes (salt) failed! (Error: </span><span>%d</span><span>)&quot;</span><span>, </span><span>status</span><span>);</span></div> <div><span>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</span><span>goto</span><span> </span><span>error</span><span>; }</span></div> <br /> <div><span>&nbsp; &nbsp; /* Set the password for the operation */</span></div> <div><span>&nbsp; &nbsp; </span><span>status</span><span> </span><span>=</span><span> </span><span>psa_key_derivation_input_bytes</span><span>(</span><span>&amp;</span><span>operation</span><span>, </span><span>PSA_KEY_DERIVATION_INPUT_SALT</span><span>, &nbsp;</span><span>password</span><span>, </span><span>password_length</span><span>);</span></div> <br /> <div><span>&nbsp; &nbsp; </span><span>if</span><span> (</span><span>status</span><span> </span><span>!=</span><span> </span><span>PSA_SUCCESS</span><span>) { </span><span>LOG_INF</span><span>(</span><span>&quot;psa_key_derivation_input_bytes (password) failed! (Error: </span><span>%d</span><span>)&quot;</span><span>, </span><span>status</span><span>);</span></div> <div><span>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</span><span>goto</span><span> </span><span>error</span><span>; }</span></div> <br /> <div><span>&nbsp; &nbsp; /* Store the derived key in the keystore slot pointed by out_key_id */</span></div> <div><span>&nbsp; &nbsp; </span><span>status</span><span> </span><span>=</span><span> </span><span>psa_key_derivation_output_key</span><span>(</span><span>&amp;</span><span>key_attributes</span><span>, </span><span>&amp;</span><span>operation</span><span>, </span><span>&amp;</span><span>output_key_id</span><span>);</span></div> <br /> <div><span>&nbsp; &nbsp; </span><span>if</span><span> (</span><span>status</span><span> </span><span>!=</span><span> </span><span>PSA_SUCCESS</span><span>) { </span><span>LOG_INF</span><span>(</span><span>&quot;psa_key_derivation_output_key failed! (Error: </span><span>%d</span><span>)&quot;</span><span>, </span><span>status</span><span>);</span></div> <div><span>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</span><span>goto</span><span> </span><span>error</span><span>; }</span></div> <br /> <div><span>&nbsp; &nbsp; /* Clean up the context */</span></div> <div><span>&nbsp; &nbsp; </span><span>status</span><span> </span><span>=</span><span> </span><span>psa_key_derivation_abort</span><span>(</span><span>&amp;</span><span>operation</span><span>);</span></div> <br /> <div><span>&nbsp; &nbsp; </span><span>if</span><span> (</span><span>status</span><span> </span><span>!=</span><span> </span><span>PSA_SUCCESS</span><span>) { </span><span>LOG_INF</span><span>(</span><span>&quot;psa_key_derivation_abort failed! (Error: </span><span>%d</span><span>)&quot;</span><span>, </span><span>status</span><span>);</span></div> <div><span>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</span><span>goto</span><span> </span><span>error</span><span>; }</span></div> <br /> <div><span>&nbsp; &nbsp; </span><span>status</span><span> </span><span>=</span><span> </span><span>psa_export_key</span><span>(</span><span>output_key_id</span><span>, </span><span>key</span><span>, </span><span>key_length</span><span>, </span><span>&amp;</span><span>olen</span><span>);</span></div> <br /> <div><span>&nbsp; &nbsp; </span><span>if</span><span> (</span><span>status</span><span> </span><span>!=</span><span> </span><span>PSA_SUCCESS</span><span>) { </span><span>LOG_INF</span><span>(</span><span>&quot;psa_export_key failed! (Error: </span><span>%d</span><span>)&quot;</span><span>, </span><span>status</span><span>);</span></div> <div><span>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</span><span>goto</span><span> </span><span>error</span><span>; }</span></div> <br /> <div><span>&nbsp; &nbsp; </span><span>status</span><span> </span><span>=</span><span> </span><span>psa_destroy_key</span><span>(</span><span>output_key_id</span><span>);</span></div> <div><span>&nbsp; &nbsp; </span><span>if</span><span> (</span><span>status</span><span> </span><span>!=</span><span> </span><span>PSA_SUCCESS</span><span>) { </span><span>LOG_INF</span><span>(</span><span>&quot;psa_destroy_key failed! (Error: </span><span>%d</span><span>)&quot;</span><span>, </span><span>status</span><span>);</span></div> <div><span>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </span><span>goto</span><span> </span><span>error</span><span>; }</span></div> <br /> <div><span>&nbsp; &nbsp; </span><span>LOG_INF</span><span>(</span><span>&quot;Key derivation successful len=</span><span>%d</span><span>!&quot;</span><span>, </span><span>olen</span><span>);</span></div> <br /> <div><span>&nbsp; &nbsp; </span><span>PRINT_HEX</span><span>(</span><span>&quot;Output key&quot;</span><span>, </span><span>key</span><span>, </span><span>key_length</span><span>);</span></div> <br /> <div><span>&nbsp; &nbsp; </span><span>return</span><span>;</span></div> <br /> <div><span>error</span><span>:</span></div> <div><span>&nbsp; &nbsp; </span><span>LOG_INF</span><span>(</span><span>&quot;PSA Error </span><span>%d</span><span>&quot;</span><span>, </span><span>status</span><span>);</span></div> <div><span>}</span></div> </div><div style="clear:both;"></div>