psa_generate_key failed with error (-134)

When running the ECDSA Example from Nordic, the keys are generated successfully. But when I add the code for generating CSR, it fails with the error code -134, which by my knowledge is PSA_ERROR_NOT_SUPPORTED. Requesting help with this issue.

Using NRF Connect v2.6.1 and board nrf5340 in secure environment.

And my code is:

  • Hello,

    With regard to CSR, I can't find that we have a specific sample. For more information, you can look at this discussion, and this link for a list of steps. I also suggest looking at some similar cases, as they may be relevant:

    https://devzone.nordicsemi.com/f/nordic-q-a/98100/psa_generate_key-returns-error--134?ReplyFilter=Answers&ReplySortBy=Answers&ReplySortOrder=Descending 

    Kenneth

  • I have followed the same steps as mentioned in the link. The code also builds well. The problem is that the psa_generate_key function is returning an error. My problem is similar to this question link. The nrf5340 is able to generate keys with the sample code, but after I add certain configurations to my config file, it still builds but the board is not able to generate keys and throws error -134.

  • Mbedtls - Using keys handled by PSA Crypto

    It is possible based on this ticket. I have tried to build my code around it, which helped me build successfully, but my code is dependent on MBEDTLS_USE_LEGACY_CRYPTO_C. I have tested that whenever I enable this, key generation fails.

  • There has to be a workaround as it was possible here 

     Mbedtls - Using keys handled by PSA Crypto 

    I have followed this as much as possible, but I am not able to get rid of my code's dependency on MBEDTLS_USE_LEGACY_CRYPTO_C, which causes key generation to fail whenever enabled.

  • Hi,

    It is certainly possible and we are working to support it. But it requires quite a bit of changes to do properly, and not just a small workaround (it is not a bug). I cannot make any promises, but we hope to have it in the next nRF Connect SDK release.

    From what I can see, the customer who reported that he got it working in the other thread did not share the details, but it could be worth asking if he can share the full set of changes he made to get it working.

  • Yes, I can confirm we have exactly the same problem - flags that allow x509 functions to be built and exported also disable psa_* functionality.

  • Thank you for your quick and useful replies, I really appreciate it. 

    As for CSR vs PSA support, it would be nice to have it working as soon as possible, but I understand it's not an easy task - I guess we will just for now stick with generating keys outside of the nrf sdk mbedtls implementation so we can at least somehow get this (generating CSRs) working.

    I know it's hard, but can you at least roughly tell when you expect this support to be implemented? From your github, it looks like minor SDK releases come every 3 or 4 months.
