Hello~
I am developing for the nRF52840 with the Zephyr-based nRF Connect SDK (toolchain v2.7.0, SDK v2.6.1).
What we need is to generate RSA key pairs, send the public key to the app so that it can encrypt data, and have the app send the encrypted data back.
As the first step, we need to generate the RSA key pair.
I found this example code in the Nordic Q&A:
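#include <zephyr/kernel.h>
#include <zephyr/sys/printk.h>
#include <zephyr/logging/log.h>
#include <stdio.h>
#include <stdlib.h>
#include <psa/crypto.h>
#include <psa/crypto_extra.h>

#ifdef CONFIG_BUILD_WITH_TFM
#include <tfm_ns_interface.h>
#endif

/* Key id the test generates its key under; the lowest application key id. */
#define SAMPLE_PERS_KEY_ID PSA_KEY_ID_USER_MIN

/*
 * Key sizes requested by the test. Each size must also be enabled in the
 * build configuration (CONFIG_PSA_WANT_RSA_KEY_SIZE_* for RSA), otherwise
 * psa_generate_key() reports PSA_ERROR_NOT_SUPPORTED (-134).
 *
 * NOTE(review): 1024-bit RSA is well below the 2048-bit minimum in current
 * guidance. It is kept here only because it is what the sample requested;
 * pick a larger size before protecting real data.
 */
enum {
    SAMPLE_RSA_KEY_BITS = 1024,
    SAMPLE_ECC_KEY_BITS = 256,
};

/**
 * Generate an RSA or ECC key pair under SAMPLE_PERS_KEY_ID and print the result.
 *
 * Any key already stored under that id is destroyed first.
 *
 * @param isRSA Non-zero: RSA key pair for PKCS#1 v1.5 encryption.
 *              Zero: secp256r1 key pair for ECDSA.
 * @return 0 on success, otherwise the status returned by psa_generate_key().
 */
int testRSAvsECCstored(int isRSA)
{
    psa_status_t status;
    psa_key_handle_t key_handle;
    psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
    int rc = 0;

    printk("Destroy old key stored key on %d before test isRSA=%d\n", SAMPLE_PERS_KEY_ID, isRSA);
    /*
     * Best effort: when no key exists under this id the call fails with
     * PSA_ERROR_INVALID_HANDLE (-136), which is harmless here.
     */
    status = psa_destroy_key(SAMPLE_PERS_KEY_ID);
    printk("psa_destroy_key returns %d\n", (int)status);

    /*
     * The original requested PSA_KEY_LIFETIME_VOLATILE and then set a key id.
     * Per the PSA Crypto API, psa_set_key_id() on a volatile attribute set
     * switches the lifetime to persistent, so the key was persistent all
     * along. Say so explicitly. A persistent key needs a PSA storage backend
     * in the build; for a throw-away key, use PSA_KEY_LIFETIME_VOLATILE and
     * do not call psa_set_key_id().
     */
    psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_PERSISTENT);
    psa_set_key_id(&key_attributes, SAMPLE_PERS_KEY_ID);

    if (isRSA) {
        /*
         * NOTE(review): PKCS#1 v1.5 encryption is exposed to padding-oracle
         * attacks when a sender can tell decryption failures apart.
         * PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256) is the usual choice for new
         * designs. Whichever algorithm is used must be enabled through its
         * PSA_WANT option in prj.conf.
         */
        psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
        psa_set_key_algorithm(&key_attributes, PSA_ALG_RSA_PKCS1V15_CRYPT);
        psa_set_key_type(&key_attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
        psa_set_key_bits(&key_attributes, SAMPLE_RSA_KEY_BITS);
    } else {
        /*
         * An ECDSA key signs and verifies; the ENCRYPT/DECRYPT usage the
         * original set would leave the key with no permitted operation.
         * For key agreement use PSA_ALG_ECDH with PSA_KEY_USAGE_DERIVE.
         */
        psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH);
        psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDSA_ANY);
        psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
        psa_set_key_bits(&key_attributes, SAMPLE_ECC_KEY_BITS);
    }

    status = psa_generate_key(&key_attributes, &key_handle);
    if (status != PSA_SUCCESS) {
        /* Trailing newline added so the next log line does not run on. */
        printk("psa_generate_key failed! isRSA=%d (Error: %d)\n", isRSA, (int)status);
        rc = status;
    } else {
        /*
         * The public half can be read with psa_export_public_key(); that
         * call does not need PSA_KEY_USAGE_EXPORT, so the private key stays
         * non-exportable.
         */
        printk("SUCCESS key handle is %d\n", key_handle);
    }

    /* Reset on both paths so the attribute structure is never left populated. */
    psa_reset_key_attributes(&key_attributes);
    return rc;
}

/*
 * Entry point: initialise PSA Crypto, then run the RSA and ECC tests.
 * NOTE(review): recent Zephyr releases expect `int main(void)`; the
 * signature is left as posted.
 */
void main(void)
{
#ifdef CONFIG_BUILD_WITH_TFM
    printk("Built with TFM\n");
#else
    printk("NOT with TFM\n");
#endif

    int status = psa_crypto_init();

    printk("crypto_init returns: %d\n", status);
    if (status != PSA_SUCCESS) {
        /* No PSA call can succeed without a working crypto subsystem. */
        return;
    }

    printk("\n--------------- RSA TEST ---------------\n");
    (void)testRSAvsECCstored(1);

    printk("\n--------------- ECC TEST ---------------\n");
    (void)testRSAvsECCstored(0);
}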
and prj.conf is:
# NOTE(review): this looks like two configurations pasted one after the other;
# the stack, heap, console, log and Mbed TLS heap symbols are each assigned
# twice. Check build/zephyr/.config to see which values the build really used.
CONFIG_MAIN_STACK_SIZE=16384
CONFIG_HEAP_MEM_POOL_SIZE=16384

# Enable logging
CONFIG_CONSOLE=y
CONFIG_LOG=y

# Enable nordic security backend and PSA APIs
# NOTE(review): the editor reports this symbol resolving to n (missing
# dependency SOC_FAMILY_NRF). If that also holds for the real build, the PSA
# options below may not take effect - confirm in the generated .config.
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y

# Mbedtls configuration
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=16384

# NOTE(review): only the PKCS#1 v1.5 *signature* algorithm is enabled here,
# while the C sample requests PSA_ALG_RSA_PKCS1V15_CRYPT. No ECC or ECDSA
# option is enabled either, although the sample also generates a secp256r1
# key. Both gaps are consistent with psa_generate_key() returning -134
# (PSA_ERROR_NOT_SUPPORTED).
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR=y
CONFIG_PSA_WANT_ALG_SHA_256=y

# This sample's source code explicitly uses an RSA key size of 4096
# NOTE(review): the C code posted with this file requests 1024 bits, not 4096,
# so the size enabled here does not match the size being generated.
CONFIG_PSA_WANT_RSA_KEY_SIZE_4096=y

CONFIG_SYS_CLOCK_TICKS_PER_SEC=1000

CONFIG_MAIN_STACK_SIZE=16384
CONFIG_HEAP_MEM_POOL_SIZE=16384

# Enable logging using RTT and UART
CONFIG_CONSOLE=y
CONFIG_LOG=y
CONFIG_USE_SEGGER_RTT=y
CONFIG_LOG_BACKEND_RTT=y
CONFIG_LOG_BACKEND_UART=y
CONFIG_LOG_BUFFER_SIZE=15360
CONFIG_SEGGER_RTT_BUFFER_SIZE_UP=15360

## Enable nordic security backend and PSA APIs
CONFIG_MBEDTLS_LIBRARY_NRF_SECURITY=y
CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
# NOTE(review): the boot log prints "NOT with TFM", so this assignment did not
# take effect in the image that ran - presumably TF-M is not available for the
# selected board target; confirm.
CONFIG_BUILD_WITH_TFM=y

# Enable persistent storage APIs
# NOTE(review): the sample sets a key id, which makes the key persistent, so
# key generation depends on a working storage backend - verify that this
# option is active in the generated .config.
CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y

# Mbedtls configuration
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=16384
CONFIG_MBEDTLS_PK_WRITE_C=y
CONFIG_MBEDTLS_PKCS1_V15=y
But when I run this code on the nRF52840 development board, I get these error messages:
*** Booting nRF Connect SDK 3758bcbfa5cd *** NOT with TFM crypto_init returns: 0 --------------- RSA TEST --------------- Destroy old key stored key on 1 before test isRSA=1 psa_destroy_key returns -136 psa_generate_key failed! isRSA=1 (Error: -134) --------------- ECC TEST --------------- Destroy old key stored key on 1 before test isRSA=0 psa_destroy_key returns -136 psa_generate_key failed! isRSA=0 (Error: -134)
Also, in prj.conf, there is a yellow wavy underline beneath this line:
CONFIG_NRF_SECURITY=y
It says: CONFIG_NRF_SECURITY was assigned the value y, but got the value n. Missing dependencies:
SOC_FAMILY_NRF
SOC_FAMILY_NRF
But I did select a Nordic SoC when creating the build configuration, so why is SOC_FAMILY_NRF missing?
Would you please show me the correct code and the correct settings?