Generate Keys with nrfutil

RE: Generate Keys with nrfutil

Vidar Berg — Wed, 24 Jul 2019 05:57:24 GMT

You can try to modify the full cc310 backend using the bl variant as a reference. Search for NRF_CRYPTO_BACKEND_CC310_BL_ECC_LITTLE_ENDIAN_ENABLED and NRF_CRYPTO_BACKEND_CC310_BL_HASH_LITTLE_ENDIAN_DIGEST_ENABLED in the bootloader backend.

RE: Generate Keys with nrfutil

yes — Mon, 22 Jul 2019 13:09:21 GMT

We intend to use nrfutil for signing data packet which can't be transffered over DFU

As mentioned above nrfutil generates little endian byte order pair key

It signs package using private key pem file

We can convert the pem format into hex format and swap key endianness but can't convert it back to pem format.

As mention above there is the flag NRF_CRYPTO_BACKEND_MICRO_ECC_LITTLE_ENDIAN_ENABLED but it only for CC310 boot loader mode

Is there a way to force CC310 backend (not BL mode) to use little endianness byte order?

Thanks in advance

RE: Generate Keys with nrfutil

Vidar Berg — Fri, 12 Jul 2019 12:41:10 GMT

[quote userid="71582" url="~/f/nordic-q-a/49550/generate-keys-with-nrfutil/198156"]Just to be sure I understand. The keys pairs which are generated by nrfutil should be used as is for signing sw if we use dfu but should be endianness reversed otherwise?[/quote]

Correct. I'm not sure why we are using a different byte order in the bootloader. Excerpt from sdk_config:

NRF_CRYPTO_BACKEND_MICRO_ECC_LITTLE_ENDIAN_ENABLED - Enable non-standard little endian byte order.

// <i> This affects parameters for all ECC API (raw keys, signature, digest, shared secret). Only for use in nRF SDK DFU!

[quote userid="71582" url="~/f/nordic-q-a/49550/generate-keys-with-nrfutil/198156"]Do we need to reverse endianness of both private and public keys?[/quote]

Yes.

[quote userid="71582" url="~/f/nordic-q-a/49550/generate-keys-with-nrfutil/198156"]For the public key (64 bytes) should we use double swap Nordic's function?[/quote]

It should work as long as you set the size to 32 bytes.

RE: Generate Keys with nrfutil

yes — Fri, 12 Jul 2019 12:09:56 GMT

Thanks for the answer.

Just to be sure I understand. The keys pairs which are generated by nrfutil should be used as is for signing sw if we use dfu but should be endianness reversed otherwise?

Do we need to reverse endianness of both private and public keys?

For the public key (64 bytes) should we use double swap Nordic's function?

Thanks in advance

RE: Generate Keys with nrfutil

Vidar Berg — Fri, 12 Jul 2019 11:32:29 GMT

Hi,

The key pair format (endianess) from nrfutil is made to be used with the bootloader. But you can make it work by reversing the endianess (32 bytes at a time). But I didn't manage to make it work with the key-pair you posted, maybe I copied it in wrong. In any case, here is my private key and converted arrays that I used to verify this here:

__ALIGN(4) static const uint8_t m_alice_raw_private_key[] =
{
    0x97, 0x36, 0x50, 0x4f, 0xda, 0x46, 0x8d, 0x57, 
    0x4e, 0xd2, 0xe3, 0x2d, 0x8a, 0xa3, 0x8a, 0x21, 
    0x99, 0x0f, 0x4f, 0xe1, 0xd6, 0x45, 0xbd, 0xc0, 
    0x58, 0x17, 0xf7, 0xe4, 0xc4, 0x26, 0x5f, 0xf5
};

__ALIGN(4) static const uint8_t m_alice_raw_public_key[] = 
{
    0x7e, 0x2e, 0x9d, 0xe0, 0x5a, 0x52, 0x1e, 0xfc, 
    0xe6, 0x2d, 0xd4, 0x9c, 0x26, 0xfb, 0x26, 0x5b, 
    0x8f, 0xdd, 0xf0, 0xef, 0xd2, 0x09, 0xe5, 0xce, 
    0xc7, 0x33, 0x44, 0x3f, 0xe5, 0x5e, 0x8c, 0x97,
    /**********************************************/
    0xa8, 0x93, 0x3e, 0xd5, 0x80, 0xdd, 0xb2, 0xfd, 
    0x8d, 0xdf, 0x9e, 0x9d, 0xf5, 0x78, 0xc2, 0xd1,
    0x4c, 0x94, 0x24, 0x85, 0x22, 0xfd, 0xca, 0x3f, 
    0x8d, 0x67, 0x3f, 0xa0, 0x00, 0x1d, 0x2a, 0xc1
};

devzone.nordicsemi.com/.../private.zip

RE: Generate Keys with nrfutil

yes — Tue, 09 Jul 2019 13:27:59 GMT

This is the generated private key as file