Working on RSA encryption, I'm trying to build an RSA context from just the P, Q and E part of the key (as per https://tls.mbed.org/kb/development/how-to-fill-rsa-context-from-n-e-p-and-q)
I have this sequence working on a windows machine, using the latest mbedtls release on visual studio 2019.
mbedtls_rsa_init(&ctx, MBEDTLS_RSA_PKCS_V15, 0);
ret = mbedtls_rsa_import(&ctx, NULL, &P, &Q, NULL, &E);
if (ret != 0)
mbedtls_printf(" failed\n ! mbedtls_rsa_import returned %d\n\n", ret);
if ((ret = mbedtls_rsa_complete(&ctx)) != 0)
mbedtls_printf(" failed\n ! mbedtls_rsa_complete returned %d\n\n", ret);
When doing the same thing on a nrf52840 board, the mbedtls_rsa_complete call fails with errorcode -16512, 'RSA - Bad input parameters to function'.
When I compare the RSA context structure after the mbedtls_rsa_import call, the contents are identical (nrf vs windows), using the same P/Q/E input arrays.
So, this might be a long shot here, but I'm not sure where to look now. The mbedtls code is rather hard to follow, sofar I have not been able to tell why the function fails. Both machines are little endian, so that shouldn't be it, right? I've tried setting a larger heap (CONFIG_MBEDTLS_HEAP_SIZE=2048), but that did not make any difference either.
Or, thinking a bit about this, maybe I'm using the wrong API or configuration? Because I don't really have a clear picture about how and when the whole nrfxlib crypto stuff comes into play, the documentation (https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrfxlib/crypto/README.html) is sort of useless; a changelog and an api-list really doesn't do...
Replying to myself again
When I disable the CC3XX backend, I get a little bit further. I now have these config's:
And now the mbedtls_rsa_import/mbedtls_rsa_complete calls work as expected. However, doing an actual RSA encryption fails with a fault in mbedtls_hardware_poll.
If I then disable the CC3XX entropy thingy (CONFIG_ENTROPY_CC3XX=n) it no longer crashes, but a call to mbedtls_ctr_drbg_seed() returns -52 (CTR_DRBG - The entropy source failed), which probably makes sense; it doesn't have an entropy source?
(Edit: found out how to select the entropy-source; setting 'zephyr,entropy = &rng;' in my dts makes it use the RNG peripheral, but then the mbedtls_ctr_drbg_seed() call ends in a recursive spinlock assert..)
So, all this leads me to believe that I'm not using the CC3XX stuff properly, or it's not working properly. Is there any useful documentation, or an example perhaps, on how to configure, initialize and use this stuff for my platform?
Unfortunately, I am not able to look at your ticket today, but I will try to get an answer to you in the beginning of next week.
Sorry for the inconvenience.
basvkesteren said:Because I don't really have a clear picture about how and when the whole nrfxlib crypto stuff comes into play, the documentation (https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrfxlib/crypto/README.html) is sort of useless; a changelog and an api-list really doesn't do...
It is not meant that you should use the crypto libraries directly, instead, you should use the Nordic Security Module: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrfxlib/nrf_security/README.html
I have also made a very small sample that seems to be working correctly, though I had to use Zephyr's sys_csrand_get() instead of mbedTLS's hardware_poll():
Thanks for the example, I'll start working on that with my own code right now!
One more question right of, though; you're not using the CC3XX backend (CONFIG_CC3XX_BACKEND=n), so there's no hardware-acceleration for the crypto stuff, right? Is it not possible to use the CC3XX backend on the 52840?