1 Reply by roelof

(3 replies, posted in General Inquiries)

Hi @Kaleb,

I do not believe my problem lies in the wc_GenerateSeed function as my RSA keys are generated successfully - according to WolfCrypt. The problem is that only the public key parts are available and not the private key

When generating a RSA keypair - using cryptocell the following function is called (from wolfcrypt/src/rsa.c):

int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
{
#ifndef WC_NO_RNG
    mp_int p, q, tmp1, tmp2, tmp3;
    int err, i, failCount, primeSz, isPrime = 0;
    byte* buf = NULL;

    if (key == NULL || rng == NULL)
        return BAD_FUNC_ARG;

    if (!RsaSizeCheck(size))
        return BAD_FUNC_ARG;

    if (e < 3 || (e & 1) == 0)
        return BAD_FUNC_ARG;

#if defined(WOLFSSL_CRYPTOCELL)

    return cc310_RSA_GenerateKeyPair(key, size, e);

#endif /*WOLFSSL_CRYPTOCELL*/

The following cryptocell function is then called:

cc310_RSA_GenerateKeyPair (in wolfcrypt/src/rsa.c) then executes :

 ret = CRYS_RSA_KG_GenerateKeyPair(&wc_rndState,
                        wc_rndGenVectFunc,
                        (byte*)&e,
                        3*sizeof(uint8_t),
                        size,
                        &key->ctx.privKey,
                        &key->ctx.pubKey,
                        &KeyGenData,
                        &FipsCtx);

    if (ret != SA_SILIB_RET_OK){
        WOLFSSL_MSG("CRYS_RSA_KG_GenerateKeyPair failed");
        return ret;
    }

    ret = CRYS_RSA_Get_PubKey(&key->ctx.pubKey, ex, &eSz, n, &nSz);
    if (ret != SA_SILIB_RET_OK){
        WOLFSSL_MSG("CRYS_RSA_Get_PubKey failed");
        return ret;
    }
    ret = wc_RsaPublicKeyDecodeRaw(n, nSz, ex, eSz, key);

key->type = RSA_PRIVATE;

From this code section only the public key elements ( &key->ctx.pubKey) are decoded into the original "struct RsaKey" and not the &key->ctx.privKey.

This means if a key is generated using cryptocell - only the public key elements can be used in the rest of the wolfcrypt RSA API functions like wc_RsaKeyToDer and then subsequently wc_RsaPrivateKeyDecode.

Then for some reason the key->type is set to RSA_PRIVATE

How can I get the private key from &key->ctx.privKey into a compatible RSA struct to use in wc_RsaKeyToDer

Go to forum: General Inquiries

2 Topic by roelof

(3 replies, posted in General Inquiries)

I am using wolfcrypt 4.1.0 with the Nordic NRF52840 cryptocell enabled.
Since enabling cryptocell I am no longer able to use wc_RsaSSL_Sign to sign with my RSA private key.
I have traced it to being unable to decode the private key from the RSA generated keypair.

The following code works successfully when cryptocell is not enabled, but with cryptocell enabled , wc_RsaPrivateKeyDecode return with error code -192 (Bad state operation )

   //Key generation
    RsaKey   RSAKey;
    long     exp = 65537l;
    WC_RNG   rng;
    int      keySize = 1024;
    uint8_t  *derKey = NULL;
    uint16_t derSz = 0;

    if( wc_InitRsaKey(&RSAKey, NULL) != 0 ) { // not using heap hint. No custom memory
        // error initializing rng
        printf("wc_InitRng Failed");
        goto end;
    }

    //initialize random number generator
    if( wc_InitRng(&rng) != 0 ) {
        // error initializing rng
        printf("wc_InitRng Failed");
        goto end;
    }

    if(wc_RsaSetRNG(&RSAKey, &rng) != EXIT_SUCCESS) {
        printf("wc_RsaSetRNG Failed\r\n");
        goto end; 
    }

    // generate keysize bit long private key
    if( wc_MakeRsaKey(&RSAKey, keySize, exp, &rng) != 0 ) {
        // error generating private key
        printf("wc_MakeRsaKey Failed\r\n");
        goto end; 
    }

    //free RNG object
    if (wc_FreeRng(&rng) != 0) {
      printf("wc_FreeRng Failed \r\n");
    }

    //Check RSA key
    int ret = wc_CheckRsaKey(&RSAKey);
    if (ret != 0) {
        printf("Key Error\r\n");
    }

    // Allocate memory for der
    derKey = pvPortMalloc(keySize);
    if (derKey == NULL) {
        NRF_LOG_ERROR("Could not allocate memory to create derKey");
        goto end;
    }

    derSz = 0;

    //Convert key to der
    derSz = wc_RsaKeyToDer(&RSAKey, derKey, keySize);
    printf("Der size = %d \r\n",derSz);
    if (derSz == 0) {
        printf("der Error\r\n");
    }

    RsaKey privateKey;
    word32 idx = 0;

    //decode new private key from DER
    ret = wc_RsaPrivateKeyDecode(derKey, &idx, &privateKey, derSz);
    if( ret != 0 ) {
        printf("Cannot decode private key. ret = %d \r\n",ret);
        printf("Failed here \r\n");
    }

Question: How can I extract the RSA private key to use to sign data using wc_RsaSSL_Sign- using cryptocell.

Go to forum: General Inquiries