
cryptoauth-openssl-engine's People

Contributors

agostrer, atmel1150, bryan-hunt, jcpeck, stevec-atmel


cryptoauth-openssl-engine's Issues

Missing eccx08_ecdsa

workspace/cryptoauth-openssl-engine/cryptoauthlib/lib/openssl/eccx08_eckey_meth.c:899:24: error: ‘eccx08_ecdsa’ undeclared (first use in this function)
EC_METHOD_set_name(eccx08_ecdsa, "ATECCX08 METHODS");

Fixed by adding this to eccx08_eckey_meth.c
extern ECDSA_METHOD * eccx08_ecdsa;

How to build and install the Atecc508 engine step by step

Hi there,
I am running into a lot of trouble, and there is a lack of documentation about the steps that are necessary to build, install and use the engine for the ATECC508.

Does somebody know how I can follow the process step by step? The current version also removed the extensive information that was in the old wiki, and now I don't know exactly what I need to do to use OpenSSL correctly with the encryption chip.

Thank you in advance!

Signing with SHA512

This line of code makes sure the digest length matches the ECC508 buffer size. That means only 256-bit digests are supported (SHA256).

Longer digests could also be supported (e.g. SHA512). According to NIST 186-4 section 6.4: "When the length of the output of the hash function is greater than the bit length of n, then the leftmost n bits of the hash function output block shall be used in any calculation using the hash function output during the generation or verification of a digital signature."

The proposed fix is to change this validation to only reject digests that are shorter than 256 bit (dgst_len < MEM_BLOCK_SIZE). This will remove the need to compile OpenSSL with -DOPENSSL_NO_SHA512.

The changed code works fine as tested with TLS client certificate authentication connecting to a plain Linux/Apache or Windows/IIS server.
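The truncation rule quoted in this issue, as an added example in C (not code from the engine or from the issue author). `ecdsa_leftmost_bits` and `eccx08_fit_digest` are hypothetical names and `MEM_BLOCK_SIZE` is assumed to be 32 bytes; the general function also handles curve orders that are not a multiple of 8 bits, which goes beyond the P-256 case discussed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the ECC508 digest buffer is 32 bytes (256 bits), as the issue states. */
#define MEM_BLOCK_SIZE 32

/*
 * Keep the leftmost order_bits bits of a big-endian digest (FIPS 186-4, 6.4).
 * A digest that is not longer than the order is copied unchanged.
 * Returns the number of bytes written to out, or 0 on bad arguments.
 */
size_t ecdsa_leftmost_bits(const uint8_t *dgst, size_t dgst_len,
                           size_t order_bits, uint8_t *out, size_t out_cap)
{
    size_t n, i;
    unsigned shift;

    if (dgst == NULL || out == NULL || dgst_len == 0 || order_bits == 0)
        return 0;

    if (dgst_len <= order_bits / 8) {           /* digest fits: nothing to cut */
        if (dgst_len > out_cap)
            return 0;
        memcpy(out, dgst, dgst_len);
        return dgst_len;
    }

    n = (order_bits + 7) / 8;                   /* bytes that hold order_bits bits */
    if (n > out_cap)
        return 0;
    memcpy(out, dgst, n);

    /* Order not byte aligned: shift out the surplus low bits of the last byte. */
    shift = (unsigned)((8 - (order_bits % 8)) % 8);
    if (shift != 0) {
        for (i = n; i-- > 0;) {
            uint8_t carry = (i > 0) ? (uint8_t)(out[i - 1] << (8 - shift)) : 0;
            out[i] = (uint8_t)((out[i] >> shift) | carry);
        }
    }
    return n;
}

/*
 * Hypothetical helper applying the validation proposed in the issue: only a
 * digest shorter than MEM_BLOCK_SIZE is rejected; SHA-384/SHA-512 output is
 * cut to its leftmost 256 bits, the order size of P-256.
 * Returns 1 on success, 0 if the digest must be rejected.
 */
int eccx08_fit_digest(const uint8_t *dgst, size_t dgst_len,
                      uint8_t out[MEM_BLOCK_SIZE])
{
    if (dgst == NULL || dgst_len < MEM_BLOCK_SIZE)
        return 0;
    return ecdsa_leftmost_bits(dgst, dgst_len, 8 * MEM_BLOCK_SIZE,
                               out, MEM_BLOCK_SIZE) == MEM_BLOCK_SIZE;
}

int main(void)
{
    uint8_t sha512_sized[64], sha1_sized[20] = {0}, block[MEM_BLOCK_SIZE];
    size_t i;

    for (i = 0; i < sizeof sha512_sized; i++)   /* constructed bytes, not a real hash */
        sha512_sized[i] = (uint8_t)i;

    printf("64-byte digest accepted: %d\n",
           eccx08_fit_digest(sha512_sized, sizeof sha512_sized, block));
    printf("20-byte digest accepted: %d\n",
           eccx08_fit_digest(sha1_sized, sizeof sha1_sized, block));
    return 0;
}
```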

One of the devices failed to execute "openssl req -keygen_engine ateccx08 -newkey ***"

Hello,
One of our devices failed to execute "openssl req -keygen_engine ateccx08 -newkey ec:/sdcard/prime256v1.pem -keyout /sdcard/DEVICE.key -nodes -new -out /sdcard/device_eccx08.csr.pem -sha256 -subj '/C=xx/O=xxxx/OU=xxxx/CN=xxxx/'" and here are the error logs:
I2C idle cmd failed: Transport endpoint is not connected
I2C wake
I2C W: 03 07 02 00 00 00 1E 2D
I2C R: 07 01 23 1C 2F 57 30
I2C idle
I2C wake
I2C W: 03 07 02 00 02 00 18 AD
I2C R: 07 F2 C4 9E 4B 4B 77
I2C idle
I2C wake
I2C W: 03 07 02 00 03 00 11 2D
I2C R: 07 EE C0 55 00 21 FD
I2C idle
I2C idle
I2C wake
I2C W: 03 07 40 00 00 00 00 05
I2C R: 04 0F 23 42 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
I2C idle
Error allocating keygen context

Could you please help us solve this issue? Thanks.

ATSHA204A is being used, not the ATECC508

Hi.

I have the AT88CK590 Evaluation Kit connected via USB. But when running the tests the ATSHA204A crypto chip is being used. Is this normal? Can I always use the ECC chip?

Regards.

Cannot extract certificate from crypto chip

I have stored a private key in the crypto chip and I want to extract or generate a public key. The run_extract_certs.sh script does not seem to work for me. I get ATECCX08: eccx08_cmd_ctrl(): error in atcatls_get_cert. Am I missing something?

# ./run_extract_certs.sh 
++ dirname ./run_extract_certs.sh
+ cd .
+ source ./common.sh
++ set -e
++ set -x
+++ dirname ./run_extract_certs.sh
++ cd .
++ cd ..
++ export TREE_TOP=/home/parallels/cryptoauth-openssl-engine
++ TREE_TOP=/home/parallels/cryptoauth-openssl-engine
++ export CERTSTORE=/home/parallels/cryptoauth-openssl-engine/certstore
++ CERTSTORE=/home/parallels/cryptoauth-openssl-engine/certstore
++ export SCRIPTS=/home/parallels/cryptoauth-openssl-engine/scripts
++ SCRIPTS=/home/parallels/cryptoauth-openssl-engine/scripts
++ export BIN_DIR=/home/parallels/cryptoauth-openssl-engine/install_dir/bin
++ BIN_DIR=/home/parallels/cryptoauth-openssl-engine/install_dir/bin
++ export EX_DIR=/home/parallels/cryptoauth-openssl-engine/client-server
++ EX_DIR=/home/parallels/cryptoauth-openssl-engine/client-server
++ export DEVICE_CERT=/home/parallels/cryptoauth-openssl-engine/certstore/personal/AT_device
++ DEVICE_CERT=/home/parallels/cryptoauth-openssl-engine/certstore/personal/AT_device
++ export DEVICE_KEY=/home/parallels/cryptoauth-openssl-engine/certstore/privkeys/AT_device.key
++ DEVICE_KEY=/home/parallels/cryptoauth-openssl-engine/certstore/privkeys/AT_device.key
++ export DEVICE_CSR=/home/parallels/cryptoauth-openssl-engine/certstore/csr/AT_device.csr
++ DEVICE_CSR=/home/parallels/cryptoauth-openssl-engine/certstore/csr/AT_device.csr
++ export SIGNER_CERT=/home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_signer
++ SIGNER_CERT=/home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_signer
++ export SIGNER_PATH=/home/parallels/cryptoauth-openssl-engine/certstore/trusted
++ SIGNER_PATH=/home/parallels/cryptoauth-openssl-engine/certstore/trusted
++ export ROOT_CERT=/home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_root
++ ROOT_CERT=/home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_root
++ export SIGNER_BUNDLE=/home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_bundle.crt
++ SIGNER_BUNDLE=/home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_bundle.crt
++ export LD_LIBRARY_PATH=/home/parallels/cryptoauth-openssl-engine/install_dir/lib
++ LD_LIBRARY_PATH=/home/parallels/cryptoauth-openssl-engine/install_dir/lib
++ export LD_PRELOAD=/lib/x86_64-linux-gnu/libpthread.so.0
++ LD_PRELOAD=/lib/x86_64-linux-gnu/libpthread.so.0
++ '[' -z '' ']'
++ export PORT_NUMBER=49917
++ PORT_NUMBER=49917
++ '[' -z '' ']'
++ export IP_ADDRESS=127.0.0.1
++ IP_ADDRESS=127.0.0.1
++ export 'ENGINE=-engine ateccx08'
++ ENGINE='-engine ateccx08'
++ export 'KEYGEN_ENGINE=-keygen_engine ateccx08'
++ KEYGEN_ENGINE='-keygen_engine ateccx08'
++ '[' -z '' ']'
++ export COMPANY=homut
++ COMPANY=homut
++ '[' -z '' ']'
++ export COMMON_NAME=homut
++ COMMON_NAME=homut
++ '[' -z '' ']'
++ export USE_EXAMPLE=0
++ USE_EXAMPLE=0
++ '[' -z '' ']'
++ export USE_ENGINE=0
++ USE_ENGINE=0
++ '[' -z '' ']'
++ export USE_ATMEL_CA=0
++ USE_ATMEL_CA=0
++ '[' -z '' ']'
++ export NEW_KEY=0
++ NEW_KEY=0
++ '[' -z '' ']'
++ export NEW_ROOT=0
++ NEW_ROOT=0
++ '[' -z '' ']'
++ USE_WWW=0
++ '[' 0 = 0 ']'
++ export ENGINE=
++ ENGINE=
++ export ENGINE_EX=
++ ENGINE_EX=
++ '[' -z '' ']'
++ export USE_RSA=0
++ USE_RSA=0
++ '[' 0 = 0 ']'
++ RSA=
++ export CMD=/home/parallels/cryptoauth-openssl-engine/install_dir/bin/openssl
++ CMD=/home/parallels/cryptoauth-openssl-engine/install_dir/bin/openssl
++ export CMD_EX=/home/parallels/cryptoauth-openssl-engine/client-server/exchange-tls12
++ CMD_EX=/home/parallels/cryptoauth-openssl-engine/client-server/exchange-tls12
+ set +e
+ /home/parallels/cryptoauth-openssl-engine/client-server/exchange-tls12 -E -e ateccx08
Current working dir: /home/parallels/cryptoauth-openssl-engine
ATECCX08: bind_fn()
ATECCX08: ECCX08 bind_helper()
ATECCX08: eccx08_rand_init()
ATECCX08: eccx08_pkey_meth_init()
ATECCX08: eccx08_pkey_meth_init()
ATECCX08: eccx08_ecdh_init() - HW
ATECCX08: eccx08_cmd_defn_init()
ATECCX08: returned normally()
ATECCX08: eccx08_init()
ATECCX08: eccx08_pkey_meth_f()
ATECCX08: eccx08_pkey_asn1_meth_f()
ATECCX08: eccx08_ctrl()
ATECCX08: eccx08_cmd_ctrl(ECCX08_CMD_EXTRACT_ALL_CERTS)
ATECCX08: eccx08_cmd_ctrl(ECCX08_CMD_GET_SIGNER_CERT)
ATECCX08: eccx08_cmd_ctrl(): error in atcatls_get_cert

+ /home/parallels/cryptoauth-openssl-engine/install_dir/bin/openssl x509 -inform DER -outform PEM -in /home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_signer.der -out /home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_signer.pem
Error opening Certificate /home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_signer.der
140197270136472:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_signer.der','r')
140197270136472:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
+ /home/parallels/cryptoauth-openssl-engine/install_dir/bin/openssl x509 -inform DER -outform PEM -in /home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_root.der -out /home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_root.pem
Error opening Certificate /home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_root.der
139792167216792:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_root.der','r')
139792167216792:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
+ cat /home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_signer.pem /home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_root.pem
cat: /home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_signer.pem: No such file or directory
cat: /home/parallels/cryptoauth-openssl-engine/certstore/trusted/AT_root.pem: No such file or directory
+ /home/parallels/cryptoauth-openssl-engine/install_dir/bin/openssl x509 -inform DER -outform PEM -in /home/parallels/cryptoauth-openssl-engine/certstore/personal/AT_device.der -out /home/parallels/cryptoauth-openssl-engine/certstore/personal/AT_device.pem
Error opening Certificate /home/parallels/cryptoauth-openssl-engine/certstore/personal/AT_device.der
140693885945496:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/home/parallels/cryptoauth-openssl-engine/certstore/personal/AT_device.der','r')
140693885945496:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
+ '[' 0 = 1 ']'
+ STATUS=0
+ echo 'EXIT STATUS: 0'
EXIT STATUS: 0
+ exit 0

Regards. Thanks for your time.

when will it support openssl 1.1.x?

On Ubuntu 18.04, the OpenSSL version is 1.1.0g and the source code won't compile.

Furthermore, we are using node.js. tls.certEngine is not supported until node.js v10. However, node.js v10 uses OpenSSL 1.1.0h. So we cannot use this chip until OpenSSL 1.1.x is supported.

not able to execute GET_DEVICE_CERT and GET_SIGNER_CERT

I'm using the crypto chip ATECC508 connected to an RPI3 compute module using the I2C interface.
Running the test tool I was able to PASS all of them, but if I try to use openssl to get the certificate I have a failure.
I debugged a little bit where the error happened and I discovered that it is on:

OpenSSL> engine -t dynamic -pre SO_PATH:./ateccx08.so -pre LIST_ADD:1 -pre ID:ateccx08 -pre LOAD
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:./ateccx08.so
[Success]: LIST_ADD:1
[Success]: ID:ateccx08
$$eccx08_engine.c:307:bind_helper(): Entered
$$eccx08_ecdsa_sign.c:373:eccx08_ecdsa_init(): Entered
$$eccx08_eckey_meth.c:1072:eccx08_pkey_meth_init(): Entered
$$eccx08_engine.c:410:bind_helper(): Succeeded
[Success]: LOAD
Loaded: (ateccx08) Microchip ATECCx08 Engine
$$eccx08_engine.c:248:eccx08_init(): Entered
$$eccx08_cert.c:163:eccx08_cert_init(): Entered
$$eccx08_cert.c:128:eccx08_cert_copy(): Entered
$$eccx08_cert.c:66:eccx08_cert_new(): Entered
$$eccx08_cert.c:128:eccx08_cert_copy(): Entered
$$eccx08_cert.c:66:eccx08_cert_new(): Entered
$$eccx08_cert.c:128:eccx08_cert_copy(): Entered
$$eccx08_cert.c:66:eccx08_cert_new(): Entered
[ available ]
$$eccx08_engine.c:280:eccx08_finish(): Entered
$$eccx08_cert.c:182:eccx08_cert_cleanup(): Entered
$$eccx08_cert.c:100:eccx08_cert_free(): Entered
$$eccx08_cert.c:100:eccx08_cert_free(): Entered
$$eccx08_cert.c:100:eccx08_cert_free(): Entered
$$eccx08_ecdsa_sign.c:403:eccx08_ecdsa_cleanup(): Entered
$$eccx08_eckey_meth.c:1106:eccx08_pkey_meth_cleanup(): Entered
OpenSSL> engine ateccx08 -t -post GET_SIGNER_CERT:./signer.der
(ateccx08) Microchip ATECCx08 Engine
$$eccx08_engine.c:248:eccx08_init(): Entered
$$eccx08_cert.c:163:eccx08_cert_init(): Entered
$$eccx08_cert.c:128:eccx08_cert_copy(): Entered
$$eccx08_cert.c:66:eccx08_cert_new(): Entered
$$eccx08_cert.c:128:eccx08_cert_copy(): Entered
$$eccx08_cert.c:66:eccx08_cert_new(): Entered
$$eccx08_cert.c:128:eccx08_cert_copy(): Entered
$$eccx08_cert.c:66:eccx08_cert_new(): Entered
[ available ]
$$eccx08_cmd_defns.c:372:eccx08_cmd_ctrl(): Entered
$$eccx08_cmd_defns.c:110:get_cert(): ./signer.der cert:0x1992a40 sign:0x7e9fa181
$$eccx08_engine.c:79:eccx08_global_lock(): About to lock mutex in global_lock
$$eccx08_cmd_defns.c:144:get_cert(): Load puiblic key status: 0 signer:0
$$eccx08_cmd_defns.c:144:get_cert():
Load puiblic key status: 0 signer:0
atcacert_def.c:1380 atcacert_set_comp_cert(): tid 1:1 cid 0:0 source 9:0
atcacert_def.c:425: Read certificate status: 0xb
$$eccx08_cmd_defns.c:151:get_cert(): Read certificate status: 0xb
$$eccx08_cmd_defns.c:163:get_cert(): Failure: 0xb
[Failure]: GET_SIGNER_CERT:./signer.der

I added some printf calls to report the specific point where the error ATCACERT_E_WRONG_CERT_DEF happens, and it seems to be a difference in the expected source.
The test using cio runs fine without any issue.
Any help or suggestion?

CSR Template Specification/Format

What is the specification necessary for me to create a template for my company "Honeywell, Inc, etc", needed for the following byte array which was used in the example in atcatls_tests.c
///////////////////////////////////////////////////////////////////////////////////////
// CSR Structures

uint8_t g_DeviceCsr[] =
{
0x30, 0x82, 0x01, 0x35, 0x30, 0x81, 0xDC, 0x02, 0x01, 0x00, 0x30, 0x7A, 0x31, 0x0B, 0x30, 0x09,
0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55,
0x04, 0x08, 0x0C, 0x08, 0x43, 0x6F, 0x6C, 0x6F, 0x72, 0x61, 0x64, 0x6F, 0x31, 0x19, 0x30, 0x17,
0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x10, 0x43, 0x6F, 0x6C, 0x6F, 0x72, 0x61, 0x64, 0x6F, 0x20,
0x53, 0x70, 0x72, 0x69, 0x6E, 0x67, 0x73, 0x31, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x04, 0x0A,
0x0C, 0x05, 0x41, 0x74, 0x6D, 0x65, 0x6C, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x0B,
0x0C, 0x0F, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x50, 0x72, 0x6F, 0x64, 0x75, 0x63, 0x74,
0x73, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0A, 0x41, 0x57, 0x53, 0x20,
0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE,
0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00,
0x04, 0x68, 0x94, 0x9A, 0x24, 0x35, 0xCB, 0xE5, 0x98, 0x3A, 0x35, 0x16, 0xDA, 0x7A, 0x0B, 0x61,
0x75, 0x8A, 0x63, 0x21, 0xEF, 0x50, 0xE1, 0x54, 0x45, 0x24, 0x11, 0x0D, 0x10, 0xA0, 0x53, 0x1B,
0x5F, 0x6F, 0x50, 0x0D, 0xBF, 0xBA, 0x0D, 0x01, 0xFA, 0x20, 0x01, 0x4D, 0x59, 0x92, 0xCE, 0xF9,
0x3F, 0xBB, 0xD2, 0x3D, 0xAA, 0x9A, 0x48, 0xAA, 0x98, 0x6A, 0xDC, 0x3C, 0xC8, 0x97, 0xD3, 0xDD,
0xAC, 0xA0, 0x00, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03,
0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0xB8, 0x01, 0x0D, 0xF0, 0xF9, 0x86, 0xD9, 0x33, 0xB6,
0x03, 0x7C, 0x72, 0x50, 0x64, 0x67, 0x53, 0x77, 0x51, 0x1F, 0xE1, 0x1A, 0x16, 0xEB, 0xFE, 0xD6,
0x3C, 0x9D, 0xEC, 0x05, 0x35, 0xE5, 0xDD, 0x02, 0x20, 0x70, 0x96, 0x1E, 0x4C, 0x5F, 0xB6, 0x0E,
0xE2, 0x28, 0xB8, 0x8D, 0x6C, 0xE4, 0x02, 0x63, 0x15, 0x79, 0x7C, 0x6A, 0x29, 0x3F, 0x7E, 0xEB,
0x48, 0x0F, 0x8F, 0x41, 0x15, 0x92, 0x4B, 0xF4, 0xB5
};

How to generate key file

How can I generate the key file for the private key in the atecc08 without destroying it if the slot containing the private key is not locked?

location cryptoauthlib repo

Hi, I'm currently using cryptoauthlib from Atmel. Is there a repo dedicated to cryptoauthlib which is open for everyone?

LOAD_CERT_CTRL Command

Some applications (like curl) use the LOAD_CERT_CTRL command from the OpenSC project engine_pkcs11 when using an engine to perform certificate client authentication. In order to make these integrations work it would be nice to include this command in Release 2.

Invalid default configuration

Running engine_atecc/ecc-test-main with a new chip locks it with a bad configuration. The problem is that slot 1 is marked as locked (0xFE) before the key is generated in atcatls_config_default().

use correct data type for key_str in get_key

use correct data type for key_str in get_key

To fix, change the below line in lib/openssl/eccx08_cmd_defns.c

    char* key_str[32];
    EVP_PKEY* pkey;

    DEBUG_ENGINE("Entered\n");

to

    char key_str[32];
    EVP_PKEY* pkey;

    DEBUG_ENGINE("Entered\n");

Porting to buildroot

Hello,

The ATECC508A is being used on my platform.
I am trying to port this project to Buildroot.

But it does not compile successfully.
Is there a buildroot example for reference?

error log:
eccx08_cmd_defns.c: In function 'verify_signer_cert':
eccx08_cmd_defns.c:222:14: warning: implicit declaration of function 'atcacert_verify_cert_hw' [-Wimplicit-function-declaration]
status = atcacert_verify_cert_hw(&g_cert_def_1_signer_t, signerCert, signerCertSize, caPubkey);
^
Compiling eccx08_rsa_meth.c. CFLAGS = -I. -I.. -I../.. -I../../openssl_1_0_2 -I../../openssl_1_0_2/include -I../../openssl_1_0_2/include/openssl -I../../openssl_1_0_2/crypto/crypto -I../../openssl_1_0_2/crypto/engine -I../../openssl_1_0_2/crypto/include/internal -I../cryptoauthlib/lib -I../cryptoauthlib/lib/tls -fPIC -g -O0 -DUSE_ECCX08 -DECC_DEBUG -DATCA_HAL_I2C
Compiling eccx08_eckey_meth.c. CFLAGS = -I. -I.. -I../.. -I../../openssl_1_0_2 -I../../openssl_1_0_2/include -I../../openssl_1_0_2/include/openssl -I../../openssl_1_0_2/crypto/crypto -I../../openssl_1_0_2/crypto/engine -I../../openssl_1_0_2/crypto/include/internal -I../cryptoauthlib/lib -I../cryptoauthlib/lib/tls -fPIC -g -O0 -DUSE_ECCX08 -DECC_DEBUG -DATCA_HAL_I2C
Compiling eccx08_rand.c. CFLAGS = -I. -I.. -I../.. -I../../openssl_1_0_2 -I../../openssl_1_0_2/include -I../../openssl_1_0_2/include/openssl -I../../openssl_1_0_2/crypto/crypto -I../../openssl_1_0_2/crypto/engine -I../../openssl_1_0_2/crypto/include/internal -I../cryptoauthlib/lib -I../cryptoauthlib/lib/tls -fPIC -g -O0 -DUSE_ECCX08 -DECC_DEBUG -DATCA_HAL_I2C
Compiling eccx08_ecdh.c. CFLAGS = -I. -I.. -I../.. -I../../openssl_1_0_2 -I../../openssl_1_0_2/include -I../../openssl_1_0_2/include/openssl -I../../openssl_1_0_2/crypto/crypto -I../../openssl_1_0_2/crypto/engine -I../../openssl_1_0_2/crypto/include/internal -I../cryptoauthlib/lib -I../cryptoauthlib/lib/tls -fPIC -g -O0 -DUSE_ECCX08 -DECC_DEBUG -DATCA_HAL_I2C
eccx08_ecdh.c:381:5: warning: initialization makes integer from pointer without a cast [-Wint-conversion]
ECDH_eccx08_init, // init
^
eccx08_ecdh.c:381:5: note: (near initialization for 'eccx08_ecdh.flags')
eccx08_ecdh.c:381:5: error: initializer element is not computable at load time
eccx08_ecdh.c:381:5: note: (near initialization for 'eccx08_ecdh.flags')
eccx08_ecdh.c:383:5: warning: excess elements in struct initializer
0, // flags
^
eccx08_ecdh.c:383:5: note: (near initialization for 'eccx08_ecdh')
Makefile:32: recipe for target 'eccx08_ecdh.o' failed
make[3]: *** [eccx08_ecdh.o] Error 1
Makefile:42: recipe for target 'tgt_engine_meth' failed
make[2]: *** [tgt_engine_meth] Error 2
package/pkg-generic.mk:238: recipe for target '/home/msice/Workspace/MS5770/ambalink_sdk_4_9.20180316/output.oem/h22_ambalink/build/cryptoauthlib-0.1-alpha/.stamp_built' failed
make[1]: *** [/home/msice/Workspace/MS5770/ambalink_sdk_4_9.20180316/output.oem/h22_ambalink/build/cryptoauthlib-0.1-alpha/.stamp_built] Error 2
Makefile:16: recipe for target '_all' failed
make: *** [_all] Error 2

Integration issues

I'm having issues getting basic client cert authentication to work. I'm working with a device that was provided with the cryptoauth-openssl-engine already integrated by the vendor, so I'm not doing the compilation/integration myself. I've attempted to make a test as basic as possible based on the scripts in this project. The file ec-params.pem has the prime256v1 params, the file my-ca.crt is a self-signed CA cert, and my-ca.key is its key. I use these commands to generate my client key and certificate:

openssl req -keygen_engine ateccx08 -newkey ec:ec-params.pem -subj "/O=Example/CN=11000308" -sha256 -keyout client.key -out device-csr.pem -verify

openssl x509 -req -in device-csr.pem -days 2000000 -CA my-ca.crt -CAcreateserial -CAkey my-ca.key -out client.crt

openssl ec -in client.key -out client.key

I get this output:

ATECCX08: bind_fn()
ATECCX08: ECCX08 bind_helper()
ATECCX08: eccx08_rand_init()
ATECCX08: eccx08_pkey_meth_init()
ATECCX08: eccx08_pkey_meth_init()
ATECCX08: eccx08_ecdh_init() - HW
ATECCX08: eccx08_cmd_defn_init()
ATECCX08: returned normally()
ATECCX08: eccx08_init()
ATECCX08: eccx08_pkey_meth_f()
ATECCX08: eccx08_pkey_ec_init() - hw
ATECCX08: eccx08_pkey_ec_keygen_init()
Generating a 256 bit EC private key
ATECCX08: eccx08_pkey_ec_keygen() - HW
ATECCX08: eccx08_finish()
writing new private key to '/opt/ext/etc/keys/client.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
ATECCX08: eccx08_item_sign() - HW
ATECCX08: ECDSA_eccx08_do_sign(): int eckey HW
verify OK
ATECCX08: eccx08_int_ec_free()
ATECCX08: eccx08_pkey_meth_f()
ATECCX08: eccx08_pkey_asn1_meth_f()
ATECCX08: eccx08_destroy()
Signature ok
subject=/O=Example/CN=11000308
Getting CA Private Key
read EC key
Enter PEM pass phrase:
writing EC key

I have a server.crt and server.key that are also signed by my-ca.crt. I run a server that does not integrate with the ecc508A using this command:

openssl s_server -CAfile my-ca.crt -cert server.crt -key server.key -Verify 2

Finally, I run a client like this:

openssl s_client -engine ateccx08 -connect localhost:4433 -CAfile my-ca.crt -cert client.crt -key client.key

with this output

ATECCX08: bind_fn()
ATECCX08: ECCX08 bind_helper()
ATECCX08: eccx08_rand_init()
ATECCX08: eccx08_pkey_meth_init()
ATECCX08: eccx08_pkey_meth_init()
ATECCX08: eccx08_ecdh_init() - HW
ATECCX08: eccx08_cmd_defn_init()
ATECCX08: returned normally()
ATECCX08: eccx08_ctrl()
ATECCX08: eccx08_init()
ATECCX08: eccx08_pkey_meth_f()
ATECCX08: eccx08_pkey_asn1_meth_f()
engine "ateccx08" set.
ATECCX08: RAND_eccx08_rand_bytes() -  hw
CONNECTED(00000003)
ATECCX08: eccx08_rsa_init()
depth=1 C = US, ST = ..., L = ..., O = ..., CN = ...
verify return:1
ATECCX08: eccx08_rsa_init()
depth=0 C = US, ST = ..., L = ..., O = ..., CN = ...
verify return:1
ATECCX08: ECDH_eccx08_compute_key(): HW 
ATECCX08: ECDH_eccx08_get_pubkey() - hw
ATECCX08: ECDSA_eccx08_do_sign(): ERROR dgst_len
1995924688:error:14099006:SSL routines:ssl3_send_client_verify:EVP lib:s3_clnt.c:3286:
---
Certificate chain
 0 s:/C=US/ST=.../L=.../O=.../CN=...
   i:/C=US/ST=.../L=.../O=.../CN=...
 1 s:/C=US/ST=.../L=.../O=.../CN=...
   i:/C=US/ST=.../L=.../O=.../CN=...
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=.../L=.../O=.../CN=...
issuer=/C=US/ST=.../L=.../O=.../CN=...
---
Acceptable client certificate CA names
/C=US/ST=.../L=.../O=.../CN=...
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2297 bytes and written 1560 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: ED8D7DFD9ADCF5F896DE93D6AF2B581D217809AFA12EA7FA396A85D174FB2B5849DFFBA3AB5284981D33BFE9257B7F7A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1498848897
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
ATECCX08: eccx08_finish()
ATECCX08: eccx08_pkey_meth_f()
ATECCX08: eccx08_pkey_asn1_meth_f()
ATECCX08: eccx08_destroy()

As you can see I get this error ATECCX08: ECDSA_eccx08_do_sign(): ERROR dgst_len. I'm not sure why there is a key file when the key is stored in the hardware but your scripts included it so I kept it.

I should also note that if I omit the -keygen ateccx08 and -engine ateccx08 this all works fine.

I'd greatly appreciate any help you can provide.

Thanks.

Engine crashes during different use cases

Hello,
I've built the engine with a Yocto build system and am using it with OpenSSL 1.0.2j.
I tried different commands and every time I've got this error:
openssl: pthread_mutex_lock.c:352: __pthread_mutex_lock_full: Assertion `INTERNAL_SYSCALL_ERRNO (e, __err) != ESRCH || !robust' failed.

OpenSSL is running on an embedded Linux ARM platform with an ATECC508A connected to I²C.
Complete output:


root@test:~# openssl version
OpenSSL 1.0.2j  26 Sep 2016

root@test:~# openssl req -keygen_engine ateccx08 -newkey ec:prime256v1.pem -keyout client_eccx08.key
$$eccx08_engine.c:211:bind_helper(): Entered
$$eccx08_ecdsa_sign.c:282:eccx08_ecdsa_init(): Entered
$$eccx08_eckey_meth.c:938:eccx08_pkey_meth_init(): Entered
$$eccx08_engine.c:314:bind_helper(): Succeeded
$$eccx08_engine.c:161:eccx08_init(): Entered
$$eccx08_cert.c:163:eccx08_cert_init(): Entered
$$eccx08_eckey_meth.c:802:eccx08_pmeth_selector(): Entered
$$eccx08_eckey_meth.c:536:eccx08_pkey_ec_init(): Entered
Private-Key: (256 bit)
ASN1 OID: prime256v1
NIST CURVE: P-256
$$eccx08_eckey_meth.c:586:eccx08_pkey_ec_keygen_init(): Entered
Private-Key: (256 bit)
ASN1 OID: prime256v1
NIST CURVE: P-256
Generating a 256 bit EC private key
$$eccx08_eckey_meth.c:614:eccx08_pkey_ec_keygen(): Entered
Private-Key: (256 bit)
ASN1 OID: prime256v1
NIST CURVE: P-256
openssl: pthread_mutex_lock.c:352: __pthread_mutex_lock_full: Assertion `INTERNAL_SYSCALL_ERRNO (e, __err) != ESRCH || !robust' failed.
Aborted

root@test:~# openssl engine -t ateccx08 -post GET_DEVICE_KEY:/home/root/testfile
$$eccx08_engine.c:211:bind_helper(): Entered
$$eccx08_ecdsa_sign.c:282:eccx08_ecdsa_init(): Entered
$$eccx08_eckey_meth.c:938:eccx08_pkey_meth_init(): Entered
$$eccx08_engine.c:314:bind_helper(): Succeeded
(ateccx08) Microchip ATECCx08 Engine
$$eccx08_engine.c:161:eccx08_init(): Entered
$$eccx08_cert.c:163:eccx08_cert_init(): Entered
     [ available ]
$$eccx08_cmd_defns.c:360:eccx08_cmd_ctrl(): Entered
$$eccx08_cmd_defns.c:215:get_key(): Entered
$$eccx08_eckey_meth.c:518:eccx08_load_pubkey(): Entered
$$eccx08_eckey_meth.c:412:eccx08_load_pubkey_internal(): Entered
$$eccx08_eckey_meth.c:121:eccx08_eckey_new_key(): Entered
$$eccx08_eckey_meth.c:154:eccx08_eckey_new_key(): KEY ID: ATECCx08:02:00:00:00$$eccx08_eckey_meth.c:206:eccx08_eckey_new_key(): EXITING
openssl: pthread_mutex_lock.c:352: __pthread_mutex_lock_full: Assertion `INTERNAL_SYSCALL_ERRNO (e, __err) != ESRCH || !robust' failed.
Aborted

So why is the engine never returning back to openssl?
And another question: where has all the documentation gone? All links referring to this repo's documentation are redirected to the wiki's Home.
Thank you

Compile errors with openssl-1.0.2n

Building the engine against openssl-1.0.2n (or 1.0.2m) generates errors. Latest commit in evp.h on 1.0.2 branch seems to be the culprit - https://github.com/openssl/openssl/commits/OpenSSL_1_0_2-stable/crypto/evp/evp.h

/home/debian/cryptoauth-openssl-engine-github/cryptoauthlib/lib/openssl/eccx08_eckey_meth.c:815:13: error: static declaration of ‘EVP_PKEY_meth_get_init’ follows non-static declaration
 static void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth,
             ^~~~~~~~~~~~~~~~~~~~~~
In file included from /usr/local/ssl/include/openssl/x509.h:73:0,
                 from /usr/local/ssl/include/openssl/engine.h:99,
                 from /home/debian/cryptoauth-openssl-engine-github/cryptoauthlib/lib/openssl/eccx08_engine.h:41,
                 from /home/debian/cryptoauth-openssl-engine-github/cryptoauthlib/lib/openssl/eccx08_eckey_meth.c:39:
/usr/local/ssl/include/openssl/evp.h:1366:6: note: previous declaration of ‘EVP_PKEY_meth_get_init’ was here
 void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth,
      ^~~~~~~~~~~~~~~~~~~~~~

Configuration API

Configuration can be complex so a defined API needs to be implemented to handle these complexities at run time rather than compile time for some systems.

"make test" fails with link issues

/home/vgottardi/cryptoauth-openssl-engine/cryptoauthlib/.build/libateccssl.so: undefined reference to `g_cert_def_1_signer'
/home/vgottardi/cryptoauth-openssl-engine/cryptoauthlib/.build/libateccssl.so: undefined reference to `g_csr_def_3_device'
/home/vgottardi/cryptoauth-openssl-engine/cryptoauthlib/.build/libateccssl.so: undefined reference to `g_signer_1_ca_public_key'
/home/vgottardi/cryptoauth-openssl-engine/cryptoauthlib/.build/libateccssl.so: undefined reference to `g_cert_def_2_device'
collect2: error: ld returned 1 exit status
Makefile:132: recipe for target '/home/vgottardi/cryptoauth-openssl-engine/cryptoauthlib/.build/test' failed

It's not obvious how to build without the certificate storage capabilities. Is it still possible to have the certificate stored in a file, like in the previous version?

Engine doesn't work while on TLS handshake

Hello!

I have used this openssl-engine on my ATECC508A. As we know, the private key is stored inside and we have no way to get it out.

But during TLS communication with the server, if the server wants to verify the device identity, the device needs to send the signer cert and client cert to the server. Besides, the device needs to send a response encrypted by the client cert private key to the server. The server will use the CA to verify this cert chain and use the public key in the client cert to verify the response from the client. All those things would be finished during the TLS handshake.

Therefore I used the engine to overwrite the sign algorithm in ECDSA and compiled it with the ECC_DEBUG macro. However, when I run my program to connect to the server, there is no output from the new sign algorithm in ECDSA and, of course, the server is not able to identify the client. I think this engine doesn't work during the TLS handshake, but response encryption during the handshake is necessary. Hence, do you have any ideas to solve this problem?

My test file in client side is here:

#include <openssl/ssl.h>
#include <openssl/conf.h>
#include "openssl/eccx08_engine.h"
#include "openssl/eccx08_engine_internal.h"

int main()
{
    static ENGINE *ateccx08_engine;
    OpenSSL_add_all_algorithms();
    ERR_load_crypto_strings();

    printf("ENGINE_load_dynamic");
    ENGINE_load_dynamic();

    printf("CONF_modules_load_file");
    if (!CONF_modules_load_file(NULL, NULL, CONF_MFLAGS_DEFAULT_SECTION))
    {
        printf("Config failed to load");
    }

    printf("ENGINE_by_id");
    ateccx08_engine = ENGINE_by_id("ateccx08");

    if (ateccx08_engine == NULL)
    {
        printf("Engine failed to load");
    }

    // after some initialization

    // load client-side cert and key
    SSL_CTX_use_certificate_file(m_ctx, ClientCertificateFileTest, SSL_FILETYPE_PEM);

    // no need anymore because no way to extract private key
    // SSL_CTX_use_PrivateKey_file(m_ctx, ClientPrivateKeyFileTest, SSL_FILETYPE_PEM);

    // load intermediate cert
    X509* chaincert = X509_new();
    BIO* bio_cert = BIO_new_file(SignerCertificateFileTest, "rb");
    PEM_read_bio_X509(bio_cert, &chaincert, NULL, NULL);
    SSL_CTX_add1_chain_cert(m_ctx, chaincert);

    m_ssl = SSL_new(m_ctx);

    // get_socket is my own API
    m_sock = get_socket();

    SSL_set_fd(m_ssl, m_sock);

    // doing handshake and build connection, however no output from ECDSA sign algorithm
    auto r = SSL_connect(m_ssl);
}

In Linux: With ATCA_HAL_KIT_HID target, failed to link the udev library

When I compile this project for the target ATCA_HAL_KIT_HID (kit with USB HID), it fails to link the Linux udev static library.

Fix: cryptoauthlib/Makefile

$(OUTDIR)/libateccssl.so: $(LIBATECCSSL_OBJECTS) $(LIBCRYPTOAUTH_OBJECTS) | $(OUTDIR)
       $(LD) -dll -shared $(LIBATECCSSL_OBJECTS) $(LIBCRYPTOAUTH_OBJECTS) -o $@ -lcrypto -lrt -ludev

Linux, Segmentation fault in lib/openssl/eccx08_ecdh.c

I noticed the segmentation fault when I tried to execute the TLS authentication example.
This error occurs in one of the debug functions where it prints the eckey, so it's not trivial but a blocking issue.

To unblock yourself, just comment out the line below in lib/openssl/eccx08_ecdh.c

static int eccx08_ecdh_compute_key(void *out, size_t outlen, 
    const EC_POINT *pub_key, EC_KEY *ecdh, 
    void* (*KDF)(const void *in, size_t inlen, void *out, size_t *outlen))
{
    DEBUG_ENGINE("Entered: outlen %d\n", outlen);

    // eccx08_eckey_debug(NULL, ecdh);
   
    ........................

ECDH Support for Release 2

Release 2 does not have ECDH support yet so this is a work item:

  • Mirror the work done for ECDSA, PKEY, and Certificates use the public API to properly set up the ECDH selector function
  • Use the ECDH configuration if not statically defined
  • Roll keys properly
  • Determine if it is possible or feasible for ECDHE to perform key generation after the session has ended
