cancel
Showing results for 
Search instead for 
Did you mean: 

SBSFU | KMS | How to use KMS_GenerateKeyPair()

Jakub Standarski
Associate III

Hello all.
I have a question about how to use KMS_GenerateKeyPair() function. There are no examples in the code, and API description is not really enough for my little brain. Could somebody provide me an example on how it should be used? What kind of parameters, how to initialize them and so on. I would be grateful!

1 ACCEPTED SOLUTION

Accepted Solutions
Jocelyn RICARD
ST Employee

Hello @Jakub Standarski ,

KMS is implementing PKCS#11 standard.

So, you should find an example somewhere.

Using google I found a video and example in associated gihub here

Best regards

Jocelyn

View solution in original post

6 REPLIES 6
Jocelyn RICARD
ST Employee

Hello @Jakub Standarski ,

KMS is implementing PKCS#11 standard.

So, you should find an example somewhere.

Using google I found a video and example in associated gihub here

Best regards

Jocelyn

Much appreciated! That's what I needed.

I would like to refresh the topic.

So I've put such a code (which is basically the copy from example):

void generate_ecdsa_keys(void)
{
    SE_KMS_Initialize(NULL);

    CK_SESSION_HANDLE session_handle = 0;
    CK_SLOT_ID slot_id = 0;
    SE_KMS_OpenSession(slot_id, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL_PTR,
        NULL_PTR, &session_handle);

    CK_MECHANISM mechanism = {
        .mechanism = CKM_ECDSA_KEY_PAIR_GEN,
        .pParameter = NULL,
        .ulParameterLen = 0
    };

    const CK_BBOOL yes = CK_TRUE;
    const CK_BBOOL no = CK_FALSE;

    CK_UTF8CHAR public_key_label[] = "ecdsa_public";
    CK_BYTE secp384r1_curve[] = {0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22};
    CK_ATTRIBUTE public_key_attributes[] = {
        {CKA_TOKEN,             &yes,               sizeof(CK_BBOOL)},
        {CKA_PRIVATE,           &no,                sizeof(CK_BBOOL)},
        {CKA_VERIFY,            &yes,               sizeof(CK_BBOOL)},
        {CKA_ENCRYPT,           &yes,               sizeof(CK_BBOOL)},
        {CKA_EC_PARAMS,         &secp384r1_curve,   sizeof(secp384r1_curve)},
        {CKA_LABEL,             &public_key_label,  sizeof(public_key_label)}
    };
    CK_ULONG public_key_attributes_size = sizeof(public_key_attributes) /
        sizeof(*public_key_attributes);

    CK_UTF8CHAR private_key_lable[] = "ecdsa_private";
    CK_ATTRIBUTE private_key_attributes[] = {
        {CKA_TOKEN,             &yes,               sizeof(CK_BBOOL)},
        {CKA_PRIVATE,           &yes,               sizeof(CK_BBOOL)},
        {CKA_SIGN,              &yes,               sizeof(CK_BBOOL)},
        {CKA_DECRYPT,           &yes,               sizeof(CK_BBOOL)},
        {CKA_SENSITIVE,         &yes,               sizeof(CK_BBOOL)},
        {CKA_LABEL,             &private_key_lable, sizeof(private_key_lable)}
    };
    CK_ULONG private_key_attributes_size = sizeof(private_key_attributes) /
        sizeof(*private_key_attributes);

    CK_OBJECT_HANDLE public_key = 0;
    CK_OBJECT_HANDLE private_key = 0;
    CK_RV key_pair_generation_status = SE_KMS_GenerateKeyPair(session_handle,
        &mechanism, public_key_attributes, public_key_attributes_size,
        private_key_attributes, private_key_attributes_size, &public_key,
        &private_key);

    if (key_pair_generation_status == CKR_OK)
    {
        PRINT_INFO("Key pair generated successfully.\r\n");
    }
    else
    {
        PRINT_ERROR("Unable to generate key pair! Error code = 0x%0X\r\n",
            key_pair_generation_status);
    }
}

 

Unfortunately `SE_KMS_GenerateKeys()` fails with `CKR_FUNCTION_FAILED`. When I get into the function, it looks like it fails when `KMS_ECC_LoadCurve()` is called, which is quite weird.

Any ideas what could be wrong?

 

PS. Because of optimization, debugger doesn't let me check everything and it jumps into different parts of code so it's very misleading and it's hard to say where exactly it fails.

Jocelyn RICARD
ST Employee

Hello @Jakub Standarski ,

first regarding debugging capability, you must change optimization level at least for the files that are involved.

About your issue, I could find something in the code in file 

Projects\B-L4S5I-IOT01A\Applications\2_Images_KMS\2_Images_SBSFU\SBSFU\App\sfu_scheme_x509_mbedtls_ecdsa_verify.c

  else if(p_grp->id == MBEDTLS_ECP_DP_SECP384R1)
  {
    ref_secp[0] = 0x81;
    ref_secp[1] = 0x2b;
    ref_secp[2] = 0x05;
    ref_secp[3] = 0x06;
    ref_secp[4] = 0x22;
    ref_secp[5] = 0x00;
    ref_secp[6] = 0x04;
  }

So, it looks like buffer needs to be adapted to little endian.

Best regards

Jocelyn

Regarding debugging capabilities - yes, I'm aware of a need to change optimization level, the thing is that we don't have enough space so I had to operate on what was currently available.

 

Regarding the main issue though, that looks like potential solution (I will give it a try soon). I've been wondering why is that, because I've seen same numbers but in different order while debugging. On the other hand I took example from pkcs11 tutorial and was a bit confused. Thanks for clarification!

That fixed the problem.

Of course I've encountered another one later, but that's a different story related with CA_ECCkeyGen().