Infineon / linux-optiga-trust-m

Linux tools and examples for OPTIGA™ Trust V1/V3 security solution
MIT License

Error getting ECC private key using OpenSSL EC key processing #15

Closed thomas-at-rock7 closed 3 years ago

thomas-at-rock7 commented 3 years ago

When experimenting with trustm_engine and OpenSSL, I have noticed that it is not possible to get a private ECC key using the trustm_engine with OpenSSL EC key processing.

For example for RSA I can do the following:

```
openssl pkey -engine trustm_engine -inform engine -in 0xe0fc:*:NEW:0x42:0x13 -out example_rsa_private.pem
```

This will generate a 2048-bit RSA key for Auth/Enc/Sign, stored in OID 0xe0fc (0xf1e0), and output the private key to example_rsa_private.pem.

However, if I do the same for an ECC key, it fails with errors.

```
openssl ec -engine trustm_engine -inform engine -in 0xe0f1:*:NEW:0x04:0x13 -out example_ecc_private.pem
```

I would expect it to generate a 384-bit ECC key for Auth/Enc/Sign, stored in OID 0xe0f1 (0xf1d1), and output the private key to example_ecc_private.pem. I believe it generates the key pair and just fails outputting the private key, as it works when doing the public key with -pubout.

I get the following errors:

```
writing EC key
unable to write private key
3069517840:error:100C0010:elliptic curve routines:i2d_ECPrivateKey:EC lib:../openssl-1.1.1j/crypto/ec/ec_asn1.c:1097:
3069517840:error:0906900D:PEM routines:PEM_ASN1_write_bio:ASN1 lib:../openssl-1.1.1j/crypto/pem/pem_lib.c:336
```
Full debug logs of OpenSSL EC command:

```
root@hostname:~# openssl ec -engine trustm_engine -inform engine -in 0xe0f1:*:NEW:0x04:0x13 -out example_ecc_private.pem
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:988 bind: >
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:106 __trustmEngine_ipcInit: Shared memory segment exists - opening as client
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:146 trustmEngine_ipc_acquire: Check if TrustM Open:queue 43605:current:432:Delay 33
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:150 trustmEngine_ipc_acquire: Resource seized by 432
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:177 trustmEngine_ipc_acquire: Lock queue 432
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:911 engine_init: > Engine 0x1d7d378 init
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:914 engine_init: Initializing
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:183 trustmEngine_Open: >
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:106 __trustmEngine_ipcInit: Shared memory segment exists - opening as client
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:146 trustmEngine_ipc_acquire: Check if TrustM Open:queue 432:current:432:Delay 33
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:177 trustmEngine_ipc_acquire: Lock queue 432
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:201 trustmEngine_Open: optiga_util_create OK
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:215 trustmEngine_Open: optiga_crypt_create OK
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:221 trustmEngine_Open: TrustM crypt instance created.
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:222 trustmEngine_Open: TrustM Open.
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:226 trustmEngine_Open: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_rsa.c:653 trustmEngine_init_rsa: >
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_rsa.c:682 trustmEngine_init_rsa: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ec.c:585 trustmEngine_init_ec: >
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ec.c:607 trustmEngine_init_ec: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:980 engine_init: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:192 trustmEngine_ipc_release: release shared memory
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:1043 bind: <
engine "trustm_engine" set.
read EC key
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:106 __trustmEngine_ipcInit: Shared memory segment exists - opening as client
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:146 trustmEngine_ipc_acquire: Check if TrustM Open:queue 43605:current:432:Delay 33
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:150 trustmEngine_ipc_acquire: Resource seized by 432
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:177 trustmEngine_ipc_acquire: Lock queue 432
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:766 engine_load_privkey: > key_id : 0xe0f1:*:NEW:0x04:0x13
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:488 parseKeyParams: >
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:238 trustmEngine_App_Open_Recovery: >
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:270 trustmEngine_App_Open: >
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:183 trustmEngine_Open: >
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:106 __trustmEngine_ipcInit: Shared memory segment exists - opening as client
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:146 trustmEngine_ipc_acquire: Check if TrustM Open:queue 432:current:432:Delay 33
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:177 trustmEngine_ipc_acquire: Lock queue 432
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:203 trustmEngine_Open: TrustM util instance exists.
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:218 trustmEngine_Open: TrustM crypt instance exists.
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:221 trustmEngine_Open: TrustM crypt instance created.
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:222 trustmEngine_Open: TrustM Open.
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:226 trustmEngine_Open: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:294 trustmEngine_App_Open: No hibernate ctx found. Skip restore
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:124 trustmEngine_WaitForCompletion: max wait_time:6000, Tick Counter: 16
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:307 ++done.
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:346 trustmEngine_App_Open: Success : optiga_util_open_application
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:349 trustmEngine_App_Open: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:259 trustmEngine_App_Open_Recovery: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:530 parseKeyParams: ---> token [0] = 0xe0f1
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:685 parseKeyParams: found NEW
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:124 trustmEngine_WaitForCompletion: max wait_time:6000, Tick Counter: 5
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:450 trustmEngine_App_Close: Success : optiga_util_close_application
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:360 trustmEngine_Close: >
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:365 trustmEngine_Close: optiga_crypt_destroy
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:374 trustmEngine_Close: optiga_util_destroy
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:384 trustmEngine_Close: TrustM Closed.
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:385 trustmEngine_Close: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:192 trustmEngine_ipc_release: release shared memory
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:461 trustmEngine_App_Close: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:704 parseKeyParams: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:776 engine_load_privkey: KEY_OID : 0xe0f1
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:777 engine_load_privkey: Pubkey :
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:778 engine_load_privkey: PubkeyLen : 0
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:779 engine_load_privkey: PubkeyHeader : 0
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:780 engine_load_privkey: PubkeyStore : 0xF1D1
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:782 engine_load_privkey: RSA key type : 0x00
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:783 engine_load_privkey: RSA key usage : 0x00
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:784 engine_load_privkey: RSA key flag : 0x00
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:786 engine_load_privkey: EC key type : 0x04
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:787 engine_load_privkey: EC key usage : 0x13
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:788 engine_load_privkey: EC key flag : 0x01
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ec.c:410 trustm_ec_loadkey: >
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ec.c:189 trustm_ec_generatekey: >
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:238 trustmEngine_App_Open_Recovery: >
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:270 trustmEngine_App_Open: >
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:183 trustmEngine_Open: >
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:106 __trustmEngine_ipcInit: Shared memory segment exists - opening as client
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:146 trustmEngine_ipc_acquire: Check if TrustM Open:queue 43605:current:432:Delay 33
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:150 trustmEngine_ipc_acquire: Resource seized by 432
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:177 trustmEngine_ipc_acquire: Lock queue 432
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:201 trustmEngine_Open: optiga_util_create OK
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:215 trustmEngine_Open: optiga_crypt_create OK
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:221 trustmEngine_Open: TrustM crypt instance created.
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:222 trustmEngine_Open: TrustM Open.
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:226 trustmEngine_Open: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:294 trustmEngine_App_Open: No hibernate ctx found. Skip restore
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:304 trustmEngine_App_Open: waiting...
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:124 trustmEngine_WaitForCompletion: max wait_time:6000, Tick Counter: 18
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:307 ++done.
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:346 trustmEngine_App_Open: Success : optiga_util_open_application
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:349 trustmEngine_App_Open: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:259 trustmEngine_App_Open_Recovery: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:124 trustmEngine_WaitForCompletion: max wait_time:6000, Tick Counter: 141
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:124 trustmEngine_WaitForCompletion: max wait_time:6000, Tick Counter: 5
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:450 trustmEngine_App_Close: Success : optiga_util_close_application
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:360 trustmEngine_Close: >
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:365 trustmEngine_Close: optiga_crypt_destroy
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:374 trustmEngine_Close: optiga_util_destroy
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:384 trustmEngine_Close: TrustM Closed.
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:385 trustmEngine_Close: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ipc_lock.c:192 trustmEngine_ipc_release: release shared memory
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:461 trustmEngine_App_Close: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ec.c:319 trustm_ec_generatekey: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine_ec.c:465 trustm_ec_loadkey: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:819 engine_load_privkey: <
writing EC key
unable to write private key
3069739024:error:100C0010:elliptic curve routines:i2d_ECPrivateKey:EC lib:../openssl-1.1.1j/crypto/ec/ec_asn1.c:1097:
3069739024:error:0906900D:PEM routines:PEM_ASN1_write_bio:ASN1 lib:../openssl-1.1.1j/crypto/pem/pem_lib.c:336:
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:748 engine_finish: > Engine 0x1d7d378 finish (releasing functional reference)
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:749 engine_finish: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:713 engine_destroy: > Engine 0x1d7d378 destroy
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:360 trustmEngine_Close: >
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:384 trustmEngine_Close: TrustM Closed.
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:385 trustmEngine_Close: <
432:/usr/src/debug/optiga-trust-m-cli/1.0+gitAUTOINC+6c02abc442-r0/git/trustm_engine/trustm_engine.c:742 engine_destroy: <
```
Metadata of `0xE0F1`:

```shell
========================================================
Device EC Privte Key x [0xE0F1] [Size 0019] :
20 11 C0 01 01 D0 03 E1 FC 07 D3 01 00 E0 01 04 E1 01 13
LcsO:0x01, C:LcsO<0x07, E:ALW, Algo:ECC384, Key:Auth/Enc/Sign,
========================================================
```

Metadata of `0xE0FC`:

```shell
========================================================
Device RSA Privte Key x [0xE0FC] [Size 0019] :
20 11 C0 01 01 D0 03 E1 FC 07 D3 01 00 E0 01 42 E1 01 13
LcsO:0x01, C:LcsO<0x07, E:ALW, Algo:RSA2048, Key:Auth/Enc/Sign,
========================================================
```

As you may have seen from the debug logs, my OpenSSL version is OpenSSL 1.1.1j 16 Feb 2021.

Thanks

Thomas
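The two metadata dumps in the report above are the chip's key-object metadata TLVs (a 0x20 container holding lifecycle state, access conditions, algorithm and key usage). The decoder below is an added example, not code from the issue or the linux-optiga-trust-m project; the two hex strings are copied from the report, and the tag and value names follow the OPTIGA Trust M metadata encoding (values the report does not show, such as ECC256 or NEV, are assumed from that encoding).

```python
# Added example, not code from the issue or the linux-optiga-trust-m project.
# Decodes an OPTIGA Trust M key-object metadata TLV (0x20 container) such as
# the dump the issue shows for 0xE0F1, and maps the inner tags to the same
# fields the metadata tool prints (LcsO, C, E, Algo, Key).

# Both hex strings are copied from the metadata dumps in the issue.
EC_E0F1_METADATA_HEX = "20 11 C0 01 01 D0 03 E1 FC 07 D3 01 00 E0 01 04 E1 01 13"
RSA_E0FC_METADATA_HEX = "20 11 C0 01 01 D0 03 E1 FC 07 D3 01 00 E0 01 42 E1 01 13"

# Inner tags: C0 lifecycle state, D0 change / D1 read / D3 execute access
# conditions, E0 algorithm, E1 key usage (OPTIGA Trust M metadata encoding).
ACCESS_TAGS = {0xD0: "C", 0xD1: "R", 0xD3: "E"}
ALGORITHMS = {0x03: "ECC256", 0x04: "ECC384", 0x05: "ECC521", 0x41: "RSA1024", 0x42: "RSA2048"}
KEY_USAGE_BITS = [(0x01, "Auth"), (0x02, "Enc"), (0x10, "Sign"), (0x20, "KeyAgree")]
LCSO_OPERATORS = {0xFC: "<", 0xFD: ">", 0xFE: "=="}


def decode_access_condition(value: bytes) -> str:
    """ALW / NEV, or a lifecycle comparison such as 'LcsO<0x07'."""
    if value == b"\x00":
        return "ALW"
    if value == b"\xff":
        return "NEV"
    if len(value) == 3 and value[0] == 0xE1 and value[1] in LCSO_OPERATORS:
        return f"LcsO{LCSO_OPERATORS[value[1]]}0x{value[2]:02x}"
    return "0x" + value.hex()  # unknown encoding: show the raw bytes


def decode_key_usage(usage: int) -> str:
    names = [name for bit, name in KEY_USAGE_BITS if usage & bit]
    return "/".join(names) if names else "none"


def parse_metadata(hex_dump: str) -> dict:
    """Parse the 0x20 metadata container into the fields the tool prints."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) < 2 or raw[0] != 0x20:
        raise ValueError("expected metadata container tag 0x20")
    body = raw[2:2 + raw[1]]
    if len(body) != raw[1]:
        raise ValueError("truncated metadata container")
    fields, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated TLV header")
        tag, tlen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV value")
        pos += 2 + tlen
        if tag == 0xC0:
            fields["LcsO"] = f"0x{value[0]:02x}"
        elif tag in ACCESS_TAGS:
            fields[ACCESS_TAGS[tag]] = decode_access_condition(value)
        elif tag == 0xE0:
            fields["Algo"] = ALGORITHMS.get(value[0], f"0x{value[0]:02x}")
        elif tag == 0xE1:
            fields["Key"] = decode_key_usage(value[0])
        else:
            fields[f"0x{tag:02x}"] = value.hex()  # keep unknown tags visible
    return fields
```

`parse_metadata(EC_E0F1_METADATA_HEX)` reproduces the tool's `LcsO:0x01, C:LcsO<0x07, E:ALW, Algo:ECC384, Key:Auth/Enc/Sign` line, and the RSA dump differs only in the E0 byte (0x42, RSA2048).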

thomas-at-rock7 commented 3 years ago

After further thought I believe this is intentional. After actually looking into the RSA key exported, it seems to be truncated and not a valid key. So maybe the EC errors are acceptable, but maybe the RSA key export through OpenSSL pkey or OpenSSL rsa should behave like OpenSSL ec and raise an error "unable to write private key".

ayushev commented 3 years ago

Hello @thomas-at-rock7

Thanks for the details and the thoroughly constructed issue report. The chip can either store a private key internally and export the public component at the same time, or export both of them and not store the private component internally.

thomas-at-rock7 commented 3 years ago

@ayushev thanks. That's as I thought; when I submitted the issue report I seemed to forget about the main function of the device. A bit of a "D'oh!" moment.