MicrochipTech / cryptoauth-openssl-engine

DEPRECATED: Use https://github.com/MicrochipTech/cryptoauthlib/wiki/PKCS11-Linux-Setup

"make test" fails with link issues #16

Open vgottardi opened 6 years ago

vgottardi commented 6 years ago
/home/vgottardi/cryptoauth-openssl-engine/cryptoauthlib/.build/libateccssl.so: undefined reference to `g_cert_def_1_signer'
/home/vgottardi/cryptoauth-openssl-engine/cryptoauthlib/.build/libateccssl.so: undefined reference to `g_csr_def_3_device'
/home/vgottardi/cryptoauth-openssl-engine/cryptoauthlib/.build/libateccssl.so: undefined reference to `g_signer_1_ca_public_key'
/home/vgottardi/cryptoauth-openssl-engine/cryptoauthlib/.build/libateccssl.so: undefined reference to `g_cert_def_2_device'
collect2: error: ld returned 1 exit status
Makefile:132: recipe for target '/home/vgottardi/cryptoauth-openssl-engine/cryptoauthlib/.build/test' failed

It's not obvious how to build without the certificate storage capabilities. Is it still possible to have the certificate stored in a file, like in the previous version?

bryan-hunt commented 6 years ago

Yes. In eccx08_engine.h leave ATCA_OPENSSL_ENGINE_STATIC_CONFIG undefined.

vgottardi commented 6 years ago

Thanks! Building with ATCA_OPENSSL_ENGINE_STATIC_CONFIG undefined works. I'm still having issues. I can't run the commands I used to run with the older version. This used to work:

$ openssl ecparam -name prime256v1 -out prime256v1.pem
$ openssl req -keygen_engine ateccx08 -newkey ec:prime256v1.pem -keyout client_eccx08.key -nodes -new -out client_eccx08.csr -sha256 -subj /C=CA/CN=openssl_ecc508/ -verify
$$eccx08_engine.c:211:bind_helper(): Entered
$$eccx08_ecdsa_sign.c:282:eccx08_ecdsa_init(): Entered
$$eccx08_eckey_meth.c:930:eccx08_pkey_meth_init(): Entered
$$eccx08_engine.c:314:bind_helper(): Succeeded
$$eccx08_engine.c:161:eccx08_init(): Entered
$$eccx08_cert.c:163:eccx08_cert_init(): Entered
$$eccx08_eckey_meth.c:794:eccx08_pmeth_selector(): Entered
$$eccx08_eckey_meth.c:528:eccx08_pkey_ec_init(): Entered
Private-Key: (256 bit)
ASN1 OID: prime256v1
NIST CURVE: P-256
$$eccx08_eckey_meth.c:578:eccx08_pkey_ec_keygen_init(): Entered
Private-Key: (256 bit)
ASN1 OID: prime256v1
NIST CURVE: P-256
Generating a 256 bit EC private key
$$eccx08_eckey_meth.c:606:eccx08_pkey_ec_keygen(): Entered
Private-Key: (256 bit)
ASN1 OID: prime256v1
NIST CURVE: P-256
Kit USB Device Node: /dev/hidraw1
  Manufacturer ATMEL (Crypto Device Demo)
  VID/PID:     03eb 2312

Kit Write: e:w()
Kit Read: 00(04113343)

Kit Write: e:t(07400400008387)
Kit Read: 00(040F2342)

Kit Write: e:i()
Kit Read: 00()

Kit Write: e:w()
Kit Read: 00(04113343)

Kit Write: e:t(07400000000005)
Kit Read: 00(4386F4DF25238D3545CFC3D639B41748515E4DA3D38EA86A405DFD0B3FDCF63AFB2D160C5D385366396B9D98169B649046373720483225A39E345234A01BFAE8C534BE)

Kit Write: e:i()
Kit Read: 00()
$$eccx08_engine.c:191:eccx08_finish(): Entered
$$eccx08_cert.c:182:eccx08_cert_cleanup(): Entered
$$eccx08_cert.c:100:eccx08_cert_free(): Entered
$$eccx08_cert.c:100:eccx08_cert_free(): Entered
$$eccx08_ecdsa_sign.c:312:eccx08_ecdsa_cleanup(): Entered
$$eccx08_eckey_meth.c:964:eccx08_pkey_meth_cleanup(): Entered
writing new private key to 'client_eccx08.key'
140597054756504:error:100C0043:elliptic curve routines:i2d_ECPrivateKey:passed a null parameter:ec_asn1.c:1126:
140597054756504:error:100D6010:elliptic curve routines:ECKEY_PRIV_ENCODE:EC lib:ec_ameth.c:327:
140597054756504:error:06071092:digital envelope routines:EVP_PKEY2PKCS8_broken:private key encode error:evp_pkey.c:128:
140597054756504:error:0907E073:PEM routines:DO_PK8PKEY:error converting private key:pem_pk8.c:120:
$$eccx08_eckey_meth.c:794:eccx08_pmeth_selector(): Entered
$$eccx08_eckey_meth.c:794:eccx08_pmeth_selector(): Entered
$$eccx08_eckey_meth.c:794:eccx08_pmeth_selector(): Entered
$$eccx08_engine.c:138:eccx08_destroy(): Entered
$$eccx08_engine.c:148:eccx08_destroy(): Finished
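
An added example (not part of the thread or of the project's code): a small Python triage helper that unpacks the packed error codes in the `openssl req` output above, assuming the OpenSSL 1.0.x/1.1.x layout (8-bit library, 12-bit function, 12-bit reason). The function names, the partial lookup tables and the embedded sample are constructed for illustration. OpenSSL prints the queue oldest first, so the first entry is where the failure originated.

```python
import re

# Constructed sample: the four error-queue lines copied from the log above.
SAMPLE = """\
140597054756504:error:100C0043:elliptic curve routines:i2d_ECPrivateKey:passed a null parameter:ec_asn1.c:1126:
140597054756504:error:100D6010:elliptic curve routines:ECKEY_PRIV_ENCODE:EC lib:ec_ameth.c:327:
140597054756504:error:06071092:digital envelope routines:EVP_PKEY2PKCS8_broken:private key encode error:evp_pkey.c:128:
140597054756504:error:0907E073:PEM routines:DO_PK8PKEY:error converting private key:pem_pk8.c:120:
"""

LINE = re.compile(
    r"^\d+:error:(?P<code>[0-9A-Fa-f]{8}):(?P<libname>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)
# Partial tables: only the libraries and generic reasons needed for this log.
LIBS = {6: "EVP", 9: "PEM", 16: "EC"}
GENERIC = {65: "ERR_R_MALLOC_FAILURE", 66: "ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED",
           67: "ERR_R_PASSED_NULL_PARAMETER", 68: "ERR_R_INTERNAL_ERROR"}

def classify(reason):
    """Name the reason class: generic, nested-library, or library-specific."""
    if reason in GENERIC:
        return GENERIC[reason]
    if reason < 64 and reason in LIBS:  # reason equal to a library number
        return "nested %s lib error" % LIBS[reason]
    return "library-specific reason"

def parse_error_queue(text):
    """Return one dict per error-queue line, in printed (oldest-first) order."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip engine trace lines, prompts and other output
        code = int(m["code"], 16)
        reason = code & 0xFFF
        entries.append({"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF,
                        "reason": reason, "kind": classify(reason),
                        "func_name": m["func"], "where": m["file"] + ":" + m["line"]})
    return entries

def root_cause(entries):
    """The oldest queued error is the innermost failing call."""
    return entries[0] if entries else None

if __name__ == "__main__":
    for e in parse_error_queue(SAMPLE):
        print(LIBS.get(e["lib"], e["lib"]), e["func_name"], e["kind"], e["where"])
```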

bryan-hunt commented 6 years ago

Sorry for the delay. Key generation is different for the latest version, and in the update that will allow it to work with OpenSSL v1.1.x APIs there will be an addition that allows passing the necessary parameters. That update is scheduled for release mid-April (2018).

The problem is OpenSSL doesn't discriminate between keys from an engine and those that are not - so the engine has to determine if the key has private key data in RAM or in external hardware. The old engine always assumed the hardware and wouldn't fail gracefully if it wasn't. In other words, since OpenSSL always generates ephemeral keys for ECDH, it would fail without patching the core of OpenSSL in 1.0.2 in two places (OpenSSL 1.0.2's ECDH implementation has numerous issues that were fixed in 1.1 by converging onto the EVP API).

DevriesL commented 6 years ago

Hello @vgottardi, I've run into the same issue too. Have you fixed it?

vgottardi commented 6 years ago

@DevriesL, no. I'm still using the previous version, waiting for the new release.

balaji-reddy commented 5 years ago

Seeing different link errors with the following configuration and setup:

Dev Kit: ATSAMD21 with AT88CKSCKTSOIC-XPRO (dip switches set to I2C)
OS: Ubuntu 16.04
OpenSSL: 1.0.2l

  1. ATCA_OPENSSL_ENGINE_STATIC_CONFIG set to 0 to disable it
  2. Created static shared C library for cryptoauth-openssl-engine like:
     cd ./cryptoauthlib
     make libateccssl TARGET_HAL=I2C
  3. When I run make test, I get the link errors below:
     /ws/cryptoauth-openssl-engine/cryptoauthlib/.build/libateccssl.so: undefined reference to `ECDSA_METHOD_set_sign'
     /ws/cryptoauth-openssl-engine/cryptoauthlib/.build/libateccssl.so: undefined reference to `ECDSA_METHOD_free'
     /ws/cryptoauth-openssl-engine/cryptoauthlib/.build/libateccssl.so: undefined reference to `ECDSA_METHOD_new'
     /ws/cryptoauth-openssl-engine/cryptoauthlib/.build/libateccssl.so: undefined reference to `ECDSA_METHOD_set_name'
     collect2: error: ld returned 1 exit status
     make: *** [/ws/cryptoauth-openssl-engine/cryptoauthlib/.build/test] Error 1

Is there anything missing? Or does make test work with OpenSSL v1.0.2l?