Failing to load "trustm_engine" incorrect key returned

[Kitty-Hawk1]

I'm seeing the error below, any suggestions ?

mosquitto[212]: 1649842415: Loaded engine
mosquitto[212]: 1649842415: Initialised engine
**mosquitto[212]: Error in trustm_engine/trustm_engine.c:358 trustmEngine_App_Open: Fail : optiga_util_open_application**
mosquitto[212]: 1649842415: private key is:
mosquitto[212]:  Private-Key: (256 bit)
mosquitto[212]:  pub:
mosquitto[212]:      04:01:a0:07:7b:b3:69:fd:88:d5:48:b7:98:bd:42:
mosquitto[212]:      a2:f2:83:ad:19:31:de:83:82:e8:a7:f7:6f:b0:01:
mosquitto[212]:      95:35:e4:fd:bd:45:79:01:cc:af:2f:f1:8c:bf:0e:
mosquitto[212]:      18:e6:43:3d:b8:1d:fb:b1:04:ab:29:50:71:50:16:
mosquitto[212]:      34:7a:04:f3:1f

When I run a command line the key returned is

trustm_data -r 0xF1D1

========================================================
App DataStrucObj type 3     [0xF1D1] [Size 0091] :
        30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A
        86 48 CE 3D 03 01 07 03 42 00 04 D9 C1 9F A4 FB
        2D D8 A8 F3 5A 6A B3 35 75 4C 00 94 91 4A A4 AC
        A4 76 3B DD AE 95 EB 0C 8D B7 F5 E2 94 86 D1 AE
        A6 BA 85 00 4C 35 F4 AE BE BD CD D4 A9 66 AB 22
        26 58 BE 91 C3 75 5D A2 B4 E9 0D
========================================================

Test Signing

openssl dgst -sign 0xe0f1 --keyform engine -engine trustm_engine -out helloworld.sig helloworld.txt

Test Verifying, is fine.

openssl dgst -sha256 -verify Cloud.pem -signature helloworld.sig helloworld.txt

The build is

SRC_URI = "gitsm://github.com/Infineon/cli-optiga-trust-m.git;protocol=https"

SRC_URI += "file://28db645eb6f121becd968ba62b775fa56a189f46.patch;patchdir=trustm_lib"
SRC_URI += "file://c0ec9b28dbc27748d18b52d1351fc1c1e44f54be.patch;patchdir=trustm_lib"
SRC_URI += "file://0001-remove-lock-gatesgarth.patch"
SRC_URI += "file://0001-trustm-file-locations.patch"
SRC_URI += "file://0001-trustm-cert-offset.patch"

PV = "1.0+git${SRCPV}"
SRCREV = "44f942c04424c03970242281667f01a5aa442d49"

S = "${WORKDIR}/git"

TARGET_CFLAGS = "-I${STAGING_INCDIR} -fPIC -DENGINE_DYNAMIC_SUPPORT"
TARGET_LDFLAGS = "-lpthread -lssl -lcrypto -lrt"

do_compile () {	
	oe_runmake -C ${WORKDIR}/git workaround_patch

	oe_runmake -C ${WORKDIR}/git 'CC=${CC}'
}

And
 #define OPTIGA_COMMS_DEFAULT_RESET_TYPE     (1)     

And the code being executed is

 ```
                                    engine = ENGINE_by_id("trustm_engine");

                                    if(!engine){
                                                    log__printf(mosq, MOSQ_LOG_ERR, "Error loading engine\n");
                                    }
                                    else
                                    {
                                                    log__printf(mosq, MOSQ_LOG_ERR, "Loaded engine\n");
                                    }

                                    if(!ENGINE_init(engine)){
                                                    log__printf(mosq, MOSQ_LOG_ERR, "Failed engine initialisation\n");
                                    }
                                    else
                                    {
                                                    log__printf(mosq, MOSQ_LOG_ERR, "Initialised engine\n");
                                    }

                                    ENGINE_set_default(engine, ENGINE_METHOD_ALL);

                                    EVP_PKEY* key = ENGINE_load_private_key(engine, mosq->tls_keyfile, NULL, NULL);

                                    if (key == NULL)
                                    {
                                                    log__printf(mosq, MOSQ_LOG_ERR, "Failed to load private key\n");
                                    }
                                    else
                                    {

                                            log__printf(mosq, MOSQ_LOG_ERR, "private key is:\n");
                                            BIO *bp = BIO_new_fp(stderr, BIO_NOCLOSE);
                                            EVP_PKEY_print_private(bp, key, 1, NULL);

                                            log__printf(mosq, MOSQ_LOG_ERR, "private key end \n");
                                            EVP_PKEY_print_public(bp, key, 1, NULL);

                                            log__printf(mosq, MOSQ_LOG_ERR, "public key end \n");

[sgsharath123]

Hi @Kitty-Hawk1
Please provide the code repository link.

[Kitty-Hawk1]

I've updated the original posting

[sgsharath123]

I have a couple of suggestions, please try and let us know:

1. Is the problem always there, even after restarting (cold start, remove plug, plug in)
2. Are you able to provide the return status in line to us, so that we can understand the error better.

[Kitty-Hawk1]

mosquitto[204]: 1649869323: 1 0
mosquitto[204]: 204:trustm_engine/trustm_engine.c:1022 bind: >
mosquitto[204]: 204:trustm_engine/trustm_engine.c:951 engine_init: > Engine 0x11f5180 init
mosquitto[204]: 204:trustm_engine/trustm_engine.c:954 engine_init: Initializing
mosquitto[204]: 204:trustm_engine/trustm_engine.c:235 trustmEngine_Open: >
mosquitto[204]: 204:trustm_engine/trustm_engine.c:250 trustmEngine_Open: TrustM util instance created.
mosquitto[204]: 204:trustm_engine/trustm_engine.c:260 trustmEngine_Open: TrustM crypt instance created.
mosquitto[204]: 204:trustm_engine/trustm_engine.c:261 trustmEngine_Open: TrustM Open.
mosquitto[204]: 204:trustm_engine/trustm_engine.c:265 trustmEngine_Open: <
mosquitto[204]: 204:trustm_engine/trustm_engine_rand.c:68 trustmEngine_init_rand: >
mosquitto[204]: 204:trustm_engine/trustm_engine_rand.c:72 trustmEngine_init_rand: <
mosquitto[204]: 204:trustm_engine/trustm_engine_rsa.c:653 trustmEngine_init_rsa: >
mosquitto[204]: 204:trustm_engine/trustm_engine_rsa.c:682 trustmEngine_init_rsa: <
mosquitto[204]: 204:trustm_engine/trustm_engine_ec.c:392 trustmEngine_init_ec: >
mosquitto[204]: 204:trustm_engine/trustm_engine_ec.c:414 trustmEngine_init_ec: <
mosquitto[204]: 204:trustm_engine/trustm_engine.c:1014 engine_init: <
mosquitto[204]: 204:trustm_engine/trustm_engine.c:1076 bind: <
mosquitto[204]: 1649869323: Loaded engine
mosquitto[204]: 1649869323: Initialised engine
mosquitto[204]: 204:trustm_engine/trustm_engine.c:806 engine_load_privkey: > key_id : 0xe0f1
mosquitto[204]: 204:trustm_engine/trustm_engine.c:540 parseKeyParams: >
mosquitto[204]: 204:trustm_engine/trustm_engine.c:279 trustmEngine_App_Open: >
mosquitto[204]: 204:trustm_engine/trustm_engine.c:158 __trustmEngine_ipcInit: Init Queue 204
mosquitto[204]: 204:trustm_engine/trustm_engine.c:296 trustmEngine_App_Open: Check if TrustM Open:queue 204:current:204:Delay 13
mosquitto[204]: 204:trustm_engine/trustm_engine.c:324 trustmEngine_App_Open: Lock queue 204
mosquitto[204]: 204:trustm_engine/trustm_engine.c:340 trustmEngine_App_Open: No hibernate ctx found. Skip restore
mosquitto[204]: 204:trustm_engine/trustm_engine.c:350 trustmEngine_App_Open: waiting...
mosquitto[204]: 204:trustm_engine/trustm_engine.c:353 ++done. optiga_lib_status = 202                 <<<<< HERE
mosquitto[204]: 204:Error in trustm_engine/trustm_engine.c:358 trustmEngine_App_Open: Fail : optiga_util_open_application
mosquitto[204]: 204:trustm_engine/trustm_engine.c:400 trustmEngine_App_Open: <
mosquitto[204]: 204:trustm_engine/trustm_engine.c:582 parseKeyParams: ---> token [0] = 0xe0f1
mosquitto[204]: 204:trustm_engine/trustm_engine.c:745 parseKeyParams: <
mosquitto[204]: 204:trustm_engine/trustm_engine.c:816 engine_load_privkey: KEY_OID       : 0xe0f1
mosquitto[204]: 204:trustm_engine/trustm_engine.c:817 engine_load_privkey: Pubkey        :
mosquitto[204]: 204:trustm_engine/trustm_engine.c:818 engine_load_privkey: PubkeyLen     : 0
mosquitto[204]: 204:trustm_engine/trustm_engine.c:819 engine_load_privkey: PubkeyHeader  : 0
mosquitto[204]: 204:trustm_engine/trustm_engine.c:820 engine_load_privkey: PubkeyStore   : 0x0000
mosquitto[204]: 204:trustm_engine/trustm_engine.c:822 engine_load_privkey: RSA key type  : 0x42
mosquitto[204]: 204:trustm_engine/trustm_engine.c:823 engine_load_privkey: RSA key usage : 0x03
mosquitto[204]: 204:trustm_engine/trustm_engine.c:824 engine_load_privkey: RSA key flag  : 0x00
mosquitto[204]: 204:trustm_engine/trustm_engine.c:826 engine_load_privkey: EC key type   : 0x03
mosquitto[204]: 204:trustm_engine/trustm_engine.c:827 engine_load_privkey: EC key usage  : 0x01
mosquitto[204]: 204:trustm_engine/trustm_engine.c:828 engine_load_privkey: EC key flag   : 0x00
mosquitto[204]: 204:trustm_engine/trustm_engine_ec.c:268 trustm_ec_loadkey: >
mosquitto[204]: 204:trustm_engine/trustm_engine_ec.c:276 trustm_ec_loadkey: no new key request
mosquitto[204]: 204:trustm_engine/trustm_engine_ec.c:285 trustm_ec_loadkey: No plubic Key found, Register Private Key only
mosquitto[204]: 204:trustm_engine/trustm_engine_ec.c:303 trustm_ec_loadkey: <
mosquitto[204]: 204:trustm_engine/trustm_engine.c:859 engine_load_privkey: <
mosquitto[204]: 1649869323: private key is:
mosquitto[204]:  Private-Key: (256 bit)
mosquitto[204]:  pub:
mosquitto[204]:      04:01:a0:07:7b:b3:69:fd:88:d5:48:b7:98:bd:42:
mosquitto[204]:      a2:f2:83:ad:19:31:de:83:82:e8:a7:f7:6f:b0:01:
mosquitto[204]:      95:35:e4:fd:bd:45:79:01:cc:af:2f:f1:8c:bf:0e:
mosquitto[204]:      18:e6:43:3d:b8:1d:fb:b1:04:ab:29:50:71:50:16:
mosquitto[204]:      34:7a:04:f3:1f

[sgsharath123]

In the function optiga_cmd_open_application_handler(), which is called by the function in line

            if (OPTIGA_LIB_PAL_DATA_STORE_NOT_CONFIGURED != me->optiga_context_datastore_id)
            {
                //Clearing context handle secret from datastore
                return_status = pal_os_datastore_write(me->optiga_context_datastore_id,
                                                       me->p_optiga->optiga_context_handle_buffer,
                                                       sizeof(me->p_optiga->optiga_context_handle_buffer));
                if (PAL_STATUS_SUCCESS != return_status)
                {
                    return_status = OPTIGA_CMD_ERROR;
                    break;
                }
            }

I believe you have issues in writing into the datastore and hence you get OPTIGA_CMD_ERROR (0x0202). Can you debug and check if this is really the issue?

[Kitty-Hawk1]

The handler is not being called

trustm_engine/trustm_engine.c:340 trustmEngine_App_Open: No hibernate ctx found. Skip restore
pal_loger_write : [optiga util]     : optiga_util_open_application
pal_loger_write :
pal_loger_write : [optiga cmd]      : optiga_cmd_open_application
pal_loger_write :
211:trustm_engine/trustm_engine.c:350 trustmEngine_App_Open: waiting...
211:trustm_engine/trustm_engine.c:353 ++done. optiga_lib_status = 202
211:Error in trustm_engine/trustm_engine.c:358 trustmEngine_App_Open: Fail : optiga_util_open_application

However we I send the command via the command line it is
`
openssl dgst -sign 0xe0f1 --keyform engine -engine trustm_engine -out helloworld.sig helloworld.txt

`458:trustm_engine/trustm_engine.c:340 trustmEngine_App_Open: No hibernate ctx found. Skip restore

pal_loger_write : [optiga util]     : optiga_util_open_application
pal_loger_write :

pal_loger_write : [optiga cmd]      : optiga_cmd_open_application
pal_loger_write :

458:trustm_engine/trustm_engine.c:350 trustmEngine_App_Open: waiting...
optiga_cmd_open_application_handler, cmd_next_execution_state = 8
pal_loger_write : [optiga cmd]      : Sending open app command...
pal_loger_write :

In optiga_cmd_open_application_handler called pal_os_datastore_write, return_status = 0x0
optiga_cmd_open_application_handler, cmd_next_execution_state = 9
pal_loger_write : [optiga cmd]      : Processing response for open app command...
pal_loger_write :

pal_loger_write : [optiga cmd]      : Response of open app command is processed...
pal_loger_write :

[sgsharath123]

So, open Application works?
Also note that you cannot read out private key from 0xE0F1 object. You can only create signature using Trust M, the key cannot be read outside Trust M.

[Kitty-Hawk1]

optiga_cmd_open_application works in one path through the code [when called from the command line via openss exel], when used to create a SSL/TLS connection using the openssl library it doesn't :-(

Note - when creating the SSL/TLS connection openssl is attempting to check that the public key [which is contained within the private key], matches the X.509 certificate attached

[sgsharath123]

There are 2 separate issues:

1. Open appl fails in some scenario (We'll come back to this after we're on the same page).
2. Signing is attempted via openssl by reading a private key object in Optiga. This will not work as you cannot read out the content of the object.

Another thing to note is that public key is not contained in the private key. Only openssl does this, it stores the public private key pair on key generation. Later, public key can be extracted from this. This is not the case with Optiga private key object (0xE0F1). It does not matter to Optiga, whether public key is stored or private key is stored or keypair is stored in this object. You can never read this object. Only Optiga can read this when you request signature generation. In case a keypair or wrong format key is stored here, the signature generation will fail. See section 6.2 (appendix) of Solution Reference Manual to check how keys are stored in Optiga.

Please provide feedback on 1 and 2.

[RaymWong]

@Kitty-Hawk1

1. what is the value that is used for " mosq->tls_keyfile"?
   EVP_PKEY* key = ENGINE_load_private_key(engine, mosq->tls_keyfile, NULL, NULL);

Can you try "0xe0f1:^". ^ sign means to use default key store at 0xF1D1, See here for more details public key input options

2. For using external cert and public key files : Simple Server and Client Example using external public key and certificate files

3. SRCREV = "44f942c04424c03970242281667f01a5aa442d49"
   this source could be quite old. Kindly consider to use the latest if not too much changes are needed in your current codes: a3bdf70a51dae0b7909388823ed60c0d351ea875

[Kitty-Hawk1]

Thanks will try 0xe0f1:^

But need to resolve why initialization fails first, will try newer baseline.
Also I'll be working on something else, for a while

Apr 25 10:36:53 mach-cw-rnet-sn-gpm-249-2050 mosquitto[212]: 212:trustm_engine/trustm_engine.c:806 engine_load_privkey: > key_id : 0xe0f1:^
Apr 25 10:36:53 mach-cw-rnet-sn-gpm-249-2050 mosquitto[212]: 212:trustm_engine/trustm_engine.c:540 parseKeyParams: >
Apr 25 10:36:53 mach-cw-rnet-sn-gpm-249-2050 mosquitto[212]: 212:trustm_engine/trustm_engine.c:279 trustmEngine_App_Open: >
Apr 25 10:36:53 mach-cw-rnet-sn-gpm-249-2050 mosquitto[212]: 212:trustm_engine/trustm_engine.c:158 __trustmEngine_ipcInit: Init Queue 212
Apr 25 10:36:53 mach-cw-rnet-sn-gpm-249-2050 mosquitto[212]: 212:trustm_engine/trustm_engine.c:296 trustmEngine_App_Open: Check if TrustM Open:queue 212:current:212:Delay 5
Apr 25 10:36:53 mach-cw-rnet-sn-gpm-249-2050 mosquitto[212]: 212:trustm_engine/trustm_engine.c:324 trustmEngine_App_Open: Lock queue 212
Apr 25 10:36:53 mach-cw-rnet-sn-gpm-249-2050 mosquitto[212]: 212:trustm_engine/trustm_engine.c:340 trustmEngine_App_Open: No hibernate ctx found. Skip restore
Apr 25 10:36:53 mach-cw-rnet-sn-gpm-249-2050 mosquitto[212]: pal_loger_write : [optiga util]     : optiga_util_open_application
Apr 25 10:36:53 mach-cw-rnet-sn-gpm-249-2050 mosquitto[212]: pal_loger_write :
Apr 25 10:36:53 mach-cw-rnet-sn-gpm-249-2050 mosquitto[212]: pal_loger_write : [optiga cmd]      : optiga_cmd_open_application
Apr 25 10:36:53 mach-cw-rnet-sn-gpm-249-2050 mosquitto[212]: pal_loger_write :
Apr 25 10:36:53 mach-cw-rnet-sn-gpm-249-2050 mosquitto[212]: 212:trustm_engine/trustm_engine.c:350 trustmEngine_App_Open: waiting...
Apr 25 10:36:53 mach-cw-rnet-sn-gpm-249-2050 mosquitto[212]: 212:trustm_engine/trustm_engine.c:353 ++done. optiga_lib_status = 202

[RaymWong]

@Kitty-Hawk1
Your code missing ENGINE_load_builtin_engines(); ?
You may see the code here as example
https://github.com/Infineon/linux-optiga-trust-m/blob/a3bdf70a51dae0b7909388823ed60c0d351ea875/scripts/SimpleServeClientTest/SimpleServeClient_with_pubkeyfile/simpleTest_Server.c#L228