Filter results by

OpenSSL Support

For applications that are already using or plan to use the OpenSSL software library, the developer can still take advantage of the ARTIK Security features. The OpenSSL engine takes advantage of the hardware-accelerated ARTIK security library to get keys from the Secure Element, encrypt and decrypt, encode and decode, sign and verify, get a hash digest, etc.

The OpenSSL engine calls the lower-level security routines. It is used by all the ARTIK SDK modules that rely on OpenSSL (http through libcurl, websockets through libwebsockets, mqtt through mosquitto, etc…) to utilize the Secure Element.

Only certain OpenSSL operations are supported in hardware. The remainder are supported by software emulation.

Note: In addition to installing the security libraries, you also need to install the security test package to run the tests in this section.

dpkg -i libartik-security-test*

Once the security test installation has been done, you will have a convenient testing program available. Try it out with no parameters to see the functions available.

see_test

For OpenSSL testing, we'll only be using the key management functions. The full functionality is outlined in the SEE Test Utility section.

OpenSSL 'artiksee' Engine

ARTIK "s" modules incorporate the 'artiksee' engine that is loaded when specified in OpenSSL commands. You can get an overview of its supported features using this command.

openssl engine artiksee -vv

(artiksee) ARTIK Secure Element Support
     SO_PATH: Specifies the path to the  artik shared library
     LOAD_CERT_CTRL: Loads a public cert
     CREATE_KEY: Create a new key in SE
     REMOVE_KEY: Delete a key in SE
     SET_KEY: Set a key in SE

To see capabilities, use this command.

openssl engine -c

(dynamic) Dynamic engine loading support
(artiksee) ARTIK Secure Element Support
 [RSA, RAND, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5, SHA1, SHA224, SHA256, SHA384, SHA512]

OpenSSL Engine – Test Guide

The test cases demonstrate how to use the OpenSSL engine. The RSA, Digests algorithms, and AES tests are only supported by ARTIK Linux "s" modules.

RSA Test case 1

Scenario: Get a key from the secure element.

  1. Generate a 1024 bits RSA key in the secure element and get the public key with the openssl engine, by executing the following command on the artik board.
    see_test -K gen-key -k my_rsa -a 4096 -O my_rsa.pub

    This command stores the generated public key in the file my_rsa.pub in DER format. The private key is inaccessible as noted here.

    Use the table below to select the -a option for the desired RSA key length. Refer to Options for details.

    RSA Key Length option setting
    1024 -a 4096
    2048 -a 4097
    3072 -a 4098

  2. Read the public key from the file my_rsa.pub with the following OpenSSL command:
    openssl rsa -in my_rsa.pub -inform DER -pubin -noout -text

  3. Read the public key from the secure element (use rsa2048:// or rsa3072:// if you use a key with length 2048 or 3072).
    openssl rsa -engine artiksee -in "rsa1024://my_rsa" -noout -pubout -text -inform e

The output of the two last commands must be the same.

RSA Test case 2

Scenario: Encrypt data without the artiksee engine and decrypt data with the engine.

  1. Create a file to encrypt.
    echo "123456" > file.txt

  2. Encrypt file.txt with the following command.
    openssl rsautl -encrypt -pubin -inkey my_rsa.pub -keyform DER -in file.txt -out file.txt.enc

  3. Use the artik engine to decrypt the file.
    openssl rsautl -decrypt -engine artiksee -inkey "rsa1024://my_rsa" -keyform e -in file.txt.enc -out file.txt.dec

  4. Check if the original file and the decrypted file are identical.
    cmp --silent file.txt file.txt.dec && echo "### SUCCESS: files are identical" || echo "### FAILED: files are different"

  5. Clean up.
    rm file.txt file.txt.enc file.txt.dec

RSA Test case 3

Scenario: Encrypt and decrypt with artiksee engine.

  1. Create a file to encrypt.
    echo "123456" > file.txt

  2. Use the artik engine to encrypt the file.
    openssl rsautl -encrypt -engine artiksee -inkey "rsa1024://my_rsa" -keyform e -in file.txt -out file.txt.enc

  3. Use the artik engine to decrypt the file.
    openssl rsautl -decrypt -engine artiksee -inkey rsa1024://my_rsa -keyform e -in file.txt.enc -out file.txt.dec

  4. Check if the original file and the decrypted file are identical.
    cmp --silent file.txt file.txt.dec && echo "### SUCCESS: files are identical" || echo "### FAILED: files are different"

  5. Clean up.
    rm file.txt file.txt.enc file.txt.dec

RSA Test case 4

Scenario: Sign with artiksee and then verify without artiksee.

  1. Create a file to sign.
    echo "123456" > file.txt

  2. Sign the file file.txt and save the result in file.txt.sha256
    openssl dgst -engine artiksee -sha256 -sign "rsa1024://my_rsa" -keyform e -out file.txt.sha256 file.txt
    Use -md5 -sha1 -sha224 -sha384 or -sha512 instead of -sha256 to change the digest algorithm.

  3. We can't use the -verify option of the dgst command because by default, openssl uses PKCS#2, but the openssl engine uses PKCS#1.5. So we need to check the signature with the command rsautl and ans1parse.
    openssl rsautl -verify -inkey my_rsa.pub.pem -in file.txt.sha256 -pubin -out file.txt.sha256.dec

  4. Decode the raw signature file with the asn1parse command.
    openssl asn1parse -inform der < file.txt.sha256.dec
    The output of the asn1parse command: 
    0:d=0 hl=2 l= 49 cons: SEQUENCE
2:d=1 hl=2 l= 13 cons: SEQUENCE
4:d=2 hl=2 l= 9 prim: OBJECT :sha256
15:d=2 hl=2 l= 0 prim: NULL
17:d=1 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:
E150A1EC81E8E93E1EAE2C3A77E66EC6DBD6A3B460F89C1D08AECF422EE401A0
    The last line of the output gives the sha256 in hexadecimal.

  5. Compute the sha256 of file.txt with the following command:
    openssl dgst -sha256 -hex file.txt 
     SHA256(file.txt)= e150a1ec81e8e93e1eae2c3a77e66ec6dbd6a3b460f89c1d08aecf422ee401a0
    You can see that the sha256 stored in file.txt.sha256.dec and the sha256 returned by openssl are identical.

  6. Clean up.
    rm file.txt file.txt.sha256 file.txt.sha256.dec

RSA Test case 5

Scenario: Sign & verify with artiksee.

  1. Create a file to sign.
    echo "123456" > file.txt

  2. Sign the file "file.txt" and save the result in "file.txt.sha256" (use one of the following options -md5, -sha1, -sha224, -sha384, -sha512 instead of -sha256 to change the digest algorithm).
    openssl dgst -engine artiksee -sha256 -sign "rsa1024://my_rsa" -keyform e -out file.txt.sha256 file.txt

  3. Check the signature with the following command:
    openssl dgst -engine artiksee -sha256 -verify "rsa1024://my_rsa" -keyform ENGINE -signature file.txt.sha256 file.txt
    This command returns "Verified OK" if the signature is verified.

  4. Clean up.
    rm file.txt file.txt.sha256 file.txt.sha256.dec

  5. Remove the rsa key.
    see_test -K remove-key -k my_rsa -a 4096

Digest test case

Scenario: Get the digest with artiksee and without it.

  1. Create a file
    echo "123456" > file.txt

  2. Execute the following command to compute the sha256 of the file file.txt
    openssl dgst -sha256 -hex file.txt

  3. Execute the following command to compute the sha256 of file.txt with artiksee.
    openssl dgst -engine artiksee -sha256 -hex file.txt

The output of the two commands must be identical.

AES Test case 1

The artiksee engine supports the following OpenSSL ciphers:

aes-128-cbc       aes-128-ecb      aes-128-ctr

aes-192-cbc       aes-192-ecb      aes-192-ctr

aes-256-cbc       aes-256-ecb      aes-256-ctr

The AES tests here use the cipher aes-128-cbc.

Scenario: Encode without artiksee and decode with artiksee

  1. Generate a new AES key:
    openssl aes-128-cbc -k toto -P
    where "toto" is an example password
     salt=8C5BA8C5BBFF9B51                 
 key=472B8ABBA7D61BC70257830C3C90F629  
 iv =F7D8F3EC97479A3E33B70B201C889D36

  2. Create a file containing the AES 128 bit key.
    echo "472B8ABBA7D61BC70257830C3C90F629" | xxd -r -p > aes128.key
    The package vim-common on your ARTIK board provides the xxd command.

  3. Set the key in the SE with see_test (use options -a 1 if the key length is 192 bits or -a 2 if 256 bits).
    see_test -K set-key -a 0 -k test_aes_128 -I aes128.key

  4. Create a file.
    echo "123456" > file.txt

  5. Encode data without artiksee.
    openssl aes-128-cbc -e -K 472B8ABBA7D61BC70257830C3C90F629 -iv F7D8F3EC97479A3E33B70B201C889D36 -in file.txt -out file.txt.aes

  6. Decode data with artiksee.
    openssl aes-128-cbc -engine artiksee -d -K $(printf "test_aes_128" | xxd -pu) -iv F7D8F3EC97479A3E33B70B201C889D36 -in file.txt.aes -out file.txt.decode`

  7. Compare the original file with the decoded file.
    cmp --silent file.txt file.txt.decode && echo "### SUCCESS: files are identical" || echo "### FAILED: files are different"

  8. Clean up.
    rm file.txt file.txt.decode file.txt.aes

AES Test case 2

Scenario: Encode and decode with artiksee

  1. Create a file.
    echo "123456" > file.txt

  2. To encode the file with artiksee use the following command:
    openssl aes-128-cbc -engine artiksee -d -K $(printf "test_aes_128" | xxd -pu) -iv 4C7FB595220D6F5CCB68902C9358F27D -in file.txt -out file.txt.aes

  3. To decode the file with artiksee use the following command:
    openssl aes-128-cbc -engine artiksee -d -K $(printf "test_aes_128" | xxd -pu) -iv 4C7FB595220D6F5CCB68902C9358F27D -in file.txt.aes -out file.txt.decode

  4. Compare the original file and the decoded file.
    cmp --silent file.txt file.txt.decode && echo "### SUCCESS: files are identical" || echo "### FAILED: files are different"

  5. Clean up.
    rm file.txt file.txt.decode file.txt.aes

  6. Remove the AES key.
    see_test -K remove-key -k test_aes_128 -a 0

ECC Example 1

Scenario: Store a key in the secure element and compare the public key versions.

  1. Generate an ECC key using the ECC_SEC_P256R1 curve in the secure element.
    see_test -K gen-key -k my_ecc -a 8195 -O my_ecc.pub

    This command stores the generated public key in the file my_ecc.pub in DER format. The private key is inaccessible, as noted here.

  2. Read the public key from the public key file with the following OpenSSL command:
    openssl ecparam -name prime256v1 -in my_ecc.pub -inform DER -text

  3. Retrieve the public key from the Secure Element.
    see_test -K get-pubkey -k my_ecc -a 8195 -O my_se_ecc.pub

The output of the two last commands must be the same.

SEE Test Utility

The security test package installation includes the see_test binary. The reference below covers the basic functions available. Refer to the Security API thru SEE article for the underlying SEE calls.

Options

Once you have installed libartik-security-test*, you'll find the file
/usr/include/artik/security/see_common.h

that contains definitions for many of the Option parameters used here. For example, --algorithm :

value algorithm used
4096 RSA_1024
4097 RSA_2048
8195 ECC_SEC_P256R1

Key management

see_test --key-manager [test] [options] ...

see_test -K [test] [options] ...

test options
gen-key
set-key
get-pubkey
remove-key 		-i | --input
-I | --input-file
-z | --input-size
-k | --key-name
-a | --algorithm
-d | --debug

Examples

see_test --key-manager=gen-key --algorithm=4096

see_test -K gen-key -a 4096

Authentication

see_test --authentication [test] [options] ...

see_test -A [test] [options] ...

test options
generate-random
generate-certificate
set-certificate
get-certificate
remove-certificate
rsa-signature
rsa-verify
ecdsa-signature
ecdsa-verify
get-hash
get-hmac
generate-dhparams
set-dhparams
compute-dhparams
generate-ecdhkey
compute-ecdhkey 		-i | --input (string)
-I | --input-file
-z | --input-size
-O | --output-file (path)
-a | --algorithm (issuer alg)
-A | --sub-algorithm (subject alg)
-r | --random-size (test size)
-s | --sign (input string)
-S | --sign-file (input file)
-c | --cert-name
-k | --key-name (issuer key)
-K | --sub-key-name (subject key)
-P | --public-file
-d | --debug (result)

Examples

see_test --authentication=generate-random --random-size=128 --debug=1

see_test -A generate-random -r 128 -d 1

Secure storage

see_test --secure-storage [test] [options] ...

see_test -S [test] [options] ...

test options
read
write
delete
size
list
provision
prov-lock 		-i | --input (string)
-I | --input-file
-z | --input-size
-O | --output-file (path)
-n | --file-name (read/write data name)
-s | --read-size
-e | --offset (read/write offset)
-d | --debug (result)

Examples

see_test --secure-storage=write --name=test ...

see_test -S write -n test -i test

Encryption/decryption

see_test --enc-decryption [test] [options] ...

see_test -E [test] [options] ...

test options
aes-encryption
aes-decryption
rsa-encryption
rsa-decryption] 		-i | --input (string)
-I | --input-file
-z | --input-size
-O | --output-file (path)
-v | --iv (initial vector)
-k | --key-name
-m | --mode (aes/rsa)
-d | --debug (result)

Examples

see_test --enc-decryption=aes-encryption --key-name=aes...

see_test -E aes-encryption -k aes ...

Key Management Examples

Generate secure private keys

[root@artik ~]# see_test -K gen-key -k "my_ecc" -a 8195
. See Initialize …ok
. SEE Key Generate [0x2003, my_ecc] …ok
[root@artik ~]# see_test -K gen-key -k "my_rsa" -a 4096
. See Initialize …ok
. SEE Key Generate [0x1000, my_rsa] …ok

Recover the public EC key

[root@artik ~]# see_test -K get-pubkey -k my_ecc -a 8195 -O my_ecc.pub
. See Initialize …ok
. SEE Public Key Get [0x2003, my_ecc] …ok
> save output : my_ecc.pub

View it

[root@artik ~]# openssl ecparam -name prime256v1 -in my_ecc.pub -inform DER
-----BEGIN EC PARAMETERS-----
BgUrgQQACg==
-----END EC PARAMETERS-----

Delete keys

[root@artik ~]# see_test -K remove-key -k "my_ecc" -a 8195
. See Initialize …ok
. SEE Key Remove [0x2003, my_ecc] …ok
[root@artik ~]# see_test -K remove-key -k "my_rsa" -a 4096
. See Initialize …ok
. SEE Key Remove [0x1000, my_rsa] …ok

Set Private ECC key

[root@artik ~]# openssl ecparam -out marks.key -name prime256v1 -genkey
 [root@artik ~]# openssl ec -in marks.key -outform DER -out marks.der
 [root@artik ~]# see_test -K set-key -a 8195 -k my_own -I marks.der
. See Initialize …ok
. SEE Key Set [0x2003, my_own] …ok

Generate secure private keys, specifying exponent

First, create an exponent input file in binary.

echo -e "\x01\x00\x01\c" > params.bin

Read it back – the standard exponent of 0x10001 is used.

xxd params.bin
00000000: 0100 01 …

Now use it to create a random RSA 2048-bit key with that exponent.

see_test -K gen-key-with-params -k "rsaDevCert.key" -a 4097 -I params.bin
. See Initialize …ok
. SEE Key Generate [0x1001, rsaDevCert.key] …ok

Create a CSR using that key.

openssl req -new -engine artiksee -key "rsa2048://rsaDevCert.key" -out "filename.csr" -subj "/O=Samsung Semiconductor ARTIK/OU=ARTIK High Security Device/CN=ARTIK HS Device (01001703-0600-0000-03fe-259e86f03d9d)/C=US" -keyform e

Read its contents to verify the exponent.

openssl req -text -noout -verify -in filename.csr

verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: O=Samsung Semiconductor ARTIK, OU=ARTIK High Security Device, CN=ARTIK HS Device (01001703-0600-0000-03fe-259e86f03d9d), C=KR
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2047 bit)
                Modulus:
                    7a:ed:36:d3:39:52:cf:91:b8:92:6a:94:d8:33:92:
                    . . .
                    86:a9:b2:57:8d:ee:62:eb:24:b3:6e:30:67:27:33:
                    77
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         47:7e:53:5b:d6:ab:0b:57:8a:ae:11:b2:16:80:2c:e8:b7:da:
         . . .
         bf:de:6c:6e:ea:e7:93:0a:6e:c7:19:6d:d4:9f:c1:49:e7:46:
         cb:bb:65:fb

Authentication Examples

Set/remove cert

[root@artik ~]# see_test -A set-certificate -I deviceCert.crt -c deviceCert.crt
. See Initialize …ok
. SEE Set Certificate [deviceCert.crt] …ok
 [root@artik ~]# see_test -A get-certificate -c deviceCert.crt -O x
. See Initialize …ok
. SEE Get Certificate [deviceCert.crt] …ok
> save output : x
[root@artik ~]# cat x
-----BEGIN CERTIFICATE-----
MIICRjCCAe0CCQCihWCYOn6kdzAKBggqhkjOPQQDAjCBjzELMAkGA1UEBhMCVVMx
CzAJBgNVBAgMAkNBMREwDwYDVQQHDAhTYW4gSm9zZTEQMA4GA1UECgwHU2Ftc3Vu
ZzEOMAwGA1UECwwFUy1MU0kxEjAQBgNVBAMMCW1hcmtzLWlvdDEqMCgGCSqGSIb3
DQEJARYbbWEud2lsbGlhbXNAc3NpLnNhbXN1bmcuY29tMB4XDTE4MDgxNzE2MjI1
OFoXDTE5MDgxNzE2MjI1OFowgcYxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTER
MA8GA1UEBwwIU2FuIEpvc2UxEDAOBgNVBAoMB1NhbXN1bmcxDjAMBgNVBAsMBVMt
TFNJMUkwRwYDVQQDDEA5MmZiOTI0NThkNjQxZjZlNDY2ZjMyODZmYjZiMjIwMzg2
ZjkxYmUxYjliYzQ5NzU0YTUwZWNlOTk1YjY2ODM5MSowKAYJKoZIhvcNAQkBFhtt
YS53aWxsaWFtc0Bzc2kuc2Ftc3VuZy5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
BwNCAAT6ZfqBsAE3QlkZ4nHj58Mcj3bgOrleASpYQoAJ7JA3J/dnVgpVZNw5Z0Hn
PFQ5IhfWemxx+gdWrxevYYWxt89wMAoGCCqGSM49BAMCA0cAMEQCIB1dpk9ou8Nn
M8awKf3O61nwbfBgasmNdb6dxQS6o48EAiBlTsuuqUnJOtcOs+DCni9RhImLWWIJ
Kx9IdLMnHzxLAA==
-----END CERTIFICATE-----
[root@artik ~]# see_test -A remove-certificate -c deviceCert.crt
. See Initialize …ok
. SEE Remove Certificate [deviceCert.crt] …ok

Get ARTIK pre-provisioned certificates

[root@artik ~]# see_test -A get-certificate -c ARTIK/0 -O x
. See Initialize …ok
. SEE Get Certificate [ARTIK/0] …ok
> save output : x
[root@artik ~]# cat x
-----BEGIN CERTIFICATE-----
MIICBzCCAa6gAwIBAgIQWULxj69HCVoOkJmX6zLgSzAKBggqhkjOPQQDAjBjMQsw
CQYDVQQGEwJLUjEkMCIGA1UEChMbU2Ftc3VuZyBTZW1pY29uZHVjdG9yIEFSVElL
MRYwFAYDVQQLEw1BUlRJSyBSb290IENBMRYwFAYDVQQDEw1BUlRJSyBSb290IENB
MCAXDTE3MDYxNTIwNDM1OVoYDzIwNjcwNjE1MjA0MzU5WjBjMQswCQYDVQQGEwJL
UjEkMCIGA1UEChMbU2Ftc3VuZyBTZW1pY29uZHVjdG9yIEFSVElLMRYwFAYDVQQL
Ew1BUlRJSyBSb290IENBMRYwFAYDVQQDEw1BUlRJSyBSb290IENBMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEMXHP576GyYS6P7SKSiHTVNmnoHsBRQUe/PTytK1W
9972fZeiJCwknJxnnUTH0kzVe2yNi+DmPnME2oL2zIDu/qNCMEAwDgYDVR0PAQH/
BAQDAgEGMB0GA1UdDgQWBBSi0+GxtetCghfueBp61CoWUr4UlzAPBgNVHRMBAf8E
BTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIGuP4Hdn20Qe8JjRVrVFJRP6SlKdm8Tx
Oqg0CwqyldZMAiA9cfcrALT8YrnR4zeluoDB5jrJDWSYMzTFwm6+2idLnA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICTjCCAfOgAwIBAgIQWUL1fKzBBjERX+SwyMwSLTAKBggqhkjOPQQDAjBjMQsw
CQYDVQQGEwJLUjEkMCIGA1UEChMbU2Ftc3VuZyBTZW1pY29uZHVjdG9yIEFSVElL
MRYwFAYDVQQLEw1BUlRJSyBSb290IENBMRYwFAYDVQQDEw1BUlRJSyBSb290IENB
MCAXDTE3MDYxNTIxMDA0NFoYDzIwNjcwNjE1MjEwMDQ0WjCBgzELMAkGA1UEBhMC
S1IxJDAiBgNVBAoTG1NhbXN1bmcgU2VtaWNvbmR1Y3RvciBBUlRJSzEmMCQGA1UE
CxMdQVJUSUsgSGlnaCBTZWN1cml0eSBEZXZpY2UgQ0ExJjAkBgNVBAMTHUFSVElL
IEhpZ2ggU2VjdXJpdHkgRGV2aWNlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEstT6Q1hw1k5rUoGeSQhx1Mvj2bt1HyLRvu3AeIhiEXtFjdFRDJuDOGBSm14E
1u8X8wjySHAEa+E9TZJH8q0MC6NmMGQwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQW
BBQWDA5QmlAYB5/JgEgm+wR4aWAtwDAfBgNVHSMEGDAWgBSi0+GxtetCghfueBp6
1CoWUr4UlzASBgNVHRMBAf8ECDAGAQH/AgEAMAoGCCqGSM49BAMCA0kAMEYCIQDc
PnvKZUfmyucxjVdavcfEOKDEDfGHRwpZBUPRaprr8wIhAPLxwuIvm8qw+DB63/po
PUintppHfivCZNukdWecHBOI
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIChzCCAi2gAwIBAgIJAQAXBiEAAJ9XMAoGCCqGSM49BAMCMIGDMQswCQYDVQQG
EwJLUjEkMCIGA1UEChMbU2Ftc3VuZyBTZW1pY29uZHVjdG9yIEFSVElLMSYwJAYD
VQQLEx1BUlRJSyBIaWdoIFNlY3VyaXR5IERldmljZSBDQTEmMCQGA1UEAxMdQVJU
SUsgSGlnaCBTZWN1cml0eSBEZXZpY2UgQ0EwHhcNMTcwNjIxMDE0MDQ1WhcNNDcw
NjIxMDE0MDQ1WjCBoDELMAkGA1UEBhMCS1IxJDAiBgNVBAoTG1NhbXN1bmcgU2Vt
aWNvbmR1Y3RvciBBUlRJSzEjMCEGA1UECxMaQVJUSUsgSGlnaCBTZWN1cml0eSBE
ZXZpY2UxRjBEBgNVBAMTPVMzRlQ5TUZFU0MtWTQzRi04RzlQVUYgKDAxMDAxNzA2
LTIxMDAtMDA5Zi01NzI2LWI3MDMwMDFiYTM4NykwWTATBgcqhkjOPQIBBggqhkjO
PQMBBwNCAAR49rQ50BieboRsotWXh7YC8vVnITDxnlOqhFmQRJhaJ5lnl0Ssv8p2
m+YaWtd+f3YYrxonHyotD+m4ZmewFoLYo2swaTAOBgNVHQ8BAf8EBAMCBsAwHQYD
VR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMDgGA1UdHwQxMC8wLaAroCmGJ2h0
dHA6Ly9wa2kuYXJ0aWsuaW8vYXJ0aWstaHMtZGV2aWNlLmNybDAKBggqhkjOPQQD
AgNIADBFAiBQWlos9NYJA5+Iib4jrGJlE1FtzjwTury+YZ8mdR76fwIhAPESATfh
X0K00+ZKNIoU229EAQtwo55cjUM1hn9Xardg
-----END CERTIFICATE-----
[root@artik ~]#

Generate certificate

-a and -k refer to Issuer algorithm; -A and -K refer to Subject algorithm.

[root@artik ~]# see_test -A generate-certificate -c "SE/1" -k "my_rsa" -a 4097 -K "my_rsa" -A 4097
. See Initialize …ok
. SEE Generate Certificate [0x1001, 0x1001, SE/1, my_rsa, my_rsa] …ok
[root@artik ~]# see_test -A get-certificate -c SE/1 -O cert.der
[root@artik ~]# openssl x509 -inform der -in cert.der -out cert.crt -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Test, CN=Issuer
        Validity
            Not Before: Sep  5 20:42:01 2018 GMT
            Not After : Sep  5 20:42:01 2021 GMT
        Subject: C=KR, O=Test, CN=Subject
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e4:6d:57:55:1b:6c:1b:74:5b:37:cf:de:85:24:
                    17:bd:11:13:11:d8:39:26:cb:6b:be:d0:2e:e6:bf:
                    67:65:ec:40:75:d0:7a:e3:df:49:ee:e8:e2:b2:eb:
                    45:74:8d:34:c5:26:3e:29:a9:3a:a2:66:88:18:2e:
                    9b:03:cf:71:0f:56:fe:57:86:29:c5:70:bb:2a:8e:
                    d7:a4:cd:19:54:45:0b:d9:7f:0b:39:52:fb:fb:88:
                    75:1e:1a:d5:10:a3:7b:68:58:25:31:d8:6d:85:e2:
                    62:31:75:2f:37:25:a4:dd:9e:e8:2e:c6:41:9f:6c:
                    c9:fe:9c:7c:eb:65:5a:b5:14:e9:8e:1e:70:83:ec:
                    8d:8d:82:cf:f3:6c:24:58:49:2d:fb:61:06:d1:bd:
                    62:e9:29:fd:d3:76:43:39:5e:63:bc:79:11:24:12:
                    f4:4c:cd:35:23:64:8b:09:03:67:f6:ac:1e:0f:08:
                    f8:d8:7b:c9:68:89:10:0e:a9:bf:83:32:7f:90:89:
                    da:3b:db:ed:11:e9:54:7a:0a:79:95:a4:d2:ef:b9:
                    0f:5e:a4:c0:18:9e:4f:49:0f:f0:16:0f:21:4a:2d:
                    d1:1d:fb:1f:b2:66:d0:9d:3c:fb:04:1a:1d:5e:8c:
                    ad:05:ca:02:44:44:90:18:16:94:a5:9c:f3:48:5c:
                    df:fb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                89:83:1B:24:CC:9F:BE:B5:BE:0A:54:B4:45:E8:3D:D7:73:6B:6A:93
            X509v3 Authority Key Identifier:
                keyid:89:83:1B:24:CC:9F:BE:B5:BE:0A:54:B4:45:E8:3D:D7:73:6B:6A:93

    Signature Algorithm: sha256WithRSAEncryption
         1e:a5:cb:0e:7f:e1:fb:d7:7e:d4:03:ab:02:51:21:78:b6:1c:
         0d:5f:fb:92:a9:e6:31:04:a8:08:11:ad:43:44:57:19:2f:ce:
         5d:88:72:ba:dd:e4:9e:22:07:8e:55:3a:0e:2b:05:48:a2:6a:
         bd:57:44:b7:82:b4:10:0c:52:5b:2a:71:4d:8e:3b:26:ce:e1:
         53:6e:05:cf:e2:8c:b8:55:56:ff:35:e8:23:61:5c:4a:f3:16:
         38:98:96:04:cc:f2:98:80:a9:0f:4c:29:50:0c:69:1f:1e:50:
         c7:3c:eb:0b:25:9f:cd:e7:9a:1a:0c:b1:64:08:94:a2:70:e3:
         40:48:aa:9a:f1:cf:7d:fe:2f:42:05:6f:4c:35:ad:73:7a:76:
         7a:b4:8a:42:13:f4:63:d0:b9:ab:8f:24:4f:6e:59:14:35:1d:
         7c:1b:78:c1:16:05:95:5f:de:26:84:63:31:82:d3:86:94:3a:
         7d:a6:e9:14:d4:46:08:bc:4d:1a:b3:88:91:a0:94:be:09:4c:
         2f:b4:fc:bf:d0:a7:9b:18:36:1c:18:d0:15:40:37:47:cb:1a:
         c8:59:8c:8b:c1:b1:1a:8a:c9:02:79:6a:68:fe:f7:a6:9b:b1:
         e7:58:55:81:f6:ed:d4:83:a1:c5:53:01:e8:8b:62:80:13:0b:
         60:63:d9:1c
[root@artik ~]#

Generate CSR

[root@artik ~]# openssl req -new -engine artiksee -key "rsa2048://my_rsa" -out "filename.csr" -subj "/O=Samsung Semiconductor ARTIK/OU=ARTIK High Security Device/CN=ARTIK HS Device (01001703-0600-0000-03fe-259e86f03d9d)/C=KR" -keyform e engine "artiksee" set.
[root@artik ~]# openssl req -noout -text -in filename.csr

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: O=Samsung Semiconductor ARTIK, OU=ARTIK High Security Device, CN=ARTIK HS Device (01001703-0600-0000-03fe-259e86f03d9d), C=KR
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e4:6d:57:55:1b:6c:1b:74:5b:37:cf:de:85:24:
                    17:bd:11:13:11:d8:39:26:cb:6b:be:d0:2e:e6:bf:
                    67:65:ec:40:75:d0:7a:e3:df:49:ee:e8:e2:b2:eb:
                    45:74:8d:34:c5:26:3e:29:a9:3a:a2:66:88:18:2e:
                    9b:03:cf:71:0f:56:fe:57:86:29:c5:70:bb:2a:8e:
                    d7:a4:cd:19:54:45:0b:d9:7f:0b:39:52:fb:fb:88:
                    75:1e:1a:d5:10:a3:7b:68:58:25:31:d8:6d:85:e2:
                    62:31:75:2f:37:25:a4:dd:9e:e8:2e:c6:41:9f:6c:
                    c9:fe:9c:7c:eb:65:5a:b5:14:e9:8e:1e:70:83:ec:
                    8d:8d:82:cf:f3:6c:24:58:49:2d:fb:61:06:d1:bd:
                    62:e9:29:fd:d3:76:43:39:5e:63:bc:79:11:24:12:
                    f4:4c:cd:35:23:64:8b:09:03:67:f6:ac:1e:0f:08:
                    f8:d8:7b:c9:68:89:10:0e:a9:bf:83:32:7f:90:89:
                    da:3b:db:ed:11:e9:54:7a:0a:79:95:a4:d2:ef:b9:
                    0f:5e:a4:c0:18:9e:4f:49:0f:f0:16:0f:21:4a:2d:
                    d1:1d:fb:1f:b2:66:d0:9d:3c:fb:04:1a:1d:5e:8c:
                    ad:05:ca:02:44:44:90:18:16:94:a5:9c:f3:48:5c:
                    df:fb
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         97:65:91:ae:8b:ac:b4:fb:96:ef:9c:7d:f9:ab:e8:c8:d0:a4:
         2b:3e:0a:a6:75:21:23:4a:78:d5:c9:f7:85:5b:d5:52:c5:fd:
         92:f1:cf:e8:56:23:1c:14:ae:30:a9:47:0f:44:01:ea:f7:f0:
         5d:24:29:6a:a9:35:7b:85:f5:44:76:42:22:3f:16:51:62:c0:
         bf:19:a5:37:85:8c:b1:bf:e3:3f:92:eb:2d:ee:95:9a:e3:d0:
         87:6d:30:0d:cd:c6:2e:59:41:8f:b4:da:30:8d:6c:ad:f5:78:
         3c:e7:76:a5:36:80:20:6f:c7:e6:79:03:10:a1:c2:e6:46:bd:
         5b:20:18:d4:ca:e9:00:23:2b:9f:a6:20:d3:05:ec:bb:a6:d0:
         07:e0:1e:2e:fa:9c:f0:db:ce:2a:a9:18:e2:f0:20:ed:26:62:
         a6:5f:44:24:bf:7e:4a:9a:1e:96:a6:ab:7f:fe:5f:e5:35:1c:
         11:6c:10:54:ca:75:f6:7c:82:74:59:4d:49:bd:21:5b:46:32:
         88:dd:72:43:fa:0e:df:b4:c2:4e:e9:98:11:a7:9a:de:fc:60:
         8b:56:2e:eb:04:88:dc:92:fe:22:d5:63:8b:6d:04:e0:77:2c:
         0d:da:d1:a9:d0:d7:33:f7:c8:ee:d6:34:2a:9f:75:04:e8:4d:
         dd:11:fd:1a

Get signed data

[root@artik ~]# see_test -A ecdsa-signature -a 8195 -k my_ecc -I (hashed data file) -O outputfile

List secure storage contents

[root@artik ~]# see_test -S list -d 1
. See Initialize …ok
. SEE List Secure Storage …ok
[ FILE NAME] [FILE ATTR]
[ key-ENMD-id-alg] [10000004]
[ my_ecc] [10000004]

Working with Certificates

If you're new to dealing with RSA keys and certificates, we provide here a few helpful hints.

x590v3 Extensions

If your certificate includes x590v3 extensions, you can see them when you use this command.

openssl x509 -in CACertificate.pem -noout -text

X509v3 extensions:

  X509v3 Subject Key Identifier:
   56:30:53:22:94:B1:97:6F:58:6A:77:A0:B5:99:38:EA:42:9B:A6:94

  X509v3 Authority Key Identifier:
   keyid:56:30:53:22:94:B1:97:6F:58:6A:77:A0:B5:99:38:EA:42:9B:A6:94

  X509v3 Basic Constraints:
   CA:TRUE

You'll see the Authority Key Identifier (AKI) referencing the issuer of the certificate, and the Subject Key Identifier (SKI) of the derived certificate. In the case shown, the certificate was self-signed so the same key was used for both – the AKI and SKI match.

You can use some scripts to check a .key or .crt file to verify that the identifiers match – that is, that the cert was signed by that key.

Script to extract SKI from cert

Call this file skic

1
2
3
#!/bin/bash
openssl x509  -noout -in $1 -pubkey  | openssl asn1parse  -strparse 19 -out tmp.pub.der
openssl dgst -c -sha1 tmp.pub.der

Script to extract SKI from key

Call this file skik

1
2
3
#!/bin/bash
openssl rsa -in $1  -pubout | openssl asn1parse -strparse 19 -out tmp.pub.der
openssl dgst -c -sha1 tmp.pub.der

Script to extract SKI from RSA 2048-bit SEE key

Call this file skisk

1
2
3
#!/bin/bash
openssl rsa -engine artiksee -in rsa2048://$1 -pubout -inform e | openssl asn1parse -strparse 19 -out tmp.pub.der
openssl dgst -c -sha1 tmp.pub.der

Don't forget to make all the batch files executable:

chmod 777 ski*

Utilize them to check that a cert was signed by a key

./skic rsaDevCert.crt

    0:d=0  hl=4 l= 266 cons: SEQUENCE
    4:d=1  hl=4 l= 257 prim: INTEGER           :C02E24ABFDD36198927ACEA70F1B83299554A8C132454CE948A7D504D5C37BCCA7CB01C647D3EDB56860634F72C2EA61253C5104771E674280EA7A4D7464310EA38458D8EC1B8730D03E88773A567960A8FBAD06E6E9BDE4101F12E40A3C2F775FD42BBE14CA19D150615B07F1F8A037D72DF1C10C59C3836962FEBFA43F87A4CE0C2211186D3B607C85C5B7DFDC21C8DA82AEA03EBF131B8A959D0E107459FD7C7C7126B436ACB7D5C84B669991981269424452710001250C10B5ABBFDF6F56C4DC38499E43E7D9F965E6AE70C65702FEC56C98095EBE53535E6F4CD23123A8A80E927E4BD45FA76E324BA4261AB5C867C77FC0DF552584609D89C1DB12C607
  265:d=1  hl=2 l=   3 prim: INTEGER           :010001
SHA1(tmp.pub.der)= 1a:db:3e:12:4c:0c:e1:19:60:bf:df:be:fe:4c:86:d8:85:7c:0a:21

./skik rsaDevCert.key

writing RSA key
    0:d=0  hl=4 l= 266 cons: SEQUENCE
    4:d=1  hl=4 l= 257 prim: INTEGER           :C02E24ABFDD36198927ACEA70F1B83299554A8C132454CE948A7D504D5C37BCCA7CB01C647D3EDB56860634F72C2EA61253C5104771E674280EA7A4D7464310EA38458D8EC1B8730D03E88773A567960A8FBAD06E6E9BDE4101F12E40A3C2F775FD42BBE14CA19D150615B07F1F8A037D72DF1C10C59C3836962FEBFA43F87A4CE0C2211186D3B607C85C5B7DFDC21C8DA82AEA03EBF131B8A959D0E107459FD7C7C7126B436ACB7D5C84B669991981269424452710001250C10B5ABBFDF6F56C4DC38499E43E7D9F965E6AE70C65702FEC56C98095EBE53535E6F4CD23123A8A80E927E4BD45FA76E324BA4261AB5C867C77FC0DF552584609D89C1DB12C607
  265:d=1  hl=2 l=   3 prim: INTEGER           :010001
SHA1(tmp.pub.der)= 1a:db:3e:12:4c:0c:e1:19:60:bf:df:be:fe:4c:86:d8:85:7c:0a:21

Note that the SHA1 output matches between cert and key, and would match the SKI in the x509v3 extension (if present).
Last updated on: