CSR generation using C API


#1

Hey guys!

I’d like to generate a Certificate Signing Request using the zymkey built-in features. I ran into a few troubles while using the shell script (under Raspbian 9.4 Stretch, even with the OpenSSL downgrade solution presented in another topic), so I went for the C API code in order to generate it, thanks to the zkSaveECDSAPubKey2File() function. Though I see it takes an int keyslot as a parameter, and I can’t figure out what this refers to. I tried putting some basic integers (0, 1), but the function won’t work. The documentation (whether it be the C, C++ or Python one) doesn’t provide much information other than we have to retrieve it and it’s only available for zymkey 4i and above, and I can’t find much elsewhere either.
Are those keyslots already preconfigured on the zymkey? If so, how do we access one? Are those public keys, associated with the private keys already stored at manufacture? Or should we generate keys that need to be stored in those key slots (even though I don’t see a zymkey function associated with it)?

Thanks for the help!


#2

Everything should work fine under Raspbian 9.4. The downgrade of OpenSSL is no longer necessary if you have the latest Zymbit apt packages installed.

I think your problem is probably that you need to specify a directory which has universal write privileges or that belongs to user:group zymbit. This is not documented well…apologies. The reason for this is that our interface daemon (run under user “zymbit”) performs the write on behalf of the client. Therefore, in order to show you something that works, the examples below specify “/tmp” as a path for the file.

To answer your other question, all 3 keys are burned in at the factory and are immutable. In the case of the Python interface, slot 0 is the default interface.

If you still want to use Python, there are two interfaces available: create_ecdsa_public_key_file and get_ecdsa_public_key. For example:

import zymkey
pubkey = zymkey.client.get_ecdsa_public_key()
zymkey.client.create_ecdsa_public_key_file("/tmp/mypk.pub", slot=1)
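
A preflight check for the directory requirement described in the reply above, as an added example that is not part of the original post and not Zymbit's code. It assumes the daemon account and its primary group are both named zymbit, ignores supplementary groups and ACLs, and inspects only the target directory itself, not its parents.

```python
import grp
import os
import pwd
import stat

DAEMON_USER = "zymbit"   # assumption: account the interface daemon runs as
DAEMON_GROUP = "zymbit"  # assumption: its primary group has the same name


def _lookup_ids(user, group):
    """Resolve uid/gid, or None when the account is absent on this host."""
    try:
        uid = pwd.getpwnam(user).pw_uid
    except KeyError:
        uid = None
    try:
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        gid = None
    return uid, gid


def daemon_can_write(mode, owner_uid, owner_gid, daemon_uid, daemon_gid):
    """Apply the Unix permission-class rule to a directory's stat fields.

    Returns (ok, reason). Only one class applies: owner, then group, then other.
    """
    if not stat.S_ISDIR(mode):
        return False, "not a directory"
    if daemon_uid is not None and owner_uid == daemon_uid:
        need, cls = stat.S_IWUSR | stat.S_IXUSR, "owner"
    elif daemon_gid is not None and owner_gid == daemon_gid:
        need, cls = stat.S_IWGRP | stat.S_IXGRP, "group"
    else:
        need, cls = stat.S_IWOTH | stat.S_IXOTH, "other"
    return (mode & need) == need, cls


def check_output_path(path, user=DAEMON_USER, group=DAEMON_GROUP):
    """Check the directory that will hold `path` before asking for the file."""
    directory = os.path.dirname(os.path.abspath(path))
    st = os.stat(directory)
    uid, gid = _lookup_ids(user, group)
    return daemon_can_write(st.st_mode, st.st_uid, st.st_gid, uid, gid)


if __name__ == "__main__":
    # "/tmp/mypk.pub" is the path used in the reply above.
    print(check_output_path("/tmp/mypk.pub"))
```

A result of `(False, "other")` for a home directory explains a silent failure there; a directory owned by the daemon account passes without relying on a world-writable location.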