I have an application that requires I generate ECC key pairs post-production, inside the device itself, and be able to use the generated private key for signing data. I am using Mbed TLS to do this. I have found that, using the same curve (SECP256R1) and not changing any code at all, ~50% of the key pairs generated are compatible with netutil. Major points to consider:
- All keys will 'install'.
- Only 50% are able to sign a piece of data.
- Installing a 'good' key pair and signing/verifying data always works; a 'bad' key pair always fails.
- 'Good' and 'bad' key pairs work just fine signing/verifying a piece of data using openssl.
- For simplicity, the piece of data being signed is very small and unchanging for the test. The letters: HI
I have example code, not an example project. I don't have time currently to troubleshoot outside of my client's proprietary code base and what I've already done to characterize the problem. I have found a workaround, though it is far from ideal and may not be acceptable at some point as there will be some units that fail production test because of the workaround for this bug.