topic Re: SE050: Overwritting UserID in Secure Authentication

SE050: Overwritting UserID

m_grand — Fri, 14 Aug 2020 20:51:15 GMT

Even if I create a UserID secure object with policy POLICY_OBJ_ALLOW_WRITE, i'm not able to overwrite it using WriteUserID command instead SE050 returns status word 0x6985. Does someone has a working example of such a use case ?

Re: SE050: Overwritting UserID

Kan_Li — Wed, 19 Aug 2020 09:37:48 GMT

Hi Michael,

Did you build your application based on the MW? Is it possible to share your code for a review? Or just APDU commands sent to SE050? Please kindly clarify.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Re: SE050: Overwritting UserID

m_grand — Wed, 19 Aug 2020 18:56:03 GMT

Yes, my application is based on the MW. Hereafter the most simple example that illustrates my problem.

During first call of sss_se05x_write_user_id(), UserID is properly created.

However second call, where i attempt to overwrite UserID value, fails.

Policy is properly applied because EX_SSS_BOOT_DO_ERASE macro actually erases the UserID (which is not the case by default if can_Delete filed is not set to 1).

#include <ex_sss.h>
#include <ex_sss_boot.h>
#include <fsl_sss_se05x_apis.h>
#include <fsl_sss_se05x_policy.h>
#include <nxLog_App.h>
#include <se05x_APDU.h>
#include <se05x_const.h>
#include <se05x_tlv.h>
#include <string.h>

#include "ex_sss_auth.h"

static ex_sss_boot_ctx_t sss_boot_ctx;

#define EX_SSS_BOOT_PCONTEXT (&sss_boot_ctx)
#define EX_SSS_BOOT_DO_ERASE 1
#define EX_SSS_BOOT_EXPOSE_ARGC_ARGV 0

#include <ex_sss_main_inc.h>

static sss_status_t sss_se05x_write_user_id(sss_se05x_session_t *pSession,
        sss_policy_t *policies, SE05x_MaxAttemps_t maxAttempt, uint32_t objectID,
        const uint8_t *userId, size_t userIdLen,
        const SE05x_AttestationType_t attestation_type) {

    Se05xSession_t *pSe05xSession = &pSession->s_ctx;
    Se05xPolicy_t policySet;
    size_t valid_policy_buff_len = 0;
    uint8_t policies_buff[MAX_POLICY_BUFFER_SIZE];

    if (policies) {
        if (kStatus_SSS_Success
                != sss_se05x_create_object_policy_buffer(policies,
                        &policies_buff[0], &valid_policy_buff_len)) {
            return kStatus_SSS_Fail;
        }
        policySet.value = policies_buff;
        policySet.value_len = valid_policy_buff_len;
    } else {
        policySet.value = NULL;
        policySet.value_len = 0;
    }
    smStatus_t sw_status;
    sw_status = Se05x_API_WriteUserID(pSe05xSession, &policySet, maxAttempt,
            objectID, userId, userIdLen, attestation_type);
    if(sw_status != SM_OK) {
        return kStatus_SSS_Fail;
    }
    return kStatus_SSS_Success;
}


sss_status_t ex_sss_entry(ex_sss_boot_ctx_t *pCtx) {
    sss_status_t status;
    sss_se05x_session_t *pSession = (sss_se05x_session_t*) &pCtx->session;

    const uint8_t userid_value[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
    const uint8_t userid_value2[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07 };
    const uint32_t test_id = MAKE_TEST_ID(__LINE__);

    /* Common rules */
    const sss_policy_u userid_withPol = {
        .type = KPolicy_UserID,
        .auth_obj_id = 0,
        .policy = {
            .pin = {
                .can_Write = 1,
            }
        }
    };
    const sss_policy_u common = {
        .type = KPolicy_Common,
        /*Authentication object based on SE05X_AUTH*/
        .auth_obj_id = 0,
        .policy = {
            .common = {
                /*Secure Messaging*/
                .req_Sm = 0,
                /*Policy to Delete object*/
                .can_Delete = 1,
                /*Forbid all operations on object*/
                .forbid_All = 0,
            }
        }
    };

    sss_policy_t policy_for_userid = {
        .nPolicies = 2,
        .policies = {
                &userid_withPol, &common
        }
    };

    status = sss_se05x_write_user_id(pSession, &policy_for_userid,
    SE05x_MaxAttemps_UNLIMITED, test_id, userid_value,
            sizeof(userid_value), kSE05x_AttestationType_AUTH);

    status = sss_se05x_write_user_id(pSession, NULL,
    SE05x_MaxAttemps_UNLIMITED, test_id, userid_value2,
            sizeof(userid_value2), kSE05x_AttestationType_AUTH);


    if (kStatus_SSS_Success == status) {
        LOG_I("Example Success !!!...");
    } else {
        LOG_E("Example Failed !!!...");
    }
    return status;
}

Re: SE050: Overwritting UserID

Kan_Li — Fri, 21 Aug 2020 08:23:15 GMT

Hi Michael,

Thanks for the information! I will test it and let you know the result when I make any progress. Thanks for your patience!

Have a great day,
Kan

Re: SE050: Overwritting UserID

Kan_Li — Thu, 03 Sep 2020 08:15:44 GMT

Hi Michael,

I just got the confirmation from the expert, The UserID object cannot be updated, but only be deleted and created new. please kindly refer to the spec for more details.

Have a great day,
Kan

Re: SE050: Overwritting UserID

HeikoT — Fri, 20 Sep 2024 04:29:24 GMT

Hi,

how can I delete an UserID?

Best regards,

Heiko