EdgeLock SE051 delete provisioned objects

cancel
Showing results for 
Search instead for 
Did you mean: 

EdgeLock SE051 delete provisioned objects

Jump to solution
117 Views
LAc00
Contributor II

Hello Experts,

For EC_KEY authentication I provisioned the public key of the host key pair. (Do we need to provision this public key?)

But now I would like to change it. So I would like to delete this provisioned public key first. How could I do it? With Se05x_API_DeleteSecureObject function it is not possible.

Help me please! Thank you!

 

Best regards, 

Laszlo

 

Tags (1)
0 Kudos
1 Solution
78 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @LAc00 ,

 

Indeed the DeleteALL command deletes all Secure Objects, all curves and Crypto Objects except the  secure objects that are trust provisioned by NXP, so the kSE05x_ECCurve_NIST_P256 curve needs to be created again with the command of CreateECCurve, otherwise the public part of an EC key can not be written into this SE again.

 

BTW, I noticed you set the policy for the public part of an EC key as NULL, and Auth type as well, so it is the expected result that this secure object can only be erased by the deleteAll command.

 

Hope that makes sense,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

View solution in original post

0 Kudos
4 Replies
101 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hello @LAc00 ,

 

How did you set up the policy for the provisioned public key? That might be the root cause for your issue.

 

For EC_KEY authentication you may just generate the EC_KEY pair inside the secure element , then fetch the public key,  alternatively you may import the key pair generated externally.

 

Hope that helps,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

0 Kudos
86 Views
LAc00
Contributor II

Hello @Kan_Li ,

The provisioning looks like this:

We have a generated EC key pair. We generated it with openssl. This is the keypair for the host.

The public part of this EC key pair was written into the SE with this command:

Se05x_API_WriteECKey(&pSession->s_ctx, NULL, SE05x_MaxAttemps_UNLIMITED, id, kSE05x_ECCurve_NIST_P256, NULL, 0, ECKey_SE_PublicEcdsakey, publicKeyLen, (SE05x_INS_t)kSE05x_AttestationType_AUTH, kSE05x_KeyPart_Public);

Of course I opened a plain (default) session before this call.

 

And then in the night I could solve to delete this object, with the factory reset. I created an Auth_ID object on the FACTORY RESET object ID. I opened a session with it, and I called this:

Se05x_API_DeleteAll(&pSession->s_ctx);

Now I would like to provision an EC key again (as I wrote it above), but it is not working.

Could you tell, what is needed/mandatory after a factory reset? I think something is missing and that is why I can not write the public part of an EC key into the SE again.

 

Thank you!

 

Best regards,

 

Laszlo

0 Kudos
79 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @LAc00 ,

 

Indeed the DeleteALL command deletes all Secure Objects, all curves and Crypto Objects except the  secure objects that are trust provisioned by NXP, so the kSE05x_ECCurve_NIST_P256 curve needs to be created again with the command of CreateECCurve, otherwise the public part of an EC key can not be written into this SE again.

 

BTW, I noticed you set the policy for the public part of an EC key as NULL, and Auth type as well, so it is the expected result that this secure object can only be erased by the deleteAll command.

 

Hope that makes sense,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
69 Views
LAc00
Contributor II

Hi @Kan_Li ,

 

Thank you very much! This was the solution for me!

 

Have a nice day!

 

Best regards,

 

Laszlo

0 Kudos