Hello Experts,
we have EdgeLock SE051, and we try to manage it with EdgeLock Plug & Trust Middleware.
I have now 2 questions which we could not solve yet:
1. How can we establish an encrypted session between the host and the SE?
Now we are using a plain session with ID 0. Does it mean that we don't have a session?
2. We could generate an ECC key pair in the SE. (This is good.) If we call Se05x_API_CheckObjectExists, it says yes, it is there. We try to get the public key from this key pair with these functions:
sss_key_store_get_key or Se05x_API_ReadObject
but we are not able to get it. ReadObject returns with SM_NOT_OK.
(We are using plain session here as well, but I think it is ok, because we need only the public key.)
Please help us!
Thank you!
Best regards,
Laszlo
Hello Laszlo,
the plain session with ID 0 is also called the default session. So it is a "session" as well, but not an individually authenticated one. Typically you should at least enable PlatformSCP, which encrypts all communication between the host and the SE using AES encryption. You can enable this encryption in the MW examples when you set the cmake define SE05x_Auth to "PlatformSCP" as shown in AN12662 Binding a host device to EdgeLock SE05x in section "Ease binding configuration with EdgeLock SE05x Plug & Trust Middleware". This enables the startup code in the examples (libcommon) to start the examples with an authenticated and encrypted PlatformSCP channel.
Regarding the failure of the object read, are you using the MW compiled with the correct Applet version? See AN13013 Get started with EdgeLock SE05x support package, section "Product specific CMake build settings".
Kind regards,
Michael
Hello Michael,
Now I have an encrypted platform SCP session on ID 0. I generate an ECC key pair like this:
sss_key_store_context_init(pKeyStore, pPfSession);
sss_key_object_init(&asymmetricKeyPair, pKeyStore);
sss_key_object_allocate_handle(&asymmetricKeyPair, id, kSSS_KeyPart_Pair, kSSS_CipherType_EC_NIST_P, keyByteLenMax, kKeyObject_Mode_Persistent);
sss_key_store_generate_key(pKeyStore, &asymmetricKeyPair, keyBitLen, NULL);
with this the key pair is there (in SE). Then I would like to get the public key with this call:
sss_key_store_get_key(pKeyStore, &asymmetricKeyPair, publicKey, &len, &keyBitLen);
The key store, the key object and the session are the same.
And it fails at the Se05x_API_ReadObject call.
Could you help me solve this issue as well?
Best regards,
Laszlo
Hello Michael,
I could read out the public key now. I used a buffer that was too small, because I did not account for the concatenated header, whose length is 26. I increased my buffer by this value, and now everything is fine. I will close this topic! Thank you for your help!
Best regards,
Laszlo
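The 26-byte prefix Laszlo ran into is exactly the size of the DER SubjectPublicKeyInfo header that precedes an uncompressed NIST P-256 point (04 || X || Y), so a buffer passed to sss_key_store_get_key must hold 26 + 65 = 91 bytes, not 65. The C example below is added here and is not code from the thread or from the Plug & Trust Middleware; it assumes a P-256 key and a constructed sample point, builds the encoded key, shows that a 65-byte destination is rejected, and parses the point offset back out of the DER structure.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define P256_POINT_LEN 65u                                         /* 04 || X || Y */
#define P256_SPKI_LEN  (sizeof(P256_SPKI_HEADER) + P256_POINT_LEN)  /* 26 + 65 = 91 */
/* Constructed: the 26-byte DER SubjectPublicKeyInfo prefix that precedes a raw P-256 point. */
static const uint8_t P256_SPKI_HEADER[26] = {
    0x30, 0x59,                                                   /* SEQUENCE, 89 bytes   */
    0x30, 0x13,                                                   /* AlgorithmIdentifier  */
    0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,         /* OID id-ecPublicKey   */
    0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07,   /* OID prime256v1       */
    0x03, 0x42, 0x00                                              /* BIT STRING, 0 unused */
};
/* Wrap a raw point in the SPKI encoding. Returns bytes written, or 0 when the
 * destination cannot hold header + point (the failure described in the thread). */
size_t p256_build_spki(uint8_t *out, size_t outLen, const uint8_t *point, size_t pointLen)
{
    if (outLen < P256_SPKI_LEN || pointLen != P256_POINT_LEN || point[0] != 0x04) return 0;
    memcpy(out, P256_SPKI_HEADER, sizeof(P256_SPKI_HEADER));
    memcpy(out + sizeof(P256_SPKI_HEADER), point, pointLen);
    return P256_SPKI_LEN;
}

/* Walk a short-form DER SubjectPublicKeyInfo (P-256/P-384 sizes) to the raw point.
 * Returns the point's offset and stores its length in *pointLen; 0 on malformed input. */
size_t spki_find_point(const uint8_t *der, size_t derLen, size_t *pointLen)
{
    size_t i = 2;
    if (derLen < 2 || der[0] != 0x30 || der[1] > 0x7F || (size_t)der[1] + 2 != derLen) return 0;
    if (i + 2 > derLen || der[i] != 0x30) return 0;                /* AlgorithmIdentifier */
    i += 2 + der[i + 1];                                            /* skip it entirely    */
    if (i + 3 > derLen || der[i] != 0x03 || der[i + 2] != 0x00) return 0; /* BIT STRING  */
    if (der[i + 1] < 1 || i + 2 + der[i + 1] != derLen) return 0;
    *pointLen = der[i + 1] - 1;                                     /* drop unused-bits byte */
    return i + 3;
}

/* Self-check over a constructed point: a 65-byte destination must be rejected, a 91-byte one
 * accepted, and the parser must report the point at offset 26. Returns that offset, or 0. */
size_t spki_selfcheck(void)
{
    uint8_t point[P256_POINT_LEN], spki[P256_SPKI_LEN];
    size_t pointLen = 0, off;
    memset(point, 0xAB, sizeof point); point[0] = 0x04;             /* uncompressed marker */
    if (p256_build_spki(spki, P256_POINT_LEN, point, sizeof point) != 0) return 0;
    if (p256_build_spki(spki, sizeof spki, point, sizeof point) != P256_SPKI_LEN) return 0;
    off = spki_find_point(spki, sizeof spki, &pointLen);
    if (off == 0 || pointLen != P256_POINT_LEN || memcmp(spki + off, point, pointLen)) return 0;
    return off;
}
```

For P-384 the AlgorithmIdentifier is shorter (23-byte prefix, 97-byte point), so sizing the buffer from the parsed structure rather than a hardcoded 26 is the safer habit.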
Hello Laszlo,
good to hear this and thanks also for sharing your findings!
Kind regards,
Michael
Hello Michael,
thank you for your quick reply!
I am trying to solve the encrypted session first.
I am doing this:
SE_Connect_Ctx_t *pConnectCtx = &gex_sss_secure_element_ctx.se05x_open_ctx;
sss_session_t *pPfSession = &gex_sss_secure_element_ctx.session;
pConnectCtx->connType = kType_SE_Conn_Type_T1oI2C;
pConnectCtx->portName = NULL;
pConnectCtx->auth.authType = kSSS_AuthType_SCP03;
sss_session_open(pPfSession, kType_SSS_SE_SE05x, 1, kSSS_ConnectionType_Encrypted, pConnectCtx);
But I get an error:
:ERROR:nxScp03_GP_InitializeUpdate fails Invalid objects sent 3C3C0000
:ERROR:Could not set SCP03 Secure Channel
What did I miss? Should I somehow set the AES key? I thought there is a default one.
Thank you again!
Best regards,
Laszlo
I extended the code with this call before the session_open:
ex_sss_se05x_prepare_host_keys(pHostSession, pHostKeyStore, pConnectCtx, pAuthCtx, 0);
Now it fails here:
nxScp03_HostLocal_VerifyCardCryptogram
Do you have any idea what could be the problem here?
Best regards,
Laszlo
Hi Laszlo,
typically the wrong keys have been used. Please check if your code refers to the correct default keys which are set in the individual product variants, as described in "How to configure the product specific default Platform SCP keys" of document AN13013 Get started with EdgeLock SE05x support package.
Kind regards,
Michael
Hi Michael,
thank you for the hint. I reconfigured the default keys. I open the session like this:
SE_Connect_Ctx_t *pConnectCtx = &gex_sss_secure_element_ctx.se05x_open_ctx;
sss_session_t *pPfSession = &gex_sss_secure_element_ctx.session;
sss_session_t *pHostSession = &gex_sss_secure_element_ctx.host_session;
sss_key_store_t *pHostKeyStore = &gex_sss_secure_element_ctx.host_ks;
ex_SE05x_authCtx_t *pAuthCtx = &gex_sss_secure_element_ctx.ex_se05x_auth;
pConnectCtx->connType = kType_SE_Conn_Type_T1oI2C;
pConnectCtx->portName = NULL;
ex_sss_se05x_prepare_host(pHostSession, pHostKeyStore, pConnectCtx, pAuthCtx, kSSS_AuthType_SCP03);
sss_session_open(pPfSession, kType_SSS_SE_SE05x, 0, kSSS_ConnectionType_Encrypted, pConnectCtx);
and IT IS WORKING now. I have an encrypted session. Thank you very much!
Hello Michael,
I see this file:
ex_sss_tp_scp03_keys.h
There are defines in it. (I understand that I have to choose the right one.) What I don't see: where are these defines used? They should be used when calculating the card cryptogram on the host, shouldn't they?
Best regards,
Laszlo