How to SE050 content using PIN code?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to SE050 content using PIN code?

2,607 Views
devstar1018
Contributor I

Hi
Hope you are well.
Currently, I am going to use SE050 element for my project.
SE050 is connected to the Raspberry Pi via I2C interface.
I generated ECC key pair in SE050 and I want to protect them using PIN code.
By the way, I have not found correct solution so far.
If you could help me regarding this problem, I would be happy very much.
I will wait for your update.
Regards.

0 Kudos
Reply
9 Replies

2,489 Views
devstar1018
Contributor I

Hi @Kan_Li 
Hope you have had a great weekend.
And thank you very much for your kind reply.
I have understood you and followed the demo program.
So it looks like the userID had been provisioned already.

#################################################################
App :INFO :PlugAndTrust_v03.00.05_20201014
App :INFO :Running ./se05x_Delete_and_test_provision
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:5865 Function:sss_se05x_TXn
hostLib:WARN :Error in erasing ObjId=0x20181002 (Others)
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:5865 Function:sss_se05x_TXn
hostLib:WARN :Error in erasing ObjId=0x12E41001 (Others)
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:5865 Function:sss_se05x_TXn
hostLib:WARN :Error in erasing ObjId=0x20181001 (Others)
App :ERROR:# se05x_Delete_and_test_provision !!! Only for testing. NOT FOR PRODUCTION USE!!!!
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:5865 Function:sss_se05x_TXn
hostLib:WARN :Error in erasing ObjId=0x20181002 (Others)
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:5865 Function:sss_se05x_TXn
hostLib:WARN :Error in erasing ObjId=0x12E41001 (Others)
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:5865 Function:sss_se05x_TXn
hostLib:WARN :Error in erasing ObjId=0x20181001 (Others)
App :INFO :Se05x_API_CreateCurve_prime256v1 status = 9000
App :WARN :kSE05x_AppletResID_FACTORY_RESET Object already exists
App :WARN :kSE05x_AppletResID_PLATFORM_SCP Object already exists
App :WARN :kEX_SSS_ObjID_UserID_Auth Object already exists
App :WARN :kEX_SSS_ObjID_UserID_Auth Object already exists
App :WARN :kEX_SSS_ObjID_APPLETSCP03_Auth Object already exists
App :WARN :kEX_SSS_ObjID_APPLETSCP03_Auth Object already exists
App :WARN :kEX_SSS_objID_ECKEY_Auth Object already exists
App :WARN :kEX_SSS_objID_ECKEY_Auth Object already exists
App :INFO :Production UID Found... skipping few steps
App :INFO :Production UID Found... skipping few steps
App :INFO :ex_sss Finished
#####################################################################

So I think this is happening since I have provided the userID using the following commands already.

######################################################
sudo ssscli policy userid ecc_userid_policy 0x7DA00001
ssscli generate ecc 0x20181002 NIST_P256 --policy_name ecc_userid_policy
###################################################################

Anyway, it seems the userID(0x7DA00001) has been provisioned as the policy.
So I tried the public key from keyID=20181002, but I couldnot get it.

output:
##################################################################
Getting ECC Public Key from KeyID = 0x20181002
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:5865 Function:sss_se05x_TXn
sss :WARN :nxEnsure:'status == SM_OK' failed. At Line:3396 Function:sss_se05x_key_store_get_key
ERROR:sss.keystore:sss_key_store_get_key FAILED
ERROR! Could not retrieve ECC Public Key from KeyID 0x20181002
####################################################################

I think this has happened since the key pair is protected via userID.
So how can I get the pub key using userID which has been provisioned already?
And the other problem,
How can I delete the provisioned userID? I tried to delete it(Delete and Test Provision example, and ssscli command - ssscli se05x reset), however, all of them failed.
There is no other problem to write the policy but it is not deleted well after it is written.
And using the provisioned userID(policy), I cannot get the content of certain keyID.

Please help me regarding these 2 problems.
Thank you for your kind help and your time.
I will wait for your update.
Regards.

0 Kudos
Reply

2,457 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hello @devstar1018 ,

 

I saw the keyID of 20181002 can not be deleted by the demo, how did you create it? Do you have a full process log? or could you start with a new KeyID? Thanks for your patience!

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply

2,512 Views
devstar1018
Contributor I

Hi @Kan_Li 

Hope you are well.
Thank you for your kind support.
Currently, I have created the policy and attached it.

sudo ssscli policy userid ecc_userid_policy 0x7DA00001

ssscli generate ecc 0x20181002 NIST_P256 --policy_name ecc_userid_policy

After doing these ones, if I try to get pub key from this keyID, I cannot get it.

ssscli get ecc pub 20181002 pub_key.pem
Getting ECC Public Key from KeyID = 0x20181002
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:5865 Function:sss_se05x_TXn
sss :WARN :nxEnsure:'status == SM_OK' failed. At Line:3396 Function:sss_se05x_key_store_get_key
ERROR:sss.keystore:sss_key_store_get_key FAILED
ERROR! Could not retrieve ECC Public Key from KeyID 0x20181002

Of course, I know this happened because the userID has not been provisioned before using it.
But I couldnot do it using ssscli commmand.(provision of userID using ssscli command)

And if I cannot do this process via ssscli command, how can I do it?

You mentioned about this.

SE-PLUG-TRUST-MW\simw-top\binaries\tst\VCOM-None-se05x_Delete_and_test_provision.exe

So for provision of userID, do I have to run this exe file first?
And then, for the production usage later, we have to run this exe file all the time?
I am not clear about this problem.

Please help me kindly.
I will wait for your update.
Thank you for your time.
Regards.

0 Kudos
Reply

2,504 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @devstar1018 ,

 

Yes, before running other demos, you have to run SE-PLUG-TRUST-MW\simw-top\binaries\tst\VCOM-None-se05x_Delete_and_test_provision.exe at first, please kindly refer to SE-PLUG-TRUST-MW/simw-top/doc/demos/se05x/se05x_Delete_and_test_provision/Readme.html for more details.

 

for the production usage later, you don't have to run this exe file all the time, provisioning service is available via our distributors.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

0 Kudos
Reply

2,575 Views
devstar1018
Contributor I

Hi Kan_Li
Thank you for your support.
So there is no way that ssscli can be used with on platform/applet level?
I am going to use ssscli in my project with python, since it is easy to use rather than API usage.

It shows the warning message, by the way, it is not good for the project.

WARN :!!!Not recommended for production use.!!!


So I tried to find the solution to solve this problem, but I could not find it.

I tried the followings to protect the session using UserID.

"ssscli connect se05x t1oi2c none --auth_type UserID=0x7DA00001"

By the way, it shows the error.

When using UserID, where and how can I provide it for later usage?
How can I protect the session using UserID?

And if we use PlatformSCP, how can we create the scpkey file?

Please help me regarding this problem.
Thank you for your time.

Regards.

 

0 Kudos
Reply

2,532 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @devstar1018 ,

 

The option of "–auth_type" is not used like that. Please kindly refer to the following for details.

Options:
  --auth_type [None|PlatformSCP|UserID|ECKey|AESKey|UserID_PlatformSCP|ECKey_PlatformSCP|AESKey_PlatformSCP]
                                  Authentication type. Default is "None". Can
                                  be one of "None, UserID, ECKey, AESKey,
                                  PlatformSCP, UserID_PlatformSCP,
                                  ECKey_PlatformSCP, AESKey_PlatformSCP"

The keys and UserID (PIN) needs to be provisioned with test values before they can be used:

SE-PLUG-TRUST-MW\simw-top\binaries\tst\VCOM-None-se05x_Delete_and_test_provision.exe

 

Used keys and keyIDs from ssscli are specified in simw-top\pycli\src\sss\authkey.py

 

Example connection specification:

ssscli connect se050 vcom COM5 –auth_type UserID

The authentication is done only on command execution.

 

Hope that makes sense,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply

2,591 Views
devstar1018
Contributor I

Hi Kan_Li
Thank you for your kind support.
I will read about se05x_policy carefully.
By the way, I have one question.
I am going to use SE050 as the secure element for my project, then when I use ssscli tool of the middle ware, it shows the warning message like this "warning: it is not recommended as production use".
And in my project, I am going to use Python, so cannot I integrate ssscli tool into my project?
If not, how can I use ssscli commands(for example, generate ECC key pair, sign, verify, etc) in my python code?
If you could help me regarding this problem, I will be happy.
Thank you very much.
Regards.

0 Kudos
Reply

2,583 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @devstar1018 ,

 

The warning is due to the communication channel is plain for demo purpose, for product , SCP on platform/applet level is usually applied.

 

SSSCLI tool is python based tool, so it should be ok to work with python, such as mentioned in https://docs.python.org/3/using/cmdline.html#generic-options .

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

0 Kudos
Reply

2,599 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @devstar1018 ,

 

Do you want to create a secure object as EC Key pair which can be protected by an Auth object such as User ID? If so , it is possible if you set up the Authentication Object ID in the policy for this EC Key pair as this User ID's identifier. and if you build your application based on the MW, there is an demo available for your reference, please kindly refer to SE-PLUG-TRUST-MW/simw-top/doc/demos/se05x/se05x_policy/Readme.html for details. You may have the latest MW from the following link:

https://www.nxp.com/webapp/Download?colCode=SE-PLUG-TRUST-MW 

 

Hope that helps,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply