Hi Team,
As per the below sample ECDH code, the functionality works correctly with the SE050ARD board. However, the same code does not work on the SE050ARD-F board.
Could you please provide details or guidance on what changes are required to make this ECDH example work with the SE050ARD-F device?

const uint8_t nist256PubKey[] = {
    0x04, 0xF2, 0x24, 0xBC, 0x5E, 0xEA, 0x74, 0x28, 0xA1, 0x20, 0xD3, 0xD2, 0x69, 0xFE, 0x22, 0xF3,
    0x59, 0x9C, 0x20, 0x33, 0xA2, 0xE0, 0xCB, 0x81, 0xC2, 0xCE, 0xA9, 0xD6, 0xD4, 0x66, 0xC3, 0x68,
    0xF8, 0xB6, 0xA8, 0x9C, 0xDE, 0x08, 0x88, 0xB5, 0x49, 0xCD, 0xED, 0x85, 0xD3, 0xB5, 0x88, 0x72,
    0x0A, 0xDC, 0x26, 0x32, 0xB0, 0x30, 0xBF, 0xB1, 0x67, 0xD0, 0xFD, 0xBC, 0x89, 0xE7, 0x2B, 0x9C,
    0xC1,
};

int ex_ecdh(pSe05xSession_t session_ctx)
{
    smStatus_t status;
    uint32_t keyID = TEST_ID_BASE + __LINE__;
    SE05x_Result_t result;
    SE05x_ECCurve_t curveID = kSE05x_ECCurve_NIST_P256;
    uint8_t sharedSecret[32] = {
        0,
    };
    size_t sharedSecret_len = sizeof(sharedSecret);

    /* Check if the object exists in se05x already */
    status = Se05x_API_CheckObjectExists(session_ctx, keyID, &result);
    if (status != SM_OK) {
        SMLOG_E("Error in Se05x_API_CheckObjectExists \n");
        goto exit;
    }

    if (result == kSE05x_Result_SUCCESS) {
        /* If key already exists, set curveID = NA */
        curveID = kSE05x_ECCurve_NA;
    }

    /* Generate nist256 key */
    status = Se05x_API_WriteECKey(
        session_ctx, NULL, 0, keyID, curveID, NULL, 0, NULL, 0, kSE05x_INS_NA, kSE05x_KeyPart_Pair);
    if (status != SM_OK) {
        SMLOG_E("Error in Se05x_API_WriteECKey \n");
        goto exit;
    }

    /* Calculate ECDH key using key pair at location 'keyID' and public key in buffer 'nist256PubKey' */
    status = Se05x_API_ECDHGenerateSharedSecret(
        session_ctx, keyID, nist256PubKey, sizeof(nist256PubKey), sharedSecret, &sharedSecret_len);
    if (status != SM_OK) {
        SMLOG_E("Error in Se05x_API_ECDHGenerateSharedSecret \n");
        goto exit;
    }

    status = Se05x_API_DeleteSecureObject(session_ctx, keyID);
    if (status != SM_OK) {
        SMLOG_E("Error in Se05x_API_DeleteSecureObject \n");
        goto exit;
    }

    EX_PASS;
exit:
    EX_FAIL;
}

Hi @krsuresh ,
I am sorry, but this feature is not supported on SE050F2. Please kindly refer to the following for details.
Please refer to https://www.nxp.com.cn/docs/en/application-note/AN12436.pdf for more details.
If you need a FIPS certified SE05x with ECDH support, please use SE052F instead.
Please refer to https://www.nxp.com.cn/docs/en/application-note/AN14277.pdf for more details.
Hope that helps,
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
Hi @Kan_Li,
Thank you for your prompt response.
I have one additional question — could you please confirm whether it is possible to generate an ECC key using the NIST-P384 curve on the SE050C or SE050F device? I have verified that the applet version currently in use is 3.1.0.
Thank you for your assistance.
Thanks,
Sureshkumar R
Hi @krsuresh ,
Yes, both SE050C1 and SE050F2 support generating an ECC key using the NIST-P384 curve. Please kindly refer to the following for details.
Have a great day,
Kan
Hi @Kan_Li
Thanks for the quick response.
I am using the following code to generate a NIST P-384 ECC key, but the function Se05x_API_WriteECKey() returns an error.
The same implementation works correctly for NIST P-256 key generation.
Error Detail: 0x6985 -> "Conditions not satisfied"
Additional Information:
Applet version: 3.1.0
Device variant: SE050ARD

int sd_se05x_generate_eccp384_key()
{
    SE05x_ECCurve_t curveID = kSE05x_ECCurve_NIST_P384;
    smStatus_t status;
    uint32_t keyID = 0x60000700;
    SE05x_Result_t result;

    status = Se05x_API_CheckObjectExists(&se05x_session, keyID, &result);
    if (status != SM_OK) {
        SMLOG_E("[SE050] Error in Se05x_API_CheckObjectExists \n");
        return SE050_FAILURE;
    }

    if (result == kSE05x_Result_SUCCESS) {
        curveID = kSE05x_ECCurve_NA;
    }

    status = Se05x_API_WriteECKey(
        &se05x_session, NULL, 0, keyID, curveID, NULL, 0, NULL, 0, kSE05x_INS_NA, kSE05x_KeyPart_Pair);
    if (status != SM_OK) {
        SMLOG_E("[SE050] Error in Se05x_API_WriteECKey Status: 0x%x\n", status);
        return SE050_FAILURE;
    }

    return SE050_SUCCESS;
}

Thanks,
Sureshkumar R
Hi @krsuresh ,
Please make sure the ECCurve kSE05x_ECCurve_NIST_P384 exists before generating the ECC key pair. Please also note that if you use the SSS APIs to generate the ECC key pair, the ECCurve is created automatically in case it doesn't exist.
Hope that helps,
Have a great day,
Kan
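
The ordering described in the reply above, as an added example that is not part of the original posts and is not NXP middleware code: a small constructed model of a secure element in which key generation fails with 0x6985 until the curve has been created. All `mock_*` names, the curve ids and `generate_key_checked` are hypothetical, and the model assumes only P-256 is installed at the start.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the behaviour reported in the thread; not NXP middleware. */
#define SW_OK                       0x9000u
#define SW_CONDITIONS_NOT_SATISFIED 0x6985u /* status quoted in the thread */

enum curve { CURVE_NA = 0, CURVE_P256 = 3, CURVE_P384 = 4 }; /* hypothetical ids */

typedef struct {
    uint32_t curves;      /* bitmask of curves whose parameters are installed */
    uint32_t key_id;      /* one key slot is enough for the model; 0 = empty */
    enum curve key_curve;
} mock_se_t;

static int mock_curve_exists(const mock_se_t *se, enum curve c)
{
    return (int)((se->curves >> c) & 1u);
}

static uint16_t mock_create_curve(mock_se_t *se, enum curve c)
{
    se->curves |= 1u << c;
    return SW_OK;
}

/* Refuses a new key on a curve that is not installed; CURVE_NA reuses an existing key's curve. */
static uint16_t mock_write_ec_key(mock_se_t *se, uint32_t id, enum curve c)
{
    if (c == CURVE_NA) return (se->key_id == id) ? SW_OK : SW_CONDITIONS_NOT_SATISFIED;
    if (!mock_curve_exists(se, c)) return SW_CONDITIONS_NOT_SATISFIED;
    se->key_id = id;
    se->key_curve = c;
    return SW_OK;
}

/* Order suggested in the reply: confirm the curve, create it if absent, then generate. */
uint16_t generate_key_checked(mock_se_t *se, uint32_t id, enum curve c)
{
    if (se->key_id == id) return mock_write_ec_key(se, id, CURVE_NA);
    if (!mock_curve_exists(se, c) && mock_create_curve(se, c) != SW_OK)
        return SW_CONDITIONS_NOT_SATISFIED;
    return mock_write_ec_key(se, id, c);
}

int main(void)
{
    mock_se_t se = { .curves = 1u << CURVE_P256 }; /* assumption: only P-256 installed */
    printf("direct P-384:  0x%04X\n", (unsigned)mock_write_ec_key(&se, 0x60000700u, CURVE_P384));
    printf("checked P-384: 0x%04X\n", (unsigned)generate_key_checked(&se, 0x60000700u, CURVE_P384));
    return 0;
}
```

On real hardware the curve check and creation go through the middleware's own calls, or through the SSS key-generation API that the reply says creates the curve automatically.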