Hello NXP community and support team,
I am new to secure elements. In my current project I am using the SE050ARDF2 board with an STM32 microcontroller, together with the FRDMK64 board's SDK (ported to my controller).
I have tested the get-info example and it works perfectly, so my middleware (MW) port is working.
Currently I am trying to write a User ID to the SE050 and I get the error SM_ERR_WRONG_DATA (0x6A80); I have not been able to find the reason for it.
NOTE: Check summary section for quick review.
My configuration and all steps are below mentioned.
1) Here my fsl_sss_ftr.h file for configuration
/*
 * Excerpt of the fsl_sss_ftr.h feature-selection header as posted. The opening
 * of the include guard closed by the #endif at the end is not part of the
 * excerpt, and the poster may have removed other lines.
 */
/** SE050 (Super set of A + B) */
#define SSS_HAVE_APPLET_SE05X_C 1
#define SSS_HAVE_SE05X_VER_03_XX 1
/* Host-side crypto is provided by mbedTLS, with no ALT implementation selected. */
#define SSS_HAVE_HOSTCRYPTO_MBEDTLS 1
#define SSS_HAVE_MBEDTLS_ALT_NONE 1
/* SCP03 is enabled on the host side. */
#define SSS_HAVE_SCP_SCP03_SSS 1
/* NOTE(review): FIPS mode is set to NONE while the key-set selector at the end
 * of this list names an SE050F2 variant - confirm this combination is intended. */
#define SSS_HAVE_FIPS_NONE 1
#define SSS_HAVE_SBL_NONE 1
/* Session authentication is Platform SCP03.
 * NOTE(review): the keys used for it are presumably the variant defaults chosen
 * by SSS_PFSCP_ENABLE_SE050F2_0001A92A below. Keys that ship with a middleware
 * release are public, so they should be rotated before a product leaves the
 * lab - confirm against the provisioning plan. */
#define SSS_HAVE_SE05X_AUTH_PLATFSCP03 1
/* Feature switches for operations executed on the SE05x. */
#define SSSFTR_SE05X_AES 1
#define SSSFTR_SE05X_ECC 1
#define SSSFTR_SE05X_RSA 1
#define SSSFTR_SE05X_KEY_SET 1
#define SSSFTR_SE05X_KEY_GET 1
#define SSSFTR_SE05X_AuthECKey 1
#define SSSFTR_SE05X_AuthSession 1
#define SSSFTR_SE05X_CREATE_DELETE_CRYPTOOBJ 1
/* Feature switches for the software (host) implementation. */
#define SSSFTR_SW_AES 1
#define SSSFTR_SW_ECC 1
#define SSSFTR_SW_RSA 1
#define SSSFTR_SW_KEY_SET 1
#define SSSFTR_SW_KEY_GET 1
#define SSS_HAVE_ECC 1
/* NOTE(review): SSSFTR_SE05X_RSA and SSSFTR_SW_RSA are both 1 above, but
 * SSS_HAVE_RSA is 0 - confirm which of the two settings is the intended one. */
#define SSS_HAVE_RSA 0
#define SSS_HAVE_TPM_BN 1
#define SSS_HAVE_EC_ED 1
#define SSS_HAVE_EC_MONT 1
#define SSS_HAVE_MIFARE_DESFIRE 1
#define SSS_HAVE_PBKDF2 1
#define SSS_HAVE_TLS_HANDSHAKE 1
#define SSS_HAVE_IMPORT 1
/* SSSFTR_SW_TESTCOUNTERPART is not defined anywhere in this excerpt. */
#define SSS_HAVE_TESTCOUNTERPART (SSSFTR_SW_TESTCOUNTERPART)
/* Selects a Platform SCP03 key set by variant identifier (see the review note
 * on SSS_HAVE_SE05X_AUTH_PLATFSCP03 above). */
#define SSS_PFSCP_ENABLE_SE050F2_0001A92A 1
#endif /* SSS_APIS_INC_FSL_SSS_FTR_H_ */
2) I created the session with this configuration, and it returns success.
/* Open the session through the example boot helper. Anything other than
 * kStatus_SSS_Success is logged and sent to the shared cleanup label. */
status = ex_sss_boot_open(PCONTEXT, portName);
if (status != kStatus_SSS_Success) {
    LOG_E("ex_sss_session_open Failed");
    goto cleanup;
}
3) After the session is created, the function below is called; in it I use the middleware's write User ID function.
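/* Boot context instance for this example; EX_SSS_BOOT_PCONTEXT points at it. */
static ex_sss_boot_ctx_t gex_sss_gen_cert;
#define EX_SSS_BOOT_PCONTEXT (&gex_sss_gen_cert)
#define EX_SSS_BOOT_DO_ERASE 1
#define EX_SSS_BOOT_EXPOSE_ARGC_ARGV 0
/* Used below both for keylen (divided by 8) and, undivided, as the byte size
 * of the signature buffer. */
#define ECC_KEY_BIT_LEN 256
/* NOTE: Other options were removed; the one below is used in the code.
 * (The comment was left unterminated in the post, which would have swallowed
 * the #define that follows and the code after it.) */
/* NOTE(review): this looks like the "no authentication" identity, so a policy
 * keyed to it presumably applies to unauthenticated sessions - confirm. */
#define EX_LOCAL_OBJ_AUTH_ID EX_SSS_AUTH_SE05X_NONE_AUTH_ID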
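/**
 * Write a UserID object to the SE05x, optionally with a policy set attached.
 *
 * @param pSession         SE05x session; its s_ctx member is passed to the
 *                         APDU call. Must not be NULL.
 * @param policies         Policy set to encode into the request, or NULL to
 *                         send an empty policy.
 * @param maxAttempt       Forwarded unchanged to Se05x_API_WriteUserID().
 * @param objectID         Identifier of the object to write.
 * @param userId           UserID bytes. Must not be NULL.
 * @param userIdLen        Number of bytes at userId. Must not be 0.
 * @param attestation_type Forwarded unchanged to Se05x_API_WriteUserID().
 *
 * @return kStatus_SSS_Success when the APDU call returns SM_OK;
 *         kStatus_SSS_Fail on invalid arguments, when the policy buffer
 *         cannot be built, or for any other status word.
 */
static sss_status_t sss_se05x_write_user_id(sss_se05x_session_t *pSession,
    sss_policy_t *policies, SE05x_MaxAttemps_t maxAttempt, uint32_t objectID,
    const uint8_t *userId, size_t userIdLen,
    const SE05x_AttestationType_t attestation_type)
{
    Se05xSession_t *pSe05xSession;
    Se05xPolicy_t policySet;
    uint8_t policies_buff[MAX_POLICY_BUFFER_SIZE];
    size_t valid_policy_buff_len = 0;
    smStatus_t sw_status;

    /* Reject arguments that cannot describe a UserID before anything is
     * dereferenced or sent to the secure element. */
    if (pSession == NULL || userId == NULL || userIdLen == 0) {
        return kStatus_SSS_Fail;
    }
    /* NOTE(review): the applet presumably restricts the UserID length to a
     * fixed range; confirm it in the SE05x APDU specification and enforce it
     * here so that a bad length fails on the host rather than on the card. */

    pSe05xSession = &pSession->s_ctx;

    /* An empty policy is sent unless the caller supplied a policy set. */
    policySet.value = NULL;
    policySet.value_len = 0;
    if (policies != NULL) {
        if (sss_se05x_create_object_policy_buffer(policies,
                &policies_buff[0], &valid_policy_buff_len)
            != kStatus_SSS_Success) {
            return kStatus_SSS_Fail;
        }
        policySet.value = policies_buff;
        policySet.value_len = valid_policy_buff_len;
    }

    sw_status = Se05x_API_WriteUserID(pSe05xSession, &policySet, maxAttempt,
        objectID, userId, userIdLen, attestation_type);

    /* The status word is collapsed to success/fail here, so the caller cannot
     * tell SM_ERR_WRONG_DATA apart from other failures; inspect sw_status at
     * this point when diagnosing a rejected write. */
    if (sw_status != SM_OK) {
        return kStatus_SSS_Fail;
    }
    return kStatus_SSS_Success;
}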
/*
 * Example entry point as posted. It builds a policy set with two entries (an
 * asymmetric-key policy and a common policy) and passes it to
 * sss_se05x_write_user_id().
 *
 * The listing is truncated in the post: the function has no closing brace and
 * the visible lines never check the status returned by the write.
 */
sss_status_t ex_sss_entry(ex_sss_boot_ctx_t *pCtx)
{
LOG_I(
"This example is to demonstrate the use of policies for secure "
"objects");
sss_status_t status = kStatus_SSS_Fail;
/* digest, signature, asymm, object, algorithm, mode, userid_value2 and keylen
 * are declared or assigned below but not used in the visible lines. */
uint8_t digest[32] = "Hello World";
size_t digestLen = sizeof(digest);
/* Sized with the bit length, so this buffer is 256 bytes. */
uint8_t signature[ECC_KEY_BIT_LEN] = {0};
size_t signatureLen = sizeof(signature);
sss_asymmetric_t asymm;
sss_object_t object;
sss_algorithm_t algorithm;
sss_mode_t mode;
//status = Se05x_API_DeleteAll(&pCtx);
/* NOTE(review): on the SE05x a UserID is presumably usable as an
 * authentication credential; a fixed value in source is suitable for a bench
 * test only - confirm how production values are provisioned. */
const uint8_t userid_value[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x56, 0x07 };
const uint8_t userid_value2[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07 };
/* NOTE(review): the object ID presumably depends on this source line number,
 * so it changes when the file is edited; an object left under an earlier ID,
 * or one already present under this ID, can influence the write - verify. */
uint32_t keyId = MAKE_TEST_ID(__LINE__);
size_t keylen = ECC_KEY_BIT_LEN / 8;
algorithm = kAlgorithm_SSS_SHA256;
mode = kMode_SSS_Sign;
pCtx->se05x_open_ctx.skip_select_applet = 0;
/* clang-format off */
/* doc:start:allow-policy-sign */
/*Logic to pass sign & verifypolicy*/
const int allow_sign = 1;
const int allow_verify = 0;
/* doc:start:allow-policy-sign-part1 */
/* Policies for key */
/* NOTE(review): this entry is typed as an asymmetric-key policy, but the
 * object written below is a UserID. The reply in this thread attributes
 * 0x6A80 to policy validation and suggests KPolicy_UserID for this case. */
const sss_policy_u key_withPol = {
.type = KPolicy_Asym_Key,
/*Authentication object based on SE05X_AUTH*/
/* NOTE(review): hard-coded to 0x00000001 here, while the common policy below
 * uses EX_LOCAL_OBJ_AUTH_ID, so the two entries name different authentication
 * objects - confirm that is intended. */
.auth_obj_id = 0x00000001, ///EX_LOCAL_OBJ_AUTH_ID,
.policy = {
/*Asymmetric key policy*/
.asymmkey = {
/*Policy for sign*/
.can_Sign = allow_sign,
/*Policy for verify*/
.can_Verify = allow_verify,
/*Policy for encrypt*/
.can_Encrypt = 0,
/*Policy for decrypt*/
.can_Decrypt = 0,
/*Policy for Key Derivation*/
.can_KD = 0,
/*Policy for wrapped object*/
.can_Wrap = 0,
/*Policy to re-write object*/
.can_Write = 1,
/*Policy for reading object*/
.can_Read = 1,
/*Policy to use object for attestation*/
.can_Attest = 0,
}
}
};
const sss_policy_u common = {
.type = KPolicy_Common,
.auth_obj_id = EX_LOCAL_OBJ_AUTH_ID,
.policy = {
.common = {
/* NOTE(review): presumably "secure messaging required" is off - confirm. */
.req_Sm = 0,
.can_Delete = 1,
.forbid_All = 0,
}
}
};
sss_policy_t policy_for_ec_key = {
.nPolicies = 2,
.policies = { &key_withPol, &common }
};
/* NOTE(review): pCtx is an ex_sss_boot_ctx_t *, but the first parameter of
 * sss_se05x_write_user_id() is an sss_se05x_session_t *, and the helper takes
 * &pSession->s_ctx from it. Pass the session object held by the boot context
 * instead - confirm the member name against the ex_sss_boot_ctx_t definition.
 *
 * NOTE(review): SE05x_MaxAttemps_UNLIMITED presumably means wrong values are
 * never counted towards a lockout; for an object that authenticates a user, a
 * finite attempt limit is the safer choice - confirm against the applet
 * documentation. */
status = sss_se05x_write_user_id(pCtx, &policy_for_ec_key,
SE05x_MaxAttemps_UNLIMITED, keyId, userid_value,
sizeof(userid_value), kSE05x_AttestationType_AUTH);
NOTE: This last call fails with the following error: SM_ERR_WRONG_DATA (0x6A80)
SUMMARY:
1) fsl_sss_ftr.h configuration
2) Session creation with configuration of above file.
3) write user ID command function called with given policy details in function.
Q: Are my steps correct? If not, please provide the correct steps and policy details; that would be really helpful.
FYI: @kalpeshbalar @Shivangi
Thank you,
Priyank.
Is there anything else that is required for RSA, in the way that an ECC key requires the curve?
I have also tried the sss example and result is the same, can you please help me with this.
Thanks.
Hi @Spri ,
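0x6A80 (SM_ERR_WRONG_DATA) means that policy validation failed, so please check the policy attached to the secure object.
BTW, since you are creating a UserID, shouldn't the policy type be KPolicy_UserID instead of KPolicy_Asym_Key? The policy set in your post uses KPolicy_Asym_Key with sign/verify/encrypt permissions, which describe a key rather than a UserID.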
Have a great day,
Kan
Hi @Spri ,
Your example using the SE05x APIs should be right; the cause might be related to the policy. How did you set up the policy, and was a secure object with the same ID already there? Please kindly clarify.
For more details regarding SSS APIs, please kindly refer to simw-top/doc/sss-apis.html within the MW.
Hope that helps,
Have a great day,
Kan