SE050: received error in write user-id command

Spri · ‎01-05-2024

Hello NXP community and support team,

I am newbie to the secure element, in my current project i am using SE050ARDF2 board with STM32 microcontroller with FRDMK64 board's SDK(by porting according to the my controller).

I have tested get info example and it is perfectly working, so my mw is working.

Currently i am trying to write User id in SE050 and i am getting error of SM_ERR_WRONG_DATA(0x6A80), and i am not getting the reason behind it.

NOTE: Check summary section for quick review.

My configuration and all steps are below mentioned.

1) Here my fsl_sss_ftr.h file for configuration

/** SE050 (Super set of A + B) */

#define SSS_HAVE_APPLET_SE05X_C 1

#define SSS_HAVE_SE05X_VER_03_XX 1

#define SSS_HAVE_HOSTCRYPTO_MBEDTLS 1

#define SSS_HAVE_MBEDTLS_ALT_NONE 1

#define SSS_HAVE_SCP_SCP03_SSS 1

#define SSS_HAVE_FIPS_NONE 1

#define SSS_HAVE_SBL_NONE 1

#define SSS_HAVE_SE05X_AUTH_PLATFSCP03 1

#define SSSFTR_SE05X_AES 1

#define SSSFTR_SE05X_ECC 1

#define SSSFTR_SE05X_RSA 1

#define SSSFTR_SE05X_KEY_SET 1

#define SSSFTR_SE05X_KEY_GET 1

#define SSSFTR_SE05X_AuthECKey 1

#define SSSFTR_SE05X_AuthSession 1

#define SSSFTR_SE05X_CREATE_DELETE_CRYPTOOBJ 1

#define SSSFTR_SW_AES 1

#define SSSFTR_SW_ECC 1

#define SSSFTR_SW_RSA 1

#define SSSFTR_SW_KEY_SET 1

#define SSSFTR_SW_KEY_GET 1

#define SSS_HAVE_ECC 1

#define SSS_HAVE_RSA 0

#define SSS_HAVE_TPM_BN 1

#define SSS_HAVE_EC_ED 1

#define SSS_HAVE_EC_MONT 1

#define SSS_HAVE_MIFARE_DESFIRE 1

#define SSS_HAVE_PBKDF2 1

#define SSS_HAVE_TLS_HANDSHAKE 1

#define SSS_HAVE_IMPORT 1

#define SSS_HAVE_TESTCOUNTERPART (SSSFTR_SW_TESTCOUNTERPART)

#define SSS_PFSCP_ENABLE_SE050F2_0001A92A 1

#endif /* SSS_APIS_INC_FSL_SSS_FTR_H_ */

2)Created Session accordingly and it return's success.

status = ex_sss_boot_open(PCONTEXT, portName);

if (kStatus_SSS_Success != status) {

LOG_E("ex_sss_session_open Failed");

goto cleanup;

}

3)After session creation this function is called and here i am using write USER-ID function of middleware.

static ex_sss_boot_ctx_t gex_sss_gen_cert;

#define EX_SSS_BOOT_PCONTEXT (&gex_sss_gen_cert)

#define EX_SSS_BOOT_DO_ERASE 1

#define EX_SSS_BOOT_EXPOSE_ARGC_ARGV 0

#define ECC_KEY_BIT_LEN 256

/* NOTE: Other option are removed below this is used in the code
#define EX_LOCAL_OBJ_AUTH_ID EX_SSS_AUTH_SE05X_NONE_AUTH_ID

static sss_status_t sss_se05x_write_user_id(sss_se05x_session_t *pSession,

sss_policy_t *policies, SE05x_MaxAttemps_t maxAttempt, uint32_t objectID,

const uint8_t *userId, size_t userIdLen,

const SE05x_AttestationType_t attestation_type) {

Se05xSession_t *pSe05xSession = &pSession->s_ctx;

Se05xPolicy_t policySet;

size_t valid_policy_buff_len = 0;

uint8_t policies_buff[MAX_POLICY_BUFFER_SIZE];

if (policies) {

if (kStatus_SSS_Success

!= sss_se05x_create_object_policy_buffer(policies,

&policies_buff[0], &valid_policy_buff_len)) {

return kStatus_SSS_Fail;

}

policySet.value = policies_buff;

policySet.value_len = valid_policy_buff_len;

} else {

policySet.value = NULL;

policySet.value_len = 0;

}

smStatus_t sw_status;

sw_status = Se05x_API_WriteUserID(pSe05xSession, &policySet, maxAttempt,

objectID, userId, userIdLen, attestation_type);

if(sw_status != SM_OK) {

return kStatus_SSS_Fail;

}

return kStatus_SSS_Success;

}

sss_status_t ex_sss_entry(ex_sss_boot_ctx_t *pCtx)

{

LOG_I(

"This example is to demonstrate the use of policies for secure "

"objects");

sss_status_t status = kStatus_SSS_Fail;

uint8_t digest[32] = "Hello World";

size_t digestLen = sizeof(digest);

uint8_t signature[ECC_KEY_BIT_LEN] = {0};

size_t signatureLen = sizeof(signature);

sss_asymmetric_t asymm;

sss_object_t object;

sss_algorithm_t algorithm;

sss_mode_t mode;

//status = Se05x_API_DeleteAll(&pCtx);

const uint8_t userid_value[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x56, 0x07 };

const uint8_t userid_value2[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07 };

uint32_t keyId = MAKE_TEST_ID(__LINE__);

size_t keylen = ECC_KEY_BIT_LEN / 8;

algorithm = kAlgorithm_SSS_SHA256;

mode = kMode_SSS_Sign;

pCtx->se05x_open_ctx.skip_select_applet = 0;

/* clang-format off */

/* doc:start:allow-policy-sign */

/*Logic to pass sign & verifypolicy*/

const int allow_sign = 1;

const int allow_verify = 0;

/* doc:start:allow-policy-sign-part1 */

/* Policies for key */

const sss_policy_u key_withPol = {

.type = KPolicy_Asym_Key,

/*Authentication object based on SE05X_AUTH*/

.auth_obj_id = 0x00000001, ///EX_LOCAL_OBJ_AUTH_ID,

.policy = {

/*Asymmetric key policy*/

.asymmkey = {

/*Policy for sign*/

.can_Sign = allow_sign,

/*Policy for verify*/

.can_Verify = allow_verify,

/*Policy for encrypt*/

.can_Encrypt = 0,

/*Policy for decrypt*/

.can_Decrypt = 0,

/*Policy for Key Derivation*/

.can_KD = 0,

/*Policy for wrapped object*/

.can_Wrap = 0,

/*Policy to re-write object*/

.can_Write = 1,

/*Policy for reading object*/

.can_Read = 1,

/*Policy to use object for attestation*/

.can_Attest = 0,

}

};

const sss_policy_u common = {

.type = KPolicy_Common,

.auth_obj_id = EX_LOCAL_OBJ_AUTH_ID,

.policy = {

.common = {

.req_Sm = 0,

.can_Delete = 1,

.forbid_All = 0,

}

};

sss_policy_t policy_for_ec_key = {

.nPolicies = 2,

.policies = { &key_withPol, &common }

};

status = sss_se05x_write_user_id(pCtx, &policy_for_ec_key,

SE05x_MaxAttemps_UNLIMITED, keyId, userid_value,

sizeof(userid_value), kSE05x_AttestationType_AUTH);

NOTE: in last getting error here below: SM_ERR_WRONG_DATA(0x6A80)

SUMMARY:
1) fsl_sss_ftr.h configuration
2) Session creation with configuration of above file.
3) write user ID command function called with given policy details in function.

Q: Is my steps are correct, if not then please provide the correct steps and policy details that will be really helpful.

FYI: @kalpeshbalar @Shivangi

Thank you,
Priyank.

Kan_Li · ‎01-08-2024

Hi @Spri ,

0x6A80 means the policy validation fails, please kindly check the policy attached to the secure object.

BTW, since you are going to create a UserID, shouldn't the type be KPolicy_UserID instead of KPolicy_Asym_Key?

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Spri · ‎01-22-2024

Hi @Kan_Li,

Thanks for the reply, it is working now.

Currently i am trying to create RSA key with this below function and i am getting error of "SM_ERR_CONDITIONS_NOT_SATISFIED", i just want to know, is there any demo available for key generation(symmetric and asymmetric), i found example in mw but, i guess it uses external keys, and also any document that can help me about how to use sss apis.

-> Function used for rsa key generation:

"status = Se05x_API_WriteRSAKey(pSe05xSession,

&policy_for_rsa_obj,

rsa_temp_id,//RSA_ATTESTATION_KEY_ID,

512,

SE05X_RSA_NO_p,

SE05X_RSA_NO_q,

SE05X_RSA_NO_dp,

SE05X_RSA_NO_dq,

SE05X_RSA_NO_qInv,

SE05X_RSA_NO_pubExp,

SE05X_RSA_NO_priv,

SE05X_RSA_NO_pubMod,

kSE05x_INS_WRITE,

kSE05x_KeyPart_Pair,

kSE05x_RSAKeyFormat_RAW);

LOG_I("Se05x_API_WriteRSAKey (Attestation key - RSA_ATTESTATION_KEY_ID) status = %04X", status);

}"

Thanks,

Priyank.

Kan_Li · ‎01-22-2024

Hi @Spri ,

Your example using SE05x APIs should be right , the cause might be related with the policy, how did you set up the policy, was a secure object with the same ID already there? Please kindly clarify.

For more details regarding SSS APIs, please kindly refer to simw-top/doc/sss-apis.html within the MW.

Hope that helps,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Spri · ‎04-05-2024

Hi kan,

The whole usecase is as below.
I am getting one certificate from the HOST(microcontroller) in der format after parsing the certificate i am taking public key data from the certificate and want to store in se050, in which i am getting error of SM_ERR_WRONG_DATA.

the values are as below:

Object ID : 0x50a0004, No previous object is over here, fresh user id
Pub Exp : 1
Pub Exp len : 3
pub modulo len : 256

#define try_with_raw_key 1 // Using this method to store the certificate

sss_status_t se_store_certi(ex_sss_boot_ctx_t *pCtx, uint32_t object_id, uint8_t *certi, uint16_t *certi_len)

{

sss_status_t status = kStatus_SSS_Success;

sss_object_t cert_object;

static ex_sss_boot_ctx_t boot_ctx_test;

sss_se05x_session_t *pSession = (sss_se05x_session_t *)&boot_ctx_test.session;

Se05xSession_t *pSe05xSession = &pSession->s_ctx;

///////////////////////////////////////////////////////////////////////////////////

/*

* Open session here

*/

status = ex_sss_boot_open(&boot_ctx_test, NULL);

if (kStatus_SSS_Success != status)

{

LOG_E("ex_sss_session_open Failed");

goto exit;

}

status = ex_sss_key_store_and_object_init(&boot_ctx_test);

if (kStatus_SSS_Success != status)

{

LOG_E("ex_sss_key_store_and_object_init Failed");

goto exit;

}

///////////////////////////////////////////////////////////////////////////////////////////

int ret = 0;

uint8_t buf[4000];

size_t buf_len = sizeof(buf);

mbedtls_x509_crt cert;

mbedtls_x509_crt_init(&cert);

ret = mbedtls_x509_crt_parse(&cert, (const unsigned char *)cert_array, sizeof(cert_array)+ 1);
if ((ret == 0)) {
printf("success in parsing pub key componant%d",ret);
}

#if try_with_raw_key

status = sss_key_object_init(&cert_object, &boot_ctx_test.ks);

if (kStatus_SSS_Success != status)

{

LOG_E("ex_sss_key_store_and_object_init Failed");

goto exit;

}

status = sss_key_object_allocate_handle(&cert_object,

object_id,

kSSS_KeyPart_Public,

kSSS_CipherType_RSA_CRT,

cert.pk_raw.len + 1,

kKeyObject_Mode_Transient);

if (kStatus_SSS_Success != status)

{

LOG_E("ex_sss_key_store_and_object_init Failed");

goto exit;

}

status = sss_key_store_set_key(&boot_ctx_test.ks, &cert_object, cert.pk_raw.p, (cert.pk_raw.len + 1), 2048/*(cert.pk_raw.len + 1)*8*/, NULL, 0);

if (kStatus_SSS_Success != status)

{

LOG_E("ex_sss_key_store_and_object_init Failed");

goto exit;

}

#endif

#if Method_2

/* Set the kye parameters */

status = Se05x_API_WriteRSAKey(pSe05xSession,

NULL,

object_id,

2048,

SE05X_RSA_NO_p,

SE05X_RSA_NO_q,

SE05X_RSA_NO_dp,

SE05X_RSA_NO_dq,

SE05X_RSA_NO_qInv,

&rsa->E.p,rsa->E.n,

SE05X_RSA_NO_priv,

SE05X_RSA_NO_pubMod,

kSE05x_INS_NA,

kSSS_KeyPart_Public,

kSSS_CipherType_RSA_CRT);

if (status != SM_OK) {

// retval = kStatus_SSS_Fail;

goto exit;

}

status = Se05x_API_WriteRSAKey(pSe05xSession,

NULL,

object_id,

2048,

SE05X_RSA_NO_p,

SE05X_RSA_NO_q,

SE05X_RSA_NO_dp,

SE05X_RSA_NO_dq,

SE05X_RSA_NO_qInv,

SE05X_RSA_NO_pubExp,

SE05X_RSA_NO_priv,

&rsa->N.p,rsa->N.n,

kKeyObject_Mode_Persistent,

kSSS_KeyPart_Public,

kSSS_CipherType_RSA);

if (status != SM_OK) {

// retval = kStatus_SSS_Fail;

goto exit;

}

#endif

mbedtls_pk_free(&cert.pk);

exit:

/////////////////////////////////////////////////////////////////////////////

/*

* Close session here

*/

ex_sss_session_close((&boot_ctx_test));

////////////////////////////////////////////////////////////////////

return status;

}

@Kan_Li thanks in advance.