Why does Se05x_API_WriteECKey return kSE05x_SW12_CONDITIONS_NOT_SATISFIED

fvjdxe
Contributor I

I am trying to deploy an EC key to an SE050, which I have factory reset just before.

The call to Se05x_API_WriteECKey returns 0x6985, which matches the enums kSE05x_SW12_CONDITIONS_NOT_SATISFIED, SW_CONDITIONS_NOT_SATISFIED and SM_ERR_CONDITIONS_OF_USE_NOT_SATISFIED.

I cannot find any hint what this error code means for this function.

Kan_Li
NXP TechSupport

Hi @fvjdxe,

Is it possible to share the log, including the APDU command transactions between the host and the SE050? We may help to analyze where the issue is.

Thanks for your patience!

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

fvjdxe
Contributor I

Hello Kan,

thanks for your reply. Is this what you need?

sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:5865 Function:sss_se05x_TXn

Best regards

Kan_Li
NXP TechSupport

Hi @fvjdxe,

Thanks for the information! However, it is not what I am looking for. You have to use nxLog_DefaultConfig.h to enable the debug logging globally. Please refer to the following for details.

Kan_Li_0-1631519507598.png

It looks like your application is based on the MW. Would you please specify the version? There is also demo code for your reference, which is available in "SE-PLUG-TRUST-MW\simw-top\demos\se05x\se05x_Delete_and_test_provision\se05x_Delete_and_test_provision.c".

Kan_Li_1-1631520322839.png

You may also share a code snippet like this for further analysis.

Hope that helps,

Have a great day,
Kan


fvjdxe
Contributor I

Hello Kan,

I am using version 3.0.3 of the middleware. Please find a log attached as se050-provision-eckey.log.

My code is pretty close to the example:

int r = Se05x_API_WriteECKey(&session_ctx,
    NULL,
    SE05x_MaxAttemps_UNLIMITED,
    0x00000100UL,
    kSE05x_ECCurve_NIST_P256,
    nullptr,
    0,
    gPublicKey,
    sizeof(gPublicKey),
    kSE05x_AttestationType_AUTH | kSE05x_TransientType_Persistent,
    kSE05x_KeyPart_Public);

Kan_Li
NXP TechSupport

Hi @fvjdxe,

Thanks for the information! The code snippet looks good. We just tried your code and it was able to create an EC key object using the same APDU, so we are wondering if you are able to create any other object. Did you run any other examples using this device? Please kindly clarify.

Thanks for your patience!

Have a great day,
Kan


fvjdxe
Contributor I

Hi Kan,

I have successfully provisioned the factory reset key and performed a factory reset.

Kan_Li
NXP TechSupport

Hi @fvjdxe,

Thanks for the information! Have you created other objects on this device, such as a binary? Was the result the same? Please kindly clarify.

Thanks for your patience!

Have a great day,
Kan


fvjdxe
Contributor I

Hello Kan,

yes, I am able to write a binary. Just tested it.

fvjdxe
Contributor I

Hello Kan,

since the very same sequence was working for you but not for me, I tried on a brand new hardware.

I completed the following sequence successfully:

  • Write factory reset key
  • Write binary object
  • Read and verify same binary object
  • Write EC authentication key
  • Establish encrypted session

But when I tried a second time, the following happened:

  • Perform factory reset (newly added)
  • Write factory reset key
  • Write binary object
  • Read and verify same binary object
  • Write EC authentication key
    • I get the same error code I described initially
  • Establish encrypted session
    • I get the following output:
    • sss :ERROR:SE ECDSA Public Key is not Provisioned!!!

I wonder why the authentication key cannot be written the second time and why the factory reset seems to have no effect on this.

Kan_Li
NXP TechSupport

Hi @fvjdxe,

Thanks for the information! Indeed, the factory reset also deletes all Security Objects, including the EC curve parameters.

You have to create the NIST-P256 curve first (see below). The following code snippet works for me (after I have executed the factory reset first).

// Create EC Auth. Object
status = Se05x_API_CreateCurve_prime256v1(pSe05xSession, kSE05x_ECCurve_NIST_P256);
LOG_I("Se05x_API_CreateCurve_prime256v1 status = %04X", status);

const uint8_t gPublicKey[] = { 0x04, 0x97, 0x03, 0x51, 0xD3, 0xC8,
    0xBB, 0x56, 0xAB, 0x9C, 0x57, 0x1F, 0x8C, 0xE4,
    0x1D, 0x6B, 0xE0, 0xBB, 0xF8, 0x7D, 0x8B, 0x7B,
    0xA7, 0xAB, 0xD3, 0x69, 0xEA, 0x04, 0x06, 0xEB,
    0x4C, 0x1B, 0x88, 0xC5, 0xC6, 0x55, 0xEF, 0xBE,
    0x10, 0x98, 0x4B, 0x7F, 0x4A, 0x90, 0x1E, 0xE7,
    0xD2, 0xFF, 0x4B, 0x12, 0xAE, 0xD4, 0x97, 0x30,
    0xFB, 0x2A, 0x67, 0x55, 0xEB, 0x73, 0xE0, 0x2C,
    0xD4, 0x14, 0x4D};

int r = Se05x_API_WriteECKey(pSe05xSession,
    NULL,
    SE05x_MaxAttemps_UNLIMITED,
    0x00000100UL,
    kSE05x_ECCurve_NIST_P256,
    NULL,
    0,
    gPublicKey,
    sizeof(gPublicKey),
    kSE05x_AttestationType_AUTH | kSE05x_TransientType_Persistent,
    kSE05x_KeyPart_Public);

Hope that helps,

Have a great day,
Kan


fvjdxe
Contributor I

Hello Kan,

what does the function Se05x_API_CreateCurve_prime256v1 do and where is it defined?

I cannot find it in the documentation. I cannot find its definition in the middleware source code. And also the compiler cannot find it.

Kan_Li
NXP TechSupport

Hi @fvjdxe,

It is used to create the NIST-P256 curve inside SE050 and is defined in the following header file.

Kan_Li_0-1631867634837.png

Please kindly refer to "se05x_ECC_curves.c" for more details. You may find it in "SE-PLUG-TRUST-MW\simw-top\hostlib\hostLib\se05x\src".

Hope that helps,

Have a great day,
Kan


fvjdxe
Contributor I

Hello Kan,

thanks, Se05x_API_CreateCurve_prime256v1 did the trick. It's hard to find this function since its name is generated via a macro and it is not documented. Or am I missing some piece of documentation?

0 Kudos
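
Added example, not part of any post above and not NXP middleware code: a constructed host-side model of what this thread reports, where the key write returns 0x6985 while the curve is absent after a factory reset and succeeds once the curve has been created. The create function is generated by token pasting, as the last post describes; all mock_* names, MOCK_DEFINE_CREATE_CURVE, provision_auth_key and the curve index are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the behaviour reported in this thread. Not NXP
 * middleware code: all mock_* names and the curve index are hypothetical. */
#define SW_OK                       0x9000u
#define SW_WRONG_LENGTH             0x6700u
#define SW_CONDITIONS_NOT_SATISFIED 0x6985u /* status word the poster received */
enum { CURVE_P256 = 0, CURVE_SLOTS = 4 };

typedef struct {
    uint8_t curve_present[CURVE_SLOTS]; /* 1 = curve parameters installed */
    uint8_t key[65];
    size_t  key_len;
} mock_se_t;

/* Factory reset removes stored objects and curve parameters alike. */
static void mock_factory_reset(mock_se_t *se) { memset(se, 0, sizeof *se); }

/* Token pasting builds the name, so mock_CreateCurve_prime256v1 is never
 * spelled out where it is defined; a text search finds only the call sites. */
#define MOCK_DEFINE_CREATE_CURVE(NAME)                             \
    static uint16_t mock_CreateCurve_##NAME(mock_se_t *se, int id) \
    {                                                              \
        se->curve_present[id] = 1;                                 \
        return SW_OK;                                              \
    }
MOCK_DEFINE_CREATE_CURVE(prime256v1)

static uint16_t mock_WriteECKey(mock_se_t *se, int id, const uint8_t *pub, size_t len)
{
    if (!se->curve_present[id]) return SW_CONDITIONS_NOT_SATISFIED; /* curve missing */
    if (len > sizeof se->key) return SW_WRONG_LENGTH;
    memcpy(se->key, pub, len);
    se->key_len = len;
    return SW_OK;
}

/* Provisioning step that survives a reset: install the curve if absent, then write. */
static uint16_t provision_auth_key(mock_se_t *se, const uint8_t *pub, size_t len)
{
    if (!se->curve_present[CURVE_P256]) {
        uint16_t sw = mock_CreateCurve_prime256v1(se, CURVE_P256);
        if (sw != SW_OK) return sw;
    }
    return mock_WriteECKey(se, CURVE_P256, pub, len);
}
```

Searching a source tree for the fixed prefix of such a name (here `CreateCurve_`) rather than the full identifier locates the generating macro.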