how to set RSA private key into SE050

yang_lee · ‎10-28-2025

Hi everone, now I want to set RSA private key into SE050 but this function return fail: sss_key_store_set_key(). Is there a problem with the way I pass parameters to that function? Please help me.

My code below:

sss_status_t ex_sss_entry_user_set_privKey(ex_sss_boot_ctx_t *pCtx, uint32_t objectID, uint8_t *key_inject, size_t keyLen,)

{

sss_status_t status = kStatus_SSS_Success;

/* Policies for key */

const sss_policy_u key_withPol = {

.type = KPolicy_Asym_Key,

/*Authentication object based on SE05X_AUTH*/

.auth_obj_id = objectID,

.policy = {

/*Asymmetric key policy*/

.asymmkey = {

/*Policy for sign*/

.can_Sign = 1,

/*Policy for verify*/

.can_Verify = 1,

/*Policy for encrypt*/

.can_Encrypt = 1,

/*Policy for decrypt*/

.can_Decrypt = 1,

/*Policy for Key Derivation*/

.can_KD = 1,

/*Policy for wrapped object*/

.can_Wrap = 1,

/*Policy to re-write object*/

.can_Write = 1,

/*Policy for reading object*/

.can_Read = 1,

/*Policy to use object for attestation*/

.can_Attest = 1,

}

};

/* Common rules */

const sss_policy_u common = {

.type = KPolicy_Common,

/*Authentication object based on SE05X_AUTH*/

.auth_obj_id = objectID,

.policy = {

.common = {

/*Secure Messaging*/

.req_Sm = 0,

/*Policy to Delete object*/

.can_Delete = 1,

/*Forbid all operations on object*/

.forbid_All = 0,

}

};

/* create policy set */

sss_policy_t policy_for_ec_key = {

.nPolicies = 2,

.policies = { &key_withPol, &common }

};

#ifdef GET_FREE_MEM

sss_se05x_session_t *pSession = (sss_se05x_session_t *)&pCtx->session;

uint16_t free_mem = 0;

#endif

/* initialize keyObject with key store */

status = sss_key_object_init(&key_object, &pCtx->ks);

if (status != kStatus_SSS_Success)

{

return status; /* return error if can't initialize keyObject */

}

/* allocate/pre-provision memory for new key */

status = sss_key_object_allocate_handle(&key_object,

objectID,

kSSS_KeyPart_Private,

kSSS_CipherType_RSA_CRT,

keyLen,

kKeyObject_Mode_Persistent);

if (status != kStatus_SSS_Success)

{

return status;

}

/* moves data[] from memory to the destination key store */

status = sss_key_store_set_key(&pCtx->ks, &key_object, key_inject, keyLen, keyLen * 8, &policy_for_ec_key, 0);

if (status != kStatus_SSS_Success)

{

return status;

}

return status; /* return successful if save data successfully */

}

Kan_Li · ‎10-28-2025

Hi @yang_lee ,

Which SE05x variant are you playing with? Please kindly clarify.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

yang_lee · ‎10-29-2025

Hi Kan,

Thanks for reply, I am using SE050C2HQ1 for my product. It seems to support RSA.

In addition, when I use OM-SE051 ARD-E Dev Kit to run seTool to set RSA key (using PlugAndTrust_v04.07.00_20250210), I get an error described as below image:

Thanks,

Kan_Li · ‎10-30-2025

Hi @yang_lee ,

Please try with RSA RAW instead, the RSA CTR doesn't accept the pri key value, please check the APDU spec for more details.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

yang_lee · ‎10-31-2025

Hi @Kan_Li ,

I noticed that the code in seTool is using kSSS_CipherType_RSA_CRT.

And I also tried with raw data but still failed. The RSA key that I pass into the ex_sss_entry_user_set_privKey function is attached below:

Is there any problem with this raw key?

Thanks

Kan_Li · ‎11-03-2025

Hi @yang_lee ,

How did you generate the RSA Key for SeTool externally? Actually we have a demo of se05x_Delete_and_test_provision which provides an example for that purpose, please kindly refer to the following for details.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

yang_lee · ‎11-03-2025

Hi @Kan_Li,

I generated the RSA key by Openssl.

I think I will use it with ECC key instead of RSA key because now I have successfully used it with ECC key. Thanks for your kind support.

Brg.

Kan_Li · ‎11-03-2025

Hi @yang_lee ,

Thanks for the clarification!

Please kindly have SeTool examples regarding RSA key pair as below:

openssl genpkey -algorithm RSA -out RsaKeyPair2048.pem -pkeyopt rsa_keygen_bits:2048

./seTool setRsaKeyPair 2048 0xF0000211 RsaKeyPair2048.pem none

Hope that helps,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

yang_lee · ‎11-04-2025

Hi @Kan_Li,

Thanks for suggestions.

I built Plug & Trust MW version 04.07.00 and tried with SE051 but it still fails when using RSA key while succeeds with ECC key. Details are shown in the image below:

Brg.

Kan_Li

Hi @yang_lee ,

Was the RSA key file generated with the following command?

openssl genpkey -algorithm RSA -out RsaKeyPair2048.pem -pkeyopt rsa_keygen_bits:2048

Are you using OM-SE050E-ARD ? Indeed SE050E doesn't support RSA.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

yang_lee

Hi @Kan_Li,

1. “Was the RSA key file generated with the following command?”
Yes, the RSA key file was generated using the command:
"openssl genpkey -algorithm RSA -out RsaKeyPair2048.pem -pkeyopt rsa_keygen_bits:2048."

2. “Are you using OM-SE050E-ARD? Indeed SE050E doesn't support RSA.”
No, I am using OM-SE051-ARD (SE051C2HQ1) instead of OM-SE050E-ARD. Actually I have both of these development kits and both build SE-PLUG-TRUST-MW_04.07.00 to run the examples with SE05x. Besides, the product I am developing is using SE050C2HQ1 (for both Android and Bare metal platform), everything seems to work fine except RSA.

Best regard.

Kan_Li

Hi @yang_lee ,

Sorry, my bad! Seems this tool has updated its parameters, please use the following command instead.

seTool setRSA 2048 0xF0000211 RsaKeyPair2048.pem none

Please kindly have my result as below:

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------