帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Is it not possible to export a P-521 key stored on an SE050 ?

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

Is it not possible to export a P-521 key stored on an SE050 ?

‎07-09-2024 03:06 AM
2,373 次查看
S_GUED
Contributor II

Hi,


I am trying to generate a P-521 secret key on an SE050 secure element and then export it using the SE050 import/export mechanism, but I find myself unable to do so.

I generate a transient P-521 key using the WriteEcKey command, generating a transient KeyPair, using the ECCurve value NIST_P521, with a policy set for the null object id: POLICY_OBJ_ALLOW_READ, POLICY_OBJ_ALLOW_WRITE, POLICY_OBJ_ALLOW_DELETE, POLICY_OBJ_ALLOW_IMPORT_EXPORT, POLICY_OBJ_ALLOW_VERIFY, POLICY_OBJ_ALLOW_KA, POLICY_OBJ_ALLOW_ENC, POLICY_OBJ_ALLOW_DEC, POLICY_OBJ_ALLOW_SIGN


After that, calling ExportObject on the object Id of the generated key fails with status code CONDITIONS_OF_USE_NOT_SATISFIED (0x6985)

The exact same operation on a P384 key generated with the same policy can be successfully exported. I found no indication in the APDU specification as to why can't the P521 key be exported and what this error can mean.

What can be the limitation for this?


Best,
Sosthène

标签 (1)
标签
标记 (3)
0 项奖励
回复
7 回复数

‎07-09-2024 06:39 PM
2,356 次查看
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @S_GUED ,

 

Is it possible to have the APDU log for a review? Which SE05x variant was used? What about the applet version(may be fetched with the demo of se05x_GetInfo)?

 

Thanks for your patience!

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 项奖励
回复

‎07-16-2024 01:07 AM
2,292 次查看
S_GUED
Contributor II

Sorry for the delay in responding.

Here are the APDU I sent. The third APDU that fails with status code 0x6985:

00A4040010A000000396545300000001030000000007
8081610014110908000000001F34100041040000000F420105
800200190941040000000F4201FF00

The variant used is the SE050 with applet version 3.1.1

0 项奖励
回复

‎07-16-2024 06:00 AM
2,283 次查看
S_GUED
Contributor II

I get the same error with BrainpoolP512R1 keys.

This does not happen with the nist or brainpool curves of 256 and 384 bits.

Prior to running the generation, the curves are created in the SE050 with the APDUs CreateEcCurve and SetEcCurveParam.

0 项奖励
回复

‎07-23-2024 05:23 AM
2,258 次查看
S_GUED
Contributor II

@Kan_LiI have not found any answer to this issue. Is it normal?

Best,
Sosthène

标记 (1)
0 项奖励
回复

‎07-23-2024 06:37 PM
2,247 次查看
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @S_GUED ,

 

I has reproduced this issue here, so I am checking internally with other teams now and will let you know when I have any more info from there.

 

Thanks for your patience!

 

Best Regards,

Kan

0 项奖励
回复

‎08-05-2024 07:52 AM
2,184 次查看
S_GUED
Contributor II

Hi,

I have not received any news regarding this issue. Have you been able to find the root cause or a workaround?

Best,
Sosthène

0 项奖励
回复

‎08-09-2024 12:38 AM
2,140 次查看
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @S_GUED ,

 

It was just confirmed that the export APDU command has to be sent in the extend length format. so please apply the following patch and it will be fixed in the next release.

 

smStatus_t Se05x_API_ExportObject(
    pSe05xSession_t session_ctx, uint32_t objectID, SE05x_RSAKeyComponent_t rsaKeyComp, uint8_t *data, size_t *pdataLen)
{
    smStatus_t retStatus = SM_NOT_OK;
    tlvHeader_t hdr      = {{kSE05x_CLA, kSE05x_INS_READ, kSE05x_P1_DEFAULT, kSE05x_P2_EXPORT}};
    uint8_t cmdbuf[SE05X_MAX_BUF_SIZE_CMD];
    size_t cmdbufLen                       = 0;
    uint8_t *pCmdbuf                       = &cmdbuf[0];
    int tlvRet                             = 0;
    uint8_t rspbuf[SE05X_MAX_BUF_SIZE_RSP] = {0};
    uint8_t *pRspbuf                       = &rspbuf[0];
    size_t rspbufLen                       = ARRAY_SIZE(rspbuf);
    size_t rspIndex                        = 0;
#if VERBOSE_APDU_LOGS
    NEWLINE();
    nLog("APDU", NX_LEVEL_DEBUG, "ExportObject []");
#endif /* VERBOSE_APDU_LOGS */
    tlvRet = TLVSET_U32("object id", &pCmdbuf, &cmdbufLen, kSE05x_TAG_1, objectID);
    if (0 != tlvRet) {
        goto cleanup;
    }
    tlvRet = TLVSET_RSAKeyComponent("rsaKeyComp", &pCmdbuf, &cmdbufLen, kSE05x_TAG_2, rsaKeyComp);
    if (0 != tlvRet) {
        goto cleanup;
    }

 

    retStatus = DoAPDUTxRx_s_Case4_ext(session_ctx, &hdr, cmdbuf, cmdbufLen, rspbuf, &rspbufLen);
    if (retStatus == SM_OK) {
        retStatus = SM_NOT_OK;
        tlvRet    = tlvGet_u8buf(pRspbuf, &rspIndex, rspbufLen, kSE05x_TAG_1, data, pdataLen); /*  */
        if (0 != tlvRet) {
            goto cleanup;
        }
        if ((rspIndex + 2) == rspbufLen) {
            retStatus = (smStatus_t)((pRspbuf[rspIndex] << | (pRspbuf[rspIndex + 1]));
        }
    }

 

cleanup:
    return retStatus;
}

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

0 项奖励
回复