Type of kSE05x_AppletResID_RESTRICT authentication object

psvz
Contributor IV

From APDU manual 4.6.2 DisableObjectCreation command:

This command can only be used in a session that used the credential with identifier
RESERVED_ID_RESTRICT as authentication object.

0x7FFF020A aka RESERVED_ID_RESTRICT aka kSE05x_AppletResID_RESTRICT

I can create such a UserID and then use Se05x_API_VerifySessionUserID() to get required session.

However, in your only example with that ID in simw-top/demos/se05x/se05x_Delete_and_test_provision/se05x_Delete_and_test_provision_common.c - 

Se05x_API_WriteSymmKey(pSe05xSession,
            (Se05xPolicy_t *)&policy_for_auth_obj,
            SE05x_MaxAttemps_UNLIMITED,
            kSE05x_AppletResID_RESTRICT,
            SE05x_KeyID_KEK_NONE,
            restrict_value,
            sizeof(restrict_value),
            (SE05x_INS_t)kSE05x_AttestationType_AUTH,
            kSE05x_SymmKeyType_AES);

So, I am confused - how do you set up a session with an AES object as opposed to a UserID object? What Se05x_API_ should I use to verify a session after creation?

Kan_Li
NXP TechSupport

Hi @psvz ,

 

An AES key can also be used to authenticate a user session; please kindly refer to the following for details.

[Image: Kan_Li_0-1747892545352.png]

You may use the following API for that purpose.

[Image: Kan_Li_1-1747892644247.png]

 

Hope that helps,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

 

psvz
Contributor IV

Hi @Kan_Li ,

You indeed have some bits and pieces documented around applet-level SCP03, however I have been failing for a week to find any relevant code. Implementation I see does not follow your own documentation for "applet-level". Everything I could find is platform-level.

Host-side code needs me to provide the AES key (all 256 bits) that originally was provisioned in SE under ID I am to "open a session on". For example, SE has

Key-Id: 0X7fff0200   AES                              Size(Bits): 256

This is a symmetric key, so I need the host to have exactly this key to open a session. How would you expect ex_sss_boot_open_on_id() to work if it doesn't take this key as its argument???

It opens basic unprotected session:

20        status = ex_sss_boot_open_on_id(&ctx, NULL, kSE05x_AppletResID_TRANSPORT);
(gdb) n
smCom :INFO :Found Reader: Identiv uTrust 3700 F CL Reader [uTrust 3700 F CL Reader] (55022428201805) 00 00
smCom :INFO :Connecting to reader: Identiv uTrust 3700 F CL Reader [uTrust 3700 F CL Reader] (55022428201805) 00 00
sss   :INFO :Newer version of Applet Found
sss   :INFO :Compiled for 0x70200. Got newer 0x7022E
sss   :WARN :Communication channel is Plain.
sss   :WARN :!!!Not recommended for production use.!!!
Kan_Li
NXP TechSupport

Hi @psvz ,

 

Indeed, my code snippet comes from the ECC concurrent example, which needs to invoke se05x_Delete_and_test_provision first to provision the Auth IDs. Did you run se05x_Delete_and_test_provision before you tested this API?

 

Have a great day,
Kan


psvz
Contributor IV

Hi @Kan_Li 

The authentication object is provisioned as

Key-Id: 0X7fff0200   AES                              Size(Bits): 256

One actual question is - how would we expect ex_sss_boot_open_on_id() to work if it doesn't take a symmetric key as its argument???

And another question is how to populate sss_object_t key in memory of the host only, because sss_key_store_set_key() would always create the key inside SE, even with kKeyObject_Mode_Transient. I am not sure if it's PCSC-specific behavior, but I need my symmetric key in the host's memory within sss_object_t to open authenticated session, and existing API won't let me.

psvz
Contributor IV

Hi @Kan_Li 

RE

ex_sss_boot_open_on_id() can work with any Auth ID not limited to AES Key, you may provision an EC key or a UserID as Authenticated secure object and pass the ID to this API to open an ECKey session or UserID session.

[VZ] I do not consider EC in the question. For UserID you need to supply the UserID at the host side. As ex_sss_boot_open_on_id() does not take UserID as its argument it cannot be possibly used for this. UserID was not in the question either but FYI the best way to open authenticated session on UserID is using these two calls:

Se05x_API_CreateSession()

Se05x_API_VerifySessionUserID()

The workflow is documented in APDU reference document.

For AES ex_sss_boot_open_on_id() cannot be used because it does not take AES key as its argument. So, I have to re-iterate this question. Perhaps you could share working call-flow.

 

RE

you may create symmetric key in host, sss_key_store_set_key() would check if the key store is a host key store or se05x key store, but the symmetric key in host key store can not be used to open an authenticated session. 

[VZ] I will check if I can change the type of the keystore - thanks for this. AES authenticated session is the equivalent of SCP03. You have to have the AES key in host memory to authenticate with a symmetric key. If host key store isn't suitable for this, then which key store is?

Kan_Li
NXP TechSupport

Hi @psvz ,

 

If you want to use ex_sss_boot_open_on_id() to open an AESKey session, you have to build the MW with Auth_type=AESKey, to allow this API to take the Auth ID. Please refer to ex_sss_boot_se05x_open_on_Id() for more details, in which the host key store would also prepare the AES key as well.

 

Have a great day,
Kan


Kan_Li
NXP TechSupport

Hi @psvz ,

 

ex_sss_boot_open_on_id() can work with any Auth ID, not limited to an AES key; you may provision an EC key or a UserID as an Authenticated secure object and pass the ID to this API to open an ECKey session or UserID session.

You may create a symmetric key in the host; sss_key_store_set_key() would check if the key store is a host key store or an se05x key store, but the symmetric key in the host key store cannot be used to open an authenticated session.

 

Have a great day,
Kan


psvz
Contributor IV

Hi @Kan_Li 

Inadvertently mixed up the order in the thread, sorry, replying to your

[RE]

If you want to use ex_sss_boot_open_on_id() to open an AESKey session, you have to build the MW with Auth_type=AESKey, to allow this API to take the Auth ID. Please refer to ex_sss_boot_se05x_open_on_Id() for more details, in which the host key store would also prepare the AES key as well. 

-------

The API does take Auth ID - it is not a problem. The problem is that it doesn't take symmetric key provisioned in SE under that ID. Symmetric authentication model requires authenticating party to present the key.

Kan_Li
NXP TechSupport

Hi @psvz ,

 

Yes, I agree that the symmetric authentication model requires the authenticating party to present the key, but that doesn't mean it allows the host to read the symmetric keys stored within the SE; if it did, any user could authenticate with the SE. So, from the host side, the key value has to be set in the host key store for the AES authentication. If you use ex_sss_boot_open_on_id(), it calls ex_sss_se05x_prepare_host_keys() for that purpose. You may find it in ex_sss_se05x_auth.c.

 

Hope that helps,

 

Have a great day,
Kan


psvz
Contributor IV

Hi @Kan_Li 

I agree - I never asked for the host to read the symmetric keys stored within the SE. I only said your host-side API must have it as an input. And it doesn't.

I checked ex_sss_se05x_prepare_host_keys() from ex_sss_se05x_auth.c --

It does use a hard-coded key internally (16 bytes), and I need a different key and size (32 bytes). I am trying to follow its implementation, however.

All sss_host_* functions in my code following

sss_host_session_open(&prep, kType_SSS_OpenSSL, 0, kSSS_ConnectionType_Plain, NULL); result in

gcc -g -O2 -Wall -I/usr/local/include/se05x -I/root/simw-top/ext/mbedtls/include -c test.c -o test.o
gcc -g -O2 -Wall -I/usr/local/include/se05x -I/root/simw-top/ext/mbedtls/include -o test test.o -lsssapisw -lse05x -lex_common
/usr/bin/ld: test.o: in function `main':
/root/nxp/tst/test.c:32: undefined reference to `sss_mbedtls_session_open'
/usr/bin/ld: /root/nxp/tst/test.c:34: undefined reference to `sss_mbedtls_key_store_context_init'
/usr/bin/ld: /root/nxp/tst/test.c:36: undefined reference to `sss_mbedtls_key_store_allocate'
/usr/bin/ld: /root/nxp/tst/test.c:38: undefined reference to `sss_mbedtls_key_object_init'
/usr/bin/ld: /root/nxp/tst/test.c:39: undefined reference to `sss_mbedtls_key_object_allocate_handle'
/usr/bin/ld: /root/nxp/tst/test.c:41: undefined reference to `sss_mbedtls_key_object_init'
/usr/bin/ld: /root/nxp/tst/test.c:42: undefined reference to `sss_mbedtls_key_object_allocate_handle'
/usr/bin/ld: /root/nxp/tst/test.c:44: undefined reference to `sss_mbedtls_key_object_init'
/usr/bin/ld: /root/nxp/tst/test.c:45: undefined reference to `sss_mbedtls_key_object_allocate_handle'
/usr/bin/ld: /root/nxp/tst/test.c:47: undefined reference to `sss_mbedtls_key_object_init'
/usr/bin/ld: /root/nxp/tst/test.c:48: undefined reference to `sss_mbedtls_key_object_allocate_handle'
/usr/bin/ld: /root/nxp/tst/test.c:50: undefined reference to `sss_mbedtls_key_object_init'
/usr/bin/ld: /root/nxp/tst/test.c:51: undefined reference to `sss_mbedtls_key_object_allocate_handle'
/usr/bin/ld: /root/nxp/tst/test.c:53: undefined reference to `sss_mbedtls_key_object_init'
/usr/bin/ld: /root/nxp/tst/test.c:54: undefined reference to `sss_mbedtls_key_object_allocate_handle'
/usr/bin/ld: /root/nxp/tst/test.c:56: undefined reference to `sss_mbedtls_key_store_set_key'
/usr/bin/ld: /root/nxp/tst/test.c:57: undefined reference to `sss_mbedtls_key_store_set_key'
/usr/bin/ld: /root/nxp/tst/test.c:58: undefined reference to `sss_mbedtls_key_store_set_key'
collect2: error: ld returned 1 exit status
make: *** [Makefile:16: test] Error 1

And my compile option is

PTMW_HostCrypto OPENSSL

Could you please help fix this behavior?

Kan_Li
NXP TechSupport

Hi @psvz ,

 

The CreateSession command always needs an Auth ID to create a session, and that is why ex_sss_boot_open_on_id() needs an Auth ID as one of its inputs. 

 

For your compiling issue, I am not sure if you write your application from scratch or based on some MW demo, but since you set PTMW_HostCrypto as OPENSSL, why include the mbedtls folder in the building? 

[Image: Kan_Li_0-1749092541362.png]

 

Have a great day,
Kan


psvz
Contributor IV

Hi @Kan_Li 

I never questioned AuthID in ex_sss_boot_open_on_id() - what makes you explain its presence?

I said that NXP middleware lacks essential API for AES-authenticated session because the "API" you offer does not take symmetric key, and therefore it is not a useful API.

Yes, mbedtls was a workaround. NXP middleware fails to adjust fsl_sss_ftr_default.h at compile time, and it persisted with incompatible variable derailing the build process. For example, it contains wrong SE model, and this:

 

/** Use mbedTLS as host crypto */
#define SSS_HAVE_HOSTCRYPTO_MBEDTLS 1

/** Use OpenSSL as host crypto */
#define SSS_HAVE_HOSTCRYPTO_OPENSSL 0

 

which I had to just edit manually to make the build process consistent with compile-time configuration.

Next stopper:  Se05x_API_CreateSession() fails with SW_CONDITIONS_NOT_SATISFIED if I open a session on

Key-Id: 0X7fff0200   AES                              Size(Bits): 256

 Could you confirm 256-bits length is supported for authentication?

Kan_Li
NXP TechSupport

Hi @psvz ,

 

I am wondering if you have looked into the source code of the API I recommended. Indeed, ex_sss_boot_open_on_id() supports opening an AESKey session, but it always complies with PTMW_SE05X_Auth: if you define PTMW_SE05X_Auth as None, it always opens the default session even if you pass a proper Auth ID for an AESKey session. That is why I asked you to check the PTMW_SE05X_Auth definition in your case.

The reason for your failure is also that you tried to authenticate on RESERVED_ID_TRANSPORT, which is not an AES Auth ID known by the MW; you have to use the following keys for evaluation:

[Image: Kan_Li_0-1749193318435.png]

If you need RESERVED_ID_TRANSPORT (0x7fff0200) as the auth ID, please update the kEX_SSS_ObjID_APPLETSCP03_Auth definition as well as EX_SSS_AUTH_SE05X_APPLETSCP_VALUE, and of course you have to provision this key ID to the SE first.

Please also note the MW is managed by CMake, so we always recommend configuring it with the CMake tools instead of manually editing the header files directly.


Hope that makes sense,

 

Have a great day,
Kan


psvz
Contributor IV

Hi @Kan_Li 

I am reporting a MW bug: the CMake automatic build process fails to adjust the fsl_sss_ftr_default.h file - so one has to do it manually.

And we really need to focus on key-size question to close this thread. I can successfully open an authenticated session with this object:

Key-Id: 0X777        AES                              Size(Bits): 128

However, the same code fails with kStatus_SSS_Fail based on SM_ERR_CONDITIONS_NOT_SATISFIED from Se05x_API_CreateSession(), if I run it with this object:

Key-Id: 0X777        AES                              Size(Bits): 256

You can see the same ID, and the only difference is the key length.

Can you please confirm with the manufacturer the max length of AES key for authentication SE05X supports is 16 bytes?

psvz
Contributor IV

Hi @Kan_Li -

I have now found the answer in the APDU guide:

3.2.3 Authentication object
An Authentication Object is a Secure Object that can only be used to open a session ... Authentication objects can only be of class ECKey, AESKey (only 128 bit) or UserID.

To re-iterate conclusions from the thread:

1. You do not offer API for AES authentication, instead the MW has an example with hard-coded keys (e.g. EX_SSS_AUTH_SE05X_KEY_ENC) in simw-top/sss/ex/inc/ex_sss_auth.h file.

2. One may need to manually edit fsl_sss_ftr_default.h to set MW includes to openssl and away from mbedtls.

Thanks for your input and have a good weekend.

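
Added example, not part of the thread or of NXP's middleware: a shell check for the mismatch described above, where the build is configured with PTMW_HostCrypto OPENSSL but fsl_sss_ftr_default.h still selects mbedTLS. The function names and the sample header are constructed for illustration; only the two macro names come from the thread.

```shell
#!/bin/sh
# Report which host-crypto backend a feature header selects and compare it
# with the backend the build was configured for (e.g. PTMW_HostCrypto).

# Print the value of the last "#define NAME VALUE" line, or nothing if absent.
macro_value() {  # $1 = header path, $2 = macro name
    awk -v m="$2" '$1 == "#define" && $2 == m { v = $3 }
                   END { if (v != "") print v }' "$1"
}

# Print MBEDTLS, OPENSSL, NONE or CONFLICT for the given header.
header_host_crypto() {  # $1 = header path
    mbed=$(macro_value "$1" SSS_HAVE_HOSTCRYPTO_MBEDTLS)
    ossl=$(macro_value "$1" SSS_HAVE_HOSTCRYPTO_OPENSSL)
    case "${mbed:-0}${ossl:-0}" in
        10) echo MBEDTLS ;;
        01) echo OPENSSL ;;
        00) echo NONE ;;
        *)  echo CONFLICT ;;   # both enabled, or a value other than 0/1
    esac
}

# Return 0 when the header agrees with the configured backend, 1 otherwise.
check_host_crypto() {  # $1 = header path, $2 = expected backend
    actual=$(header_host_crypto "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: header selects $actual"
        return 0
    fi
    # A mismatch is what produced the sss_mbedtls_* link errors in the thread.
    echo "MISMATCH: configured $2, header selects $actual" >&2
    return 1
}

# Constructed sample: the two defines exactly as quoted in the thread.
sample_header() {
    cat <<'EOF'
/** Use mbedTLS as host crypto */
#define SSS_HAVE_HOSTCRYPTO_MBEDTLS 1

/** Use OpenSSL as host crypto */
#define SSS_HAVE_HOSTCRYPTO_OPENSSL 0
EOF
}

# Usage: sh check.sh <path to fsl_sss_ftr_default.h> <OPENSSL|MBEDTLS>
if [ "$#" -eq 2 ]; then
    check_host_crypto "$1" "$2"
fi
```

Run it against the installed header before compiling an application, so a stale header shows up as a one-line mismatch instead of a page of undefined references.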