A problem about generating PKI tree via hab4_pki_tree.sh of cst-2.3.1

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

A problem about generating PKI tree via hab4_pki_tree.sh of cst-2.3.1

1,290 次查看
tsung-chihwang
Contributor III

Hi All,

I met a problem about generating PKI tree via hab4_pki_tree.sh of cst-2.3.1.

Even I input the same CA key, I will get different SRK each time..

Is it reasonable?

I supposed that I can get the same SRK/CSF/IMG if I input the same CA.

BR,

carter

标签 (1)
标记 (2)
4 回复数

1,032 次查看
Yuri
NXP Employee
NXP Employee

Hello,

    This is implementation feature of NXP CST.

Customers can design own  one ; please refer to Appendix B (Replacing the CST Backend

Implementation) of the CST User’s Guide (HABCST_UG.pdf).

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

1,032 次查看
tsung-chihwang
Contributor III

Hi Yuri,

Thanks for your quick response.

So the result is NXP's implementation feature, right?

If never modified NXP's implementation, I will get different SRK each time even input the same CA key, right?

BR,

carter

0 项奖励
回复

1,032 次查看
Yuri
NXP Employee
NXP Employee

Hello,

 Yes - different SRK for the same CA, since CA is top of PKI, intended just to sign SRK.

The openssl will generate different RSA key-pairs (IMG, CSF, SRK) each time. 

 

You can take a look also to CST/doc folder to HABCST_UG.pdf, page 26, Figure 11. HAB4 PKI Tree.

 

A HAB4 PKI tree consists of the following keys and certificates:
• CA key: is the top most key and is only used for signing SRK certificates.
• SRK: is the root key for HAB code signing keys. The cryptographic hash of a table of SRK is burned to one-time programmable efuses to establish a root of trust. Only one of the SRKs in the table may be selected for use on the Freescale processor per reset cycle. The selection of which SRK to use is a parameter within the Install Key CSF command (see Section 5.2.2, “Install SRK”). The SRK may only be used for signing certificate data of subordinate keys.
• CSF: is a subordinate key of the SRK and is used to verify the signature across CSF commands.
• IMG: is a subordinate key of the SRK key and is used to verify signatures across product software.

Regards,

Yuri

1,032 次查看
tsung-chihwang
Contributor III

Hi Yuri,

Got it.

Thanks for your great support.

BR,

carter

0 项奖励
回复