
SW_CONDITIONS_NOT_SATISFIED when reading RSA key pair or executing RSASign operations

Question asked by Daniel Bissler on Mar 18, 2020
Latest reply on Mar 31, 2020 by Kan_Li

I've been working with the OM-SE050ARD demo board connected via the external I2C interface to a proprietary circuit card. I have generated an RSA-2048 key pair, and according to the APDU specification, I should be able to read the public key using the ReadSecureObject command and sign data using the RSASign command.


I have run tests in both a session-less and a UserID session context. I have tried assigning policies to the keys, but from my understanding of the documentation, the default policy should be adequate (the default secure object policy is full access, except attestation; this would mean read, write, generate, delete, sign, verify, encrypt, decrypt, etc.), as I am only attempting to read and sign right now.

To read the RSA public key modulus, the APDU command is as follows:

80 02 00 00 09 41 04 00 00 00 01 44 01 00 00

CLA = 80

INS = INS_READ

P1 = P1_DEFAULT

P2 = P2_DEFAULT

Lc = 09

TAG_1 04 00 00 00 01 (object id = 0x00000001)

TAG_4 01 00 (RSA_COMP_MOD)

Lc = 0

TAG_2, TAG_3, TAG_5-TAG_7 are optional and do not apply to RSA keys

In response I receive 69 85, SW_CONDITIONS_NOT_SATISFIED. I get this regardless of whether the keys have the default policy or an explicit policy set. 


Furthermore, when I try to sign some random data, I get the same result of SW_CONDITIONS_NOT_SATISFIED. The command for that is as follows:

80 03 0c 09 2b 41 04 00 00 00 01 42 01 28 43 20 69 47 56 c0 a4 1d 6b 60 69 43 74 63 1c a3 80 7b 87 f3 5b 48 9e dd 82 9c 75 6b b3 32 ba e6 17 5d 00

CLA = 80

INS = INS_CRYPTO

P1 = P1_SIGNATURE

P2 = P2_SIGN

Lc = 2B

TAG_1 04 00 00 00 01 (object id = 0x00000001)

TAG_2 01 28 (RSASignatureAlgo = RSA_SHA_256_PKCS1)

TAG_3 20 69 47 56 c0 a4 1d 6b 60 69 43 74 63 1c a3 80 7b 87 f3 5b 48 9e dd 82 9c 75 6b b3 32 ba e6 17 5d (data)

Le = 00

Here I get SW_CONDITIONS_NOT_SATISFIED as well regardless of whether I use the default policy or an explicitly set policy.


The applet version is 3.1.0 and applet config is 0x6FFF.


What other conditions would need to be satisfied to read the RSA public key components or to sign using a generated RSA private key?
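A small APDU builder and parser for the two commands discussed in this thread, added here as an example; it is not code from the original post or from NXP's own middleware. The CLA/INS/P1/P2 bytes, tag numbers and the RSA_COMP_MOD and RSA_SHA_256_PKCS1 values are taken from the hex dumps in the question; the long-form BER length handling (0x81/0x82) for values of 0x80 bytes or more, and all helper names, are assumptions. Re-encoding both APDUs from their fields and comparing them byte for byte shows that the Lc values and TLV framing in the question are internally consistent, so the 69 85 status word is not explained by a length or framing mistake.

```python
"""Build and check SE050-style APDUs for ReadSecureObject and RSASign.

Added example, not code from the original post or from NXP's middleware.
CLA/INS/P1/P2, tag numbers and the constants RSA_COMP_MOD / RSA_SHA_256_PKCS1
come from the bytes in the question; BER long-form lengths (0x81/0x82) for
values of 0x80 bytes or more are an assumption about the TLV encoding.
"""

CLA = 0x80
INS_READ, INS_CRYPTO = 0x02, 0x03
P1_DEFAULT, P2_DEFAULT = 0x00, 0x00
P1_SIGNATURE, P2_SIGN = 0x0C, 0x09
TAG_1, TAG_2, TAG_3, TAG_4 = 0x41, 0x42, 0x43, 0x44
RSA_COMP_MOD = 0x00          # TAG_4 value: read the modulus component
RSA_SHA_256_PKCS1 = 0x28     # TAG_2 value: RSASignatureAlgo used in the question

# Status words named in the question plus the success code.
STATUS_WORDS = {0x9000: "SW_NO_ERROR", 0x6985: "SW_CONDITIONS_NOT_SATISFIED"}


def encode_length(n):
    """BER length: short form below 0x80, otherwise 0x81/0x82 long form (assumption)."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return bytes([0x81, n])
    if n < 0x10000:
        return bytes([0x82, n >> 8, n & 0xFF])
    raise ValueError("TLV value too long")


def tlv(tag, value):
    """Encode one tag / length / value element."""
    return bytes([tag]) + encode_length(len(value)) + bytes(value)


def build_apdu(cla, ins, p1, p2, tlvs, with_le=True):
    """Short-APDU case 4 framing: header, Lc, concatenated TLVs, optional Le=00."""
    payload = b"".join(tlvs)
    if len(payload) > 0xFF:
        raise ValueError("payload exceeds short-APDU Lc")
    apdu = bytes([cla, ins, p1, p2, len(payload)]) + payload
    return apdu + b"\x00" if with_le else apdu


def read_rsa_modulus_apdu(object_id):
    """ReadSecureObject for the modulus of RSA key <object_id> (32-bit id)."""
    return build_apdu(CLA, INS_READ, P1_DEFAULT, P2_DEFAULT,
                      [tlv(TAG_1, object_id.to_bytes(4, "big")),
                       tlv(TAG_4, [RSA_COMP_MOD])])


def rsa_sign_apdu(object_id, data, algo=RSA_SHA_256_PKCS1):
    """RSASign: key id, signature algorithm, data to sign."""
    return build_apdu(CLA, INS_CRYPTO, P1_SIGNATURE, P2_SIGN,
                      [tlv(TAG_1, object_id.to_bytes(4, "big")),
                       tlv(TAG_2, [algo]),
                       tlv(TAG_3, data)])


def parse_tlvs(buf):
    """Split a buffer into (tag, value) pairs, validating every length field."""
    out, i = [], 0
    while i < len(buf):
        if i + 1 >= len(buf):
            raise ValueError("tag without length at offset %d" % i)
        tag, first = buf[i], buf[i + 1]
        i += 2
        if first < 0x80:
            n = first
        elif first == 0x81 and i < len(buf):
            n, i = buf[i], i + 1
        elif first == 0x82 and i + 1 < len(buf):
            n, i = (buf[i] << 8) | buf[i + 1], i + 2
        else:
            raise ValueError("bad or truncated length field at offset %d" % (i - 1))
        if i + n > len(buf):
            raise ValueError("TLV length %d runs past end of buffer" % n)
        out.append((tag, bytes(buf[i:i + n])))
        i += n
    return out


def parse_apdu(apdu):
    """Check Lc against the body and return header fields, TLVs and Le."""
    if len(apdu) < 5:
        raise ValueError("APDU shorter than header + Lc")
    cla, ins, p1, p2, lc = apdu[:5]
    body, tail = apdu[5:5 + lc], apdu[5 + lc:]
    if len(body) != lc:
        raise ValueError("Lc=%d but only %d body bytes present" % (lc, len(body)))
    if len(tail) > 1:
        raise ValueError("%d bytes after the body; Lc too small?" % len(tail))
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "lc": lc,
            "tlvs": parse_tlvs(body), "le": tail[0] if tail else None}


def status_name(sw):
    """Map a two-byte status word to its name."""
    code = int.from_bytes(sw, "big")
    return STATUS_WORDS.get(code, "unknown status 0x%04x" % code)


# The two APDUs from the question (copied from its hex dumps), used as reference input.
READ_APDU = bytes.fromhex("80 02 00 00 09 41 04 00 00 00 01 44 01 00 00")
SIGN_DATA = bytes.fromhex("69 47 56 c0 a4 1d 6b 60 69 43 74 63 1c a3 80 7b "
                          "87 f3 5b 48 9e dd 82 9c 75 6b b3 32 ba e6 17 5d")
SIGN_APDU = bytes.fromhex("80 03 0c 09 2b 41 04 00 00 00 01 42 01 28 43 20") + SIGN_DATA + b"\x00"

if __name__ == "__main__":
    assert read_rsa_modulus_apdu(1) == READ_APDU
    assert rsa_sign_apdu(1, SIGN_DATA) == SIGN_APDU
    for name, apdu in ("ReadSecureObject", READ_APDU), ("RSASign", SIGN_APDU):
        p = parse_apdu(apdu)
        print(name, "Lc=%d" % p["lc"], [("%02x" % t, v.hex()) for t, v in p["tlvs"]], "Le=%s" % p["le"])
    print(status_name(b"\x69\x85"))
```

Running the block re-derives both APDUs from their fields and parses them back; the parser also rejects an APDU whose Lc disagrees with the number of body bytes, which is the first thing worth checking when a secure element answers with a condition-of-use status word.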
