There's some indication that a customer can use a KEK to wrap keys
I "inject" into the SE05x keystore. Unfortunately, injecting keys into the part is non-compliant for this customer. Instead, can they use a KEK to wrap asymmetric keys that they generate on the SE05x using the sss_key_store_generate_key() API?
Hi @todd_nuzum ,
KEK is just available when you write SymmKey , but to cover all the secure objects injection, you may use the external import method, as mentioned by @msjcard . We have a demo to demonstrate how to prepare a complete raw APDU for that purpose, please kindly refer to simw-top/doc/demos/se05x/se05x_ImportExternalObjectPrepare/Readme.html for details.
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
Hi @TonyMo ,
KEK is not a valid option for WriteRSAKey APDU command, for such use case, you have to use the external import mechanism, please kindly refer to "3.2.9 Secure Object external import" in https://www.nxp.com/webapp/Download?colCode=AN12543 for details.
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
Hi @TonyMo ,
SE050 has an APDU command to generate RSA key pair inside, but there is no KEK option, which is for symmetric keys indeed, while you may set up the policy for the RSA key pair, so that only the specific user may access this secure object and of course the private kay can not be fetched by any means. You may refer to "4.7.1.2 WriteRSAKey" and "3.7 Policies" in AN12543 for more details.
Hope that helps,
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
I'd take a look at AN12413, Figure 5 and section 3.2.9. I'm not sure which middleware calls implement that diagram, but it looks like it is certainly possible to upload a key securely.