11.12.3.4.91. Function Se05x_API_ExportObject

11.12.3.4.91.1. Function Documentation

smStatus_t Se05x_API_ExportObject(pSe05xSession_t session_ctx, uint32_t objectID, SE05x_RSAKeyComponent_t rsaKeyComp, uint8_t *data, size_t *pdataLen)

Se05x_API_ExportObject

Reads a transient Secure Object from SE05X.

Secure Objects can be serialized so the Secure Object can be represented as a byte array. The byte array contains all attributes of the Secure Object, as well as the value (including the secret part!) of the object.

The purpose of the serialization is to allow export and import of Secure Objects. Serialized Secure Objects can be reconstructed so they can be used as a (normal) Secure Object. Operations such as key management, file management and crypto operations can only be done on a deserialized Secure Object.

Users can export transient Secure Objects to a non-trusted environment (e.g., host controller). The object must be AESKey, DESKey, RSAKey or ECCKey.

Exported credentials are always encrypted and MAC’ed.

The following steps are taken:

  • The secure element holds a randomly generated persistent 256-bit AES cipher key and a 128-bit AES CMAC key. Neither key requires user interaction; both are internal to the SE05X.

  • A Secure Object that is identified for export is serialized. This means the key value as well as all Secure Object attributes are stored as byte array (see Object attributes for attribute details).

  • The serialized Secure Object is encrypted using AES CBC (no padding) with the default IV.

  • A CMAC is applied to the serialized Secure Object + metadata using the AES CMAC key.

  • The byte array is exported.

An object may only be imported into the store if the SecureObject ID and type are the same as the exported object. Therefore, it is not possible to import if the corresponding object in the applet has been deleted.

NOTES:

  • The exported object is not deleted automatically.

  • The timestamp has a 100 msec granularity, so it is possible to export multiple times with the same timestamp. The freshness (user input) should avoid duplicate attestation results, because the user has to provide a different freshness input each time.

Command to Applet

| Field | Value | Description |
|-------|-------|-------------|
| CLA | 0x80 | |
| INS | INS_READ | See SE05x_INS_t. |
| P1 | P1_DEFAULT | See SE05x_P1_t |
| P2 | P2_EXPORT | See SE05x_P2_t |
| Lc | #(Payload) | Payload Length. |
| | TLV[TAG_1] | 4-byte object identifier |
| | TLV[TAG_2] | 1-byte SE05x_RSAKeyComponent_t (only applies to Secure Objects of type RSAKey). |
| Le | 0x00 | |

R-APDU Body

| Value | Description |
|-------|-------------|
| TLV[TAG_1] | Byte array containing exported Secure Object data. |

R-APDU Trailer

| SW | Description |
|----|-------------|
| SW_NO_ERROR | The file is created or updated successfully. |

Parameters
  • [in] session_ctx: Session Context [0:kSE05x_pSession]

  • [in] objectID: object id [1:kSE05x_TAG_1]

  • [in] rsaKeyComp: rsaKeyComp [2:kSE05x_TAG_2]

  • [out] data: [0:kSE05x_TAG_1]

  • [inout] pdataLen: Length for data
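
The command and response layouts above, encoded and decoded on the host side. This is an added example, not the middleware's own code. The function names are hypothetical, and the numeric values of INS_READ, P1_DEFAULT, P2_EXPORT, the TLV tags and SW_NO_ERROR, as well as the short Lc/Le form and the 0x81/0x82 length prefixes, are assumptions to check against the SE05x headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ASSUMED numeric values (this page gives only symbolic names); check them
 * against SE05x_INS_t, SE05x_P1_t, SE05x_P2_t and the TLV tag enum. */
enum { CLA_SE05X = 0x80, INS_READ = 0x02, P1_DEFAULT = 0x00, P2_EXPORT = 0x12,
       TAG_1 = 0x41, TAG_2 = 0x42 };

/* Encode the C-APDU from the "Command to Applet" table (short Lc/Le form).
 * Set has_rsa_comp only for RSAKey objects, the one case where TLV[TAG_2]
 * applies. Returns the APDU length, or 0 if out is too small. */
size_t build_export_capdu(uint32_t object_id, int has_rsa_comp,
                          uint8_t rsa_comp, uint8_t *out, size_t cap)
{
    size_t lc = 6 + (has_rsa_comp ? 3 : 0), n = 0;
    if (cap < 5 + lc + 1) return 0;
    out[n++] = CLA_SE05X; out[n++] = INS_READ;
    out[n++] = P1_DEFAULT; out[n++] = P2_EXPORT;
    out[n++] = (uint8_t)lc;                      /* Lc = payload length */
    out[n++] = TAG_1; out[n++] = 4;              /* 4-byte object identifier */
    for (int s = 24; s >= 0; s -= 8) out[n++] = (uint8_t)(object_id >> s);
    if (has_rsa_comp) { out[n++] = TAG_2; out[n++] = 1; out[n++] = rsa_comp; }
    out[n++] = 0x00;                             /* Le */
    return n;
}

/* Decode the R-APDU: TLV[TAG_1] blob, then the status word (0x9000 assumed
 * for SW_NO_ERROR). *len works like pdataLen: capacity in, blob size out.
 * The blob is copied as-is; the host has no key to decrypt or verify it.
 * Returns 0 on success, -1 on error status, bad TLV or short buffer. */
int parse_export_rapdu(const uint8_t *r, size_t rlen, uint8_t *data, size_t *len)
{
    if (rlen < 4 || r[rlen - 2] != 0x90 || r[rlen - 1] != 0x00) return -1;
    size_t body = rlen - 2, i, l;
    if (r[0] != TAG_1) return -1;
    if (r[1] < 0x80) { l = r[1]; i = 2; }        /* one-byte length */
    else if (r[1] == 0x81 && body >= 3) { l = r[2]; i = 3; }
    else if (r[1] == 0x82 && body >= 4) { l = ((size_t)r[2] << 8) | r[3]; i = 4; }
    else return -1;
    if (l != body - i || l > *len) return -1;    /* reject overrun/trailing bytes */
    memcpy(data, r + i, l);
    *len = l;
    return 0;
}
```

The decoder rejects a response whose declared TLV length disagrees with the bytes actually received, so a truncated transfer is never stored as an importable object.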