11.12.3.4.91. Function Se05x_API_ExportObject¶
Defined in File se05x_APDU_apis.h
11.12.3.4.91.1. Function Documentation¶
-
smStatus_t
Se05x_API_ExportObject
(pSe05xSession_t session_ctx, uint32_t objectID, SE05x_RSAKeyComponent_t rsaKeyComp, uint8_t *data, size_t *pdataLen)¶ Se05x_API_ExportObject
Reads a transient Secure Object from SE05X.
Secure Objects can be serialized so the Secure Object can be represented as a byte array. The byte array contains all attributes of the Secure Object, as well as the value (including the secret part!) of the object.
The purpose of the serialization is to be able to allow export and import of Secure Objects. Serialized Secure Objects can be reconstructed so they can be used as a (normal) Secure Object. Any operation like key or file management and crypto operation can only be done on a deserialized Secure Object.
Users can export transient Secure Objects to a non-trusted environment (e.g., host controller). The object must be AESKey, DESKey, RSAKey or ECCKey.
Exported credentials are always encrypted and MAC’ed.
The following steps are taken:
The secure element holds a randomly generated persistent 256-bit AES cipher and an 128-bit AES CMAC key. Both keys do not require user interaction, they are internal to the SE05X .
A Secure Object that is identified for export is serialized. This means the key value as well as all Secure Object attributes are stored as byte array (see Object attributes for attribute details).
The serialized Secure Object is encrypted using AES CBC (no padding) and using the default IV.
A CMAC is applied to the serialized Secure Object + metadata using the AES CMAC key.
The byte array is exported.
An object may only be imported into the store if the SecureObject ID and type are the same as the exported object. Therefore, it is not possible to import if the corresponding object in the applet has been deleted.
NOTES:
The exported object is not deleted automatically.
The timestamp has a 100msec granularity, so it is possible to export multiple times with the same timestamp. The freshness (user input) should avoid duplicate attestation results as the user has to provide different freshness input.
Command to Applet
Field
Value
Description
CLA
0x80
INS
INS_READ
See
SE05x_INS_t
.P1
P1_DEFAULT
See
SE05x_P1_t
P2
P2_EXPORT
See
SE05x_P2_t
Lc
#(Payload)
Payload Length.
TLV[TAG_1]
4-byte object identifier
TLV[TAG_2]
1-byte
SE05x_RSAKeyComponent_t
(only applies to Secure Objects of type RSAKey).Le
0x00
R-APDU Body
Value
Description
TLV[TAG_1]
Byte array containing exported Secure Object data.
R-APDU Trailer
SW
Description
SW_NO_ERROR
The file is created or updated successfully.
- Parameters
[in] session_ctx
: Session Context [0:kSE05x_pSession][in] objectID
: object id [1:kSE05x_TAG_1][in] rsaKeyComp
: rsaKeyComp [2:kSE05x_TAG_2][out] data
: [0:kSE05x_TAG_1][inout] pdataLen
: Length for data