10.5. A71CH Legacy Configure Tool

10.5.1. Introduction

The A71CH Configure Tool is a command line tool that supports the insertion of credentials into the A71CH. It can also report on the value and status of the stored credentials and on the status of the device. The tool is provided in source code (.../hostlib/a71ch/app) and can be deployed in one of the following configurations:

  • Installed on a development PC communicating over TCP/IP with the embedded target

  • Standalone on an embedded target

In Tool deployment we go into more detail on this.

Simply invoking the tool in standalone mode on an MCIMX6UL-EVKB board results in the following output (some output edited away):

root@imx6ulevk:~# ./a71chConfig_i2c_imx
a71chConfig (Rev 1.00) .. connect to A71CH. Chunksize at link layer = 256.
...
Applet-Rev:SecureBox-Rev   : 0x0131:0x0000
****************************
Usage: a71chConfig [apdu|debug|erase|gen|info|interactive|lock|rcrt|scp|set|wcrt|help] <OptArg>
    apdu -cmd <hexval> -sw <hexval>
    debug [permanently_disable_debug|reset]
    ecrt -x <int>
    erase [cnt|pair|pub|sym] -x <int>
    gen pair -x <int>
    get pub -c <hex_value> -x <int> -k <keyfile.pem>
    info [all|cnt|device|objects|pair|pub|status]
    info gp -h <hexvalue_offset> -n <segments>
    interactive
    lock [pair|pub] -x <int>
    lock gp -h <hexvalue_offset> -n <segments>
    lock inject_plain
    obj erase -x <int>
    obj get -x <int> [-h <hexvalue_offset>] [-s <hexvalue_size>] [-f <data.txt> -t [hex_16|hex_32]]
    obj update -x <int> -h <hexvalue_offset> [-f <data.txt> -t [hex_16|hex_32] | -h <hexvalue_data>]
    obj write -x <int> [-f <data.txt> -t [hex_16|hex_32] | -h <hexvalue_data> | -n <segments>]
    rcrt -x <int> [-c <certfile.crt>]
    refpem -c <hex_value> -x <int> [-k <keyfile.pem>] -r <ref_keyfile.pem>
    script -f <script.txt>
    scp [put|auth] -h <hexvalue_keyversion> -k <keyfile>
    set gp -h <hexvalue_offset> -h <hexvalue_data>
    set pair -x <int> [-k <keyfile.pem> | -h <hexvalue_pub> -h <hexvalue_priv>] [-w <hexvalue_wrap_key>]
    set pub  -x <int> [-k <keyfile.pem> | -h <hexvalue>] [-w <hexvalue_wrap_key>]
    set [cfg|cnt|sym]  -x <int> -h <hexvalue> [-w <hexvalue_wrap_key>]
    transport [lock|unlock -h <hexvalue_tpkey>]
    ucrt -x <int> [-c <certfile.crt> | -h <hexvalue_data> | -p <certfile.pem>]
    wcrt -x <int> [-c <certfile.crt> | -h <hexvalue_data> | -p <certfile.pem>] [-n <padding-segments>]
****************************

The tool provides an overview of the available command line options. We’ll go into more detail on the syntax in Command reference.

The easiest way to get familiar with the A71CH configure tool is to open it in interactive mode. Be sure to connect to an A71CH with the Debug Mode still available so you can easily revert to the initial state of the component. The following captures a session with a brand new A71CH with the Debug Mode active:

root@imx6ulevk:~/axHostSw/linux# ./a71chConfig_i2c_imx interactive
a71chConfig (Rev 1.00) .. connect to A71CH. Chunksize at link layer = 256.
I2CInit: opening /dev/i2c-1
I2C driver: PEC flag cleared
I2C driver supports plain i2c-level commands.
I2C driver supports Read Block.
SCI2C_ATR=0xB8.03.11.01.05.B9.02.01.01.BA.01.01.BB.0C.41.37.30.30.35.43.47.32.34.32.52.31.BC.00.
HostLib Version            : 0x0130
Applet-Rev:SecureBox-Rev   : 0x0131:0x0000
>>> info device
A71CH in Debug Mode Version (SCP03 is not set up)
selectResponse:   0x0131
transportLockState: 0x03 (Transport Lock NOT YET set)
injectLockState:    0x02 (Unlocked)
gpStorageSize:      4096
uid (LEN=18):
47:90:51:68:47:91:12:10:23:41:00:53:66:96:47:51:48:12
>>> info pair
Public Keys from ECC key pairs:
    idx=0x00 n.a.
    idx=0x01 n.a.
    idx=0x02 n.a.
    idx=0x03 n.a.
>>> gen pair -x 0
>>> info pair
Public Keys from ECC key pairs:
    idx=0x00 ECC_PUB (LEN=65):
04:0A:81:86:1D:0C:E6:F6:E4:57:65:8B:51:92:E9:D1:CB:AF:96:12:C6:71:FB:79:F1:3D:C9:64:4D:56:CC:87:
2E:8C:32:9B:0A:F8:BB:4B:79:56:7D:F0:9D:C2:D2:B8:96:E0:04:B7:D9:50:F5:EC:C2:50:99:25:6B:5B:4B:E1:
3B
    idx=0x01 n.a.
    idx=0x02 n.a.
    idx=0x03 n.a.
>>> quit
root@imx6ulevk:~/axHostSw/linux#

10.5.2. Usage modes

The A71CH Configure Tool can be used in:

  • Interactive mode. The tool opens a communication session with the A71CH, the user can issue configure commands in this session. The syntax to be used is identical to the syntax used in the command line mode.

  • Command line mode: passing parameters as command line arguments. Each invocation of the tool establishes a new communication session between Host and A71CH.

  • Batch file mode: this is a special variant of the command line mode where multiple configure commands are bundled in a file that is passed as a command line argument. All commands contained in the file are handled in the same communication session between Host and A71CH.

Note

On POSIX platforms like LINUX or Cygwin the interactive mode supports simple command line completion and command history (navigateable with the up and down arrows). It also stores a list of executed commands in a file called ‘a71chConfigCmdHistory.txt’.

10.5.3. Tool deployment

10.5.3.1. HW Setup for iMX

The HW setup, when using the Configure tool is illustrated the following figure. In case (1) the A71CH has not been integrated into an end-device yet. In case (2) the A71CH is already integrated into the end-device (e.g. an IoT Appliance) HW Set-up

10.5.3.2. HW Setup for Kinetis

For running the configure tool with a Kinetis system, USB-VCOM Interface to PC is used. In this combination the VCOM Application needs to be running on kinetis. For more information, see SW layers and communication for Kinetis.

10.5.3.3. SW layers and communication for iMX

In case the Configure Tool is installed on a development PC, the iMX6UL must run an RJCT-server process that will deal with the unpacking of the incoming commands and the communication over SCI2C with the A71CH. Configure Tool installed on PC

Note

Refer to JRCP_v1 Server for more information on the RJCT server.

In case the Configure Tool is installed on the embedded target, a development PC will typically be used to run a console that provides access via SSH to the embedded target. Standalone Configure Tool on Embedded Target

10.5.3.4. SW layers and communication for Kinetis

For Kinetis based embedded systems, the configuration tool can only be run from the PC. Also, the configuration tool is only compiled with OpenSSL (not with mbedTLS). VCOM needs to be running on the Kinetis platform and the communication between HostPC and Kinetis happens over USB VCOM.

The Kinetis platform will that care of SCI2C protocol communication with the A71CH. Configure Tool installed on PC for Kinetis

10.5.4. Command reference

10.5.4.1. Overall introduction

A command has the following general structure: a mandatory command name <cmd-n> is followed by an optional command qualifier <cmd-q>, followed by ‘0 to n’ (option, value) pairs.

<cmd-n> [<cmd-q>] [-option <option-value>]*

The command names <cmd-n> are further listed and explained in detail in the remainder of this section.

<cmd-n> = {apdu, debug, erase, gen, info, ...}

Legal values for command qualifiers <cmd-q> depend on the actual command name <cmd-n>.

<cmd-q> = {cnt, gp, pair, pub, sym, ...}
    cfg = configure key
    cnt = monotonic counter
    gp = general purpose data
    pair = ECC key pair
    pub = ECC public key
    sym = Symmetric secret

<cmd-q> = {permanently_disable_debug, reset, all, ...}

Legal (option, value) pairs again depend on the preceding <cmd-n> or <cmd-n> <cmd-q>. The order of the (option, value) pairs after the <cmd-n> or <cmd-n> <cmd-q> needs to be strictly respected. The type of the value, can be any of the following

<hexvalue> = [0-9A-F][0-9A-F]([0-9A-F][0-9A-F])*
    examples of legal hexvalue's are
        0A0B0C0D
        00112233445566778899AABBCCDDEEFF
    the following hexvalue's are not allowed
        0x0A0B0C0D # leading '0x' decorator is not supported
        0A1        # odd number of ascii characters is not supported

<int> = integer (currently only positive integers are supported)

<filename> = further explained with the individual commands

10.5.4.2. apdu

apdu -cmd <hexvalue> -sw <hexvalue>

The apdu command allows to exchange an APDU (in ‘raw’ format) between the Host and the A71CH. It’s mandatory to specify the expected status word that will be returned by the A71CH, if the actual returned status word is different this will be flagged as an execution error.

Note

This low level command can be used to extend the functionality of the Config Tool. In order to use this command one needs to consult the A71CH APDU specification. This command is not required for normal provisioning use cases.

In the following example the host requests the A71CH the SHA256 value of “F0F1F2F3”. The APDU command and response are printed on the console. The last two byte contained in the response

>>> apdu -cmd 8096000004F0F1F2F300 -sw 9000
cmd (LEN=10):
8096000004F0F1F2F300
rsp (LEN=34):
FEA4CE6719F1FDB6D2E30CFB86C2E797DBD4A3247FF2B0EFC15A814C5B25C75E9000

10.5.4.3. connect

connect [close|open]

The connect command allows to close or re-open the connection with an attached secure element. This command can be used in an interactive workflow where several instance of an A71CH are being configured. Before detaching a configured A71CH one calls connect close; after attaching another A71CH one calls connect open.

In the following example a connection is opened.

>>> connect open
I2CInit: opening /dev/i2c-1
I2C driver: PEC flag cleared
I2C driver supports plain i2c-level commands.
I2C driver supports Read Block.

10.5.4.4. debug

debug [permanently_disable_debug|reset]

The debug command can be used to permanently switch of the Debug Mode of the A71CH (the Debug Mode of the A71CH is a convience mode that can be used during product development). It can also be used - assuming the Debug Mode is still on - to bring the A71CH back to its initial state.

Note

Issuing a debug reset also erases all stored credentials.

In the following example a debug reset is issued.

>>> debug reset

10.5.4.5. ecrt

The ecrt command erases a certificate from the GP storage area by index.

ecrt -x <int>

Note

The valid index range for certificates is is limited only by memory size.

In the following ecrt example the certificate at index 3 is erased from the A71CH.

>>> ecrt -x 3

10.5.4.6. erase

The erase command erases (deletes the value) of the specified stored credential. A locked credential can not be erased. Erasing a monotonic counter value is only possible when the Debug Mode of the A71CH is available.

erase [cnt|pair|pub|sym] -x <int>

In the following example the ECC key pair stored on index 0 is erased.

erase pair -x 0

10.5.4.7. gen

The gen command makes the A71CH create a valid ECC key pair on the indicated index.

gen pair -x <int>

In the following example a new ECC keypair is created and stored on index 1

gen pair -x 1

10.5.4.8. get

The get command retrieves the public key value from either a public key or key pair at the index passed as argument and stores it - in pem format - in a file provided as argument.

Note

The parameter passed after the c option represents the key type and can be either 0x10 for public pair or 0x20 for public key.

get pub -c <hex_value> -x <int> -k <keyfile.pem>

In the following example the ECC public key stored at index 0 is stored to PEM file keyfile.pem

get pub -c 20 -x 0 -k keyfile.pem

10.5.4.9. info

The info command can be used to echo the value and/or status of the A71CH or its stored credentials to the console. Issuing an ‘info all’ will echo the same information as issuing ‘info device’, ‘info cnt’, ‘info pair’, ‘info pub’, ‘info gp -h 0000 -n <all>’ in sequence. The value of secret credentials like the private part of a keypair, a symmetric key or a configuration key can not be retrieved from the A71CH. The ‘info status’ command will report on the Initialized/Empty and Locked/Open status of all credentials. It’s possible to echo the value of consecutive 32 byte data segments from general purpose data storage by specifying the hexadecimal offset (specified with 4 hexadecimal digits) into the data store and the amount of segments to display.

info [all|device|cnt|pair|pub|sym|status]
info gp -h <hexvalue_offset> -n <segments>

In the following example the credential status is requested. The output corresponds to the status of a new device.

>>> info status
SCP03 is Not enabled
Key Pair status:
        Index=0: Empty Open
        Index=1: Empty Open
        Index=2: Empty Open
        Index=3: Empty Open
Public Key status:
        Index=0: Empty Open
        Index=1: Empty Open
        Index=2: Empty Open
Config Key status:
        Index=0: Empty Open
        Index=1: Empty Open
        Index=2: Empty Open
Sym Secret status:
        Index=0: Empty Open
        Index=1: Empty Open
        Index=2: Empty Open
        Index=3: Empty Open
Counter status:
        Index=0: Initialized Open
        Index=1: Initialized Open
Certificate Objects:
        0 Absolute offset = 0x00 Actual Size = 0x313
        1 Absolute offset = 0x320 Actual Size = 0x313
Data Objects:
    0 Absolute offset = 0x640 Actual Size = 0x09
    1 Absolute offset = 0x660 Actual Size = 0x09
General Purpose Storage status:
        Offset=0x0000: Open     Offset=0x0020: Open     Offset=0x0040: Open     Offset=0x0060: Open
        Offset=0x0080: Open     Offset=0x00A0: Open     Offset=0x00C0: Open     Offset=0x00E0: Open
        Offset=0x0100: Open     Offset=0x0120: Open     Offset=0x0140: Open     Offset=0x0160: Open
        Offset=0x0180: Open     Offset=0x01A0: Open     Offset=0x01C0: Open     Offset=0x01E0: Open
        Offset=0x0200: Open     Offset=0x0220: Open     Offset=0x0240: Open     Offset=0x0260: Open
        Offset=0x0280: Open     Offset=0x02A0: Open     Offset=0x02C0: Open     Offset=0x02E0: Open
        Offset=0x0300: Open     Offset=0x0320: Open     Offset=0x0340: Open     Offset=0x0360: Open
        Offset=0x0380: Open     Offset=0x03A0: Open     Offset=0x03C0: Open     Offset=0x03E0: Open

In the following example the contents from two 32 byte data segments is requested starting from general purpose storage offset 0x0010:

>>> info gp -h 0010 -n 2
GP Storage Data (2 segments from offset 0x0010):
        0x0010 (LEN=32): 0000000000000000000000000000000000000000000000000000000000000000
        0x0030 (LEN=32): 0000000000000000000000000000000000000000000000000000000000000000

10.5.4.10. interactive

Used to start the interactive mode from the command line

10.5.4.11. lock

The lock commands allows to lock individual credentials (ECC public keys and ECC key pairs). It allows to lock data segments of 32 byte in general purpose storage (on offsets that are multiples of 0x0020). It’s also possible to forbid the injection of unwrapped ECC public keys, ECC key pairs and symmetric secrets at the device level.

lock [pair|pub] -x <int>
lock gp -h <hexvalue_offset> -n <segments>
lock inject_plain

The following example locks the ECC key pair at index 0

>>> lock pair -x 0

The following example locks 2 data segments of 32 byte in general purpose data storage starting from offset 0x0060

>>> lock gp -h 0060 -n 2

10.5.4.12. obj erase

The obj erase command erases the object at the provided index.

obj erase -x <int>

Note

Upon erasing an object it cannot be reconstructed.

In the following obj erase example the object at index 0 is erased.

>>> obj erase -x 0

10.5.4.13. obj get

The obj get command gets the value of a data object, it retrieves the data from a specific offset within the data object (fetching the specified amount of byte). Optionally, the data is written to file. The type file could be 16 or 32 bytes at a line. If no type is specified the default would be 32 bytes.

obj get -x <int> [-h <hexvalue_offset>] [-s <hexvalue_size>] [-f <data.txt> -t [hex_16|hex_32]]

Note

The offset is relative to the start location of the object and must be specified as a 4 digit hexadecimal value.

In the following obj get example the value of the object at index 0 is read out.

>>> obj get -x 0 -h 0000 -s 0009
>>> 112233445566778899

10.5.4.14. obj update

The obj update command updates the value of a data object. It updates the data relative to an internal offset passed as a parameter. The data can be passed on the command line or be contained in a file.

obj update -x <int> -h <hexvalue_offset> [-f <data.txt> -t [hex_16|hex_32] | -h <hexvalue_data>]

Note

The data in the file must be binary and not textual. An object must already exist at the specified index. If data is read from file it can be set with lines in length of 16 or 32 bytes (i.e. hex_16 or hex_32). The default value is lines of 32 bytes.

In the following obj update example the value of the object at index 0 is updated.

>>> obj update -x 0 -h 0000 -h 998877665544332211

10.5.4.15. obj write

The obj write command creates an object. The value of the object to be created can be passed on the command line or contained in a file. When using the -n option the requested segments will be reserved for the data object and filled with zeros. If data is read from file it can be set with lines in length of 16 or 32 bytes (i.e. hex_16 or hex_32). The default value is lines of 32 bytes.

obj write -x <int> [-f <data.txt> -t [hex_16|hex_32] | -h <hexvalue_data> | -n <segments>]

In the following obj write example an zero filled object is created at index 0 with a size of 5 segments.

>>> obj write -x 0 -n 5

10.5.4.16. rcrt

The rcrt command reads a certificate from the GP storage area by index. Optionally, the command can save the certificate read to a CRT file.

rcrt -x <int> [-c <certfile.crt>]

Note

The certificate data will be presented whether it was written to a file or not. The valid index range for certificates is is limited only by memory size.

In the following rcrt example the certificate at index 3 is read from the A71CH, upon success it is also written to a CRT file.

>>> rcrt -x 3 -c certificate.crt
CER_DATA (LEN=520):
30820204308201A9020900CFD5820FFEC40937300A06082A8648CE3D04030230
8189310B30090603550406130242453116301406035504080C0D566C61616D73
42726162616E74310F300D06035504070C064C657576656E3111300F06035504
0A0C084E58502D44656D6F31163014060355040B0C0D4E58502D44656D6F2D55
6E6974310D300B06035504030C0464656D6F3117301506092A864886F70D0109
01160864656D6F406E7870301E170D3135313230373130353132395A170D3136
313230363130353132395A308188310B30090603550406130242453116301406
035504080C0D566C61616D7342726162616E74310F300D06035504070C064C65
7576656E310E300C060355040A0C05697063616D31123010060355040B0C0969
7063616D556E69743112301006035504030C09697063616D44656D6F31183016
06092A864886F70D0109011609697063616D406E78703059301306072A8648CE
3D020106082A8648CE3D03010703420004DB4CDB6C5A96C1615895095222AA0E
A3BC6F9E714D6438F0B120D691F18D7E7410EE04BE71D33A2D8B2D3B66F7174A
9654536965AFD2ABADB55269C6A6C0085E300A06082A8648CE3D040302034900
304602210083AA91AE33396825D560390952AEE91C64814C7CA681BA50589558
D681F974270221009BA1CF31A823B96C391E3C4F839666AECE9949639D796B24
A5B987A92E6F1CFA

10.5.4.17. refpem

Note

The reference keys created by the refpem command are only compatible with the A71CH OpenSSL Engine based upon the A71CH Legacy API. The A71CH OpenSSL Engine based upon the SSS API use a different reference key format, these keys must be created with the ssscli tool.

The refpem command allows to create A71CH OpenSSL Engine specific reference pem files. It can be used in a mode that fetches the public key value from the attached A71CH:

refpem -c <hex_value> -x <int> -r <ref_keyfile.pem>

Or it can be used in a ‘not-connected’ mode that fetches the public key value from a pem file (containing an EC key pair) supplied as an argument.

refpem -c <hex_value> -x <int> -k <keyfile.pem> -r <ref_keyfile.pem>

The value following the -c switch must be either 10 (create a reference to a key pair) or 20 (create a reference to a public key). The value following the -x switch is the storage index of either key pair or public key.

The following command creates a reference pem file ‘my_ref_keyfile.pem’ referring to a keypair stored at index 1.

refpem -c 10 -x 1 -r my_ref_keyfile.pem

10.5.4.18. script

The script command can be used to issue the Configure tool commands contained in a file.

script -f <script.txt>

An example of script file (script_example.txt)

root@imx6ulevk:~# cat script_example.txt
# Simple example script
info pair
gen pair -x 0
info pair       # This will illustrate a key pair was created

The following example issues the commands contained in the script file above (script_example.txt)

>>> script -f script_example.txt
>> # Simple example script

>> info pair

Public Keys from ECC key pairs:
        idx=0x00 n.a.
        idx=0x01 n.a.
>> gen pair -x 0

>> info pair       # This will illustrate a key pair was created

Public Keys from ECC key pairs:
        idx=0x00 ECC_PUB (LEN=65):
04:A4:B3:3B:A3:D4:23:BD:19:C3:CB:20:DB:6F:D3:80:46:73:06:56:2F:83:B2:B1:AE:86:9A:EF:E9:7A:62:A3:
04:E7:C1:42:31:97:D5:19:5A:80:27:74:DC:20:EC:B7:93:9B:E5:C1:22:22:6B:E3:49:A4:FB:3A:5C:26:08:85:
B5
        idx=0x01 n.a.

10.5.4.19. scp

The scp command can be used to write a set of SCP03 keys to the A71CH (‘scp put …’) or to establish an active SCP03 channel between Host and A71CH (‘scp auth …’). The ‘scp clear_host’ command will force the Host to issue commands in the clear again.

scp [put|auth] -h <hexvalue_keyversion> -k <keyfile>
scp clear_host

An example of a keyfile containing a set of SCP03 keys:

root@imx6ulevk:~# cat scp_keyfile_example.txt
# This is a comment, empty lines and comment lines allowed.
ENC AA112233445566778899AABBCCDDEEFF # Trailing comment
MAC BB112233445566778899AABBCCDDEEFF # Optional trailing comment
DEK CC112233445566778899AABBCCDDEEFF # Optional trailing comment

10.5.4.20. set

The set command can be used to set a credential stored on the A71CH to a specific value.

Note

The set gp command can only be used to set a maximum of 32 byte of data at a time.

The value of a key pair or public key can either be passed as command line parameters or be contained in a pem-file (containing an EC key pair).

The command line value of the private key (set by the set pair command) can be either in the clear or wrapped with the Configuration key stored at index 1. Wrapping is according to RFC3394.

The command line value of the public key (set by the set pub command) can be either in the clear or wrapped with the Configuration key stored at index 2. In case RFC3394 wrapping is applied the first byte of the public key (the one indicating the public key format) is removed before applying wrapping.

The value of the configure key, the monotonic counter or the symmetric secret can only be passed explicitly as a command line parameter. The configure and symmetric keys can also be set wrapped (with the stored value of the key) according to RFC3394.

Whether an argument is wrapped is implicit in the lenght of the provided argument.

set gp -h <hexvalue_offset> -h <hexvalue_data>
set pair -x <int> [-k <keyfile.pem> | -h <hexvalue_pub> -h <hexvalue_priv>]
set pub  -x <int> [-k <keyfile.pem> | -h <hexvalue>]
set [cfg|cnt|sym]  -x <int> -h <hexvalue>

The following example writes 5 byte of data at offset 0004 into the General Purpose data store. The data written (4137314348) is the equivalent of the ASCII encoding of the string ‘A71CH’. The command itself is preceded and followed by an info statement covering the general purpose storage segment of interest.

>>> info gp -h 0000 -n 1
GP Storage Data (1 segments from offset 0x0000):
        0x0000 (LEN=32): 0000000000000000000000000000000000000000000000000000000000000000
>>> set gp -h 0004 -h 4137314348
>>> info gp -h 0000 -n 1
GP Storage Data (1 segments from offset 0x0000):
        0x0000 (LEN=32): 0000000041373143480000000000000000000000000000000000000000000000

The following example set the key pair at index 1 from the value contained in file keyfile_ecc_nist_256_1.pem. The command itself is preceded and followed by an info statement on the stored key pairs.

>>> info pair
Public Keys from ECC key pairs:
        idx=0x00 n.a.
        idx=0x01 n.a.
>>> set pair -x 1 -k keyfile_ecc_nist_256_1.pem
ECCPrivateKey (LEN=32):
21:AF:C1:1E:F5:64:61:3D:2E:96:4D:8B:93:19:CC:AB:38:E0:7A:6E:35:3A:21:A3:D1:69:8B:19:13:DF:1D:FF

ECCPublicKey (LEN=65):
04:74:E2:1E:54:6C:C1:9E:31:58:55:B6:D5:45:D3:0D:3F:48:79:D4:64:5D:3F:67:73:75:FB:0B:2C:80:43:1E:
8D:34:95:71:0E:71:E1:E3:F8:93:62:75:B4:AC:F1:52:E3:DE:55:CC:1D:86:5E:B0:D1:22:A8:CF:35:EC:47:31:
F8
>>> info pair
Public Keys from ECC key pairs:
        idx=0x00 n.a.
        idx=0x01 ECC_PUB (LEN=65):
04:74:E2:1E:54:6C:C1:9E:31:58:55:B6:D5:45:D3:0D:3F:48:79:D4:64:5D:3F:67:73:75:FB:0B:2C:80:43:1E:
8D:34:95:71:0E:71:E1:E3:F8:93:62:75:B4:AC:F1:52:E3:DE:55:CC:1D:86:5E:B0:D1:22:A8:CF:35:EC:47:31:
F8

The value contained in file keyfile\_ecc\_nist\_256\_1.pem is
$ cat keyfile_ecc_nist_256_1.pem
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEICGvwR71ZGE9LpZNi5MZzKs44HpuNToho9FpixkT3x3/oAoGCCqGSM49
AwEHoUQDQgAEdOIeVGzBnjFYVbbVRdMNP0h51GRdP2dzdfsLLIBDHo00lXEOceHj
+JNidbSs8VLj3lXMHYZesNEiqM817Ecx+A==
-----END EC PRIVATE KEY-----

The following example sets the public key at index 0 to the provided public key value (in the clear, ANSI X9.62 uncompressed format). The command itself is preceded and followed by an info statement on the stored public key.

>>> info pub
Public Keys:
        idx=0x00 n.a.
        idx=0x01 n.a.
>>> set pub -x 0 -h 043802B1164C30860AC913F5F997B84158C40CFFCC1D3A4359BC22574A4FC95E628933A9E95820AD6B96A1DA106BDD5D6A8E556A78AE959C59336FE53E3A1D9ED4
>>> info pub
Public Keys:
        idx=0x00 ECC_PUB (LEN=65):
04:38:02:B1:16:4C:30:86:0A:C9:13:F5:F9:97:B8:41:58:C4:0C:FF:CC:1D:3A:43:59:BC:22:57:4A:4F:C9:5E:
62:89:33:A9:E9:58:20:AD:6B:96:A1:DA:10:6B:DD:5D:6A:8E:55:6A:78:AE:95:9C:59:33:6F:E5:3E:3A:1D:9E:
D4
        idx=0x01 n.a.

The following example sets the monotonic counter at index 0 to 00E0. The command itself is preceded and followed by an info statement on the stored monotonic counters.

>>> info cnt
Monotonic counter values:
        idx=0x00 0x00000000
        idx=0x01 0x00000000
>>> set cnt -x 0 -h 000000E0
>>> info cnt
Monotonic counter values:
        idx=0x00 0x000000E0
        idx=0x01 0x00000000

10.5.4.21. transport

The transport lock command can be used to enable the transport lock on the A71CH. To disable the transport lock one needs to pass the transport key as an option value to the transport unlock command.

Note

A precondition to enable the transport lock is that the Transport Configuration key has been set: use ‘set cfg -x 0 -h <hexvalue_tpkey>’ to achieve this. Furthermore the transport lock / unlock cycle can only be initiated once.

transport [lock|unlock -h <hexvalue_tpkey>]

The following example sets the Transport Configuration key, locks the device and finally unlocks the device. The info device command is used to illustrate the value of the transportLockState of the device.

>>> info device
...
transportLockState: 0x03 (Transport Lock NOT YET set)
...
>>> set cfg -x 0 -h AA112233445566778899AABBCCDDEEFF
>>> transport lock
>>> info device
...
transportLockState: 0x01 (Transport Lock is set)
...
>>> transport unlock -h AA112233445566778899AABBCCDDEEFF
>>> info device
A71CH in Debug Mode Version (SCP03 is not set up)
selectResponse:   0x0111
transportLockState: 0x02 (Open device, Transport Lock can no longer be set)
injectLockState:    0x02 (Unlocked)
gpStorageSize:      1024
uid (LEN=18):
47:90:70:02:47:91:12:10:20:89:00:50:36:91:64:23:00:00

10.5.4.22. ucrt

The ucrt command updates a certificate to the GP storage area by index. The certificate can be provided as raw data (-h option), as a file in PEM format (-p option) or as a file in DER format (-c option).

ucrt -x <int> [-c <certfile.crt> | -h <hexvalue_data> | -p <certfile.pem>]

Note

In case the certificate to be written is in PEM format it will be stored into the A71CH in DER format. The valid index range for certificates is is limited only by memory size.

In the following ucrt example a certificate contained in a PEM file (c:\certificate.pem) is stored into the A71CH at index 3.

>>> ucrt -x 3 -p c:\certificate.pem
Filename: c:\certificate.pem
Certificate Size (DER format) = 493 byte

10.5.4.23. wcrt

The wcrt command writes a certificate to the GP storage area by index. The certificate can be provided as raw data (-h option), as a file in PEM format (-p option) or as a file in DER format (-c option).

wcrt -x <int> [-c <certfile.crt> | -h <hexvalue_data> | -p <certfile.pem>] [-n <padding-segments>]

Note

Writing to an existing index will fail. Use the ucrt command to update the certificate (taking into account certificate size constraints) or use the ecrt command to erase and then write the new certificate. The valid index range for certificates is is limited only by memory size. Using padding segments parameter creates an extra place holder for future updates with larger certificates at the same index without the need for erasing it first.

In case the certificate to be written is in PEM format it will be stored into the A71CH in DER format.

The rcrt command allows to read out a certificate by index.

In the following wcrt example a certificate contained in a PEM file (c:\certificate.pem) is stored into the A71CH at index 3.

>>> wcrt -x 3 -p c:\certificate.pem
Filename: c:\certificate.pem
Certificate Size (DER format) = 493 byte

10.5.5. Not connected mode

When starting up the A71CH Configure Tool it is possible to indicate no attached A71CH device is required. This is achieved by preceding the command (on the command line only) by the keyword nc (not connected).

Currently the only application of this feature is the creation of Reference Pem files where the public key value is contained in a Pem file (containing an EC key pair) passed as argument.

The following command creates a reference pem file ‘my_ref_keyfile.pem’ referring to a public key (stored or to be stored) at index 0 whose value is contained in ‘kp_keyfile.pem’

root@imx6ulevk:~# ./a71chConfig_i2c_imx nc refpem -c 20 -x 0 -k kp_keyfile.pem -r my_ref_keyfile.pem
a71chConfig (Rev 0.94) .. NOT connecting to A71CH.
ECCPublicKey (LEN=65):
04:7C:59:16:D4:F5:46:B3:D3:17:20:78:F8:AD:41:84:9A:79:46:6B:5B:0B:FC:39:3D:4C:E1:A8:53:F5:4F:8D:
C2:98:65:F8:84:E9:9E:28:38:09:FF:29:34:B6:97:27:DB:6C:0A:F3:79:B0:D7:2C:16:25:B5:CB:B8:A2:CB:70:
89