11.12.3.4.85. Function Se05x_API_ECDHGenerateSharedSecret

11.12.3.4.85.1. Function Documentation

smStatus_t Se05x_API_ECDHGenerateSharedSecret(pSe05xSession_t session_ctx, uint32_t objectID, const uint8_t *pubKey, size_t pubKeyLen, uint8_t *sharedSecret, size_t *psharedSecretLen)

Se05x_API_ECDHGenerateSharedSecret

The ECDHGenerateSharedSecret command computes an ECDH shared secret (a point on the curve) from an EC private key held on the SE05X and an external public key supplied by the caller. The resulting shared secret is returned to the caller.

All curves in ECCurve are supported, except ECC_ED_25519.

Note that ECDHGenerateSharedSecret commands with EC keys on curve ID_ECC_MONT_DH_25519 or ID_ECC_MONT_DH_448 perform NVM write operations on every call, so frequent key agreement on those curves consumes NVM write endurance. The other curves do not write NVM.

When CONFIG_FIPS_MODE_DISABLED is not set (i.e. in the FIPS-mode build), this function always returns SW_CONDITIONS_NOT_SATISFIED.

The shared secret can only be returned to the caller when the Secure Object holding the key pair or private key (TLV[TAG_1]) does not carry the policy POLICY_OBJ_FORBID_DERIVED_OUTPUT. If it does carry that policy, the caller must supply TLV[TAG_7] so that the shared secret is stored in an HMACKey object instead of being returned. The caller is responsible for sizing that HMACKey object: its size must equal the size of the shared secret exactly. The C wrapper documented here takes no parameter for TLV[TAG_7], so it only covers the case in which the secret is returned in the R-APDU.

On applet 4.4.0, the policy POLICY_OBJ_FORBID_DERIVED_OUTPUT is not yet enforced for this function: derived output is always allowed.

Command to Applet

  Field     Value         Description
  CLA       0x80
  INS       INS_CRYPTO    See SE05x_INS_t
  P1        P1_EC         See SE05x_P1_t
  P2        P2_DH         See SE05x_P2_t
  Lc        #(Payload)
  Payload   TLV[TAG_1]    4-byte identifier of the key pair or private key.
            TLV[TAG_2]    External public key (see ECKeyRef).
            TLV[TAG_7]    4-byte HMACKey identifier to store output. [Optional]
  Le        0x00          Expected shared secret length.

R-APDU Body

  Value         Description
  TLV[TAG_1]    The returned shared secret. [Conditional: only when the input does not contain TLV[TAG_7].]

R-APDU Trailer

  SW            Description
  SW_NO_ERROR   The command is handled successfully.
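The APDU framing described by the two tables above, as an added example that is not part of the NXP middleware: build_ecdh_apdu() encodes the C-APDU (header, Lc, the TAG_1/TAG_2 payload with optional TAG_7, Le), parse_ecdh_rapdu() reads the R-APDU and distinguishes "secret returned in TAG_1" from "secret kept in the HMACKey object", and expected_secret_len() gives the size the HMACKey object behind TLV[TAG_7] must have. The numeric values of INS_CRYPTO, P1_EC, P2_DH and the TAG_n constants are assumptions taken from memory of se05x_enums.h and must be checked against your middleware; the sample public key and response bytes are constructed, not a real key or a captured exchange. The raw APDU shown is what the applet sees before any session or SCP03 wrapping the middleware applies.

```c
/* Added example, not NXP middleware code. INS/P1/P2/TAG values are assumed
 * from se05x_enums.h; verify them before relying on this encoder. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SE05X_CLA        0x80
#define SE05X_INS_CRYPTO 0x03   /* assumed value of INS_CRYPTO */
#define SE05X_P1_EC      0x01   /* assumed value of P1_EC */
#define SE05X_P2_DH      0x0F   /* assumed value of P2_DH */
#define SE05X_TAG_1      0x41   /* assumed value of TAG_1 */
#define SE05X_TAG_2      0x42   /* assumed value of TAG_2 */
#define SE05X_TAG_7      0x47   /* assumed value of TAG_7 */
#define SW_NO_ERROR      0x9000

uint8_t g_apdu[512];            /* scratch buffers shared with main() */
uint8_t g_secret[66];
size_t  g_secret_len;
static uint8_t g_pubkey[65], g_rapdu[36];

static void put_u32_be(uint8_t b[4], uint32_t v)
{
    b[0] = (uint8_t)(v >> 24); b[1] = (uint8_t)(v >> 16);
    b[2] = (uint8_t)(v >> 8);  b[3] = (uint8_t)v;
}

/* One SE05x TLV: 1-byte tag, BER length (short, 0x81 or 0x82 form). 0 = no room. */
static size_t put_tlv(uint8_t *out, size_t cap, uint8_t tag, const uint8_t *val, size_t len)
{
    size_t hdr = len < 0x80 ? 2 : (len <= 0xFF ? 3 : 4), i = 0;
    if (len > 0xFFFF || hdr + len > cap) return 0;
    out[i++] = tag;
    if (len < 0x80)       out[i++] = (uint8_t)len;
    else if (len <= 0xFF) { out[i++] = 0x81; out[i++] = (uint8_t)len; }
    else { out[i++] = 0x82; out[i++] = (uint8_t)(len >> 8); out[i++] = (uint8_t)len; }
    memcpy(out + i, val, len);
    return i + len;
}

/* C-APDU: CLA INS P1 P2 Lc TLV[TAG_1] TLV[TAG_2] [TLV[TAG_7]] Le.
 * hmac_id == 0 means no TAG_7, i.e. the secret comes back in the R-APDU.
 * Short Lc/Le when the payload fits in 255 bytes, extended form otherwise.
 * Returns the APDU length, 0 on error. */
size_t build_ecdh_apdu(uint8_t *apdu, size_t cap, uint32_t key_id,
                       const uint8_t *pub, size_t pub_len, uint32_t hmac_id)
{
    uint8_t payload[400], id[4];
    size_t n = 0, w, i = 0;

    put_u32_be(id, key_id);
    if (!(w = put_tlv(payload + n, sizeof payload - n, SE05X_TAG_1, id, 4))) return 0;
    n += w;
    if (!(w = put_tlv(payload + n, sizeof payload - n, SE05X_TAG_2, pub, pub_len))) return 0;
    n += w;
    if (hmac_id) {
        put_u32_be(id, hmac_id);
        if (!(w = put_tlv(payload + n, sizeof payload - n, SE05X_TAG_7, id, 4))) return 0;
        n += w;
    }
    if (cap < 4 + 3 + n + 2) return 0;              /* room for the longest framing */
    apdu[i++] = SE05X_CLA;   apdu[i++] = SE05X_INS_CRYPTO;
    apdu[i++] = SE05X_P1_EC; apdu[i++] = SE05X_P2_DH;
    if (n <= 255) {
        apdu[i++] = (uint8_t)n;                     /* short Lc */
        memcpy(apdu + i, payload, n); i += n;
        apdu[i++] = 0x00;                           /* Le */
    } else {
        apdu[i++] = 0x00; apdu[i++] = (uint8_t)(n >> 8); apdu[i++] = (uint8_t)n;
        memcpy(apdu + i, payload, n); i += n;
        apdu[i++] = 0x00; apdu[i++] = 0x00;         /* extended Le */
    }
    return i;
}

/* R-APDU: [TLV[TAG_1] secret] SW1 SW2. Returns the SW, or 0 if the body is
 * malformed. *secret_len is 0 when no TAG_1 came back, which is the TAG_7 case. */
uint16_t parse_ecdh_rapdu(const uint8_t *r, size_t r_len,
                          uint8_t *secret, size_t secret_cap, size_t *secret_len)
{
    size_t body, len, off;
    uint16_t sw;
    *secret_len = 0;
    if (r_len < 2) return 0;
    sw = (uint16_t)((r[r_len - 2] << 8) | r[r_len - 1]);
    body = r_len - 2;
    if (sw != SW_NO_ERROR || body == 0) return sw;
    if (body < 2 || r[0] != SE05X_TAG_1) return 0;
    if (r[1] < 0x80)       { len = r[1]; off = 2; }
    else if (r[1] == 0x81) { if (body < 3) return 0; len = r[2]; off = 3; }
    else if (r[1] == 0x82) { if (body < 4) return 0; len = (size_t)(r[2] << 8 | r[3]); off = 4; }
    else return 0;
    if (off + len != body || len > secret_cap) return 0;   /* truncated, trailing bytes or too big */
    memcpy(secret, r + off, len);
    *secret_len = len;
    return sw;
}

/* Size of the shared secret, hence the exact size required of the HMACKey object
 * behind TLV[TAG_7]. Assumes (not stated on the page) that ECKeyRef is an
 * uncompressed point 0x04||X||Y for Weierstrass curves and a raw 32/56-byte
 * u-coordinate for MONT_DH_25519 / MONT_DH_448. 0 = unrecognised encoding. */
size_t expected_secret_len(const uint8_t *pub, size_t pub_len)
{
    if (pub_len >= 41 && (pub_len & 1) && pub[0] == 0x04) return (pub_len - 1) / 2;
    if (pub_len == 32 || pub_len == 56) return pub_len;
    return 0;
}

/* Constructed sample data: a P-256-shaped public key (not a valid point) and
 * an R-APDU carrying a 32-byte secret followed by SW 90 00. */
const uint8_t *sample_pubkey(void)
{
    g_pubkey[0] = 0x04;
    for (size_t i = 1; i < 65; i++) g_pubkey[i] = (uint8_t)i;
    return g_pubkey;
}
const uint8_t *sample_rapdu(void)
{
    g_rapdu[0] = SE05X_TAG_1; g_rapdu[1] = 32;
    memset(g_rapdu + 2, 0x5A, 32);
    g_rapdu[34] = 0x90; g_rapdu[35] = 0x00;
    return g_rapdu;
}

int main(void)
{
    size_t n = build_ecdh_apdu(g_apdu, sizeof g_apdu, 0x20000001u, sample_pubkey(), 65, 0);
    printf("C-APDU (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02X", g_apdu[i]);
    uint16_t sw = parse_ecdh_rapdu(sample_rapdu(), 36, g_secret, sizeof g_secret, &g_secret_len);
    printf("\nSW=%04X, %zu secret bytes returned; HMACKey for TAG_7 would need %zu bytes\n",
           sw, g_secret_len, expected_secret_len(sample_pubkey(), 65));
    return sw == SW_NO_ERROR ? 0 : 1;
}
```

Passing a non-zero hmac_id appends TLV[TAG_7] and, per the R-APDU table, the applet then returns no TLV[TAG_1]; parse_ecdh_rapdu() reports that as SW_NO_ERROR with a zero secret length, so callers should check the length rather than assume a secret is present. The 0x80 short/0x81/0x82 length encoding in put_tlv() is the usual SE05x TLV form; if your middleware version frames lengths differently, adjust that one function.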

Parameters
  • [in] session_ctx: Session Context [0:kSE05x_pSession]
  • [in] objectID: identifier of the Secure Object holding the key pair or private key [1:kSE05x_TAG_1]
  • [in] pubKey: external public key (see ECKeyRef) [2:kSE05x_TAG_2]
  • [in] pubKeyLen: length of pubKey in bytes
  • [out] sharedSecret: buffer that receives the shared secret [0:kSE05x_TAG_1]
  • [inout] psharedSecretLen: on input, the capacity of sharedSecret; on output, the number of shared-secret bytes written