10.5. A71CH Legacy Configure Tool¶
10.5.1. Introduction¶
The A71CH Configure Tool is a command line tool that supports the
insertion of credentials into the A71CH.
It can also report on the value and status of the stored credentials and on the status of the device.
The tool is provided in source code (.../hostlib/a71ch/app
) and can be deployed in one of the following configurations:
Installed on a development PC communicating over TCP/IP with the embedded target
Standalone on an embedded target
In Tool deployment we go into more detail on this.
Simply invoking the tool in standalone mode on an MCIMX6UL-EVKB board results in the following output (some output edited away):
root@imx6ulevk:~# ./a71chConfig_i2c_imx
a71chConfig (Rev 1.00) .. connect to A71CH. Chunksize at link layer = 256.
...
Applet-Rev:SecureBox-Rev : 0x0131:0x0000
****************************
Usage: a71chConfig [apdu|debug|erase|gen|info|interactive|lock|rcrt|scp|set|wcrt|help] <OptArg>
apdu -cmd <hexval> -sw <hexval>
debug [permanently_disable_debug|reset]
ecrt -x <int>
erase [cnt|pair|pub|sym] -x <int>
gen pair -x <int>
get pub -c <hex_value> -x <int> -k <keyfile.pem>
info [all|cnt|device|objects|pair|pub|status]
info gp -h <hexvalue_offset> -n <segments>
interactive
lock [pair|pub] -x <int>
lock gp -h <hexvalue_offset> -n <segments>
lock inject_plain
obj erase -x <int>
obj get -x <int> [-h <hexvalue_offset>] [-s <hexvalue_size>] [-f <data.txt> -t [hex_16|hex_32]]
obj update -x <int> -h <hexvalue_offset> [-f <data.txt> -t [hex_16|hex_32] | -h <hexvalue_data>]
obj write -x <int> [-f <data.txt> -t [hex_16|hex_32] | -h <hexvalue_data> | -n <segments>]
rcrt -x <int> [-c <certfile.crt>]
refpem -c <hex_value> -x <int> [-k <keyfile.pem>] -r <ref_keyfile.pem>
script -f <script.txt>
scp [put|auth] -h <hexvalue_keyversion> -k <keyfile>
set gp -h <hexvalue_offset> -h <hexvalue_data>
set pair -x <int> [-k <keyfile.pem> | -h <hexvalue_pub> -h <hexvalue_priv>] [-w <hexvalue_wrap_key>]
set pub -x <int> [-k <keyfile.pem> | -h <hexvalue>] [-w <hexvalue_wrap_key>]
set [cfg|cnt|sym] -x <int> -h <hexvalue> [-w <hexvalue_wrap_key>]
transport [lock|unlock -h <hexvalue_tpkey>]
ucrt -x <int> [-c <certfile.crt> | -h <hexvalue_data> | -p <certfile.pem>]
wcrt -x <int> [-c <certfile.crt> | -h <hexvalue_data> | -p <certfile.pem>] [-n <padding-segments>]
****************************
The tool provides an overview of the available command line options. We’ll go into more detail on the syntax in Command reference.
The easiest way to get familiar with the A71CH configure tool is to open it in interactive mode. Be sure to connect to an A71CH with the Debug Mode still available so you can easily revert to the initial state of the component. The following captures a session with a brand new A71CH with the Debug Mode active:
root@imx6ulevk:~/axHostSw/linux# ./a71chConfig_i2c_imx interactive
a71chConfig (Rev 1.00) .. connect to A71CH. Chunksize at link layer = 256.
I2CInit: opening /dev/i2c-1
I2C driver: PEC flag cleared
I2C driver supports plain i2c-level commands.
I2C driver supports Read Block.
SCI2C_ATR=0xB8.03.11.01.05.B9.02.01.01.BA.01.01.BB.0C.41.37.30.30.35.43.47.32.34.32.52.31.BC.00.
HostLib Version : 0x0130
Applet-Rev:SecureBox-Rev : 0x0131:0x0000
>>> info device
A71CH in Debug Mode Version (SCP03 is not set up)
selectResponse: 0x0131
transportLockState: 0x03 (Transport Lock NOT YET set)
injectLockState: 0x02 (Unlocked)
gpStorageSize: 4096
uid (LEN=18):
47:90:51:68:47:91:12:10:23:41:00:53:66:96:47:51:48:12
>>> info pair
Public Keys from ECC key pairs:
idx=0x00 n.a.
idx=0x01 n.a.
idx=0x02 n.a.
idx=0x03 n.a.
>>> gen pair -x 0
>>> info pair
Public Keys from ECC key pairs:
idx=0x00 ECC_PUB (LEN=65):
04:0A:81:86:1D:0C:E6:F6:E4:57:65:8B:51:92:E9:D1:CB:AF:96:12:C6:71:FB:79:F1:3D:C9:64:4D:56:CC:87:
2E:8C:32:9B:0A:F8:BB:4B:79:56:7D:F0:9D:C2:D2:B8:96:E0:04:B7:D9:50:F5:EC:C2:50:99:25:6B:5B:4B:E1:
3B
idx=0x01 n.a.
idx=0x02 n.a.
idx=0x03 n.a.
>>> quit
root@imx6ulevk:~/axHostSw/linux#
10.5.2. Usage modes¶
The A71CH Configure Tool can be used in:
Interactive mode. The tool opens a communication session with the A71CH, the user can issue configure commands in this session. The syntax to be used is identical to the syntax used in the command line mode.
Command line mode: passing parameters as command line arguments. Each invocation of the tool establishes a new communication session between Host and A71CH.
Batch file mode: this is a special variant of the command line mode where multiple configure commands are bundled in a file that is passed as a command line argument. All commands contained in the file are handled in the same communication session between Host and A71CH.
Note
On POSIX platforms like LINUX or Cygwin the interactive mode supports simple command line completion and command history (navigateable with the up and down arrows). It also stores a list of executed commands in a file called ‘a71chConfigCmdHistory.txt’.
10.5.3. Tool deployment¶
10.5.3.1. HW Setup for iMX¶
The HW setup, when using the Configure tool is illustrated the following
figure. In case (1) the A71CH has not been integrated into an end-device
yet. In case (2) the A71CH is already integrated into the end-device
(e.g. an IoT Appliance)
10.5.3.2. HW Setup for Kinetis¶
For running the configure tool with a Kinetis system, USB-VCOM Interface to PC is used. In this combination the VCOM Application needs to be running on kinetis. For more information, see SW layers and communication for Kinetis.
10.5.3.3. SW layers and communication for iMX¶
In case the Configure Tool is installed on a development PC, the iMX6UL
must run an RJCT-server process that will deal with the unpacking of the
incoming commands and the communication over SCI2C with the A71CH.
Note
Refer to JRCP_v1 Server for more information on the RJCT server.
In case the Configure Tool is installed on the embedded target, a
development PC will typically be used to run a console that provides
access via SSH to the embedded target.
10.5.3.4. SW layers and communication for Kinetis¶
For Kinetis based embedded systems, the configuration tool can only be run from the PC. Also, the configuration tool is only compiled with OpenSSL (not with mbedTLS). VCOM needs to be running on the Kinetis platform and the communication between HostPC and Kinetis happens over USB VCOM.
The Kinetis platform will that care of SCI2C protocol communication with
the A71CH.
10.5.4. Command reference¶
10.5.4.1. Overall introduction¶
A command has the following general structure: a mandatory command name
<cmd-n>
is followed by an optional command qualifier <cmd-q>
, followed by ‘0 to n’ (option, value) pairs.
<cmd-n> [<cmd-q>] [-option <option-value>]*
The command names <cmd-n>
are further listed and explained in
detail in the remainder of this section.
<cmd-n> = {apdu, debug, erase, gen, info, ...}
Legal values for command qualifiers <cmd-q>
depend on the
actual command name <cmd-n>
.
<cmd-q> = {cnt, gp, pair, pub, sym, ...}
cfg = configure key
cnt = monotonic counter
gp = general purpose data
pair = ECC key pair
pub = ECC public key
sym = Symmetric secret
<cmd-q> = {permanently_disable_debug, reset, all, ...}
Legal (option, value) pairs again depend on the preceding <cmd-n>
or <cmd-n> <cmd-q>
.
The order of the (option, value) pairs after the <cmd-n>
or <cmd-n> <cmd-q>
needs
to be strictly respected. The type of the value, can be any of the following
<hexvalue> = [0-9A-F][0-9A-F]([0-9A-F][0-9A-F])*
examples of legal hexvalue's are
0A0B0C0D
00112233445566778899AABBCCDDEEFF
the following hexvalue's are not allowed
0x0A0B0C0D # leading '0x' decorator is not supported
0A1 # odd number of ascii characters is not supported
<int> = integer (currently only positive integers are supported)
<filename> = further explained with the individual commands
10.5.4.2. apdu¶
apdu -cmd <hexvalue> -sw <hexvalue>
The apdu
command allows to exchange an APDU (in ‘raw’
format) between the Host and the A71CH. It’s mandatory to specify the
expected status word that will be returned by the A71CH, if the actual
returned status word is different this will be flagged as an execution
error.
Note
This low level command can be used to extend the functionality of the Config Tool. In order to use this command one needs to consult the A71CH APDU specification. This command is not required for normal provisioning use cases.
In the following example the host requests the A71CH the SHA256 value of “F0F1F2F3”. The APDU command and response are printed on the console. The last two byte contained in the response
>>> apdu -cmd 8096000004F0F1F2F300 -sw 9000
cmd (LEN=10):
8096000004F0F1F2F300
rsp (LEN=34):
FEA4CE6719F1FDB6D2E30CFB86C2E797DBD4A3247FF2B0EFC15A814C5B25C75E9000
10.5.4.3. connect¶
connect [close|open]
The connect
command allows to close or re-open the
connection with an attached secure element. This command can be used in
an interactive workflow where several instance of an A71CH are being
configured. Before detaching a configured A71CH one calls
connect close
; after attaching another
A71CH one calls connect open
.
In the following example a connection is opened.
>>> connect open
I2CInit: opening /dev/i2c-1
I2C driver: PEC flag cleared
I2C driver supports plain i2c-level commands.
I2C driver supports Read Block.
10.5.4.4. debug¶
debug [permanently_disable_debug|reset]
The debug
command can be used to permanently switch of
the Debug Mode of the A71CH (the Debug Mode of the A71CH is a convience
mode that can be used during product development). It can also be used -
assuming the Debug Mode is still on - to bring the A71CH back to its
initial state.
Note
Issuing a debug reset also erases all stored credentials.
In the following example a debug reset is issued.
>>> debug reset
10.5.4.5. ecrt¶
The ecrt
command erases a certificate
from the GP storage area by index.
ecrt -x <int>
Note
The valid index range for certificates is is limited only by memory size.
In the following ecrt
example the
certificate at index 3 is erased from the A71CH.
>>> ecrt -x 3
10.5.4.6. erase¶
The erase
command erases (deletes the value) of the
specified stored credential. A locked credential can not be erased.
Erasing a monotonic counter value is only possible when the Debug Mode
of the A71CH is available.
erase [cnt|pair|pub|sym] -x <int>
In the following example the ECC key pair stored on index 0 is erased.
erase pair -x 0
10.5.4.7. gen¶
The gen
command makes the A71CH create a valid ECC key
pair on the indicated index.
gen pair -x <int>
In the following example a new ECC keypair is created and stored on index 1
gen pair -x 1
10.5.4.8. get¶
The get
command retrieves the public key value from
either a public key or key pair at the index passed as argument and
stores it - in pem format - in a file provided as argument.
Note
The parameter passed after the c option represents the key type and can be either 0x10 for public pair or 0x20 for public key.
get pub -c <hex_value> -x <int> -k <keyfile.pem>
In the following example the ECC public key stored at index 0 is stored to PEM file keyfile.pem
get pub -c 20 -x 0 -k keyfile.pem
10.5.4.9. info¶
The info
command can be used to echo the value and/or
status of the A71CH or its stored credentials to the console. Issuing an
‘info all’ will echo the same information as issuing ‘info device’,
‘info cnt’, ‘info pair’, ‘info pub’, ‘info gp -h 0000 -n <all>’ in
sequence. The value of secret credentials like the private part of a
keypair, a symmetric key or a configuration key can not be retrieved
from the A71CH. The ‘info status’ command will report on the
Initialized/Empty and Locked/Open status of all credentials. It’s
possible to echo the value of consecutive 32 byte data segments from
general purpose data storage by specifying the hexadecimal offset
(specified with 4 hexadecimal digits) into the data store and the amount
of segments to display.
info [all|device|cnt|pair|pub|sym|status]
info gp -h <hexvalue_offset> -n <segments>
In the following example the credential status is requested. The output corresponds to the status of a new device.
>>> info status
SCP03 is Not enabled
Key Pair status:
Index=0: Empty Open
Index=1: Empty Open
Index=2: Empty Open
Index=3: Empty Open
Public Key status:
Index=0: Empty Open
Index=1: Empty Open
Index=2: Empty Open
Config Key status:
Index=0: Empty Open
Index=1: Empty Open
Index=2: Empty Open
Sym Secret status:
Index=0: Empty Open
Index=1: Empty Open
Index=2: Empty Open
Index=3: Empty Open
Counter status:
Index=0: Initialized Open
Index=1: Initialized Open
Certificate Objects:
0 Absolute offset = 0x00 Actual Size = 0x313
1 Absolute offset = 0x320 Actual Size = 0x313
Data Objects:
0 Absolute offset = 0x640 Actual Size = 0x09
1 Absolute offset = 0x660 Actual Size = 0x09
General Purpose Storage status:
Offset=0x0000: Open Offset=0x0020: Open Offset=0x0040: Open Offset=0x0060: Open
Offset=0x0080: Open Offset=0x00A0: Open Offset=0x00C0: Open Offset=0x00E0: Open
Offset=0x0100: Open Offset=0x0120: Open Offset=0x0140: Open Offset=0x0160: Open
Offset=0x0180: Open Offset=0x01A0: Open Offset=0x01C0: Open Offset=0x01E0: Open
Offset=0x0200: Open Offset=0x0220: Open Offset=0x0240: Open Offset=0x0260: Open
Offset=0x0280: Open Offset=0x02A0: Open Offset=0x02C0: Open Offset=0x02E0: Open
Offset=0x0300: Open Offset=0x0320: Open Offset=0x0340: Open Offset=0x0360: Open
Offset=0x0380: Open Offset=0x03A0: Open Offset=0x03C0: Open Offset=0x03E0: Open
In the following example the contents from two 32 byte data segments is requested starting from general purpose storage offset 0x0010:
>>> info gp -h 0010 -n 2
GP Storage Data (2 segments from offset 0x0010):
0x0010 (LEN=32): 0000000000000000000000000000000000000000000000000000000000000000
0x0030 (LEN=32): 0000000000000000000000000000000000000000000000000000000000000000
10.5.4.10. interactive¶
Used to start the interactive mode from the command line
10.5.4.11. lock¶
The lock
commands allows to lock individual credentials
(ECC public keys and ECC key pairs). It allows to lock data segments of
32 byte in general purpose storage (on offsets that are multiples of
0x0020). It’s also possible to forbid the injection of unwrapped ECC
public keys, ECC key pairs and symmetric secrets at the device level.
lock [pair|pub] -x <int>
lock gp -h <hexvalue_offset> -n <segments>
lock inject_plain
The following example locks the ECC key pair at index 0
>>> lock pair -x 0
The following example locks 2 data segments of 32 byte in general purpose data storage starting from offset 0x0060
>>> lock gp -h 0060 -n 2
10.5.4.12. obj erase¶
The obj erase
command erases the object
at the provided index.
obj erase -x <int>
Note
Upon erasing an object it cannot be reconstructed.
In the following obj erase
example the
object at index 0 is erased.
>>> obj erase -x 0
10.5.4.13. obj get¶
The obj get
command gets the value of a
data object, it retrieves the data from a specific offset within the
data object (fetching the specified amount of byte). Optionally, the
data is written to file. The type file could be 16 or 32 bytes at a
line. If no type is specified the default would be 32 bytes.
obj get -x <int> [-h <hexvalue_offset>] [-s <hexvalue_size>] [-f <data.txt> -t [hex_16|hex_32]]
Note
The offset is relative to the start location of the object and must be specified as a 4 digit hexadecimal value.
In the following obj get
example the
value of the object at index 0 is read out.
>>> obj get -x 0 -h 0000 -s 0009
>>> 112233445566778899
10.5.4.14. obj update¶
The obj update
command updates the value
of a data object. It updates the data relative to an internal offset
passed as a parameter. The data can be passed on the command line or be
contained in a file.
obj update -x <int> -h <hexvalue_offset> [-f <data.txt> -t [hex_16|hex_32] | -h <hexvalue_data>]
Note
The data in the file must be binary and not textual. An object must already exist at the specified index. If data is read from file it can be set with lines in length of 16 or 32 bytes (i.e. hex_16 or hex_32). The default value is lines of 32 bytes.
In the following obj update
example the
value of the object at index 0 is updated.
>>> obj update -x 0 -h 0000 -h 998877665544332211
10.5.4.15. obj write¶
The obj write
command creates an object.
The value of the object to be created can be passed on the command line
or contained in a file. When using the -n
option the
requested segments will be reserved for the data object and filled with
zeros. If data is read from file it can be set with lines in length of
16 or 32 bytes (i.e. hex_16 or hex_32). The default value is lines of
32 bytes.
obj write -x <int> [-f <data.txt> -t [hex_16|hex_32] | -h <hexvalue_data> | -n <segments>]
In the following obj write
example an
zero filled object is created at index 0 with a size of 5 segments.
>>> obj write -x 0 -n 5
10.5.4.16. rcrt¶
The rcrt
command reads a certificate
from the GP storage area by index. Optionally, the command can save the
certificate read to a CRT file.
rcrt -x <int> [-c <certfile.crt>]
Note
The certificate data will be presented whether it was written to a file or not. The valid index range for certificates is is limited only by memory size.
In the following rcrt
example the
certificate at index 3 is read from the A71CH, upon success it is also
written to a CRT file.
>>> rcrt -x 3 -c certificate.crt
CER_DATA (LEN=520):
30820204308201A9020900CFD5820FFEC40937300A06082A8648CE3D04030230
8189310B30090603550406130242453116301406035504080C0D566C61616D73
42726162616E74310F300D06035504070C064C657576656E3111300F06035504
0A0C084E58502D44656D6F31163014060355040B0C0D4E58502D44656D6F2D55
6E6974310D300B06035504030C0464656D6F3117301506092A864886F70D0109
01160864656D6F406E7870301E170D3135313230373130353132395A170D3136
313230363130353132395A308188310B30090603550406130242453116301406
035504080C0D566C61616D7342726162616E74310F300D06035504070C064C65
7576656E310E300C060355040A0C05697063616D31123010060355040B0C0969
7063616D556E69743112301006035504030C09697063616D44656D6F31183016
06092A864886F70D0109011609697063616D406E78703059301306072A8648CE
3D020106082A8648CE3D03010703420004DB4CDB6C5A96C1615895095222AA0E
A3BC6F9E714D6438F0B120D691F18D7E7410EE04BE71D33A2D8B2D3B66F7174A
9654536965AFD2ABADB55269C6A6C0085E300A06082A8648CE3D040302034900
304602210083AA91AE33396825D560390952AEE91C64814C7CA681BA50589558
D681F974270221009BA1CF31A823B96C391E3C4F839666AECE9949639D796B24
A5B987A92E6F1CFA
10.5.4.17. refpem¶
Note
The reference keys created by the refpem
command are only compatible with the
A71CH OpenSSL Engine based upon the A71CH Legacy API. The A71CH OpenSSL Engine based
upon the SSS API use a different reference key format, these keys must be created with
the ssscli
tool.
The refpem
command allows to create A71CH OpenSSL Engine
specific reference pem files. It can be used in a mode that fetches the
public key value from the attached A71CH:
refpem -c <hex_value> -x <int> -r <ref_keyfile.pem>
Or it can be used in a ‘not-connected’ mode that fetches the public key value from a pem file (containing an EC key pair) supplied as an argument.
refpem -c <hex_value> -x <int> -k <keyfile.pem> -r <ref_keyfile.pem>
The value following the -c
switch must be either 10
(create a reference to a key pair) or 20 (create a reference to a public
key). The value following the -x
switch is the storage
index of either key pair or public key.
The following command creates a reference pem file ‘my_ref_keyfile.pem’ referring to a keypair stored at index 1.
refpem -c 10 -x 1 -r my_ref_keyfile.pem
10.5.4.18. script¶
The script
command can be used to issue the Configure
tool commands contained in a file.
script -f <script.txt>
An example of script file (script_example.txt)
root@imx6ulevk:~# cat script_example.txt
# Simple example script
info pair
gen pair -x 0
info pair # This will illustrate a key pair was created
The following example issues the commands contained in the script file above (script_example.txt)
>>> script -f script_example.txt
>> # Simple example script
>> info pair
Public Keys from ECC key pairs:
idx=0x00 n.a.
idx=0x01 n.a.
>> gen pair -x 0
>> info pair # This will illustrate a key pair was created
Public Keys from ECC key pairs:
idx=0x00 ECC_PUB (LEN=65):
04:A4:B3:3B:A3:D4:23:BD:19:C3:CB:20:DB:6F:D3:80:46:73:06:56:2F:83:B2:B1:AE:86:9A:EF:E9:7A:62:A3:
04:E7:C1:42:31:97:D5:19:5A:80:27:74:DC:20:EC:B7:93:9B:E5:C1:22:22:6B:E3:49:A4:FB:3A:5C:26:08:85:
B5
idx=0x01 n.a.
10.5.4.19. scp¶
The scp
command can be used to write a set of SCP03 keys
to the A71CH (‘scp put …’) or to establish an active SCP03 channel
between Host and A71CH (‘scp auth …’). The ‘scp clear_host’ command
will force the Host to issue commands in the clear again.
scp [put|auth] -h <hexvalue_keyversion> -k <keyfile>
scp clear_host
An example of a keyfile containing a set of SCP03 keys:
root@imx6ulevk:~# cat scp_keyfile_example.txt
# This is a comment, empty lines and comment lines allowed.
ENC AA112233445566778899AABBCCDDEEFF # Trailing comment
MAC BB112233445566778899AABBCCDDEEFF # Optional trailing comment
DEK CC112233445566778899AABBCCDDEEFF # Optional trailing comment
10.5.4.20. set¶
The set
command can be used to set a credential stored
on the A71CH to a specific value.
Note
The set gp
command
can only be used to set a maximum of 32 byte of data at a time.
The value of a key pair or public key can either be passed as command line parameters or be contained in a pem-file (containing an EC key pair).
The command line value
of the private key (set by the set pair
command) can be either in the clear or wrapped with the Configuration
key stored at index 1. Wrapping is according to
RFC3394.
The command line value of the public key (set by the
set pub
command) can be either in the
clear or wrapped with the Configuration key stored at index 2. In case
RFC3394 wrapping is applied
the first byte of the public key (the one indicating the public key
format) is removed before applying wrapping.
The value of the configure key, the monotonic counter or the symmetric secret can only be passed explicitly as a command line parameter. The configure and symmetric keys can also be set wrapped (with the stored value of the key) according to RFC3394.
Whether an argument is wrapped is implicit in the lenght of the provided argument.
set gp -h <hexvalue_offset> -h <hexvalue_data>
set pair -x <int> [-k <keyfile.pem> | -h <hexvalue_pub> -h <hexvalue_priv>]
set pub -x <int> [-k <keyfile.pem> | -h <hexvalue>]
set [cfg|cnt|sym] -x <int> -h <hexvalue>
The following example writes 5 byte of data at offset 0004 into the General Purpose data store. The data written (4137314348) is the equivalent of the ASCII encoding of the string ‘A71CH’. The command itself is preceded and followed by an info statement covering the general purpose storage segment of interest.
>>> info gp -h 0000 -n 1
GP Storage Data (1 segments from offset 0x0000):
0x0000 (LEN=32): 0000000000000000000000000000000000000000000000000000000000000000
>>> set gp -h 0004 -h 4137314348
>>> info gp -h 0000 -n 1
GP Storage Data (1 segments from offset 0x0000):
0x0000 (LEN=32): 0000000041373143480000000000000000000000000000000000000000000000
The following example set the key pair at index 1 from the value contained in file keyfile_ecc_nist_256_1.pem. The command itself is preceded and followed by an info statement on the stored key pairs.
>>> info pair
Public Keys from ECC key pairs:
idx=0x00 n.a.
idx=0x01 n.a.
>>> set pair -x 1 -k keyfile_ecc_nist_256_1.pem
ECCPrivateKey (LEN=32):
21:AF:C1:1E:F5:64:61:3D:2E:96:4D:8B:93:19:CC:AB:38:E0:7A:6E:35:3A:21:A3:D1:69:8B:19:13:DF:1D:FF
ECCPublicKey (LEN=65):
04:74:E2:1E:54:6C:C1:9E:31:58:55:B6:D5:45:D3:0D:3F:48:79:D4:64:5D:3F:67:73:75:FB:0B:2C:80:43:1E:
8D:34:95:71:0E:71:E1:E3:F8:93:62:75:B4:AC:F1:52:E3:DE:55:CC:1D:86:5E:B0:D1:22:A8:CF:35:EC:47:31:
F8
>>> info pair
Public Keys from ECC key pairs:
idx=0x00 n.a.
idx=0x01 ECC_PUB (LEN=65):
04:74:E2:1E:54:6C:C1:9E:31:58:55:B6:D5:45:D3:0D:3F:48:79:D4:64:5D:3F:67:73:75:FB:0B:2C:80:43:1E:
8D:34:95:71:0E:71:E1:E3:F8:93:62:75:B4:AC:F1:52:E3:DE:55:CC:1D:86:5E:B0:D1:22:A8:CF:35:EC:47:31:
F8
The value contained in file keyfile\_ecc\_nist\_256\_1.pem is
$ cat keyfile_ecc_nist_256_1.pem
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEICGvwR71ZGE9LpZNi5MZzKs44HpuNToho9FpixkT3x3/oAoGCCqGSM49
AwEHoUQDQgAEdOIeVGzBnjFYVbbVRdMNP0h51GRdP2dzdfsLLIBDHo00lXEOceHj
+JNidbSs8VLj3lXMHYZesNEiqM817Ecx+A==
-----END EC PRIVATE KEY-----
The following example sets the public key at index 0 to the provided public key value (in the clear, ANSI X9.62 uncompressed format). The command itself is preceded and followed by an info statement on the stored public key.
>>> info pub
Public Keys:
idx=0x00 n.a.
idx=0x01 n.a.
>>> set pub -x 0 -h 043802B1164C30860AC913F5F997B84158C40CFFCC1D3A4359BC22574A4FC95E628933A9E95820AD6B96A1DA106BDD5D6A8E556A78AE959C59336FE53E3A1D9ED4
>>> info pub
Public Keys:
idx=0x00 ECC_PUB (LEN=65):
04:38:02:B1:16:4C:30:86:0A:C9:13:F5:F9:97:B8:41:58:C4:0C:FF:CC:1D:3A:43:59:BC:22:57:4A:4F:C9:5E:
62:89:33:A9:E9:58:20:AD:6B:96:A1:DA:10:6B:DD:5D:6A:8E:55:6A:78:AE:95:9C:59:33:6F:E5:3E:3A:1D:9E:
D4
idx=0x01 n.a.
The following example sets the monotonic counter at index 0 to 00E0. The command itself is preceded and followed by an info statement on the stored monotonic counters.
>>> info cnt
Monotonic counter values:
idx=0x00 0x00000000
idx=0x01 0x00000000
>>> set cnt -x 0 -h 000000E0
>>> info cnt
Monotonic counter values:
idx=0x00 0x000000E0
idx=0x01 0x00000000
10.5.4.21. transport¶
The transport lock
command can be used
to enable the transport lock on the A71CH. To disable the transport lock
one needs to pass the transport key as an option value to the
transport unlock
command.
Note
A precondition to enable the transport lock is that the Transport Configuration key has been set: use ‘set cfg -x 0 -h <hexvalue_tpkey>’ to achieve this. Furthermore the transport lock / unlock cycle can only be initiated once.
transport [lock|unlock -h <hexvalue_tpkey>]
The following example sets the Transport Configuration key, locks the
device and finally unlocks the device. The info device
command is used to illustrate the value of the
transportLockState of the device.
>>> info device
...
transportLockState: 0x03 (Transport Lock NOT YET set)
...
>>> set cfg -x 0 -h AA112233445566778899AABBCCDDEEFF
>>> transport lock
>>> info device
...
transportLockState: 0x01 (Transport Lock is set)
...
>>> transport unlock -h AA112233445566778899AABBCCDDEEFF
>>> info device
A71CH in Debug Mode Version (SCP03 is not set up)
selectResponse: 0x0111
transportLockState: 0x02 (Open device, Transport Lock can no longer be set)
injectLockState: 0x02 (Unlocked)
gpStorageSize: 1024
uid (LEN=18):
47:90:70:02:47:91:12:10:20:89:00:50:36:91:64:23:00:00
10.5.4.22. ucrt¶
The ucrt
command updates a certificate
to the GP storage area by index. The certificate can be provided as raw
data (-h option), as a file in PEM format (-p option) or as a file in
DER format (-c option).
ucrt -x <int> [-c <certfile.crt> | -h <hexvalue_data> | -p <certfile.pem>]
Note
In case the certificate to be written is in PEM format it will be stored into the A71CH in DER format. The valid index range for certificates is is limited only by memory size.
In the following ucrt
example a certificate contained in
a PEM file (c:\certificate.pem) is stored into the A71CH at index 3.
>>> ucrt -x 3 -p c:\certificate.pem
Filename: c:\certificate.pem
Certificate Size (DER format) = 493 byte
10.5.4.23. wcrt¶
The wcrt
command writes a certificate to
the GP storage area by index. The certificate can be provided as raw
data (-h option), as a file in PEM format (-p option) or as a file in
DER format (-c option).
wcrt -x <int> [-c <certfile.crt> | -h <hexvalue_data> | -p <certfile.pem>] [-n <padding-segments>]
Note
Writing to an existing index will fail. Use the
ucrt
command to update the certificate
(taking into account certificate size constraints) or use the
ecrt
command to erase and then write the
new certificate. The valid index range for certificates is is limited
only by memory size. Using padding segments parameter creates an extra
place holder for future updates with larger certificates at the same
index without the need for erasing it first.
In case the certificate to be written is in PEM format it will be stored into the A71CH in DER format.
The rcrt
command
allows to read out a certificate by index.
In the following wcrt
example a certificate contained in
a PEM file (c:\certificate.pem) is stored into the A71CH at index 3.
>>> wcrt -x 3 -p c:\certificate.pem
Filename: c:\certificate.pem
Certificate Size (DER format) = 493 byte
10.5.5. Not connected mode¶
When starting up the A71CH Configure Tool it is possible to indicate no
attached A71CH device is required. This is achieved by preceding the
command (on the command line only) by the keyword nc
(not connected).
Currently the only application of this feature is the creation of Reference Pem files where the public key value is contained in a Pem file (containing an EC key pair) passed as argument.
The following command creates a reference pem file ‘my_ref_keyfile.pem’ referring to a public key (stored or to be stored) at index 0 whose value is contained in ‘kp_keyfile.pem’
root@imx6ulevk:~# ./a71chConfig_i2c_imx nc refpem -c 20 -x 0 -k kp_keyfile.pem -r my_ref_keyfile.pem
a71chConfig (Rev 0.94) .. NOT connecting to A71CH.
ECCPublicKey (LEN=65):
04:7C:59:16:D4:F5:46:B3:D3:17:20:78:F8:AD:41:84:9A:79:46:6B:5B:0B:FC:39:3D:4C:E1:A8:53:F5:4F:8D:
C2:98:65:F8:84:E9:9E:28:38:09:FF:29:34:B6:97:27:DB:6C:0A:F3:79:B0:D7:2C:16:25:B5:CB:B8:A2:CB:70:
89