Secure Authenticator (Qi) Provisioning demo

This project is used to provision Qi credentials (ECDSA Key pair and Device certificate chain) inside the secure element.

Warning

This example is for demonstration purposes only. Maintaining and provisioning the credentials should be done in a secure way.

The user should update the credentials qi_ec_priv_key and qi_certificate_chain in demos/se05x/sa_qi_provisioning/sa_qi_credentials.c

By default the demo will provision the credentials for Slot ID 0. The user can update the macro QI_PROVISIONING_SLOT_ID in demos/se05x/sa_qi_provisioning/sa_qi_provisioning.h to provision for a different slot:

/* Update the SLOT_ID to provision for another slot
 * Valid values are 0, 1, 2, 3
 */
#define QI_PROVISIONING_SLOT_ID 0

This demo requires the credentials to be provisioned using a management credential. In this example we use the demo key provisioned at kEX_SSS_ObjID_APPLETSCP03_Auth (sss/ex/inc/ex_sss_objid.h) to open an AESKey session and provision the credentials. The user is expected to provision their own authentication key and use that for provisioning the Qi credentials by updating the macro EX_SSS_AUTH_SE05X_APPLETSCP_VALUE in sss/ex/inc/ex_sss_auth.h:

#define EX_SSS_AUTH_SE05X_APPLETSCP_AUTH_ID kEX_SSS_ObjID_APPLETSCP03_Auth

#define EX_SSS_AUTH_SE05X_APPLETSCP_VALUE                                 \
    {                                                                     \
        0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, \
        0x4B, 0x4C, 0x4D, 0x4E, 0x4F                                      \
    }

#define EX_SSS_AUTH_SE05X_APPLETSCP_VALUE2                                \
    {   0xea, 0x62, 0x04, 0x48, 0x0b, 0xf5, 0x19, 0xf6, 0xc2, 0xb7, 0x7f, \
        0xba, 0x8b, 0x2d, 0x57, 0x30                                      \
    }

Also see example Section 5.7.28 Delete and Test Provision for details on how to provision an authentication object.
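
The following pre-flight check is an added example, not part of the Plug & Trust middleware. It refuses to provision when the authentication key still equals one of the values published above or when the slot ID is outside 0 to 3. The function name qi_preflight, the status enum and the 16-byte key length are assumptions made for illustration.

```c
/* Added example: pre-flight guard, not part of the Plug & Trust middleware. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AUTH_KEY_LEN 16u   /* assumption: 16-byte AES key, as in the macros above */
#define QI_MAX_SLOT_ID 3u  /* valid slots on this page: 0, 1, 2, 3 */

typedef enum {
    PREFLIGHT_OK = 0,
    PREFLIGHT_BAD_SLOT,
    PREFLIGHT_BAD_KEY_LEN,
    PREFLIGHT_DEMO_KEY,     /* key equals a value published in ex_sss_auth.h */
    PREFLIGHT_CONSTANT_KEY  /* all bytes identical, e.g. all 0x00 or 0xFF */
} preflight_t;

/* Hypothetical helper: call before opening the AESKey session. */
preflight_t qi_preflight(const uint8_t *key, size_t len, unsigned slot_id)
{
    /* Both values are copied from this page; they are public, not secret. */
    static const uint8_t demo1[AUTH_KEY_LEN] = {
        0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
        0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F};
    static const uint8_t demo2[AUTH_KEY_LEN] = {
        0xea, 0x62, 0x04, 0x48, 0x0b, 0xf5, 0x19, 0xf6,
        0xc2, 0xb7, 0x7f, 0xba, 0x8b, 0x2d, 0x57, 0x30};
    size_t i, same = 1;

    if (slot_id > QI_MAX_SLOT_ID) return PREFLIGHT_BAD_SLOT;
    if (key == NULL || len != AUTH_KEY_LEN) return PREFLIGHT_BAD_KEY_LEN;
    if (memcmp(key, demo1, AUTH_KEY_LEN) == 0 || memcmp(key, demo2, AUTH_KEY_LEN) == 0)
        return PREFLIGHT_DEMO_KEY;
    /* Count bytes equal to the first one to catch constant-fill keys. */
    for (i = 1; i < len; i++) same += (key[i] == key[0]);
    return (same == len) ? PREFLIGHT_CONSTANT_KEY : PREFLIGHT_OK;
}

int main(void)
{
    /* Constructed sample key for illustration only; never hard-code a real one. */
    const uint8_t sample[AUTH_KEY_LEN] = {
        0x3c, 0x91, 0x07, 0xe5, 0xb2, 0x6a, 0xd8, 0x14,
        0x7f, 0x20, 0xc9, 0x5b, 0x86, 0xfd, 0x43, 0xae};
    uint8_t demo[AUTH_KEY_LEN];
    for (size_t i = 0; i < AUTH_KEY_LEN; i++) demo[i] = (uint8_t)(0x40 + i);
    printf("sample key, slot 0: %d\n", qi_preflight(sample, sizeof sample, 0));
    printf("demo key,   slot 0: %d\n", qi_preflight(demo, sizeof demo, 0));
    return 0;
}
```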

Pre-requisites

Building the Demo

Select CMake options:

  • PTMW_SCP=SCP03_SSS

  • PTMW_SE05X_Auth=AESKey

  • PTMW_SE05X_Ver=07_02

Build project:

  • Project: sa_qi_provisioning

Running the Example

If you have built a binary, flash the binary onto the board and reset the board.

If you have built an exe to be run from Windows using VCOM, run as:

sa_qi_provisioning.exe <PORT NAME>

Where <PORT NAME> is the VCOM COM port.

On successful execution, you should see logs like the following:

App :INFO :PlugAndTrust_v04.01.01_20220112
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :INFO :Qi Provisioning successful
App :INFO :Qi Provisioning Example Finished
App :INFO :ex_sss Finished