Closed jin-tech1 closed 6 months ago
Hi @jin-tech1,
For Q1, do you mean you want to use the ECC private key stored inside 0xe0f1 as the CA key and the ECC certificate stored inside 0xe0e1 as the CA for the OpenSSL function, and you don't want to read out the cert from Trust M and save it as a file to use?
For Q2, "priv_key" is the private key for the Trust Anchor, which provides the integrity protection. You can use a simple OpenSSL command to generate it. For example: openssl ecparam -out ecc256_privkey.pem -name prime256v1 -genkey
We save a certificate into 0xe0e1 using trustm_cert -w 0xe0e1 -i [OUR CERT]. We would like to use this OID (0xe0e1) in the OpenSSL "ca" command, like:
openssl ca -keyform engine -engine trustm_engine -keyfile 0xe0fc:^ -cert 0xe0e1:* -config ca.conf -out cert.pem.crt -infiles test_csr.csr
Hi @jin-tech1, I see. Please give us some time to check and test it out. We will come back to you very soon. Thanks.
Hi,
Are there any updates on this issue? Thanks.
@jin-tech1 To support this function, we need to modify the code. We need more time to implement this. Thanks.
@jin-tech1 Are the scripts here: https://github.com/Infineon/linux-optiga-trust-m/tree/development_v3/scripts/openssl_trustm_as_CA useful for you? Thanks.
Hello, please help with the following questions.
[Q1] How to pass a certificate, saved in e.g. 0xe0e1, into the OpenSSL command "ca" using the trustm_engine? We also pass the key in, if this changes anything.
We would like to avoid writing the certificate to a file.
[Q2] When trying to write a new ECC key using the "Linux Tools for Integrity and Confidentiality Protected Update", what is the "priv_key" and how to generate one that fits our chip?
Thanks for the help