Generating an ECC keypair

[stefanomologni]

Dear all,
I'm trying to generate a new ECC keypair into OPTIGA chip. The code snippet is:

    _optiga_key_id = OPTIGA_KEY_ID_E0F0;
    
    return_status = optiga_crypt_ecc_generate_keypair(me,
                                                              OPTIGA_ECC_CURVE_NIST_P_384,
                                                              (uint8_t)OPTIGA_KEY_USAGE_SIGN,
                                                              FALSE,
                                                              &optiga_key_id,
    														  pub_key,
                                                              pub_key_size);_

This returns error 0x8007, but if I change position with optiga_key_id = OPTIGA_KEY_ID_E0F1; than works fine. Why?

Best regards,
Stefano

[ayushev]

If we are talking about generic OPTIGA Trust M chips, they are pre-provisioned by default with a X.509 Certificate and a corresponding private key. You can find more about this either here or here

So that certificate is provisioned at 0xe0e0 data slot and the private key is loaded at 0xe0f0. You can't change them generally speaking. it is possible to permanently remove them (only applied for the generic chips on the market) by chaning metadata.

0x8007 error is Access Conditions error, which means that you can't update the object as the change Access Conditions don't allow this. Please have a look at Solutions Reference Manual Table 72 page 104,

You have there a Key Object 0xe0f0, the default "Change" Access Condition for this object is "NEV (Never)", which means you can't update this private key (key generation is a key update procedure), but you can do this for other objects.

[stefanomologni]

Thank you.

We are talking about OPTIGA TRUST M SLS32AIA.

Simply I'll switch to 0xE0E1 for this applicatgion, thanks a lot!

Best regards,
Stefano

[stefanomologni]

It is programmed during production? How many bits has?

Do you know if it is possible to ask Infineon to "customize" this key during production? Can we ask for a specific bit size?

Thanks a lot

[ayushev]

It is programmed during production?

It is fixed only for the standard samples during the production, for customer specific orders this is completly flexible.

How many bits has?

Public Key Certificate SLots has a maximum of 1728 bytes per slot. More on this you can find in the Solution Reference Manual Table 76 Common data structures.

Do you know if it is possible to ask Infineon to "customize" this key during production? Can we ask for a specific bit size?

Sure, this is possible, no issues. You can ask for this either your Infineon contact or a distribution partner in your region who works with Infineon, if you have troubles to find this our you can look for the one here.

If you still need to replace that certificate and private key slots (this action is irrevertable) there is a way, but it requires some metadata manipulation. If you like I can explain it here.

[stefanomologni]

Ok!

Thanks a lot for your precious help.

Best regards,
Stefano