Infineon OPTIGA™ Trust X - ECDSA Simple Example

nRF5 SDK v15.2.0

The Infineon OPTIGA™ Trust X - ECDSA Simple Example is an example project that demonstrates the major ECDSA-related cryptographic functions offered by Trust X.

Note
The Infineon OPTIGA™ Trust X hardware security module must be acquired separately. For more information, visit Infineon.com - OPTIGA™ Trust X SLS 32AIA .

This example application demonstrates the use of some of the Trust X features. It does not demonstrate a secured system. In a productive system, it depends on the system's security requirements and the system's security architecture, among other factors, which entity and processor conducts which operations (for example, a remote server, a cloud service, or a smartphone).

The example application uses the following two Infineon libraries:

The example application shows the initialization and three Trust X function groups, using the high-level command library ( Infineon OPTIGA™ Trust X Command Library ).

  1. Initialization:
    1. Initialize the Trust X hardware module using optiga_init() and optiga_open_application().
  2. Generation of random numbers:
    1. Retrieve 16 bytes of cryptographic-quality random numbers from Trust X using optiga_get_random().
  3. One-way authentication:
    1. Calculate a SHA-256 digest of a challenge, using optiga_calc_hash().
    2. Sign (ECDSA) the challenge digest using optiga_calc_sign().
    3. Read the Trust X device certificate using optiga_get_data_object().
    4. Verify the signature using mbed TLS and the public key contained in the device certificate.
  4. Key generation and message authentication:
    1. Generate an elliptic curve (EC) private/public key pair and export the public key, using optiga_generate_key_pair().
    2. Calculate a SHA-256 digest of a message, using optiga_calc_hash().
    3. Sign (ECDSA) the message digest using the generated private key.
    4. Verify the challenge signature with the exported public key, using optiga_verify_signature().
    5. Verify the challenge signature with the exported public key, using mbed TLS signature verification.

The result of each step is explained and output using NRF_LOG_RAW_INFO and NRF_LOG_RAW_HEXDUMP statements.

A sample output, as it can be observed with SEGGER RTT Viewer, looks similar to the following example:

Infineon OPTIGA(TM) Trust X ("Trust X") example for ECDSA
Initialize Trust X host library and I2C protocol.
Open Trust X application.
Retrieve random number (16 byte) from Trust X:
38 F3 A7 35 7F 9B 95 11|8..5....
6F 0B 8B 53 15 1F 6F 9B|o..S..o.
Calculate message digest (SHA-256) with Trust X:
2D D0 0B D7 7E 02 22 CE|-...~.".
D8 82 66 54 81 A9 C1 D9|..fT....
F9 07 30 9D 16 E0 5E D0|..0...^.
07 A1 EA 63 92 84 77 A9|...c..w.
Sign digest with protected private key OID_DEVICE_PRIVATE_KEY_1 inside Trust X:
30 44 02 20 50 A2 67 2E|0D. P.g.
D5 B8 60 43 1A DB D1 9F|..`C....
64 47 0F 5E FB AB 02 7A|dG.^...z
06 1F 60 F9 64 E0 FA D7|..`.d...
22 6F CA 4D 02 20 71 1F|"o.M. q.
FB 02 7C C2 2B 46 D1 AD|..|.+F..
83 79 7F 4B D6 67 DD 01|.y.K.g..
7A 36 48 83 28 41 82 03|z6H.(A..
11 93 5F EB 83 41 |.._..A
Retrieve Infineon public key certificate (OID_INFINEON_CERTIFICATE) from Trust X (output truncated):
30 82 01 C0 30 82 01 67|0...0..g
A0 03 02 01 02 02 04 01|........
02 03 0A 30 0A 06 08 2A|...0...*
86 48 CE 3D 04 03 02 30|.H.=...0
77 31 0B 30 09 06 03 55|w1.0...U
04 06 13 02 44 45 31 21|....DE1!
30 1F 06 03 55 04 0A 0C|0...U...
18 49 6E 66 69 6E 65 6F|.Infineo
6E 20 54 65 63 68 6E 6F|n Techno
6C 6F 67 69 65 73 20 41|logies A
Verify signature using mbed TLS and the certificate's public key:
OK - successfully verified!
Create key pair with Trust X in slot OID_DEVICE_PRIVATE_KEY_2 and print public key:
04 0B 48 0A E2 40 E5 46|[email protected]
DB 33 E4 E7 E5 DE 90 42|.3.....B
A8 94 92 30 E7 1E 5D 18|...0..].
36 75 31 CE CF C9 12 08|6u1.....
B7 6A 94 D9 27 22 77 2F|.j..'"w/
22 48 DC 62 C5 AF B9 DD|"H.b....
E0 CE 66 49 49 C8 DA 83|..fII...
A9 63 A6 76 49 B4 E8 76|.c.vI..v
12 |.
Calculate message digest (SHA-256) with Trust X:
AB 53 0A 13 E4 59 14 98|.S...Y..
2B 79 F9 B7 E3 FB A9 94|+y......
CF D1 F3 FB 22 F7 1C EA|...."...
1A FB F0 2B 46 0C 6D 1D|...+F.m.
Sign digest with generated private key OID_DEVICE_PRIVATE_KEY_2 inside Trust X:
30 46 02 21 00 E4 52 B0|0F.!..R.
29 CA F9 EE 91 FB 26 57|).....&W
C4 DE 95 5A C1 5C 1A C6|...Z.\..
94 8D C0 72 D3 C2 F7 22|...r..."
28 7A 68 D0 A8 02 21 00|(zh...!.
A9 0F 33 1A 40 EA 36 2B|[email protected]+
D3 82 58 6D 17 FB 3E 41|..Xm..>A
63 22 3C E3 E2 62 39 5F|c"<..b9_
8C 56 27 CE 64 32 E9 DD|.V'.d2..
Verify signature with Trust X using the generated public key:
OK - successfully verified!
Verify signature with mbed TLS using the generated public key:
OK - successfully verified!
Trust X example application finished.

Setup

You can find the source code and the project file of the example in the following folder: <InstallFolder>\examples\crypto\ifx_optiga_ecdsa_simple

Testing

Note
The application executes the described procedure once and then waits for an external reset.

Test the application by observing the debugging output via SEGGER J-Link RTT Viewer:

  1. Enable the nRF logging module (if not activated by default).
  2. Compile and program the application.
  3. Turn on SEGGER RTT Viewer to observe the output.
  4. Restart the app on the nRF52 device to observe the process again.

Alternatively, a debugger in any supported IDE can be used to step through the example application code in main.c and the host library files.