
I am trying to integrate the STSAFE-A110 into my product, but putting a key into STSAFEA_TAG_PRIVATE_KEY_SLOT always returns STSAFEA_INCONSISTENT_COMMAND_DATA

CWein.1
Associate II
pd stsafe: Upload ECDSA Private Key
pd stsafe: BusSend
pd stsafe: 10 13 00 08 2a 86 48 ce 3d 03 01 07 04 00 20 01 
pd stsafe: ef bc 56 8f ef 45 ef 23 ef 67 34 67 67 ef 01 00 
pd stsafe: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 
pd stsafe: 72 
pd stsafe: BusRecv
pd stsafe: 02 00 02 d3 6a 
stsafe service: StSafeA_ReceiveBytes() status_code: 0
stsafe service: stsafe replied status_code: 2
stsafe core: StSafeA_Receive() failed. status_code: 2 (Inconsistent Cmd Data)

Hi, I am trying to integrate an STSAFEA110 into my product for Authentication, but I cannot get it to work.

The first step, AFAICT, is to load the private key into the device, so that it can be used for signatures.

I have found StSafeA_PutPublicKeySlot but I cannot find a corresponding StSafeA_PutPrivateKeySlot.

See code: https://github.com/ISCA-HMU/WL55JC1_STSAFEA110_PKA_Secure_Bootloader/blob/9263f142d30dd9d610fd8251e156983866cce5fb/CM0PLUS/Middlewares/STSAFE_AXX0/CoreModules/Src/stsafea_core.c#L2963

I tried to use StSafeA_PutPublicKeySlot as a guide to create my own StSafeA_PutPrivateKeySlot, but it still returns errors.

The 256-bit key was generated with OpenSSL, ECDSA NIST_P_256.

How are we supposed to load the private key?

2 REPLIES
Benjamin BARATTE
ST Employee

Hi @CWein.1,

Thanks for your interest in the STSAFE-A110 solution.

Regarding your question, the STSAFE-A110 secure element does not allow injecting a private key into a private key slot.

You can use private key slot 0, which is pre-provisioned with a NIST P256 private key (you will find the associated public key in the X.509 certificate in memory region 0).

You can also use private key slot 1 to generate a new private key; the return of StSafeA_GenerateKeyPair() will give you the associated public key.

Could you share more information regarding your use case so we can check how to implement it with STSAFE-A110?

Best Regards,

Benjamin

CWein.1
Associate II

Thank you for the clear answer!

There is no reason to load my own private key, other than I thought that it "would be simpler".

But in retrospect, the way you describe makes much more sense, and is more secure. I should just sign the STSAFE's public key with my CA, and load the signed public cert back into the STSAFE.

Thank you for the explanation! I don't know if that would have ever crossed my mind otherwise!

Best,

Chip
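
The flow this thread converges on (key pair generated on the device, public key certified by your own CA, verifier checks a signed challenge against that certificate) can be rehearsed on a host with OpenSSL. This is an added example, not part of the original posts or ST's code: `device.key` is a software stand-in for the slot 1 key, and all file and subject names are constructed. The resulting `device.crt` is the certificate that would be written back to the STSAFE.

```shell
#!/bin/sh
# Host-side simulation; file names and subject names are constructed.
# device.key stands in for the key pair the secure element generates in
# slot 1: on real hardware the private key never leaves the chip and only
# the public key (device.pub here) reaches the host.

gen_p256() { openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null; }

# Create a test CA, then certify the device's exported public key.
enroll() (  # $1 = working directory
    cd "$1" &&
    gen_p256 ca.key &&
    openssl req -x509 -new -key ca.key -sha256 -days 30 \
        -subj "/CN=Constructed Test CA" -out ca.crt &&
    gen_p256 device.key &&
    openssl ec -in device.key -pubout -out device.pub 2>/dev/null &&
    # The CSR only carries the subject; it is signed by a throwaway key and
    # -force_pubkey puts the device's public key into the issued certificate.
    gen_p256 throwaway.key &&
    openssl req -new -key throwaway.key -subj "/CN=device-0001" -out device.csr &&
    openssl x509 -req -in device.csr -force_pubkey device.pub -CA ca.crt \
        -CAkey ca.key -CAcreateserial -sha256 -days 30 -out device.crt 2>/dev/null
)

# Stand-in for the chip signing a challenge with its private key slot.
device_sign() (  # $1 = dir, $2 = challenge file, $3 = signature file
    cd "$1" && openssl dgst -sha256 -sign device.key -out "$3" "$2"
)

# Verifier: the certificate must chain to the CA, and the signature over the
# challenge must verify under the public key taken from that certificate.
authenticate() (  # $1 = dir, $2 = challenge file, $3 = signature file
    cd "$1" &&
    openssl verify -CAfile ca.crt device.crt >/dev/null 2>&1 &&
    openssl x509 -in device.crt -pubkey -noout > cert.pub &&
    openssl dgst -sha256 -verify cert.pub -signature "$3" "$2" >/dev/null 2>&1
)

demo() (
    d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT &&
    enroll "$d" &&
    openssl rand -out "$d/nonce.bin" 32 &&   # fresh challenge per attempt
    device_sign "$d" nonce.bin sig.bin &&
    authenticate "$d" nonce.bin sig.bin && echo "device authenticated"
)
demo
```

A signature captured for one challenge does not verify against a different one, which is why the verifier generates a new random challenge for every authentication attempt.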