
How can I store a private ECDSA key in the KMS as a dynamic object ?

BEnge.1
Associate III

I would like to store two keys in the KMS as dynamic objects to use them in my UserApp project:

  • One public ECDSA key
  • One private ECDSA key

For the public key, I have as example the SBSFU_ECDSA_1_Verify key, so this should be fine. However, I don't know how to add an ECDSA private key. Is that explained somewhere? I find very little information about the KMS.

Thanks in advance,

Benjamin

Jocelyn RICARD
ST Employee

Hello @BEnge.1,

Documentation about this feature can be found in

1) UM2262

2) AN5056

The principle is to generate an authenticated, encrypted blob using the 2_Images_KMS_Blob project.

Once the blob is created, you download it using the same principle as a firmware update.

After reset, SBSFU installs the new key in the KMS.

Best regards

Jocelyn

Agree with Jocelyn, just pay attention to the parameters to declare the object in the BLOB project: ECDSA private key objects (object class CKO_PRIVATE_KEY, key type CKK_ECDSA) hold ECDSA private keys.

Fred
ST Employee

I checked with my KMS colleague and unfortunately KMS does not provide the ECDSA sign service.

So, yes, you can declare the key and store it but KMS will not be able to use it.

The declaration must follow these rules:

PKCS #11 Cryptographic Token Interface Current Mechanisms Specification Version 2.40 (oasis-open.org)

see section 2.3.4

BEnge.1
Associate III

@Fred Thank you for the precision. So if I am not able to use it, I think I will go for another algorithm (RSA), as I can see from the provided example project that it is possible to sign and verify using RSA.

If I use openssl to generate an RSA key pair, do you know how I can translate the .pem files to these objects:

(public)

[image: declaration of the public key object]

(private)

[image: declaration of the private key object]

Thanks,

Benjamin

Fred
ST Employee

There is an example of encoding in "kms_blob_example_keys.c".

But I can check with the colleague who developed it how he created the data.

BEnge.1
Associate III

Yes, I saw the example, but I was wondering how the data was generated. I think the required information can be found using

openssl rsa -in <my_key.key> -noout -text

but if you can check with your colleague that would be very much appreciated.

Unfortunately, nobody had to store lots of keys, so the colleagues who worked on it made the mapping manually.
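As an added example (not code from this thread, nor from ST's KMS blob project), the manual mapping Benjamin asks about can be scripted: the snippet below parses the dump printed by `openssl rsa -in <my_key.key> -noout -text` into the PKCS #11 RSA private-key attributes (CKA_MODULUS, CKA_PRIVATE_EXPONENT, CKA_PRIME_1, ...) and cross-checks them before they are copied into a blob object declaration. The exact C layout used in kms_blob_example_keys.c is not assumed, and the sample key is a constructed toy key, not a real one.

```python
import re

# openssl text label -> PKCS #11 attribute it maps to
FIELD_TO_ATTR = {"modulus": "CKA_MODULUS", "publicExponent": "CKA_PUBLIC_EXPONENT",
                 "privateExponent": "CKA_PRIVATE_EXPONENT", "prime1": "CKA_PRIME_1",
                 "prime2": "CKA_PRIME_2", "exponent1": "CKA_EXPONENT_1",
                 "exponent2": "CKA_EXPONENT_2", "coefficient": "CKA_COEFFICIENT"}

def _to_bytes(hex_lines):
    raw = bytes.fromhex("".join(hex_lines).replace(":", ""))
    # openssl prefixes a 00 byte when the top bit is set (ASN.1 sign byte);
    # PKCS #11 attribute values are plain unsigned big-endian integers
    return raw.lstrip(b"\x00") or b"\x00"

def parse_openssl_rsa_text(text):
    """Return {CKA_* name: bytes} from `openssl rsa -noout -text` output."""
    attrs, current, hex_lines = {}, None, []
    for line in text.splitlines():
        m = re.match(r"(\w+):\s*(.*)$", line)
        if m and m.group(1) in FIELD_TO_ATTR:
            if current is not None:
                attrs[current] = _to_bytes(hex_lines)
            current, hex_lines = FIELD_TO_ATTR[m.group(1)], []
            inline = re.match(r"\d+", m.group(2))  # "65537 (0x10001)" style
            if inline:
                v = int(inline.group())
                attrs[current] = v.to_bytes((v.bit_length() + 7) // 8, "big")
                current = None
        elif current is not None and line.startswith(" "):
            hex_lines.append(line.strip())  # indented hex continuation line
    if current is not None:
        attrs[current] = _to_bytes(hex_lines)
    return attrs

def check_rsa_attrs(a):
    """Cross-check n, d and the CRT values before declaring the object in a blob."""
    n, e, d, p, q, dp, dq, c = (int.from_bytes(a[k], "big") for k in (
        "CKA_MODULUS", "CKA_PUBLIC_EXPONENT", "CKA_PRIVATE_EXPONENT", "CKA_PRIME_1",
        "CKA_PRIME_2", "CKA_EXPONENT_1", "CKA_EXPONENT_2", "CKA_COEFFICIENT"))
    return (p * q == n and (e * d - 1) % (p - 1) == 0 and (e * d - 1) % (q - 1) == 0
            and dp == d % (p - 1) and dq == d % (q - 1) and c == pow(q, -1, p))

# Constructed sample in openssl's layout: a toy key with p = 193, q = 181, e = 7
# (a real dump has many 15-byte hex lines per field, parsed the same way).
SAMPLE_OPENSSL_TEXT = (
    "Private-Key: (16 bit, 2 primes)\nmodulus:\n    00:88:75\npublicExponent: 7 (0x7)\n"
    "privateExponent:\n    73:b7\nprime1:\n    00:c1\nprime2:\n    00:b5\n"
    "exponent1:\n    37\nexponent2:\n    67\ncoefficient:\n    10\n")
```

Run `check_rsa_attrs(parse_openssl_rsa_text(open("dump.txt").read()))` on a real dump; a False result means a field was mis-copied or a sign byte was left in place.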