{"id":13830663,"url":"https://github.com/Infineon/linux-optiga-trust-m","last_synced_at":"2025-07-09T12:30:59.218Z","repository":{"id":41285612,"uuid":"175434862","full_name":"Infineon/linux-optiga-trust-m","owner":"Infineon","description":"Linux tools and examples for OPTIGA™ Trust V1/V3 security solution","archived":false,"fork":false,"pushed_at":"2024-11-06T05:37:12.000Z","size":5473,"stargazers_count":22,"open_issues_count":1,"forks_count":18,"subscribers_count":8,"default_branch":"provider_dev","last_synced_at":"2024-11-12T22:42:31.661Z","etag":null,"topics":["cryptography","ecc","linux","openssl","openssl-engine","openssl-provider","optiga-trust","rsa"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Infineon.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-03-13T14:15:49.000Z","updated_at":"2024-11-06T05:37:15.000Z","dependencies_parsed_at":"2023-09-23T02:28:43.992Z","dependency_job_id":"78ec8794-cb85-4eed-b1ec-ca5fe9212ee1","html_url":"https://github.com/Infineon/linux-optiga-trust-m","commit_stats":null,"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Infineon%2Flinux-optiga-trust-m","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Infineon%2Flinux-optiga-trust-m/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Infineon%2Flinux-optiga-trust-m/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Infineon%2Flinux-optiga-trust-m/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Infineon","download_url":"https://codeload.github.com/Infineon/linux-optiga-trust-m/tar.gz/refs/heads/provider_dev","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225539485,"owners_count":17485338,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","ecc","linux","openssl","openssl-engine","openssl-provider","optiga-trust","rsa"],"created_at":"2024-08-04T10:01:05.095Z","updated_at":"2025-07-09T12:30:59.210Z","avatar_url":"https://github.com/Infineon.png","language":"C","funding_links":[],"categories":["C"],"sub_categories":[],"readme":"# Linux tools and examples\u003c/br\u003e for OPTIGA™ Trust V1/V3 security solution\r\n\r\n- [Linux tools and examples for OPTIGA™ Trust V1/V3 security solution](#linux-tools-and-examples-for-optiga-trust-m1m3-security-solution)\r\n - [About](#about)\r\n - [Prerequisites](#prerequisites)\r\n - [Getting Started](#getting-started)\r\n - [Getting the Code from Github](#getting-the-code-from-github)\r\n - [First time building the library](#first-time-building-the-library)\r\n - [CLI Tools Usage](#cli-tools-usage)\r\n - [Important Notes:](#important-notes)\r\n - [trustm\\_cert](#trustm_cert)\r\n - [trustm\\_chipinfo](#trustm_chipinfo)\r\n - [trustm\\_data](#trustm_data)\r\n - [trustm\\_ecc\\_keygen](#trustm_ecc_keygen)\r\n - [trustm\\_ecc\\_sign](#trustm_ecc_sign)\r\n - [trustm\\_ecc\\_verify](#trustm_ecc_verify)\r\n - [trustm\\_errorcode](#trustm_errorcode)\r\n - [trustm\\_metadata](#trustm_metadata)\r\n - [trustm\\_monotonic\\_counter](#trustm_monotonic_counter)\r\n - [trustm\\_read\\_data](#trustm_read_data)\r\n - [trustm\\_readmetadata\\_data](#trustm_readmetadata_data)\r\n - [trustm\\_readmetadata\\_private](#trustm_readmetadata_private)\r\n - [trustm\\_readmetadata\\_status](#trustm_readmetadata_status)\r\n - [trustm\\_read\\_status](#trustm_read_status)\r\n - [trustm\\_rsa\\_dec](#trustm_rsa_dec)\r\n - [trustm\\_rsa\\_enc](#trustm_rsa_enc)\r\n - [trustm\\_rsa\\_keygen](#trustm_rsa_keygen)\r\n - [trustm\\_rsa\\_sign](#trustm_rsa_sign)\r\n - [trustm\\_rsa\\_verify](#trustm_rsa_verify)\r\n - [trustm\\_symmetric\\_keygen](#trustm_symmetric_keygen)\r\n - [trustm\\_symmetric\\_enc](#trustm_symmetric_enc)\r\n - [trustm\\_symmetric\\_dec](#trustm_symmetric_dec)\r\n - [trustm\\_hkdf](#trustm_hkdf)\r\n - [trustm\\_rng](#trustm_rng)\r\n - [trustm\\_hash](#trustm_hash)\r\n - [trustm\\_hmac](#trustm_hmac)\r\n - [trustm\\_hmac\\_verify\\_Auth](#trustm_hmac_verify_auth)\r\n - [trustm\\_protected\\_update](#trustm_protected_update)\r\n - [trustm\\_protected\\_update\\_aeskey](#trustm_protected_update_aeskey)\r\n - [trustm\\_protected\\_update\\_ecckey](#trustm_protected_update_ecckey)\r\n - [trustm\\_protected\\_update\\_rsakey](#trustm_protected_update_rsakey)\r\n - [trustm\\_protected\\_update\\_data](#trustm_protected_update_data)\r\n - [trustm\\_update\\_with\\_PBS\\_Auto](#trustm_update_with_pbs_auto)\r\n - [trustm\\_probe](#trustm_probe)\r\n - [OPTIGA™ Trust M OpenSSL Provider usage](#provider_usage)\r\n - [rand](#rand)\r\n - [req](#req)\r\n - [pkey](#pkey)\r\n - [KeyGen with public key as output](#keygen-with-public-key-as-output)\r\n - [KeyGen with Reference Keys in file format as output ](#keygen-with-reference-keys-in-file-format-as-output)\r\n - [pkeyutl](#pkeyutl)\r\n - [Sign using Labels with key id](#sign-using-labels-with-key-id)\r\n - [Sign using Reference Keys in file format ](#sign-using-reference-keys-in-file-format)\r\n - [Referencing keys in OPTIGA™ Trust M](#referencing-keys-in-optiga-trust-m)\r\n - [Testing TLS connection with ECC key](#testing-tls-connection-with-ecc-key)\r\n - [Scenario where OPTIGA™ Trust M is on the client ](#test_tls_ecc_client)\r\n - [Scenario where OPTIGA™ Trust M is on the server ](#test_tls_ecc_server)\r\n - [Testing TLS connection with ECC Reference key in file format](#test_tls_ecc_file)\r\n - [Testing Curl connection using ECC Reference key in file format](#test_curl_ecc_file)\r\n - [Testing TLS connection with RSA key](#test_tls_rsa)\r\n - [Scenario where OPTIGA™ Trust M is on the client ](#test_tls_rsa_client)\r\n - [Scenario where OPTIGA™ Trust M is on the server ](#test_tls_rsa_server)\r\n - [Generating a Test Server Certificate](#test_server_cert)\r\n - [Using OPTIGA™ Trust M OpenSSL provider to sign and issue certificate](#using-optiga-trust-m-openssl-provider-to-sign-and-issue-certificate)\r\n - [Known observations](#known-observations)\r\n - [Secure communication bypass](#secure-communication-bypass)\r\n\r\n## \u003ca name=\"about\"\u003e\u003c/a\u003eAbout\r\n\r\nThis is a Linux Tools for OPTIGA Trust V1/V3 on Linux platform that consist of:\r\n\r\n- [Command Line Interface examples](#cli_usage)\r\n- [OpenSSL Provider](#provider_usage)\r\n\r\n\r\n### \u003ca name=\"prerequisites\"\u003e\u003c/a\u003ePrerequisites\r\n\r\nFollowing is the software component to build the tools :\r\n* GCC\r\n* OpenSSL 3.x\r\n* OPTIGA Trust V3 library (source code)\r\n* pthread\r\n* rt\r\n\r\n\r\nHardware platforms and boards:\r\n* Raspberry PI 4 on Linux kernel \u003e= 5.15\r\n\r\n* Micro SD card (≥16GB)\r\n\r\n* [S2GO SECURITY OPTIGA™ Trust M](https://www.infineon.com/cms/en/product/evaluation-boards/s2go-security-optiga-m/) paired with [OPTIGA™ Trust M MTR SHIELD](https://www.infineon.com/cms/en/product/evaluation-boards/trust-m-mtr-shield/)\r\n\r\n* [Shield2Go Adapter for Raspberry Pi](https://www.infineon.com/cms/en/product/evaluation-boards/s2go-adapter-rasp-pi-iot/) paired with [Pi Click Shield](https://www.mikroe.com/pi-4-click-shield) \r\n\r\n \r\n \r\n Note: OPTIGA™ Trust M Provider is tested on Linux Raspberry PI 6.6.31+rpt-rpi--v8 aarch64 with OpenSSL 3.0.14 pre-installed\r\n \r\n ![](/pictures/connection_diagram1.png)\r\n \r\n Figure 1 Connection for S2GO SECURITY OPTIGA™ Trust M using Shield2Go Adapter\r\n \r\n ![](pictures/HardwareSetup.png)\r\n \r\n Figure 2 Hardware Setup for S2GO SECURITY OPTIGA™ Trust M using Shield2Go Adapter\r\n \r\n ![](/pictures/rpi_mikro_connection.png)\r\n\r\n​ Figure 3 Hardware Setup for OPTIGA™ Trust M MTR SHIELD using Pi Click Shield\r\n\r\n## \u003ca name=\"getting_started\"\u003e\u003c/a\u003eGetting Started\r\n\r\n### \u003ca name=\"getting_code\"\u003e\u003c/a\u003eGetting the Code from GitHub\r\n\r\nGetting the initial code from GitHub with submodules\r\n\r\n```\r\ngit clone --recurse-submodules https://github.com/Infineon/linux-optiga-trust-m.git\r\n```\r\n\r\n### \u003ca name=\"build_lib\"\u003e\u003c/a\u003eFirst time building the library\r\nRun the commands below in sequence to install the required dependencies and the OPTIGA™ Trust M provider. \r\n\r\n cd linux-optiga-trust-m\r\n ./trustm_installation_script.sh\r\n\r\nNote: \r\n\r\nEnable I2C interface for Raspberry Pi to communicate with OPTIGA™ Trust M\r\n\r\n## \u003ca name=\"cli_usage\"\u003e\u003c/a\u003eCLI Tools Usage\r\n\r\n### Important Notes: \r\n1. To pair the host with OPTIGA™ Trust M, please run the test script \"write_default_shared_secret\" inside \"**linux-optiga-trust-m/scripts/misc/**\" to write the default shared secret into OPTIGA™ Trust M.\r\n2. For secuirty reason, all commands in the following examples are with \"**Shielded Connection Enabled**\" and hence will increase the security counter by one. It is at the user discretion to disable \"**Shielded Connection**\" by using \"**-X**\" option if required by the application. \r\n\r\n### \u003ca name=\"trustm_cert\"\u003e\u003c/a\u003etrustm_cert\r\n\r\nRead/Write/Clear certificate from/to certificate data object. Output and input certificate in PEM format.\r\n\r\n```console\r\n./bin/trustm_cert\r\nHelp menu: trustm_cert \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-r \u003cCert OID\u003e \t: Read Certificate from OID 0xNNNN \r\n-w \u003cCert OID\u003e \t: Write Certificte to OID\r\n-o \u003cfilename\u003e \t: Output certificate to file \r\n-i \u003cfilename\u003e \t: Input certificate to file \r\n-c \u003cCert OID\u003e : Clear cert OID data to zero \r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\nExample : read OID 0xE0E0 and output the certification to teste0e0.crt\r\n\r\n```console\r\n./bin/trustm_cert -r 0xe0e0 -o teste0e0.crt\r\n========================================================\r\nOID : 0xE0E0 \r\nOutput File Name : teste0e0.crt \r\nSuccess!!!\r\n========================================================\r\n\r\ncat teste0e0.crt \r\n-----BEGIN CERTIFICATE-----\r\nMIIB2DCCAX6gAwIBAgIEERCFGjAKBggqhkjOPQQDAjByMQswCQYDVQQGEwJERTEh\r\nMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRMwEQYDVQQLDApPUFRJ\r\nR0EoVE0pMSswKQYDVQQDDCJJbmZpbmVvbiBPUFRJR0EoVE0pIFRydXN0IE0gQ0Eg\r\nMTAxMB4XDTE5MDYxODA2MzAxMFoXDTM5MDYxODA2MzAxMFowHDEaMBgGA1UEAwwR\r\nSW5maW5lb24gSW9UIE5vZGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQRjgnP\r\n/Cuv2C6aEHEiIib60TBi8TU0GN6LXMKAShMUNd6yYosO3Cv3XExwWVqkbeAIrXRo\r\ngM3bPK7w5CRWu8hqo1gwVjAOBgNVHQ8BAf8EBAMCAIAwDAYDVR0TAQH/BAIwADAV\r\nBgNVHSAEDjAMMAoGCCqCFABEARQBMB8GA1UdIwQYMBaAFDwwjFzViuijXTKA5FSD\r\nsv/Nhk0jMAoGCCqGSM49BAMCA0gAMEUCIQC5y2fv2p1VS41jSX72pl/B3am+Oboy\r\nB1ItWszBjNzc0AIgEiPyApU78Oif0drcgQhH0qfxaKPJAFySCb2wpHYy6Uc=\r\n-----END CERTIFICATE-----\r\n```\r\n\r\nExample : write certificate teste0e0.crt into OID 0xE0E1\r\n\r\n```console\r\n./bin/trustm_cert -w 0xe0e1 -i teste0e0.crt \r\n========================================================\r\nSuccess!!!\r\n========================================================\r\n```\r\n\r\nExample : clear certificate store in OID 0xE0E1\r\n\r\n```console\r\n./bin/trustm_cert -c 0xe0e1\r\n========================================================\r\nCleared.\r\n========================================================\r\n```\r\n\r\n### \u003ca name=\"trustm_chipinfo\"\u003e\u003c/a\u003etrustm_chipinfo\r\n\r\nDisplay the OPTIGA™ Trust M chip information\r\n\r\n```console\r\n./bin/trustm_chipinfo \r\nRead Chip Info [0xE0C2]: Success.\r\n========================================================\r\nCIM Identifier [bCimIdentifer]: 0xcd\r\nPlatform Identifer [bPlatformIdentifier]: 0x16\r\nModel Identifer [bModelIdentifier]: 0x33\r\nID of ROM mask [wROMCode]: 0x8201\r\nChip Type [rgbChipType]: 0x00 0x1c 0x00 0x05 0x00 0x00\r\nBatch Number [rgbBatchNumber]: 0x0a 0x09 0x1b 0x5c 0x00 0x07\r\nX-coordinate [wChipPositionX]: 0x0020\r\nY-coordinate [wChipPositionY]: 0x008e\r\nFirmware Identifier [dwFirmwareIdentifier]: 0x80101071\r\nBuild Number [rgbESWBuild]: 08 09\r\n\r\nChip software build: \r\nOPTIGA(TM) Trust M rev.1; Firmware Version: 1.30.809\r\n========================================================\r\n```\r\n\r\n### \u003ca name=\"trustm_data\"\u003e\u003c/a\u003etrustm_data\r\n\r\nRead/Write/Erase OID data object in raw format.\r\n\r\n```console\r\n./bin/trustm_data \r\nHelp menu: trustm_data \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-r \u003cOID\u003e : Read from OID 0xNNNN \r\n-w \u003cOID\u003e : Write to OID\r\n-i \u003cfilename\u003e : Input file \r\n-I \u003cvalue\u003e : Input byte value \r\n-o \u003cfilename\u003e : Output file \r\n-p \u003coffset\u003e : Offset position \r\n-e : Erase and write \r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\nExample : writing text file 1234.txt into OID 0xE0E1 and reading after writing\r\n\r\n```console\r\ncat 1234.txt \r\n1234\r\n\r\n./bin/trustm_data -w 0xe0e1 -i 1234.txt\r\n========================================================\r\nDevice Public Key [0xE0E1] Offset: 0\r\nInput data : \r\n\t31 32 33 34 0a \r\nWrite Success.\r\n========================================================\r\n\r\n./bin/trustm_data -r 0xe0e1\r\n========================================================\r\nDevice Public Key [0xE0E1] [Size 0005] : \r\n\t31 32 33 34 0a \r\n========================================================\r\n```\r\n\r\nExample : erase with offset OID 0xE0E1\r\n\r\n```console\r\n./bin/trustm_data -w 0xe0e1 -e -p 10 -i 1234.txt\r\n========================================================\r\nDevice Public Key [0xE0E1] Offset: 10\r\nInput data : \r\n\t31 32 33 34 0a \r\nWrite Success.\r\n========================================================\r\n\r\n./bin/trustm_data -r 0xe0e1\r\n========================================================\r\nDevice Public Key [0xE0E1] [Size 0015] : \r\n\t00 00 00 00 00 00 00 00 00 00 31 32 33 34 0a \r\n========================================================\r\n```\r\n\r\n### \u003ca name=\"trustm_ecc_keygen\"\u003e\u003c/a\u003etrustm_ecc_keygen\r\n\r\nGenerate OPTIGA™ Trust M ECC key pair. Key type can be or together to form multiple type.\r\n\r\n```console\r\n./bin/trustm_ecc_keygen \r\nHelp menu: trustm_ecc_keygen \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-g \u003cKey OID\u003e : Generate ECC Key in OID 0xNNNN \r\n-t \u003ckey type\u003e : Key type Auth:0x01 Enc :0x02 HFWU:0x04\r\n DevM:0X08 Sign:0x10 Agmt:0x20\r\n [default Auth]\r\n-k \u003ckey size\u003e : Key size ECC256:0x03 ECC384:0x04 ECC521:0x05\r\n BRAINPOOL256:0x13 BRAINPOOL384:0x15 BRAINPOOL512:0x16\r\n [default ECC256]\r\n-o \u003cfilename\u003e : Output Pubkey to file in PEM format\r\n-s : Save Pubkey in \u003cKey OID + 0x10E0\u003e\r\n For ECC521/BRAINPOOL512: \r\n Save Pubkey in \u003cKey OID + 0x10EF\u003e\r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\n**Note:** For ECC521/BRAINPOOL512 keygen with \"**-s**\", the private key slot can only be chosen from 0xE0F1 and 0xE0F2 if you want to save the public key into the data objects. User may make use of \"**-o**\" option to output public key to file. \r\n\r\nFor private key slot 0xE0F1, the public key will be stored in 0xF1E0.\r\n\r\nFor private key slot 0xE0F2, the public key will be stored in 0xF1E1.\r\n\r\nExample : generate an ECC256 key with type Auth/Enc/Sign in OID 0xE0F3 and save pubkey in OID 0xF1D3.\r\n\r\n```console\r\n./bin/trustm_ecc_keygen -g 0xe0f3 -t 0x13 -k 0x03 -o test_e0f3_pub.pem -s\r\n========================================================\r\nGenerating Key to 0xE0F3\r\nOutput File Name : test_e0f3_pub.pem \r\nPubkey :\r\n\t30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A \r\n\t86 48 CE 3D 03 01 07 03 42 00 04 F1 55 65 CB 42 \r\n\tFB 3E 58 DB C6 9F 67 E8 FC D3 48 F6 AA 5F 13 2D \r\n\tF6 3B A7 90 22 B4 B6 D3 4E 5B BB 98 AB 46 97 BD \r\n\t2A 03 A6 27 A5 4D FB 95 C2 BB 9A D3 AF A9 4E A7 \r\n\tD6 A1 63 9F 93 B6 71 57 07 E6 00 \r\nWrite Success to OID: 0xF1D3.\r\n========================================================\r\n\r\ncat test_e0f3_pub.pem \r\n-----BEGIN PUBLIC KEY-----\r\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8VVly0L7Pljbxp9n6PzTSPaqXxMt\r\n9junkCK0ttNOW7uYq0aXvSoDpielTfuVwrua06+pTqfWoWOfk7ZxVwfmAA==\r\n-----END PUBLIC KEY-----\r\n\r\n./bin/trustm_data -r 0xf1d3\r\n========================================================\r\nApp DataStrucObj type 3 [0xF1D3] [Size 0091] : \r\n\t30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A \r\n\t86 48 CE 3D 03 01 07 03 42 00 04 F1 55 65 CB 42 \r\n\tFB 3E 58 DB C6 9F 67 E8 FC D3 48 F6 AA 5F 13 2D \r\n\tF6 3B A7 90 22 B4 B6 D3 4E 5B BB 98 AB 46 97 BD \r\n\t2A 03 A6 27 A5 4D FB 95 C2 BB 9A D3 AF A9 4E A7 \r\n\tD6 A1 63 9F 93 B6 71 57 07 E6 00 \r\n========================================================\r\n```\r\n\r\n### \u003ca name=\"trustm_ecc_sign\"\u003e\u003c/a\u003etrustm_ecc_sign\r\n\r\nSimple demo to show the process to sign using OPTIGA™ Trust M ECC key.\r\n\r\n*Note : to output OpenSSL signature format used -o*\r\n\r\n```console\r\n./bin/trustm_ecc_sign \r\nHelp menu: trustm_ecc_sign \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-k \u003cOID Key\u003e : Select ECC key for signing OID (0xE0F0-0xE0F3) \r\n-o \u003cfilename\u003e : Output to file with header\r\n-O \u003cfilename\u003e : Output to file without header\r\n-i \u003cfilename\u003e : Input Data file\r\n-H : Hash before sign\r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\nExample : Hash and sign the file helloworld.txt with key OID 0xE0F3 and output to testsignature.bin\r\n\r\n```console\r\n./bin/trustm_ecc_sign -k 0xe0f3 -o testsignature.bin -i helloworld.txt -H\r\n========================================================\r\nOID Key : 0xE0F3\r\nOutput File Name : testsignature.bin \r\nInput File Name : helloworld.txt \r\nHash Success : SHA256\r\n\t8C D0 7F 3A 5F F9 8F 2A 78 CF C3 66 C1 3F B1 23 \r\n\tEB 8D 29 C1 CA 37 C7 9D F1 90 42 5D 5B 9E 42 4D \r\n\t\r\nfilesize: 11\r\nSuccess\r\n========================================================\r\n\r\nhd testsignature.bin \r\n00000000 30 44 02 20 14 ea 77 98 ed 26 89 40 22 bb a0 60 |0D. ..w..\u0026.@\"..`|\r\n00000010 c5 1f 01 8f 65 21 7a 98 0d 63 73 03 4e ea 13 39 |....e!z..cs.N..9|\r\n00000020 0c ed 58 8a 02 20 2a 7b fc 7a dd 2e 75 86 41 f5 |..X.. *{.z..u.A.|\r\n00000030 43 14 ec e8 14 34 6b 2a 20 68 23 eb 14 ec 59 2f |C....4k* h#...Y/|\r\n00000040 37 04 37 44 62 c9 |7.7Db.|\r\n00000046\r\n```\r\n\r\n### \u003ca name=\"trustm_ecc_verify\"\u003e\u003c/a\u003etrustm_ecc_verify\r\n\r\nSimple demo to show the process to verify using OPTIGA™ Trust M library.\r\n\r\n```console\r\n./bin/trustm_ecc_verify \r\nHelp menu: trustm_ecc_verify \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-k \u003cOID Key\u003e : Use Certificate from OID [0xE0E1-E0E3]\r\n-p \u003cpubkey\u003e : Use Pubkey file\r\n-i \u003cfilename\u003e : Input Data file\r\n-s \u003csignature\u003e : Signature file\r\n-H : Hash input before verify\r\n-X : Bypass Shielded Communication \r\n-h : Print this help\r\n```\r\n\r\nExample : verifying a signature using external public key.\r\n\r\n```console\r\n./bin/trustm_ecc_verify -i helloworld.txt -s testsignature.bin -p test_e0f3_pub.pem -H\r\n========================================================\r\nPubkey file : test_e0f3_pub.pem\r\nInput File Name : helloworld.txt \r\nSignature File Name : testsignature.bin \r\nHash Digest : \r\n\t8C D0 7F 3A 5F F9 8F 2A 78 CF C3 66 C1 3F B1 23 \r\n\tEB 8D 29 C1 CA 37 C7 9D F1 90 42 5D 5B 9E 42 4D \r\n\t\r\nSignature : \r\n\t02 20 14 EA 77 98 ED 26 89 40 22 BB A0 60 C5 1F \r\n\t01 8F 65 21 7A 98 0D 63 73 03 4E EA 13 39 0C ED \r\n\t58 8A 02 20 2A 7B FC 7A DD 2E 75 86 41 F5 43 14 \r\n\tEC E8 14 34 6B 2A 20 68 23 EB 14 EC 59 2F 37 04 \r\n\t37 44 62 C9 \r\nPub key : [256]\r\n\t03 42 00 04 F1 55 65 CB 42 FB 3E 58 DB C6 9F 67 \r\n\tE8 FC D3 48 F6 AA 5F 13 2D F6 3B A7 90 22 B4 B6 \r\n\tD3 4E 5B BB 98 AB 46 97 BD 2A 03 A6 27 A5 4D FB \r\n\t95 C2 BB 9A D3 AF A9 4E A7 D6 A1 63 9F 93 B6 71 \r\n\t57 07 E6 00 \r\nVerify Success.\r\n========================================================\r\n```\r\n\r\nExample : verifying using certificate store in OID 0xE0E3.\r\n\r\n*Note : This example assume you have a valid x.509 certificate with key usage for signature store in OID 0xE0E3 and data is signed by the private key of the x.509 certificate.* \r\n\r\n```console\r\n./bin/trustm_ecc_verify -i helloworld.txt -s testsignature.bin -k 0xe0e3 -H\r\n========================================================\r\nOID Cert : 0xE0E3\r\nInput File Name : helloworld.txt \r\nSignature File Name : testsignature.bin \r\nHash Digest : \r\n\t8C D0 7F 3A 5F F9 8F 2A 78 CF C3 66 C1 3F B1 23 \r\n\tEB 8D 29 C1 CA 37 C7 9D F1 90 42 5D 5B 9E 42 4D \r\n\t\r\nSignature : \r\n\t02 20 14 EA 77 98 ED 26 89 40 22 BB A0 60 C5 1F \r\n\t01 8F 65 21 7A 98 0D 63 73 03 4E EA 13 39 0C ED \r\n\t58 8A 02 20 2A 7B FC 7A DD 2E 75 86 41 F5 43 14 \r\n\tEC E8 14 34 6B 2A 20 68 23 EB 14 EC 59 2F 37 04 \r\n\t37 44 62 C9 \r\nVerify Success.\r\n\r\n========================================================\r\n```\r\n\r\n### \u003ca name=\"trustm_errorcode\"\u003e\u003c/a\u003etrustm_errorcode\r\n\r\nList all the known OPTIGA™ Trust M error code with description\r\n\r\n### \u003ca name=\"trustm_metadata\"\u003e\u003c/a\u003etrustm_metadata\r\n\r\nModify OPTIGA™ Trust M OID metadata.\r\n\r\n***Warning : Any manipuldation with the lifecycle state LcsO like -I, -O and -T option might lock the data/key slot permanently. Depending on the access condition cofiguration \"locking\" means you would be able to use it, but, for instance, not change.**.* \r\n\r\nThe Lcs is implemented in a way that the four primary states only progress in one direction from a lower value to a higher value(e.g. initialization(in)=\u003eoperational(op) state). Once Lcs0 is set to higher value, it is not reversible and can not be set to lower value any more.\r\n\r\n```console\r\n./bin/trustm_metadata \r\nHelp menu: trustm_metadata \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-r \u003cOID\u003e : Read metadata of OID 0xNNNN \r\n-w \u003cOID\u003e : Write metadata of OID\r\n-C \u003cdata\u003e : Set Change mode (a:ALW,\r\n n:NEV,\r\n i:Lsc0 \u003c 0x03,\r\n o:Lsc0 \u003c 0x07,\r\n t:Lsc0 \u003c 0x0F,\r\n f:\u003cinput file for complex setting\u003e)\r\n-R \u003cdata\u003e : Set Read mode (a:ALW,\r\n n:NEV,\r\n i:Lsc0 \u003c 0x03,\r\n o:Lsc0 \u003c 0x07,\r\n t:Lsc0 \u003c 0x0F,\r\n f:\u003cinput file for complex setting\u003e)\r\n-E \u003cdata\u003e : Set Change mode (a:ALW,\r\n n:NEV,\r\n i:Lsc0 \u003c 0x03,\r\n o:Lsc0 \u003c 0x07,\r\n t:Lsc0 \u003c 0x0F,\r\n f:\u003cinput file for complex setting\u003e)\r\n-F \u003cfile\u003e : Custom input\r\n : (Need to input the full Metadata to be written)\r\n-I : Set Initialization State (Lsc0: 0x03)\r\n-O : Set Operational State (Lsc0: 0x07)\r\n-T : Set Termination State (Lsc0: 0x0F)\r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\nExample : changing OID 0xE0E1 metadata to read only and reading the metadata after changing\r\n\r\n```console\r\n./bin/trustm_metadata -w 0xe0e1 -Cn -Ra\r\n========================================================\r\nDevice Public Key [0xE0E1] \r\n\t20 06 D0 01 FF D1 01 00 \r\n\tC:NEV, R:ALW, \r\nWrite Success.\r\n========================================================\r\n\r\n./bin/trustm_metadata -r 0xe0e1\r\n========================================================\r\nDevice Public Key [0xE0E1] [Size 0025] : \r\n\t20 17 c0 01 01 c4 02 06 c0 c5 02 01 dc d0 01 ff \r\n\td1 01 00 d3 01 00 e8 01 12 \r\n\tLcsO:0x01, Max:1728, Used:476, C:NEV, R:ALW, E:ALW, DType:DEVCERT, \r\n\r\n========================================================\r\n```\r\n\r\nExample : charging OID 0xE0E1 metadata using complex setting (LcsO\u003e3||LcsG\u003c4) for Change mode\r\n\r\n```console\r\necho -e -n \\\\x07\\\\xe1\\\\xfb\\\\x03\\\\xfe\\\\x70\\\\xfc\\\\x04 \u003e complexsetting.bin\r\n\r\nhd complexsetting.bin \r\n00000000 07 e1 fb 03 fe 70 fc 04 |.....p..|\r\n00000008\r\n\r\n./bin/trustm_metadata -w 0xe0e1 -Cf:complexsetting.bin \r\n========================================================\r\nDevice Public Key [0xE0E1] \r\n\t20 09 D0 07 E1 FB 03 FE 70 FC 04 \r\n\tC:LcsO\u003e3||LcsG\u003c4, \r\nWrite Success.\r\n========================================================\r\n\r\n./bin/trustm_metadata -r 0xe0e1\r\n========================================================\r\nDevice Public Key [0xE0E1] [Size 0031] : \r\n\t20 1d c0 01 01 c4 02 06 c0 c5 02 01 dc d0 07 e1 \r\n\tfb 03 fe 70 fc 04 d1 01 00 d3 01 00 e8 01 12 \r\n\tLcsO:0x01, Max:1728, Used:476, C:LcsO\u003e3||LcsG\u003c4, R:ALW, E:ALW, DType:DEVCERT, \r\n\r\n========================================================\r\n```\r\n\r\n### \u003ca name=\"trustm_monotonic_counter\"\u003e\u003c/a\u003etrustm_monotonic_counter\r\n\r\nSimple demo to show the OPTIGA™ Trust M monotonic counter.\r\n\r\n```console\r\n./bin/trustm_monotonic_counter \r\nHelp menu: trustm_monotonic_counter \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-r \u003cOID\u003e : Read from OID [0xE120-0xE123] \r\n-w \u003cOID\u003e : Write to OID [0xE120-0xE123] \r\n-u \u003cOID\u003e : Update Counter [0xE120-0xE123] \r\n-i \u003cvalue\u003e : Input Value \r\n-s \u003cvalue\u003e : Increment Steps \r\n-X : Bypass Shielded Communication \r\n-h : Print this help\r\n```\r\n\r\nExample : Setting the threshold value to 10 and resetting the counter to zero\r\n\r\n```console\r\n./bin/trustm_monotonic_counter -w 0xe120 -i 10\r\n========================================================\r\nInput Value : 10 [0x0000000A]\r\n\t00 00 00 00 00 00 00 0a \r\nWrite Success.\r\n========================================================\r\n```\r\n\r\nExample : Count up the monotonic counter in steps of 2\r\n\r\n```console\r\n./bin/trustm_monotonic_counter -u 0xe120 -s 2\r\n========================================================\r\nSteps Value : 2 [0x00000002]\r\nUpdate Counter Success.\r\n========================================================\r\n\r\n./bin/trustm_monotonic_counter -r 0xe120\r\n========================================================\r\nMonotonic Counter x : [0xE120]\r\nThreshold : 0x0000000A [10]\r\nCounter Value : 0x00000002 [2]\r\n========================================================\r\n```\r\n\r\n### \u003ca name=\"trustm_read_data\"\u003e\u003c/a\u003etrustm_read_data\r\n\r\nRead all data object listed below\r\n\r\n*oid : 0xE0E0-0xE0E3, 0xE0E8-0xE0E9, 0xE0EF,* \r\n\r\n​ *0xE120-0xE123,* \r\n\r\n​ *0xE140, 0xF1D0-0xF1DB, 0xF1E0-0xF1E1*\r\n\r\n### \u003ca name=\"trustm_readmetadata_data\"\u003e\u003c/a\u003etrustm_readmetadata_data\r\n\r\nRead all data object metadata listed below \r\n\r\n*oid : 0xE0E0-0xE0E3, 0xE0E8-0xE0E9, 0xE0EF,* \r\n\r\n​ *0xE120-0xE123,* *0xE200*,\r\n\r\n​ *0xE140, 0xF1D0-0xF1DB, 0xF1E0-0xF1E1*\r\n\r\n### \u003ca name=\"trustm_readmetadata_private\"\u003e\u003c/a\u003etrustm_readmetadata_private\r\n\r\nRead all data object metadata listed below \r\n\r\n*oid : 0xE0F0-0xE0F3,* \r\n\r\n​ *0xE0FC-0xE0FD*\r\n\r\n### \u003ca name=\"trustm_readmetadata_status\"\u003e\u003c/a\u003etrustm_readmetadata_status\r\n\r\nRead all data object metadata listed below \r\n\r\n*oid : 0xE0C0-0xE0C6,* \r\n\r\n​ *0xF1C0-0xF1C2*\r\n\r\n### \u003ca name=\"trustm_read_status\"\u003e\u003c/a\u003etrustm_read_status\r\n\r\nRead all data object listed below \r\n\r\n*oid : 0xE0C0-0xE0C6,* \r\n\r\n​ *0xF1C0-0xF1C2*\r\n\r\n### \u003ca name=\"trustm_rsa_dec\"\u003e\u003c/a\u003etrustm_rsa_dec\r\n\r\nSimple demo to show the process to decrypt using OPTIGA™ Trust M RSA key.\r\n\r\n*Note : This example assume RSA key with usage Encryption has already been generated and data is encrypted by the pubkey*\r\n\r\n```console\r\n./bin/trustm_rsa_dec\r\nHelp menu: trustm_rsa_dec \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-k \u003cOID Key\u003e : Select key to decrypt OID 0xNNNN \r\n-o \u003cfilename\u003e : Output to file \r\n-i \u003cfilename\u003e : Input Data file\r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\n Example : Decrypt using OID Key 0xE0FC, an encrypted file test_e0fc.enc and output to test_e0fc.dec\r\n\r\n```console\r\n./bin/trustm_rsa_dec -k 0xe0fc -o test_e0fc.dec -i test_e0fc.enc \r\n========================================================\r\nOID Key : 0xE0FC \r\nOutput File Name : test_e0fc.dec \r\nInput File Name : test_e0fc.enc \r\nInput data : \r\n\t35 38 AC E8 54 CA 02 92 A7 B4 72 0A 62 F9 7B DD \r\n\tCC C7 E1 9C A4 52 D6 AF CC 04 E4 B4 54 19 85 DD \r\n\t10 80 FA 8B 04 8E B0 5E 29 C5 F5 2F A7 99 BB EC \r\n\t2E 69 D4 AB 35 80 BF F5 87 6D 80 65 60 3E A6 31 \r\n\t6E 05 80 F2 CB 9E 32 DA F2 82 DB 15 D6 9C 1E DF \r\n\tFE 1C 5E 1F 7F E6 6D 2A EA B3 54 AD 41 AF C2 08 \r\n\tFE BF C7 B5 87 22 79 A2 AA F3 0D 71 BA DB 5D F7 \r\n\tCE 50 EA 89 D4 42 BD 0B 11 6A C8 11 2F 09 99 28 \r\n\t\r\nSuccess\r\n========================================================\r\n\r\ncat test_e0fc.dec \r\nhelloworld!!!\r\n```\r\n\r\n### \u003ca name=\"trustm_rsa_enc\"\u003e\u003c/a\u003etrustm_rsa_enc\r\n\r\nSimple demo to show the process to encrypt using OPTIGA™ Trust M RSA key.\r\n\r\n```console\r\n./bin/trustm_rsa_enc \r\nHelp menu: trustm_rsa_enc \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-k \u003cOID Key\u003e : Select key for encrypt OID 0xNNNN \r\n-p \u003cpubkey\u003e : Use Pubkey file\r\n-o \u003cfilename\u003e : Output to file \r\n-i \u003cfilename\u003e : Input Data file\r\n-X : Bypass Shielded Communication \r\n-h : Print this help\r\n```\r\n\r\nExample : Encrypt using external pubkey\r\n\r\n```console\r\n./bin/trustm_rsa_enc -p test_e0fc_pub.pem -o test_e0fc.enc -i helloworld.txt \r\n========================================================\r\nPubkey file : test_e0fc_pub.pem \r\nOutput File Name : test_e0fc.enc \r\nInput File Name : helloworld.txt \r\nInput data : \r\n\t68 65 6C 6C 6F 77 6F 72 6C 64 21 21 21 0A \r\nSuccess\r\n========================================================\r\n```\r\n\r\nExample : Encrypt using Certificate store in OID 0xE0E2\r\n\r\n*Note : This example assume you have a valid x.509 certificate with key usage for Key Encipherment store in OID 0xE0E2.* \r\n\r\n```console\r\n./bin/trustm_rsa_enc -k 0xe0e2 -o test_e0fc1.enc -i helloworld.txt \r\n========================================================\r\nOID Key : 0xE0E2 \r\nOutput File Name : test_e0fc1.enc \r\nInput File Name : helloworld.txt \r\nInput data : \r\n\t68 65 6C 6C 6F 77 6F 72 6C 64 21 21 21 0A \r\nSuccess\r\n========================================================\r\n```\r\n\r\n### \u003ca name=\"trustm_rsa_keygen\"\u003e\u003c/a\u003etrustm_rsa_keygen\r\n\r\nGenerate OPTIGA™ Trust M RSA key pair. Key type can be or together to form multiple type.\r\n\r\n```console\r\n./bin/trustm_rsa_keygen \r\nHelp menu: trustm_rsa_keygen \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-g \u003cKey OID\u003e : Generate RSA Key in OID [0xE0FC-0xE0FD] \r\n-t \u003ckey type\u003e : Key type Auth:0x01 Enc :0x02 HFWU:0x04\r\n DevM:0X08 Sign:0x10 Agmt:0x20\r\n [default Auth]\r\n-k \u003ckey size\u003e : Key size RSA1024:0x41 RSA2048:0x42 [default RSA1024]\r\n-o \u003cfilename\u003e : Output Pubkey to file in PEM format\r\n-s : Save Pubkey with header in \u003cKey OID + 0x10E4\u003e\r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\nExample : generate an RSA1024 key with type Auth/Enc/Sign in OID 0xe0fc and save pubkey in OID 0xF1E0.\r\n\r\n```console\r\n./bin/trustm_rsa_keygen -g 0xe0fc -t 0x13 -k 0x41 -o test_e0fc_pub.pem -s\r\n========================================================\r\nGenerating Key to 0xE0FC\r\nOutput File Name : test_e0fc_pub.pem \r\nPubkey :\r\n\t30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 \r\n\t05 00 03 81 8d 00 30 81 89 02 81 81 00 9c 2d 6b \r\n\t19 9c 8e d9 6c 59 0b bc 53 4a 1f 51 0c 87 14 71 \r\n\t09 21 55 d6 0c 1c 36 71 42 d9 dd db a2 f5 d8 de \r\n\tdf 80 d2 0f aa ae 31 6e 08 04 60 2d 32 ac 3c b7 \r\n\te1 d0 d9 47 16 77 d7 ed d9 d3 e8 41 ed 6a e7 88 \r\n\t10 a6 2e 51 d2 cb d2 7d 9a 3b c8 09 c9 05 27 0d \r\n\t85 39 c2 b6 4f 76 08 59 6e e7 51 07 9e 76 60 96 \r\n\t8d 63 ce 19 fc d0 a2 7c 28 c2 35 30 72 96 7d 3f \r\n\t3c 48 95 bc 0a a5 5a 37 c6 64 e3 8e 31 02 03 01 \r\n\t00 01 \r\nWrite Success to OID: 0xF1E0.\r\n========================================================\r\n\r\ncat test_e0fc_pub.pem \r\n-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcLWsZnI7ZbFkLvFNKH1EMhxRx\r\nCSFV1gwcNnFC2d3bovXY3t+A0g+qrjFuCARgLTKsPLfh0NlHFnfX7dnT6EHtaueI\r\nEKYuUdLL0n2aO8gJyQUnDYU5wrZPdghZbudRB552YJaNY84Z/NCifCjCNTByln0/\r\nPEiVvAqlWjfGZOOOMQIDAQAB\r\n-----END PUBLIC KEY-----\r\n\r\n./bin/trustm_data -r 0xf1e0\r\n========================================================\r\nApp DataStrucObj type 2 [0xF1E0] [Size 1500] : \r\n\t03 81 8d 00 30 81 89 02 81 81 00 9c 2d 6b 19 9c \r\n\t8e d9 6c 59 0b bc 53 4a 1f 51 0c 87 14 71 09 21 \r\n\t55 d6 0c 1c 36 71 42 d9 dd db a2 f5 d8 de df 80 \r\n\td2 0f aa ae 31 6e 08 04 60 2d 32 ac 3c b7 e1 d0 \r\n\td9 47 16 77 d7 ed d9 d3 e8 41 ed 6a e7 88 10 a6 \r\n\t2e 51 d2 cb d2 7d 9a 3b c8 09 c9 05 27 0d 85 39 \r\n\tc2 b6 4f 76 08 59 6e e7 51 07 9e 76 60 96 8d 63 \r\n\tce 19 fc d0 a2 7c 28 c2 35 30 72 96 7d 3f 3c 48 \r\n\t95 bc 0a a5 5a 37 c6 64 e3 8e 31 02 03 01 00 01 \r\n\t47 1b 75 53 fd 53 88 72 5e 0b 83 04 29 4e 44 03 \r\n\t51 7a 50 ea f6 a7 a9 82 04 6e cb 1a fa 57 7e 17 \r\n\tb6 39 d8 76 e7 fe 76 84 59 bc e6 91 a3 f7 fc 75 \r\n\te2 e3 f7 ec 2a d6 3e 36 c6 f0 7f fb a8 50 d5 a7 \r\n\tfc 7e c2 28 2e bf ea e2 8d c9 c9 6e 76 69 a3 a2 \r\n\tec 2f 01 40 8f 65 ba 16 19 81 00 8f 74 17 31 da \r\n\t0e 2f f4 19 a9 f3 00 15 8a 28 5e af 99 4e ab 96 \r\n\t7f c8 7f fd f6 ea 17 30 7f 71 8e 1f 27 a1 02 03 \r\n\t01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 \r\n\t...\r\n\t(trucated for better view)\r\n========================================================\r\n\r\n```\r\n\r\n### \u003ca name=\"trustm_rsa_sign\"\u003e\u003c/a\u003etrustm_rsa_sign\r\n\r\nSimple demo to show the process to sign using OPTIGA™ Trust M RSA key.\r\n\r\n```console\r\n./bin/trustm_rsa_sign \r\nHelp menu: trustm_rsa_sign \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-k \u003cOID Key\u003e : Select RSA key for signing OID (0xE0FC-0xE0FD) \r\n-o \u003cfilename\u003e : Output to file \r\n-i \u003cfilename\u003e : Input Data file\r\n-H : Hash before sign\r\n-X : Bypass Shielded Communication \r\n-h : Print this help\r\n```\r\n\r\nExample : Hash and sign the file helloworld.txt with key OID 0xE0FC and output to testsignature.bin\r\n\r\n```console\r\n./bin/trustm_rsa_sign -k 0xe0fc -o testsignature.bin -i helloworld.txt -H\r\n========================================================\r\nOID Key : 0xE0FC\r\nOutput File Name : testsignature.bin \r\nInput File Name : helloworld.txt \r\nHash Success : SHA256\r\n\tE0 EE B7 C6 63 CC 5F 6F 45 26 13 E2 D7 AE FF 45 \r\n\t2A 26 95 A0 2F B4 AF 30 33 CC 5B C0 62 01 DE 70 \r\n\t\r\nfilesize: 14\r\nSuccess\r\n========================================================\r\n\r\nhd testsignature.bin\r\n00000000 0f 20 5a d3 0f 8c ec 41 24 74 d9 e3 20 bf ba 75 |. Z....A$t.. ..u|\r\n00000010 56 df a4 5b be 25 0e 0e e5 32 1a f5 bf 24 45 e0 |V..[.%...2...$E.|\r\n00000020 1d 4c f5 b7 99 0c 17 c2 49 88 52 e1 b8 b4 9e 7d |.L......I.R....}|\r\n00000030 da 48 6d 98 53 45 e0 12 e8 48 59 dc 80 35 cd 2f |.Hm.SE...HY..5./|\r\n00000040 e0 01 c1 e2 1e 1d 00 05 9a 32 3b 56 d7 90 72 a9 |.........2;V..r.|\r\n00000050 30 06 72 c9 f4 19 62 eb 20 76 9f c8 12 cb 23 ff |0.r...b. v....#.|\r\n00000060 bf b1 56 80 89 ea fe 7b 52 5d f0 26 98 10 3e 82 |..V....{R].\u0026..\u003e.|\r\n00000070 bf 8d a7 9b 5e 2b e9 ec 89 6f 46 f2 ee fa 03 83 |....^+...oF.....|\r\n00000080\r\n```\r\n\r\n### \u003ca name=\"trustm_rsa_verify\"\u003e\u003c/a\u003etrustm_rsa_verify\r\n\r\nSimple demo to show the process to verify using OPTIGA™ Trust M library.\r\n\r\n```console\r\n./bin/trustm_rsa_verify \r\nHelp menu: trustm_rsa_verify \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-k \u003cOID Key\u003e : Use Certificate from Data OID \r\n-p \u003cpubkey\u003e : Use Pubkey file\r\n-i \u003cfilename\u003e : Input Data file\r\n-s \u003csignature\u003e : Signature file\r\n-H : Hash input before verify\r\n-X : Bypass Shielded Communication \r\n-h : Print this help\r\n```\r\n\r\nExample : verifying a signature using external public key.\r\n\r\n```console\r\n./bin/trustm_rsa_verify -i helloworld.txt -s testsignature.bin -p test_e0fc_pub.pem -H\r\n========================================================\r\nPubkey file : test_e0fc_pub.pem\r\nInput File Name : helloworld.txt \r\nSignature File Name : testsignature.bin \r\nHash Digest : \r\n\tE0 EE B7 C6 63 CC 5F 6F 45 26 13 E2 D7 AE FF 45 \r\n\t2A 26 95 A0 2F B4 AF 30 33 CC 5B C0 62 01 DE 70 \r\n\t\r\nSignature : \r\n\t0F 20 5A D3 0F 8C EC 41 24 74 D9 E3 20 BF BA 75 \r\n\t56 DF A4 5B BE 25 0E 0E E5 32 1A F5 BF 24 45 E0 \r\n\t1D 4C F5 B7 99 0C 17 C2 49 88 52 E1 B8 B4 9E 7D \r\n\tDA 48 6D 98 53 45 E0 12 E8 48 59 DC 80 35 CD 2F \r\n\tE0 01 C1 E2 1E 1D 00 05 9A 32 3B 56 D7 90 72 A9 \r\n\t30 06 72 C9 F4 19 62 EB 20 76 9F C8 12 CB 23 FF \r\n\tBF B1 56 80 89 EA FE 7B 52 5D F0 26 98 10 3E 82 \r\n\tBF 8D A7 9B 5E 2B E9 EC 89 6F 46 F2 EE FA 03 83 \r\n\t\r\nPub key : [1024]\r\n\t03 81 8D 00 30 81 89 02 81 81 00 9C 2D 6B 19 9C \r\n\t8E D9 6C 59 0B BC 53 4A 1F 51 0C 87 14 71 09 21 \r\n\t55 D6 0C 1C 36 71 42 D9 DD DB A2 F5 D8 DE DF 80 \r\n\tD2 0F AA AE 31 6E 08 04 60 2D 32 AC 3C B7 E1 D0 \r\n\tD9 47 16 77 D7 ED D9 D3 E8 41 ED 6A E7 88 10 A6 \r\n\t2E 51 D2 CB D2 7D 9A 3B C8 09 C9 05 27 0D 85 39 \r\n\tC2 B6 4F 76 08 59 6E E7 51 07 9E 76 60 96 8D 63 \r\n\tCE 19 FC D0 A2 7C 28 C2 35 30 72 96 7D 3F 3C 48 \r\n\t95 BC 0A A5 5A 37 C6 64 E3 8E 31 02 03 01 00 01 \r\n\t\r\nVerify Success.\r\n========================================================\r\n```\r\n\r\nExample : verifying using certificate store in OID 0xE0E2.\r\n\r\n*Note : This example assume you have a valid x.509 certificate with key usage for signature store in OID 0xE0E2 and data is signed by the private key of the x.509 certificate.* \r\n\r\n```console\r\n./bin/trustm_rsa_verify -i helloworld.txt -s testsignature.bin -k 0xe0e2 -H\r\n========================================================\r\nOID Cert : 0xE0E2\r\nInput File Name : helloworld.txt \r\nSignature File Name : testsignature.bin \r\nHash Digest : \r\n\tE0 EE B7 C6 63 CC 5F 6F 45 26 13 E2 D7 AE FF 45 \r\n\t2A 26 95 A0 2F B4 AF 30 33 CC 5B C0 62 01 DE 70 \r\n\t\r\nSignature : \r\n\t0F 20 5A D3 0F 8C EC 41 24 74 D9 E3 20 BF BA 75 \r\n\t56 DF A4 5B BE 25 0E 0E E5 32 1A F5 BF 24 45 E0 \r\n\t1D 4C F5 B7 99 0C 17 C2 49 88 52 E1 B8 B4 9E 7D \r\n\tDA 48 6D 98 53 45 E0 12 E8 48 59 DC 80 35 CD 2F \r\n\tE0 01 C1 E2 1E 1D 00 05 9A 32 3B 56 D7 90 72 A9 \r\n\t30 06 72 C9 F4 19 62 EB 20 76 9F C8 12 CB 23 FF \r\n\tBF B1 56 80 89 EA FE 7B 52 5D F0 26 98 10 3E 82 \r\n\tBF 8D A7 9B 5E 2B E9 EC 89 6F 46 F2 EE FA 03 83 \r\n\t\r\nVerify Success.\r\n\r\n========================================================\r\n```\r\n\r\n### \u003ca name=\"trustm_symmetric_keygen\"\u003e\u003c/a\u003etrustm_symmetric_keygen\r\n\r\nSimple demo to show the process to generate symmetric key using OPTIGA™ Trust M library.\r\n\r\nNote: The Access Condition CHA for OID 0xe200 must be set to \"ALW\"(Only executable when LcsO\u003cop). Fore details, please refer to the test script AES_CBC.sh inside \"**linux-optiga-trust-m/scripts/misc/**\"\r\n\r\n```console\r\n./bin/trustm_symmetric_keygen \r\nHelp menu: trustm_symmetric_keygen \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-t \u003ckey type\u003e : Key type Auth:0x01 Enc :0x02 HFWU:0x04\r\n DevM:0X08 Sign:0x10 Agmt:0x20\r\n [default Enc]\r\n-k \u003ckey size\u003e : Key size AES128:0x81 AES192:0x82 AES256:0x83\r\n [default AES128]\r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\nExample : generate an AES256 key with type Enc in OID 0xe200.\r\n\r\n```console\r\n./bin/trustm_symmetric_keygen -t 0x02 -k 0x83 \r\n========================================================\r\nSuccessfully Generated Symmetric Key in 0xE200 \r\n========================================================\r\n```\r\n\r\n### \u003ca name=\"trustm_symmetric_enc\"\u003e\u003c/a\u003etrustm_symmetric_enc\r\n\r\nSimple demo to show the process to encrypt using OPTIGA™ Trust M library.\r\n\r\n```console\r\n./bin/trustm_symmetric_enc \r\nHelp menu: trustm_symmetric_enc \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-m \u003cmode\u003e : Mode CBC:0x09 CBC_MAC:0X0A CMAC:0X0B \r\n [default CBC]\r\n-o \u003cfilename\u003e : Output to file \r\n-i \u003cfilename\u003e : Input Data file\r\n-v \u003cfilename\u003e : Input IV Value\r\n Only needed for CBC mode\r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n\r\n```\r\n\r\nExample : Encrypt mydata.txt using AES256 CBC mode.\r\n\r\nNote: Initialized value is only applicable for AES CBC mode.\r\n\r\n```console\r\n./bin/trustm_symmetric_enc -m 0x09 -v iv_aes256.bin -i mydata.txt -o aes256.enc \r\n========================================================\r\nmode : 0x0009 \r\nOutput File Name : aes256.enc \r\nInput File Name : mydata.txt \r\nInput data : \r\n\t6D 79 64 61 74 61 31 32 33 34 35 36 37 38 39 0A \r\n\t\r\nIV File Name : iv_aes256.bin \r\nInitialized value : \r\n\t69 6E 69 74 69 61 6C 69 7A 65 64 76 32 35 36 0A \r\n\t\r\nSuccess\r\n========================================================\r\n```\r\n\r\n### \u003ca name=\"trustm_symmetric_dec\"\u003e\u003c/a\u003etrustm_symmetric_dec\r\n\r\nSimple demo to show the process to decrypt using OPTIGA™ Trust M library.\r\n\r\n```console\r\n./bin/trustm_symmetric_dec -h\r\nHelp menu: trustm_symmetric_dec \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-m \u003cmode\u003e : Mode CBC:0x09 \r\n [only support CBC mode]\r\n-o \u003cfilename\u003e : Output to file \r\n-i \u003cfilename\u003e : Input Data file\r\n-v \u003cfilename\u003e : Input IV Value\r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\nExample : decrypt aes256.enc using AES256 CBC mode.\r\n\r\nNote: Initialized value is only applicable for AES CBC mode.\r\n\r\n```console\r\n./bin/trustm_symmetric_dec -m 0x09 -v iv_aes256.bin -i aes256.enc -o mydata.txt.dec\r\n========================================================\r\nmode : 0x0009 \r\nOutput File Name : mydata.txt.dec \r\nInput File Name : aes256.enc \r\nInput data : \r\n\tE5 4E C6 9E 33 51 0F 3D 81 8C 0D 58 34 04 49 D6 \r\n\t\r\nIV File Name : iv_aes256.bin \r\nInitialized value : \r\n\t69 6E 69 74 69 61 6C 69 7A 65 64 76 32 35 36 0A \r\n\t\r\nSuccess\r\n========================================================\r\n```\r\n\r\n### \u003ca name=\"trustm_hkdf\"\u003e\u003c/a\u003etrustm_hkdf\r\n\r\nSimple demo to show the process to derive key using OPTIGA™ Trust M library.\r\n\r\nNote: For detailed use case, please refer to the test script hkdf.sh inside \"**linux-optiga-trust-m/scripts/misc/**\"\r\n\r\n```console\r\n./bin/trustm_hkdf\r\nHelp menu: trustm_hkdf \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-i \u003cOID\u003e : Input secret OID 0xNNNN \r\n [default 0xF1D0]\r\n-H \u003cSHA\u003e : SHA256:0x08 SHA384 :0x09 SHA512:0x0A\r\n [default SHA256]\r\n-f \u003cfilename\u003e : Import Info \r\n-s \u003cfilename\u003e : Import Salt \r\n-o \u003cfilename\u003e : Export Derived Key \r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\nExample : derive key using HKDF SHA256 with shared secret in 0xF1D0.\r\n\r\nPrecondition: Write shared secret into the data object and change the metadata of this data object to PRESSEC.\r\n\r\n```console\r\n./bin/trustm_hkdf -i 0xF1D0 -H 0X08 -f info.bin -s salt.bin -o hkdf_f1d0_256.txt\r\n========================================================\r\nRun HKDF SHA256 command to derive the key\r\n\r\nInput Secret OID: 0xF1D0\r\nHKDF Type 0x0008\r\nOutput Derived key. \r\n========================================================\r\nHKDF Type : 0x0008 \r\nInfo File Name : info.bin \r\nSalt File Name : salt.bin \r\nOutput File Name : hkdf_f1d0_256.txt \r\nsalt data : \r\n\t73 61 6C 74 31 32 33 34 35 36 37 38 39 61 62 31 \r\n\t32 33 34 35 36 37 38 39 0A \r\nInfo data : \r\n\t69 6E 66 6F 76 61 6C 75 65 31 32 33 0A \r\nSuccess\r\nDecryption Key :\r\n\tD6 8B 57 18 C3 E8 F7 82 5F 1C A5 19 A7 59 26 8B \r\n\t\r\n========================================================\r\n```\r\n\r\n### \u003ca name=\"trustm_rng\"\u003e\u003c/a\u003etrustm_rng\r\n\r\nRandom number generator using OPTIGA™ Trust M.\r\n\r\n```console\r\n./bin/trustm_rng -h\r\n\r\nHelp menu: trustm_rng \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-t \u003crng type\u003e : TRNG:0x00 DRNG:0x01\r\n [default TRNG]\r\n-l \u003crng length\u003e : rng length \r\n [default 64]\r\n-o \u003cfilename\u003e : Output RNG to file\r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\nExample : To Generate 64 bytes RNG using TRNG type.\r\n\r\n```console\r\n./bin/trustm_rng -t 0x00 -l 64 -o rng.txt \r\n\r\n========================================================\r\nOutput File Name : rng.txt \r\nGenerating RNG Number ........\r\nOPTIGA execution time: 0.1205 sec.\r\nRNG Number :\r\n\t27 7D B5 AD 55 53 CF 5C F5 D2 95 44 80 0D 36 39 \r\n\t7A 3E 2F F4 49 2F 0A 32 92 C3 2B 2C 92 7F F4 72 \r\n\tAF 50 7D D3 6E E9 B5 B2 F1 40 6B FF 4F DA 17 9D \r\n\tC7 B9 C6 F6 0A FD 99 61 D9 57 5F F1 CD 23 3D 46 \r\n\t\r\nSuccess\r\n========================================================\r\n```\r\n\r\n### \u003ca name=\"trustm_hash\"\u003e\u003c/a\u003etrustm_hash\r\n\r\nHash input file using OPTIGA™ Trust M SHA256 function .\r\n\r\n```console\r\n./bin/trustm_hash -h\r\n\r\nHelp menu: trustm_hash \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-o \u003cfilename\u003e : Output to file \r\n-i \u003cfilename\u003e : Input Data file\r\n-H : Hash with SHA256\r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n\r\n```\r\n\r\nExample : To hash input file datain.txt using OPTIGA™ Trust M SHA256 function.\r\n\r\n```console\r\n./bin/trustm_hash -i datain.txt -o hash_sha256.bin -H -X\r\n\r\nBypass Shielded Communication. \r\n========================================================\r\nOutput File Name : hash_sha256.bin \r\nInput File Name : datain.txt \r\nOPTIGA execution time: 0.4596 sec.\r\nfilesize: 2500\r\nHash Success\r\n========================================================\r\n```\r\n\r\n### \u003ca name=\"trustm_hmac\"\u003e\u003c/a\u003etrustm_hmac\r\n\r\nSimple demo to show the process to generate the MAC for the given input data using the secret installed in OPTIGA™ Trust M.\r\n\r\nNote: For detailed use case, please refer to the test script hmac.sh inside \"**linux-optiga-trust-m/scripts/misc/**\"\r\n\r\n```console\r\n./bin/trustm_hmac\r\nHelp menu: trustm_hmac \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-I \u003cOID\u003e : Input secret OID 0xNNNN \r\n [default 0xF1D0]\r\n-H \u003cSHA\u003e : hmac_SHA256:0x20 hmac_SHA384 :0x21 hmac_SHA512:0x22\r\n [default hmac_SHA256]\r\n-o \u003cfilename\u003e : Output MAC Data \r\n-i \u003cfilename\u003e : Input Data file\r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\nExample : generate MAC value using HMAC SHA256 with shared secret in 0xF1D0.\r\n\r\nPrecondition: Write shared secret into the data object and change the metadata of this data object to PRESSEC.\r\n\r\n```console\r\n./bin/trustm_hmac -I 0xF1D0 -H 0X20 -i hmac.txt -o hmac_data.txt\r\n========================================================\r\nInput Secret OID: 0xF1D0\r\nSHA Type 0x0020\r\noutput the MAC data. \r\n========================================================\r\nHMAC Type : 0x0020 \r\nOutput File Name : hmac_data.txt \r\nInput File Name : hmac.txt \r\nInput data : \r\n\t68 6D 61 63 74 65 73 74 31 32 33 34 35 36 37 38 \r\n\t0A \r\nMAC data :\r\n\t1A 36 BA 85 4F B1 CC A5 4C 83 98 CD 5B CB EB 67 \r\n\t7D D5 07 B6 BD 9A E0 73 15 0D F6 63 6B 57 E1 6F \r\n\t\r\n========================================================\r\n\r\n```\r\n\r\n### \u003ca name=\"trustm_hmac_verify_Auth\"\u003e\u003c/a\u003etrustm_hmac_verify_Auth\r\n\r\nSimple demo to show the process to do hmac verification with authorization reference(the secret installed in OPTIGA™ Trust M).\r\n\r\n```console\r\n./bin/trustm_hmac_verify_Auth -h\r\nHelp menu: trustm_hmac_verify_Auth \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-I \u003cOID\u003e : Input secret OID 0xNNNN \r\n [default 0xF1D0]\r\n-s \u003cfilename\u003e : Input user secret \r\n-r \u003cOID\u003e : Read from target OID\r\n-w \u003cOID\u003e : Write into target OID 0xNNNN \r\n-o \u003cfilename\u003e : Output Data stored inside target OID\r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\nPrecondition: Write shared secret into the data object and change the metadata of this data object to AUTHREF.\r\n\r\nNote: For detailed use case, please refer to the sample test scripts inside \"**linux-optiga-trust-m/scripts/hmac_secure_storage/**\"\r\n\r\nRun hmac_authenticated_storage_provisioning_step1.sh to do the provision for secret OID and Target OID.\r\n\r\nRun hmac_authenticated_read_write_step2.sh to write in or readout the data in target OID after hmac verify successfully.\r\n\r\n### \u003ca name=\"trustm_protected_update\"\u003e\u003c/a\u003etrustm_protected_update\r\n\r\nSimple demo to show the process to do protected update for metadata of target OID by using the trust Anchor installed in OPTIGA™ Trust M and/or the secret installed in OPTIGA™ Trust M .\r\n\r\n```console\r\n./bin/trustm_protected_update -h\r\nHelp menu: trustm_protected_update \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-k \u003cOID\u003e : Target OID \r\n-f \u003cfilename\u003e : Fragment file\r\n-m \u003cfilename\u003e : Manifest file\r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\nFor detailed example for Integrity and Confidentiality Protected Update, Go to the subsection at [Integrity and Confidentiality Protected Update example](./scripts/protected_update_metadata/)\r\n\r\n*Note :* \r\n*To generate the manifest and fragment for Integrity and Confidentiality Protected Update, please refer to the [README.md](./ex_protected_update_data_set) for more instruction*\r\n\r\n### \u003ca name=\"trustm_protected_update_aeskey\"\u003e\u003c/a\u003etrustm_protected_update_aeskey\r\n\r\nSimple demo to show the process to do protected update for AES key of target OID(0xE200) by using the trust Anchor installed in OPTIGA™ Trust M and/or the secret installed in OPTIGA™ Trust M .\r\n\r\n```console\r\n./bin/trustm_protected_update_aeskey -h\r\nHelp menu: trustm_protected_update_aeskey \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-k \u003cOID\u003e : Target key OID: 0xE200 \r\n-f \u003cfilename\u003e : Fragment file\r\n-m \u003cfilename\u003e : Manifest file\r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\nFor detailed example for Integrity and Confidentiality Protected Update for AES Key, Go to the subsection at [Integrity and Confidentiality Protected Update example for AES Key](./scripts/protected_update_aeskey/)\r\n\r\n*Note :* \r\n*To generate the manifest and fragment for Integrity and Confidentiality Protected Update, please refer to the [README.md](./ex_protected_update_data_set) for more instruction*\r\n\r\n### \u003ca name=\"trustm_protected_update_ecckey\"\u003e\u003c/a\u003etrustm_protected_update_ecckey\r\n\r\nSimple demo to show the process to do protected update for ECC key of target OID(0xE0F1-E0F3) by using the trust Anchor installed in OPTIGA™ Trust M and/or the secret installed in OPTIGA™ Trust M .\r\n\r\n```console\r\n./bin/trustm_protected_update_ecckey -h\r\nHelp menu: trustm_protected_update_ecckey \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-k \u003cOID\u003e : Target ECC Key OID[0xE0F1-0xE0F3] \r\n-f \u003cfilename\u003e : Fragment file\r\n-m \u003cfilename\u003e : Manifest file\r\n-X : Bypass Shielded Communication \r\n-h : Print this help\r\n```\r\n\r\nFor detailed example for Integrity and Confidentiality Protected Update for ECC Key, Go to the subsection at [Integrity and Confidentiality Protected Update example for ECC Key](./scripts/protected_update_ecckey/)\r\n\r\n*Note :* \r\n*To generate the manifest and fragment for Integrity and Confidentiality Protected Update, please refer to the [README.md](./ex_protected_update_data_set) for more instruction*\r\n\r\n### \u003ca name=\"trustm_protected_update_rsakey\"\u003e\u003c/a\u003etrustm_protected_update_rsakey\r\n\r\nSimple demo to show the process to do protected update for RSA key of target OID(0xE0FC-E0FD) by using the trust Anchor installed in OPTIGA™ Trust M and/or the secret installed in OPTIGA™ Trust M .\r\n\r\n```console\r\n./bin/trustm_protected_update_rsakey -h\r\nHelp menu: trustm_protected_update_rsakey \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-k \u003cOID\u003e : Target RSA Key OID[0xE0FC-0xE0FD] \r\n-f \u003cfilename\u003e : Fragment file\r\n-m \u003cfilename\u003e : Manifest file\r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\nFor detailed example for Integrity and Confidentiality Protected Update for RSA Key, Go to the subsection at [Integrity and Confidentiality Protected Update example for RSA Key](./scripts/protected_update_rsakey/)\r\n\r\n*Note :* \r\n*To generate the manifest and fragment for Integrity and Confidentiality Protected Update, please refer to the [README.md](./ex_protected_update_data_set) for more instruction*\r\n\r\n### \u003ca name=\"trustm_protected_update_data\"\u003e\u003c/a\u003etrustm_protected_update_data\r\n\r\nSimple demo to show the process to do protected update for data of target OID(0xE0E1-E0E3,0xF1D0-F1DB) by using the trust Anchor installed in OPTIGA™ Trust M and/or the secret installed in OPTIGA™ Trust M .\r\n\r\n```console\r\n./bin/trustm_protected_update_data -h\r\nHelp menu: trustm_protected_update_data \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-k \u003cOID\u003e : Target OID \r\n-c \u003cfilename\u003e : Continue 1 Fragment file\r\n-d \u003cfilename\u003e : Continue 2 Fragment file\r\n-f \u003cfilename\u003e : Final Fragment file\r\n-m \u003cfilename\u003e : Manifest file\r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n\r\n```\r\n\r\nFor detailed example for Integrity and Confidentiality Protected Update for data, Go to the subsection at [Integrity and Confidentiality Protected Update example for data](./scripts/protected_update_data/)\r\n\r\n*Note :* \r\n*To generate the manifest and fragment for Integrity and Confidentiality Protected Update, please refer to the [README.md](./ex_protected_update_data_set) for more instruction*\r\n\r\n### \u003ca name=\"trustm_update_with_PBS_Auto\"\u003e\u003c/a\u003etrustm_update_with_PBS_Auto\r\n\r\nRead/Write/Erase OID data object in raw format. Establish a shielded connection and/or unlock the Authorization Reference state.\r\nThis is relevant for OPTIGA Trust M Express and OPTIGA Trust M Matter-ready Configurations, where some slots are write-protected with PBS and AutoRef Secrets. \r\n\r\n```console\r\n./bin/trustm_update_with_PBS_Auto \r\nHelp menu: trustm_update_with_PBS_Auto \u003coption\u003e ...\u003coption\u003e\r\noption:- \r\n-r \u003cOID\u003e : Read from OID 0xNNNN \r\n-w \u003cOID\u003e : Write to OID\r\n-i \u003cfilename\u003e : Input file \r\n-I \u003cvalue\u003e : Input byte value \r\n-o \u003cfilename\u003e : Output file \r\n-p \u003cfilename\u003e : Offset position \r\n-P \u003cvalue\u003e : Input byte value with PBS\r\n-a \u003cfilename\u003e : Input file with Authorization Reference\r\n-A \u003cvalue\u003e : Input byte value with Authorization Reference\r\n-e : Erase and write \r\n-X : Bypass Shielded Communication \r\n-h : Print this help \r\n```\r\n\r\nExample : Writing a new Security Monitor Configuration into protected OID 0xE0C9 and reading after writing. PBS and Authorization Reference are supplied on the CLI but must match the Trust M's dataslots in 0xE140 and 0xF1D0. For readability, PBS and AUTOREF are declared as variables.\r\n\r\n```console\r\nPBS=4AC4E0C890EF3ADE16A95025ADA2F6564DD74BC2374EEF2FE70393F300AA2C37ADAAD66F2615BE82E731B0D3948C84CCEA1E51BF4EF7CFFAB21695E82454EB19\r\n AUTOREF=D3DEBC1125CBE59E3D5D177B171DA8AF1121976EA5E7155819443FBC20910735E174EF6988E85EB08FB50A267448D3B742B18292AB501FD390BB3B68DC936FDE\r\n\r\n./bin/trustm_update_with_PBS_Auto -w 0xe0c9 -P $PBS -A $AUTOREF -I 3200050100000000\r\n\r\n========================================================\r\nSecurity Monitor configurations [0xE0C9] \r\nInput data : \r\n 4A C4 E0 C8 90 EF 3A DE 16 A9 50 25 AD A2 F6 56 \r\n 4D D7 4B C2 37 4E EF 2F E7 03 93 F3 00 AA 2C 37 \r\n AD AA D6 6F 26 15 BE 82 E7 31 B0 D3 94 8C 84 CC \r\n EA 1E 51 BF 4E F7 CF FA B2 16 95 E8 24 54 EB 19 \r\n\r\nInput Authorization Reference: \r\n D3 DE BC 11 25 CB E5 9E 3D 5D 17 7B 17 1D A8 AF \r\n 11 21 97 6E A5 E7 15 58 19 44 3F BC 20 91 07 35 \r\n E1 74 EF 69 88 E8 5E B0 8F B5 0A 26 74 48 D3 B7 \r\n 42 B1 82 92 AB 50 1F D3 90 BB 3B 68 DC 93 6F DE \r\n\r\nHMAC verified successfully \r\nOffset: 0\r\nInput data : \r\n 32 00 05 01 00 00 00 00 \r\nOPTIGA execution time: 0.0940 sec.\r\nWrite Success.\r\n========================================================\r\n```\r\n\r\n### \u003ca name=\"trustm_probe\"\u003e\u003c/a\u003etrustm_probe\r\n\r\nA simple script to probe for a connected Trust M chip on the I2C bus. \r\n\r\nIf it finds a connection, the Chip-UID is returned. If no chip is found, returns an error.\r\n\r\n```console\r\n./bin/trustm_probe\r\n0A091B5C001500930025\r\n```\r\n\r\n\r\n## \u003ca name=\"provider_usage\"\u003e\u003c/a\u003eOPTIGA™ Trust V3 OpenSSL Provider usage\r\n\r\nOPTIGA™ Trust M Provider is tested base on OpenSSL version 3.0.14.\r\n\r\n### \u003ca name=\"rand\"\u003e\u003c/a\u003erand\r\n\r\nUsage : Random number generation\r\nExample\r\n\r\n```console \r\nopenssl rand -provider trustm_provider -base64 32\r\n```\r\n*Note :* \r\n*If OPTIGA™ Trust M random number generation fails, there will still be random number output.* \r\n*This is control by OpenSSL provider do not have control over it.*\r\n\r\n### \u003ca name=\"req\"\u003e\u003c/a\u003ereq\r\nUsage : Certificate request / self signed cert / key generation\r\n\r\nOPTIGA™ Trust M provider uses the -key parameter to pass input to the key generation/usage function.\r\n\r\nFollowing is the input format:\r\n\r\n-key **OID** : **public key input** : **NEW** :**key size** : **key usage**\r\n\r\nwhere :\r\n\r\n- **OID** for OPTIGA™ Trust M key\r\n\r\n - if OID 0xE0F0 is used no other input is needed\r\n- **public key input**\r\n\r\n - public key file name in PEM format\r\n\r\n - \\* = no public input\r\n\r\n - ^ = public key store in Application OID Key\r\n\r\n - 0xE0F1 store in 0xF1D1,\r\n\r\n - 0xE0F2 store in 0xF1D2,\r\n\r\n - 0xE0F3 store in 0xF1D3,\r\n\r\n - 0xE0FC store in 0xF1E0,\r\n\r\n - 0xE0FD store in 0xF1E1\r\n\r\n Note: For ECC521/BRAINPOOL512, the public key store in Application OID list as below:\r\n\r\n - 0xE0F1 store in 0xF1E0,\r\n\r\n - 0xE0F2 store in 0xF1E1\r\n \r\n- **NEW**\r\n\r\n - Generate new key pair in OPTIGA™ Trust M\r\n- **key size**\r\n\r\n - ECC\r\n - 0x03 = 256 key length for NIST 256\r\n - 0x04 = 384 key length for NIST 384\r\n - 0x05 = 521 key length for NIST 521\r\n - 0x13 = 256 key length for brainpoolP256r1\r\n - 0x15 = 384 key length for brainpoolP384r1\r\n - 0x16 = 512 key length for brainpoolP512r1\r\n - RSA\r\n - 0x41 = 1024 key length\r\n - 0x42 = 2048 key length\r\n- **Key usage** \r\n\r\n - Auth : 0x01 \r\n - Enc : 0x02 \r\n - HFWU : 0x04 \r\n - DevM : 0X08 \r\n - Sign : 0x10 \r\n - Agmt : 0x20\r\n\r\n*Note: If wrong public is submitted the certificate generation will still go through but verification will fail.*\r\n\r\nExample : Generating a certificate request using OID 0xE0F3 with new key generated, ECC 384 key length and Auth/Enc/Sign usage. Verify that public key match the private key in the OID.\r\n\r\n```console \r\nopenssl req -provider trustm_provider -key 0xe0f3:*:NEW:0x04:0x13 -new -out test_e0f3.csr -verify\r\n```\r\n*Note:*\r\n*If wrong public is used or no pubkey is submitted the certificate generation will still* \r\n*go through but verification will fail. Pubic key input only in PEM*\r\n\r\n### \u003ca name=\"pkey\"\u003e\u003c/a\u003epkey\r\nUsage : Key generation\r\n\r\nOPTIGA™ Trust M provider uses the -in parameter to pass input to the key generation/usage function.\r\n\r\nFollowing is the input format:\r\n\r\n-in **OID** : **public key input** : **NEW** :**key size** : **key usage**\r\n\r\n(see [req](#req) for input details)\r\n\r\nThere are two ways to generate New ECC/RSA Key Pair. \r\n\r\n#### KeyGen with public key as output \r\n\r\nExample: To generate keypair with public key as output and private key stored inside OPTIGA™ Trust M:\r\n\r\n```console \r\nopenssl pkey -provider trustm_provider -in 0xe0f1:*:NEW:0x03:0x13 -pubout -out e0f1_pub.pem\r\n```\r\n\r\nThe above command will generate the ECC256 keypair in OPTIGA™ Trust M. The output (e0f1_pub.pem) is the public key and the private key is stored inside Trust M. Refer to [Referencing keys in OPTIGA™ Trust M](#referencing-keys-in-optiga-trust-m) Section for more details.\r\n\r\n#### KeyGen with Reference Keys in file format as output\r\n\r\nExample: To generate reference keys in file format for ECC256:\r\n\r\n```console \r\nopenssl pkey -provider trustm_provider -provider default -propquery provider=trustm -in 0xe0f1:*:NEW:0x03:0x13 -out ecc256_key.pem\r\n```\r\n\r\nThe above command will generate the ECC256 keypair in OPTIGA™ Trust M. The private key id and public key of OPTIGA™ Trust M are stored inside the output file (ecc256_key.pem). Refer to [Referencing keys in OPTIGA™ Trust M](#referencing-keys-in-optiga-trust-m) Section for more details.\r\n\r\n### \u003ca name=\"pkeyutl\"\u003e\u003c/a\u003epkeyutl\r\n\r\nUsage : Sign and verify\r\n\r\n#### Sign using Labels with key id\r\n\r\nExample for signing using Labels with key id.\r\n\r\nSigning the message in the test_sign.txt file using the OPTIGA™ Trust M ECC key and saving the generated signature in the test_sign.sig file.\r\n\r\n```console \r\nopenssl pkeyutl -provider trustm_provider -inkey 0xe0f1:^ -sign -rawin -in test_sign.txt -out test_sign.sig\r\n```\r\nVerifying the signature of the raw input data in test_sign.txt using the provided public key in eofd_pub.pem and the signature in test_sign.sig\r\n\r\n```console \r\nopenssl pkeyutl -verify -pubin -inkey e0f1_pub.pem -rawin -in test_sign.txt -sigfile test_sign.sig\r\n```\r\n\r\nFor more details, please refer to [ec_keygen_and_sign](./provider-scripts/ec_keygen_and_sign/).\r\n\r\n#### Sign using Reference Keys in file format\r\n\r\nExample for Signing using Reference Keys in file format.\r\n\r\nSigning the message in the test_sign.txt file using the OPTIGA™ Trust M ECC key and saving the generated signature in the test_sign.sig file.\r\n\r\n```console \r\nopenssl pkeyutl -provider trustm_provider -provider default -sign -rawin -inkey ecc256_key.pem -in test_sign.txt -out test_sign.sig\r\n```\r\n\r\nVerifying the signature of the raw input data in test_sign.txt using the provided public key in eofd_pub.pem and the signature in test_sign.sig\r\n\r\n```console \r\nopenssl pkeyutl -verify -pubin -inkey e0f1_pub.pem -rawin -in test_sign.txt -sigfile test_sign.sig\r\n```\r\n\r\nFor more details, please refer to [ec_sign_verify_pem_files](./provider-scripts/ec_sign_verify_pem_files/).\r\n\r\n### \u003ca name=\"referencing-keys-in-optiga-trust-m\"\u003e\u003c/a\u003eReferencing keys in OPTIGA™ Trust M\r\n\r\nThe keys created inside OPTIGA™ Trust M can be referenced in 2 different ways\r\n\r\n1. Labels with key id. Example - 0xe0f1:\r\n2. Reference Keys in file format\r\n\r\n### 1. Labels with key id\r\n\r\nIn this method, the 2-byte key ID of the private key created / stored in OPTIGA™ Trust M is passed in string format.\r\n\r\nExample - 0xe0f1:\r\n\r\n### 2. Reference Keys in file format\r\n\r\nThe cryptographic functionality offered by the OpenSSL provider requires a reference to a key stored inside the secure element (exception is random generation).\r\n\r\nOpenSSL requires a key pair, consisting of a private and a public key, to be loaded before the cryptographic operations can be executed. This creates a challenge when OpenSSL is used in combination with a secure element as the private key cannot be extracted out from the secure element.\r\n\r\nThe solution is to populate the OpenSSL Key data structure with only a reference to the private key inside the secure element instead of the actual private key. The public key as read from the secure element can still be inserted into the key structure.\r\n\r\nOpenSSL crypto APIs are then invoked with these data structure objects as parameters. When the crypto API is routed to the provider, the Trust M provider implementation decodes these key references and invokes the secure element APIs with correct key references for a cryptographic operation. If the input key is not a reference key, execution will roll back to OpenSSL software implementation.\r\n\r\n``NOTE: When using this method, the Trust M provider has to be loaded first. This will ensure that Trust M provider can decode the key id information present in the reference key.``\r\n\r\n\r\n#### EC Reference Key Format\r\n\r\nThe following provides an example of an EC reference key. The value reserved\r\nfor the private key has been used to contain:\r\n\r\n- a 16 bit key identifier (in the example below ``0xe0f1``)\r\n\r\n```console\r\nPrivate-Key: (256 bit)\r\npriv:\r\n e0:f1:00:00:00:00:00:00:00:00:00:00:00:00:00:\r\n 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:\r\n 00:00\r\npub:\r\n 04:68:ba:d2:d6:23:b5:0d:fa:41:4e:8a:73:f7:d6:\r\n c5:08:13:92:49:28:b6:13:24:ff:2c:2e:02:4f:c5:\r\n a1:57:46:6f:f6:9e:1c:62:77:a4:42:fd:ce:66:06:\r\n d5:76:0d:95:0a:00:fe:7c:b0:ad:5c:91:73:61:c1:\r\n 38:33:cc:4a:03\r\nASN1 OID: prime256v1\r\nNIST CURVE: P-256\r\n```\r\n\r\n- Ensure the value reserved for public key and ASN1 OID contain the values\r\n matching the stored key.\r\n\r\n---\r\n\r\n#### RSA Reference Key Format\r\n\r\nThe following provides an example of an RSA reference key.\r\n\r\n- The value reserved for 'p' ('prime1') is used as a magic number and is\r\n set to '1'\r\n- The value reserved for 'q' ('prime2') is used to store the 16 bit key\r\n identifier (in the example below 0xe0fc)\r\n\r\n```console\r\nPrivate-Key: (2047 bit, 2 primes)\r\nmodulus:\r\n 47:ee:f4:a5:fc:63:d5:93:04:21:c0:86:eb:09:b0:\r\n 6d:9f:2b:28:1c:63:9a:2a:64:89:07:30:9e:2f:f3:\r\n 02:55:e3:6c:8c:87:91:29:27:ed:a3:76:ab:1d:7d:\r\n f0:d8:e8:b2:b8:e2:83:af:6b:e3:e5:3b:0f:c8:3e:\r\n cf:8b:7a:79:6d:1a:ab:f5:41:b6:94:70:ad:2b:33:\r\n 60:08:e0:4f:ab:9c:70:2a:a0:87:da:fd:4a:ef:f7:\r\n b8:d2:03:d1:c6:d0:39:5a:e8:de:d3:80:af:5f:fe:\r\n 63:01:7a:24:9d:a5:2b:29:a4:7c:61:a4:74:dd:37:\r\n 96:05:7f:7a:b0:3b:5b:b8:a5:72:fa:1f:14:d5:72:\r\n 66:00:be:e6:cd:a4:9e:3e:70:23:88:fd:38:48:b0:\r\n 04:80:4e:73:77:dc:fc:75:a5:38:c2:b8:ce:82:8e:\r\n d7:8e:33:f5:3f:63:e3:dd:4c:07:a0:70:f4:8a:a1:\r\n ff:15:2a:9d:ba:af:9c:98:4c:b4:a2:21:a3:a0:22:\r\n 3f:67:66:4a:9d:6f:0c:6e:4a:49:97:d0:27:af:3f:\r\n 3f:40:7f:9b:7e:5d:0a:91:cc:95:1a:30:19:be:87:\r\n c4:3f:c7:c9:a9:65:10:ad:d5:17:b6:af:78:e1:a5:\r\n 8c:07:50:8d:9b:9f:c7:3b:7f:9e:b1:2c:da:11:2b:\r\n a1\r\npublicExponent: 65537 (0x10001)\r\nprivateExponent: 0\r\nprime1: 1 (0x1)\r\nprime2: 57596 (0xe0fc)\r\nexponent1: 0\r\nexponent2: 0\r\ncoefficient: 0\r\n```\r\n\r\n---\r\n- Ensure key length, the value reserved for (private key) modulus and\r\n public exponent match the stored key.\r\n- Setting prime1 to '1' makes it impossible that a normal private key\r\n matches a reference key.\r\n- The mathematical relation between the different key components is not\r\n preserved for this reference key pem file.\r\n\r\n### \u003ca name=\"test_tls_ecc\"\u003e\u003c/a\u003eTesting TLS connection with ECC key\r\n\r\n#### \u003ca name=\"test_tls_ecc_client\"\u003e\u003c/a\u003eScenario where OPTIGA™ Trust M is on the client :\r\n\r\n*Note : To generate a test server certificate refer to [Generating a Test Server Certificate](#test_Server_cert)* or refer below\r\n\r\nGenerate Server ECC Private Key on Trust M\r\n\r\n```\r\nopenssl ecparam -out server1_privkey.pem \\\r\n-name prime256v1 -genkey\r\n```\r\n\r\nGenerate CSR for Server \r\n\r\n```\r\nopenssl req -new -key server1_privkey.pem \\\r\n-subj \"/C=SG/CN=Server1/O=Infineon\" \\\r\n-out server1.csr\r\n```\r\n\r\nGenerate Server certificate using CA\r\n\r\n```\r\nopenssl x509 -req -in server1.csr \\\r\n-CA scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA.pem \\\r\n-CAkey scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA_Key.pem \\\r\n-CAcreateserial -out server1.crt \\\r\n-days 365 \\\r\n-sha256 \\\r\n-extfile ../openssl.cnf -extensions cert_ext\r\n```\r\n\r\nCreate new ECC 256 key length and Auth/Enc/Sign usage and generate a certificate request for OPTIGA™ Trust M key 0xE0F1\r\n\r\n```console\r\nopenssl req -provider trustm_provider \\\r\n-key 0xe0f1:*:NEW:0x03:0x13 \\\r\n-new -out test_e0f1.csr \\\r\n-subj \"/C=SG/CN=TrustM/O=Infineon\"\r\n```\r\n\r\nExtract the public key from certificate request for OPTIGA™ Trust M key 0xE0F1\r\n\r\n```\r\nopenssl req -in client1_e0f1.csr \\\r\n-pubkey -noout \\\r\n-out client1_e0f1.pub\r\n```\r\n\r\nIssue the certificate with keyUsage=digitalSignature,keyEncipherment on the client side with OPTIGA_Trust_M_Infineon_Test_CA.\r\n\r\n*Note : Refer to [Generating a Test Server Certificate](#test_Server_cert) for openssl.cnf*\r\n\r\n```console\r\nopenssl x509 -req -in test_e0f1.csr \\\r\n-CA scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA.pem \\\r\n-CAkey scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA_Key.pem \\\r\n-CAcreateserial \\\r\n-out test_e0f1.crt \\\r\n-days 365 \\\r\n-sha256\r\n\r\n```\r\n\r\nRunning the test server : \r\n\r\n```console\r\nlxterminal -e openssl s_server \\\r\n-cert server1.crt \\\r\n-key privkey.pem \\\r\n-accept 5000 \\\r\n-verify_return_error \\\r\n-Verify 1 \\\r\n-CAfile scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA.pem\r\n\r\n```\r\n\r\nRunning the test client : *(open a new console)* \r\n\r\n```console\r\nlxterminal -e openssl s_client \\\r\n-connect localhost:5000 \\\r\n-servername Server1 \\\r\n-provider trustm_provider \\\r\n-provider default \\\r\n-cert test_e0f1.crt \\\r\n-key 0xe0f1:^ \\\r\n-CAfile scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA.pem\r\n\r\n```\r\n\r\n#### \u003ca name=\"test_tls_ecc_server\"\u003e\u003c/a\u003eScenario where OPTIGA™ Trust M is on the server :\r\n\r\nCreate new ECC 256 key length and Auth/Enc/Sign usage and generate a certificate request for OPTIGA™ Trust M key 0xE0F2\r\n\r\n```console\r\nopenssl req -provider trustm_provider \\\r\n-key 0xe0f2:*:NEW:0x03:0x13 -new \\\r\n-out test_e0f2.csr \\\r\n-subj \"/C=SG/CN=TrustM/O=Infineon\"\r\n```\r\n\r\nExtract Public Key from certificate request for OPTIGA™ Trust M key 0xE0F2\r\n\r\n```\r\nopenssl req -in test_e0f2.csr \\\r\n-pubkey -noout \\\r\n-out test_e0f2.pub\r\n```\r\n\r\nIssue the certificate with keyUsage=keyCertSign, cRLSign, digitalSignature on the server side with OPTIGA_Trust_M_Infineon_Test_CA.\r\n\r\n```console\r\nopenssl x509 -req -in test_e0f2.csr \\\r\n-CA scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA.pem \\\r\n-CAkey scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA_Key.pem \\\r\n-CAcreateserial \\\r\n-out test_e0f2.crt \\\r\n-days 365 \\\r\n-sha256 \\\r\n-extfile openssl.cnf \\\r\n-extensions cert_ext\r\n```\r\n\r\nGenerate Client ECC Private Key\r\n\r\n```\r\nopenssl ecparam -out privkey.pem \\\r\n-name prime256v1 -genkey\r\n```\r\n\r\nGenerate Client CSR\r\n\r\n```\r\nopenssl req -new \\\r\n-key privkey.pem \\\r\n-subj \"/C=SG/CN=Server1/O=Infineon\" \\\r\n-out client.csr\r\n```\r\n\r\nGenerate Client certificate using CA\r\n\r\n```\r\nopenssl x509 -req -in client.csr \\\r\n-CA scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA.pem \\\r\n-CAkey $CERT_PATH/OPTIGA_Trust_M_Infineon_Test_CA_Key.pem \\\r\n-CAcreateserial -out client.crt \\\r\n-days 365 \\\r\n-sha256\r\n```\r\n\r\nRunning the test server : \r\n\r\n```console\r\nlxterminal -e openssl s_server \\\r\n-cert test_e0f2.crt \\\r\n-provider trustm_provider -provider default \\\r\n-key 0xe0f2:^ \\\r\n-accept 5000 \\\r\n-verify_return_error \\\r\n-Verify 1 \\\r\n-CAfile scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA.pem\r\n\r\n```\r\n\r\nRunning the test client : *(open a new console)* \r\n\r\n```console\r\nlxterminal -e openssl s_client \\\r\n-connect localhost:5000 \\\r\n-servername Server1 \\\r\n-cert client.crt \\\r\n-key privkey.pem \\\r\n-CAfile scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA.pem\r\n\r\n```\r\n\r\n#### \u003ca name=\"test_tls_ecc_file\"\u003e\u003c/a\u003eTesting TLS connection with ECC Reference key in file format\r\n\r\nPlease refer to [ec_server_client_pem_file](./provider-scripts/ec_server_client_pem_file/) for detailed use cases.\r\n\r\n#### \u003ca name=\"test_curl_ecc_file\"\u003e\u003c/a\u003eTesting Curl connection using ECC Reference key in file format\r\n\r\nPlease refer to [trustm_curl_test](./provider-scripts/trustm_curl_test/) for detailed use cases.\r\n\r\n### \u003ca name=\"test_tls_rsa\"\u003e\u003c/a\u003eTesting TLS connection with RSA key\r\n\r\n#### \u003ca name=\"test_tls_rsa_client\"\u003e\u003c/a\u003eScenario where OPTIGA™ Trust M is on the client :\r\n\r\n*Note : To generate a test server certificate refer to [Generating a Test Server Certificate](#test_server_cert)* \r\n\r\nCreates new RSA 2048 key length and Auth/Enc/Sign usage and generate a certificate request for OPTIGA™ Trust M key 0xE0FC\r\n\r\n```console\r\nopenssl req -provider trustm_provider \\\r\n-key 0xe0fd:*:NEW:0x42:0x13 \\\r\n-new \\\r\n-subj \"/C=SG/CN=TrustM/O=Infineon\" \\\r\n-out test_e0fd.csr\r\n```\r\n\r\nIssue the certificate with keyUsage=digitalSignature,keyEncipherment on the client side with OPTIGA_Trust_M_Infineon_Test_CA.\r\n\r\n**Note : Refer to [Generating a Test Server Certificate](#test_server_cert) for openssl.cnf**\r\n\r\n```console\r\nopenssl x509 -req -in test_e0fd.csr \\\r\n-CA scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA.pem \\\r\n-CAkey scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA_Key.pem \\\r\n-CAcreateserial \\\r\n-out test_e0fd.crt \\\r\n-days 365 \\\r\n-sha256 \\\r\n-extfile openssl.cnf \\\r\n-extensions cert_ext1\r\n```\r\n\r\nRunning the test server : \r\n\r\n```console\r\nopenssl s_server \\\r\n-cert test_opensslserver.crt \\\r\n-key privkey.pem -accept 5000 \\\r\n-verify_return_error \\\r\n-Verify 1 \\\r\n-CAfile scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA.pem \\\r\n-sigalgs RSA+SHA256\r\n```\r\n\r\nRunning the test client : *(open a new console)* \r\n\r\n```console\r\nopenssl s_client -provider trustm_provider -provider default \\\r\n-client_sigalgs RSA+SHA256 \\\r\n-cert test_e0fd.crt \\\r\n-key 0xe0fd:^ \\\r\n-connect localhost:5000 \\\r\n-tls1_2 \\\r\n-CAfile scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA.pem \\\r\n-verify 1 \r\n```\r\n\r\n#### \u003ca name=\"test_tls_rsa_server\"\u003e\u003c/a\u003eScenario where OPTIGA™ Trust M is on the server :\r\n\r\nCreates new RSA 2048 key length and Auth/Enc/Sign usage and generate a certificate request for OPTIGA™ Trust M key 0xE0FD\r\n\r\n```console\r\nopenssl req -provider trustm_provider -key 0xe0fc:*:NEW:0x42:0x13 -new -subj \"/C=SG/CN=TrustM/O=Infineon\" -out test_e0fc.csr\r\n```\r\n\r\nIssue the certificate with keyUsage=keyCertSign, cRLSign, digitalSignature on the server side with OPTIGA_Trust_M_Infineon_Test_CA.\r\n\r\n```console\r\nopenssl x509 -req -in test_e0fc.csr -CA scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA.pem \\\r\n-CAkey scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA_Key.pem \\\r\n-CAcreateserial \\\r\n-out test_e0fc.crt \\\r\n-days 365 \\\r\n-sha256 \\\r\n-extfile openssl.cnf \\\r\n-extensions cert_ext2\r\n```\r\n\r\nRunning the test server : \r\n\r\n```console\r\nopenssl s_server -provider trustm_provider -provider default \\\r\n-cert test_e0fc.crt \\\r\n-key 0xe0fc:^ \\\r\n-accept 5000 \\\r\n-verify_return_error \\\r\n-CAfile scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA.pem \\\r\n-sigalgs RSA+SHA256 \r\n```\r\n\r\nRunning the test client : *(open a new console)* \r\n\r\n```console\r\nopenssl s_client \\\r\n-CAfile scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA.pem \\\r\n-connect localhost:5000 -tls1_2\r\n-client_sigalgs RSA+SHA256\r\n```\r\n\r\n### \u003ca name=\"test_server_cert\"\u003e\u003c/a\u003eGenerating a Test Server Certificate\r\n\r\nGenerate a new key pair and certificate request. Private key is output to private.pem\r\n\r\n```console\r\nopenssl req -new -nodes -subj \"/C=SG/O=Infineon\" -out test_opensslserver.csr\r\n```\r\n\r\nCreates the openssl.cnf with the below contain:\r\n\r\n```console\r\ncat openssl.cnf \r\n```\r\n\r\nCreates and displays the openssl.cnf as shown below:\r\n\r\n```console\r\n[ cert_ext ]\r\nsubjectKeyIdentifier=hash\r\nkeyUsage=critical,digitalSignature,keyEncipherment\r\nextendedKeyUsage=clientAuth,serverAuth\r\n\r\n[ cert_ext1 ]\r\nsubjectKeyIdentifier=hash\r\nkeyUsage=digitalSignature,keyEncipherment\r\nextendedKeyUsage=clientAuth\r\n\r\n[ cert_ext2 ]\r\nsubjectKeyIdentifier=hash\r\nkeyUsage=keyCertSign, cRLSign, digitalSignature\r\n```\r\n\r\nIssue the certificate with keyUsage=keyCertSign, cRLSign, digitalSignature on the server side with OPTIGA_Trust_M_Infineon_Test_CA.\r\n\r\n```console\r\nopenssl x509 -req -in test_opensslserver.csr \\\r\n-CA scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA.pem \\\r\n-CAkey scripts/certificates/OPTIGA_Trust_M_Infineon_Test_CA_Key.pem \\\r\n-CAcreateserial \\\r\n-out test_opensslserver.crt \\\r\n-days 365 \\\r\n-sha256 \\\r\n-extfile openssl.cnf \\\r\n-extensions cert_ext2\r\n```\r\n\r\n\r\n\r\n### \u003ca name=\"issue_cert\"\u003e\u003c/a\u003eUsing OPTIGA™ Trust M OpenSSL provider to sign and issue certificate\r\n\r\nIn this section, we will demonstrate how you can use OPTIGA™ Trust M OpenSSL provide/ to enable OPTIGA™ Trust M as a simple Certificate Authorities (CA) without revocation and tracking of certificate it issue.\r\n\r\n#### Generating CA key pair and Creating OPTIGA™ Trust M CA self sign certificate\r\n\r\nCreate OPTIGA™ Trust M CA key pair with the following parameters:\r\n\r\n- OID 0xE0F2\r\n- public key store in 0xF1D2\r\n- Self signed CA cert with subject\r\n - Organization : Infineon OPTIGA(TM) Trust M\r\n - Common Name : UID of Trust M\r\n - expiry days : ~10 years\r\n\r\n```console\r\nopenssl req -provider trustm_provider -provider default \\\r\n-key 0xe0f2:^:NEW:0x03:0x13 \\\r\n-new \\\r\n-x509 \\\r\n-days 3650 \\\r\n-subj /O=\"Infineon OPTIGA(TM) Trust M\"\\\r\n-sha256 \\\r\n-extensions v3_req \\\r\n-out test_e0f2.crt \\\r\n```\r\n\r\n#### Generating a Certificate Request (CSR)\r\n\r\nYou may use the example given in [req](#req) to generate a CSR or used any valid CSR\r\n\r\nor\r\n\r\nThe following command generates an Elliptic Curve Cryptography (ECC) private key.\r\n\r\n```\r\nopenssl ecparam \\\r\n-out dev_privkey.pem \\\r\n-name prime256v1 \\\r\n-genkey\r\n```\r\n\r\nFollowing command generates a CSR, which is a request to a Certificate Authority (CA) to sign the public key along with the information provided. The CSR contains the public key from the private key file and the subject information.\r\n\r\n```\r\nopenssl req -new \\\r\n-key dev_privkey.pem \\\r\n-subj /CN=TrustM_Dev1/O=Infineon/C=SG \\\r\n-out test_e0f3.csr\r\n```\r\n\r\nThese scripts are part of the initial steps for setting up a secure communication channel, enabling the device or server to prove its identity to clients or other servers. The CSR would typically be sent to a CA, who verifies the information and issues a certificate, which can then be used in SSL/TLS handshakes.\r\n\r\n#### Signing and issuing the Certificate with Trust M\r\n\r\nFollowing demonstrate how you can issue and sign certificate with OPTIGA™ Trust M with the following inputs:\r\n\r\n- input csr file : test_e0f3.csr\r\n- CA Cert : test_e0f2.crt\r\n- CA key : 0xE0F2 with public key store in 0xF1D2\r\n- Create new serial number for certificate (serial number is store in test_e0f3.srl)\r\n- using extension cert_ext in extension file\r\n- expiry days : 1 year\r\n\r\n*Note : Refer to [Generating a Test Server Certificate](#test_Server_cert) for openssl.cnf*\r\n\r\n```console\r\nopenssl ca -batch -create_serial \\\r\n-provider trustm_provider -provider default \\\r\n-keyfile 0xe0f2:^ \\\r\n-in test_e0f3.csr \\\r\n-out test_e0f3.crt \\\r\n-cert test_e0f2.crt \\\r\n-days 365 \\\r\n-config openssl.cnf \\\r\n-md sha256\r\n```\r\n\r\n## \u003ca name=\"known_observations\"\u003e\u003c/a\u003eKnown observations\r\n\r\n### Secure communication bypass\r\n\r\nThe I2C secure communication bypass option for CLI only works if the default reset protection level for OPTIGA CRYPT and UTIL APIs is set to OPTIGA_COMMS_NO_PROTECTION.\r\n\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FInfineon%2Flinux-optiga-trust-m","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FInfineon%2Flinux-optiga-trust-m","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FInfineon%2Flinux-optiga-trust-m/lists"}