
Comments (11)

pwiegele commented on May 29, 2024 1

I am not sure why the verify with an external is not working as expected. Can you try to wrap your public key into a certificate and store it at 0xE0E8? Then run the verify again referencing the key mentioned before?

from optiga-trust-x.

pwiegele commented on May 29, 2024 1

Good to hear! You can use the slot 0xE0E8 to store the public key, but it has to be inside of an x509 certificate. OPTIGA Trust X will internally parse the certificate and extract the public key, which will be used during the verify command.


pwiegele commented on May 29, 2024

Let's break it into more steps. Try the following:

  1. Have a look at this example here
  2. If you want to use a public key from the device, you need to store it at slot 0xE0E8 in the form of an x509 certificate.
  3. Inspect the raw data of the public key that you generate, does it start with a 0x04?


dogusural commented on May 29, 2024

My pub key is: 03-42-00-04-dc-8e-c5-a9-54-43-21-c1-50-22-31-69-48-11-8b-a8-15-32-fa-b6-30-c3-6c-55-a4-7e-57-29-2c-09-4b-02-f8-d3-83-4a-f7-77-5b-14-ff-8f-11-dd-22-61-09-2e-08-53-d6-0e-94-96-95-46-e8-3a-49-4d-92-c0-b3-75

I am generating my key pairs like this, so I believe they are already stored in the device.

optiga_key_id = index + OPTIGA_KEY_STORE_ID_E0F0;

optiga_crypt_ecc_generate_keypair(OPTIGA_ECC_NIST_P_256,
                                  (uint8_t)OPTIGA_KEY_USAGE_SIGN,
                                  FALSE,
                                  &optiga_key_id,
                                  public_key,
                                  &public_key_length);


pwiegele commented on May 29, 2024

Try to strip away the first three bytes, does it change anything?

from optiga-trust-x.
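
The key posted above begins 03 42 00 04: a DER BIT STRING header (tag 0x03, length 0x42, zero unused bits) followed by an uncompressed P-256 point (0x04 || X || Y). The following is an added example, not code from the thread or from the OPTIGA library, that recognises both layouts and extracts the 65-byte point; the function name and result codes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define P256_POINT_LEN 65u /* 0x04 || X (32 bytes) || Y (32 bytes) */

/* Hypothetical result codes for this example. */
enum { PK_OK = 0, PK_ERR_LENGTH = -1, PK_ERR_HEADER = -2, PK_ERR_FORMAT = -3 };

/* Public key exactly as posted in the thread (68 bytes). */
static const uint8_t thread_key[] = {
    0x03, 0x42, 0x00, 0x04,
    0xdc, 0x8e, 0xc5, 0xa9, 0x54, 0x43, 0x21, 0xc1, 0x50, 0x22, 0x31, 0x69, 0x48, 0x11, 0x8b, 0xa8,
    0x15, 0x32, 0xfa, 0xb6, 0x30, 0xc3, 0x6c, 0x55, 0xa4, 0x7e, 0x57, 0x29, 0x2c, 0x09, 0x4b, 0x02,
    0xf8, 0xd3, 0x83, 0x4a, 0xf7, 0x77, 0x5b, 0x14, 0xff, 0x8f, 0x11, 0xdd, 0x22, 0x61, 0x09, 0x2e,
    0x08, 0x53, 0xd6, 0x0e, 0x94, 0x96, 0x95, 0x46, 0xe8, 0x3a, 0x49, 0x4d, 0x92, 0xc0, 0xb3, 0x75
};

/* Accept a raw uncompressed point or one wrapped in a BIT STRING header,
 * and copy the 65-byte point (starting with 0x04) into out. */
int p256_point_from_buffer(const uint8_t *buf, size_t len,
                           uint8_t out[P256_POINT_LEN])
{
    const uint8_t *point = buf;

    if (buf == NULL || out == NULL)
        return PK_ERR_LENGTH;
    if (len == P256_POINT_LEN + 3u) {
        /* 0x03 = BIT STRING tag, 0x42 = 66 content bytes, 0x00 = unused bits */
        if (buf[0] != 0x03 || buf[1] != 0x42 || buf[2] != 0x00)
            return PK_ERR_HEADER;
        point = buf + 3;
    } else if (len != P256_POINT_LEN) {
        return PK_ERR_LENGTH;
    }
    if (point[0] != 0x04) /* 0x02/0x03 would be a compressed point */
        return PK_ERR_FORMAT;
    memcpy(out, point, P256_POINT_LEN);
    return PK_OK;
}

int main(void)
{
    uint8_t point[P256_POINT_LEN] = {0};
    int rc = p256_point_from_buffer(thread_key, sizeof thread_key, point);
    printf("rc=%d first=0x%02x last=0x%02x\n", rc, point[0], point[64]);
    return rc == PK_OK ? 0 : 1;
}
```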

dogusural commented on May 29, 2024

It still fails, funny thing is I can run this example just fine, with the pre-signed digest.
verify example


pwiegele commented on May 29, 2024

I had a look at your first post. Looks like you are using the wrong oid to verify signature. You have to use the public key stored at 0xF1DC instead of using the private key at 0xE0F1. Correct me if I am wrong.


dogusural commented on May 29, 2024

Valid point, but how do you know public key one has the address of 0xF1DC? It shows as GP memory in the wiki. And in the v3_verify_external function above, I inject the pubkey from outside but it gives me:

Invalid parameter in data field | 0x05 | Invalid parameter in command data field


dogusural commented on May 29, 2024

I fixed the external verification somehow :) But the verification with the public keys stored inside still doesn't work. It gives me 80001001 error which means invalid OID. What OID should I use for each public key slot?


dogusural commented on May 29, 2024

Thanks a bunch, do you have any documents that show the assembly of the certificate with the stored public key? Other than this all my questions have been answered, thank you.


pwiegele commented on May 29, 2024

Happy to hear it works for you.
What you need to do is:

  1. Generate a new keypair
  2. Generate a CSR with the public key
  3. Generate a self-signed CA
  4. The CA needs to sign the CSR

You can find more details here

If you run into troubles create an issue and we will take it from there.
