This repository has been archived by the owner on Jun 27, 2023. It is now read-only.

[question] how to get certificate chain #12

Closed
ozanoner opened this issue Jun 14, 2019 · 7 comments
@ozanoner

Hi @ayushev,
I am trying to download the whole PKI hierarchy, as described in the OPTIGA(TM) Trust X Keys and Certificates document (section 3.1, PKI hierarchy for Productive Certificates), to the host uC, but I couldn't find any information about it (no forum, no doc, no example). The only example is provided in the nordicsemi nRF SDK, as below:

    // Maximum size of the certificate
    #define CHAIN_SIZE 1728
    optiga_lib_status_t optiga_lib_status;

    // print internal certificate
    // This is a TLS certificate chain and not suitable for optiga_verify
    uint8_t  chain[CHAIN_SIZE] = {0};
    uint8_t  chain2[CHAIN_SIZE] = {0};
    uint8_t  chain3[CHAIN_SIZE] = {0};
    uint16_t chain_len = CHAIN_SIZE;

    NRF_LOG_INFO("Reading/Writing certificate");
    NRF_LOG_FLUSH();

    optiga_lib_status = optiga_util_read_data(eDEVICE_PUBKEY_CERT_IFX, 0, chain, &chain_len);
    DEMO_OPTIGA_ERROR_CHECK(optiga_lib_status);
    NRF_LOG_INFO("Certificate Chain [%d bytes]:", chain_len);
    pr_hex(chain, chain_len);

    optiga_lib_status = optiga_util_read_data(eDEVICE_PUBKEY_CERT_IFX, 0, chain2, &chain_len);
    DEMO_OPTIGA_ERROR_CHECK(optiga_lib_status);
    NRF_LOG_INFO("Certificate Chain 2 [%d bytes]:", chain_len);
    pr_hex(chain2, chain_len);

    optiga_lib_status = optiga_util_read_data(eDEVICE_PUBKEY_CERT_IFX, 0, chain3, &chain_len);
    DEMO_OPTIGA_ERROR_CHECK(optiga_lib_status);
    NRF_LOG_INFO("Certificate Chain 3 [%d bytes]:", chain_len);
    pr_hex(chain3, chain_len);

However, this code reads the same certificate into different variables, and that is all. (To be honest, I didn't understand the reason for that. I hoped the code would download the certificate chain, but it doesn't.)
So I would appreciate it if you could help me with that.
Best regards,
Vedat

@ayushev ayushev self-assigned this Jun 14, 2019
@ayushev
Member

ayushev commented Jun 14, 2019

Hi Vedat,

The samples you have are pre-provisioned by Infineon with the default PKI setup (the file to which you are referring). After ordering more than the Minimum Order Quantity, it is possible to define your own PKI configuration. For orders below this amount, there are still options to personalize the samples, either via this application note or via distributors.
That was sort of an intro. Answering your question: the end device certificate (bottom level in the picture) is the only certificate you can find by default on OPTIGA(TM) Trust X (except for Trust Anchors). The other two certificates are common among all default samples (including your sample).
These certificates can be found here:

The example code to read out the end device certificate can be found, as you mentioned, either in the Nordic SDK or in example_optiga_util_read_data.c

@ozanoner
Author

Thanks for the answer, Artem! So where is the corresponding private key of that default certificate? Stored in eFIRST_DEVICE_PRIKEY_1?

@ayushev
Member

ayushev commented Jun 14, 2019

You are welcome!
Yes, the Object ID of this slot (one of four) is 0xE0F0, which is defined in the code as eFIRST_DEVICE_PRIKEY_1.

@ozanoner
Author

ozanoner commented Jun 14, 2019

Is there any way to extract it? I tried to read it (optiga_util_read_data), but it gives the error 'Access conditions not satisfied 0x07'.

The value of its metadata (optiga_util_read_metadata):

20 06 E0 01 03 E1 01 01

E0 -> Algorithm associated with key container (value: Elliptic Curve Key on NIST P256 curve)
E1 -> Key usage associated with key container (value: Auth)
I don't see anything regarding a 'read' policy.

@ayushev
Member

ayushev commented Jun 14, 2019

The short answer is that neither you nor anybody else can read out the private key, for security reasons.
The private key can't be imported either; you can only create the private part as part of the keypair generation routine.

You can't read the private key because the access conditions are not satisfied (the access conditions for this object are Execute/EXE, which means it can only be used internally by the Trust X, e.g. by the signature generation routine).
You can find more about access conditions here
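To make the metadata bytes quoted above (20 06 E0 01 03 E1 01 01) and the access-condition explanation concrete, here is an added example that is not part of this thread or of the OPTIGA host library: a small parser for the "0x20 <len> (tag len value)*" structure returned by optiga_util_read_metadata(). Tags 0xE0 (algorithm) and 0xE1 (key usage) are the ones decoded in the thread; 0xD1 (read AC) and 0xD3 (execute AC) are the Trust X access-condition tags and are simply reported as absent when, as in the quoted bytes, the device did not return them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the metadata bytes quoted in this issue for object 0xE0F0. */
static const uint8_t SAMPLE_METADATA[] = {0x20, 0x06, 0xE0, 0x01, 0x03, 0xE1, 0x01, 0x01};

/* Decoded view of the metadata fields this example understands. */
typedef struct {
    int has_algorithm;  uint8_t algorithm;  /* tag 0xE0: 0x03 = ECC NIST P-256 */
    int has_key_usage;  uint8_t key_usage;  /* tag 0xE1: bit 0x01 = Auth */
    int has_read_ac;    uint8_t read_ac;    /* tag 0xD1: first byte of the AC expression */
    int has_execute_ac; uint8_t execute_ac; /* tag 0xD3: first byte of the AC expression */
} key_metadata_t;

/* Parse a metadata buffer. Returns 0 on success, -1 if the TLV structure is malformed
 * (wrong outer tag, outer length not matching, or an entry running past the buffer). */
int parse_key_metadata(const uint8_t *buf, size_t buf_len, key_metadata_t *out)
{
    memset(out, 0, sizeof(*out));
    if (buf_len < 2 || buf[0] != 0x20 || buf[1] != buf_len - 2) return -1;
    size_t pos = 2;
    while (pos + 2 <= buf_len) {
        uint8_t tag = buf[pos], len = buf[pos + 1];
        const uint8_t *val = buf + pos + 2;
        if (len == 0 || pos + 2 + len > buf_len) return -1;
        switch (tag) {
        case 0xE0: out->has_algorithm = 1;  out->algorithm = val[0];  break;
        case 0xE1: out->has_key_usage = 1;  out->key_usage = val[0];  break;
        case 0xD1: out->has_read_ac = 1;    out->read_ac = val[0];    break;
        case 0xD3: out->has_execute_ac = 1; out->execute_ac = val[0]; break;
        default: break; /* other tags (LcsO, sizes, change AC, ...) are skipped here */
        }
        pos += 2 + len;
    }
    return pos == buf_len ? 0 : -1;
}

/* Key usage 0x01 is "Auth", as decoded in the thread. */
int key_usage_allows_auth(const key_metadata_t *m) { return m->has_key_usage && (m->key_usage & 0x01); }

int main(void)
{
    key_metadata_t m;
    if (parse_key_metadata(SAMPLE_METADATA, sizeof SAMPLE_METADATA, &m) != 0) return 1;
    printf("algorithm tag present: %d (0x%02X)\n", m.has_algorithm, m.algorithm);
    printf("key usage allows Auth: %d\n", key_usage_allows_auth(&m));
    printf("read AC tag present: %d, execute AC tag present: %d\n", m.has_read_ac, m.has_execute_ac);
    return 0;
}
```

Note that an absent 0xD1 tag in the returned metadata is not the same as a readable object: the device itself enforces the access conditions, which is exactly why optiga_util_read_data() on 0xE0F0 fails with 0x07.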

@ayushev ayushev closed this as completed Jun 14, 2019
@ozanoner
Author

It is clear now. I thought it needed to be queried, judging by the examples in the solution reference manual. Sorry for taking your time.

@ayushev
Member

ayushev commented Jun 14, 2019

You ask reasonable questions which hopefully can help others answer theirs.
