Identity key usage
This sample shows how to use a previously written identity key with the PSA crypto APIs.
Requirements
The following development kits are supported:
Hardware platforms |
PCA |
Board name |
Board target |
|---|---|---|---|
PCA10153 |
|
||
PCA10090 |
|
||
PCA10171 |
|
||
PCA10095 |
|
The Hardware unique key library is required to generate the prerequisite Master Key Encryption Key (MKEK). The Identity key library is required to provision the identity key in KMU. Both these operations can be done by running the Identity key generation sample.
Note
Once the required identity key is provisioned on the device, only the code pages should be erased as ERASEALL removes the identity key from the system.
Overview
The identity key is an asymmetric key of type secp256r1 which can be used for attestation services. This sample shows how to load the identity key into the PSA crypto keystore for usage.
The sample performs the following operations:
The Platform Security Architecture (PSA) API is initialized.
The identity key is verified to be in the KMU.
The identity key is read from the KMU.
The identity key is imported to the PSA crypto keystore.
The public key is exported from the identity key.
Configuration
See Configuring and building for information about how to permanently or temporarily change the configuration.
Building and running
This sample can be found under samples/keys/identity_key_usage in the nRF Connect SDK folder structure.
To build the sample, follow the instructions in Building an application for your preferred building environment. See also Programming an application for programming steps and Testing and optimization for general information about testing and debugging in the nRF Connect SDK.
Note
When building repository applications in the SDK repositories, building with sysbuild is enabled by default.
If you work with out-of-tree freestanding applications, you need to manually pass the --sysbuild parameter to every build command or configure west to always use it.
Testing
After programming the sample to your development kit, complete the following steps to test it:
Connect to the kit that runs this sample with a terminal emulator (for example, nRF Connect Serial Terminal). See Testing and optimization for the required settings and steps.
Reset the kit.
Observe the following output:
Initializing PSA crypto. Reading the identity key. Importing the identity key into PSA crypto. Exporting the public key corresponding to the identity key. Success!
If an error occurs, the sample prints a message and raises a kernel panic.
Dependencies
This sample uses the following libraries: