nRF5 SDK v14.0.0
Infineon OPTIGA Trust E Command Library
This information applies to the nRF52840 SoC only.

The Infineon OPTIGA Trust E Command Library provides a high-level API to access cryptographic and security-related functions of a discrete Infineon OPTIGA Trust E hardware security module connected via I2C. The command library utilizes the Infineon I2C Protocol Stack Library to interface via I2C to the hardware module.

Note
The Infineon OPTIGA Trust E hardware security module must be acquired separately. For more information, visit the OPTIGA Trust E product website.

Configuration

Device-specific settings for the Infineon I2C Protocol Stack are configured in ifx_i2c_config.h.

Library Initialization

The function optiga_open_application() initializes the Infineon OPTIGA Trust E device and the host library.

The following code example shows how to initialize the OPTIGA Trust E command library:

uint16_t err_code = optiga_open_application();
if (err_code == IFX_I2C_STACK_SUCCESS)
{
    // Continue with application logic here
}

OPTIGA Trust E Commands

This section explains the most relevant commands supported by the command library.

Note
This documentation and the library implementation cover only a subset of the functions supported by the device.

Random Number Generation

The function optiga_get_random() retrieves a cryptographic-quality random number from the Infineon OPTIGA Trust E device. It can be used as an entropy source for various security schemes. The buffer that stores the random number must be allocated by the application. The length of the random number ranges from 8 to 256 bytes.

The following code example shows how to retrieve 16 random bytes from an OPTIGA Trust E:

uint8_t rnd[16];
uint16_t err_code = optiga_get_random(sizeof(rnd), rnd);
if (err_code == IFX_I2C_STACK_SUCCESS)
{
    // Continue with application logic here
}

Device Certificate

The function optiga_read_certificate() retrieves the public X.509 certificate stored in the Infineon OPTIGA Trust E device. The certificate and the public key it contains can be used to verify a signature from the device. In addition, the receiver of the certificate can verify the chain of trust by validating the issuer of the certificate and the issuer's signature on the certificate. The buffer that holds the certificate is allocated inside the command library and is only valid until the next call to the command library.

The following code example shows how to retrieve the device certificate:

uint8_t *certificate;
uint32_t certificate_len;
uint16_t err_code = optiga_read_certificate(&certificate, &certificate_len);
if (err_code == IFX_I2C_STACK_SUCCESS)
{
    // Continue with application logic here
}

Digital Signature with ECDSA

This feature can be used to implement authentication schemes based on the Elliptic Curve Digital Signature Algorithm (ECDSA). The function optiga_sign() creates a signature using the scheme previously selected with optiga_set_auth_scheme(). The buffer that holds the signature is allocated by the command library and is only valid until the next call to the command library.

Note
The elliptic curve key length is determined implicitly by the device certificate.

The following code example shows how to have an ECDSA signature calculated by the Infineon OPTIGA Trust E:

// Placeholder value; the challenge is typically supplied by the verifying entity
uint8_t authentication_challenge[16] = {0};
uint8_t *signature;
uint32_t signature_len;
uint16_t err_code = optiga_set_auth_scheme();
if (err_code == IFX_I2C_STACK_SUCCESS)
{
    err_code = optiga_sign(authentication_challenge, sizeof(authentication_challenge), &signature, &signature_len);
    if (err_code == IFX_I2C_STACK_SUCCESS)
    {
        // Continue with application logic here
    }
}
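
Both the certificate and the signature live in buffers owned by the command library and are valid only until the next library call, so an application that needs both must copy each result out before calling the library again. The following added example (not part of the SDK documentation or library) shows that pattern with a bounds-checked copy. The three optiga_* functions are defined here as stand-ins that share one internal buffer; the value of IFX_I2C_STACK_SUCCESS, APP_ERR_BUFFER, copy_out() and build_auth_response() are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Stand-ins so this runs without hardware. Assumptions, not SDK definitions:
 * the success value and a single internal buffer reused by every call. */
#define IFX_I2C_STACK_SUCCESS 0u
#define APP_ERR_BUFFER        0xFFFFu /* hypothetical application error code */
static uint8_t m_lib_buf[64];

static uint16_t optiga_read_certificate(uint8_t **pp_cert, uint32_t *p_len)
{
    memset(m_lib_buf, 0xC5, 48); /* constructed "certificate" bytes */
    *pp_cert = m_lib_buf; *p_len = 48;
    return IFX_I2C_STACK_SUCCESS;
}
static uint16_t optiga_set_auth_scheme(void) { return IFX_I2C_STACK_SUCCESS; }
static uint16_t optiga_sign(uint8_t *p_msg, uint32_t msg_len, uint8_t **pp_sig, uint32_t *p_len)
{
    (void)p_msg; (void)msg_len;
    memset(m_lib_buf, 0x51, 40); /* constructed "signature" overwrites the buffer */
    *pp_sig = m_lib_buf; *p_len = 40;
    return IFX_I2C_STACK_SUCCESS;
}

/* Copy a library-owned result into application storage, refusing to overflow it. */
static uint16_t copy_out(const uint8_t *p_src, uint32_t src_len,
                         uint8_t *p_dst, uint32_t dst_size, uint32_t *p_dst_len)
{
    if (p_src == NULL || src_len > dst_size) return APP_ERR_BUFFER;
    memcpy(p_dst, p_src, src_len);
    *p_dst_len = src_len;
    return IFX_I2C_STACK_SUCCESS;
}

/* Gather certificate and signature for one authentication response. */
uint16_t build_auth_response(uint8_t *p_chal, uint32_t chal_len,
                             uint8_t *p_cert, uint32_t cert_size, uint32_t *p_cert_len,
                             uint8_t *p_sig, uint32_t sig_size, uint32_t *p_sig_len)
{
    uint8_t *p_lib = NULL;
    uint32_t lib_len = 0;
    uint16_t err = optiga_read_certificate(&p_lib, &lib_len);
    if (err == IFX_I2C_STACK_SUCCESS) err = copy_out(p_lib, lib_len, p_cert, cert_size, p_cert_len);
    /* p_lib is stale from here on: the next library call may reuse its buffer. */
    if (err == IFX_I2C_STACK_SUCCESS) err = optiga_set_auth_scheme();
    if (err == IFX_I2C_STACK_SUCCESS) err = optiga_sign(p_chal, chal_len, &p_lib, &lib_len);
    if (err == IFX_I2C_STACK_SUCCESS) err = copy_out(p_lib, lib_len, p_sig, sig_size, p_sig_len);
    return err;
}
```

On target, remove the stand-in definitions and include the command library's header instead.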
