The Infineon OPTIGA™ Trust X Command Library provides a high-level API to the cryptographic and security functions of a discrete Infineon OPTIGA™ Trust X ("Trust X") hardware security module connected over I2C. The command library uses the Infineon I2C Protocol Stack Library as the I2C transport to the Trust X device.
Device-specific settings of the Infineon I2C Protocol Stack are configured in ifx_i2c_config.h.
To initialize the Trust X host library and the hardware device, you must call two functions in this order: optiga_init(), which initializes the host library, and optiga_open_application(), which opens the OPTIGA application on the device. Check that both calls succeed before issuing any other command; the remaining commands require an open application.
The following code snippet shows how to initialize the Trust X host library and hardware device:
This section explains the most relevant command groups and commands supported by the command library.
The random number generation (RNG) function optiga_get_random() retrieves random bytes from the hardware random number generator of the Trust X device. This output can serve as the entropy source for keys, nonces, and other security schemes. The buffer that receives the random bytes must be allocated by the application and be large enough for the requested length. The supported length is 8 to 256 bytes per call; an application that needs more bytes must call the function repeatedly, and one that needs fewer than 8 must request at least 8 and discard the surplus.
The following code snippet shows how to retrieve 16 random bytes from Trust X:
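As an added example (not code from the OPTIGA Trust X Command Library), the following wrapper fills a buffer of arbitrary length from a primitive that, like optiga_get_random(), only serves requests of 8 to 256 bytes per call, and wipes the whole buffer if any device call fails so that partially filled output can never be consumed. The real optiga_get_random() signature is not given on this page, so the device call sits behind a function pointer with an assumed `(uint8_t *out, uint16_t len)` shape; the `fake_source` below is a constructed, deterministic stand-in so the example runs offline and is not a random source.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Per-call limits of optiga_get_random() as stated on this page. */
#define TRUSTX_RNG_MIN 8u
#define TRUSTX_RNG_MAX 256u

/* Adapter type for the device call. The real optiga_get_random() signature is
 * an assumption here; an adapter for it returns 0 on success, nonzero on error. */
typedef int (*rng_fn)(uint8_t *out, uint16_t len);

/* Fill out[0..len) with random bytes, issuing only requests the device accepts.
 * Returns 0 on success. On any failure the whole buffer is wiped and -1 is
 * returned, so a caller can never consume partially filled output. */
int rng_fill(rng_fn get_random, uint8_t *out, size_t len)
{
    size_t done = 0;
    uint8_t tmp[TRUSTX_RNG_MIN];

    if (out == NULL && len != 0) return -1;
    while (done < len) {
        size_t want = len - done;
        if (want > TRUSTX_RNG_MAX) want = TRUSTX_RNG_MAX;      /* split long requests */
        if (want >= TRUSTX_RNG_MIN) {
            if (get_random(out + done, (uint16_t)want) != 0) goto fail;
        } else {
            /* Tail shorter than the device minimum: fetch the minimum into
             * scratch, keep the prefix, wipe the unused bytes. */
            if (get_random(tmp, TRUSTX_RNG_MIN) != 0) goto fail;
            memcpy(out + done, tmp, want);
            memset(tmp, 0, sizeof tmp);
        }
        done += want;
    }
    return 0;
fail:
    memset(out, 0, len);
    return -1;
}

/* ---- Constructed, deterministic stand-in so the example runs offline. ----
 * It is NOT a random source: it emits a counter and records every request
 * length so the chunking logic can be checked. On hardware the adapter calls
 * optiga_get_random() instead. */
static uint16_t g_call_len[64];
static size_t   g_ncalls;
static size_t   g_fail_on;   /* 1-based index of the call that fails; 0 = never */
static uint8_t  g_next;

static int fake_source(uint8_t *out, uint16_t len)
{
    if (len < TRUSTX_RNG_MIN || len > TRUSTX_RNG_MAX) return -1; /* mimic device limits */
    if (g_ncalls < 64) g_call_len[g_ncalls] = len;
    g_ncalls++;
    if (g_fail_on != 0 && g_ncalls == g_fail_on) return -1;
    for (uint16_t i = 0; i < len; i++) out[i] = g_next++;
    return 0;
}

/* Run rng_fill against the stand-in; reports the number of device calls made. */
int rng_fill_demo(uint8_t *out, size_t len, size_t fail_on_call, size_t *calls)
{
    int rc;
    g_ncalls = 0; g_next = 0; g_fail_on = fail_on_call;
    rc = rng_fill(fake_source, out, len);
    *calls = g_ncalls;
    return rc;
}

size_t rng_demo_call_len(size_t i) { return i < 64 ? g_call_len[i] : 0; }
```

On hardware, replace `fake_source` with a thin adapter that calls optiga_get_random() and maps its result to 0/nonzero; the chunking and fail-closed wipe in `rng_fill` stay the same.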
The function optiga_get_data_object() retrieves data objects from the Trust X, for example the X.509 certificate stored on the device. The certificate and the public key it contains let a verifier check a signature computed by the Trust X. The receiver of the certificate can also verify the chain of trust by validating the issuer's signature on the certificate against the issuer's certificate, and so on up to a trusted root. The buffer that holds the certificate is allocated inside the command library and is valid only until the next call into the command library, so copy its contents into application-owned memory before issuing any further command if they are needed afterwards.
The following code snippet shows how to retrieve the Infineon device certificate pre-personalized on a Trust X device:
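To use the certificate for signature verification the host has to pull the EC public key out of the DER encoding. The following is an added example, not code from the OPTIGA Trust X Command Library: a bounds-checked DER walker that descends Certificate, TBSCertificate and SubjectPublicKeyInfo, confirms the key algorithm is id-ecPublicKey, and returns the uncompressed point (0x04 || X || Y). Every length is checked against the buffer and DER's minimal-length rule, so a truncated or malformed certificate is rejected instead of being read past its end. `CONSTRUCTED_CERT` is a synthetic certificate skeleton built for this example (empty names, a dummy signature, X all 0x11 and Y all 0x22); it is not an Infineon certificate.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { const uint8_t *p; size_t len; } der_tlv_t;

/* Decode one DER tag/length header at buf[0..avail). Returns the header size,
 * or 0 if the encoding is malformed or the value would run past the buffer. */
static size_t der_read(const uint8_t *buf, size_t avail, uint8_t *tag, der_tlv_t *v)
{
    size_t hdr, len;
    if (avail < 2) return 0;
    *tag = buf[0];
    if (buf[1] < 0x80) {                     /* short form */
        len = buf[1]; hdr = 2;
    } else {                                 /* long form: 0x80|n, then n length bytes */
        size_t n = buf[1] & 0x7F;
        if (n == 0 || n > 2 || avail < 2 + n) return 0;   /* indefinite or oversized */
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | buf[2 + i];
        if (len < (n == 1 ? 0x80u : 0x100u)) return 0;    /* DER: minimal encoding only */
        hdr = 2 + n;
    }
    if (len > avail - hdr) return 0;         /* value must lie inside the buffer */
    v->p = buf + hdr; v->len = len;
    return hdr;
}

/* Read the next child of a constructed value and advance *cur past it. */
static int der_next(const uint8_t **cur, const uint8_t *end, uint8_t *tag, der_tlv_t *v)
{
    if (!der_read(*cur, (size_t)(end - *cur), tag, v)) return 0;
    *cur = v->p + v->len;
    return 1;
}

static const uint8_t OID_EC_PUBLIC_KEY[] = {0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01}; /* 1.2.840.10045.2.1 */

/* Locate the uncompressed EC point (0x04 || X || Y) inside a DER certificate.
 * Returns 0 and sets *point on success, -1 if the certificate is malformed. */
int cert_get_ec_point(const uint8_t *cert, size_t cert_len, der_tlv_t *point)
{
    uint8_t tag; der_tlv_t v, tbs;
    const uint8_t *cur, *end;

    /* Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } */
    if (!der_read(cert, cert_len, &tag, &v) || tag != 0x30) return -1;
    cur = v.p; end = v.p + v.len;
    if (!der_next(&cur, end, &tag, &tbs) || tag != 0x30) return -1;

    /* TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
     *                               issuer, validity, subject, subjectPublicKeyInfo, ... } */
    cur = tbs.p; end = tbs.p + tbs.len;
    if (!der_next(&cur, end, &tag, &v)) return -1;
    if (tag == 0xA0 && !der_next(&cur, end, &tag, &v)) return -1;   /* skip explicit version */
    if (tag != 0x02) return -1;                                       /* serialNumber */
    for (int i = 0; i < 4; i++)                                       /* signature, issuer, validity, subject */
        if (!der_next(&cur, end, &tag, &v) || tag != 0x30) return -1;
    if (!der_next(&cur, end, &tag, &v) || tag != 0x30) return -1;     /* subjectPublicKeyInfo */

    /* SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING } */
    cur = v.p; end = v.p + v.len;
    if (!der_next(&cur, end, &tag, &v) || tag != 0x30) return -1;     /* algorithm */
    {
        const uint8_t *a = v.p, *aend = v.p + v.len; der_tlv_t oid;
        if (!der_next(&a, aend, &tag, &oid) || tag != 0x06 ||
            oid.len != sizeof OID_EC_PUBLIC_KEY || memcmp(oid.p, OID_EC_PUBLIC_KEY, oid.len) != 0)
            return -1;                                                /* not an EC key */
    }
    if (!der_next(&cur, end, &tag, &v) || tag != 0x03) return -1;     /* BIT STRING */
    if (v.len < 2 || v.p[0] != 0x00 || v.p[1] != 0x04) return -1;    /* no unused bits; uncompressed point */
    point->p = v.p + 1; point->len = v.len - 1;
    return 0;
}

/* Constructed test certificate (NOT a real Infineon certificate): a v3 X.509 skeleton
 * with empty names, a P-256 SubjectPublicKeyInfo (X = 0x11.., Y = 0x22..) and a dummy
 * signature. Both outer SEQUENCEs use long-form lengths. */
#define X8 0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11
#define Y8 0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22
static const uint8_t CONSTRUCTED_CERT[] = {
    0x30,0x81,0xA7,                                   /* Certificate SEQUENCE, 167 bytes */
    0x30,0x81,0x93,                                   /* TBSCertificate, 147 bytes */
    0xA0,0x03,0x02,0x01,0x02,                         /* [0] version v3 */
    0x02,0x01,0x01,                                   /* serialNumber 1 */
    0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02, /* ecdsa-with-SHA256 */
    0x30,0x00,                                        /* issuer (empty) */
    0x30,0x1E,0x17,0x0D,'2','0','0','1','0','1','0','0','0','0','0','0','Z',
              0x17,0x0D,'3','0','0','1','0','1','0','0','0','0','0','0','Z', /* validity */
    0x30,0x00,                                        /* subject (empty) */
    0x30,0x59,                                        /* subjectPublicKeyInfo */
      0x30,0x13,0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01,        /* id-ecPublicKey */
                0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,   /* prime256v1 */
      0x03,0x42,0x00,0x04, X8,X8,X8,X8, Y8,Y8,Y8,Y8,                 /* BIT STRING: 04||X||Y */
    0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02, /* signatureAlgorithm */
    0x03,0x03,0x00,0xAA,0xBB                          /* signatureValue (dummy) */
};

size_t constructed_cert_len(void) { return sizeof CONSTRUCTED_CERT; }
const uint8_t *constructed_cert(void) { return CONSTRUCTED_CERT; }
```

On a real host, pass the certificate bytes returned by optiga_get_data_object() to `cert_get_ec_point()` and copy the 65-byte point out before the next command-library call, since the library-owned buffer is invalidated by it. This walker extracts the key only; chain validation (issuer signature, validity period, extensions) still has to be done by an X.509 library.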
The Trust X can compute and verify ECDSA digital signatures using optiga_calc_sign() and optiga_verify_signature(). It can also compute the hash that is signed or verified, using optiga_calc_hash(). Signing uses a private key held in a data object on the device, so the key never leaves the Trust X; verification requires the signer's public key, for example the one in the device certificate retrieved with optiga_get_data_object().
The following code snippet shows how to hash, sign, and verify a message using Trust X:
The Trust X can generate an EC key pair with optiga_generate_key_pair().
The following code snippet shows how to generate a key pair and export the public key. The private key is stored on the device in the data object slot OID_DEVICE_PRIVATE_KEY_2 and is never returned to the host; only the public key is exported and returned to the application.