NXP Semiconductors
AN13500
EdgeLock A5000 Secure Authenticator for electronic anti-counterfeit protection using device-to-device
authentication
The OpenSSL software library, written in C, includes a command-line interface for general-purpose cryptography and certificate management. For simplicity, the demos below use the OpenSSL CLI.
Starting with OpenSSL version 0.9.6, a new component called ENGINE was added to support alternative cryptography implementations. This Engine interface is used by the Plug & Trust Middleware to interface with the A5000. The OpenSSL engine provides the glue between applications using the standard OpenSSL APIs and the Secure Authenticator API.
Figure 8. Principle of the OpenSSL engine (on the host MCU/MPU: Host Application, OpenSSL API, OpenSSL, e4sss OpenSSL engine, EdgeLock Plug&Trust middleware stack; connected to the EdgeLock A5000)
The Plug&Trust middleware OpenSSL engine allows the A5000 Secure Authenticator to be used for the following operations:
• EC crypto: EC sign/verify and ECDH compute key
• Fetching random data
The A5000 secure key and object management is not covered by the engine interface but is supported by the Plug & Trust Middleware ssscli tool, as demonstrated in the next chapters.
OpenSSL requires a key pair, consisting of a private and a public key, to be generated or loaded into the A5000 before the cryptographic operations can be executed.
• Private Key: The private key is securely stored inside the A5000 Secure Authenticator and cannot be retrieved by the OpenSSL engine.
• Reference Key: The standard OpenSSL API must be called with a key. Instead of a real private key, the OpenSSL key data structure is used with a reference to the private key inside the Secure Authenticator. To OpenSSL the reference key looks like a real key, but it does not contain any secret data.
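The following POSIX shell script is an added example, not part of this application note or the Plug & Trust Middleware. It exercises the OpenSSL CLI calls that the engine hooks (EC sign, verify, ECDH derive, random): with ENGINE unset it runs entirely in software so the flow can be checked without hardware; with ENGINE set to the engine id (assumed to be `e4sss`, the name shown in Figure 8) and the key argument pointing at a reference-key PEM, the private-key operations are forwarded to the A5000 while verification still needs only the public key.

```shell
#!/bin/sh
# Added example (not from the application note). ENGINE selects the OpenSSL
# engine; leave it empty for a pure-software run. Engine id "e4sss" is an
# assumption taken from Figure 8.
set -eu

WORK=$(mktemp -d)
ENGINE=${ENGINE:-}
ENGINE_OPT=${ENGINE:+-engine $ENGINE}   # empty when no engine is configured

# Software EC key pair, constructed for the demo. With the engine, a reference
# key created by ssscli would replace key.pem; pub.pem is still a plain public key.
gen_keypair() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem"
    openssl ec -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null
}

# Sign a file. With the engine active the private key never leaves the A5000.
sign_file() {   # $1 = file, $2 = private or reference key, $3 = signature out
    openssl dgst -sha256 $ENGINE_OPT -sign "$2" -out "$3" "$1"
}

# Verification uses only the public key, so no engine is involved.
verify_file() { # $1 = file, $2 = public key, $3 = signature; exit 0 if valid
    openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1
}

# ECDH: derive a shared secret (hex). The engine keeps the local private key on-chip.
ecdh_shared_secret() {  # $1 = own private/reference key, $2 = peer public key
    openssl pkeyutl -derive $ENGINE_OPT -inkey "$1" -peerkey "$2" \
        | od -An -tx1 | tr -d ' \n'
}

# Random bytes as hex; with the engine they are fetched from the A5000.
random_hex() { openssl rand $ENGINE_OPT -hex "$1"; }

demo() {
    gen_keypair
    printf 'hello A5000\n' > "$WORK/msg.txt"
    sign_file "$WORK/msg.txt" "$WORK/key.pem" "$WORK/msg.sig"
    verify_file "$WORK/msg.txt" "$WORK/pub.pem" "$WORK/msg.sig" && echo "signature OK"
    printf 'tampered\n' > "$WORK/bad.txt"
    verify_file "$WORK/bad.txt" "$WORK/pub.pem" "$WORK/msg.sig" || echo "tampered file rejected"
    # Two software parties deriving the same ECDH secret, as the A5000 would with a peer.
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/peer.pem"
    openssl ec -in "$WORK/peer.pem" -pubout -out "$WORK/peerpub.pem" 2>/dev/null
    echo "shared secret: $(ecdh_shared_secret "$WORK/key.pem" "$WORK/peerpub.pem")"
    echo "random: $(random_hex 16)"
}
demo
```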
All information provided in this document is subject to legal disclaimers.
© NXP B.V. 2022. All rights reserved.
Application note
Rev. 1.0 — 28 March 2022