Expand description
Solo 2 PKI
Each Solo 2 device has a unique identity, its 128 bit UUID, which is set by NXP in read-only memory. Backing this up is a PKI infrastructure, hosted under https://s2pki.net/, and explained in the following.
At the root is R1
, an offline RSA-4096 keypair with a self-signed certificate.
It can be obtained via http://i.s2pki.net/r1/.
Trussed certificates
Under R1
sit the intermediate Trussed certificate authorities T1
and T2
, which have
an Ed255 and P256 keypair, respectively. They are signed by R1
with pathlen = 1.
The certificates are available via:
We have two since there is use for both NIST-based (P256) and djb-based (Ed255/X255) certificate chains.
Each Solo 2 device then has three embedded certificates, backed by three keypairs which are
generated on-device during production, after the device has been locked. In their X509v3
extension with OID 1.3.6.1.4.1.54053.1.1
they contain the UUID of the device.
The certificates are as follows:
- The Ed255 Trussed device leaf certificate (pathlen = 0), signed by
T1
, with key usagesCertificate Sign
andCRL Sign
. - The X255 Trussed device entity certificate, signed by
T1
, with key usageKey Agreement
- the P256 Trussed device leaf certificate (pathlen = 0), signed by
T2
, with key usagesCertificate Sign
,CRL Sign
, andKey Agreement
.
Firmware certificates
The NXP bootloader’s secure boot mechanism has space for four certificates, which may be revoked
individually. Correspondingly, we have four entity certificates S1
, S2
, S3
, S4
, split
designated as active/backup and US/CH development centers. They are available from
http://i.s2pki.net/s1/, etc. For firmware signing purposes, they are self-signed; from a PKI
perspective we additionally cross-certified them via R1
.
FIDO certificates
There is an intermediate CA called F1
, which signs the batch certificates for FIDO metadata,
which are used during device attestation. These batch certificates must be model specific, we
have prepared one each for Solo 2A+ (USB-A + NFC), Solo 2C+ (USB-C + NFC), Solo 2A (USB-A
only), Solo 2C (USB-C only).
Structs
x509_parser::certificate::X509Certificate
.Enums
Constants
Functions
Authority
.