Object and metadata management

Overview on data objects

An object within this library is a generic class, which represents basic functionality and features valid for all OIDs (Object IDs, except for Session Objects) located on the chip.

Here are basic features what you can do with a generic Object instance (if access condition allows):

  • Read/write data from/to the object

  • Read/write metadata from/to the object

Below you can find object maps for various supported products

OPTIGA™ Trust M v1


OPTIGA™ Trust M v3



import optigatrust as optiga

# Create an instance of object.
object = optiga.Object(0xf1d0)

# Read data


'01020304 ... 898a8b8c'

X509 object

from optigatrust import objects

cert_object = objects.X509(0xe0e0)

# Output the certificate content


================== Certificate Object [0xe0e0] ==================
Lifecycle State               :creation
Size                          :514
Access Condition: Read        :always
Access Conditions: Change     :never
PEM                           :
Issuer: Common Name           :Infineon OPTIGA(TM) Trust M CA 300
Subject: Common Name          :InfineonIoTNode
Public Key                    :042166968a258fc56b6cf097465c7f35f6154a837 ... 01c97d0df3e619b55003d30e4e48ff39706c459
Signature                     :306402303d60118b266be951dc90f168af8903e0f ... cb700e9f5b4ad5b1f1df493b0f41d21e269df4c

ECC Key object

from optigatrust import objects
import json

key_object = objects.ECCKey(0xe0f1)
print(json.dumps(key_object.meta, indent=4))


    "lcso": "creation",
    "change": [
    "execute": "always",
    "algorithm": "secp256r1",
    "key_usage": [

RSA Key object

from optigatrust import objects
import json

key_object = objects.RSAKey(0xe0fc)
print(json.dumps(key_object.meta, indent=4))


    "lcso": "creation",
    "change": [
    "execute": "always",
    "algorithm": "rsa2048",
    "key_usage": [


Every object (except for Session Objects) has a special service area called - metadata. It is a structured data which can significantly influence many aspects of the object itself, for example a lifecycle state.


Users can work with metadata directly in human-readable form. Metadata should be contructed in the following manner:

{'<metadata_tag>': '<metadata_value>'}

Where metadata can take the following values:

Metadata tags

All metadata can be changed (except for OPTIGA™ Trust M V3) only if the lifecycle state of the object is either ‘creation’ or ‘initialisation’

Metadata Tags Table


Expected values



Values are defined in the Access Conditions Table below

Define Execute Access Condition for the object. In other words under which conditions the chip can make use of the object internally; e.g. signature generation using object 0xe0f1.


Values are defined in the Access Conditions Table below

Define Change Access Condition for the object. Define when it’s possible to update/overwrite the object.


Values are defined in the Access Conditions Table below

Define Read Access Condition for the object. Define when it’s possible to read the object.


[‘creation’, ‘initialisation’, ‘operational’, ‘termination’]

Define lifecycle state of the object. Attention, in most of cases this action is one-way



Automatically calculated by the chip, can’t be defined by a user



Automatically calculated by the chip, can’t be defined by a user


Automatically set by the chip, can’t be defined by a user

This tag is applicable only for Key Objects. The chip selects automatically the value for this tag based on the key pair generation parameters.


[ ‘authentication’, ‘encryption’, ‘sign’, ‘key_agreement’]

This tag is applicable only for Key Objects. It can be defined in a list to reflect multiple options; e.g. {‘key_usage’: [[ ‘authentication’, ‘sign’, ‘key_agreement’]]}


Refer to the types Table below

Type of the object. Some functions; e.g. hmac, do work only if a specific type is defined


either one of [‘creation’, ‘initialisation’, ‘operational’, ‘termination’], or ‘flushing’, or ‘random_data’

It defines what happens with the object data in case of updating the metadata

Access conditions

The ‘<metadata_value>’ should be defined either as a list of values; e.g.

  • a constructed value
    • {‘read’: [‘lcso’, ‘<’, ‘operational’]}

    • Read is allowed only if the lifecycle state of the object is less than operational

  • a more complex constructed value
    • {‘read’: [‘lcso’, ‘<’, ‘operational’, ‘&&’, ‘conf’, ‘0xe1’, ‘0x40’]}

    • Read is allowed only if the lifecycle state of the object is less than operation and under shielded connection (using e140 OID as a binding secret)

Access Conditions Table (SRM M V3 - Table 69)




an action (for instance ‘read’) is always allowed


an action (for instance ‘read’) is forbidden


Global Lifecycle State (Object ID 0xe0c0) this tag is used as a first argument for a complex expressions; e.g. [‘lcsg’, ‘<’, ‘operational’]


Application Lifecycle State (Object ID 0xf1c0) this tag is used as a first argument for a complex expressions; e.g. [‘lcsa’, ‘<’, ‘operational’]


Object Lifecycle State (it is part of the metadata, see the section above) this tag is used as a first argument for a complex expressions; e.g. [‘lcso’, ‘<’, ‘operational’]


  • An action is permitted only if the host establishes the shielded connection with the chip using the specified Binding secret (e.g. 0xE140) and the response is requested with protection (encrypted).

  • Typical values are [‘conf’, ‘0xe1’, ‘0x40’] and [‘conf’, ‘0xf1’, ‘0xd0’], where instead of ‘0xf1’, ‘0xd0’ can be used any properly configured Application Data Object

  • In the latter case (Secret in Application Data Object) it is recommended to use as well the ‘int’ (descrebed below) Access Condition


  • An action is permitted only if the host establishes the shielded connection with the chip using the specified Binding secret (e.g. 0xE140) and the response is requested with protection (MAC).

  • Typical values are [‘int’, ‘0xe1’, ‘0x40’] and [‘int’, ‘0xe0’, ‘0xef’], where instead of ‘0xe0’, ‘0xef’ can be used any properly configured Data Object of {‘type’: ‘trust_anchor’}

  • In the latter case (Secret in Application Data Object) it is recommended to use as well the ‘int’ (described below) Access Condition

  • Example

    ta_obj = Object(0xe0ef)
    ta_obj.meta = {'type': 'trust_anchor', 'read': 'always', 'change': ['lcso', '<', 'operational']}
    ta_obj.write(<X509 Certificate>)
    # This action is one-way and can't be reverted, for demo can be skipped
    # ta_obj.meta = {'lcso': 'operational'}
    protected_obj = Object(0xf1d0)
    protected_obj.meta = {'change': ['lcso', '<', 'operational', '&&', 'int', '0xe0', '0xef']}
    # This action is one-way and can't be reverted, for demo can be skipped
    # protected_obj.meta = {'lcso': 'operational'}
    # The above means: in case of writing the f1d0 Application Data Object, the signature associated with the
    # metadata in the manifest must be verified with the addressed trust anchor e0ef.


  • An authorization reference Object ID. The action (for instance ‘execute’) is allowed only if the given object reached the AUTO (Authorised)

  • Typical values are [‘auto’, ‘0xf1’, ‘0xd0’]







“If equal”. Typical values [‘lcso’, ‘==’, ‘initialization’]


“If more”. Typical values [‘lcso’, ‘>’, ‘initialization’]


“If less”. Typical values [‘lcso’, ‘<’, ‘initialization’]


“And”. Typical values [‘lcso’, ‘<’, ‘initialization’, ‘&&’, ‘conf’, ‘0xe1’, ‘0x40’]


“or”. Typical values [‘lcso’, ‘<’, ‘initialization’, ‘&&’, ‘conf’, ‘0xe1’, ‘0x40’]

Printing all metadata in human readable form

from optigatrust import x509
import json

cert_object = x509.Certificate(0xe0e0)
print(json.dumps(cert_object.meta, indent=4))

Updating metadata of the certificate object

from optigatrust import x509

cert_object = x509.Certificate(0xe0e0)

# Print out certificate sucessfully

# Store old metadata from the chip
old_meta = cert_object.meta['read']

# Prepare new metadata to write on the chip
new_meta = {'read': 'never'}

# Update metadata on the chip
cert_object.meta = new_meta

# Try to read-out the content one more time. Result: Value Error

# Revert the metadata
cert_object.meta = old_meta

# See that printing is again possible


Python 3.8.1 (tags/v3.8.1:1b293b6, Dec 18 2019, 22:39:24) [MSC v.1916 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> from optigatrust import x509
>>> cert_object = x509.Certificate(0xe0e0)
Loaded: liboptigatrust-libusb-win-i686.dll
================== OPTIGA™ Trust Chip Info ==================
Firmware Identifier           [dwFirmwareIdentifier]:0x80101071
Build Number                  [rgbESWBuild]:0x809
Current Limitation            [OID: 0xE0C4]:0xf
Sleep Activation Delay        [OID: 0xE0C3]:0x14
Global Lifecycle State        [OID: 0xE0C0]:operational
Security Status               [OID: 0xE0C1]:0x0
Security Event Counter        [OID: 0xE0C5]:0x0
>>> print(cert_object)
================== Certificate Object [0xe0e0] ==================
Lifecycle State               :creation
Size                          :485
Access Condition: Read        :always
Access Conditions: Change     :never
PEM                           :
Issuer: Common Name           :Infineon OPTIGA(TM) Trust M CA 101
Subject: Common Name          :Infineon IoT Node
Public Key                    :04f18cdfd145da274bdd9dc189ef2086670f41eb221620f65719b12bf7bab5d19e32ffc5512cfe28c2cd628242bb98d82b13bf68e089e9a2ce3225e2351159f6bd
Signature                     :304502203767638373868b0f6b0306a18d77f09eae1f3b0b53a9d97ae06764e9f09e5c330221009179de47c1b392b9354ba7fdcef6bc27a7def0b61e8d6d797973b00f2b7b36cb
>>> old_meta = cert_object.meta['read']
>>> new_meta = {'read': 'never'}
>>> cert_object.meta = new_meta
>>> print(cert_object)
Error: 0x8007
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Users\Yushev\git\python-optiga-trust\optigatrust\cert.py", line 613, in __str__
    pem = '{0:<30}:\n{1}\n'.format("PEM", str(self.pem).replace('\\n', '\n').replace('\\t', '\t'))
  File "C:\Users\Yushev\git\python-optiga-trust\optigatrust\cert.py", line 642, in pem
    pem_cert += _break_apart(base64.b64encode(self.der).decode(), '\n', 64)
  File "C:\Users\Yushev\git\python-optiga-trust\optigatrust\cert.py", line 632, in der
    self._der = self._read()
  File "C:\Users\Yushev\git\python-optiga-trust\optigatrust\cert.py", line 768, in _read
    raise ValueError(
ValueError: Certificate Slot 57568 is empty
>>> cert_object.meta = old_meta
>>> print(cert_object)
================== Certificate Object [0xe0e0] ==================
Lifecycle State               :creation
Size                          :485
Access Condition: Read        :always
Access Conditions: Change     :never
PEM                           :
Issuer: Common Name           :Infineon OPTIGA(TM) Trust M CA 101
Subject: Common Name          :Infineon IoT Node
Public Key                    :04f18cdfd145da274bdd9dc189ef2086670f41eb221620f65719b12bf7bab5d19e32ffc5512cfe28c2cd628242bb98d82b13bf68e089e9a2ce3225e2351159f6bd
Signature                     :304502203767638373868b0f6b0306a18d77f09eae1f3b0b53a9d97ae06764e9f09e5c330221009179de47c1b392b9354ba7fdcef6bc27a7def0b61e8d6d797973b00f2b7b36cb


class optigatrust.Object(object_id)

A class used to represent an Object on the OPTIGA Trust Chip

  • id (int) – the id of the object; e.g. 0xe0e0

  • updated (bool) – This boolean variable notifies whether metadata or data has been updated and this can bu used to notify other modules to reread data if needed

property meta

A dictionary of the metadata present right now on the chip for the given object. It is writable, so user can update the metadata assigning the value to it. Example return

    "lcso": "creation",
    "change": [
    "execute": "always",
    "algorithm": "secp384r1",
    "key_usage": "0x21"
read(offset=0, force=False) bytearray

This function helps to read the data stored on the chip

  • offset (int) – An optional parameter defining whether you want to read the data with offset

  • force – This is a bool parameter which can be used to try to read the data even if id can’t be found

  • ValueError - when any of the parameters contain an invalid value

  • TypeError - when any of the parameters are of the wrong type

  • OSError - when an error is returned by the chip initialisation library


byte string

write(data, offset=0)

This function helps to write the data onto the chip

  • data – byte string to write

  • offset (int) – An optional parameter defining whether you want to read the data with offset

  • ValueError - when any of the parameters contain an invalid value

  • TypeError - when any of the parameters are of the wrong type

  • OSError - when an error is returned by the chip initialisation library

This module implements all Object manipulation related APIs of the optigatrust package

class optigatrust.objects.AESKey

A class used to represent an aes key object on the OPTIGA Trust Chip

class optigatrust.objects.AcquiredSession

A class used to represent a session object on the OPTIGA Trust Chip. This is a pseudo object, just to indicate to OPTIGA, that we would like to use the acquired session

class optigatrust.objects.AppData(object_id)

A class used to represent an Application Data object on the OPTIGA Trust Chip.

class optigatrust.objects.ECCKey(key_id: int)

A class used to represent an ecc key object on the OPTIGA Trust Chip

class optigatrust.objects.RSAKey(key_id: int)

A class used to represent an rsa key object on the OPTIGA Trust Chip

class optigatrust.objects.Session(key_id: int)

A class used to represent a session object on the OPTIGA Trust Chip.

class optigatrust.objects.X509(cert_id: int)

A class used to represent a certificate on the OPTIGA Trust Chip

property der

This property allows to get or set the certificate in der form. Input should be a valid DER encoded certificate.

property pem

This property allows to get or set the certificate in PEM form. Input should be a valid PEM formatted certificate.

property pkey

This property allows to get the public key from the certificate. In case the certificate can’t be parsed an exception will be generated

property signature

This property allows to get the signature of the certificate. In case the certificate can’t be parsed an exception will be generated