This command is used to set a public key for authentication purposes.
This command is compliant with ISO/IEC 7816-4. The use of this command is restricted regarding the related standard.
Byte | Length | Value | Description |
---|---|---|---|
CLA | 1 | ‘00h’ | CLA |
INS | 1 | ‘22h’ | INS |
P1 | 1 | ‘C1h’ | P1: referenced key valid for all cryptographic operations |
P2 | 1 | ‘B6h’ | P2 (referenced data concerning Digital Signature) |
Lc | 1 | ‘0Ah’ | Lc: length of subsequent data field |
#6 | 1 | ‘83h’ | Tag for referencing a public key in asymmetric cases |
#7 | 1 | ‘08h’ | Length of the key reference (key identifier) |
#8-#15 | 8 | ‘XX..XXh’ | Key identifier as specified in Appendix 11 |
Byte | Length | Value | Description |
---|---|---|---|
SW | 2 | ‘XXXXh’ | Status Words (SW1,SW2) |
If the command is successful, the card returns ‘9000’.
If the referenced key is not present in the card, the processing state returned is ‘6A88’.
If some expected data objects are missing in the secure messaging format, the processing state ‘6987’ is returned. This can happen if the tag ‘83h’ is missing.
If some data objects are incorrect, the processing state returned is ‘6988’. This can happen if the length of the key identifier is not ‘08h’.
If the selected key is considered corrupted, the processing state returned is ‘6400’ or ‘6581’.
For the Generation 2 authentication, the tachograph card supports the following MSE: Set command versions, which are compliant with ISO/IEC 7816-4. These command versions are not supported for the Generation 1 authentication.
The following MSE:SET AT command is used to select the parameters for the Chip Authentication that is performed by a subsequent General Authenticate command.
Byte | Length | Value | Description |
---|---|---|---|
CLA | 1 | ‘00h’ | |
INS | 1 | ‘22h’ | |
P1 | 1 | ‘41h’ | Set for internal authentication |
P2 | 1 | ‘A4h’ | Authentication |
Lc | 1 | ‘NNh’ | Lc: length of subsequent data field |
#6-#(5+L) | L | ‘80h’ + ‘0Ah’ + ‘XX..XXh’ | DER-TLV encoded cryptographic mechanism reference: Object Identifier of Chip Authentication (value only, Tag ‘06h’ is omitted). See Appendix 1 for the values of object identifiers; the byte notation shall be used. See Appendix 11 for guidance on how to select one of these object identifiers. |
The following MSE:SET AT command is used to select the parameters and keys for the VU Authentication that is performed by a subsequent External Authenticate command.
Byte | Length | Value | Description |
---|---|---|---|
CLA | 1 | ‘00h’ | |
INS | 1 | ‘22h’ | |
P1 | 1 | ‘81h’ | Set for external authentication |
P2 | 1 | ‘A4h’ | Authentication |
Lc | 1 | ‘NNh’ | Lc: length of subsequent data field |
#6-#(5+L) | L | ‘80h’ + ‘0Ah’ + ‘XX..XXh’ | DER-TLV encoded cryptographic mechanism reference: Object Identifier of VU Authentication (value only, Tag ‘06h’ is omitted). See Appendix 1 for the values of object identifiers; the byte notation shall be used. See Appendix 11 for guidance on how to select one of these object identifiers. |
| | ‘83h’ + ‘08h’ + ‘XX..XXh’ | DER-TLV encoded reference of the VU public key by the Certificate Holder Reference mentioned in its certificate. |
| | ‘91h’ + L91 + ‘XX..XXh’ | DER-TLV encoded compressed representation of the ephemeral public key of the VU that will be used during Chip Authentication (see Appendix 11). |
The following MSE:SET DST command is used to set a public key either
- for the verification of a signature that is provided in a subsequent PSO: Verify Digital Signature command, or
- for the signature verification of a certificate that is provided in a subsequent PSO: Verify Certificate command.
Byte | Length | Value | Description |
---|---|---|---|
CLA | 1 | ‘00h’ | |
INS | 1 | ‘22h’ | |
P1 | 1 | ‘81h’ | Set for verification |
P2 | 1 | ‘B6h’ | Digital Signature |
Lc | 1 | ‘NNh’ | Lc: length of subsequent data field |
#6-#(5+L) | L | ‘83h’ + ‘08h’ + ‘XX..XXh’ | DER-TLV encoded reference of a public key, i.e. the Certificate Holder Reference in the certificate of the public key (see Appendix 11) |
For all command versions the response message structure and status words are given by:
Byte | Length | Value | Description |
---|---|---|---|
SW | 2 | ‘XXXXh’ | Status Words (SW1,SW2) |
If the command is successful, the card returns ‘9000’. The protocol has been selected and initialised.
‘6A80’ indicates incorrect parameters in the command data field.
‘6A88’ indicates that referenced data (i.e. a referenced key) is not available.
If the currentAuthenticatedTime of the card is later than the Expiration Date of the selected public key, the processing state returned is ‘6A88’.
Similarly, in case an MSE: SET DST command referencing an EQT (i.e. a VU or a card) is sent to a control card, according to CSM_234 the referenced key is always an EQT_Sign key that has to be used for the verification of a digital signature. According to Figure 13 in Appendix 11, the control card will always have stored the relevant EQT_Sign public key. In some cases, the control card may have stored the corresponding EQT_MA public key. The control card shall always set the EQT_Sign public key for use when it receives an MSE: SET DST command.
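As an added illustration (not part of the regulation text), the following Python builds the MSE:Set command versions tabulated above and applies the card-side checks that produce the listed status words. The key identifiers, Certificate Holder References, OID bytes and ephemeral key bytes are constructed placeholders, and mapping a truncated data object to ‘6988’ for Generation 1 is an assumption.

```python
# Added example: MSE:Set builders for the tabulated command versions, plus
# the card-side checks behind the listed status words (sample values are constructed).

def tlv(tag: int, value: bytes) -> bytes:
    """DER-TLV with a one-byte length (every data object here is shorter than 128 bytes)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def mse_set_apdu(p1: int, p2: int, data: bytes) -> bytes:
    """CLA '00', INS '22', P1, P2, Lc, data field (no Le), as tabulated above."""
    return bytes([0x00, 0x22, p1, p2, len(data)]) + data

def gen1_set_public_key(key_id: bytes) -> bytes:
    """Generation 1: P1 'C1', P2 'B6', data '83' '08' + 8-byte key identifier (Lc = '0A')."""
    return mse_set_apdu(0xC1, 0xB6, tlv(0x83, key_id))

def gen2_set_at_vu_auth(oid: bytes, chr_: bytes, eph_pub: bytes) -> bytes:
    """Generation 2 MSE:SET AT for VU Authentication: P1 '81', P2 'A4', DOs '80', '83', '91'."""
    return mse_set_apdu(0x81, 0xA4, tlv(0x80, oid) + tlv(0x83, chr_) + tlv(0x91, eph_pub))

def gen2_set_dst(chr_: bytes) -> bytes:
    """Generation 2 MSE:SET DST: P1 '81', P2 'B6', data '83' '08' + Certificate Holder Reference."""
    return mse_set_apdu(0x81, 0xB6, tlv(0x83, chr_))

def parse_tlvs(data: bytes) -> dict:
    """Split a data field into {tag: value}; raises ValueError if a TLV is truncated."""
    objs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated TLV")
        objs[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return objs

def card_response(apdu: bytes, stored_keys: set) -> int:
    """Card-side checks that yield the status words listed above; returns SW1SW2."""
    gen1 = apdu[2] == 0xC1                  # only the Generation 1 version uses P1 'C1h'
    try:
        objs = parse_tlvs(apdu[5:5 + apdu[4]])
    except ValueError:                      # malformed data field
        return 0x6988 if gen1 else 0x6A80   # '6988' for Generation 1 is an assumed mapping
    if gen1 and 0x83 not in objs:
        return 0x6987                       # expected data object (tag '83h') missing
    if gen1 and len(objs[0x83]) != 8:
        return 0x6988                       # key identifier length is not '08h'
    if 0x83 in objs and objs[0x83] not in stored_keys:
        return 0x6A88                       # referenced key not present / not available
    return 0x9000
```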