xmlns:atom="http://www.w3.org/2005/Atom" xmlns:atom="http://www.w3.org/2005/Atom"
Please note that the date you requested in the address for this web page is not an actual date upon which a change occurred to this item of legislation. You are being shown the legislation from , which is the first date before then upon which a change was made.
This command is compliant with ISO/IEC 7816-8, but has a restricted usage compared to the command defined in the norm.
The VERIFY CERTIFICATE command is used by the card to obtain a Public Key from the outside and to check its validity.
Byte | Length | Value | Description |
---|---|---|---|
CLA | 1 | ‘00h’ | |
INS | 1 | ‘2Ah’ | Perform Security Operation |
P1 | 1 | ‘00h’ | P1 |
P2 | 1 | ‘AEh’ | P2: non BER-TLV coded data (concatenation of data elements) |
Lc | 1 | ‘C2h’ | Lc: Length of the certificate, 194 bytes |
#6-#199 | 194 | ‘XX..XXh’ | Certificate: concatenation of data elements (as described in Appendix 11) |
Byte | Length | Value | Description |
---|---|---|---|
SW | 2 | ‘XXXXh’ | Status Words (SW1,SW2) |
If the command is successful, the card returns ‘9000’.
If the certificate verification fails, the processing state returned is ‘6688’. The verification and unwrapping process of the certificate is described in Appendix 11 for G1 and G2.
If no Public Key is present in the Security Environment, ‘6A88’ is returned.
If the selected public key (used to unwrap the certificate) is considered corrupted, the processing state returned is ‘6400’ or ‘6581’.
Generation 1 only: If the selected public key (used to unwrap the certificate) has a CHA.LSB () different from ‘00’ (i.e. is not the one of a Member State or of Europe), the processing state returned is ‘6985’.
Depending on the curve size ECC certificates may be so long that they cannot be transmitted in a single APDU. In this case command chaining according to ISO/IEC 7816-4 must be applied and the certificate transmitted in two consecutive PSO: Verify Certificate APDUs.
The certificate structure and the domain parameters are defined in Appendix 11.
Byte | Length | Value | Description |
---|---|---|---|
CLA | 1 | ‘X0h’ | CLA byte indicating command chaining:
|
INS | 1 | ‘2Ah’ | Perform Security Operation |
P1 | 1 | ‘00h’ | |
P2 | 1 | ‘BEh’ | Verify self-descriptive certificate |
Lc | 1 | ‘XXh’ | Length of the command data field, see TCS_88 and TCS_89. |
#6-#5+L | L | ‘XX..XXh’ | DER-TLV encoded data: ECC Certificate Body data object as first data object concatenated with the ECC Certificate Signature data object as second data object or a part of this concatenation. The tag ‘7F21’ and the corresponding length shall not be transmitted. The order of these data objects is fixed. |
Note: According to Appendix 11 the card stores the certificate or the relevant contents of the certificate and updates its currentAuthenticatedTime.U.K.
The response message structure and status words are as defined in TCS_85.
If the selected public key (used to unwrap the certificate) has a CHA.LSB (CertificateHolderAuthorisation.equipmentType) that is not suitable for the certificate verification according to Appendix 11, the processing state returned is ‘6985’.
If the currentAuthenticatedTime of the card is later than the Certificate Expiration Date, the processing state returned is ‘6985’.
If the last command of the chain is expected, the card returns ‘6883’.
If incorrect parameters are sent in the command data field, the card returns ‘6A80’ (also used in case the data objects are not sent in the specified order).