Depending on the curve size ECC certificates may be so long that they cannot be transmitted in a single APDU. In this case command chaining according to ISO/IEC 7816-4 must be applied and the certificate transmitted in two consecutive PSO: Verify Certificate APDUs.
The certificate structure and the domain parameters are defined in Appendix 11.
Byte | Length | Value | Description |
---|---|---|---|
CLA | 1 | ‘X0h’ | CLA byte indicating command chaining: |
INS | 1 | ‘2Ah’ | Perform Security Operation |
P1 | 1 | ‘00h’ | |
P2 | 1 | ‘BEh’ | Verify self-descriptive certificate |
Lc | 1 | ‘XXh’ | Length of the command data field, see TCS_88 and TCS_89. |
#6-#5+L | L | ‘XX..XXh’ | DER-TLV encoded data: ECC Certificate Body data object as first data object concatenated with the ECC Certificate Signature data object as second data object or a part of this concatenation. The tag ‘7F21’ and the corresponding length shall not be transmitted. The order of these data objects is fixed. |
Note: According to Appendix 11 the card stores the certificate or the relevant contents of the certificate and updates its currentAuthenticatedTime.
The response message structure and status words are as defined in TCS_85.
If the selected public key (used to unwrap the certificate) has a CHA.LSB (CertificateHolderAuthorisation.equipmentType) that is not suitable for the certificate verification according to Appendix 11, the processing state returned is ‘6985’.
If the currentAuthenticatedTime of the card is later than the Certificate Expiration Date, the processing state returned is ‘6985’.
If the last command of the chain is expected, the card returns ‘6883’.
If incorrect parameters are sent in the command data field, the card returns ‘6A80’ (also used in case the data objects are not sent in the specified order).
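The chaining and status-word rules above can be exercised with the following sketch, which is an added example and not part of the regulation text. It assumes the ISO/IEC 7816-4 chaining bit (CLA ‘10h’ for a non-final command, ‘00h’ for the final one), a split at 255 bytes because Lc is one byte, and a constructed filler certificate; all function and constant names are hypothetical.

```python
# Added example: names, split size and sample data are assumptions, not from the regulation.
CLA_LAST, CLA_MORE = 0x00, 0x10   # ISO/IEC 7816-4: bit 5 of CLA set = more commands follow
INS_PSO, P1, P2_VERIFY_CERT = 0x2A, 0x00, 0xBE
MAX_LC = 255                      # Lc is a single byte in the command table

STATUS = {  # status words listed in this section
    0x6985: "CHA.LSB unsuitable, or card time later than certificate expiry",
    0x6883: "last command of the chain expected",
    0x6A80: "incorrect parameters in data field or wrong data object order",
}

def strip_7f21(cert: bytes) -> bytes:
    """Return the value of the outer '7F21' object; tag and length are not sent."""
    if len(cert) < 3 or cert[:2] != b"\x7f\x21":
        raise ValueError("expected outer tag 7F21")
    first = cert[2]
    if first < 0x80:                      # DER short-form length
        n, start = first, 3
    elif first in (0x81, 0x82):           # DER long form, 1 or 2 length bytes
        k = first & 0x7F
        n, start = int.from_bytes(cert[3:3 + k], "big"), 3 + k
    else:
        raise ValueError("unsupported DER length form")
    if len(cert) != start + n:
        raise ValueError("length field does not match certificate size")
    return cert[start:]

def build_chain(cert: bytes) -> list[bytes]:
    """Build one or two PSO: Verify Certificate APDUs, body first, signature second."""
    data = strip_7f21(cert)
    chunks = [data[i:i + MAX_LC] for i in range(0, len(data), MAX_LC)]
    if not 1 <= len(chunks) <= 2:
        raise ValueError("data does not fit in one or two APDUs")
    last = len(chunks) - 1
    return [bytes([CLA_LAST if i == last else CLA_MORE, INS_PSO, P1,
                   P2_VERIFY_CERT, len(c)]) + c for i, c in enumerate(chunks)]

def describe_sw(sw: int) -> str:
    return STATUS.get(sw, f"see TCS_85 ({sw:04X})")

# Constructed filler standing in for body + signature; not a real certificate.
SAMPLE_CERT = b"\x7f\x21\x82\x01\x2c" + bytes(i % 256 for i in range(300))
```

A card that answers ‘6883’ to the first APDU of such a chain was expecting the final command, which points at a wrong CLA on the sender's side rather than at the certificate contents.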