C API for BALTECH SDK

brp_Pki_StoreX509RootCert()

brp_errcode brp_Pki_StoreX509RootCert(brp_protocol protocol,
                                      unsigned     SecLevel,
                                      brp_buf      Cert,
                                      size_t       Cert_len)

Every security level that should be usable with the PKI must be provided with a root certificate.

The certificate chain provided in the brp_Pki_PfsAuthHostCert() command will be verified against this root certificate.

The root certificates must comply with the following limitations:

  • Certificates have to be X.509 v3 certificates.
  • Only ECC P-256 and SHA256 are allowed as signing algorithms.
  • The length of the tags containing the Issuer Unique Identifier and the Subject Unique Identifier must not exceed 128 bytes.
  • The only allowed extension is basicConstraints (indicating that the certificate is a CA certificate).
  • The validity period always has to be from "Jan 1 00:00:00 2000 GMT" to "Jan 19 02:14:07 2038 GMT".

A sample certificate matching all these limitations is the following:

30 82 01 9D 30 82 01 43 A0 03 02 01 02 02 01 01 30 0A 06 08 2A 86 48 CE 3D 04 03 02 30 41 31 19 30 17 06 03 55 04 03 0C 10 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 31 11 30 0F 06 03 55 04 0A 0C 08 45 71 75 69 74 72 61 63 31 11 30 0F 06 03 55 04 07 0C 08 57 61 74 65 72 6C 6F 6F 30 1E 17 0D 30 30 30 31 30 31 30 30 30 30 30 30 5A 17 0D 33 38 30 31 31 39 30 32 31 34 30 37 5A 30 41 31 19 30 17 06 03 55 04 03 0C 10 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 31 11 30 0F 06 03 55 04 0A 0C 08 45 71 75 69 74 72 61 63 31 11 30 0F 06 03 55 04 07 0C 08 57 61 74 65 72 6C 6F 6F 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07 03 42 00 04 B0 13 B7 1F A6 61 47 8E 8D 2F FC C0 36 17 C0 51 5D 2A 39 C5 67 15 1A E3 85 2A 3B 9C 2E 93 FA 41 0A B5 F3 66 62 6A F8 04 D7 0E D1 DB 7A 2D 36 26 0A A5 77 D2 9C D4 65 24 70 DF 9A 74 40 C2 A7 B1 A3 2C 30 2A 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 17 06 09 2B 06 01 04 01 82 DE 55 01 01 01 FF 04 07 03 05 00 08 00 10 80 30 0A 06 08 2A 86 48 CE 3D 04 03 02 03 48 00 30 45 02 21 00 BB 42 BB 32 8C D5 68 39 E9 40 28 10 5F 63 E1 52 9A 63 06 BF B2 69 03 0A F8 9D A5 56 95 CF 0F B2 02 20 35 D6 FF 5C 9A 42 D9 85 5E F3 16 DA 7A 53 19 F7 74 81 A4 54 B3 D4 C9 74 26 78 D2 1D 11 52 2D 2A

This sample certificate can be decoded using the following online tool: https://redkestrel.co.uk/products/decoder/

Furthermore, the access condition mask of the security level running the Pki.StoreX509RootCert command has to allow setting the corresponding key (the SEC_SETKEY1, SEC_SETKEY2 or SEC_SETKEY3 bit of the access condition mask must be set).

This command needs a long timeout, since the ECC operations may take up to 15 seconds.
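
A host-side pre-check for three of the root certificate limitations listed above (X.509 v3, ecdsa-with-SHA256 as the signature algorithm, and the fixed validity period), meant to run before the certificate is passed to brp_Pki_StoreX509RootCert(). This is an added example, not part of the BALTECH SDK: precheck_root_cert, der_next and the sample bytes are hypothetical names and constructed data, and the extension, unique-identifier and key-curve limits are not checked.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read one DER element with the expected tag; return its value, advance *p past it. */
static const uint8_t *der_next(const uint8_t **p, const uint8_t *end,
                               uint8_t tag, size_t *len) {
    const uint8_t *q = *p;
    if (end - q < 2 || q[0] != tag) return NULL;
    size_t n = q[1];
    q += 2;
    if (n & 0x80) {                       /* long form: 1 or 2 length bytes follow */
        size_t cnt = n & 0x7F;
        if (cnt == 0 || cnt > 2 || (size_t)(end - q) < cnt) return NULL;
        for (n = 0; cnt; cnt--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return NULL;
    *p = q + n; *len = n;
    return q;
}

/* 0 = ok, -1 = malformed DER, -2 = not v3, -3 = signature algorithm, -4 = validity. */
int precheck_root_cert(const uint8_t *der, size_t der_len) {
    static const uint8_t v3[] = {0x02, 0x01, 0x02};          /* INTEGER 2 = v3 */
    static const uint8_t alg[] = {0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02};
    static const char validity[] = "\x17\x0D" "000101000000Z" "\x17\x0D" "380119021407Z";
    const uint8_t *p = der, *end = der + der_len, *v;
    size_t n;
    if (!(v = der_next(&p, end, 0x30, &n)) || p != end) return -1;   /* Certificate */
    p = v;
    if (!(v = der_next(&p, end, 0x30, &n))) return -1;               /* tbsCertificate */
    p = v; end = v + n;
    if (!(v = der_next(&p, end, 0xA0, &n)) || n != sizeof v3 || memcmp(v, v3, n)) return -2;
    if (!der_next(&p, end, 0x02, &n)) return -1;                     /* serialNumber */
    if (!(v = der_next(&p, end, 0x30, &n)) || n != sizeof alg || memcmp(v, alg, n)) return -3;
    if (!der_next(&p, end, 0x30, &n)) return -1;                     /* issuer */
    if (!(v = der_next(&p, end, 0x30, &n)) || n != sizeof validity - 1 || memcmp(v, validity, n)) return -4;
    return 0;
}

/* Constructed sample: only the leading tbsCertificate fields, with an empty issuer. */
const uint8_t sample[] = {
    0x30,0x38, 0x30,0x36, 0xA0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01,
    0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02, 0x30,0x00,
    0x30,0x1E, 0x17,0x0D,'0','0','0','1','0','1','0','0','0','0','0','0','Z',
               0x17,0x0D,'3','8','0','1','1','9','0','2','1','4','0','7','Z',
};

int main(void) { return precheck_root_cert(sample, sizeof sample) != 0; }
```

A non-zero result identifies the first limitation that failed, so a certificate can be rejected on the host before the long-running command is issued.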

Parameters
  [in] protocol   used to execute the command
  [in] SecLevel   Security level (1-3) for which the root certificate should be stored.
  [in] Cert       X.509 root certificate encoded in ASN.1 DER format.
  [in] Cert_len