 |
BALTECH Docs |
C API for BALTECH SDK
|
|
|
BALTECH Docs |
C API for BALTECH SDK
|
|
| brp_errcode brp_Pki_Tunnel2 | ( | brp_protocol | protocol, |
| unsigned | SequenceCounter, | ||
| brp_buf | CmdHMAC, | ||
| brp_buf | EncryptedCmd, | ||
| size_t | EncryptedCmd_len, | ||
| brp_buf * | RspHMAC, | ||
| brp_buf * | EncryptedRsp, | ||
| size_t * | EncryptedRsp_len, | ||
| brp_mempool * | mempool | ||
| ) |
Runs a command in the Security Level authenticated by the brp_Pki_PfsGenKey(), brp_Pki_PfsAuthHostCert(), brp_Pki_PfsAuthRdrCert() commands sequence.
The command is encrypted with the session key calculated by brp_Pki_PfsAuthRdrCert().
After the reader decrypts the received tunnelled command, it checks whether this command is blocked by the Access Condition Mask assigned to the Security Level or by one of the Access Condition Masks of the certificates in the host certificate chain. If this command is blocked by one of these Access Condition Masks, it is not allowed to be executed in the given Security Level and the ErrAccessDenied status code is returned.
| [in] | protocol | used to execute the command |
| [in] | SequenceCounter | A continuous counter that has to be incremented every time Pki.Tunnel2 is executed (no matter if successful), and that is reset to 0 after a successful execution of the brp_Pki_PfsAuthRdrCert() command. |
| [in] | CmdHMAC | An AES 128 CBC-MAC over EncryptedCmd using the session key calculated by brp_Pki_PfsAuthRdrCert() and an IV constructed from SequenceCounter. To get the IV, the sequence counter has to be padded by leading 0x00 and the first Byte of the IV has to be set to 0x20. |
| [in] | EncryptedCmd | Encrypted command to execute in the authenticated Security Level. Data is encrypted via AES-128 CBC using the session key generated by brp_Pki_PfsAuthRdrCert() and an IV constructed from SequenceCounter. To get the IV for encryption, the sequence counter has to be padded by leading 0x00 and the first Byte of the IV has to be set to 0x10. Before encryption, EncryptedCmd is split up into the following fields: * DevCode (1 Byte): Device code of the command which must be executed in the authenticated Security Level. * CmdCode (1 Byte): Command code of the command which must be executed in the authenticated Security Level. * PayloadLen (2 Bytes): Length of Payload in Bytes. * Payload (n Bytes): contains the parameters buffer for the command which must be executed in the authenticated Security Level. |
| [in] | EncryptedCmd_len | |
| [out] | RspHMAC | An AES 128 CBC-MAC over EncryptedRsp using the session key calculated by brp_Pki_PfsAuthRdrCert() and an IV constructed from SequenceCounter. To get the IV, the sequence counter has to be padded by leading 0x00 and the first Byte of the IV has to be set to 0x80. |
| [out] | EncryptedRsp | Encrypted response of the command which was executed in the authenticated Security Level. Data is encrypted via AES-128 CBC using the session key generated by brp_Pki_PfsAuthRdrCert() and an IV constructed from SequenceCounter. To get the IV for encryption, the sequence counter has to be padded by leading 0x00 and the first Byte of the IV has to be set to 0x40. Before encryption, EncryptedRsp is split up into the following fields: * StatusCode (1 Byte): Has to be 0x00 on successful execution of the encrypted command. Else, an error occurred. * RespLen (2 Bytes): Length of Resp in Bytes. * Resp (n Bytes): Contains the response buffer of the command which was executed in the authenticated Security Level. |
| [out] | EncryptedRsp_len | |
| [in] | mempool | is used to store response data. Maybe NULL to use an internal mempool, in this case the data is only available until another command uses the internal mempool |