C API for BALTECH SDK

§ brp_Pki_StoreX509Cert()

brp_errcode brp_Pki_StoreX509Cert(brp_protocol protocol,
                                  unsigned SecLevel,
                                  brp_buf Cert,
                                  size_t Cert_len)

After signing a CSR obtained with the brp_Pki_GetX509Csr() command, run this command to store the resulting certificate in the reader's certificate store.

The certificate store provides up to 3 slots (one for each security level 1-3). This means up to 3 different certificate authorities can store their certificates in a reader.

The certificates must comply with the following limitations:

  • Only ECC P-256 with SHA256 (ECDSA) is allowed as the signing algorithm.
  • The length of the tag containing the issuer distinguished name must not exceed 128 bytes.
  • No extensions are allowed.

A sample certificate matching all these limitations is the following:

30 82 01 6C 30 82 01 11 A0 03 02 01 02 02 01 01 30 0A 06 08 2A 86 48 CE 3D 04 03 02 30 3C 31 23 30 21 06 03 55 04 03 0C 1A 49 6E 74 65 72 6D 65 64 69 61 74 65 20 43 41 20 66 6F 72 20 52 65 61 64 65 72 31 15 30 13 06 03 55 04 0A 0C 0C 43 75 73 74 6F 6D 65 72 20 4F 6E 65 30 1E 17 0D 30 30 30 31 30 31 30 30 30 30 30 30 5A 17 0D 33 38 30 31 31 39 30 32 31 34 30 37 5A 30 42 31 14 30 12 06 03 55 04 03 0C 0B 53 23 20 31 31 31 31 31 31 31 31 31 13 30 11 06 03 55 04 0A 0C 0A 42 61 6C 74 65 63 68 20 41 47 31 15 30 13 06 03 55 04 07 0C 0C 48 61 6C 6C 62 65 72 67 6D 6F 6F 73 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07 03 42 00 04 C3 4D 0E D2 EA 8F 94 88 93 E0 16 75 06 78 67 BB 96 14 5A A9 24 F8 95 02 4F 47 87 C7 1C B3 1F D5 83 CD 8C A3 FB B2 57 51 38 BF 81 AA 9C 26 DC CA 71 A6 FE 83 1B 2C 88 60 86 69 D3 53 93 08 39 D7 30 0A 06 08 2A 86 48 CE 3D 04 03 02 03 49 00 30 46 02 21 00 90 6F 97 EF C0 95 1C 9C FC 60 4C 1F F7 12 00 F4 C8 2C EA FE 4E 9D C9 F0 BE 29 75 C6 E6 42 3C 1B 02 21 00 BB 22 42 56 13 5A B5 BF D1 19 B7 40 EA 44 30 2B 14 3B 86 4E 0C 48 24 96 8F FB 49 69 24 71 CA DF

This sample certificate can be decoded using the following online tool: https://redkestrel.co.uk/products/decoder/
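As an added example (not part of the BALTECH SDK), the C function below walks the DER structure of a certificate and checks the three limitations listed above before the certificate is handed to brp_Pki_StoreX509Cert(); the sample certificate above passes every check. The function name check_reader_cert and its negative reason codes are this example's own conventions.

```c
#include <stdint.h>
#include <string.h>

/* Read one DER TLV at *pp (bounded by end), advance *pp past it and return a
 * pointer to its value, or NULL on malformed input. Handles lengths of up to
 * two bytes, which is all a certificate within the limits above needs. */
static const uint8_t *der_next(const uint8_t **pp, const uint8_t *end,
                               uint8_t *tag, size_t *len) {
    const uint8_t *p = *pp; size_t n, k;
    if (end - p < 2) return NULL;
    *tag = *p++; n = *p++;
    if (n & 0x80) {                          /* long form: 0x81 or 0x82 */
        k = n & 0x7F; n = 0;
        if (k == 0 || k > 2 || (size_t)(end - p) < k) return NULL;
        while (k--) n = (n << 8) | *p++;
    }
    if ((size_t)(end - p) < n) return NULL;
    *len = n; *pp = p + n;
    return p;
}
/* Complete AlgorithmIdentifier encodings the reader requires:
 * ecdsa-with-SHA256 (1.2.840.10045.4.3.2) and id-ecPublicKey + prime256v1. */
static const uint8_t ECDSA_SHA256[] = {0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02};
static const uint8_t EC_P256[] = {0x30,0x13,0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01,
                                  0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07};

/* Returns 0 when the certificate satisfies the store limits, otherwise
 * -1 malformed DER, -2 signature algorithm is not ECDSA/SHA256, -3 issuer TLV
 * exceeds 128 bytes, -4 key is not ECC P-256, -5 extensions (or unique IDs). */
int check_reader_cert(const uint8_t *cert, size_t cert_len) {
    const uint8_t *p = cert, *end = cert + cert_len, *v, *s; uint8_t tag; size_t len;
    if (!(v = der_next(&p, end, &tag, &len)) || tag != 0x30) return -1; /* Certificate */
    p = v; end = v + len;
    if (!(v = der_next(&p, end, &tag, &len)) || tag != 0x30) return -1; /* TBSCertificate */
    p = v; end = v + len;
    /* optional version [0], then serialNumber */
    if (!der_next(&p, end, &tag, &len) || (tag == 0xA0 && !der_next(&p, end, &tag, &len))) return -1;
    if (tag != 0x02) return -1;
    s = p;                                                  /* signature AlgorithmIdentifier */
    if (!der_next(&p, end, &tag, &len)) return -1;
    if ((size_t)(p - s) != sizeof ECDSA_SHA256 || memcmp(s, ECDSA_SHA256, sizeof ECDSA_SHA256)) return -2;
    s = p;                                                  /* issuer Name */
    if (!der_next(&p, end, &tag, &len) || tag != 0x30) return -1;
    if (p - s > 128) return -3;                 /* whole TLV, header included */
    if (!der_next(&p, end, &tag, &len) || tag != 0x30) return -1;   /* validity */
    if (!der_next(&p, end, &tag, &len) || tag != 0x30) return -1;   /* subject */
    if (!(v = der_next(&p, end, &tag, &len)) || tag != 0x30) return -1; /* subjectPublicKeyInfo */
    if (len < sizeof EC_P256 || memcmp(v, EC_P256, sizeof EC_P256)) return -4;
    return p == end ? 0 : -5;       /* anything left ([1], [2], [3]) is rejected */
}
```

Note that only the signature field inside TBSCertificate is compared; RFC 5280 requires the outer signatureAlgorithm to be identical, and the reader verifies the signature itself.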

Furthermore, the access condition mask of the security level running the Pki.StoreX509Cert command has to allow setting the corresponding key, i.e. the SEC_SETKEY1, SEC_SETKEY2 or SEC_SETKEY3 bit of the access condition mask must be set.

This command needs a long timeout, since the ECC operations may take up to 15 seconds.

Parameters
  [in] protocol  used to execute the command
  [in] SecLevel  Security level (1-3) which you want to provide with a (new) reader certificate.
  [in] Cert      X.509 certificate created by signing a CSR returned by brp_Pki_GetX509Csr(), encoded in ASN.1 DER format.
  [in] Cert_len