C API for BALTECH SDK

§ brp_Pki_Tunnel2()

brp_errcode brp_Pki_Tunnel2 ( brp_protocol  protocol,
unsigned  SequenceCounter,
brp_buf  CmdHMAC,
brp_buf  EncryptedCmd,
size_t  EncryptedCmd_len,
brp_buf RspHMAC,
brp_buf EncryptedRsp,
size_t *  EncryptedRsp_len,
brp_mempool mempool 
)

Runs a command in the Security Level authenticated by the Pki.PfsGenKey, Pki.PfsAuthHostCert, Pki.PfsAuthRdrCert commands sequence. The command is encrypted with the session key calculated by Pki.PfsAuthRdrCert.

After the reader decrypts the received tunnelled command, it checks whether this command is blocked by the Access Condition Mask assigned to the Security Level or by one of the Access Condition Masks of the certificates in the host certificate chain. If this command is blocked by one of these Access Condition Masks, it is not allowed to be executed in the given Security Level and the ErrAccessDenied status code is returned.

Parameters
[in]protocolused to execute the command
[in]SequenceCounterA continuous counter that has to be incremented every time Pki.Tunnel2 is executed (no matter if successful), and that is reset to 0 after a successful execution of the Pki.PfsAuthRdrCert command.
[in]CmdHMACAn AES 128 CBC-MAC over EncryptedCmd using the session key calculated by Pki.PfsAuthRdrCert and an IV constructed from SequenceCounter. To get the IV, the sequence counter has to be padded by leading 0x00 and the first Byte of the IV has to be set to 0x20.
[in]EncryptedCmdEncrypted command to execute in the authenticated Security Level. Data is encrypted via AES-128 CBC using the session key generated by Pki.PfsAuthRdrCert and an IV constructed from SequenceCounter. To get the IV for encryption, the sequence counter has to be padded by leading 0x00 and the first Byte of the IV has to be set to 0x10. Before encryption, EncryptedCmd is split up into the following fields: * DevCode (1 Byte): Device code of the command which must be executed in the authenticated Security Level. * CmdCode (1 Byte): Command code of the command which must be executed in the authenticated Security Level. * PayloadLen (2 Bytes): Length of Payload in Bytes. * Payload (n Bytes): contains the parameters buffer for the command which must be executed in the authenticated Security Level.
[in]EncryptedCmd_len
[out]RspHMACAn AES 128 CBC-MAC over EncryptedRsp using the session key calculated by Pki.PfsAuthRdrCert and an IV constructed from SequenceCounter. To get the IV, the sequence counter has to be padded by leading 0x00 and the first Byte of the IV has to be set to 0x80.
[out]EncryptedRspEncrypted response of the command which was executed in the authenticated Security Level. Data is encrypted via AES-128 CBC using the session key generated by Pki.PfsAuthRdrCert and an IV constructed from SequenceCounter. To get the IV for encryption, the sequence counter has to be padded by leading 0x00 and the first Byte of the IV has to be set to 0x40. Before encryption, EncryptedRsp is split up into the following fields: * StatusCode (1 Byte): Has to be 0x00 on successful execution of the encrypted command. Else, an error occurred. * RespLen (2 Bytes): Length of Resp in Bytes. * Resp (n Bytes): Contains the response buffer of the command which was executed in the authenticated Security Level.
[out]EncryptedRsp_len
[in]mempoolis used to store response data. Maybe NULL to use an internal mempool, in this case the data is only available until another command uses the internal mempool