Pki.PfsAuthRdrCert

After successfully authenticating the host against the reader using the Pki.PfsAuthHostCert command, the reader must return its own certificate to the host in order for the host to verify it.

This command will finalize the PFS session setup and calculate the new AES-128 session key. This session key has to be used for all following calls of the Pki.Tunnel2 command.

This command needs a long timeout, since the ECC operations may take up to 15 seconds.

Properties

Parameters (request frame)

None

Returned values (response frame)

Name                         Type/Size          Description
Length of EncryptedResponse  Integer (16 bits)  Length of EncryptedResponse in bytes
EncryptedResponse            Raw data           Encrypted reader's certificate (see below)

Encrypted reader's certificate. The data is encrypted via AES-128 CBC using the key and IV generated by the Pki.PfsGenKey command.

After decryption, EncryptedResponse can be split up into the following fields:

  • ReaderCertLen (2 Bytes): Length of the reader's certificate in Bytes.
  • RdrCert (n Bytes): The X.509 end certificate of the reader encoded in ASN.1 DER format (set by the Pki.StoreX509Cert command).
  • Several Bytes of padding zeros to ensure that the total length of EncryptedResponse is a multiple of 16.
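As an added example (not part of this reference or of the reader firmware), a host-side parser in Go for the response layout above. It assumes the 16-bit Length field and ReaderCertLen are big-endian and that key and IV are the 16-byte values left by Pki.PfsGenKey; the reader-side builder and the sample certificate are constructed fixtures so the parser can be run offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed fixture, not real PFS material: the 16-byte key and IV that Pki.PfsGenKey
// leaves on both sides, and a 20-byte stand-in for the reader's DER certificate.
var testKey, testIV = []byte("0123456789abcdef"), []byte("fedcba9876543210")
var testCert = append([]byte{0x30, 0x12}, "constructed DER!!!"...)

// buildRdrCertResponse emulates the reader: ReaderCertLen || RdrCert || zero padding to a
// multiple of 16, AES-128-CBC encrypted, prefixed by the 16-bit Length (big-endian assumed).
func buildRdrCertResponse(cert, key, iv []byte) []byte {
	plain := make([]byte, 2, 2+len(cert)+16)
	binary.BigEndian.PutUint16(plain, uint16(len(cert)))
	plain = append(plain, cert...)
	plain = append(plain, make([]byte, (16-len(plain)%16)%16)...)
	block, _ := aes.NewCipher(key) // fixture key is 16 bytes, so this cannot fail
	enc := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(enc, plain)
	frame := make([]byte, 2, 2+len(enc))
	binary.BigEndian.PutUint16(frame, uint16(len(enc)))
	return append(frame, enc...)
}

// ParseRdrCertResponse decrypts a response frame and returns RdrCert. Every length and
// padding check fails closed, so a truncated or tampered frame never reaches X.509 verification.
func ParseRdrCertResponse(frame, key, iv []byte) ([]byte, error) {
	if len(frame) < 2 {
		return nil, fmt.Errorf("frame too short for the Length field")
	}
	encLen, enc := int(binary.BigEndian.Uint16(frame)), frame[2:]
	block, err := aes.NewCipher(key)
	if err != nil || encLen != len(enc) || encLen == 0 || encLen%16 != 0 {
		return nil, fmt.Errorf("bad key or EncryptedResponse length %d (have %d bytes)", encLen, len(enc))
	}
	plain := make([]byte, encLen)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, enc)
	certLen := int(binary.BigEndian.Uint16(plain))
	if certLen == 0 || 2+certLen > len(plain) {
		return nil, fmt.Errorf("ReaderCertLen %d exceeds %d plaintext bytes", certLen, len(plain))
	}
	if len(bytes.Trim(plain[2+certLen:], "\x00")) != 0 { // padding zeros must really be zero
		return nil, fmt.Errorf("non-zero padding: wrong key/IV or tampered response")
	}
	return plain[2 : 2+certLen], nil
}
```

The zero-padding check only catches gross corruption; it is not a MAC, so the returned RdrCert must still pass full X.509 chain verification on the host before the session is trusted.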