Self-generated certificates
The KCM API for verifying a self-generated certificate against a generated private key is kcm_certificate_verify_with_private_key(). This API verifies that the stored private key corresponds to the public key embedded in the self-generated certificate.
Note: We recommend that you verify the certificate against the private key before injecting it into the device.
Verifying a certificate
Example of how to verify a self-generated certificate
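kcm_status_e kcm_status;
char private_key_name[] = "priv_test_key_name";
char custom_certificate_name[] = "custom_certificate";
/* Buffer for the DER-encoded self-generated certificate. `{ 0 }` is the
 * standard C zero initializer; the empty `{ }` form is a GNU extension. */
uint8_t certificate_data[MAX_CERTIFICATE_DATA_SIZE] = { 0 };

/* Verify that the public key in the self-generated certificate matches the
 * private key the device generated and stored under private_key_name.
 * NOTE(review): the full buffer size is passed here; if the certificate does
 * not fill the buffer, pass its actual DER length instead - confirm against
 * the kcm_certificate_verify_with_private_key() contract. */
kcm_status = kcm_certificate_verify_with_private_key(
    certificate_data,
    sizeof(certificate_data),
    (uint8_t *)private_key_name,
    strlen(private_key_name));
if (kcm_status != KCM_STATUS_SUCCESS) {
    /* Never store a certificate whose key pair could not be confirmed. */
    return 1;
}

/* Store the verified certificate under custom_certificate_name.
 * The `true` argument is presumably the is-factory flag - verify against the
 * kcm_item_store() declaration before reusing this snippet. */
kcm_status = kcm_item_store((uint8_t *)custom_certificate_name,
                            strlen(custom_certificate_name),
                            KCM_CERTIFICATE_ITEM,
                            true,
                            certificate_data,
                            sizeof(certificate_data),
                            NULL);
if (kcm_status != KCM_STATUS_SUCCESS) {
    return 1;
}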
Verifying a certificate chain
Example of how to verify a self-generated certificate chain
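kcm_status_e kcm_status;
char private_key_name[] = "priv_test_key_name";
char certificate_chain_name[] = "custom_certificate_chain";
kcm_cert_chain_handle cert_chain_handle;
/* DER certificates of the chain, leaf first (index 0), then its issuers. */
uint8_t custom_certificates[3][1024] = { {...} , {...} , {...} };
/* Derive the chain length from the array so the two cannot drift apart. */
size_t chain_len = sizeof(custom_certificates) / sizeof(custom_certificates[0]);
size_t i;

/* Verify the leaf certificate (the only one whose public key belongs to this
 * device) against the private key stored under private_key_name.
 * NOTE(review): the full 1024-byte slot is passed as the certificate size; if
 * the DER data is shorter, pass its actual length - confirm with the API. */
kcm_status = kcm_certificate_verify_with_private_key(
    custom_certificates[0],
    sizeof(custom_certificates[0]),
    (uint8_t *)private_key_name,
    strlen(private_key_name));
if (kcm_status != KCM_STATUS_SUCCESS) {
    return 1;
}

/* Open the chain under certificate_chain_name. The original example passed an
 * undeclared identifier (custom_certificate_chain) here; the declared name
 * buffer is certificate_chain_name. */
kcm_status = kcm_cert_chain_create(&cert_chain_handle,
                                   (uint8_t *)certificate_chain_name,
                                   strlen(certificate_chain_name),
                                   chain_len,
                                   true);
if (kcm_status != KCM_STATUS_SUCCESS) {
    return 1;
}

/* Append every certificate in chain order (leaf first). */
for (i = 0; i < chain_len; i++) {
    kcm_status = kcm_cert_chain_add_next(cert_chain_handle,
                                         custom_certificates[i],
                                         sizeof(custom_certificates[i]));
    if (kcm_status != KCM_STATUS_SUCCESS) {
        /* NOTE(review): the chain handle is still open on this path; check
         * whether kcm_cert_chain_close() must be called to release it. */
        return 1;
    }
}

/* Finalize the chain; the stored chain is only complete after this succeeds. */
kcm_status = kcm_cert_chain_close(cert_chain_handle);
if (kcm_status != KCM_STATUS_SUCCESS) {
    return 1;
}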