
Self-generated certificates

The KCM API for verifying a self-generated certificate against a private key that the device generated and stored is kcm_certificate_verify_with_private_key(). It checks that the public key embedded in the certificate corresponds to the private key stored under the given name, so the device never stores a certificate for a key it does not actually hold. Note that this is a key-correspondence check only: it does not validate the certificate's signature, validity period or issuer chain.

Note: We recommend that you verify the certificate against the private key before storing it on the device, so that a certificate whose public key does not match the stored private key is rejected at provisioning time rather than failing later, for example during a TLS handshake.

Verifying a certificate

Example of how to verify a self-generated certificate

kcm_status_e kcm_status;
char private_key_name[] = "priv_test_key_name";
char custom_certificate_name[] = "custom_certificate";
// DER-encoded certificate whose public key must match the stored private key.
// Pass the exact DER length to the KCM calls; sizeof() is only correct when the
// buffer is sized to the certificate.
uint8_t certificate_data[MAX_CERTIFICATE_DATA_SIZE] = { };

// Verify the self-generated custom certificate against the private key that was
// generated by the device and stored under private_key_name.
kcm_status = kcm_certificate_verify_with_private_key(
            certificate_data,
            sizeof(certificate_data),
            (uint8_t*)private_key_name,
            strlen(private_key_name));
if (kcm_status != KCM_STATUS_SUCCESS) {
    return 1;
}

// Store the self-generated custom certificate only after verification succeeded.
kcm_status = kcm_item_store((uint8_t*)custom_certificate_name,
                        strlen(custom_certificate_name),
                        KCM_CERTIFICATE_ITEM,
                        true,
                        certificate_data,
                        sizeof(certificate_data),
                        NULL);
if (kcm_status != KCM_STATUS_SUCCESS) {
    return 1;
}

Verifying a certificate chain

Example of how to verify a self-generated certificate chain

kcm_status_e kcm_status;
char private_key_name[] = "priv_test_key_name";
char certificate_chain_name[] = "custom_certificate_chain";
kcm_cert_chain_handle cert_chain_handle;
// DER-encoded certificates, leaf first: custom_certificates[0] is the device
// certificate, followed by its issuers. Pass each certificate's exact DER length
// rather than the 1024-byte buffer size if the buffers are not completely filled.
uint8_t custom_certificates[3][1024] = { {...} , {...} , {...} };
size_t chain_len = 3;
uint32_t i;

// Verify the leaf of the chain (the self-generated custom certificate) against the
// private key that was generated by the device and stored. Only the leaf carries
// the device's public key, so only custom_certificates[0] is checked here.
kcm_status = kcm_certificate_verify_with_private_key(
            custom_certificates[0],
            sizeof(custom_certificates[0]),
            (uint8_t*)private_key_name,
            strlen(private_key_name));
if (kcm_status != KCM_STATUS_SUCCESS) {
    return 1;
}

// Store the custom certificate chain under certificate_chain_name.
kcm_status = kcm_cert_chain_create(&cert_chain_handle,
                               (uint8_t*)certificate_chain_name,
                               strlen(certificate_chain_name),
                               chain_len,
                               true);
if (kcm_status != KCM_STATUS_SUCCESS) {
    return 1;
}

// Add the certificates in order, leaf first.
for (i = 0; i < chain_len; i++) {
    kcm_status = kcm_cert_chain_add_next(cert_chain_handle,
                                     custom_certificates[i],
                                     sizeof(custom_certificates[i]));
    if (kcm_status != KCM_STATUS_SUCCESS) {
        // Close the handle to release its resources before giving up.
        kcm_cert_chain_close(cert_chain_handle);
        return 1;
    }
}

kcm_status = kcm_cert_chain_close(cert_chain_handle);
if (kcm_status != KCM_STATUS_SUCCESS) {
    return 1;
}
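What kcm_certificate_verify_with_private_key() actually establishes, shown as an added example rather than KCM or Pelion code: the certificate's SubjectPublicKeyInfo must be the public half of the device's private key. The example is written in Python with the `cryptography` package (assumed to be installed) because the check is a pure X.509 operation that can run without a device; the KCM API itself takes the private key by storage name rather than as an object, and the keys, common names and validity dates below are constructed for the demonstration. It covers both cases on this page: a self-signed certificate checked against the right and a wrong key, and a chain in which only the leaf (index 0) matches the device key, which is why the chain example verifies custom_certificates[0] and not the issuer certificates.

```python
# Added example (not KCM code): the key-correspondence check behind
# kcm_certificate_verify_with_private_key(), using the `cryptography` package.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


def certificate_matches_private_key(cert_der: bytes, private_key) -> bool:
    """True only if the certificate's SubjectPublicKeyInfo is exactly the public
    half of private_key. Comparing the DER-encoded SPKI covers key type, curve
    and point in one comparison and works for RSA keys as well as EC keys.
    Like the KCM API, this says nothing about the certificate's signature,
    validity period or issuer chain."""
    cert = x509.load_der_x509_certificate(cert_der)
    spki = (serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo)
    return (cert.public_key().public_bytes(*spki)
            == private_key.public_key().public_bytes(*spki))


def issue_certificate(subject_cn, subject_public_key, issuer_cn, issuer_private_key):
    """Build a DER certificate for subject_public_key signed by issuer_private_key.
    With subject == issuer and the issuer's own key this is a self-signed cert."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
               .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
               .public_key(subject_public_key)
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=365)))
    return builder.sign(issuer_private_key, hashes.SHA256()).public_bytes(
        serialization.Encoding.DER)


def run_checks():
    """Constructed keys standing in for the key stored as "priv_test_key_name"
    (device_key), an unrelated device key (other_key) and a test CA (ca_key)."""
    device_key = ec.generate_private_key(ec.SECP256R1())
    other_key = ec.generate_private_key(ec.SECP256R1())
    ca_key = ec.generate_private_key(ec.SECP256R1())

    # Self-generated (self-signed) certificate for the device key.
    self_signed = issue_certificate("device-0001", device_key.public_key(),
                                    "device-0001", device_key)

    # Chain, leaf first: device certificate issued by the CA, then the CA cert.
    leaf = issue_certificate("device-0001", device_key.public_key(), "test-ca", ca_key)
    ca_cert = issue_certificate("test-ca", ca_key.public_key(), "test-ca", ca_key)
    chain = [leaf, ca_cert]

    return {
        "self_signed_vs_device_key": certificate_matches_private_key(self_signed, device_key),
        "self_signed_vs_other_key": certificate_matches_private_key(self_signed, other_key),
        "chain_leaf_vs_device_key": certificate_matches_private_key(chain[0], device_key),
        "chain_ca_vs_device_key": certificate_matches_private_key(chain[1], device_key),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
```

The mismatch results are the ones that matter in practice: a certificate issued for a different key, or an issuer certificate passed where the leaf was expected, is exactly what the check before kcm_item_store() or kcm_cert_chain_create() is meant to reject.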