Extending Certificate Years
Crypto Authentication devices currently support compressed certificates with encoded issue years and expiry years, but only up to the year 2031. The `cryptoauthlib` (CAL) library has updated the compressed certificate format, as of the CAL v3.7.5 release, to extend support for certificate issue and expiry years beyond the year 2031.

This section details the required changes and provides guidance on updating `cryptoauthlib` to use the upgraded format.

This update may impact existing users who use compressed certificates with CAL library versions earlier than v3.7.5.

- Current Limitation: CAL compressed certificates using format 0 (the default) support certificate issue and expiry years only up to 2031.
- New Support: To allow certificate validity beyond 2031, a new compressed certificate format (format 1) is introduced.
- Affected Module: These changes specifically impact the `atcacert` module of the CAL library.

- Certificate Size: 72 bytes
- Format Version:
  - Byte 70 - Lower 4 bits: `0b0000` (format 0)
- Encoded Dates:
  - Bytes 64–66: Encoded issue and expiry years

Bytes | Bytes/Bits | Field Name | Description |
---|---|---|---|
0–63 | 64 bytes | Signature | Digital Signature |
64–66 | 3 bytes | Encoded Dates | Encoded date-related info |
67–68 | 2 bytes | Signer ID | Identifier of the signer |
69 | High 4 bits | Template ID | Template identifier |
69 | Low 4 bits | Chain ID | Identifier for chain |
70 | High 4 bits | SN Source | Source of serial number |
70 | Low 4 bits | Format Version | Version of the format |
71 | 1 byte | Reserved | Reserved for future use |

The encoded dates (bytes 64–66) are detailed below.

- Byte 70: Format Version Update
  - The Format Version is incremented from `0` to `1` to reflect the new encoding scheme.
- Byte 71: Bit Reallocation
  - `issue_year` is now constructed using:
    - Byte 64 → Bits 3 to 7 (5 bits)
    - Byte 71 → Bits 6 and 7 (2 bits)
    - Total: 7 bits → allows representing years from `0` to `127`

    `issue_year = { Byte 64 :: Bits 3–7 } + { Byte 71 :: Bits 6–7 }`
  - `expire_years` is now constructed using:
    - Byte 66 → Bits 0 to 4 (5 bits)
    - Byte 71 → Bits 4 and 5 (2 bits)
    - Total: 7 bits → allows representing years from `0` to `127`

    `expire_years = { Byte 66 :: Bits 0–4 } + { Byte 71 :: Bits 4–5 }`

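A parser for the year fields described above, as an added example (not code from cryptoauthlib or its patches); it reads the format nibble in byte 70 first and rejects any version other than 0 or 1. Assumptions the page does not state: offset 0 corresponds to the year 2000, and the two bits taken from byte 71 are the high-order bits of each 7-bit value. The names `comp_cert_parse_years` and `sample_field` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define COMP_CERT_SIZE 72u
#define BASE_YEAR 2000u /* assumption: offset 0 means the year 2000 */

typedef struct {
    uint8_t format;       /* byte 70, low 4 bits */
    uint16_t issue_year;  /* BASE_YEAR + decoded offset */
    uint8_t expire_years; /* decoded value: 0..31 (format 0), 0..127 (format 1) */
} comp_cert_years_t;

/* Hypothetical helper. Returns 0 on success, -1 on bad input or unknown format. */
int comp_cert_parse_years(const uint8_t *cc, size_t len, comp_cert_years_t *out)
{
    if (cc == NULL || out == NULL || len != COMP_CERT_SIZE) return -1;

    uint8_t format = (uint8_t)(cc[70] & 0x0Fu);
    uint8_t issue = (uint8_t)(cc[64] >> 3);     /* byte 64, bits 3-7 */
    uint8_t expire = (uint8_t)(cc[66] & 0x1Fu); /* byte 66, bits 0-4 */

    if (format == 1u) {
        /* Assumption: byte 71 carries the two high-order bits of each field. */
        issue |= (uint8_t)(((cc[71] >> 6) & 0x03u) << 5);  /* byte 71, bits 6-7 */
        expire |= (uint8_t)(((cc[71] >> 4) & 0x03u) << 5); /* byte 71, bits 4-5 */
    } else if (format != 0u) {
        return -1; /* unknown layout: fail closed instead of guessing */
    }
    out->format = format;
    out->issue_year = (uint16_t)(BASE_YEAR + issue);
    out->expire_years = expire;
    return 0;
}

/* Constructed sample: only the bytes read above are set, the rest are zero. */
int sample_field(uint8_t format, int want_expire)
{
    uint8_t cc[COMP_CERT_SIZE];
    comp_cert_years_t y;
    memset(cc, 0, sizeof(cc));
    cc[64] = (uint8_t)(5u << 3);               /* low 5 bits of issue year: 5 */
    cc[66] = 10u;                              /* low 5 bits of expire years: 10 */
    cc[70] = (uint8_t)(format & 0x0Fu);
    cc[71] = (uint8_t)((1u << 6) | (2u << 4)); /* extension bits: 1 and 2 */
    if (comp_cert_parse_years(cc, sizeof(cc), &y) != 0) return -1;
    return want_expire ? (int)y.expire_years : (int)y.issue_year;
}
```

Under these assumptions the constructed sample decodes as format 1 to issue year 2037 and `expire_years` 74, while the same bytes read as format 0 give 2005 and 10, so the format nibble has to be checked before the dates are trusted.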
For users seeking extended year (format 1) support, select the appropriate patch to add format-1 support on top of their current CAL code. This allows continued use of devices provisioned with either format 0 or 1 certificates.
CAL Version(s) | Patch to Apply |
---|---|
v3.3.3, v3.4.0, v3.5.0 | extended_year_v350.patch |
v3.6.0 | extended_year_v360.patch |
v3.6.1, v3.7.0 | extended_year_v370.patch |
v3.7.1, v3.7.2, v3.7.3 | extended_year_v371.patch |
v3.7.4 | extended_year_v374.patch |
>= v3.7.5 | Natively supported |

Make a note of the appropriate patch to be applied to your `cryptoauthlib`.

Download the patch release file from the official GitHub release page using your browser or a command-line tool:

Download Patch Release

Based on the upgrade requirement, select and copy the appropriate `extended_year_v3xy.patch` to your `cryptoauthlib` folder and apply it using the following command:

```
cd <cryptoauthlib folder>
git apply extended_year_v3xy.patch
```

Alternatively:

```
patch -p1 < extended_year_v3xy.patch
```

Check whether the patch has been applied successfully.

Refer to the Configuration Page for details on building CAL as per your existing build configuration.