
ISO IEC 7816-8-2021 pdf Identification cards — Integrated circuit cards — Part 8: Commands and mechanisms for security operations

IEC standards 11-29

For example, the security object reference as well as the cryptographic mechanism reference shall be either implicitly known or specified in a CRT in a manage security environment command.

NOTE A security object reference is a reference of a secret key, a reference of a public key, a reference data, a reference for computing a session key or a reference of a private key. See ISO/IEC 7816-4.

Such a command can be performed only if the security status satisfies the security attributes for the operation. The successful execution of the command may be subject to successful completion of prior commands (e.g. verify before the computation of a digital signature). If present (e.g. implicitly known by the card or because it is part of the command data field), a header list or an extended header list defines the order and the data items that form the input for the security operation.

For this command, when a verification related operation is considered, SW1-SW2 set to ‘6300’ or ‘63CX’ indicates that a verification failed; ‘X’ ≥ ‘0’ encodes the number of further allowed retries.
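The status-word rule above can be handled on the host side as follows. This is an added example, not text or code from the standard: it separates ‘6300’ (failure, no counter reported) from ‘63C0’ (failure, zero retries left), and the `may_retry` policy, its `reserve` parameter, the sample responses, and the use of ‘9000’ for normal processing (from ISO/IEC 7816-4, not stated on this page) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VerificationStatus:
    sw: int                      # SW1-SW2 as one 16-bit value
    ok: bool                     # True only for '9000'
    verification_failed: bool    # True for '6300' and '63CX'
    retries_left: Optional[int]  # X from '63CX'; None when no counter is reported


def parse_status(response: bytes) -> VerificationStatus:
    """Classify the trailing SW1-SW2 of a response APDU."""
    if len(response) < 2:
        raise ValueError("response APDU must end with SW1-SW2 (2 bytes)")
    sw1, sw2 = response[-2], response[-1]
    sw = (sw1 << 8) | sw2
    if sw == 0x9000:  # normal processing per ISO/IEC 7816-4 (assumption, see lead-in)
        return VerificationStatus(sw, True, False, None)
    if sw == 0x6300:  # verification failed, card reports no retry counter
        return VerificationStatus(sw, False, True, None)
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:  # '63CX': X = further allowed retries
        return VerificationStatus(sw, False, True, sw2 & 0x0F)
    return VerificationStatus(sw, False, False, None)  # unrelated status word


def may_retry(status: VerificationStatus, reserve: int = 1) -> bool:
    """Hypothetical host policy: resubmit only while more than `reserve` tries remain.

    An unknown counter ('6300') is treated as unsafe, so the host never
    exhausts the card's retry counter by guessing.
    """
    if not status.verification_failed or status.retries_left is None:
        return False
    return status.retries_left > reserve


if __name__ == "__main__":
    # Constructed sample responses (hex): data field, if any, followed by SW1-SW2.
    for sample in ("63C2", "63C1", "63C0", "6300", "AABBCC9000"):
        st = parse_status(bytes.fromhex(sample))
        print(sample, hex(st.sw), st.verification_failed, st.retries_left, may_retry(st))
```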
The compute digital signature operation, which shall be as specified in Table 11, initiates the computation of a digital signature. The algorithm may be either a digital signature algorithm or a combination of a hash algorithm and a digital signature algorithm. Annex A provides examples of digital signature operations.
The verify certificate operation, which shall be as specified in Table 15, verifies a certificate. For the verification of a certificate, the digital signature of a certificate to be verified is delivered as a data object in the command data field. Annex B provides relevant examples of how to implement this operation, which may help to better understand this subclause. The public key of the certification authority to be used in the verification process is either implicitly selected or may be referenced in a DST using the manage security environment command. The algorithm to apply is implicitly known or may be referenced in a DST. If other data objects are to be used in the verification process (e.g. hash-code), then these data objects shall be present in the card or shall be transmitted using the command chaining process.
