Verify - Validate and Invalidate

The Verify command can be used to validate or invalidate a public key. Only those public keys whose access policies require validation need to go through this process. Prior to a public key being used to verify a signature, it must be validated. If a validated public key needs to be updated, then it needs to be invalidated prior to being written. Only internally stored public keys can be validated or invalidated. The status of a public key is stored in the most significant nibble of byte 0 of the public key slot.

For the ATECC608A-TFLXTLS device, Slot 14 contains a validated public key.

Procedure for Validating or Invalidating a Public Key

1.Using GenKey, generate a digest of the public key to be validated or invalidated and store it in TempKey.
2.OtherData[18:0] bytes must be the same as the bytes that were used when calculating the original signature.
- OtherData[17][0] = 0 if you are going to validate the key
- OtherData[17][0] = 1 if you are going to invalidate the key
- This bit must match the Mode[2] value of the Verify Validate or Invalidate command or an error will occur.
Note: The message is created in the same manner as for the Internal mode of the Sign command, but it uses the OtherData[18:0] bytes.
3.Issue the Verify Validate or Invalidate command, including the signature R and S values and the OtherData bytes.
4.Upon successful validation or invalidation, a code of 0x00 will be returned and bits [7:4] of the LSB of the slot will be set.

Table 1. Input Parameters - Verify Validate/Invalidate
Opcode (1 Byte)	Mode (1 Byte)	Key ID (2 Bytes)	Data Field (83 Bytes)		Comment
Opcode (1 Byte)	Mode (1 Byte)	Key ID (2 Bytes)	Signature (64 Bytes)	Other Data⁽¹⁾ (19 Bytes)	Comment
0x45	0x03	0x00 0[Slot]	R value S value	OtherData[17][0] = 0	Validates public key
0x45	0x07	0x00 0[Slot]	R Value S Value	OtherData[17][0] = 1	Invalidates public key

Note:

1.Other Data byte values must align with the data used to generate the original message.

Table 2. Output Response - Verify Validate/Invalidate
Name	Size	Description
Response	1 byte	0x00 - If signature is verified 0x01 - If signature does not match Error code - If there is a failure due to some other reason
ValidateNibble of Public Key	4 bits.	Slot[n][0] [7:4] will be updated of the public key 0x5 - If the public key has been validated 0xA - If the public key has been invalidated

Table 3. Generated Message
	32 bytes 1 byte 10 bytes 1 byte 4 bytes 2 bytes 5 bytes	TempKey digest of the PublicKey (must be generated by GenKey) Sign Opcode OtherData[0:9]⁽¹⁾ SN[8] = 0x01 OtherData[10:13]⁽¹⁾ SN[0:1] = 0x01 0x23 OtherData[14:18]⁽¹⁾

Note:

1.These bytes should match the bytes used in the original message that generated the signature. The original message calculation can be found in Section Internal Message Generation. The only exception is for bit 0 of byte 17, as described above.