5.7 Verifying EMV™ public key certificates
This section presents the verification procedure of the Issuer Public Key Certificate in Section 5.7.1 and the verification procedure of the ICC Public Key Certificate in Section 5.7.2. Note that the verification procedure of an ICC PIN Encipherment Public Key Certificate is identical to the verification procedure of the ICC Public Key Certificate, and consequently it is not separately detailed.
5.7.1 Verification of the Issuer Public Key Certificate
The following steps describe the procedure of verifying the Issuer Public Key Certificate. The verifier of the certificate is a terminal at the point of service, and the certificate, together with some other data needed for the certificate verification, is received from the EMV™ card.

Step 1: Verify that the length of the Issuer Public Key Certificate (tag 90) data object is N _{ CA } .

Step 2: Apply the signature verification/recovery algorithm in Appendix F, Section F.3.2 (case 2), where S is the value field of the Issuer Public Key Certificate, n _{ S } = n _{ CA } , and e _{ S } = e _{ CA } . The length N of the modulus is N _{ CA } .

Step 3: The data that is recovered X is parsed as X = B M _{ R } H E . The following processing is performed on these items:

Check that E (last byte of X ), which is the recovered data trailer, equals BCh.

Check that B (first byte of X ), which is the recovered data header, equals 6Ah.

Consider M _{ R } as the next N _{ CA } − 22 bytes after B . Parse M _{ R } according to the nine fields identified in Section 5.6.1.

Check that the certificate format read in field 1 of M _{ R } is 02h.

Create message M′ as the concatenation from left to right of the value fields of the Issuer Public Key Remainder (tag 92), if this data object is present in the card, and of the Issuer Public Key Exponent (tag 9F32).

Create the message M , representing the issuer public key data, as the concatenation from left to right of the recovered part M _{ R } and of the constructed part M′ (i.e., M = M _{ R } M′ ).

Read the hash algorithm indicator from field 5 of M _{ R } . Note that at the moment this value is 01h, corresponding to the SHA1 algorithm, the only approved hash algorithm in the EMV 2000 specifications (see Annex B3.1 in Book 2 [1]).

Use the indicated hash algorithm to compute the hash code h of M .

Check that h equals the hash result H , which represents the last 20 bytes in X before E .
If any of the verifications mentioned above failed, the verification of the Issuer Public Key Certificate has failed.


Step 4: Check the consistency of some fields in the recovered part M _{ R } of the issuer public key data.

Check that the IIN read from the 4 bytes of field 2, after stripping of the possible padding with the hexadecimal digit F, corresponds to the leftmost 3 to 8 digits of the card's PAN as captured by the terminal.

Check that the certificate is not expired. To this end, check that the current date is earlier than or equal to the last day of the month MM specified in field 3, certificate expiration date.

If the terminal manages a revocation list of issuer public key certificates associated with a CA, check that the certificate serial number read from field 4 is not blacklisted in this revocation list. If the certificate is blacklisted, set bit 5, "Card appears on terminal exception file", of byte 1 of the TVR register (see Section 6.2.1).

Check that the public key algorithm specified in the Issuer Public Key Algorithm Indicator read from field 6 is among the algorithms known by the terminal. Note that at the moment this indicator has the value 01h corresponding to the RSA algorithm, which is the only approved asymmetric algorithm in the EMV 2000 specifications (according to Annex B2.1 in Book 2 [1]).
If any of the verifications mentioned above failed, the verification of the Issuer Public Key Certificate has failed.


Step 5: If all the verifications were valid, the terminal accepts the authenticity of the issuer public key. It consists of the issuer public key modulus n _{ I } and the Issuer Public Key Exponent e _{ I } (tag 9F32).
The issuer public key length N _{ I } read from field 7 of M _{ R } gives the actual length of n _{ I } .

If N _{ CA } − 36 − N _{ I } > 0, remove the N _{ CA } − 36 − N _{ I } padding bytes BBh from the rightmost side of field 9 of M _{ R } . The byte string that is obtained represents n _{ I } .

If N _{ I } > N _{ CA } − 36, concatenate from left to right field 9 of M _{ R } and the value field of the Issuer Public Key Remainder (tag 92). The byte string that is obtained represents n _{ I } .

5.7.2 Verification of the ICC Public Key Certificate
The following steps describe the procedure of verifying the ICC Public Key Certificate. The verifier of the certificate is a terminal at the point of service, and the certificate, together with some other data needed for the certificate verification, is received from the EMV™ card.

Step 1: Verify that the length of the ICC Public Key Certificate (tag 90) data object is N _{ I } .

Step 2: Apply the signature verification/recovery algorithm in Appendix F, Section F.3.2 (case 2), where S is the value field of the ICC Public Key Certificate, n _{ S } = n _{ I } , and e _{ S } = e _{ I } . The length N of the modulus is N _{ I } .
The data that is recovered X is parsed as X = B M _{ R } H E . The following processing is performed on these items:

Check that E (last byte of X ), which is the recovered data trailer, equals BCh.

Check that B (first byte of X ), which is the recovered data header, equals 6Ah.

Consider M _{ R } as the next N _{ I } − 22 bytes after B . Parse M _{ R } according to the nine fields identified in Section 5.6.1.

Check that the certificate format read in field 1 of M _{ R } is 04h.

Create message M′ as the concatenation from left to right of the value fields of the ICC Public Key Remainder (tag 9F48), if this data object is present in the card, of the ICC Public Key Exponent (tag 9F47), and the Static Data to Be Authenticated byte string. The details of formatting this byte string are given in Section 5.8.1.

Create the message M , representing the ICC public key data, as the concatenation from left to right of the recovered part M _{ R } and of the computed part M′ (i.e., M = M _{ R } M′ ).

Read the hash algorithm indicator from field 5 of M _{ R } . Note that at the moment this value is 01h, corresponding to the SHA1 algorithm, the only approved hash algorithm in the EMV 2000 specifications (see Annex B3.1 in Book 2 [1]).

Use the indicated hash algorithm to compute the hash code h of M .

Check that h equals the hash result H , which represents the last 20 bytes in X before E .
If any of the verifications mentioned above failed, the verification of the ICC Public Key Certificate has failed.


Step 3: Check the consistency of some fields in the recovered part M _{ R } of the issuer public key data.

Check that the PAN recovered from field 2 of M _{ R } corresponds to the PAN of the card as captured by the terminal.

Check that the certificate is not expired. To this end, check that the current date is earlier than or equal to the last day of the month specified in field 3, certificate expiration date.

Check that the public key algorithm specified in the Issuer Public Key Algorithm Indicator read from field 6 is among the algorithms known by the terminal. Note that at the moment this indicator has the value 01h corresponding to the RSA algorithm, which is the only approved asymmetric algorithm in the EMV 2000 specifications (according to Annex B2.1 in Book 2 [1]).
If any of the verifications mentioned above failed, the verification of the ICC Public Key Certificate has failed.


Step 4: If all the verifications were valid, the terminal accepts the authenticity of the ICC public key. It consists of the ICC public key modulus n _{ IC } and the ICC Public Key Exponent (tag 9F47) e _{ IC } .
The ICC public key length N _{ IC } read from field 7 of M _{ R } gives the actual length of n _{ IC } .

If N _{ I } − 42 − N _{ IC } > 0, remove the N _{ I } − 42 − N _{ IC } padding bytes BBh from the rightmost side of field 9 of M _{ R } . The byte string that is obtained represents n _{ IC } .

If N _{ IC } > N _{ I } − 42, concatenate from left to right field 9 of M _{ R } and the value field of the ICC Public Key Remainder (tag 9F48). The byte string that is obtained represents n _{ IC } .

The terminal stores the ICC public key ( n _{ IC } , e _{ IC } ) for the current session.
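
The recovery, header/trailer, format, hash and key-assembly steps of Sections 5.7.1 and 5.7.2 share one code path, shown here as an added example that is not taken from the book or the EMV specifications. It assumes the recovery of Appendix F is X = S^e mod n and that fields 1 to 8 of M _{ R } occupy 14 bytes (issuer) or 20 bytes (ICC), since Section 5.6.1 is not reproduced here. The function names and the toy CA key are constructed for the demonstration, and the IIN/PAN, expiry and revocation checks are left out.

```python
import hashlib

def recover_certified_key(cert, n, e, remainder, exponent, fmt, overhead, static=b""):
    """fmt/overhead: 0x02/36 for the issuer certificate, 0x04/42 for the ICC one.
    Returns the certified modulus; raises ValueError when any check fails."""
    N = (n.bit_length() + 7) // 8
    if len(cert) != N:                                  # length must equal modulus length
        raise ValueError("certificate length differs from modulus length")
    X = pow(int.from_bytes(cert, "big"), e, n).to_bytes(N, "big")   # assumed recovery: S^e mod n
    B, M_R, H, E = X[0], X[1:N - 21], X[N - 21:N - 1], X[N - 1]     # X = B M_R H E
    if E != 0xBC or B != 0x6A:
        raise ValueError("bad trailer or header")
    if M_R[0] != fmt:                                   # field 1: certificate format
        raise ValueError("unexpected certificate format")
    hdr = overhead - 22                                 # bytes taken by fields 1-8 (assumed layout)
    if M_R[hdr - 4] != 0x01 or M_R[hdr - 3] != 0x01:    # fields 5 and 6: SHA-1 and RSA
        raise ValueError("unknown hash or public key algorithm")
    M = M_R + remainder + exponent + static             # M = M_R M'
    if hashlib.sha1(M).digest() != H:
        raise ValueError("hash mismatch")
    key_len, field9 = M_R[hdr - 2], M_R[hdr:]           # field 7 and field 9
    pad = (N - overhead) - key_len
    if pad > 0:                                         # key fits in field 9: strip BBh padding
        if field9[key_len:] != b"\xBB" * pad:
            raise ValueError("bad BBh padding")
        return field9[:key_len]
    key = field9 + remainder                            # key continues in the remainder object
    if len(key) != key_len:
        raise ValueError("remainder length inconsistent with field 7")
    return key

# Constructed toy CA key built from two Mersenne primes; demonstration only.
P, Q, E_CA = 2**127 - 1, 2**521 - 1, 65537
N_CA = P * Q
D_CA = pow(E_CA, -1, (P - 1) * (Q - 1))

def make_issuer_cert(issuer_modulus, exponent=b"\x03"):
    """Build a constructed issuer certificate signed with the toy CA key."""
    N = (N_CA.bit_length() + 7) // 8
    room = N - 36
    field9 = issuer_modulus[:room].ljust(room, b"\xBB")
    remainder = issuer_modulus[room:]
    M_R = (b"\x02" + bytes.fromhex("412345FF") + bytes.fromhex("1230") + b"\x00\x00\x01"
           + b"\x01\x01" + bytes([len(issuer_modulus), len(exponent)]) + field9)
    H = hashlib.sha1(M_R + remainder + exponent).digest()
    X = b"\x6A" + M_R + H + b"\xBC"
    S = pow(int.from_bytes(X, "big"), D_CA, N_CA).to_bytes(N, "big")
    return S, remainder
```

For the ICC certificate, call `recover_certified_key` with the issuer key as `n` and `e`, `fmt=0x04`, `overhead=42`, and the Static Data to Be Authenticated as `static`.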