Extending Certificate Years - MicrochipTech/cryptoauthlib GitHub Wiki
Updated CAL Compressed Certificate Format: Extended Years Support
Introduction
Secure element ICs provisioned with compressed certificates after the year 2031 will be incompatible with CryptoAuthLib versions earlier than 3.7.5. To ensure compatibility and proper functionality, it is recommended to use CryptoAuthLib version 3.7.5 or later.
This section details the required changes and provides guidance on updating cryptoauthlib to use the upgraded format.
Who is impacted?
This update may affect existing users who use compressed certificates with CAL library versions earlier than v3.7.5.
- Current Limitation: CAL compressed certificates using format 0 (the default) support certificate issue and expiry years only up to 2031.
- New Support: To allow certificate validity beyond 2031, a new compressed certificate format (format 1) is introduced.
- Affected Module: These changes specifically impact the atcacert module of the CAL library.
Existing Compressed Certificate Format (Format 0)
- Certificate Size: 72 bytes
- Format Version: Byte 70, lower 4 bits = 0b0000 (format 0)
- Encoded Dates: Bytes 64–66 hold the encoded issue and expiry years
Byte(s) | Size | Field Name | Description |
---|---|---|---|
0–63 | 64 bytes | Signature | Digital Signature |
64–66 | 3 bytes | Encoded Dates | Encoded date-related info |
67–68 | 2 bytes | Signer ID | Identifier of the signer |
69 | High 4 bits | Template ID | Template identifier |
69 | Low 4 bits | Chain ID | Identifier for chain |
70 | High 4 bits | SN Source | Source of serial number |
70 | Low 4 bits | Format Version | Version of the format |
71 | 1 byte | Reserved | Reserved for future use |
The encoded dates (bytes 64–66) are detailed below.
Revised Compressed Certificate Format (Format 1)
Updated Compressed Certificate Format: Byte 70 and Byte 71
🔧 Key Format Revisions
- Byte 70: Format Version Update. The Format Version (lower 4 bits) is incremented from 0 to 1 to reflect the new encoding scheme.
- Byte 71: Bit Reallocation. The byte that is reserved in format 0 now carries the two additional high-order bits of each year field, as broken down below.
Field Composition Breakdown
- issue_year is now constructed using:
  - Byte 64 → Bits 3 to 7 (5 bits)
  - Byte 71 → Bits 6 and 7 (2 bits)
  - Total: 7 bits → allows representing years from 0 to 127

  issue_year = { Byte 64 :: Bits 3–7 } + { Byte 71 :: Bits 6–7 }
- expire_years is now constructed using:
  - Byte 66 → Bits 0 to 4 (5 bits)
  - Byte 71 → Bits 4 and 5 (2 bits)
  - Total: 7 bits → allows representing years from 0 to 127

  expire_years = { Byte 66 :: Bits 0–4 } + { Byte 71 :: Bits 4–5 }
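The bit layout above, decoded and encoded in C as an added illustration. This is not cryptoauthlib's own atcacert code; the names comp_cert_decode_years, comp_cert_encode_years and comp_cert_decode_years_format0 are made up for this example. It assumes that the year fields are offsets from the year 2000 (consistent with a 5-bit field running out at 2031) and that the two bits taken from byte 71 are the high-order bits of each 7-bit value, as the "7 bits → 0 to 127" totals imply. The format-0-only decoder models why a device provisioned after 2031 is incompatible with a library that does not know format 1: the same 72 bytes read back as a different issue year and validity period. It does not reproduce the exact code path of any particular older CAL release.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMP_CERT_SIZE      72
#define COMP_CERT_YEAR_BASE 2000   /* assumption: year fields are offsets from 2000 */

typedef struct {
    uint8_t format_version;   /* byte 70, low 4 bits */
    int     issue_year;       /* absolute issue year */
    int     expire_years;     /* validity period in years */
} comp_cert_dates_t;

/* Format 0 view: 5-bit fields only, byte 71 ignored.  Models a reader without
 * format 1 support; it does not reproduce any specific older CAL release. */
void comp_cert_decode_years_format0(const uint8_t cert[COMP_CERT_SIZE],
                                    comp_cert_dates_t *out)
{
    out->format_version = 0;
    out->issue_year   = COMP_CERT_YEAR_BASE + ((cert[64] >> 3) & 0x1F);
    out->expire_years = cert[66] & 0x1F;
}

/* Decode issue_year / expire_years for format 0 and format 1.
 * Returns 0 on success, -1 for a NULL pointer or an unknown format version. */
int comp_cert_decode_years(const uint8_t cert[COMP_CERT_SIZE], comp_cert_dates_t *out)
{
    if (cert == NULL || out == NULL) return -1;
    uint8_t fmt = cert[70] & 0x0F;
    if (fmt > 1) return -1;

    unsigned issue  = (cert[64] >> 3) & 0x1F;   /* byte 64, bits 3-7 */
    unsigned expire =  cert[66]       & 0x1F;   /* byte 66, bits 0-4 */
    if (fmt == 1) {
        /* assumption: the two bits in byte 71 are the high-order bits of each 7-bit value */
        issue  |= (unsigned)((cert[71] >> 6) & 0x03) << 5;  /* byte 71, bits 6-7 */
        expire |= (unsigned)((cert[71] >> 4) & 0x03) << 5;  /* byte 71, bits 4-5 */
    }
    out->format_version = fmt;
    out->issue_year     = COMP_CERT_YEAR_BASE + (int)issue;
    out->expire_years   = (int)expire;
    return 0;
}

/* Write the year fields, choosing format 0 when both values fit in 5 bits and
 * format 1 otherwise.  Unrelated bits of bytes 64, 66 and 70 are preserved.
 * Returns the format version written (0 or 1), or -1 if a value does not fit. */
int comp_cert_encode_years(uint8_t cert[COMP_CERT_SIZE], int issue_year, int expire_years)
{
    if (cert == NULL) return -1;
    int issue_off = issue_year - COMP_CERT_YEAR_BASE;
    if (issue_off < 0 || issue_off > 127 || expire_years < 0 || expire_years > 127)
        return -1;                               /* 7 bits is the ceiling even in format 1 */

    uint8_t fmt = (issue_off > 31 || expire_years > 31) ? 1 : 0;
    cert[64] = (uint8_t)((cert[64] & 0x07) | ((issue_off & 0x1F) << 3));
    cert[66] = (uint8_t)((cert[66] & 0xE0) | (expire_years & 0x1F));
    cert[70] = (uint8_t)((cert[70] & 0xF0) | fmt);
    if (fmt == 1) {
        /* low nibble of byte 71 is not defined by the format 1 description; keep it */
        cert[71] = (uint8_t)((cert[71] & 0x0F)
                 | (((issue_off    >> 5) & 0x03) << 6)
                 | (((expire_years >> 5) & 0x03) << 4));
    } else {
        cert[71] = 0;                            /* reserved in format 0 */
    }
    return fmt;
}

int main(void)
{
    uint8_t cert[COMP_CERT_SIZE];
    comp_cert_dates_t d;

    memset(cert, 0, sizeof cert);                /* constructed: signature etc. left zero */
    int fmt = comp_cert_encode_years(cert, 2035, 40);
    comp_cert_decode_years(cert, &d);
    printf("format %d: issue %d, expires after %d years (byte 71 = 0x%02X)\n",
           fmt, d.issue_year, d.expire_years, cert[71]);

    comp_cert_decode_years_format0(cert, &d);    /* what a format-0-only reader sees */
    printf("format-0 view: issue %d, expires after %d years\n",
           d.issue_year, d.expire_years);
    return 0;
}
```

Encoding 2035 with a 40-year validity lands in format 1 with byte 71 = 0x50 (bit 6 for the issue year, bit 4 for the expiry period); the format-0 view of the same bytes reports 2003 and 8 years, which is the silent truncation a pre-format-1 reader would produce if it did not reject the format version.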
Upgrade Options
For users seeking extended year (format 1) support, select the appropriate patch to add format-1 support on top of their current CAL code. This allows continued use of devices provisioned with either format 0 or 1 certificates.
CAL Version(s) | Patch to Apply |
---|---|
v3.3.3, v3.4.0, v3.5.0 | extended_year_v350.patch |
v3.6.0 | extended_year_v360.patch |
v3.6.1, v3.7.0 | extended_year_v370.patch |
v3.7.1, v3.7.2, v3.7.3 | extended_year_v371.patch |
v3.7.4 | extended_year_v374.patch |
>= v3.7.5 | Natively supported |
Applying Patch to CAL Library
From the table above, identify the patch that matches your cryptoauthlib version.
1. Download Patch Package
Download the patch release file from the official GitHub release page using your browser or a command-line tool:
Download Patch Release
Based on the upgrade requirement, select and copy the appropriate extended_year_v3xy.patch into your cryptoauthlib folder and apply it using the following command:

```sh
cd <cryptoauthlib folder>
git apply extended_year_v3xy.patch
```

Alternatively:

```sh
patch -p1 < extended_year_v3xy.patch
```

Check that the patch has been applied successfully: `git apply --check extended_year_v3xy.patch` run beforehand reports whether it applies cleanly, and afterwards the atcacert sources should show as modified.
2. Rebuild cryptoauthlib
Refer to the Configuration page for details on building CAL according to your existing build configuration.