Authenticity check

SpringCore devices carry a digital signature, computed by SpringCard using a private key, as proof that they are genuine.

The signed message is the “fingerprint” of the device itself, computed over the hardware identifiers and serial numbers of all the key electronic parts in the device.

Verifying this signature against the corresponding public key allows the buyer to confirm that the device was actually manufactured by SpringCard.

Operation

Read the device’s fingerprint

SCardControl / Direct command

<<< 58 E1 // GET_SEAL_SUBJECT
>>> 58 00 433D46522C4F3D537072696E6743617264... // fingerprint (71 bytes)

Using SpringCoreTool.exe

To ‘see’ the device’s Seal subject, use:

> SpringCoreTool seal-subject --dump
subject=C=FR,O=SpringCard,OU=SpringCore,CN=8A07A5AD-9655-058D-3F9C-8D1E38AC900D

To write the device’s Seal subject into a file, use:

> SpringCoreTool seal-subject subject.txt

Read the device’s signature

SCardControl / Direct command

<<< 58 E3 // GET_SEAL_SIGNATURE
>>> 58 00 63EFF1... // signature (256 bytes)

Using SpringCoreTool.exe

To ‘see’ the device’s Seal, use:

> SpringCoreTool seal-get --dump
seal

To write the device’s Seal into a file, use:

> SpringCoreTool seal-get seal.bin

Verify the signature given the public key

Use the following public key to verify the signature (file SpringCard-SpringCore-SEALs.pub.pem):

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvRJNrIOv+PM2mU9xBkXt
L/bLjpYjF40In7dohfQF7Qdh/Vl0doHEqNaeuoQ9aVLels/EKIE87/zz+krWuug9
mK6+5Jzno9mD38ymqCYglPJGZJYS3B4sekeOY/D1Jvc2fj5odopCvEfesNJguEXm
+JvqrD8XPJbijYHXRQ5oyLYztzXaDjgsFX7+ocUZU9V0RGrEIU8/rWO7riY3io43
quiDlCnJJmA6MJ6W+nfwPIRcHQtUXsLcR37COrF3dL6lAaGmbr5Z1G6witbAm9OO
88d8ENVD+99b/wOUiy9qAs4L+KZ7dG+30/+ZU4bI3YLgyUVqmwhnHHeZp6zsSggh
VwIDAQAB
-----END PUBLIC KEY-----

You may also extract the same public key from the certificate file SpringCard-SpringCore-SEALs.crt.

Verification using OpenSSL

> openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify SpringCard-SpringCore-SEALs.pub.pem -signature seal.bin subject.txt

OpenSSL shall return

Verified OK
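
The steps above as one script, for the case where the fingerprint and signature come from the direct commands rather than from SpringCoreTool. This is an added example, not SpringCard code: the helper names are hypothetical, and because SpringCard's private key is not available, a throwaway RSA key generated on the spot signs the sample subject shown earlier. It assumes subject.txt must hold exactly the fingerprint bytes, and shows that a trailing newline makes verification fail.

```shell
#!/bin/sh
# Added example; payload_to_file, verify_seal and make_demo are hypothetical helper names.

# Strip the "58 00" header of a direct-command response and write the payload as raw bytes.
payload_to_file() {   # $1 = response as hex text, $2 = output file
    hex=$(printf '%s' "$1" | tr -d ' \n')
    case "$hex" in
        5800*) hex=${hex#5800} ;;
        *) echo "unexpected response header" >&2; return 1 ;;
    esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || { echo "odd number of hex digits" >&2; return 1; }
    : > "$2"
    for b in $(printf '%s' "$hex" | sed 's/../& /g'); do
        printf "\\$(printf '%03o' "0x$b")" >> "$2"   # one byte, via an octal escape
    done
}

# Run the page's OpenSSL check; exit status 0 corresponds to "Verified OK".
verify_seal() {       # $1 = public key (PEM), $2 = subject file, $3 = seal file
    [ "$(wc -c < "$3" | tr -d ' ')" -eq 256 ] || { echo "seal is not 256 bytes" >&2; return 1; }
    openssl dgst -sha256 -sigopt rsa_padding_mode:pss \
        -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Constructed test data: a throwaway RSA-2048 key stands in for SpringCard's private key,
# and the message is the sample subject printed by "seal-subject --dump" on the page.
make_demo() {         # prints the directory holding the generated files
    d=$(mktemp -d) || return 1
    {
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/test.key"
        openssl pkey -in "$d/test.key" -pubout -out "$d/test.pub.pem"
        printf '%s' 'C=FR,O=SpringCard,OU=SpringCore,CN=8A07A5AD-9655-058D-3F9C-8D1E38AC900D' > "$d/msg"
        openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sign "$d/test.key" -out "$d/sig" "$d/msg"
    } >/dev/null 2>&1
    # Round-trip both values through the "58 00 <hex>" form a direct command returns.
    payload_to_file "58 00 $(od -An -v -tx1 "$d/msg" | tr -d ' \n')" "$d/subject.txt"
    payload_to_file "58 00 $(od -An -v -tx1 "$d/sig" | tr -d ' \n')" "$d/seal.bin"
    { cat "$d/subject.txt"; echo; } > "$d/subject-newline.txt"   # same text plus "\n"
    echo "$d"
}

d=$(make_demo) || exit 1
verify_seal "$d/test.pub.pem" "$d/subject.txt" "$d/seal.bin" && echo "exact subject: Verified OK"
verify_seal "$d/test.pub.pem" "$d/subject-newline.txt" "$d/seal.bin" || echo "trailing newline: rejected"
```

For a real device, pass SpringCard-SpringCore-SEALs.pub.pem to verify_seal together with the subject and seal files read from that device.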