Device’s certificate and public key

SpringCoreSE is the command-line tool that gives access to all the PKI and cryptographic features of the SpringCore device. See docs.springcard.com/books/Tools/SpringCore/SpringCoreSE for reference.

To work with certificates and public keys, OpenSSL is the tool to use. There are many tutorials on the web, for instance the OpenSSL PKI Tutorial at readthedocs.io.

Read ECC public key 13 (0D)

> SpringCoreSE atecc 13 getpub <PUBLIC KEY FILE> [DEVICE CONNECTION STRING]

Have a look over the public key:

> cat <PUBLIC KEY FILE>

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6sEYGlc4Cql7jrXhke81ZLvKMPC+
sKZdZJdqj1XZn4irGzMokqRK2PKO80xk7forIuzbnlw3OfVKM+NvPeGo0g==
-----END PUBLIC KEY-----

Dump the public key using OpenSSL:

> openssl ec -noout -text -inform PEM -in <PUBLIC KEY FILE> -pubin

read EC key
Public-Key: (256 bit)
pub:
    04:ea:c1:18:1a:57:38:0a:a9:7b:8e:b5:e1:91:ef:
    35:64:bb:ca:30:f0:be:b0:a6:5d:64:97:6a:8f:55:
    d9:9f:88:ab:1b:33:28:92:a4:4a:d8:f2:8e:f3:4c:
    64:ed:fa:2b:22:ec:db:9e:5c:37:39:f5:4a:33:e3:
    6f:3d:e1:a8:d2
ASN1 OID: prime256v1
NIST CURVE: P-256

Read X509 certificate 13 (0D)

> SpringCoreSE x509 getcrt 13 <CERTIFICATE FILE> [DEVICE CONNECTION STRING]

Have a look over the certificate:

> cat <CERTIFICATE FILE>

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Dump the certificate using OpenSSL:

> openssl x509 -noout -text -in <CERTIFICATE FILE>

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 369432948 (0x16051974)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = FR, ST = Ile-de-France, O = SpringCard, OU = SpringCore, CN = SpringCore Client CA
        Validity
            Not Before: Jan 22 09:14:28 2021 GMT
            Not After : Mar  6 09:14:28 2051 GMT
        Subject: C = FR, ST = Ile-de-France, O = SpringCard, OU = SpringCore Client, CN = 16051974
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:ea:c1:18:1a:57:38:0a:a9:7b:8e:b5:e1:91:ef:
                    35:64:bb:ca:30:f0:be:b0:a6:5d:64:97:6a:8f:55:
                    d9:9f:88:ab:1b:33:28:92:a4:4a:d8:f2:8e:f3:4c:
                    64:ed:fa:2b:22:ec:db:9e:5c:37:39:f5:4a:33:e3:
                    6f:3d:e1:a8:d2
                ASN1 OID: prime256v1
                NIST CURVE: P-256
    Signature Algorithm: sha256WithRSAEncryption
         4c:f4:a5:75:c4:a5:38:87:46:39:01:c5:98:7a:ae:af:2e:4f:
         61:2d:17:70:a3:0b:fe:23:4f:1a:f7:0e:9c:48:46:cc:aa:df:
         35:84:5c:55:72:d9:9a:7e:2e:43:03:95:b1:ce:1f:19:10:61:
         8f:e1:e2:35:09:28:95:ef:ca:88:a3:2f:ed:34:2e:49:dc:30:
         72:f3:a6:72:d8:32:36:48:b8:c9:40:a4:9a:3c:6c:41:05:4d:
         81:e0:e5:95:39:6c:d2:dc:b6:77:7e:d3:24:29:e6:ed:96:52:
         fb:f1:b5:b6:aa:da:d5:01:4c:f5:56:97:4a:f9:83:f2:ea:09:
         7e:26:fd:f6:0a:5a:fb:c8:55:ad:f4:59:56:ae:db:7b:95:d6:
         68:52:00:61:2b:90:e7:79:44:41:b5:dd:83:00:d9:91:c0:bf:
         b9:83:f6:7b:80:05:63:78:da:d7:78:ef:03:44:75:f5:43:9c:
         6b:14:52:1c:5f:da:4b:42:17:07:36:c9:1a:aa:ad:3e:ea:a0:
         92:5c:e9:1d:61:95:18:e5:e8:47:5a:c2:ea:21:46:a2:9a:6c:
         20:5e:27:e1:5b:4a:6e:d5:da:56:d1:a6:a2:8e:73:95:44:38:
         60:58:6f:c9:a5:c2:3f:67:c1:19:ac:ee:c9:fb:e7:53:34:dd:
         06:97:cd:d5

You may verify the following assertions:

  1. The public key exposed by the certificate is actually the public key returned by the SE (while the private key is kept totally secret),
  2. The complete subject of the certificate is C=FR,ST=Ile-de-France,O=SpringCard,OU=SpringCore Client,CN=Serial Number of the Device
  3. The certificate has been issued by C=FR,ST=Ile-de-France,O=SpringCard,OU=SpringCore,CN=SpringCore Client CA
  4. The Serial Number of the Certificate is equal to the Serial Number of the Device.
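The four assertions above, checked with a short standard-library Python script (an added example, not SpringCard's code): it decodes the public key PEM read from the SE, extracts the EC point from its DER structure, and compares it and the name fields with the certificate dump shown on this page. The function names are illustrative, and treating the CN as the hexadecimal form of the certificate serial number is an assumption drawn from this dump.

```python
import base64, re

# Copied from this page: the slot 13 PEM and an excerpt of the certificate dump.
PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6sEYGlc4Cql7jrXhke81ZLvKMPC+
sKZdZJdqj1XZn4irGzMokqRK2PKO80xk7forIuzbnlw3OfVKM+NvPeGo0g==
-----END PUBLIC KEY-----"""
CERT_DUMP = """Serial Number: 369432948 (0x16051974)
Issuer: C = FR, ST = Ile-de-France, O = SpringCard, OU = SpringCore, CN = SpringCore Client CA
Subject: C = FR, ST = Ile-de-France, O = SpringCard, OU = SpringCore Client, CN = 16051974
pub:
    04:ea:c1:18:1a:57:38:0a:a9:7b:8e:b5:e1:91:ef:
    35:64:bb:ca:30:f0:be:b0:a6:5d:64:97:6a:8f:55:
    d9:9f:88:ab:1b:33:28:92:a4:4a:d8:f2:8e:f3:4c:
    64:ed:fa:2b:22:ec:db:9e:5c:37:39:f5:4a:33:e3:
    6f:3d:e1:a8:d2
ASN1 OID: prime256v1"""
ISSUER = "C=FR,ST=Ile-de-France,O=SpringCard,OU=SpringCore,CN=SpringCore Client CA"
SUBJECT = "C=FR,ST=Ile-de-France,O=SpringCard,OU=SpringCore Client,CN="

def read_tlv(der, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def ec_point_from_pem(pem):
    """Raw EC point (04 || X || Y) carried by a SubjectPublicKeyInfo PEM."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, spki, _ = read_tlv(base64.b64decode(b64), 0)  # outer SEQUENCE
    _, _, pos = read_tlv(spki, 0)                    # skip AlgorithmIdentifier
    tag, bits, _ = read_tlv(spki, pos)               # BIT STRING, 0 unused bits
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("not a SubjectPublicKeyInfo")
    return bits[1:]

def check_device_cert(pem, dump):
    """Evaluate the page's four assertions (CN is compared to the hex serial)."""
    dn = lambda f: re.sub(r"\s*([=,])\s*", r"\1",
                          re.search(f + r": (.+)", dump).group(1).strip())
    pub = re.search(r"pub:\s*((?:[0-9a-f]{2}[:\s]*)+)", dump).group(1)
    serial = re.search(r"Serial Number: \d+ \(0x([0-9a-f]+)\)", dump).group(1)
    point = bytes.fromhex(re.sub(r"[:\s]", "", pub))
    return {"key_matches": ec_point_from_pem(pem) == point,
            "subject_ok": dn("Subject").startswith(SUBJECT),
            "issuer_ok": dn("Issuer") == ISSUER,
            "serial_is_cn": dn("Subject")[len(SUBJECT):].lower() == serial}
```

These are field comparisons only; they do not verify the certificate's signature against the CA certificate.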

CA certificate

The certificate of C=FR,ST=Ile-de-France,O=SpringCard,OU=SpringCore,CN=SpringCore Client CA is stored in slot 15 (0F). It can be retrieved as follows:

> SpringCoreSE x509 getcrt 15 SpringCard-SpringCore-Client.crt [DEVICE CONNECTION STRING]

Here’s the dump, for reference:

> openssl x509 -noout -text -in SpringCard-SpringCore-Client.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4125 (0x101d)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = FR, ST = Ile-de-France, L = Palaiseau, O = SpringCard, OU = SpringCore, CN = SpringCore Root CA
        Validity
            Not Before: Jan 21 15:14:24 2021 GMT
            Not After : Mar  5 15:14:24 2051 GMT
        Subject: C = FR, ST = Ile-de-France, O = SpringCard, OU = SpringCore, CN = SpringCore Client CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ae:fc:68:9b:40:22:1a:c5:9d:ea:3f:6e:a8:ec:
                    f2:02:1e:7e:cd:00:9c:f7:1f:08:82:2f:af:35:2b:
                    ea:82:8c:40:0f:88:e9:fd:a4:6a:b7:7f:04:4c:b5:
                    c8:40:60:0e:c1:30:3f:e2:b6:98:7e:e1:83:cb:81:
                    8c:06:fb:92:73:de:89:d2:34:93:62:71:59:48:1e:
                    df:bb:82:2d:e8:65:03:a3:93:d2:4a:29:24:e8:49:
                    dc:58:41:f7:a4:55:d8:9e:2f:7f:7e:d5:54:ec:ac:
                    18:4b:d8:6f:21:93:ee:a4:65:c5:73:3c:bd:98:be:
                    c7:a0:84:4f:ec:ad:d5:57:04:17:6e:e7:87:5b:cc:
                    86:02:a6:11:10:cc:ca:5c:4b:0d:f5:3b:ae:7c:7e:
                    29:9e:82:aa:8b:6f:03:9e:5e:0e:e9:cf:8b:61:2f:
                    5f:06:af:79:4b:96:e4:d6:fa:48:8c:df:19:97:42:
                    3b:02:ad:8d:04:63:40:e5:d1:f5:0e:e4:cd:28:80:
                    a5:ce:29:2d:81:db:39:67:aa:aa:ba:eb:62:46:59:
                    63:19:7e:22:d2:5f:cf:f4:26:f7:a3:be:47:9d:83:
                    0d:74:0b:58:81:ad:2c:b4:e8:93:8b:3e:7c:ee:88:
                    12:48:b8:95:2d:6c:70:b1:3f:10:c5:68:71:54:96:
                    cf:b9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                F3:83:F9:7A:C9:F5:51:B4:3E:28:59:03:F1:2E:6C:DD:8C:47:5B:BC
            X509v3 Authority Key Identifier:
                keyid:85:68:31:AE:D2:3F:4A:C4:E2:2B:0B:06:20:88:C5:93:A5:DD:92:54

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         a7:40:e8:09:88:40:a6:28:84:30:ab:c4:b9:d8:8d:a3:9e:da:
         de:43:68:18:b9:ea:fb:7d:58:8d:5e:ad:09:52:d4:9e:f4:53:
         57:41:5f:8c:23:11:ba:3e:bd:27:00:a5:82:82:04:c6:95:f0:
         73:bb:b7:c6:33:af:98:6f:11:2e:91:3a:12:72:85:7c:4a:0d:
         47:bc:b9:37:dd:ee:df:57:7c:56:7a:24:10:c6:8e:1e:c8:d4:
         d1:e2:dd:d5:55:f3:13:c9:95:e4:da:45:b5:99:e2:46:56:1c:
         84:f6:fb:68:df:04:d6:a7:c3:0e:5c:e1:26:35:b4:b4:6f:14:
         4d:1d:0e:4f:d2:18:bd:de:5e:03:5a:4e:54:ac:8a:2c:dd:2a:
         25:1a:47:96:40:29:f3:b6:c0:27:f5:53:6e:69:c6:f3:a1:1d:
         ab:d3:11:fd:1b:7e:b5:c9:10:6f:36:cf:83:b8:25:29:d9:30:
         17:ec:16:c0:82:20:b5:4b:43:bf:4a:db:94:35:33:48:8b:f7:
         9b:d2:52:6c:3d:53:11:a5:9f:b7:f2:31:a2:9e:13:75:6f:1e:
         1b:9c:32:73:02:6c:c0:6a:4c:e6:df:e1:70:d2:7f:82:98:8f:
         a7:a4:93:9b:1e:48:aa:b0:5c:b7:57:ab:bc:d7:ee:9d:67:16:
         c0:84:50:45

You may also download this certificate here: SpringCard-SpringCore-Client.crt.