Document toolboxDocument toolbox

Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Example: Smart ID Mobile App certificate provisioning

Owned by Karolin Hemmingsson (Unlicensed)
Last updated: Nov 14, 2023 by Ylva AnderssonVersion comment
4 min read

 

Step-by-step instruction

  1. The application server sends provisioning request to Hermod in order to create a profile and generates keys. The certificate request data (certreq) is passed as a dummy CSR in P10 format. (Correct user info but dummy private key.) The client generates the private key locally and replaces the dummy key in the P10 and then sends the signed CSR back.
    See code example.

    Provisioning_cmd { "commandHeader":{ "lifespan":300, "timeout":300, "externalId":"my-id" }, "provCommand":{ "nonce":"123456789", "userid":"userA", "responsesignaturekey":"ATTESTATION", "responseformat":"jws", "profile":{ "servername":"nexus-cod1", "name":"TestProfile", "keygenrequests":[ { "keyid":"signer", "usage":"SIG", "keytypeprios":[ { "keytype":"RSA", "keylength":"2048", "responsemechanism":"RS256" } ], "storageprios":[ "APP" ], "keystate":"ACTIVE", "certreq":"MIIC2zCCAcMCAQAwgZUxCzAJBgNVBAYTAlNFMQwwCgYDVQQHDANTdG8xFzAVBgNVBAoMDk5leHVzIEdyb3VwIEFCMRgwFgYDVQQLDA9QZXJzb25hbCBNb2JpbGUxFzAVBgNVBAMMDkFuZGVycyBXYWxsYm9tMSwwKgYJKoZIhvcNAQkBFh1hbmRlcnMud2FsbGJvbUBuZXh1c2dyb3VwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALz8fB4D3GqijGSXOzLTgTJXOqPQVkVfGdDkeKUp3G5/43ZMtg/FuQDhg2mKP5cqEQBk+8VVPLEPfakTLuk/4YgQnjmC32UOQx8cbMgLM4X1C26zc/0eQZDcbpA/kbBWtAWErv3pHKOcamxheAjzYnXvD6IHKVXDouPFI7pNwOiaB3tONeuoefvp/OxTT3M/yjkwqF1w4f5NMaiYWYtZgUXKdJhKFkx0mzvCbVZPIkIgQht+UPkKJ22WkhRKqeSBLbP1XroMAcZqOiLvRLvkOWtPsz/WTZwvGxWDCHfv6ZyHf69MhYdePMjLB8IjVk0LhNIzGIPqmhT+Njb53/RgrfcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQApb0Pp3+1CdcZnhAlXmRq3/GWDRAgzB2ETZHT0NYB5Mq6BfckTpo55kh2D2N2x9c1S6045/I4FZve1zuguj61HL7364azWoC9zCfAzgfPYPy0AygabeRKBqZmtbKaLWOdsz27QQI1jxnINrMjY17ZM9AGkO2lAsijJTih1Qi6eA0nRZEKZRI4zWNLFDsk2hgJ0AgLr92VbcnIzBBOYGq51CC2vloFN9x0mD/Gbc7sdnhg952gOZlKvXdClSlGUieCk6AxmzcvsOgDyRdQlEUqGk2bS36b2oEbVYu6YCte8so7uBJqdeumzb2LUxcs66pKLjNV4L+RZcluLkL2Ab1jw" } ] } } }

     

 

  1. To start provisioning, send URI to the mobile device and click on it or render the URI as a QR code and scan it. The profile info including certificate request info can be displayed in the app.

    Example: Provisioning response

    { "responseHeader" : { "inReplyTo" : "https://ext-cod1.test.nexusgroup.com:20400/hermod/rest/ms/99678846-836a-42f2-99e4-1de31bca857f/72aec710-9337-4903-8b2d-f756359b51c9", "status" : 200 }, "provResponse" : { "code" : 0, "result" : { "contenttype" : "jws", "data" : "eyJhbGciOiJSUzI1NiIsImZxZG4iOiJleHQtY29kMS50ZXN0Lm5leHVzZ3JvdXAuY29tIiwic2NoIjoia2pUbFN6azIyUWJlaXAzUWJLM2lYKy9iMStWcVpuQmo4bDVRd0Yvem5oVT0iLCJqd2siOnsia3R5IjoiUlNBIiwibiNsZW4iOiIyMDU2IiwiYWxnIjoiUlMyNTYiLCJlIjoiQVFBQiIsImtpZCI6ImF0dGVzdGF0aW9uIiwidXNlIjoic2lnIiwibiI6IkFPSTdVLXBya0k4SFJLb2FKS0QzUXRUU05tc20xX3BfdWlYYjFRTHk5Z01TdUdqWjhITnJwVlQ0a2NSMVV1ZHczcE9LbmRuN05CZWM1YjkyQWdNNVd2U1B4R0RPWWZnSzN4S1JVYXl5d0ZEM0o2UlYxdlVYdGpXNHdMbXZ6R2J0WXdISFB5cnFoVDczS3JIaG5MaDJkcEozTU81U0NBV3VOYmlRNkVWbG5MZFN4WXBoRnhHdm5ncWNKRzZfREpoa29scjliX0xMVHQxNDl0R2t5WXFMN2FpTzZPalZ0SlJRZFVsSGFKRVZld2dvbUdCbllEV0RVdlhsSTNxQ2pJYlpBa3NvNzcwMTJxV250aV90ak5TSGJmRVFyLWRfSkc0d25xSmpVb2h3RTNWcjd1SUdCZktRWjE2UTlBZW9Hc2JIbHA0SGZJOXEtaTJpWnRuTkhRblNmTlUiLCJrZXlzdGF0ZSI6ImFjdGl2ZSJ9LCJub25jZSI6IjEyMzQ1Njc4OSJ9.eyJkZXZpY2VpbmZvIjp7Im9wZXJhdGluZ3N5c3RlbSI6ImlPUyAoMTEuMi42KSIsIm5hbWUiOiJBbmRlcnPigJlzIGlQaG9uZSIsIm1vZGVsIjoiaVBob25lIn0sInByb2ZpbGUiOnsic2lnbmVka2V5cyI6WyJleUpoYkdjaU9pSlNVekkxTmlJc0ltNXZibU5sSWpvaU1USXpORFUyTnpnNUlpd2lhMmxrSWpvaWMybG5ibVZ5SW4wLmV5SnJkSGtpT2lKU1UwRWlMQ0p1STJ4bGJpSTZJakl3TkRnaUxDSmhiR2NpT2lKU1V6STFOaUlzSW1VaU9pSkJVVUZDSWl3aWEybGtJam9pYzJsbmJtVnlJaXdpZFhObElqb2lVMGxISWl3aWJpSTZJbmhyY0dsRFMyd3dOVkpDUm1RMk9EVkZZMjVuYms5blNrVmxVbTQyVDFOeE9VNTBjM0poVkROcmNGRmZZbkp6VW5aYVRsaExVa2syYjBsbk56QTVVa3BSZFVsYVNXVXhVeTFwTTI1WFoyNDNVVEY0ZHpkRGEzY3hhRFYyYlc1VlRYWnBkMjlIYUhSdFJXcFVOMFZrUjJ4VlVWWkRWV0ZGZVhCaWNVdGFhVXRMUnpCWFFrTTBaMWhGTkVsV1ZtTldTbVl3Tm1wTmMyZEhhVmxWWjNGMGJ6WXRlbVEzWHpobFNIZzFWbXRwWW5BMVNFcFVNekEyWDBsNk5UWTFNa2RoVVU5SVJFc3hSSE5DV21GQmVEZzJVRmMxWW5CcmNtOVhVRTVYYkdWMFoweHVZbWsyVldJNGRWOU5UazVpZFRJelRHMDJYMUpQVmpGd2EzUndYMkZ4VmpJd1NWRjBlV3hETUhWZk1uaFdObWxtYUROa2VISkNhMFZTVlZOcFQzbDVNRTV4UlhWTU5qSm9TbFJsU3kwMU1tTmtXVk5sZGtKQ1psODVVWFJXV0hCQmFuTjZZM050VG1KcFptUllTVTFGTW1sdlozSlFVU0lzSW1ObGNuUnlaWEVpT2lKTlNVbERNbnBEUTBGalRVTkJVVUYzWjFwVmVFTjZRVXBDWjA1V1FrRlpWRUZzVGtaTlVYZDNRMmRaUkZaUlVVaEVRVTVVWkVjNGVFWjZRVlpDWjA1V1FrRnZUVVJyTld4bFNGWjZTVVZrZVdJelZuZEpSVVpEVFZKbmQwWm5XVVJXVVZGTVJFRTVVVnBZU25waU1qVm9Za05DVG1JeVNuQmlSMVY0Um5wQlZrSm5UbFpDUVUxTlJHdEdkVnBIVm5samVVSllXVmQ0YzFsdE9YUk5VM2QzUzJkWlNrdHZXa2xvZG1OT1FWRnJRa1pvTVdoaWJWSnNZMjVOZFdReVJuTmlSMHAyWWxWQ2RWcFlhREZqTW1SNVlqTldkMHh0VG5aaVZFTkRRVk5KZDBSUldVcExiMXBKYUhaalRrRlJSVUpDVVVGRVoyZEZVRUZFUTBOQlVXOURaMmRGUWtGTldrdFpaMmx3WkU5VlVWSllaWFpQVWtoS05FcDZiME5TU0d0YUsycHJjWFpVWW1KTE1tczVOVXRWVURJMk4wVmlNbFJXZVd0VFQzRkRTVTg1VUZWVFZVeHBSMU5JZEZWMmIzUTFNVzlLS3pCT1kyTlBkM0JOVGxsbFlqVndNVVJNTkhOTFFtOWlXbWhKTUN0NFNGSndWa1ZHVVd4SGFFMXhWelpwYlZscGFXaDBSbWRSZFVsR2VFOURSbFpZUmxOWU9VOXZla3hKUW05dFJrbExjbUZQZG5NelpTOHZTR2c0WlZaYVNXMDJaVko1VlRrNVQzWjVUU3RsZFdSb2JXdEVhSGQ1ZEZFM1FWZFhaMDFtVDJveGRWYzJXa3MyUm1wNlZuQlljbGxETlRJMGRXeEhMMHgyZWtSVVZ6ZDBkSGsxZFhZd1ZHeGtZVnBNWVdZeWNXeGtkRU5GVEdOd1VYUk1kamx6Vm1WdmJqUmtNMk5oZDFwQ1JWWkZiMnB6YzNSRVlXaE1hU3QwYjFOVk0ybDJkV1J1U0ZkRmJuSjNVVmd2TDFWTVZsWTJVVWszVFROTVNtcFhORzR6Vm5sRVFrNXZjVWxMZWpCRFFYZEZRVUZoUVVGTlFUQkhRMU54UjFOSllqTkVVVVZDUTNkVlFVRTBTVUpCVVVKRE9VOHdaVEIzUVhRdmFHUnJZbFV6ZDJWd04wUjVVM0Y0UW5GQ05qZzFPRWcyUzNGM1RIQm9SMVp5WVc1U1dtNUxZbk5WZVROMFYzbHpXa05OYzBweGFFRmpjemhUTVROS1drdEdPRmQ1TjBoVE1HRlNkM0pJVGxCWlNVUmpaVzF2UkcxelIyODNTRVl5U0VaWFJuWXpWWGxqVjJKVk1WSTVSemN2TkVnclRuVnZUSHB0Y1ZOMGNEZ3lPRk5RWnpScGIyNDRSVU5KTVRkdlZXNWpXVEZ2YjI0d1ZVeE9jMjVvT0VWcmNUbExhM0pQYURJMlZrZENNRGgyV2tsT01rRmplRWxvWkRod1NFeGFLeXRFZUZOUVIzcEZhMVYzUzBnclJXODFaSEZtUVd4RGVXaGliRmQ0TVdaUFpITlVabFZ3WVhsVGJWUjBRWEJUVjNJeFFVdHlUblJrYnpFeVpUQlpWa1pUVm1aSlpTOU9WakJvUmxScVdIVm5XR3RtTW1wcVJqVTFiREpZY1VRME9WaDVaVEJXU0dwMVYyMXFPRWRRSzNCVGVWcEZOMDlVVWs5T2JVeHFaMmg1YWxkdVRVbEZTRzl4VlNJc0ltdGxlWE4wWVhSbElqb2lZV04wYVhabEluMC5IWWNUcVhBc01aY0NEb1N6V3o5WkIzbGtqUWdOc0p4eWJHM1hEajlCS0dsZG5lVkNDZTFiSm5rLUdYbmFBMTZKeUtDNFdTYThqdVBUVkZidlJRay1ndTd3bUpnbWs2bi1uUktWN19KUDhqOUltOTk5Ml92amduSUVMWXIxMUlQN3NoM2hDSnhVbXZiZk1zWkhWM3lzVUxqc0FFWmlrenFRTFVwRzJ2d1VRZk5EYW1wZmJMVWw0UW8tME53Z3lkWElvSmxHRkI5VjhwRFg5Z2N0cGpZaWp0ckhOMWpUNWFlb0R6RzNMak00dnFrVVpDb2N6aXpEWFVreFZycnlkMFJiQ29KbUR6UFNDeFRRbkVPaENyZ2FNOWlQMFdIQ0hkdVppazJyY1NoZTNuRVpvbjlGeHh0WUFmVDl3R216YkNMU0llaXZiN3UxUjhURnJndGNhR2Vqc0EiXSwic2VydmVybmFtZSI6Im5leHVzLWNvZDEiLCJuYW1lIjoiVGVzdFByb2ZpbGUiLCJ1c2VyaWQiOiJ1c2VyQSIsImlkIjoiMzA1MWU5ZjMtMGU0ZC00MzZiLWE1MTItMmUxOGQ4YWZlMTM0IiwiYm94dXJsIjoiaHR0cHM6Ly9leHQtY29kMS50ZXN0Lm5leHVzZ3JvdXAuY29tOjIwNDAwL2hlcm1vZC9yZXN0L21zL2QwNzI5MmRmLWY3NWMtNDUzNC04NTY3LTY0Mjk1M2I2ZDg4NyJ9fQ.El_ZJ24VPn0IleEqSt6cN0oQwDnSZGmPluvHGO-Rhr2Y7z4qV2R_XSoz_RxKyZbI91UX8FkH-L8qLHUiRdwA3Ak0VsAK0MIKfr6c54LTl11khBUj5ejjIOndKnXu8GAIK0dJA8LSbtRxv2nfyQ88y2r0nqvgHaElpGZPVYQUssFjEIhFf0ZrKKLmXhw5CLs1mkk0ye3qo2Uz5R2SM1mWiUYz5oC0XnjJ82ZOSvY6aLLwMsQRsBtDwBNpmJB7Z-etho1cXXOBGZmhnHrht9bn7gHCN3-0EpSP9o_u7ZvcXMQU9xcaiBtIpKXzoXyL7TLmfV6WT1mPEdgOgjUtIipCyQ" } }, "commandId" : "18092", "externalId" : "my-id", "destinations" : [ { "to" : "@tmp", "bid" : "99678846-836a-42f2-99e4-1de31bca857f", "uri" : "com.nexusgroup.plugout:///?url=https%3a%2f%2fext-cod1.test.nexusgroup.com%3A20400%2fhermod%2Frest%2Fms%2F99678846-836a-42f2-99e4-1de31bca857f&token=2dff6242-34d8-4d31-8ac8-c53a21341a03", "mid" : "72aec710-9337-4903-8b2d-f756359b51c9", "location" : "https://ext-cod1.test.nexusgroup.com:20400/hermod/rest/ms/99678846-836a-42f2-99e4-1de31bca857f/72aec710-9337-4903-8b2d-f756359b51c9" } ], "commandType" : "PROV", "state" : "COMPLETED", "fqdn" : "ext-cod1.test.nexusgroup.com" }

     

 

  1. The application server validates the provisioning response and it’s attestation signature. The application server should also validate the user details in the re-signed csr and the attestation certificate/key.

 

  1. The application server generates a certificate by sending the CSR request to the certificate management server using SCEP or equivalent protocol.

  2. The certificate is sent to the mobile as a base 64 encoded DER binary X509 format.

    Example: Certificate command

    { "commandHeader" : { "to" : [ "@userA" ], "lifespan" : 60, "timeout" : 60, "externalId" : "my-id" }, "certCommand" : { "profileid" : "3051e9f3-0e4d-436b-a512-2e18d8afe134", "certificates" : [ { "keyid" : "signer", "keystate" : "ACTIVE", "data" : "MIIDyDCCArCgAwIBAgIGAWK5wT0iMA0GCSqGSIb3DQEBCwUAMIGhMSUwIwYJKoZIhvcNAQkBFhZjb250YWN0QG5leHVzZ3JvdXAuY29tMRcwFQYDVQQDDA5oZXJtb2QtdGVzdGFwcDEYMBYGA1UECwwPUGVyc29uYWwgTW9iaWxlMQ4wDAYDVQQKDAVOZXh1czEUMBIGA1UEBwwLVGVsZWZvbnBsYW4xEjAQBgNVBAgMCVN0b2NraG9sbTELMAkGA1UEBhMCU0UwHhcNMTgwNDEyMTIwNzUxWhcNMTkwNDEyMTIwNzUxWjCBlTELMAkGA1UEBhMCU0UxDDAKBgNVBAcMA1N0bzEXMBUGA1UECgwOTmV4dXMgR3JvdXAgQUIxGDAWBgNVBAsMD1BlcnNvbmFsIE1vYmlsZTEXMBUGA1UEAwwOQW5kZXJzIFdhbGxib20xLDAqBgkqhkiG9w0BCQEWHWFuZGVycy53YWxsYm9tQG5leHVzZ3JvdXAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxkpiCKl05RBFd685EcngnOgJEeRn6OSq9NtsraT3kpQ/brsRvZNXKRI6oIg709RJQuIZIe1S+i3nWgn7Q1xw7Ckw1h5vmnUMviwoGhtmEjT7EdGlUQVCUaEypbqKZiKKG0WBC4gXE4IVVcVJf06jMsgGiYUgqto6+zd7/8eHx5Vkibp5HJT306/Iz5652GaQOHDK1DsBZaAx86PW5bpkroWPNWletgLnbi6Ub8u/MNNbu23Lm6/ROV1pktp/aqV20IQtylC0u/2xV6ifh3dxrBkERUSiOyy0NqEuL62hJTeK+52cdYSevBBf/9QtVXpAjszcsmNbifdXIME2iogrPQIDAQABoxAwDjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCctyxKe8+Z0prD90WsiJxE6SV9luKWTWzBRVzFoG2id/4xaxn3S3tImY2kcWq6JFjaadlQ9DBNw9qWxei3P4QcZqB27fEosuL8SHWoDhWjBNMuuxR2eBeu0oKAKuv/Jg6kiy3Rl03Ol5HEJjRBvUTug+BSBJ3wxQ3nGY6p9alm8IK8B/Hnmmgb5OEEF1juU12KYJJOrnGEP6IzJcscf+suJi9EofI11aCLwuyGizg6XTLF7kmU7gx9AorbAvfePyMtOn4YrWU6Ir7+GS0e7bJEKUiiXsm76T/0nebpORUJ+AbNG7QnAl095gGdrzK05U09YYZTde7hKY/CNugAOD3b" } ] } }

     

 

 

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions