[Nitrokey HSM] What are C.DevAut and C.DICA?

Hello again

I’ve compiled and have played with libsc-hsm-pkcs11.so.
When i try to list-object:
pkcs11-tool --module /usr/local/lib/libsc-hsm-pkcs11.so --login --pin XYZXYZ -O
I can see:

Using slot 0 with a present token (0x1)
Certificate Object; type = unknown cert type
label: C.DevAut
Certificate Object; type = unknown cert type
label: C.DICA

I can download it, but I cannot parse it as certificate with openssl.
But inside I can see OID:
{iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) 24991}
{itu-t(0) identified-organization(4) etsi(0) reserved(127) etsi-identified-organization(0) bsi-de(7) protocols(2) smartcards(2) 2 2 3}
With Smart Card Shell I don’t see those certs.

Initialization dont remove those certs.

  1. What are C.DevAut and C.DICA?
  2. What format of certs has been used?
  3. How can I show those certs?

C.DevAut is the Device Authentication certificate used for P2P authentication and key attestation.

C.DICA is the Device Issuer Certification Authority’s certificate that was used to produce the HSM.

There is also a C.SRCA for the Scheme Root Certification Authority that certifies production facilities. The C.SRCA is placed as trust-anchor in applications (e.g. in OpenSC.

All certificates are Card Verifiable Certificates as defined in BSI TR-03110.

In the Smart Card Shell the certificates are displayed in the shell window:

SmartCard-HSM Version 3.4 on JCOP 3          Free memory 50604 byte
Issuer : CVC id-SC-HSM DICA CAR=DESRCACC100001 CHR=DEDICC0400001     CED=22. Oktober 2015 CXD=21. Oktober 2023 
Device : CVC id-SC-HSM Device CAR=DEDICC0400001 CHR=DECC040100200000 CED=19. August 2020 CXD=21. Oktober 2023
1 Like

Thank you sc-hsm. You are very helpful.

Can I delete C.DevAut or C.DICA?
What negative impact (if any) should I expect?
If deleted, can I restore or recover those certs? (e.g. during HSM2 initialization)?

Is any tool to display in details BSI TR-03110 certs? Something like openssl x509 -in cert.pem -text ?

No, you can’t delete C.DevAut and C.DICA. They are stored in a read/only EF in the HSM.

There is a simple CVC-Explorer available for the Smart Card Shell.

1 Like