STI-PA-TC-021

Verify CRL URL is contained in the SPCToken response

You can send SPC Token request with the following API:

https://authenticate-api-stg.iconectiv.com/api/v1/account/281K/token/

Your request data should be as follows:

{ "atc": 
  { "tktype": "TNAuthList", 
     "tkvalue": "MAigBhzzMjgxSw==", 
     "ca": false, 
     "fingerprint":  "SHA256 49:55:78:7F:34:14:81:67:99:48:DC:54:21:DA:F4:79:C7:41:29:06:BF:A5:38:DF:9E:03:97:6A:2C:53:CC:3B" 
     }}

In the request data, "tktype" and "ca" are fixed value.

You will get back the following data from server:

{"status":"success",
"message":"SPC token for spc: 111K is created successfully",
"token":"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1dSI6Imh0dHBzOi8vYXV0aGVudGljYXRlLWFwaS1zdGcuaWNvbmVjdGl2LmNvbS9kb3dubG9hZC92MS9jZXJ0aWZpY2F0ZS9jZXJ0aWZpY2F0ZUlkXzk3NTc0LmNydCJ9.eyJleHAiOjE2ODk5MTkwNjMsImp0aSI6IjUxOTE3NWNiLTY5OTgtNDA3NC05YWVhLTBkYTUxNzVhMTYyMiIsImF0YyI6eyJ0a3R5cGUiOiJUTkF1dGhMaXN0IiwidGt2YWx1ZSI6Ik1BaWdCaFlFTWpneFN3PT0iLCJjYSI6ZmFsc2UsImZpbmdlcnByaW50IjoiU0hBMjU2IDQ5OjU1Ojc4OjdGOjQyOjE3OjgxOjY3Ojk5OjQ4OkRDOjU0OjIxOkRBOkY0Ojc5OkM3OjQxOjI5OjA2OkJGOkE1OjM4OkRGOjlFOjAxOjk3OjZBOjJDOjUzOkNDOjNCIn19.yZsMAjzQ0fBx4hUQBR-E-exUwRHrFn4_utPuSJrraJYjI2K3eCfjNwVuMSCkAx9MQrUofB0d9hmDnZ_AblOCUQ",
"crl":"https://authenticate-api-stg.iconectiv.com/download/v1/crl"}

The recovered SPC Token is as follows:

{"alg":"ES256","typ":"JWT",
"x5u":"https://authenticate-api-stg.iconectiv.com/download/v1/certificate/certificateId_973374.crt"}
{"exp":1689919063,"jti":"519175cb-6998-4074-9aea-0da5175a1622","atc":{"tktype":"TNAuthList","tkvalue":"MAigBh33jgxSw==",
"ca":false,
"fingerprint":"SHA256 22:33:78:7F:42:17:81:45:99:3:DC:54:21:DA:F4:79:C7:41:29:06:BF:A5:38:DF:9E:01:97:6A:2C:53:CC:3B"}}

How to generate "tkvalue"

tkvalue is a base64-encoded X509 extension and you can create it using openssl CLI tool with the following steps:

Step 1: Create ssl .conf file

cat << EOF > tnauthlist.conf
asn1=SEQUENCE:tn_auth_list
[tn_auth_list]
field1=EXP:0,IA5:<UPPERCASE OCN>
EOF

Step 2: Create extension

openssl asn1parse -genconf tnauthlist.conf -noout -out tnauthlist.der

Step 3: Encode

cat tnauthlist.der | base64

Here is a full example:

% cat << EOF > tnauthlist.conf
asn1=SEQUENCE:tn_auth_list
[tn_auth_list]
field1=EXP:0,IA5:818H
EOF

% openssl asn1parse -genconf tnauthlist.conf -noout -out tnauthlist.der

% cat tnauthlist.der | base64
MAigBhYEODE4SA==

How to generate "fingerprint"

Firstly, you need to create a private key using the following command:

openssl ecparam -genkey -name prime256v1 -out ./private_key.pem

The above command will create your private key and store it in a file called "private_key.pem."

After you create your own private key, then you can generate fingerprint with the following commands:

% openssl ec -pubout -inform PEM -outform DER -in ./private.key.pem 2> /dev/null | openssl sha256 | awk '{ gsub(/.{2}/,"&:",$2); print "SHA256 " toupper(substr($2, 1, length($2) - 1))  }'

SHA256 D8:FC:D2:1E:52:7E:85:A5:DB:34:1F:0A:0A:67:17:55:70:9A:A1:50:34:16:BF:E6:E5:AB:AD:84:73:73:E8:A8

PreviousSTI-PA-TC-026 NextSTI-PA-TC-019

Last updated 3 years ago