AuthenticateClient Response Payload

The LPAd takes the response produced by the eUICC in the previous AuthenticateServer step and presents euiccSigned1, euiccSignature1 and the eUICC’s certificates to the SM-DP+ in the AuthenticateClient request:

The transaction ID and the base64 encoded authenticateServerResponse are sent by the LPAd to the SM-DP+:

The authenticateServerResponse field is produced by the eUICC and returned to the LPAd. It includes TransactionID, eUICCSigned1, eUICCSignature1 and the eUICC certificate as well as the EUM certificate.

Subsequently, the LPAd sends this data, base64 encoded, to the SM-DP+ in the AuthenticateClient request. The following notes deconstruct the decoded hexadecimal.
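The following is an added example, not code from the original page or from the GSMA specification: it base64-decodes the authenticateServerResponse, walks its BER-TLV structure, and checks that the transaction ID inside eUICCSigned1 matches the one sent alongside it. The JSON key `transactionId`, the tag values (BF38, A0, 80, 5F37, BF22) and all sample bytes are assumptions or constructed values; confirm the tags against the SGP.22 ASN.1 before relying on them.

```python
import base64, json

def read_tlv(buf, pos=0):                   # returns (tag, value, next_pos)
    tag, pos = buf[pos], pos + 1
    if tag & 0x1F == 0x1F:                  # multi-byte tag such as BF38 or 5F37
        tag, pos = (tag << 8) | buf[pos], pos + 1
        while tag & 0x80:                   # bit 8 set: another tag byte follows
            tag, pos = (tag << 8) | buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):                        # split a constructed value into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_authenticate_client(body_json):
    """Return (member tags of authenticateResponseOk, whether transaction IDs match)."""
    body = json.loads(body_json)
    der = base64.b64decode(body["authenticateServerResponse"], validate=True)
    tag, val, end = read_tlv(der)
    if tag != 0xBF38 or end != len(der):    # assumed tag of AuthenticateServerResponse
        raise ValueError("not a single AuthenticateServerResponse")
    choice, ok, _ = read_tlv(val)
    if choice != 0xA0:                      # assumed [0] = authenticateResponseOk
        raise ValueError("not authenticateResponseOk")
    members = children(ok)                  # eUICCSigned1, signature, two certificates
    signed1 = dict(children(members[0][1])) # eUICCSigned1 is the first member
    same = signed1.get(0x80, b"").hex() == body["transactionId"].lower()
    return [f"{t:X}" for t, _ in members], same

def tlv(tag_hex, value):                    # builder used only for the constructed sample
    n = len(value)
    return bytes.fromhex(tag_hex) + (bytes([n]) if n < 128 else bytes([0x81, n])) + value
TID = bytes(range(16))                      # constructed values, not a real capture
SIGNED1 = tlv("30", tlv("80", TID) + tlv("83", b"smdp.example") + tlv("84", bytes(16))
              + tlv("BF22", b"") + tlv("A0", tlv("80", b"MATCH-1") + tlv("A1", b"")))
RESPONSE = tlv("BF38", tlv("A0", SIGNED1 + tlv("5F37", bytes(64)) + tlv("30", b"") * 2))
SAMPLE = json.dumps({"transactionId": TID.hex().upper(),
                     "authenticateServerResponse": base64.b64encode(RESPONSE).decode()})
```

Calling `inspect_authenticate_client(SAMPLE)` returns the member tags in the order the notes describe (eUICCSigned1, eUICCSignature1, eUICC certificate, EUM certificate) together with the result of the transaction ID comparison.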

eUICCSigned1 is provided first, containing:

The eUICCInfo2 data structure follows along with the Matching ID and the LPAd generated ctxParams1:

ctxParams1 is generated by the LPAd and contains the Matching ID along with a Device Info data structure:

The eUICCSignature1 follows:

And finally the eUICC and EUM certificates are included:

Notice that the eUICC certificate contains the EID, expressed as a serial number in the subject line:

SGP.22 v3.0 section

The response includes profileMetaData, which is provided to the LPAd so that it can display profile information to the user. Note that the user confirmation code isn’t required if it wasn’t originally requested. Whether or not the LPAd displays any information to the user is also left to the client implementation.

smdpSigned2, smdpSignature2 and smdpCertificate are forwarded on by the LPAd to be checked by the eUICC:

The profileMetaData decoded payload:

The smdpSigned2 decoded payload:

