diff --git a/src/hsm/cvc.h b/src/hsm/cvc.h
index e4ca224..8f0c3f4 100644
--- a/src/hsm/cvc.h
+++ b/src/hsm/cvc.h
@@ -45,5 +45,6 @@ extern const uint8_t *cvc_get_chr(const uint8_t *data, size_t len, size_t *olen)
 extern const uint8_t *cvc_get_pub(const uint8_t *data, size_t len, size_t *olen);
 extern int cvc_verify(const uint8_t *cert, size_t cert_len, const uint8_t *ca, size_t ca_len);
 extern mbedtls_ecp_group_id cvc_inherite_ec_group(const uint8_t *ca, size_t ca_len);
+extern int puk_verify(const uint8_t *sig, size_t sig_len, const uint8_t *hash, size_t hash_len, const uint8_t *ca, size_t ca_len);
 #endif
diff --git a/src/hsm/sc_hsm.c b/src/hsm/sc_hsm.c
index 5751f0d..d488faa 100644
--- a/src/hsm/sc_hsm.c
+++ b/src/hsm/sc_hsm.c
@@ -2316,9 +2316,18 @@ int cmd_pso() {
 int cmd_external_authenticate() {
 if (P1(apdu) != 0x0 || P2(apdu) != 0x0)
 return SW_INCORRECT_P1P2();
- uint8_t *input = (uint8_t *)calloc(dev_name_len+challenge_len, sizeof(uint8_t));
-
+ if (ef_puk_aut == NULL)
+ return SW_REFERENCE_NOT_FOUND();
+ if (apdu.nc == 0)
+ return SW_WRONG_LENGTH();
+ uint8_t *input = (uint8_t *)calloc(dev_name_len+challenge_len, sizeof(uint8_t)), hash[32];
+ memcpy(input, dev_name, dev_name_len);
+ memcpy(input+dev_name_len, challenge, challenge_len);
+ hash256(input, dev_name_len+challenge_len, hash);
+ int r = puk_verify(apdu.data, apdu.nc, hash, 32, file_get_data(ef_puk_aut), file_get_size(ef_puk_aut));
 free(input);
+ if (r != 0)
+ return SW_CONDITIONS_NOT_SATISFIED();
 return SW_OK();
 }
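Review bot: The `calloc` result is now dereferenced by the two `memcpy` calls in `cmd_external_authenticate` without a NULL check, whereas before this change the buffer was only allocated and freed; add `if (input == NULL)` with an early return of an existing error status word right after the allocation. The hunk also does not show whether `dev_name` and `challenge` are guaranteed to be set at this point: if no challenge has been requested yet, the code would either copy from an unset pointer or hash only the device name, so a guard on `challenge_len` (and `dev_name_len`) before hashing seems warranted. Since the challenge is what makes the signature fresh, it is worth confirming that it is invalidated after each verification attempt, successful or not, so a captured signature cannot be accepted a second time; nothing in the visible lines clears it. Minor: pass `sizeof(hash)` rather than the literal `32` to `puk_verify`.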