]> git.zerfleddert.de Git - proxmark3-svn/blame_incremental - client/emv/emvcore.c
projects / proxmark3-svn / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Add ROCA vulnerability test (RRG repository PR 76 by @merlokk) (#762)
[proxmark3-svn] / client / emv / emvcore.c
... / ...
CommitLineData
1//-----------------------------------------------------------------------------
2// Copyright (C) 2017 Merlok
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// EMV core functions
9//-----------------------------------------------------------------------------
10
11#include "emvcore.h"
12#include "emvjson.h"
13#include "util_posix.h"
14#ifdef WITH_SMARTCARD
15#include "cmdsmartcard.h"
16#endif
17
18// Got from here. Thanks)
19// https://eftlab.co.uk/index.php/site-map/knowledge-base/211-emv-aid-rid-pix
20static const char *PSElist [] = {
21 "325041592E5359532E4444463031", // 2PAY.SYS.DDF01 - Visa Proximity Payment System Environment - PPSE
22 "315041592E5359532E4444463031" // 1PAY.SYS.DDF01 - Visa Payment System Environment - PSE
23};
24//static const size_t PSElistLen = sizeof(PSElist)/sizeof(char*);
25
26char *TransactionTypeStr[] = {
27 "MSD",
28 "VSDC",
29 "qVCDCMCHIP",
30 "CDA"
31};
32
33typedef struct {
34 enum CardPSVendor vendor;
35 const char* aid;
36} TAIDList;
37
38static const TAIDList AIDlist [] = {
39 // Visa International
40 { CV_VISA, "A00000000305076010"}, // VISA ELO Credit
41 { CV_VISA, "A0000000031010" }, // VISA Debit/Credit (Classic)
42 { CV_VISA, "A000000003101001" }, // VISA Credit
43 { CV_VISA, "A000000003101002" }, // VISA Debit
44 { CV_VISA, "A0000000032010" }, // VISA Electron
45 { CV_VISA, "A0000000032020" }, // VISA
46 { CV_VISA, "A0000000033010" }, // VISA Interlink
47 { CV_VISA, "A0000000034010" }, // VISA Specific
48 { CV_VISA, "A0000000035010" }, // VISA Specific
49 { CV_VISA, "A0000000036010" }, // Domestic Visa Cash Stored Value
50 { CV_VISA, "A0000000036020" }, // International Visa Cash Stored Value
51 { CV_VISA, "A0000000038002" }, // VISA Auth, VisaRemAuthen EMV-CAP (DPA)
52 { CV_VISA, "A0000000038010" }, // VISA Plus
53 { CV_VISA, "A0000000039010" }, // VISA Loyalty
54 { CV_VISA, "A000000003999910" }, // VISA Proprietary ATM
55 // Visa USA
56 { CV_VISA, "A000000098" }, // Debit Card
57 { CV_VISA, "A0000000980848" }, // Debit Card
58 // Mastercard International
59 { CV_MASTERCARD, "A00000000401" }, // MasterCard PayPass
60 { CV_MASTERCARD, "A0000000041010" }, // MasterCard Credit
61 { CV_MASTERCARD, "A00000000410101213" }, // MasterCard Credit
62 { CV_MASTERCARD, "A00000000410101215" }, // MasterCard Credit
63 { CV_MASTERCARD, "A0000000042010" }, // MasterCard Specific
64 { CV_MASTERCARD, "A0000000043010" }, // MasterCard Specific
65 { CV_MASTERCARD, "A0000000043060" }, // Maestro (Debit)
66 { CV_MASTERCARD, "A000000004306001" }, // Maestro (Debit)
67 { CV_MASTERCARD, "A0000000044010" }, // MasterCard Specific
68 { CV_MASTERCARD, "A0000000045010" }, // MasterCard Specific
69 { CV_MASTERCARD, "A0000000046000" }, // Cirrus
70 { CV_MASTERCARD, "A0000000048002" }, // SecureCode Auth EMV-CAP
71 { CV_MASTERCARD, "A0000000049999" }, // MasterCard PayPass
72 // American Express
73 { CV_AMERICANEXPRESS, "A000000025" },
74 { CV_AMERICANEXPRESS, "A0000000250000" },
75 { CV_AMERICANEXPRESS, "A00000002501" },
76 { CV_AMERICANEXPRESS, "A000000025010402" },
77 { CV_AMERICANEXPRESS, "A000000025010701" },
78 { CV_AMERICANEXPRESS, "A000000025010801" },
79 // Groupement des Cartes Bancaires "CB"
80 { CV_CB, "A0000000421010" }, // Cartes Bancaire EMV Card
81 { CV_CB, "A0000000422010" },
82 { CV_CB, "A0000000423010" },
83 { CV_CB, "A0000000424010" },
84 { CV_CB, "A0000000425010" },
85 // JCB CO., LTD.
86 { CV_JCB, "A00000006510" }, // JCB
87 { CV_JCB, "A0000000651010" }, // JCB J Smart Credit
88 // Other
89 { CV_OTHER, "A0000001544442" }, // Banricompras Debito - Banrisul - Banco do Estado do Rio Grande do SUL - S.A.
90 { CV_OTHER, "F0000000030001" }, // BRADESCO
91 { CV_OTHER, "A0000005241010" }, // RuPay - RuPay
92 { CV_OTHER, "D5780000021010" } // Bankaxept - Bankaxept
93};
94static const size_t AIDlistLen = sizeof(AIDlist)/sizeof(TAIDList);
95
96static bool APDULogging = false;
97void SetAPDULogging(bool logging) {
98 APDULogging = logging;
99}
100
101enum CardPSVendor GetCardPSVendor(uint8_t * AID, size_t AIDlen) {
102 char buf[100] = {0};
103 if (AIDlen < 1)
104 return CV_NA;
105
106 hex_to_buffer((uint8_t *)buf, AID, AIDlen, sizeof(buf) - 1, 0, 0, true);
107
108 for(int i = 0; i < AIDlistLen; i ++) {
109 if (strncmp(AIDlist[i].aid, buf, strlen(AIDlist[i].aid)) == 0){
110 return AIDlist[i].vendor;
111 }
112 }
113
114 return CV_NA;
115}
116
117static bool print_cb(void *data, const struct tlv *tlv, int level, bool is_leaf) {
118 emv_tag_dump(tlv, stdout, level);
119 if (is_leaf) {
120 dump_buffer(tlv->value, tlv->len, stdout, level);
121 }
122
123 return true;
124}
125
126bool TLVPrintFromBuffer(uint8_t *data, int datalen) {
127 struct tlvdb *t = NULL;
128 t = tlvdb_parse_multi(data, datalen);
129 if (t) {
130 PrintAndLogEx(NORMAL, "-------------------- TLV decoded --------------------");
131
132 tlvdb_visit(t, print_cb, NULL, 0);
133 tlvdb_free(t);
134 return true;
135 } else {
136 PrintAndLogEx(WARNING, "TLV ERROR: Can't parse response as TLV tree.");
137 }
138 return false;
139}
140
141void TLVPrintFromTLVLev(struct tlvdb *tlv, int level) {
142 if (!tlv)
143 return;
144
145 tlvdb_visit(tlv, print_cb, NULL, level);
146}
147
148void TLVPrintFromTLV(struct tlvdb *tlv) {
149 TLVPrintFromTLVLev(tlv, 0);
150}
151
152void TLVPrintAIDlistFromSelectTLV(struct tlvdb *tlv) {
153 PrintAndLogEx(NORMAL, "|------------------|--------|-------------------------|");
154 PrintAndLogEx(NORMAL, "| AID |Priority| Name |");
155 PrintAndLogEx(NORMAL, "|------------------|--------|-------------------------|");
156
157 struct tlvdb *ttmp = tlvdb_find(tlv, 0x6f);
158 if (!ttmp)
159 PrintAndLogEx(NORMAL, "| none |");
160
161 while (ttmp) {
162 const struct tlv *tgAID = tlvdb_get_inchild(ttmp, 0x84, NULL);
163 const struct tlv *tgName = tlvdb_get_inchild(ttmp, 0x50, NULL);
164 const struct tlv *tgPrio = tlvdb_get_inchild(ttmp, 0x87, NULL);
165 if (!tgAID)
166 break;
167 PrintAndLogEx(NORMAL, "|%s| %s |%s|",
168 sprint_hex_inrow_ex(tgAID->value, tgAID->len, 18),
169 (tgPrio) ? sprint_hex(tgPrio->value, 1) : " ",
170 (tgName) ? sprint_ascii_ex(tgName->value, tgName->len, 25) : " ");
171
172 ttmp = tlvdb_find_next(ttmp, 0x6f);
173 }
174
175 PrintAndLogEx(NORMAL, "|------------------|--------|-------------------------|");
176}
177
178struct tlvdb *GetPANFromTrack2(const struct tlv *track2) {
179 char track2Hex[200] = {0};
180 uint8_t PAN[100] = {0};
181 int PANlen = 0;
182 char *tmp = track2Hex;
183
184 if (!track2)
185 return NULL;
186
187 for (int i = 0; i < track2->len; ++i, tmp += 2)
188 sprintf(tmp, "%02x", (unsigned int)track2->value[i]);
189
190 int posD = strchr(track2Hex, 'd') - track2Hex;
191 if (posD < 1)
192 return NULL;
193
194 track2Hex[posD] = 0;
195 if (strlen(track2Hex) % 2) {
196 track2Hex[posD] = 'F';
197 track2Hex[posD + 1] = '\0';
198 }
199
200 param_gethex_to_eol(track2Hex, 0, PAN, sizeof(PAN), &PANlen);
201
202 return tlvdb_fixed(0x5a, PANlen, PAN);
203}
204
205struct tlvdb *GetdCVVRawFromTrack2(const struct tlv *track2) {
206 char track2Hex[200] = {0};
207 char dCVVHex[100] = {0};
208 uint8_t dCVV[100] = {0};
209 int dCVVlen = 0;
210 const int PINlen = 5; // must calculated from 9F67 MSD Offset but i have not seen this tag)
211 char *tmp = track2Hex;
212
213 if (!track2)
214 return NULL;
215
216 for (int i = 0; i < track2->len; ++i, tmp += 2)
217 sprintf(tmp, "%02x", (unsigned int)track2->value[i]);
218
219 int posD = strchr(track2Hex, 'd') - track2Hex;
220 if (posD < 1)
221 return NULL;
222
223 memset(dCVVHex, '0', 32);
224 // ATC
225 memcpy(dCVVHex + 0, track2Hex + posD + PINlen + 11, 4);
226 // PAN 5 hex
227 memcpy(dCVVHex + 4, track2Hex, 5);
228 // expire date
229 memcpy(dCVVHex + 9, track2Hex + posD + 1, 4);
230 // service code
231 memcpy(dCVVHex + 13, track2Hex + posD + 5, 3);
232
233 param_gethex_to_eol(dCVVHex, 0, dCVV, sizeof(dCVV), &dCVVlen);
234
235 return tlvdb_fixed(0x02, dCVVlen, dCVV);
236}
237
238int EMVExchangeEx(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, sAPDU apdu, bool IncludeLe, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
239 uint8_t data[APDU_RES_LEN] = {0};
240
241 *ResultLen = 0;
242 if (sw) *sw = 0;
243 uint16_t isw = 0;
244 int res = 0;
245
246 if (ActivateField) {
247 DropField();
248 msleep(50);
249 }
250
251 // COMPUTE APDU
252 memcpy(data, &apdu, 5);
253 if (apdu.data)
254 memcpy(&data[5], apdu.data, apdu.Lc);
255
256 if (APDULogging)
257 PrintAndLogEx(SUCCESS, ">>>> %s", sprint_hex(data, (IncludeLe?6:5) + apdu.Lc));
258
259 switch(channel) {
260 case ECC_CONTACTLESS:
261 // 6 byes + data = INS + CLA + P1 + P2 + Lc + <data = Nc> + Le(?IncludeLe)
262 res = ExchangeAPDU14a(data, (IncludeLe?6:5) + apdu.Lc, ActivateField, LeaveFieldON, Result, (int)MaxResultLen, (int *)ResultLen);
263 if (res) {
264 return res;
265 }
266 break;
267 case ECC_CONTACT:
268 //int ExchangeAPDUSC(uint8_t *datain, int datainlen, bool activateCard, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);
269#ifdef WITH_SMARTCARD
270 res = ExchangeAPDUSC(data, (IncludeLe?6:5) + apdu.Lc, ActivateField, LeaveFieldON, Result, (int)MaxResultLen, (int *)ResultLen);
271 if (res) {
272 return res;
273 }
274#endif
275 break;
276 }
277
278 if (APDULogging)
279 PrintAndLogEx(SUCCESS, "<<<< %s", sprint_hex(Result, *ResultLen));
280
281 if (*ResultLen < 2) {
282 return 200;
283 }
284
285 *ResultLen -= 2;
286 isw = Result[*ResultLen] * 0x0100 + Result[*ResultLen + 1];
287 if (sw)
288 *sw = isw;
289
290 if (isw != 0x9000) {
291 if (APDULogging) {
292 if (*sw >> 8 == 0x61) {
293 PrintAndLogEx(ERR, "APDU chaining len:%02x -->", *sw & 0xff);
294 } else {
295 PrintAndLogEx(ERR, "APDU(%02x%02x) ERROR: [%4X] %s", apdu.CLA, apdu.INS, isw, GetAPDUCodeDescription(*sw >> 8, *sw & 0xff));
296 return 5;
297 }
298 }
299 }
300
301 // add to tlv tree
302 if (tlv) {
303 struct tlvdb *t = tlvdb_parse_multi(Result, *ResultLen);
304 tlvdb_add(tlv, t);
305 }
306
307 return 0;
308}
309
310int EMVExchange(EMVCommandChannel channel, bool LeaveFieldON, sAPDU apdu, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
311 return EMVExchangeEx(channel, false, LeaveFieldON, apdu, (channel == ECC_CONTACTLESS), Result, MaxResultLen, ResultLen, sw, tlv);
312}
313
314int EMVSelect(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, uint8_t *AID, size_t AIDLen, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
315 return EMVExchangeEx(channel, ActivateField, LeaveFieldON, (sAPDU){0x00, 0xa4, 0x04, 0x00, AIDLen, AID}, (channel == ECC_CONTACTLESS), Result, MaxResultLen, ResultLen, sw, tlv);
316}
317
318int EMVSelectPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, uint8_t PSENum, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw) {
319 uint8_t buf[APDU_AID_LEN] = {0};
320 *ResultLen = 0;
321 int len = 0;
322 int res = 0;
323 switch (PSENum) {
324 case 1:
325 param_gethex_to_eol(PSElist[1], 0, buf, sizeof(buf), &len);
326 break;
327 case 2:
328 param_gethex_to_eol(PSElist[0], 0, buf, sizeof(buf), &len);
329 break;
330 default:
331 return -1;
332 }
333
334 // select
335 res = EMVSelect(channel, ActivateField, LeaveFieldON, buf, len, Result, MaxResultLen, ResultLen, sw, NULL);
336
337 return res;
338}
339
340int EMVSearchPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, uint8_t PSENum, bool decodeTLV, struct tlvdb *tlv) {
341 uint8_t data[APDU_RES_LEN] = {0};
342 size_t datalen = 0;
343 uint16_t sw = 0;
344 int res;
345
346 // select PPSE
347 res = EMVSelectPSE(channel, ActivateField, true, PSENum, data, sizeof(data), &datalen, &sw);
348
349 if (!res){
350 struct tlvdb *t = NULL;
351 t = tlvdb_parse_multi(data, datalen);
352 if (t) {
353 int retrycnt = 0;
354 struct tlvdb *ttmp = tlvdb_find_path(t, (tlv_tag_t[]){0x6f, 0xa5, 0xbf0c, 0x61, 0x00});
355 if (!ttmp)
356 PrintAndLogEx(FAILED, "PPSE don't have records.");
357
358 while (ttmp) {
359 const struct tlv *tgAID = tlvdb_get_inchild(ttmp, 0x4f, NULL);
360 if (tgAID) {
361 res = EMVSelect(channel, false, true, (uint8_t *)tgAID->value, tgAID->len, data, sizeof(data), &datalen, &sw, tlv);
362
363 // retry if error and not returned sw error
364 if (res && res != 5) {
365 if (++retrycnt < 3){
366 continue;
367 } else {
368 // card select error, proxmark error
369 if (res == 1) {
370 PrintAndLogEx(WARNING, "Exit...");
371 return 1;
372 }
373
374 retrycnt = 0;
375 PrintAndLogEx(NORMAL, "Retry failed [%s]. Skiped...", sprint_hex_inrow(tgAID->value, tgAID->len));
376 }
377
378 // next element
379 ttmp = tlvdb_find_next(ttmp, 0x61);
380 continue;
381 }
382 retrycnt = 0;
383
384 // all is ok
385 if (decodeTLV){
386 PrintAndLogEx(NORMAL, "%s:", sprint_hex_inrow(tgAID->value, tgAID->len));
387 TLVPrintFromBuffer(data, datalen);
388 }
389 }
390
391 ttmp = tlvdb_find_next(ttmp, 0x61);
392 }
393
394 tlvdb_free(t);
395 } else {
396 PrintAndLogEx(WARNING, "PPSE ERROR: Can't get TLV from response.");
397 }
398 } else {
399 PrintAndLogEx(WARNING, "PPSE ERROR: Can't select PPSE AID. Error: %d", res);
400 }
401
402 if(!LeaveFieldON)
403 DropField();
404
405 return res;
406}
407
408int EMVSearch(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, bool decodeTLV, struct tlvdb *tlv) {
409 uint8_t aidbuf[APDU_AID_LEN] = {0};
410 int aidlen = 0;
411 uint8_t data[APDU_RES_LEN] = {0};
412 size_t datalen = 0;
413 uint16_t sw = 0;
414
415 int res = 0;
416 int retrycnt = 0;
417 for(int i = 0; i < AIDlistLen; i ++) {
418 param_gethex_to_eol(AIDlist[i].aid, 0, aidbuf, sizeof(aidbuf), &aidlen);
419 res = EMVSelect(channel, (i == 0) ? ActivateField : false, (i == AIDlistLen - 1) ? LeaveFieldON : true, aidbuf, aidlen, data, sizeof(data), &datalen, &sw, tlv);
420 // retry if error and not returned sw error
421 if (res && res != 5) {
422 if (++retrycnt < 3){
423 i--;
424 } else {
425 // (1) - card select error, proxmark error OR (200) - result length = 0
426 if (res == 1 || res == 200) {
427 PrintAndLogEx(WARNING, "Exit...");
428 return 1;
429 }
430
431 retrycnt = 0;
432 PrintAndLogEx(FAILED, "Retry failed [%s]. Skipped...", AIDlist[i].aid);
433 }
434 continue;
435 }
436 retrycnt = 0;
437
438 if (res)
439 continue;
440
441 if (!datalen)
442 continue;
443
444 if (decodeTLV) {
445 PrintAndLogEx(SUCCESS, "%s", AIDlist[i].aid);
446 TLVPrintFromBuffer(data, datalen);
447 }
448 }
449
450 return 0;
451}
452
453int EMVSelectApplication(struct tlvdb *tlv, uint8_t *AID, size_t *AIDlen) {
454 // check priority. 0x00 - highest
455 int prio = 0xffff;
456
457 *AIDlen = 0;
458
459 struct tlvdb *ttmp = tlvdb_find(tlv, 0x6f);
460 if (!ttmp)
461 return 1;
462
463 while (ttmp) {
464 const struct tlv *tgAID = tlvdb_get_inchild(ttmp, 0x84, NULL);
465 const struct tlv *tgPrio = tlvdb_get_inchild(ttmp, 0x87, NULL);
466
467 if (!tgAID)
468 break;
469
470 if (tgPrio) {
471 int pt = bytes_to_num((uint8_t*)tgPrio->value, (tgPrio->len < 2) ? tgPrio->len : 2);
472 if (pt < prio) {
473 prio = pt;
474
475 memcpy(AID, tgAID->value, tgAID->len);
476 *AIDlen = tgAID->len;
477 }
478 } else {
479 // takes the first application from list wo priority
480 if (!*AIDlen) {
481 memcpy(AID, tgAID->value, tgAID->len);
482 *AIDlen = tgAID->len;
483 }
484 }
485
486 ttmp = tlvdb_find_next(ttmp, 0x6f);
487 }
488
489 return 0;
490}
491
492int EMVGPO(EMVCommandChannel channel, bool LeaveFieldON, uint8_t *PDOL, size_t PDOLLen, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
493 return EMVExchange(channel, LeaveFieldON, (sAPDU){0x80, 0xa8, 0x00, 0x00, PDOLLen, PDOL}, Result, MaxResultLen, ResultLen, sw, tlv);
494}
495
496int EMVReadRecord(EMVCommandChannel channel, bool LeaveFieldON, uint8_t SFI, uint8_t SFIrec, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
497 int res = EMVExchange(channel, LeaveFieldON, (sAPDU){0x00, 0xb2, SFIrec, (SFI << 3) | 0x04, 0, NULL}, Result, MaxResultLen, ResultLen, sw, tlv);
498 if (*sw == 0x6700) {
499 PrintAndLogEx(INFO, ">>> trying to reissue command withouth Le...");
500 res = EMVExchangeEx(channel, false, LeaveFieldON, (sAPDU){0x00, 0xb2, SFIrec, (SFI << 3) | 0x04, 0, NULL}, false, Result, MaxResultLen, ResultLen, sw, tlv);
501 }
502 return res;
503}
504
505int EMVAC(EMVCommandChannel channel, bool LeaveFieldON, uint8_t RefControl, uint8_t *CDOL, size_t CDOLLen, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
506 return EMVExchange(channel, LeaveFieldON, (sAPDU){0x80, 0xae, RefControl, 0x00, CDOLLen, CDOL}, Result, MaxResultLen, ResultLen, sw, tlv);
507}
508
509int EMVGenerateChallenge(EMVCommandChannel channel, bool LeaveFieldON, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
510 int res = EMVExchange(channel, LeaveFieldON, (sAPDU){0x00, 0x84, 0x00, 0x00, 0x00, NULL}, Result, MaxResultLen, ResultLen, sw, tlv);
511 if (*sw == 0x6700) {
512 PrintAndLogEx(INFO, ">>> trying to reissue command withouth Le...");
513 res = EMVExchangeEx(channel, false, LeaveFieldON, (sAPDU){0x00, 0x84, 0x00, 0x00, 0x00, NULL}, false, Result, MaxResultLen, ResultLen, sw, tlv);
514 }
515 return res;
516}
517
518int EMVInternalAuthenticate(EMVCommandChannel channel, bool LeaveFieldON, uint8_t *DDOL, size_t DDOLLen, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
519 return EMVExchange(channel, LeaveFieldON, (sAPDU){0x00, 0x88, 0x00, 0x00, DDOLLen, DDOL}, Result, MaxResultLen, ResultLen, sw, tlv);
520}
521
522int MSCComputeCryptoChecksum(EMVCommandChannel channel, bool LeaveFieldON, uint8_t *UDOL, uint8_t UDOLlen, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
523 return EMVExchange(channel, LeaveFieldON, (sAPDU){0x80, 0x2a, 0x8e, 0x80, UDOLlen, UDOL}, Result, MaxResultLen, ResultLen, sw, tlv);
524}
525
526// Authentication
527struct emv_pk *get_ca_pk(struct tlvdb *db) {
528 const struct tlv *df_tlv = tlvdb_get(db, 0x84, NULL);
529 const struct tlv *caidx_tlv = tlvdb_get(db, 0x8f, NULL);
530
531 if (!df_tlv || !caidx_tlv || df_tlv->len < 6 || caidx_tlv->len != 1)
532 return NULL;
533
534 PrintAndLogEx(NORMAL, "CA public key index 0x%0x", caidx_tlv->value[0]);
535 return emv_pk_get_ca_pk(df_tlv->value, caidx_tlv->value[0]);
536}
537
538int trSDA(struct tlvdb *tlv) {
539
540 struct emv_pk *pk = get_ca_pk(tlv);
541 if (!pk) {
542 PrintAndLogEx(WARNING, "Error: Key not found. Exit.");
543 return 2;
544 }
545
546 struct emv_pk *issuer_pk = emv_pki_recover_issuer_cert(pk, tlv);
547 if (!issuer_pk) {
548 emv_pk_free(pk);
549 PrintAndLogEx(WARNING, "Error: Issuer certificate not found. Exit.");
550 return 2;
551 }
552
553 PrintAndLogEx(SUCCESS, "Issuer PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx",
554 issuer_pk->rid[0],
555 issuer_pk->rid[1],
556 issuer_pk->rid[2],
557 issuer_pk->rid[3],
558 issuer_pk->rid[4],
559 issuer_pk->index,
560 issuer_pk->serial[0],
561 issuer_pk->serial[1],
562 issuer_pk->serial[2]
563 );
564
565 const struct tlv *sda_tlv = tlvdb_get(tlv, 0x21, NULL);
566 if (!sda_tlv || sda_tlv->len < 1) {
567 emv_pk_free(issuer_pk);
568 emv_pk_free(pk);
569 PrintAndLogEx(WARNING, "Can't find input list for Offline Data Authentication. Exit.");
570 return 3;
571 }
572
573 struct tlvdb *dac_db = emv_pki_recover_dac(issuer_pk, tlv, sda_tlv);
574 if (dac_db) {
575 const struct tlv *dac_tlv = tlvdb_get(dac_db, 0x9f45, NULL);
576 PrintAndLogEx(NORMAL, "SDA verified OK. (%02hhx:%02hhx)\n", dac_tlv->value[0], dac_tlv->value[1]);
577 tlvdb_add(tlv, dac_db);
578 } else {
579 emv_pk_free(issuer_pk);
580 emv_pk_free(pk);
581 PrintAndLogEx(WARNING, "SSAD verify error");
582 return 4;
583 }
584
585 emv_pk_free(issuer_pk);
586 emv_pk_free(pk);
587 return 0;
588}
589
590static const unsigned char default_ddol_value[] = {0x9f, 0x37, 0x04};
591static struct tlv default_ddol_tlv = {.tag = 0x9f49, .len = 3, .value = default_ddol_value };
592
593int trDDA(EMVCommandChannel channel, bool decodeTLV, struct tlvdb *tlv) {
594 uint8_t buf[APDU_RES_LEN] = {0};
595 size_t len = 0;
596 uint16_t sw = 0;
597
598 struct emv_pk *pk = get_ca_pk(tlv);
599 if (!pk) {
600 PrintAndLogEx(WARNING, "Error: Key not found. Exit.");
601 return 2;
602 }
603
604 const struct tlv *sda_tlv = tlvdb_get(tlv, 0x21, NULL);
605 if (!sda_tlv || sda_tlv->len < 1) {
606 emv_pk_free(pk);
607 PrintAndLogEx(WARNING, "Error: Can't find input list for Offline Data Authentication. Exit.");
608 return 3;
609 }
610
611 struct emv_pk *issuer_pk = emv_pki_recover_issuer_cert(pk, tlv);
612 if (!issuer_pk) {
613 emv_pk_free(pk);
614 PrintAndLogEx(WARNING, "Error: Issuer certificate not found. Exit.");
615 return 2;
616 }
617 PrintAndLogEx(SUCCESS, "Issuer PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
618 issuer_pk->rid[0],
619 issuer_pk->rid[1],
620 issuer_pk->rid[2],
621 issuer_pk->rid[3],
622 issuer_pk->rid[4],
623 issuer_pk->index,
624 issuer_pk->serial[0],
625 issuer_pk->serial[1],
626 issuer_pk->serial[2]
627 );
628
629 struct emv_pk *icc_pk = emv_pki_recover_icc_cert(issuer_pk, tlv, sda_tlv);
630 if (!icc_pk) {
631 emv_pk_free(pk);
632 emv_pk_free(issuer_pk);
633 PrintAndLogEx(WARNING, "Error: ICC setrificate not found. Exit.");
634 return 2;
635 }
636 PrintAndLogEx(SUCCESS, "ICC PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
637 icc_pk->rid[0],
638 icc_pk->rid[1],
639 icc_pk->rid[2],
640 icc_pk->rid[3],
641 icc_pk->rid[4],
642 icc_pk->index,
643 icc_pk->serial[0],
644 icc_pk->serial[1],
645 icc_pk->serial[2]
646 );
647
648 struct emv_pk *icc_pe_pk = emv_pki_recover_icc_pe_cert(issuer_pk, tlv);
649 if (!icc_pe_pk) {
650 PrintAndLogEx(WARNING, "WARNING: ICC PE PK recover error. ");
651 } else {
652 PrintAndLogEx(SUCCESS, "ICC PE PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
653 icc_pe_pk->rid[0],
654 icc_pe_pk->rid[1],
655 icc_pe_pk->rid[2],
656 icc_pe_pk->rid[3],
657 icc_pe_pk->rid[4],
658 icc_pe_pk->index,
659 icc_pe_pk->serial[0],
660 icc_pe_pk->serial[1],
661 icc_pe_pk->serial[2]
662 );
663 }
664
665 // 9F4B: Signed Dynamic Application Data
666 const struct tlv *sdad_tlv = tlvdb_get(tlv, 0x9f4b, NULL);
667 // DDA with internal authenticate OR fDDA with filled 0x9F4B tag (GPO result)
668 // EMV kernel3 v2.4, contactless book C-3, C.1., page 147
669 if (sdad_tlv) {
670 PrintAndLogEx(NORMAL, "\n* * Got Signed Dynamic Application Data (9F4B) form GPO. Maybe fDDA...");
671
672 const struct tlvdb *atc_db = emv_pki_recover_atc_ex(icc_pk, tlv, true);
673 if (!atc_db) {
674 PrintAndLogEx(WARNING, "Error: Can't recover IDN (ICC Dynamic Number)");
675 emv_pk_free(pk);
676 emv_pk_free(issuer_pk);
677 emv_pk_free(icc_pk);
678 return 8;
679 }
680
681 // 9f36 Application Transaction Counter (ATC)
682 const struct tlv *atc_tlv = tlvdb_get(atc_db, 0x9f36, NULL);
683 if(atc_tlv) {
684 PrintAndLogEx(NORMAL, "\nATC (Application Transaction Counter) [%zu] %s", atc_tlv->len, sprint_hex_inrow(atc_tlv->value, atc_tlv->len));
685
686 const struct tlv *core_atc_tlv = tlvdb_get(tlv, 0x9f36, NULL);
687 if(tlv_equal(core_atc_tlv, atc_tlv)) {
688 PrintAndLogEx(SUCCESS, "ATC check OK.");
689 PrintAndLogEx(SUCCESS, "fDDA (fast DDA) verified OK.");
690 } else {
691 PrintAndLogEx(WARNING, "Error: fDDA verified, but ATC in the certificate and ATC in the record not the same.");
692 }
693 } else {
694 PrintAndLogEx(NORMAL, "\nERROR: fDDA (fast DDA) verify error");
695 emv_pk_free(pk);
696 emv_pk_free(issuer_pk);
697 emv_pk_free(icc_pk);
698 return 9;
699 }
700 } else {
701 struct tlvdb *dac_db = emv_pki_recover_dac(issuer_pk, tlv, sda_tlv);
702 if (dac_db) {
703 const struct tlv *dac_tlv = tlvdb_get(dac_db, 0x9f45, NULL);
704 PrintAndLogEx(NORMAL, "SDA verified OK. (%02hhx:%02hhx)\n", dac_tlv->value[0], dac_tlv->value[1]);
705 tlvdb_add(tlv, dac_db);
706 } else {
707 PrintAndLogEx(WARNING, "Error: SSAD verify error");
708 emv_pk_free(pk);
709 emv_pk_free(issuer_pk);
710 emv_pk_free(icc_pk);
711 return 4;
712 }
713
714 PrintAndLogEx(NORMAL, "\n* Calc DDOL");
715 const struct tlv *ddol_tlv = tlvdb_get(tlv, 0x9f49, NULL);
716 if (!ddol_tlv) {
717 ddol_tlv = &default_ddol_tlv;
718 PrintAndLogEx(NORMAL, "DDOL [9f49] not found. Using default DDOL");
719 }
720
721 struct tlv *ddol_data_tlv = dol_process(ddol_tlv, tlv, 0);
722 if (!ddol_data_tlv) {
723 PrintAndLogEx(WARNING, "Error: Can't create DDOL TLV");
724 emv_pk_free(pk);
725 emv_pk_free(issuer_pk);
726 emv_pk_free(icc_pk);
727 return 5;
728 }
729
730 PrintAndLogEx(NORMAL, "DDOL data[%d]: %s", ddol_data_tlv->len, sprint_hex(ddol_data_tlv->value, ddol_data_tlv->len));
731
732 PrintAndLogEx(NORMAL, "\n* Internal Authenticate");
733 int res = EMVInternalAuthenticate(channel, true, (uint8_t *)ddol_data_tlv->value, ddol_data_tlv->len, buf, sizeof(buf), &len, &sw, NULL);
734 if (res) {
735 PrintAndLogEx(WARNING, "Internal Authenticate error(%d): %4x. Exit...", res, sw);
736 free(ddol_data_tlv);
737 emv_pk_free(pk);
738 emv_pk_free(issuer_pk);
739 emv_pk_free(icc_pk);
740 return 6;
741 }
742
743 struct tlvdb *dda_db = NULL;
744 if (buf[0] == 0x80) {
745 if (len < 3 ) {
746 PrintAndLogEx(WARNING, "Error: Internal Authenticate format1 parsing error. length=%d", len);
747 } else {
748 // 9f4b Signed Dynamic Application Data
749 dda_db = tlvdb_fixed(0x9f4b, len - 2, buf + 2);
750 tlvdb_add(tlv, dda_db);
751 if (decodeTLV){
752 PrintAndLogEx(NORMAL, "* * Decode response format 1:");
753 TLVPrintFromTLV(dda_db);
754 }
755 }
756 } else {
757 dda_db = tlvdb_parse_multi(buf, len);
758 if(!dda_db) {
759 PrintAndLogEx(WARNING, "Error: Can't parse Internal Authenticate result as TLV");
760 free(ddol_data_tlv);
761 emv_pk_free(pk);
762 emv_pk_free(issuer_pk);
763 emv_pk_free(icc_pk);
764 return 7;
765 }
766 tlvdb_add(tlv, dda_db);
767
768 if (decodeTLV)
769 TLVPrintFromTLV(dda_db);
770 }
771
772 struct tlvdb *idn_db = emv_pki_recover_idn_ex(icc_pk, dda_db, ddol_data_tlv, true);
773 free(ddol_data_tlv);
774 if (!idn_db) {
775 PrintAndLogEx(WARNING, "Error: Can't recover IDN (ICC Dynamic Number)");
776 tlvdb_free(dda_db);
777 emv_pk_free(pk);
778 emv_pk_free(issuer_pk);
779 emv_pk_free(icc_pk);
780 return 8;
781 }
782 tlvdb_free(dda_db);
783
784 // 9f4c ICC Dynamic Number
785 const struct tlv *idn_tlv = tlvdb_get(idn_db, 0x9f4c, NULL);
786 if(idn_tlv) {
787 PrintAndLogEx(NORMAL, "\nIDN (ICC Dynamic Number) [%zu] %s", idn_tlv->len, sprint_hex_inrow(idn_tlv->value, idn_tlv->len));
788 PrintAndLogEx(NORMAL, "DDA verified OK.");
789 tlvdb_add(tlv, idn_db);
790 tlvdb_free(idn_db);
791 } else {
792 PrintAndLogEx(NORMAL, "\nERROR: DDA verify error");
793 tlvdb_free(idn_db);
794
795 emv_pk_free(pk);
796 emv_pk_free(issuer_pk);
797 emv_pk_free(icc_pk);
798 return 9;
799 }
800 }
801
802 emv_pk_free(pk);
803 emv_pk_free(issuer_pk);
804 emv_pk_free(icc_pk);
805 return 0;
806}
807
808int trCDA(struct tlvdb *tlv, struct tlvdb *ac_tlv, struct tlv *pdol_data_tlv, struct tlv *ac_data_tlv) {
809
810 struct emv_pk *pk = get_ca_pk(tlv);
811 if (!pk) {
812 PrintAndLogEx(WARNING, "Error: Key not found. Exit.");
813 return 2;
814 }
815
816 const struct tlv *sda_tlv = tlvdb_get(tlv, 0x21, NULL);
817 if (!sda_tlv || sda_tlv->len < 1) {
818 PrintAndLogEx(WARNING, "Error: Can't find input list for Offline Data Authentication. Exit.");
819 emv_pk_free(pk);
820 return 3;
821 }
822
823 struct emv_pk *issuer_pk = emv_pki_recover_issuer_cert(pk, tlv);
824 if (!issuer_pk) {
825 PrintAndLogEx(WARNING, "Error: Issuer certificate not found. Exit.");
826 emv_pk_free(pk);
827 return 2;
828 }
829 PrintAndLogEx(SUCCESS, "Issuer PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
830 issuer_pk->rid[0],
831 issuer_pk->rid[1],
832 issuer_pk->rid[2],
833 issuer_pk->rid[3],
834 issuer_pk->rid[4],
835 issuer_pk->index,
836 issuer_pk->serial[0],
837 issuer_pk->serial[1],
838 issuer_pk->serial[2]
839 );
840
841 struct emv_pk *icc_pk = emv_pki_recover_icc_cert(issuer_pk, tlv, sda_tlv);
842 if (!icc_pk) {
843 PrintAndLogEx(WARNING, "Error: ICC setrificate not found. Exit.");
844 emv_pk_free(pk);
845 emv_pk_free(issuer_pk);
846 return 2;
847 }
848 PrintAndLogEx(SUCCESS, "ICC PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
849 icc_pk->rid[0],
850 icc_pk->rid[1],
851 icc_pk->rid[2],
852 icc_pk->rid[3],
853 icc_pk->rid[4],
854 icc_pk->index,
855 icc_pk->serial[0],
856 icc_pk->serial[1],
857 icc_pk->serial[2]
858 );
859
860 struct tlvdb *dac_db = emv_pki_recover_dac(issuer_pk, tlv, sda_tlv);
861 if (dac_db) {
862 const struct tlv *dac_tlv = tlvdb_get(dac_db, 0x9f45, NULL);
863 PrintAndLogEx(NORMAL, "SSAD verified OK. (%02hhx:%02hhx)", dac_tlv->value[0], dac_tlv->value[1]);
864 tlvdb_add(tlv, dac_db);
865 } else {
866 PrintAndLogEx(WARNING, "Error: SSAD verify error");
867 emv_pk_free(pk);
868 emv_pk_free(issuer_pk);
869 emv_pk_free(icc_pk);
870 return 4;
871 }
872
873 PrintAndLogEx(NORMAL, "\n* * Check Signed Dynamic Application Data (SDAD)");
874 struct tlvdb *idn_db = emv_pki_perform_cda_ex(icc_pk, tlv, ac_tlv,
875 pdol_data_tlv, // pdol
876 ac_data_tlv, // cdol1
877 NULL, // cdol2
878 true);
879 if (idn_db) {
880 const struct tlv *idn_tlv = tlvdb_get(idn_db, 0x9f4c, NULL);
881 PrintAndLogEx(NORMAL, "\nIDN (ICC Dynamic Number) [%zu] %s", idn_tlv->len, sprint_hex_inrow(idn_tlv->value, idn_tlv->len));
882 PrintAndLogEx(NORMAL, "CDA verified OK.");
883 tlvdb_add(tlv, idn_db);
884 } else {
885 PrintAndLogEx(NORMAL, "\nERROR: CDA verify error");
886 }
887
888 emv_pk_free(pk);
889 emv_pk_free(issuer_pk);
890 emv_pk_free(icc_pk);
891 return 0;
892}
893
894int RecoveryCertificates(struct tlvdb *tlvRoot, json_t *root) {
895
896 struct emv_pk *pk = get_ca_pk(tlvRoot);
897 if (!pk) {
898 PrintAndLog("ERROR: Key not found. Exit.");
899 return 1;
900 }
901
902 struct emv_pk *issuer_pk = emv_pki_recover_issuer_cert(pk, tlvRoot);
903 if (!issuer_pk) {
904 emv_pk_free(pk);
905 PrintAndLog("WARNING: Issuer certificate not found. Exit.");
906 return 2;
907 }
908 PrintAndLogEx(SUCCESS, "Issuer PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx",
909 issuer_pk->rid[0],
910 issuer_pk->rid[1],
911 issuer_pk->rid[2],
912 issuer_pk->rid[3],
913 issuer_pk->rid[4],
914 issuer_pk->index,
915 issuer_pk->serial[0],
916 issuer_pk->serial[1],
917 issuer_pk->serial[2]
918 );
919
920 JsonSaveBufAsHex(root, "$.ApplicationData.RID", issuer_pk->rid, 5);
921
922 char *issuer_pk_c = emv_pk_dump_pk(issuer_pk);
923 JsonSaveStr(root, "$.ApplicationData.IssuerPublicKeyDec", issuer_pk_c);
924 JsonSaveBufAsHex(root, "$.ApplicationData.IssuerPublicKeyModulus", issuer_pk->modulus, issuer_pk->mlen);
925 free(issuer_pk_c);
926
927 struct emv_pk *icc_pk = emv_pki_recover_icc_cert(issuer_pk, tlvRoot, NULL);
928 if (!icc_pk) {
929 emv_pk_free(pk);
930 emv_pk_free(issuer_pk);
931 PrintAndLogEx(WARNING, "WARNING: ICC certificate not found. Exit.");
932 return 2;
933 }
934 PrintAndLogEx(SUCCESS, "ICC PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
935 icc_pk->rid[0],
936 icc_pk->rid[1],
937 icc_pk->rid[2],
938 icc_pk->rid[3],
939 icc_pk->rid[4],
940 icc_pk->index,
941 icc_pk->serial[0],
942 icc_pk->serial[1],
943 icc_pk->serial[2]
944 );
945
946 char *icc_pk_c = emv_pk_dump_pk(icc_pk);
947 JsonSaveStr(root, "$.ApplicationData.ICCPublicKeyDec", icc_pk_c);
948 JsonSaveBufAsHex(root, "$.ApplicationData.ICCPublicKeyModulus", icc_pk->modulus, icc_pk->mlen);
949 free(issuer_pk_c);
950
951 return 0;
952}
Proxmark3 GIT tracking
Impressum, Datenschutz