]> git.zerfleddert.de Git - proxmark3-svn/blame_incremental - armsrc/epa.c
Add PACE replay functionality
[proxmark3-svn] / armsrc / epa.c
... / ...
CommitLineData
1//-----------------------------------------------------------------------------
2// Frederik Möllers - August 2012
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// Routines to support the German electronic "Personalausweis" (ID card)
9// Note that the functions which do not implement USB commands do NOT initialize
10// the card (with iso14443a_select_card etc.). If You want to use these
11// functions, You need to do the setup before calling them!
12//-----------------------------------------------------------------------------
13
14#include "iso14443a.h"
15#include "epa.h"
16#include "cmd.h"
17
18// Protocol and Parameter Selection Request
19// use regular (1x) speed in both directions
20// CRC is already included
21static const uint8_t pps[] = {0xD0, 0x11, 0x00, 0x52, 0xA6};
22
23// APDUs for communication with German Identification Card
24
25// General Authenticate (request encrypted nonce) WITHOUT the Le at the end
26static const uint8_t apdu_general_authenticate_pace_get_nonce[] = {
27 0x10, // CLA
28 0x86, // INS
29 0x00, // P1
30 0x00, // P2
31 0x02, // Lc
32 0x7C, // Type: Dynamic Authentication Data
33 0x00, // Length: 0 bytes
34};
35
36// MSE: Set AT (only CLA, INS, P1 and P2)
37static const uint8_t apdu_mse_set_at_start[] = {
38 0x00, // CLA
39 0x22, // INS
40 0xC1, // P1
41 0xA4, // P2
42};
43
44// SELECT BINARY with the ID for EF.CardAccess
45static const uint8_t apdu_select_binary_cardaccess[] = {
46 0x00, // CLA
47 0xA4, // INS
48 0x02, // P1
49 0x0C, // P2
50 0x02, // Lc
51 0x01, // ID
52 0x1C // ID
53};
54
55// READ BINARY
56static const uint8_t apdu_read_binary[] = {
57 0x00, // CLA
58 0xB0, // INS
59 0x00, // P1
60 0x00, // P2
61 0x38 // Le
62};
63
64
65// the leading bytes of a PACE OID
66static const uint8_t oid_pace_start[] = {
67 0x04, // itu-t, identified-organization
68 0x00, // etsi
69 0x7F, // reserved
70 0x00, // etsi-identified-organization
71 0x07, // bsi-de
72 0x02, // protocols
73 0x02, // smartcard
74 0x04 // id-PACE
75};
76
77// APDUs for replaying:
78// MSE: Set AT (initiate PACE)
79static uint8_t apdu_replay_mse_set_at_pace[41];
80// General Authenticate (Get Nonce)
81static uint8_t apdu_replay_general_authenticate_pace_get_nonce[8];
82// General Authenticate (Map Nonce)
83static uint8_t apdu_replay_general_authenticate_pace_map_nonce[75];
84// General Authenticate (Mutual Authenticate)
85static uint8_t apdu_replay_general_authenticate_pace_mutual_authenticate[75];
86// General Authenticate (Perform Key Agreement)
87static uint8_t apdu_replay_general_authenticate_pace_perform_key_agreement[18];
88// pointers to the APDUs (for iterations)
89static struct {
90 uint8_t len;
91 uint8_t *data;
92} const apdus_replay[] = {
93 {sizeof(apdu_replay_mse_set_at_pace), apdu_replay_mse_set_at_pace},
94 {sizeof(apdu_replay_general_authenticate_pace_get_nonce), apdu_replay_general_authenticate_pace_get_nonce},
95 {sizeof(apdu_replay_general_authenticate_pace_map_nonce), apdu_replay_general_authenticate_pace_map_nonce},
96 {sizeof(apdu_replay_general_authenticate_pace_mutual_authenticate), apdu_replay_general_authenticate_pace_mutual_authenticate},
97 {sizeof(apdu_replay_general_authenticate_pace_perform_key_agreement), apdu_replay_general_authenticate_pace_perform_key_agreement}
98};
99
100// lengths of the replay APDUs
101static uint8_t apdu_lengths_replay[5];
102
103//-----------------------------------------------------------------------------
104// Closes the communication channel and turns off the field
105//-----------------------------------------------------------------------------
106void EPA_Finish()
107{
108 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
109 LEDsoff();
110}
111
112//-----------------------------------------------------------------------------
113// Parses DER encoded data, e.g. from EF.CardAccess and fills out the given
114// structs. If a pointer is 0, it is ignored.
115// The function returns 0 on success and if an error occured, it returns the
116// offset where it occured.
117//
118// TODO: This function can access memory outside of the given data if the DER
119// encoding is broken
120// TODO: Support skipping elements with a length > 0x7F
121// TODO: Support OIDs with a length > 7F
122// TODO: Support elements with long tags (tag is longer than 1 byte)
123// TODO: Support proprietary PACE domain parameters
124//-----------------------------------------------------------------------------
125size_t EPA_Parse_CardAccess(uint8_t *data,
126 size_t length,
127 pace_version_info_t *pace_info)
128{
129 size_t index = 0;
130
131 while (index <= length - 2) {
132 // determine type of element
133 // SET or SEQUENCE
134 if (data[index] == 0x31 || data[index] == 0x30) {
135 // enter the set (skip tag + length)
136 index += 2;
137 // check for extended length
138 if ((data[index - 1] & 0x80) != 0) {
139 index += (data[index-1] & 0x7F);
140 }
141 }
142 // OID
143 else if (data[index] == 0x06) {
144 // is this a PACE OID?
145 if (data[index + 1] == 0x0A // length matches
146 && memcmp(data + index + 2,
147 oid_pace_start,
148 sizeof(oid_pace_start)) == 0 // content matches
149 && pace_info != NULL)
150 {
151 // first, clear the pace_info struct
152 memset(pace_info, 0, sizeof(pace_version_info_t));
153 memcpy(pace_info->oid, data + index + 2, sizeof(pace_info->oid));
154 // a PACE OID is followed by the version
155 index += data[index + 1] + 2;
156 if (data[index] == 02 && data[index + 1] == 01) {
157 pace_info->version = data[index + 2];
158 index += 3;
159 }
160 else {
161 return index;
162 }
163 // after that there might(!) be the parameter ID
164 if (data[index] == 02 && data[index + 1] == 01) {
165 pace_info->parameter_id = data[index + 2];
166 index += 3;
167 }
168 }
169 else {
170 // skip this OID
171 index += 2 + data[index + 1];
172 }
173 }
174 // if the length is 0, something is wrong
175 // TODO: This needs to be extended to support long tags
176 else if (data[index + 1] == 0) {
177 return index;
178 }
179 else {
180 // skip this part
181 // TODO: This needs to be extended to support long tags
182 // TODO: This needs to be extended to support unknown elements with
183 // a size > 0x7F
184 index += 2 + data[index + 1];
185 }
186 }
187
188 // TODO: We should check whether we reached the end in error, but for that
189 // we need a better parser (e.g. with states like IN_SET or IN_PACE_INFO)
190 return 0;
191}
192
193//-----------------------------------------------------------------------------
194// Read the file EF.CardAccess and save it into a buffer (at most max_length bytes)
195// Returns -1 on failure or the length of the data on success
196// TODO: for the moment this sends only 1 APDU regardless of the requested length
197//-----------------------------------------------------------------------------
198int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length)
199{
200 // the response APDU of the card
201 // since the card doesn't always care for the expected length we send it,
202 // we reserve 262 bytes here just to be safe (256-byte APDU + SW + ISO frame)
203 uint8_t response_apdu[262];
204 int rapdu_length = 0;
205
206 // select the file EF.CardAccess
207 rapdu_length = iso14_apdu((uint8_t *)apdu_select_binary_cardaccess,
208 sizeof(apdu_select_binary_cardaccess),
209 response_apdu);
210 if (rapdu_length != 6
211 || response_apdu[rapdu_length - 4] != 0x90
212 || response_apdu[rapdu_length - 3] != 0x00)
213 {
214 Dbprintf("epa - no select cardaccess");
215 return -1;
216 }
217
218 // read the file
219 rapdu_length = iso14_apdu((uint8_t *)apdu_read_binary,
220 sizeof(apdu_read_binary),
221 response_apdu);
222 if (rapdu_length <= 6
223 || response_apdu[rapdu_length - 4] != 0x90
224 || response_apdu[rapdu_length - 3] != 0x00)
225 {
226 Dbprintf("epa - no read cardaccess");
227 return -1;
228 }
229
230 // copy the content into the buffer
231 // length of data available: apdu_length - 4 (ISO frame) - 2 (SW)
232 size_t to_copy = rapdu_length - 6;
233 to_copy = to_copy < max_length ? to_copy : max_length;
234 memcpy(buffer, response_apdu+2, to_copy);
235 return to_copy;
236}
237
238//-----------------------------------------------------------------------------
239// Abort helper function for EPA_PACE_Collect_Nonce
240// sets relevant data in ack, sends the response
241//-----------------------------------------------------------------------------
242static void EPA_PACE_Collect_Nonce_Abort(uint8_t step, int func_return)
243{
244 // power down the field
245 EPA_Finish();
246
247 // send the USB packet
248 cmd_send(CMD_ACK,step,func_return,0,0,0);
249}
250
251//-----------------------------------------------------------------------------
252// Acquire one encrypted PACE nonce
253//-----------------------------------------------------------------------------
254void EPA_PACE_Collect_Nonce(UsbCommand *c)
255{
256 /*
257 * ack layout:
258 * arg:
259 * 1. element
260 * step where the error occured or 0 if no error occured
261 * 2. element
262 * return code of the last executed function
263 * d:
264 * Encrypted nonce
265 */
266
267 // return value of a function
268 int func_return = 0;
269
270 // set up communication
271 func_return = EPA_Setup();
272 if (func_return != 0) {
273 EPA_PACE_Collect_Nonce_Abort(1, func_return);
274 return;
275 }
276
277 // read the CardAccess file
278 // this array will hold the CardAccess file
279 uint8_t card_access[256] = {0};
280 int card_access_length = EPA_Read_CardAccess(card_access, 256);
281 // the response has to be at least this big to hold the OID
282 if (card_access_length < 18) {
283 EPA_PACE_Collect_Nonce_Abort(2, card_access_length);
284 return;
285 }
286
287 // this will hold the PACE info of the card
288 pace_version_info_t pace_version_info;
289 // search for the PACE OID
290 func_return = EPA_Parse_CardAccess(card_access,
291 card_access_length,
292 &pace_version_info);
293 if (func_return != 0 || pace_version_info.version == 0) {
294 EPA_PACE_Collect_Nonce_Abort(3, func_return);
295 return;
296 }
297
298 // initiate the PACE protocol
299 // use the CAN for the password since that doesn't change
300 func_return = EPA_PACE_MSE_Set_AT(pace_version_info, 2);
301
302 // now get the nonce
303 uint8_t nonce[256] = {0};
304 uint8_t requested_size = (uint8_t)c->arg[0];
305 func_return = EPA_PACE_Get_Nonce(requested_size, nonce);
306 // check if the command succeeded
307 if (func_return < 0)
308 {
309 EPA_PACE_Collect_Nonce_Abort(4, func_return);
310 return;
311 }
312
313 // all done, return
314 EPA_Finish();
315
316 // save received information
317 cmd_send(CMD_ACK,0,func_return,0,nonce,func_return);
318}
319
320//-----------------------------------------------------------------------------
321// Performs the "Get Nonce" step of the PACE protocol and saves the returned
322// nonce. The caller is responsible for allocating enough memory to store the
323// nonce. Note that the returned size might be less or than or greater than the
324// requested size!
325// Returns the actual size of the nonce on success or a less-than-zero error
326// code on failure.
327//-----------------------------------------------------------------------------
328int EPA_PACE_Get_Nonce(uint8_t requested_length, uint8_t *nonce)
329{
330 // build the APDU
331 uint8_t apdu[sizeof(apdu_general_authenticate_pace_get_nonce) + 1];
332 // copy the constant part
333 memcpy(apdu,
334 apdu_general_authenticate_pace_get_nonce,
335 sizeof(apdu_general_authenticate_pace_get_nonce));
336 // append Le (requested length + 2 due to tag/length taking 2 bytes) in RAPDU
337 apdu[sizeof(apdu_general_authenticate_pace_get_nonce)] = requested_length + 4;
338
339 // send it
340 uint8_t response_apdu[262];
341 int send_return = iso14_apdu(apdu,
342 sizeof(apdu),
343 response_apdu);
344 // check if the command succeeded
345 if (send_return < 6
346 || response_apdu[send_return - 4] != 0x90
347 || response_apdu[send_return - 3] != 0x00)
348 {
349 return -1;
350 }
351
352 // if there is no nonce in the RAPDU, return here
353 if (send_return < 10)
354 {
355 // no error
356 return 0;
357 }
358 // get the actual length of the nonce
359 uint8_t nonce_length = response_apdu[5];
360 if (nonce_length > send_return - 10)
361 {
362 nonce_length = send_return - 10;
363 }
364 // copy the nonce
365 memcpy(nonce, response_apdu + 6, nonce_length);
366
367 return nonce_length;
368}
369
370//-----------------------------------------------------------------------------
371// Initializes the PACE protocol by performing the "MSE: Set AT" step
372// Returns 0 on success or a non-zero error code on failure
373//-----------------------------------------------------------------------------
374int EPA_PACE_MSE_Set_AT(pace_version_info_t pace_version_info, uint8_t password)
375{
376 // create the MSE: Set AT APDU
377 uint8_t apdu[23];
378 // the minimum length (will be increased as more data is added)
379 size_t apdu_length = 20;
380 // copy the constant part
381 memcpy(apdu,
382 apdu_mse_set_at_start,
383 sizeof(apdu_mse_set_at_start));
384 // type: OID
385 apdu[5] = 0x80;
386 // length of the OID
387 apdu[6] = sizeof(pace_version_info.oid);
388 // copy the OID
389 memcpy(apdu + 7,
390 pace_version_info.oid,
391 sizeof(pace_version_info.oid));
392 // type: password
393 apdu[17] = 0x83;
394 // length: 1
395 apdu[18] = 1;
396 // password
397 apdu[19] = password;
398 // if standardized domain parameters are used, copy the ID
399 if (pace_version_info.parameter_id != 0) {
400 apdu_length += 3;
401 // type: domain parameter
402 apdu[20] = 0x84;
403 // length: 1
404 apdu[21] = 1;
405 // copy the parameter ID
406 apdu[22] = pace_version_info.parameter_id;
407 }
408 // now set Lc to the actual length
409 apdu[4] = apdu_length - 5;
410 // send it
411 uint8_t response_apdu[6];
412 int send_return = iso14_apdu(apdu,
413 apdu_length,
414 response_apdu);
415 // check if the command succeeded
416 if (send_return != 6
417 || response_apdu[send_return - 4] != 0x90
418 || response_apdu[send_return - 3] != 0x00)
419 {
420 return 1;
421 }
422 return 0;
423}
424
425//-----------------------------------------------------------------------------
426// Perform the PACE protocol by replaying given APDUs
427//-----------------------------------------------------------------------------
428void EPA_PACE_Replay(UsbCommand *c)
429{
430 uint32_t timings[sizeof(apdu_lengths_replay) / sizeof(apdu_lengths_replay[0])] = {0};
431
432 // if an APDU has been passed, save it
433 if (c->arg[0] != 0) {
434 // make sure it's not too big
435 if(c->arg[2] > apdus_replay[c->arg[0] - 1].len)
436 {
437 cmd_send(CMD_ACK, 1, 0, 0, NULL, 0);
438 }
439 memcpy(apdus_replay[c->arg[0] - 1].data + c->arg[1],
440 c->d.asBytes,
441 c->arg[2]);
442 // save/update APDU length
443 if (c->arg[1] == 0) {
444 apdu_lengths_replay[c->arg[0] - 1] = c->arg[2];
445 } else {
446 apdu_lengths_replay[c->arg[0] - 1] += c->arg[2];
447 }
448 cmd_send(CMD_ACK, 0, 0, 0, NULL, 0);
449 return;
450 }
451
452 // return value of a function
453 int func_return;
454
455 // set up communication
456 func_return = EPA_Setup();
457 if (func_return != 0) {
458 EPA_Finish();
459 cmd_send(CMD_ACK, 2, func_return, 0, NULL, 0);
460 return;
461 }
462
463 // increase the timeout (at least some cards really do need this!)/////////////
464 // iso14a_set_timeout(0x0003FFFF);
465
466 // response APDU
467 uint8_t response_apdu[300] = {0};
468
469 // now replay the data and measure the timings
470 for (int i = 0; i < sizeof(apdu_lengths_replay); i++) {
471 StartCountUS();
472 func_return = iso14_apdu(apdus_replay[i].data,
473 apdu_lengths_replay[i],
474 response_apdu);
475 timings[i] = GetCountUS();
476 // every step but the last one should succeed
477 if (i < sizeof(apdu_lengths_replay) - 1
478 && (func_return < 6
479 || response_apdu[func_return - 4] != 0x90
480 || response_apdu[func_return - 3] != 0x00))
481 {
482 EPA_Finish();
483 cmd_send(CMD_ACK, 3 + i, func_return, 0, timings, 20);
484 return;
485 }
486 }
487 EPA_Finish();
488 cmd_send(CMD_ACK,0,0,0,timings,20);
489 return;
490}
491
492//-----------------------------------------------------------------------------
493// Set up a communication channel (Card Select, PPS)
494// Returns 0 on success or a non-zero error code on failure
495//-----------------------------------------------------------------------------
496int EPA_Setup()
497{
498 int return_code = 0;
499 uint8_t uid[10];
500 uint8_t pps_response[3];
501 uint8_t pps_response_par[1];
502 iso14a_card_select_t card_select_info;
503
504 // power up the field
505 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
506 // select the card
507 return_code = iso14443a_select_card(uid, &card_select_info, NULL);
508 if (return_code != 1) {
509 return 1;
510 }
511 // send the PPS request
512 ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL);
513 return_code = ReaderReceive(pps_response, pps_response_par);
514 if (return_code != 3 || pps_response[0] != 0xD0) {
515 return return_code == 0 ? 2 : return_code;
516 }
517 return 0;
518}
Impressum, Datenschutz