Merge branch 'master' into topaz
[proxmark3-svn] / armsrc / epa.c
1 //-----------------------------------------------------------------------------
2 // Frederik Möllers - August 2012
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Routines to support the German electronic "Personalausweis" (ID card)
9 // Note that the functions which do not implement USB commands do NOT initialize
10 // the card (with iso14443a_select_card etc.). If You want to use these
11 // functions, You need to do the setup before calling them!
12 //-----------------------------------------------------------------------------
13
14 #include "iso14443a.h"
15 #include "epa.h"
16 #include "cmd.h"
17
18 // Protocol and Parameter Selection Request
19 // use regular (1x) speed in both directions
20 // CRC is already included
21 static const uint8_t pps[] = {0xD0, 0x11, 0x00, 0x52, 0xA6};
22
23 // APDUs for communication with German Identification Card
24
25 // General Authenticate (request encrypted nonce) WITHOUT the Le at the end
26 static const uint8_t apdu_general_authenticate_pace_get_nonce[] = {
27 0x10, // CLA
28 0x86, // INS
29 0x00, // P1
30 0x00, // P2
31 0x02, // Lc
32 0x7C, // Type: Dynamic Authentication Data
33 0x00, // Length: 0 bytes
34 };
35
36 // MSE: Set AT (only CLA, INS, P1 and P2)
37 static const uint8_t apdu_mse_set_at_start[] = {
38 0x00, // CLA
39 0x22, // INS
40 0xC1, // P1
41 0xA4, // P2
42 };
43
44 // SELECT BINARY with the ID for EF.CardAccess
45 static const uint8_t apdu_select_binary_cardaccess[] = {
46 0x00, // CLA
47 0xA4, // INS
48 0x02, // P1
49 0x0C, // P2
50 0x02, // Lc
51 0x01, // ID
52 0x1C // ID
53 };
54
55 // READ BINARY
56 static const uint8_t apdu_read_binary[] = {
57 0x00, // CLA
58 0xB0, // INS
59 0x00, // P1
60 0x00, // P2
61 0x38 // Le
62 };
63
64
65 // the leading bytes of a PACE OID
66 static const uint8_t oid_pace_start[] = {
67 0x04, // itu-t, identified-organization
68 0x00, // etsi
69 0x7F, // reserved
70 0x00, // etsi-identified-organization
71 0x07, // bsi-de
72 0x02, // protocols
73 0x02, // smartcard
74 0x04 // id-PACE
75 };
76
77 // APDUs for replaying:
78 // MSE: Set AT (initiate PACE)
79 static uint8_t apdu_replay_mse_set_at_pace[41];
80 // General Authenticate (Get Nonce)
81 static uint8_t apdu_replay_general_authenticate_pace_get_nonce[8];
82 // General Authenticate (Map Nonce)
83 static uint8_t apdu_replay_general_authenticate_pace_map_nonce[75];
84 // General Authenticate (Mutual Authenticate)
85 static uint8_t apdu_replay_general_authenticate_pace_mutual_authenticate[75];
86 // General Authenticate (Perform Key Agreement)
87 static uint8_t apdu_replay_general_authenticate_pace_perform_key_agreement[18];
88 // pointers to the APDUs (for iterations)
89 static struct {
90 uint8_t len;
91 uint8_t *data;
92 } const apdus_replay[] = {
93 {sizeof(apdu_replay_mse_set_at_pace), apdu_replay_mse_set_at_pace},
94 {sizeof(apdu_replay_general_authenticate_pace_get_nonce), apdu_replay_general_authenticate_pace_get_nonce},
95 {sizeof(apdu_replay_general_authenticate_pace_map_nonce), apdu_replay_general_authenticate_pace_map_nonce},
96 {sizeof(apdu_replay_general_authenticate_pace_mutual_authenticate), apdu_replay_general_authenticate_pace_mutual_authenticate},
97 {sizeof(apdu_replay_general_authenticate_pace_perform_key_agreement), apdu_replay_general_authenticate_pace_perform_key_agreement}
98 };
99
100 // lengths of the replay APDUs
101 static uint8_t apdu_lengths_replay[5];
102
103 //-----------------------------------------------------------------------------
104 // Closes the communication channel and turns off the field
105 //-----------------------------------------------------------------------------
106 void EPA_Finish()
107 {
108 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
109 LEDsoff();
110 }
111
112 //-----------------------------------------------------------------------------
113 // Parses DER encoded data, e.g. from EF.CardAccess and fills out the given
114 // structs. If a pointer is 0, it is ignored.
115 // The function returns 0 on success and if an error occured, it returns the
116 // offset where it occured.
117 //
118 // TODO: This function can access memory outside of the given data if the DER
119 // encoding is broken
120 // TODO: Support skipping elements with a length > 0x7F
121 // TODO: Support OIDs with a length > 7F
122 // TODO: Support elements with long tags (tag is longer than 1 byte)
123 // TODO: Support proprietary PACE domain parameters
124 //-----------------------------------------------------------------------------
125 size_t EPA_Parse_CardAccess(uint8_t *data,
126 size_t length,
127 pace_version_info_t *pace_info)
128 {
129 size_t index = 0;
130
131 while (index <= length - 2) {
132 // determine type of element
133 // SET or SEQUENCE
134 if (data[index] == 0x31 || data[index] == 0x30) {
135 // enter the set (skip tag + length)
136 index += 2;
137 // check for extended length
138 if ((data[index - 1] & 0x80) != 0) {
139 index += (data[index-1] & 0x7F);
140 }
141 }
142 // OID
143 else if (data[index] == 0x06) {
144 // is this a PACE OID?
145 if (data[index + 1] == 0x0A // length matches
146 && memcmp(data + index + 2,
147 oid_pace_start,
148 sizeof(oid_pace_start)) == 0 // content matches
149 && pace_info != NULL)
150 {
151 // first, clear the pace_info struct
152 memset(pace_info, 0, sizeof(pace_version_info_t));
153 memcpy(pace_info->oid, data + index + 2, sizeof(pace_info->oid));
154 // a PACE OID is followed by the version
155 index += data[index + 1] + 2;
156 if (data[index] == 02 && data[index + 1] == 01) {
157 pace_info->version = data[index + 2];
158 index += 3;
159 }
160 else {
161 return index;
162 }
163 // after that there might(!) be the parameter ID
164 if (data[index] == 02 && data[index + 1] == 01) {
165 pace_info->parameter_id = data[index + 2];
166 index += 3;
167 }
168 }
169 else {
170 // skip this OID
171 index += 2 + data[index + 1];
172 }
173 }
174 // if the length is 0, something is wrong
175 // TODO: This needs to be extended to support long tags
176 else if (data[index + 1] == 0) {
177 return index;
178 }
179 else {
180 // skip this part
181 // TODO: This needs to be extended to support long tags
182 // TODO: This needs to be extended to support unknown elements with
183 // a size > 0x7F
184 index += 2 + data[index + 1];
185 }
186 }
187
188 // TODO: We should check whether we reached the end in error, but for that
189 // we need a better parser (e.g. with states like IN_SET or IN_PACE_INFO)
190 return 0;
191 }
192
193 //-----------------------------------------------------------------------------
194 // Read the file EF.CardAccess and save it into a buffer (at most max_length bytes)
195 // Returns -1 on failure or the length of the data on success
196 // TODO: for the moment this sends only 1 APDU regardless of the requested length
197 //-----------------------------------------------------------------------------
198 int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length)
199 {
200 // the response APDU of the card
201 // since the card doesn't always care for the expected length we send it,
202 // we reserve 262 bytes here just to be safe (256-byte APDU + SW + ISO frame)
203 uint8_t response_apdu[262];
204 int rapdu_length = 0;
205
206 // select the file EF.CardAccess
207 rapdu_length = iso14_apdu((uint8_t *)apdu_select_binary_cardaccess,
208 sizeof(apdu_select_binary_cardaccess),
209 response_apdu);
210 if (rapdu_length != 6
211 || response_apdu[rapdu_length - 4] != 0x90
212 || response_apdu[rapdu_length - 3] != 0x00)
213 {
214 Dbprintf("epa - no select cardaccess");
215 return -1;
216 }
217
218 // read the file
219 rapdu_length = iso14_apdu((uint8_t *)apdu_read_binary,
220 sizeof(apdu_read_binary),
221 response_apdu);
222 if (rapdu_length <= 6
223 || response_apdu[rapdu_length - 4] != 0x90
224 || response_apdu[rapdu_length - 3] != 0x00)
225 {
226 Dbprintf("epa - no read cardaccess");
227 return -1;
228 }
229
230 // copy the content into the buffer
231 // length of data available: apdu_length - 4 (ISO frame) - 2 (SW)
232 size_t to_copy = rapdu_length - 6;
233 to_copy = to_copy < max_length ? to_copy : max_length;
234 memcpy(buffer, response_apdu+2, to_copy);
235 return to_copy;
236 }
237
238 //-----------------------------------------------------------------------------
239 // Abort helper function for EPA_PACE_Collect_Nonce
240 // sets relevant data in ack, sends the response
241 //-----------------------------------------------------------------------------
242 static void EPA_PACE_Collect_Nonce_Abort(uint8_t step, int func_return)
243 {
244 // power down the field
245 EPA_Finish();
246
247 // send the USB packet
248 cmd_send(CMD_ACK,step,func_return,0,0,0);
249 }
250
251 //-----------------------------------------------------------------------------
252 // Acquire one encrypted PACE nonce
253 //-----------------------------------------------------------------------------
254 void EPA_PACE_Collect_Nonce(UsbCommand *c)
255 {
256 /*
257 * ack layout:
258 * arg:
259 * 1. element
260 * step where the error occured or 0 if no error occured
261 * 2. element
262 * return code of the last executed function
263 * d:
264 * Encrypted nonce
265 */
266
267 // return value of a function
268 int func_return = 0;
269
270 // set up communication
271 func_return = EPA_Setup();
272 if (func_return != 0) {
273 EPA_PACE_Collect_Nonce_Abort(1, func_return);
274 return;
275 }
276
277 // read the CardAccess file
278 // this array will hold the CardAccess file
279 uint8_t card_access[256] = {0};
280 int card_access_length = EPA_Read_CardAccess(card_access, 256);
281 // the response has to be at least this big to hold the OID
282 if (card_access_length < 18) {
283 EPA_PACE_Collect_Nonce_Abort(2, card_access_length);
284 return;
285 }
286
287 // this will hold the PACE info of the card
288 pace_version_info_t pace_version_info;
289 // search for the PACE OID
290 func_return = EPA_Parse_CardAccess(card_access,
291 card_access_length,
292 &pace_version_info);
293 if (func_return != 0 || pace_version_info.version == 0) {
294 EPA_PACE_Collect_Nonce_Abort(3, func_return);
295 return;
296 }
297
298 // initiate the PACE protocol
299 // use the CAN for the password since that doesn't change
300 func_return = EPA_PACE_MSE_Set_AT(pace_version_info, 2);
301
302 // now get the nonce
303 uint8_t nonce[256] = {0};
304 uint8_t requested_size = (uint8_t)c->arg[0];
305 func_return = EPA_PACE_Get_Nonce(requested_size, nonce);
306 // check if the command succeeded
307 if (func_return < 0)
308 {
309 EPA_PACE_Collect_Nonce_Abort(4, func_return);
310 return;
311 }
312
313 // all done, return
314 EPA_Finish();
315
316 // save received information
317 cmd_send(CMD_ACK,0,func_return,0,nonce,func_return);
318 }
319
320 //-----------------------------------------------------------------------------
321 // Performs the "Get Nonce" step of the PACE protocol and saves the returned
322 // nonce. The caller is responsible for allocating enough memory to store the
323 // nonce. Note that the returned size might be less or than or greater than the
324 // requested size!
325 // Returns the actual size of the nonce on success or a less-than-zero error
326 // code on failure.
327 //-----------------------------------------------------------------------------
328 int EPA_PACE_Get_Nonce(uint8_t requested_length, uint8_t *nonce)
329 {
330 // build the APDU
331 uint8_t apdu[sizeof(apdu_general_authenticate_pace_get_nonce) + 1];
332 // copy the constant part
333 memcpy(apdu,
334 apdu_general_authenticate_pace_get_nonce,
335 sizeof(apdu_general_authenticate_pace_get_nonce));
336 // append Le (requested length + 2 due to tag/length taking 2 bytes) in RAPDU
337 apdu[sizeof(apdu_general_authenticate_pace_get_nonce)] = requested_length + 4;
338
339 // send it
340 uint8_t response_apdu[262];
341 int send_return = iso14_apdu(apdu,
342 sizeof(apdu),
343 response_apdu);
344 // check if the command succeeded
345 if (send_return < 6
346 || response_apdu[send_return - 4] != 0x90
347 || response_apdu[send_return - 3] != 0x00)
348 {
349 return -1;
350 }
351
352 // if there is no nonce in the RAPDU, return here
353 if (send_return < 10)
354 {
355 // no error
356 return 0;
357 }
358 // get the actual length of the nonce
359 uint8_t nonce_length = response_apdu[5];
360 if (nonce_length > send_return - 10)
361 {
362 nonce_length = send_return - 10;
363 }
364 // copy the nonce
365 memcpy(nonce, response_apdu + 6, nonce_length);
366
367 return nonce_length;
368 }
369
370 //-----------------------------------------------------------------------------
371 // Initializes the PACE protocol by performing the "MSE: Set AT" step
372 // Returns 0 on success or a non-zero error code on failure
373 //-----------------------------------------------------------------------------
374 int EPA_PACE_MSE_Set_AT(pace_version_info_t pace_version_info, uint8_t password)
375 {
376 // create the MSE: Set AT APDU
377 uint8_t apdu[23];
378 // the minimum length (will be increased as more data is added)
379 size_t apdu_length = 20;
380 // copy the constant part
381 memcpy(apdu,
382 apdu_mse_set_at_start,
383 sizeof(apdu_mse_set_at_start));
384 // type: OID
385 apdu[5] = 0x80;
386 // length of the OID
387 apdu[6] = sizeof(pace_version_info.oid);
388 // copy the OID
389 memcpy(apdu + 7,
390 pace_version_info.oid,
391 sizeof(pace_version_info.oid));
392 // type: password
393 apdu[17] = 0x83;
394 // length: 1
395 apdu[18] = 1;
396 // password
397 apdu[19] = password;
398 // if standardized domain parameters are used, copy the ID
399 if (pace_version_info.parameter_id != 0) {
400 apdu_length += 3;
401 // type: domain parameter
402 apdu[20] = 0x84;
403 // length: 1
404 apdu[21] = 1;
405 // copy the parameter ID
406 apdu[22] = pace_version_info.parameter_id;
407 }
408 // now set Lc to the actual length
409 apdu[4] = apdu_length - 5;
410 // send it
411 uint8_t response_apdu[6];
412 int send_return = iso14_apdu(apdu,
413 apdu_length,
414 response_apdu);
415 // check if the command succeeded
416 if (send_return != 6
417 || response_apdu[send_return - 4] != 0x90
418 || response_apdu[send_return - 3] != 0x00)
419 {
420 return 1;
421 }
422 return 0;
423 }
424
425 //-----------------------------------------------------------------------------
426 // Perform the PACE protocol by replaying given APDUs
427 //-----------------------------------------------------------------------------
428 void EPA_PACE_Replay(UsbCommand *c)
429 {
430 uint32_t timings[sizeof(apdu_lengths_replay) / sizeof(apdu_lengths_replay[0])] = {0};
431
432 // if an APDU has been passed, save it
433 if (c->arg[0] != 0) {
434 // make sure it's not too big
435 if(c->arg[2] > apdus_replay[c->arg[0] - 1].len)
436 {
437 cmd_send(CMD_ACK, 1, 0, 0, NULL, 0);
438 }
439 memcpy(apdus_replay[c->arg[0] - 1].data + c->arg[1],
440 c->d.asBytes,
441 c->arg[2]);
442 // save/update APDU length
443 if (c->arg[1] == 0) {
444 apdu_lengths_replay[c->arg[0] - 1] = c->arg[2];
445 } else {
446 apdu_lengths_replay[c->arg[0] - 1] += c->arg[2];
447 }
448 cmd_send(CMD_ACK, 0, 0, 0, NULL, 0);
449 return;
450 }
451
452 // return value of a function
453 int func_return;
454
455 // set up communication
456 func_return = EPA_Setup();
457 if (func_return != 0) {
458 EPA_Finish();
459 cmd_send(CMD_ACK, 2, func_return, 0, NULL, 0);
460 return;
461 }
462
463 // increase the timeout (at least some cards really do need this!)/////////////
464 // iso14a_set_timeout(0x0003FFFF);
465
466 // response APDU
467 uint8_t response_apdu[300] = {0};
468
469 // now replay the data and measure the timings
470 for (int i = 0; i < sizeof(apdu_lengths_replay); i++) {
471 StartCountUS();
472 func_return = iso14_apdu(apdus_replay[i].data,
473 apdu_lengths_replay[i],
474 response_apdu);
475 timings[i] = GetCountUS();
476 // every step but the last one should succeed
477 if (i < sizeof(apdu_lengths_replay) - 1
478 && (func_return < 6
479 || response_apdu[func_return - 4] != 0x90
480 || response_apdu[func_return - 3] != 0x00))
481 {
482 EPA_Finish();
483 cmd_send(CMD_ACK, 3 + i, func_return, 0, timings, 20);
484 return;
485 }
486 }
487 EPA_Finish();
488 cmd_send(CMD_ACK,0,0,0,timings,20);
489 return;
490 }
491
492 //-----------------------------------------------------------------------------
493 // Set up a communication channel (Card Select, PPS)
494 // Returns 0 on success or a non-zero error code on failure
495 //-----------------------------------------------------------------------------
496 int EPA_Setup()
497 {
498 int return_code = 0;
499 uint8_t uid[10];
500 uint8_t pps_response[3];
501 uint8_t pps_response_par[1];
502 iso14a_card_select_t card_select_info;
503
504 // power up the field
505 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
506 // select the card
507 return_code = iso14443a_select_card(uid, &card_select_info, NULL);
508 if (return_code != 1) {
509 return 1;
510 }
511 // send the PPS request
512 ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL);
513 return_code = ReaderReceive(pps_response, pps_response_par);
514 if (return_code != 3 || pps_response[0] != 0xD0) {
515 return return_code == 0 ? 2 : return_code;
516 }
517 return 0;
518 }
Impressum, Datenschutz