2 * libopenemv - a library to work with EMV family of smart cards
3 * Copyright (C) 2015 Dmitry Eremin-Solenikov
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2.1 of the License, or (at your option) any later version.
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
30 static bool strictExecution
= true;
31 void PKISetStrictExecution(bool se
) {
35 static const unsigned char empty_tlv_value
[] = {};
36 static const struct tlv empty_tlv
= {.tag
= 0x0, .len
= 0, .value
= empty_tlv_value
};
38 static size_t emv_pki_hash_psn
[256] = { 0, 0, 11, 2, 17, 2, };
40 static unsigned char *emv_pki_decode_message(const struct emv_pk
*enc_pk
,
43 const struct tlv
*cert_tlv
,
45 ... /* A list of tlv pointers */
48 struct crypto_pk
*kcp
;
57 PrintAndLogEx(ERR
, "Can't find certificate\n");
61 if (cert_tlv
->len
!= enc_pk
->mlen
) {
62 PrintAndLogEx(ERR
, "Certificate length (%zd) not equal key length (%zd)\n", cert_tlv
->len
, enc_pk
->mlen
);
65 kcp
= crypto_pk_open(enc_pk
->pk_algo
,
66 enc_pk
->modulus
, enc_pk
->mlen
,
67 enc_pk
->exp
, enc_pk
->elen
);
71 data
= crypto_pk_encrypt(kcp
, cert_tlv
->value
, cert_tlv
->len
, &data_len
);
75 PrintAndLogEx(INFO, "Recovered data:\n");
76 dump_buffer(data, data_len, stdout, 0);
79 if (data
[data_len
-1] != 0xbc || data
[0] != 0x6a || data
[1] != msgtype
) {
80 PrintAndLogEx(ERR
, "Certificate format\n");
85 size_t hash_pos
= emv_pki_hash_psn
[msgtype
];
86 if (hash_pos
== 0 || hash_pos
> data_len
){
87 PrintAndLogEx(ERR
, "Can't get hash position in the certificate\n");
92 struct crypto_hash
*ch
;
93 ch
= crypto_hash_open(data
[hash_pos
]);
95 PrintAndLogEx(ERR
, "Can't do hash\n");
100 size_t hash_len
= crypto_hash_get_size(ch
);
101 crypto_hash_write(ch
, data
+ 1, data_len
- 2 - hash_len
);
103 va_start(vl
, tlv_count
);
104 for (int i
= 0; i
< tlv_count
; i
++) {
105 const struct tlv
*add_tlv
= va_arg(vl
, const struct tlv
*);
109 crypto_hash_write(ch
, add_tlv
->value
, add_tlv
->len
);
113 uint8_t hash
[hash_len
];
114 memset(hash
, 0, hash_len
);
115 memcpy(hash
, crypto_hash_read(ch
), hash_len
);
116 if (memcmp(data
+ data_len
- 1 - hash_len
, hash
, hash_len
)) {
117 PrintAndLogEx(ERR
, "Calculated wrong hash\n");
118 PrintAndLogEx(INFO
, "decoded: %s\n",sprint_hex(data
+ data_len
- 1 - hash_len
, hash_len
));
119 PrintAndLogEx(INFO
, "calculated: %s\n",sprint_hex(hash
, hash_len
));
121 if (strictExecution
) {
122 crypto_hash_close(ch
);
128 crypto_hash_close(ch
);
130 *len
= data_len
- hash_len
- 1;
135 static unsigned emv_cn_length(const struct tlv
*tlv
)
139 for (i
= 0; i
< tlv
->len
; i
++) {
140 unsigned char c
= tlv
->value
[i
];
145 if ((c
& 0xf) == 0xf)
152 static unsigned char emv_cn_get(const struct tlv
*tlv
, unsigned pos
)
154 if (pos
> tlv
->len
* 2)
157 unsigned char c
= tlv
->value
[pos
/ 2];
165 static struct emv_pk
*emv_pki_decode_key_ex(const struct emv_pk
*enc_pk
,
166 unsigned char msgtype
,
167 const struct tlv
*pan_tlv
,
168 const struct tlv
*cert_tlv
,
169 const struct tlv
*exp_tlv
,
170 const struct tlv
*rem_tlv
,
171 const struct tlv
*add_tlv
,
172 const struct tlv
*sdatl_tlv
,
181 if (!cert_tlv
|| !exp_tlv
|| !pan_tlv
)
185 rem_tlv
= &empty_tlv
;
189 else if (msgtype
== 4)
192 PrintAndLogEx(ERR
, "Message type must be 2 or 4\n");
196 data
= emv_pki_decode_message(enc_pk
, msgtype
, &data_len
,
204 if (!data
|| data_len
< 11 + pan_length
) {
205 PrintAndLogEx(ERR
, "Can't decode message\n");
210 PrintAndLogEx(INFO
, "Recovered data:\n");
211 dump_buffer(data
, data_len
, stdout
, 0);
214 /* Perform the rest of checks here */
216 struct tlv pan2_tlv
= {
221 unsigned pan_len
= emv_cn_length(pan_tlv
);
222 unsigned pan2_len
= emv_cn_length(&pan2_tlv
);
224 if (((msgtype
== 2) && (pan2_len
< 4 || pan2_len
> pan_len
)) ||
225 ((msgtype
== 4) && (pan2_len
!= pan_len
))) {
226 PrintAndLogEx(ERR
, "Invalid PAN lengths\n");
233 for (i
= 0; i
< pan2_len
; i
++)
234 if (emv_cn_get(pan_tlv
, i
) != emv_cn_get(&pan2_tlv
, i
)) {
235 PrintAndLogEx(ERR
, "PAN data mismatch\n");
236 PrintAndLogEx(INFO
, "tlv pan=%s\n", sprint_hex(pan_tlv
->value
, pan_tlv
->len
));
237 PrintAndLogEx(INFO
, "cert pan=%s\n", sprint_hex(pan2_tlv
.value
, pan2_tlv
.len
));
243 pk_len
= data
[9 + pan_length
];
244 if (pk_len
> data_len
- 11 - pan_length
+ rem_tlv
->len
) {
245 PrintAndLogEx(ERR
, "Invalid pk length\n");
250 if (exp_tlv
->len
!= data
[10 + pan_length
]) {
255 struct emv_pk
*pk
= emv_pk_new(pk_len
, exp_tlv
->len
);
257 memcpy(pk
->rid
, enc_pk
->rid
, 5);
258 pk
->index
= enc_pk
->index
;
260 pk
->hash_algo
= data
[7 + pan_length
];
261 pk
->pk_algo
= data
[8 + pan_length
];
262 pk
->expire
= (data
[3 + pan_length
] << 16) | (data
[2 + pan_length
] << 8) | 0x31;
263 memcpy(pk
->serial
, data
+ 4 + pan_length
, 3);
264 memcpy(pk
->pan
, data
+ 2, pan_length
);
265 memset(pk
->pan
+ pan_length
, 0xff, 10 - pan_length
);
267 memcpy(pk
->modulus
, data
+ 11 + pan_length
,
268 pk_len
< data_len
- (11 + pan_length
) ?
270 data_len
- (11 + pan_length
));
271 memcpy(pk
->modulus
+ data_len
- (11 + pan_length
), rem_tlv
->value
, rem_tlv
->len
);
272 memcpy(pk
->exp
, exp_tlv
->value
, exp_tlv
->len
);
279 static struct emv_pk
*emv_pki_decode_key(const struct emv_pk
*enc_pk
,
280 unsigned char msgtype
,
281 const struct tlv
*pan_tlv
,
282 const struct tlv
*cert_tlv
,
283 const struct tlv
*exp_tlv
,
284 const struct tlv
*rem_tlv
,
285 const struct tlv
*add_tlv
,
286 const struct tlv
*sdatl_tlv
288 return emv_pki_decode_key_ex(enc_pk
, msgtype
, pan_tlv
, cert_tlv
, exp_tlv
, rem_tlv
, add_tlv
, sdatl_tlv
, false);
291 struct emv_pk
*emv_pki_recover_issuer_cert(const struct emv_pk
*pk
, struct tlvdb
*db
)
293 return emv_pki_decode_key(pk
, 2,
294 tlvdb_get(db
, 0x5a, NULL
),
295 tlvdb_get(db
, 0x90, NULL
),
296 tlvdb_get(db
, 0x9f32, NULL
),
297 tlvdb_get(db
, 0x92, NULL
),
302 struct emv_pk
*emv_pki_recover_icc_cert(const struct emv_pk
*pk
, struct tlvdb
*db
, const struct tlv
*sda_tlv
)
305 unsigned char *sdatl
= emv_pki_sdatl_fill(db
, &sdatl_len
);
306 struct tlv sda_tdata
= {
307 .tag
= 0x00, // dummy tag
312 struct emv_pk
*res
= emv_pki_decode_key(pk
, 4,
313 tlvdb_get(db
, 0x5a, NULL
),
314 tlvdb_get(db
, 0x9f46, NULL
),
315 tlvdb_get(db
, 0x9f47, NULL
),
316 tlvdb_get(db
, 0x9f48, NULL
),
320 free(sdatl
); // malloc here: emv_pki_sdatl_fill
324 struct emv_pk
*emv_pki_recover_icc_pe_cert(const struct emv_pk
*pk
, struct tlvdb
*db
)
326 return emv_pki_decode_key(pk
, 4,
327 tlvdb_get(db
, 0x5a, NULL
),
328 tlvdb_get(db
, 0x9f2d, NULL
),
329 tlvdb_get(db
, 0x9f2e, NULL
),
330 tlvdb_get(db
, 0x9f2f, NULL
),
335 unsigned char *emv_pki_sdatl_fill(const struct tlvdb
*db
, size_t *sdatl_len
) {
336 uint8_t buf
[2048] = {0};
341 const struct tlv
*sda_tl
= tlvdb_get(db
, 0x9f4a, NULL
);
342 if (!sda_tl
|| sda_tl
->len
<= 0)
345 for (int i
= 0; i
< sda_tl
->len
; i
++) {
346 uint32_t tag
= sda_tl
->value
[i
]; // here may be multibyte, but now not
347 const struct tlv
*elm
= tlvdb_get(db
, tag
, NULL
);
349 memcpy(&buf
[len
], elm
->value
, elm
->len
);
356 unsigned char *value
= malloc(len
);
357 memcpy(value
, buf
, len
);
365 struct tlvdb
*emv_pki_recover_dac_ex(const struct emv_pk
*enc_pk
, const struct tlvdb
*db
, const struct tlv
*sda_tlv
, bool showData
)
369 // Static Data Authentication Tag List
371 unsigned char *sdatl
= emv_pki_sdatl_fill(db
, &sdatl_len
);
372 struct tlv sda_tdata
= {
373 .tag
= 0x00, // dummy tag
378 unsigned char *data
= emv_pki_decode_message(enc_pk
, 3, &data_len
,
379 tlvdb_get(db
, 0x93, NULL
),
385 free(sdatl
); // malloc here: emv_pki_sdatl_fill
387 if (!data
|| data_len
< 5)
391 PrintAndLogEx(INFO
, "Recovered data:\n");
392 dump_buffer(data
, data_len
, stdout
, 0);
395 struct tlvdb
*dac_db
= tlvdb_fixed(0x9f45, 2, data
+3);
402 struct tlvdb
*emv_pki_recover_dac(const struct emv_pk
*enc_pk
, const struct tlvdb
*db
, const struct tlv
*sda_tlv
) {
403 return emv_pki_recover_dac_ex(enc_pk
, db
, sda_tlv
, false);
406 struct tlvdb
*emv_pki_recover_idn(const struct emv_pk
*enc_pk
, const struct tlvdb
*db
, const struct tlv
*dyn_tlv
) {
407 return emv_pki_recover_idn_ex(enc_pk
, db
, dyn_tlv
, false);
410 struct tlvdb
*emv_pki_recover_idn_ex(const struct emv_pk
*enc_pk
, const struct tlvdb
*db
, const struct tlv
*dyn_tlv
, bool showData
)
413 unsigned char *data
= emv_pki_decode_message(enc_pk
, 5, &data_len
,
414 tlvdb_get(db
, 0x9f4b, NULL
),
419 if (!data
|| data_len
< 3)
422 if (data
[3] < 2 || data
[3] > data_len
- 3) {
428 PrintAndLogEx(INFO
, "Recovered data:\n");
429 dump_buffer(data
, data_len
, stdout
, 0);
432 size_t idn_len
= data
[4];
433 if (idn_len
> data
[3] - 1) {
438 // 9f4c ICC Dynamic Number
439 struct tlvdb
*idn_db
= tlvdb_fixed(0x9f4c, idn_len
, data
+ 5);
446 struct tlvdb
*emv_pki_recover_atc_ex(const struct emv_pk
*enc_pk
, const struct tlvdb
*db
, bool showData
)
449 unsigned char *data
= emv_pki_decode_message(enc_pk
, 5, &data_len
,
450 tlvdb_get(db
, 0x9f4b, NULL
),
452 tlvdb_get(db
, 0x9f37, NULL
),
453 tlvdb_get(db
, 0x9f02, NULL
),
454 tlvdb_get(db
, 0x5f2a, NULL
),
455 tlvdb_get(db
, 0x9f69, NULL
),
458 if (!data
|| data_len
< 3)
461 if (data
[3] < 2 || data
[3] > data_len
- 3) {
467 PrintAndLogEx(INFO
, "Recovered data:\n");
468 dump_buffer(data
, data_len
, stdout
, 0);
471 size_t idn_len
= data
[4];
472 if (idn_len
> data
[3] - 1) {
477 // 9f36 Application Transaction Counter (ATC)
478 struct tlvdb
*atc_db
= tlvdb_fixed(0x9f36, idn_len
, data
+ 5);
485 static bool tlv_hash(void *data
, const struct tlv
*tlv
, int level
, bool is_leaf
)
487 struct crypto_hash
*ch
= data
;
491 if (tlv_is_constructed(tlv
))
494 if (tlv
->tag
== 0x9f4b)
497 tag
= tlv_encode(tlv
, &tag_len
);
498 crypto_hash_write(ch
, tag
, tag_len
);
504 struct tlvdb
*emv_pki_perform_cda(const struct emv_pk
*enc_pk
, const struct tlvdb
*db
,
505 const struct tlvdb
*this_db
,
506 const struct tlv
*pdol_data_tlv
,
507 const struct tlv
*crm1_tlv
,
508 const struct tlv
*crm2_tlv
)
510 return emv_pki_perform_cda_ex(enc_pk
, db
, this_db
, pdol_data_tlv
, crm1_tlv
, crm2_tlv
, false);
512 struct tlvdb
*emv_pki_perform_cda_ex(const struct emv_pk
*enc_pk
, const struct tlvdb
*db
,
513 const struct tlvdb
*this_db
, // AC TLV result
514 const struct tlv
*pdol_data_tlv
, // PDOL
515 const struct tlv
*crm1_tlv
, // CDOL1
516 const struct tlv
*crm2_tlv
, // CDOL2
519 const struct tlv
*un_tlv
= tlvdb_get(db
, 0x9f37, NULL
);
520 const struct tlv
*cid_tlv
= tlvdb_get(this_db
, 0x9f27, NULL
);
522 if (!un_tlv
|| !cid_tlv
)
526 unsigned char *data
= emv_pki_decode_message(enc_pk
, 5, &data_len
,
527 tlvdb_get(this_db
, 0x9f4b, NULL
),
531 if (!data
|| data_len
< 3) {
532 PrintAndLogEx(ERR
, "can't decode message. len %zd\n", data_len
);
537 PrintAndLogEx(INFO
, "Recovered data:\n");
538 dump_buffer(data
, data_len
, stdout
, 0);
541 if (data
[3] < 30 || data
[3] > data_len
- 4) {
542 PrintAndLogEx(ERR
, "Invalid data length\n");
547 if (!cid_tlv
|| cid_tlv
->len
!= 1 || cid_tlv
->value
[0] != data
[5 + data
[4]]) {
548 PrintAndLogEx(ERR
, "CID mismatch\n");
553 struct crypto_hash
*ch
;
554 ch
= crypto_hash_open(enc_pk
->hash_algo
);
556 PrintAndLogEx(ERR
, "Can't create hash\n");
562 crypto_hash_write(ch
, pdol_data_tlv
->value
, pdol_data_tlv
->len
);
564 crypto_hash_write(ch
, crm1_tlv
->value
, crm1_tlv
->len
);
566 crypto_hash_write(ch
, crm2_tlv
->value
, crm2_tlv
->len
);
568 tlvdb_visit(this_db
, tlv_hash
, ch
, 0);
570 if (memcmp(data
+ 5 + data
[4] + 1 + 8, crypto_hash_read(ch
), 20)) {
571 PrintAndLogEx(ERR
, "Calculated hash error\n");
572 crypto_hash_close(ch
);
576 crypto_hash_close(ch
);
578 size_t idn_len
= data
[4];
579 if (idn_len
> data
[3] - 1) {
580 PrintAndLogEx(ERR
, "Invalid IDN length\n");
585 struct tlvdb
*idn_db
= tlvdb_fixed(0x9f4c, idn_len
, data
+ 5);