]> git.zerfleddert.de Git - proxmark3-svn/blob - client/emv/emvcore.c
Increase threshold to 160, fix for issue 756 (#760)
[proxmark3-svn] / client / emv / emvcore.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2017 Merlok
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // EMV core functions
9 //-----------------------------------------------------------------------------
10
11 #include "emvcore.h"
12 #include "emvjson.h"
13 #include "util_posix.h"
14 #ifdef WITH_SMARTCARD
15 #include "cmdsmartcard.h"
16 #endif
17
18 // Got from here. Thanks)
19 // https://eftlab.co.uk/index.php/site-map/knowledge-base/211-emv-aid-rid-pix
20 static const char *PSElist [] = {
21 "325041592E5359532E4444463031", // 2PAY.SYS.DDF01 - Visa Proximity Payment System Environment - PPSE
22 "315041592E5359532E4444463031" // 1PAY.SYS.DDF01 - Visa Payment System Environment - PSE
23 };
24 //static const size_t PSElistLen = sizeof(PSElist)/sizeof(char*);
25
26 char *TransactionTypeStr[] = {
27 "MSD",
28 "VSDC",
29 "qVCDCMCHIP",
30 "CDA"
31 };
32
33 typedef struct {
34 enum CardPSVendor vendor;
35 const char* aid;
36 } TAIDList;
37
38 static const TAIDList AIDlist [] = {
39 // Visa International
40 { CV_VISA, "A00000000305076010"}, // VISA ELO Credit
41 { CV_VISA, "A0000000031010" }, // VISA Debit/Credit (Classic)
42 { CV_VISA, "A000000003101001" }, // VISA Credit
43 { CV_VISA, "A000000003101002" }, // VISA Debit
44 { CV_VISA, "A0000000032010" }, // VISA Electron
45 { CV_VISA, "A0000000032020" }, // VISA
46 { CV_VISA, "A0000000033010" }, // VISA Interlink
47 { CV_VISA, "A0000000034010" }, // VISA Specific
48 { CV_VISA, "A0000000035010" }, // VISA Specific
49 { CV_VISA, "A0000000036010" }, // Domestic Visa Cash Stored Value
50 { CV_VISA, "A0000000036020" }, // International Visa Cash Stored Value
51 { CV_VISA, "A0000000038002" }, // VISA Auth, VisaRemAuthen EMV-CAP (DPA)
52 { CV_VISA, "A0000000038010" }, // VISA Plus
53 { CV_VISA, "A0000000039010" }, // VISA Loyalty
54 { CV_VISA, "A000000003999910" }, // VISA Proprietary ATM
55 // Visa USA
56 { CV_VISA, "A000000098" }, // Debit Card
57 { CV_VISA, "A0000000980848" }, // Debit Card
58 // Mastercard International
59 { CV_MASTERCARD, "A00000000401" }, // MasterCard PayPass
60 { CV_MASTERCARD, "A0000000041010" }, // MasterCard Credit
61 { CV_MASTERCARD, "A00000000410101213" }, // MasterCard Credit
62 { CV_MASTERCARD, "A00000000410101215" }, // MasterCard Credit
63 { CV_MASTERCARD, "A0000000042010" }, // MasterCard Specific
64 { CV_MASTERCARD, "A0000000043010" }, // MasterCard Specific
65 { CV_MASTERCARD, "A0000000043060" }, // Maestro (Debit)
66 { CV_MASTERCARD, "A000000004306001" }, // Maestro (Debit)
67 { CV_MASTERCARD, "A0000000044010" }, // MasterCard Specific
68 { CV_MASTERCARD, "A0000000045010" }, // MasterCard Specific
69 { CV_MASTERCARD, "A0000000046000" }, // Cirrus
70 { CV_MASTERCARD, "A0000000048002" }, // SecureCode Auth EMV-CAP
71 { CV_MASTERCARD, "A0000000049999" }, // MasterCard PayPass
72 // American Express
73 { CV_AMERICANEXPRESS, "A000000025" },
74 { CV_AMERICANEXPRESS, "A0000000250000" },
75 { CV_AMERICANEXPRESS, "A00000002501" },
76 { CV_AMERICANEXPRESS, "A000000025010402" },
77 { CV_AMERICANEXPRESS, "A000000025010701" },
78 { CV_AMERICANEXPRESS, "A000000025010801" },
79 // Groupement des Cartes Bancaires "CB"
80 { CV_CB, "A0000000421010" }, // Cartes Bancaire EMV Card
81 { CV_CB, "A0000000422010" },
82 { CV_CB, "A0000000423010" },
83 { CV_CB, "A0000000424010" },
84 { CV_CB, "A0000000425010" },
85 // JCB CO., LTD.
86 { CV_JCB, "A00000006510" }, // JCB
87 { CV_JCB, "A0000000651010" }, // JCB J Smart Credit
88 // Other
89 { CV_OTHER, "A0000001544442" }, // Banricompras Debito - Banrisul - Banco do Estado do Rio Grande do SUL - S.A.
90 { CV_OTHER, "F0000000030001" }, // BRADESCO
91 { CV_OTHER, "A0000005241010" }, // RuPay - RuPay
92 { CV_OTHER, "D5780000021010" } // Bankaxept - Bankaxept
93 };
94 static const size_t AIDlistLen = sizeof(AIDlist)/sizeof(TAIDList);
95
96 static bool APDULogging = false;
97 void SetAPDULogging(bool logging) {
98 APDULogging = logging;
99 }
100
101 enum CardPSVendor GetCardPSVendor(uint8_t * AID, size_t AIDlen) {
102 char buf[100] = {0};
103 if (AIDlen < 1)
104 return CV_NA;
105
106 hex_to_buffer((uint8_t *)buf, AID, AIDlen, sizeof(buf) - 1, 0, 0, true);
107
108 for(int i = 0; i < AIDlistLen; i ++) {
109 if (strncmp(AIDlist[i].aid, buf, strlen(AIDlist[i].aid)) == 0){
110 return AIDlist[i].vendor;
111 }
112 }
113
114 return CV_NA;
115 }
116
117 static bool print_cb(void *data, const struct tlv *tlv, int level, bool is_leaf) {
118 emv_tag_dump(tlv, stdout, level);
119 if (is_leaf) {
120 dump_buffer(tlv->value, tlv->len, stdout, level);
121 }
122
123 return true;
124 }
125
126 void TLVPrintFromBuffer(uint8_t *data, int datalen) {
127 struct tlvdb *t = NULL;
128 t = tlvdb_parse_multi(data, datalen);
129 if (t) {
130 PrintAndLog("-------------------- TLV decoded --------------------");
131
132 tlvdb_visit(t, print_cb, NULL, 0);
133 tlvdb_free(t);
134 } else {
135 PrintAndLog("TLV ERROR: Can't parse response as TLV tree.");
136 }
137 }
138
139 void TLVPrintFromTLVLev(struct tlvdb *tlv, int level) {
140 if (!tlv)
141 return;
142
143 tlvdb_visit(tlv, print_cb, NULL, level);
144 }
145
146 void TLVPrintFromTLV(struct tlvdb *tlv) {
147 TLVPrintFromTLVLev(tlv, 0);
148 }
149
150 void TLVPrintAIDlistFromSelectTLV(struct tlvdb *tlv) {
151 PrintAndLog("|------------------|--------|-------------------------|");
152 PrintAndLog("| AID |Priority| Name |");
153 PrintAndLog("|------------------|--------|-------------------------|");
154
155 struct tlvdb *ttmp = tlvdb_find(tlv, 0x6f);
156 if (!ttmp)
157 PrintAndLog("| none |");
158
159 while (ttmp) {
160 const struct tlv *tgAID = tlvdb_get_inchild(ttmp, 0x84, NULL);
161 const struct tlv *tgName = tlvdb_get_inchild(ttmp, 0x50, NULL);
162 const struct tlv *tgPrio = tlvdb_get_inchild(ttmp, 0x87, NULL);
163 if (!tgAID)
164 break;
165 PrintAndLog("|%s| %s |%s|",
166 sprint_hex_inrow_ex(tgAID->value, tgAID->len, 18),
167 (tgPrio) ? sprint_hex(tgPrio->value, 1) : " ",
168 (tgName) ? sprint_ascii_ex(tgName->value, tgName->len, 25) : " ");
169
170 ttmp = tlvdb_find_next(ttmp, 0x6f);
171 }
172
173 PrintAndLog("|------------------|--------|-------------------------|");
174 }
175
176 struct tlvdb *GetPANFromTrack2(const struct tlv *track2) {
177 char track2Hex[200] = {0};
178 uint8_t PAN[100] = {0};
179 int PANlen = 0;
180 char *tmp = track2Hex;
181
182 if (!track2)
183 return NULL;
184
185 for (int i = 0; i < track2->len; ++i, tmp += 2)
186 sprintf(tmp, "%02x", (unsigned int)track2->value[i]);
187
188 int posD = strchr(track2Hex, 'd') - track2Hex;
189 if (posD < 1)
190 return NULL;
191
192 track2Hex[posD] = 0;
193 if (strlen(track2Hex) % 2) {
194 track2Hex[posD] = 'F';
195 track2Hex[posD + 1] = '\0';
196 }
197
198 param_gethex_to_eol(track2Hex, 0, PAN, sizeof(PAN), &PANlen);
199
200 return tlvdb_fixed(0x5a, PANlen, PAN);
201 }
202
203 struct tlvdb *GetdCVVRawFromTrack2(const struct tlv *track2) {
204 char track2Hex[200] = {0};
205 char dCVVHex[100] = {0};
206 uint8_t dCVV[100] = {0};
207 int dCVVlen = 0;
208 const int PINlen = 5; // must calculated from 9F67 MSD Offset but i have not seen this tag)
209 char *tmp = track2Hex;
210
211 if (!track2)
212 return NULL;
213
214 for (int i = 0; i < track2->len; ++i, tmp += 2)
215 sprintf(tmp, "%02x", (unsigned int)track2->value[i]);
216
217 int posD = strchr(track2Hex, 'd') - track2Hex;
218 if (posD < 1)
219 return NULL;
220
221 memset(dCVVHex, '0', 32);
222 // ATC
223 memcpy(dCVVHex + 0, track2Hex + posD + PINlen + 11, 4);
224 // PAN 5 hex
225 memcpy(dCVVHex + 4, track2Hex, 5);
226 // expire date
227 memcpy(dCVVHex + 9, track2Hex + posD + 1, 4);
228 // service code
229 memcpy(dCVVHex + 13, track2Hex + posD + 5, 3);
230
231 param_gethex_to_eol(dCVVHex, 0, dCVV, sizeof(dCVV), &dCVVlen);
232
233 return tlvdb_fixed(0x02, dCVVlen, dCVV);
234 }
235
236 int EMVExchangeEx(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, sAPDU apdu, bool IncludeLe, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
237 uint8_t data[APDU_RES_LEN] = {0};
238
239 *ResultLen = 0;
240 if (sw) *sw = 0;
241 uint16_t isw = 0;
242 int res = 0;
243
244 if (ActivateField){
245 DropField();
246 msleep(50);
247 }
248
249 // COMPUTE APDU
250 memcpy(data, &apdu, 5);
251 if (apdu.data)
252 memcpy(&data[5], apdu.data, apdu.Lc);
253
254 if (APDULogging)
255 PrintAndLog(">>>> %s", sprint_hex(data, (IncludeLe?6:5) + apdu.Lc));
256
257 switch(channel) {
258 case ECC_CONTACTLESS:
259 // 6 byes + data = INS + CLA + P1 + P2 + Lc + <data = Nc> + Le(?IncludeLe)
260 res = ExchangeAPDU14a(data, (IncludeLe?6:5) + apdu.Lc, ActivateField, LeaveFieldON, Result, (int)MaxResultLen, (int *)ResultLen);
261 if (res) {
262 return res;
263 }
264 break;
265 case ECC_CONTACT:
266 //int ExchangeAPDUSC(uint8_t *datain, int datainlen, bool activateCard, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);
267 #ifdef WITH_SMARTCARD
268 res = ExchangeAPDUSC(data, (IncludeLe?6:5) + apdu.Lc, ActivateField, LeaveFieldON, Result, (int)MaxResultLen, (int *)ResultLen);
269 if (res) {
270 return res;
271 }
272 #endif
273 break;
274 }
275
276 if (APDULogging)
277 PrintAndLog("<<<< %s", sprint_hex(Result, *ResultLen));
278
279 if (*ResultLen < 2) {
280 return 200;
281 }
282
283 *ResultLen -= 2;
284 isw = Result[*ResultLen] * 0x0100 + Result[*ResultLen + 1];
285 if (sw)
286 *sw = isw;
287
288 if (isw != 0x9000) {
289 if (APDULogging) {
290 if (*sw >> 8 == 0x61) {
291 PrintAndLog("APDU chaining len:%02x -->", *sw & 0xff);
292 } else {
293 PrintAndLog("APDU(%02x%02x) ERROR: [%4X] %s", apdu.CLA, apdu.INS, isw, GetAPDUCodeDescription(*sw >> 8, *sw & 0xff));
294 return 5;
295 }
296 }
297 }
298
299 // add to tlv tree
300 if (tlv) {
301 struct tlvdb *t = tlvdb_parse_multi(Result, *ResultLen);
302 tlvdb_add(tlv, t);
303 }
304
305 return 0;
306 }
307
308 int EMVExchange(EMVCommandChannel channel, bool LeaveFieldON, sAPDU apdu, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
309 return EMVExchangeEx(channel, false, LeaveFieldON, apdu, true, Result, MaxResultLen, ResultLen, sw, tlv);
310 }
311
312 int EMVSelect(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, uint8_t *AID, size_t AIDLen, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
313 return EMVExchangeEx(channel, ActivateField, LeaveFieldON, (sAPDU){0x00, 0xa4, 0x04, 0x00, AIDLen, AID}, true, Result, MaxResultLen, ResultLen, sw, tlv);
314 }
315
316 int EMVSelectPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, uint8_t PSENum, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw) {
317 uint8_t buf[APDU_AID_LEN] = {0};
318 *ResultLen = 0;
319 int len = 0;
320 int res = 0;
321 switch (PSENum) {
322 case 1:
323 param_gethex_to_eol(PSElist[1], 0, buf, sizeof(buf), &len);
324 break;
325 case 2:
326 param_gethex_to_eol(PSElist[0], 0, buf, sizeof(buf), &len);
327 break;
328 default:
329 return -1;
330 }
331
332 // select
333 res = EMVSelect(channel, ActivateField, LeaveFieldON, buf, len, Result, MaxResultLen, ResultLen, sw, NULL);
334
335 return res;
336 }
337
338 int EMVSearchPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, bool decodeTLV, struct tlvdb *tlv) {
339 uint8_t data[APDU_RES_LEN] = {0};
340 size_t datalen = 0;
341 uint16_t sw = 0;
342 int res;
343
344 // select PPSE
345 res = EMVSelectPSE(channel, ActivateField, true, 2, data, sizeof(data), &datalen, &sw);
346
347 if (!res){
348 struct tlvdb *t = NULL;
349 t = tlvdb_parse_multi(data, datalen);
350 if (t) {
351 int retrycnt = 0;
352 struct tlvdb *ttmp = tlvdb_find_path(t, (tlv_tag_t[]){0x6f, 0xa5, 0xbf0c, 0x61, 0x00});
353 if (!ttmp)
354 PrintAndLog("PPSE don't have records.");
355
356 while (ttmp) {
357 const struct tlv *tgAID = tlvdb_get_inchild(ttmp, 0x4f, NULL);
358 if (tgAID) {
359 res = EMVSelect(channel, false, true, (uint8_t *)tgAID->value, tgAID->len, data, sizeof(data), &datalen, &sw, tlv);
360
361 // retry if error and not returned sw error
362 if (res && res != 5) {
363 if (++retrycnt < 3){
364 continue;
365 } else {
366 // card select error, proxmark error
367 if (res == 1) {
368 PrintAndLog("Exit...");
369 return 1;
370 }
371
372 retrycnt = 0;
373 PrintAndLog("Retry failed [%s]. Skiped...", sprint_hex_inrow(tgAID->value, tgAID->len));
374 }
375
376 // next element
377 ttmp = tlvdb_find_next(ttmp, 0x61);
378 continue;
379 }
380 retrycnt = 0;
381
382 // all is ok
383 if (decodeTLV){
384 PrintAndLog("%s:", sprint_hex_inrow(tgAID->value, tgAID->len));
385 TLVPrintFromBuffer(data, datalen);
386 }
387 }
388
389 ttmp = tlvdb_find_next(ttmp, 0x61);
390 }
391
392 tlvdb_free(t);
393 } else {
394 PrintAndLog("PPSE ERROR: Can't get TLV from response.");
395 }
396 } else {
397 PrintAndLog("PPSE ERROR: Can't select PPSE AID. Error: %d", res);
398 }
399
400 if(!LeaveFieldON)
401 DropField();
402
403 return res;
404 }
405
406 int EMVSearch(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, bool decodeTLV, struct tlvdb *tlv) {
407 uint8_t aidbuf[APDU_AID_LEN] = {0};
408 int aidlen = 0;
409 uint8_t data[APDU_RES_LEN] = {0};
410 size_t datalen = 0;
411 uint16_t sw = 0;
412
413 int res = 0;
414 int retrycnt = 0;
415 for(int i = 0; i < AIDlistLen; i ++) {
416 param_gethex_to_eol(AIDlist[i].aid, 0, aidbuf, sizeof(aidbuf), &aidlen);
417 res = EMVSelect(channel, (i == 0) ? ActivateField : false, (i == AIDlistLen - 1) ? LeaveFieldON : true, aidbuf, aidlen, data, sizeof(data), &datalen, &sw, tlv);
418 // retry if error and not returned sw error
419 if (res && res != 5) {
420 if (++retrycnt < 3){
421 i--;
422 } else {
423 // (1) - card select error, proxmark error OR (200) - result length = 0
424 if (res == 1 || res == 200) {
425 PrintAndLogEx(WARNING, "Exit...");
426 return 1;
427 }
428
429 retrycnt = 0;
430 PrintAndLog("Retry failed [%s]. Skiped...", AIDlist[i].aid);
431 }
432 continue;
433 }
434 retrycnt = 0;
435
436 if (res)
437 continue;
438
439 if (decodeTLV){
440 PrintAndLog("%s:", AIDlist[i].aid);
441 TLVPrintFromBuffer(data, datalen);
442 }
443 }
444
445 return 0;
446 }
447
448 int EMVSelectApplication(struct tlvdb *tlv, uint8_t *AID, size_t *AIDlen) {
449 // check priority. 0x00 - highest
450 int prio = 0xffff;
451
452 *AIDlen = 0;
453
454 struct tlvdb *ttmp = tlvdb_find(tlv, 0x6f);
455 if (!ttmp)
456 return 1;
457
458 while (ttmp) {
459 const struct tlv *tgAID = tlvdb_get_inchild(ttmp, 0x84, NULL);
460 const struct tlv *tgPrio = tlvdb_get_inchild(ttmp, 0x87, NULL);
461
462 if (!tgAID)
463 break;
464
465 if (tgPrio) {
466 int pt = bytes_to_num((uint8_t*)tgPrio->value, (tgPrio->len < 2) ? tgPrio->len : 2);
467 if (pt < prio) {
468 prio = pt;
469
470 memcpy(AID, tgAID->value, tgAID->len);
471 *AIDlen = tgAID->len;
472 }
473 } else {
474 // takes the first application from list wo priority
475 if (!*AIDlen) {
476 memcpy(AID, tgAID->value, tgAID->len);
477 *AIDlen = tgAID->len;
478 }
479 }
480
481 ttmp = tlvdb_find_next(ttmp, 0x6f);
482 }
483
484 return 0;
485 }
486
487 int EMVGPO(EMVCommandChannel channel, bool LeaveFieldON, uint8_t *PDOL, size_t PDOLLen, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
488 return EMVExchange(channel, LeaveFieldON, (sAPDU){0x80, 0xa8, 0x00, 0x00, PDOLLen, PDOL}, Result, MaxResultLen, ResultLen, sw, tlv);
489 }
490
491 int EMVReadRecord(EMVCommandChannel channel, bool LeaveFieldON, uint8_t SFI, uint8_t SFIrec, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
492 int res = EMVExchange(channel, LeaveFieldON, (sAPDU){0x00, 0xb2, SFIrec, (SFI << 3) | 0x04, 0, NULL}, Result, MaxResultLen, ResultLen, sw, tlv);
493 if (*sw == 0x6700) {
494 PrintAndLogEx(INFO, ">>> trying to reissue command withouth Le...");
495 res = EMVExchangeEx(channel, false, LeaveFieldON, (sAPDU){0x00, 0xb2, SFIrec, (SFI << 3) | 0x04, 0, NULL}, false, Result, MaxResultLen, ResultLen, sw, tlv);
496 }
497 return res;
498 }
499
500 int EMVAC(EMVCommandChannel channel, bool LeaveFieldON, uint8_t RefControl, uint8_t *CDOL, size_t CDOLLen, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
501 return EMVExchange(channel, LeaveFieldON, (sAPDU){0x80, 0xae, RefControl, 0x00, CDOLLen, CDOL}, Result, MaxResultLen, ResultLen, sw, tlv);
502 }
503
504 int EMVGenerateChallenge(EMVCommandChannel channel, bool LeaveFieldON, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
505 int res = EMVExchange(channel, LeaveFieldON, (sAPDU){0x00, 0x84, 0x00, 0x00, 0x00, NULL}, Result, MaxResultLen, ResultLen, sw, tlv);
506 if (*sw == 0x6700) {
507 PrintAndLogEx(INFO, ">>> trying to reissue command withouth Le...");
508 res = EMVExchangeEx(channel, false, LeaveFieldON, (sAPDU){0x00, 0x84, 0x00, 0x00, 0x00, NULL}, false, Result, MaxResultLen, ResultLen, sw, tlv);
509 }
510 return res;
511 }
512
513 int EMVInternalAuthenticate(EMVCommandChannel channel, bool LeaveFieldON, uint8_t *DDOL, size_t DDOLLen, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
514 return EMVExchange(channel, LeaveFieldON, (sAPDU){0x00, 0x88, 0x00, 0x00, DDOLLen, DDOL}, Result, MaxResultLen, ResultLen, sw, tlv);
515 }
516
517 int MSCComputeCryptoChecksum(EMVCommandChannel channel, bool LeaveFieldON, uint8_t *UDOL, uint8_t UDOLlen, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
518 return EMVExchange(channel, LeaveFieldON, (sAPDU){0x80, 0x2a, 0x8e, 0x80, UDOLlen, UDOL}, Result, MaxResultLen, ResultLen, sw, tlv);
519 }
520
521 // Authentication
522 static struct emv_pk *get_ca_pk(struct tlvdb *db) {
523 const struct tlv *df_tlv = tlvdb_get(db, 0x84, NULL);
524 const struct tlv *caidx_tlv = tlvdb_get(db, 0x8f, NULL);
525
526 if (!df_tlv || !caidx_tlv || df_tlv->len < 6 || caidx_tlv->len != 1)
527 return NULL;
528
529 PrintAndLog("CA public key index 0x%0x", caidx_tlv->value[0]);
530 return emv_pk_get_ca_pk(df_tlv->value, caidx_tlv->value[0]);
531 }
532
533 int trSDA(struct tlvdb *tlv) {
534
535 struct emv_pk *pk = get_ca_pk(tlv);
536 if (!pk) {
537 PrintAndLog("ERROR: Key not found. Exit.");
538 return 2;
539 }
540
541 struct emv_pk *issuer_pk = emv_pki_recover_issuer_cert(pk, tlv);
542 if (!issuer_pk) {
543 emv_pk_free(pk);
544 PrintAndLog("ERROR: Issuer certificate not found. Exit.");
545 return 2;
546 }
547
548 PrintAndLog("Issuer PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx",
549 issuer_pk->rid[0],
550 issuer_pk->rid[1],
551 issuer_pk->rid[2],
552 issuer_pk->rid[3],
553 issuer_pk->rid[4],
554 issuer_pk->index,
555 issuer_pk->serial[0],
556 issuer_pk->serial[1],
557 issuer_pk->serial[2]
558 );
559
560 const struct tlv *sda_tlv = tlvdb_get(tlv, 0x21, NULL);
561 if (!sda_tlv || sda_tlv->len < 1) {
562 emv_pk_free(issuer_pk);
563 emv_pk_free(pk);
564 PrintAndLog("ERROR: Can't find input list for Offline Data Authentication. Exit.");
565 return 3;
566 }
567
568 struct tlvdb *dac_db = emv_pki_recover_dac(issuer_pk, tlv, sda_tlv);
569 if (dac_db) {
570 const struct tlv *dac_tlv = tlvdb_get(dac_db, 0x9f45, NULL);
571 PrintAndLog("SDA verified OK. (%02hhx:%02hhx)\n", dac_tlv->value[0], dac_tlv->value[1]);
572 tlvdb_add(tlv, dac_db);
573 } else {
574 emv_pk_free(issuer_pk);
575 emv_pk_free(pk);
576 PrintAndLog("ERROR: SSAD verify error");
577 return 4;
578 }
579
580 emv_pk_free(issuer_pk);
581 emv_pk_free(pk);
582 return 0;
583 }
584
585 static const unsigned char default_ddol_value[] = {0x9f, 0x37, 0x04};
586 static struct tlv default_ddol_tlv = {.tag = 0x9f49, .len = 3, .value = default_ddol_value };
587
588 int trDDA(EMVCommandChannel channel, bool decodeTLV, struct tlvdb *tlv) {
589 uint8_t buf[APDU_RES_LEN] = {0};
590 size_t len = 0;
591 uint16_t sw = 0;
592
593 struct emv_pk *pk = get_ca_pk(tlv);
594 if (!pk) {
595 PrintAndLog("ERROR: Key not found. Exit.");
596 return 2;
597 }
598
599 const struct tlv *sda_tlv = tlvdb_get(tlv, 0x21, NULL);
600 if (!sda_tlv || sda_tlv->len < 1) {
601 emv_pk_free(pk);
602 PrintAndLog("ERROR: Can't find input list for Offline Data Authentication. Exit.");
603 return 3;
604 }
605
606 struct emv_pk *issuer_pk = emv_pki_recover_issuer_cert(pk, tlv);
607 if (!issuer_pk) {
608 emv_pk_free(pk);
609 PrintAndLog("ERROR: Issuer certificate not found. Exit.");
610 return 2;
611 }
612 printf("Issuer PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
613 issuer_pk->rid[0],
614 issuer_pk->rid[1],
615 issuer_pk->rid[2],
616 issuer_pk->rid[3],
617 issuer_pk->rid[4],
618 issuer_pk->index,
619 issuer_pk->serial[0],
620 issuer_pk->serial[1],
621 issuer_pk->serial[2]
622 );
623
624 struct emv_pk *icc_pk = emv_pki_recover_icc_cert(issuer_pk, tlv, sda_tlv);
625 if (!icc_pk) {
626 emv_pk_free(pk);
627 emv_pk_free(issuer_pk);
628 PrintAndLog("ERROR: ICC setrificate not found. Exit.");
629 return 2;
630 }
631 printf("ICC PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
632 icc_pk->rid[0],
633 icc_pk->rid[1],
634 icc_pk->rid[2],
635 icc_pk->rid[3],
636 icc_pk->rid[4],
637 icc_pk->index,
638 icc_pk->serial[0],
639 icc_pk->serial[1],
640 icc_pk->serial[2]
641 );
642
643 struct emv_pk *icc_pe_pk = emv_pki_recover_icc_pe_cert(issuer_pk, tlv);
644 if (!icc_pe_pk) {
645 PrintAndLog("WARNING: ICC PE PK recover error. ");
646 } else {
647 printf("ICC PE PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
648 icc_pe_pk->rid[0],
649 icc_pe_pk->rid[1],
650 icc_pe_pk->rid[2],
651 icc_pe_pk->rid[3],
652 icc_pe_pk->rid[4],
653 icc_pe_pk->index,
654 icc_pe_pk->serial[0],
655 icc_pe_pk->serial[1],
656 icc_pe_pk->serial[2]
657 );
658 }
659
660 // 9F4B: Signed Dynamic Application Data
661 const struct tlv *sdad_tlv = tlvdb_get(tlv, 0x9f4b, NULL);
662 // DDA with internal authenticate OR fDDA with filled 0x9F4B tag (GPO result)
663 // EMV kernel3 v2.4, contactless book C-3, C.1., page 147
664 if (sdad_tlv) {
665 PrintAndLog("\n* * Got Signed Dynamic Application Data (9F4B) form GPO. Maybe fDDA...");
666
667 const struct tlvdb *atc_db = emv_pki_recover_atc_ex(icc_pk, tlv, true);
668 if (!atc_db) {
669 PrintAndLog("ERROR: Can't recover IDN (ICC Dynamic Number)");
670 emv_pk_free(pk);
671 emv_pk_free(issuer_pk);
672 emv_pk_free(icc_pk);
673 return 8;
674 }
675
676 // 9f36 Application Transaction Counter (ATC)
677 const struct tlv *atc_tlv = tlvdb_get(atc_db, 0x9f36, NULL);
678 if(atc_tlv) {
679 PrintAndLog("\nATC (Application Transaction Counter) [%zu] %s", atc_tlv->len, sprint_hex_inrow(atc_tlv->value, atc_tlv->len));
680
681 const struct tlv *core_atc_tlv = tlvdb_get(tlv, 0x9f36, NULL);
682 if(tlv_equal(core_atc_tlv, atc_tlv)) {
683 PrintAndLog("ATC check OK.");
684 PrintAndLog("fDDA (fast DDA) verified OK.");
685 } else {
686 PrintAndLog("ERROR: fDDA verified, but ATC in the certificate and ATC in the record not the same.");
687 }
688 } else {
689 PrintAndLog("\nERROR: fDDA (fast DDA) verify error");
690 emv_pk_free(pk);
691 emv_pk_free(issuer_pk);
692 emv_pk_free(icc_pk);
693 return 9;
694 }
695 } else {
696 struct tlvdb *dac_db = emv_pki_recover_dac(issuer_pk, tlv, sda_tlv);
697 if (dac_db) {
698 const struct tlv *dac_tlv = tlvdb_get(dac_db, 0x9f45, NULL);
699 printf("SDA verified OK. (%02hhx:%02hhx)\n", dac_tlv->value[0], dac_tlv->value[1]);
700 tlvdb_add(tlv, dac_db);
701 } else {
702 PrintAndLog("ERROR: SSAD verify error");
703 emv_pk_free(pk);
704 emv_pk_free(issuer_pk);
705 emv_pk_free(icc_pk);
706 return 4;
707 }
708
709 PrintAndLog("\n* Calc DDOL");
710 const struct tlv *ddol_tlv = tlvdb_get(tlv, 0x9f49, NULL);
711 if (!ddol_tlv) {
712 ddol_tlv = &default_ddol_tlv;
713 PrintAndLog("DDOL [9f49] not found. Using default DDOL");
714 }
715
716 struct tlv *ddol_data_tlv = dol_process(ddol_tlv, tlv, 0);
717 if (!ddol_data_tlv) {
718 PrintAndLog("ERROR: Can't create DDOL TLV");
719 emv_pk_free(pk);
720 emv_pk_free(issuer_pk);
721 emv_pk_free(icc_pk);
722 return 5;
723 }
724
725 PrintAndLog("DDOL data[%d]: %s", ddol_data_tlv->len, sprint_hex(ddol_data_tlv->value, ddol_data_tlv->len));
726
727 PrintAndLog("\n* Internal Authenticate");
728 int res = EMVInternalAuthenticate(channel, true, (uint8_t *)ddol_data_tlv->value, ddol_data_tlv->len, buf, sizeof(buf), &len, &sw, NULL);
729 if (res) {
730 PrintAndLogEx(WARNING, "Internal Authenticate error(%d): %4x. Exit...", res, sw);
731 free(ddol_data_tlv);
732 emv_pk_free(pk);
733 emv_pk_free(issuer_pk);
734 emv_pk_free(icc_pk);
735 return 6;
736 }
737
738 struct tlvdb *dda_db = NULL;
739 if (buf[0] == 0x80) {
740 if (len < 3 ) {
741 PrintAndLog("ERROR: Internal Authenticate format1 parsing error. length=%d", len);
742 } else {
743 // 9f4b Signed Dynamic Application Data
744 dda_db = tlvdb_fixed(0x9f4b, len - 2, buf + 2);
745 tlvdb_add(tlv, dda_db);
746 if (decodeTLV){
747 PrintAndLog("* * Decode response format 1:");
748 TLVPrintFromTLV(dda_db);
749 }
750 }
751 } else {
752 dda_db = tlvdb_parse_multi(buf, len);
753 if(!dda_db) {
754 PrintAndLog("ERROR: Can't parse Internal Authenticate result as TLV");
755 free(ddol_data_tlv);
756 emv_pk_free(pk);
757 emv_pk_free(issuer_pk);
758 emv_pk_free(icc_pk);
759 return 7;
760 }
761 tlvdb_add(tlv, dda_db);
762
763 if (decodeTLV)
764 TLVPrintFromTLV(dda_db);
765 }
766
767 struct tlvdb *idn_db = emv_pki_recover_idn_ex(icc_pk, dda_db, ddol_data_tlv, true);
768 free(ddol_data_tlv);
769 if (!idn_db) {
770 PrintAndLog("ERROR: Can't recover IDN (ICC Dynamic Number)");
771 tlvdb_free(dda_db);
772 emv_pk_free(pk);
773 emv_pk_free(issuer_pk);
774 emv_pk_free(icc_pk);
775 return 8;
776 }
777 tlvdb_free(dda_db);
778
779 // 9f4c ICC Dynamic Number
780 const struct tlv *idn_tlv = tlvdb_get(idn_db, 0x9f4c, NULL);
781 if(idn_tlv) {
782 PrintAndLog("\nIDN (ICC Dynamic Number) [%zu] %s", idn_tlv->len, sprint_hex_inrow(idn_tlv->value, idn_tlv->len));
783 PrintAndLog("DDA verified OK.");
784 tlvdb_add(tlv, idn_db);
785 tlvdb_free(idn_db);
786 } else {
787 PrintAndLog("\nERROR: DDA verify error");
788 tlvdb_free(idn_db);
789
790 emv_pk_free(pk);
791 emv_pk_free(issuer_pk);
792 emv_pk_free(icc_pk);
793 return 9;
794 }
795 }
796
797 emv_pk_free(pk);
798 emv_pk_free(issuer_pk);
799 emv_pk_free(icc_pk);
800 return 0;
801 }
802
803 int trCDA(struct tlvdb *tlv, struct tlvdb *ac_tlv, struct tlv *pdol_data_tlv, struct tlv *ac_data_tlv) {
804
805 struct emv_pk *pk = get_ca_pk(tlv);
806 if (!pk) {
807 PrintAndLog("ERROR: Key not found. Exit.");
808 return 2;
809 }
810
811 const struct tlv *sda_tlv = tlvdb_get(tlv, 0x21, NULL);
812 if (!sda_tlv || sda_tlv->len < 1) {
813 PrintAndLog("ERROR: Can't find input list for Offline Data Authentication. Exit.");
814 emv_pk_free(pk);
815 return 3;
816 }
817
818 struct emv_pk *issuer_pk = emv_pki_recover_issuer_cert(pk, tlv);
819 if (!issuer_pk) {
820 PrintAndLog("ERROR: Issuer certificate not found. Exit.");
821 emv_pk_free(pk);
822 return 2;
823 }
824 printf("Issuer PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
825 issuer_pk->rid[0],
826 issuer_pk->rid[1],
827 issuer_pk->rid[2],
828 issuer_pk->rid[3],
829 issuer_pk->rid[4],
830 issuer_pk->index,
831 issuer_pk->serial[0],
832 issuer_pk->serial[1],
833 issuer_pk->serial[2]
834 );
835
836 struct emv_pk *icc_pk = emv_pki_recover_icc_cert(issuer_pk, tlv, sda_tlv);
837 if (!icc_pk) {
838 PrintAndLog("ERROR: ICC setrificate not found. Exit.");
839 emv_pk_free(pk);
840 emv_pk_free(issuer_pk);
841 return 2;
842 }
843 printf("ICC PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
844 icc_pk->rid[0],
845 icc_pk->rid[1],
846 icc_pk->rid[2],
847 icc_pk->rid[3],
848 icc_pk->rid[4],
849 icc_pk->index,
850 icc_pk->serial[0],
851 icc_pk->serial[1],
852 icc_pk->serial[2]
853 );
854
855 struct tlvdb *dac_db = emv_pki_recover_dac(issuer_pk, tlv, sda_tlv);
856 if (dac_db) {
857 const struct tlv *dac_tlv = tlvdb_get(dac_db, 0x9f45, NULL);
858 PrintAndLog("SSAD verified OK. (%02hhx:%02hhx)", dac_tlv->value[0], dac_tlv->value[1]);
859 tlvdb_add(tlv, dac_db);
860 } else {
861 PrintAndLog("ERROR: SSAD verify error");
862 emv_pk_free(pk);
863 emv_pk_free(issuer_pk);
864 emv_pk_free(icc_pk);
865 return 4;
866 }
867
868 PrintAndLog("\n* * Check Signed Dynamic Application Data (SDAD)");
869 struct tlvdb *idn_db = emv_pki_perform_cda_ex(icc_pk, tlv, ac_tlv,
870 pdol_data_tlv, // pdol
871 ac_data_tlv, // cdol1
872 NULL, // cdol2
873 true);
874 if (idn_db) {
875 const struct tlv *idn_tlv = tlvdb_get(idn_db, 0x9f4c, NULL);
876 PrintAndLog("\nIDN (ICC Dynamic Number) [%zu] %s", idn_tlv->len, sprint_hex_inrow(idn_tlv->value, idn_tlv->len));
877 PrintAndLog("CDA verified OK.");
878 tlvdb_add(tlv, idn_db);
879 } else {
880 PrintAndLog("\nERROR: CDA verify error");
881 }
882
883 emv_pk_free(pk);
884 emv_pk_free(issuer_pk);
885 emv_pk_free(icc_pk);
886 return 0;
887 }
888
889 int RecoveryCertificates(struct tlvdb *tlvRoot, json_t *root) {
890
891 struct emv_pk *pk = get_ca_pk(tlvRoot);
892 if (!pk) {
893 PrintAndLog("ERROR: Key not found. Exit.");
894 return 1;
895 }
896
897 struct emv_pk *issuer_pk = emv_pki_recover_issuer_cert(pk, tlvRoot);
898 if (!issuer_pk) {
899 emv_pk_free(pk);
900 PrintAndLog("WARNING: Issuer certificate not found. Exit.");
901 return 2;
902 }
903 PrintAndLog("Issuer PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx",
904 issuer_pk->rid[0],
905 issuer_pk->rid[1],
906 issuer_pk->rid[2],
907 issuer_pk->rid[3],
908 issuer_pk->rid[4],
909 issuer_pk->index,
910 issuer_pk->serial[0],
911 issuer_pk->serial[1],
912 issuer_pk->serial[2]
913 );
914
915 JsonSaveBufAsHex(root, "$.ApplicationData.RID", issuer_pk->rid, 5);
916
917 char *issuer_pk_c = emv_pk_dump_pk(issuer_pk);
918 JsonSaveStr(root, "$.ApplicationData.IssuerPublicKeyDec", issuer_pk_c);
919 JsonSaveBufAsHex(root, "$.ApplicationData.IssuerPublicKeyModulus", issuer_pk->modulus, issuer_pk->mlen);
920 free(issuer_pk_c);
921
922 struct emv_pk *icc_pk = emv_pki_recover_icc_cert(issuer_pk, tlvRoot, NULL);
923 if (!icc_pk) {
924 emv_pk_free(pk);
925 emv_pk_free(issuer_pk);
926 PrintAndLog("WARNING: ICC certificate not found. Exit.");
927 return 2;
928 }
929 printf("ICC PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
930 icc_pk->rid[0],
931 icc_pk->rid[1],
932 icc_pk->rid[2],
933 icc_pk->rid[3],
934 icc_pk->rid[4],
935 icc_pk->index,
936 icc_pk->serial[0],
937 icc_pk->serial[1],
938 icc_pk->serial[2]
939 );
940
941 char *icc_pk_c = emv_pk_dump_pk(icc_pk);
942 JsonSaveStr(root, "$.ApplicationData.ICCPublicKeyDec", icc_pk_c);
943 JsonSaveBufAsHex(root, "$.ApplicationData.ICCPublicKeyModulus", icc_pk->modulus, icc_pk->mlen);
944 free(issuer_pk_c);
945
946 return 0;
947 }
Impressum, Datenschutz