Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CAN support for PACE #106

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

CAN support for PACE #106

wants to merge 2 commits into from

Conversation

TWilb
Copy link

@TWilb TWilb commented May 3, 2021

You can use the Card Access Number together with PACE.
In the Example App the CAN will be used if entered and is preferred over the MRZ data.

TWilb added 2 commits May 3, 2021 21:55
@TWilb
Adding CAN as possible key to PACE.
c0dbc51 
Not falling back to BAC if PACE was tried with CAN, this is not possible.
@TWilb
Use CAN if entered preferred over MRZ
6c25bdc
@advatar
Copy link

advatar commented Jun 15, 2021

I am testing this with a German Id. It does not work out of the box. These cards have another primary AID E80704007f00070302 that has to be in Info.plist.

When I change this I can get the PACEInfos but fail with:


tagReaderSessionDidBecomeActive
tagReaderSession:didDetect - iso7816(<NFCISO7816Tag: 0x281128f90>)
tagReaderSession:connecting to tag - iso7816(<NFCISO7816Tag: 0x281128f90>)
tagReaderSession:connected to tag - starting authentication
TagReader - Number of data bytes to read - 193
data Optional([49, 129, 193, 48, 13, 6, 8, 4, 0, 127, 0, 7, 2, 2, 2, 2, 1, 2, 48, 18, 6, 10, 4, 0, 127, 0, 7, 2, 2, 3, 2, 2, 2, 1, 2, 2, 1, 65, 48, 18, 6, 10, 4, 0, 127, 0, 7, 2, 2, 4, 2, 2, 2, 1, 2, 2, 1, 13, 48, 28, 6, 9, 4, 0, 127, 0, 7, 2, 2, 3, 2, 48, 12, 6, 7, 4, 0, 127, 0, 7, 1, 2, 2, 1, 13, 2, 1, 65, 48, 42, 6, 8, 4, 0, 127, 0, 7, 2, 2, 6, 22, 30, 104, 116, 116, 112, 58, 47, 47, 98, 115, 105, 46, 98, 117, 110, 100, 46, 100, 101, 47, 99, 105, 102, 47, 110, 112, 97, 46, 120, 109, 108, 48, 62, 6, 8, 4, 0, 127, 0, 7, 2, 2, 8, 49, 50, 48, 18, 6, 10, 4, 0, 127, 0, 7, 2, 2, 3, 2, 2, 2, 1, 2, 2, 1, 69, 48, 28, 6, 9, 4, 0, 127, 0, 7, 2, 2, 3, 2, 48, 12, 6, 7, 4, 0, 127, 0, 7, 1, 2, 2, 1, 13, 2, 1, 69]) error nil
Starting Password Authenticated Connection Establishment (PACE)
Performing PACE with id-PACE-ECDH-GM-AES-CBC-CMAC-128
Error reading tag: sw1 - 0x67, sw2 - 0x00
reason: Wrong length
PACEHandler: MSESatATMutualAuth - Error - Wrong length
   OpenSSLError: 
PACE Failed - Invalid data passed - PACE Failed

@advatar
Copy link

advatar commented Jun 15, 2021

By hard coding the APDU with

    `let cmd = NFCISO7816APDU(data: Data([0x00,0x22,0xc1,0xa4,0x12,0x80,0x0a,0x04,0x00,0x7f,0x00,0x07,0x02,0x02,0x04,0x02,0x02,0x83,0x01,0x03,0x84,0x01,0x0d]))!

`
I got this from another working app I manage to do PACE with PIN. But then it fails as the app goes back to BAC later.

tagReaderSessionDidBecomeActive
tagReaderSession:didDetect - iso7816(<NFCISO7816Tag: 0x2818f5170>)
tagReaderSession:connecting to tag - iso7816(<NFCISO7816Tag: 0x2818f5170>)
tagReaderSession:connected to tag - starting authentication
TagReader - Number of data bytes to read - 193
data Optional([49, 129, 193, 48, 13, 6, 8, 4, 0, 127, 0, 7, 2, 2, 2, 2, 1, 2, 48, 18, 6, 10, 4, 0, 127, 0, 7, 2, 2, 3, 2, 2, 2, 1, 2, 2, 1, 65, 48, 18, 6, 10, 4, 0, 127, 0, 7, 2, 2, 4, 2, 2, 2, 1, 2, 2, 1, 13, 48, 28, 6, 9, 4, 0, 127, 0, 7, 2, 2, 3, 2, 48, 12, 6, 7, 4, 0, 127, 0, 7, 1, 2, 2, 1, 13, 2, 1, 65, 48, 42, 6, 8, 4, 0, 127, 0, 7, 2, 2, 6, 22, 30, 104, 116, 116, 112, 58, 47, 47, 98, 115, 105, 46, 98, 117, 110, 100, 46, 100, 101, 47, 99, 105, 102, 47, 110, 112, 97, 46, 120, 109, 108, 48, 62, 6, 8, 4, 0, 127, 0, 7, 2, 2, 8, 49, 50, 48, 18, 6, 10, 4, 0, 127, 0, 7, 2, 2, 3, 2, 2, 2, 1, 2, 2, 1, 69, 48, 28, 6, 9, 4, 0, 127, 0, 7, 2, 2, 3, 2, 48, 12, 6, 7, 4, 0, 127, 0, 7, 1, 2, 2, 1, 13, 2, 1, 69]) error nil
Starting Password Authenticated Connection Establishment (PACE)
Performing PACE with id-PACE-ECDH-GM-AES-CBC-CMAC-128
CAN_PACE_KEY_REFERENCE
sendMSESetATMutualAuth 2
oidBytes [128, 10, 4, 0, 127, 0, 7, 2, 2, 4, 2, 2]
keyTypeBytes [131, 1, 3]
cmd [0x00, 0x22, 0xC1, 0xA4, 0x12, 0x80, 0x0A, 0x04, 0x00, 0x7F, 0x00, 0x07, 0x02, 0x02, 0x04, 0x02, 0x02, 0x83, 0x01, 0x03, 0x84, 0x01, 0x0D]
Doing PACE Step1...
Doing PACE Step2...
   Using General Mapping (GM)...
Generating ECDH mapping keys from parameterSpec - 927
Sending public mapping key to passport..
Received passports public mapping key
Doing ECDH Mapping agreement
Doing PACE Step3 - Key Exchange
Generated Ephemeral key pair
Sending ephemeral public key to passport
Doing PACE Step3 Key Agreement...
Computing shared secret...
Deriving ksEnc and ksMac keys from shared secret
Generating authentication token
Sending auth token to passport
Auth token from passport matches expected token!
Restarting secure messaging using AES encryption
PACE Successful
Re-selecting eMRTD Application
Error reading tag: sw1 - 0x69, sw2 - 0x82
reason: Security status not satisfied
Reading tag - COM
Error reading tag: sw1 - 0x6A, sw2 - 0x82
reason: File not found
ERROR - File not found
Starting Basic Access Control (BAC)
BACHandler - deriving Document Basic Access Keys
BACHandler - Getting initial challenge
BACHandler - Doing mutual authentication
Error reading tag: sw1 - 0x6A, sw2 - 0x88
reason: Referenced data not found
ERROR - Referenced data not found
BAC Failed
tagReaderSession:didInvalidateWithError - Session invalidated by user

@tienngx
Copy link

tienngx commented Jul 9, 2021

By hard coding the APDU with

    `let cmd = NFCISO7816APDU(data: Data([0x00,0x22,0xc1,0xa4,0x12,0x80,0x0a,0x04,0x00,0x7f,0x00,0x07,0x02,0x02,0x04,0x02,0x02,0x83,0x01,0x03,0x84,0x01,0x0d]))!

`
I got this from another working app I manage to do PACE with PIN. But then it fails as the app goes back to BAC later.

tagReaderSessionDidBecomeActive
tagReaderSession:didDetect - iso7816(<NFCISO7816Tag: 0x2818f5170>)
tagReaderSession:connecting to tag - iso7816(<NFCISO7816Tag: 0x2818f5170>)
tagReaderSession:connected to tag - starting authentication
TagReader - Number of data bytes to read - 193
data Optional([49, 129, 193, 48, 13, 6, 8, 4, 0, 127, 0, 7, 2, 2, 2, 2, 1, 2, 48, 18, 6, 10, 4, 0, 127, 0, 7, 2, 2, 3, 2, 2, 2, 1, 2, 2, 1, 65, 48, 18, 6, 10, 4, 0, 127, 0, 7, 2, 2, 4, 2, 2, 2, 1, 2, 2, 1, 13, 48, 28, 6, 9, 4, 0, 127, 0, 7, 2, 2, 3, 2, 48, 12, 6, 7, 4, 0, 127, 0, 7, 1, 2, 2, 1, 13, 2, 1, 65, 48, 42, 6, 8, 4, 0, 127, 0, 7, 2, 2, 6, 22, 30, 104, 116, 116, 112, 58, 47, 47, 98, 115, 105, 46, 98, 117, 110, 100, 46, 100, 101, 47, 99, 105, 102, 47, 110, 112, 97, 46, 120, 109, 108, 48, 62, 6, 8, 4, 0, 127, 0, 7, 2, 2, 8, 49, 50, 48, 18, 6, 10, 4, 0, 127, 0, 7, 2, 2, 3, 2, 2, 2, 1, 2, 2, 1, 69, 48, 28, 6, 9, 4, 0, 127, 0, 7, 2, 2, 3, 2, 48, 12, 6, 7, 4, 0, 127, 0, 7, 1, 2, 2, 1, 13, 2, 1, 69]) error nil
Starting Password Authenticated Connection Establishment (PACE)
Performing PACE with id-PACE-ECDH-GM-AES-CBC-CMAC-128
CAN_PACE_KEY_REFERENCE
sendMSESetATMutualAuth 2
oidBytes [128, 10, 4, 0, 127, 0, 7, 2, 2, 4, 2, 2]
keyTypeBytes [131, 1, 3]
cmd [0x00, 0x22, 0xC1, 0xA4, 0x12, 0x80, 0x0A, 0x04, 0x00, 0x7F, 0x00, 0x07, 0x02, 0x02, 0x04, 0x02, 0x02, 0x83, 0x01, 0x03, 0x84, 0x01, 0x0D]
Doing PACE Step1...
Doing PACE Step2...
   Using General Mapping (GM)...
Generating ECDH mapping keys from parameterSpec - 927
Sending public mapping key to passport..
Received passports public mapping key
Doing ECDH Mapping agreement
Doing PACE Step3 - Key Exchange
Generated Ephemeral key pair
Sending ephemeral public key to passport
Doing PACE Step3 Key Agreement...
Computing shared secret...
Deriving ksEnc and ksMac keys from shared secret
Generating authentication token
Sending auth token to passport
Auth token from passport matches expected token!
Restarting secure messaging using AES encryption
PACE Successful
Re-selecting eMRTD Application
Error reading tag: sw1 - 0x69, sw2 - 0x82
reason: Security status not satisfied
Reading tag - COM
Error reading tag: sw1 - 0x6A, sw2 - 0x82
reason: File not found
ERROR - File not found
Starting Basic Access Control (BAC)
BACHandler - deriving Document Basic Access Keys
BACHandler - Getting initial challenge
BACHandler - Doing mutual authentication
Error reading tag: sw1 - 0x6A, sw2 - 0x88
reason: Referenced data not found
ERROR - Referenced data not found
BAC Failed
tagReaderSession:didInvalidateWithError - Session invalidated by user

I am also learning to implement PACE with PIN. Can you please share with me the sample code you made?
Thanks you very much

@TWilb
Copy link
Author

TWilb commented Jul 10, 2021

@advatar
I think the German ID is the worst to test with - it is not an ICAO compliant document and you won't be able to read out data without doing EAC2.

@tienngx Do you try to use the German ID as well?

Using the PIN instead of a CAN should not be a big problem. Afaik it is just one different parameter. I will have a look at it.

@tienngx
Copy link

tienngx commented Jul 10, 2021

@advatar
I think the German ID is the worst to test with - it is not an ICAO compliant document and you won't be able to read out data without doing EAC2.

@tienngx Do you try to use the German ID as well?

Using the PIN instead of a CAN should not be a big problem. Afaik it is just one different parameter. I will have a look at it.

@TWilb I don't use German ID.
I tried many ways with apdu to call the access card but got the error:

cmd: 00 22 C1 A4 80 83 01 02 84

Error reading tag: sw1 - 0x6A, sw2 - 0x88
reason: Referenced data not found

@tienngx
Copy link

tienngx commented Jul 10, 2021

Thanks Andy.
I have retrieved that copy but can't do it successfully with my ID card.
Best regards!

@zayphong92
Copy link

zayphong92 commented Jul 23, 2021
edited

@advatar @tienngx @TWilb

hi` all pro
I'm using readCardAccess and it's an error like this ResponseError("Instruction code not supported or invalid", 109, 0)

=========================

func readCardAccess( completed: @escaping ([UInt8]?, NFCPassportReaderError?)->() ) {

    let cmd : NFCISO7816APDU = NFCISO7816APDU(instructionClass: 0x00, instructionCode: 0xA4, p1Parameter: 0x00, p2Parameter: 0x0C, data: Data([0x3f,0x00]), expectedResponseLength: 256)
    
    send( cmd: cmd) { response, error in
        if let error = error {
            completed( nil, error )
            return
        }
        
        // Now read EC.CardAccess
        self.selectFileAndRead(tag: [0x01,0x1C]) { data, error in
            completed( data, error)
        }
    }
}
        
        // Now read EC.CardAccess
        self.selectFileAndRead(tag: [0x01,0x1C]) { data, error in
            completed( data, error)
        }
    }
}

@visav-tietoevry visav-tietoevry mentioned this pull request Oct 5, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@TWilb @advatar @tienngx @zayphong92