]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/emv/emv_pki.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
fix emv roca hash error (#781)
[proxmark3-svn] / client / emv / emv_pki.c
1 /*
2 * libopenemv - a library to work with EMV family of smart cards
3 * Copyright (C) 2015 Dmitry Eremin-Solenikov
4 *
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2.1 of the License, or (at your option) any later version.
9 *
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
14 */
15
16 #ifdef HAVE_CONFIG_H
17 #include <config.h>
18 #endif
19
20 #include "emv_pki.h"
21
22 #include <stdlib.h>
23 #include <string.h>
24 #include <stdarg.h>
25 #include "crypto.h"
26 #include "dump.h"
27 #include "util.h"
28 #include "ui.h"
29
30 static bool strictExecution = true;
31 void PKISetStrictExecution(bool se) {
32 strictExecution = se;
33 }
34
35 static const unsigned char empty_tlv_value[] = {};
36 static const struct tlv empty_tlv = {.tag = 0x0, .len = 0, .value = empty_tlv_value};
37
38 static size_t emv_pki_hash_psn[256] = { 0, 0, 11, 2, 17, 2, };
39
40 static unsigned char *emv_pki_decode_message(const struct emv_pk *enc_pk,
41 uint8_t msgtype,
42 size_t *len,
43 const struct tlv *cert_tlv,
44 int tlv_count,
45 ... /* A list of tlv pointers */
46 )
47 {
48 struct crypto_pk *kcp;
49 unsigned char *data;
50 size_t data_len;
51 va_list vl;
52
53 if (!enc_pk)
54 return NULL;
55
56 if (!cert_tlv) {
57 PrintAndLogEx(ERR, "Can't find certificate\n");
58 return NULL;
59 }
60
61 if (cert_tlv->len != enc_pk->mlen) {
62 PrintAndLogEx(ERR, "Certificate length (%zd) not equal key length (%zd)\n", cert_tlv->len, enc_pk->mlen);
63 return NULL;
64 }
65 kcp = crypto_pk_open(enc_pk->pk_algo,
66 enc_pk->modulus, enc_pk->mlen,
67 enc_pk->exp, enc_pk->elen);
68 if (!kcp)
69 return NULL;
70
71 data = crypto_pk_encrypt(kcp, cert_tlv->value, cert_tlv->len, &data_len);
72 crypto_pk_close(kcp);
73
74 /*if (true){
75 PrintAndLogEx(INFO, "Recovered data:\n");
76 dump_buffer(data, data_len, stdout, 0);
77 }*/
78
79 if (data[data_len-1] != 0xbc || data[0] != 0x6a || data[1] != msgtype) {
80 PrintAndLogEx(ERR, "Certificate format\n");
81 free(data);
82 return NULL;
83 }
84
85 size_t hash_pos = emv_pki_hash_psn[msgtype];
86 if (hash_pos == 0 || hash_pos > data_len){
87 PrintAndLogEx(ERR, "Can't get hash position in the certificate\n");
88 free(data);
89 return NULL;
90 }
91
92 struct crypto_hash *ch;
93 ch = crypto_hash_open(data[hash_pos]);
94 if (!ch) {
95 PrintAndLogEx(ERR, "Can't do hash\n");
96 free(data);
97 return NULL;
98 }
99
100 size_t hash_len = crypto_hash_get_size(ch);
101 crypto_hash_write(ch, data + 1, data_len - 2 - hash_len);
102
103 va_start(vl, tlv_count);
104 for (int i = 0; i < tlv_count; i++) {
105 const struct tlv *add_tlv = va_arg(vl, const struct tlv *);
106 if (!add_tlv)
107 continue;
108
109 crypto_hash_write(ch, add_tlv->value, add_tlv->len);
110 }
111 va_end(vl);
112
113 uint8_t hash[hash_len];
114 memset(hash, 0, hash_len);
115 memcpy(hash, crypto_hash_read(ch), hash_len);
116 if (memcmp(data + data_len - 1 - hash_len, hash, hash_len)) {
117 PrintAndLogEx(ERR, "Calculated wrong hash\n");
118 PrintAndLogEx(INFO, "decoded: %s\n",sprint_hex(data + data_len - 1 - hash_len, hash_len));
119 PrintAndLogEx(INFO, "calculated: %s\n",sprint_hex(hash, hash_len));
120
121 if (strictExecution) {
122 crypto_hash_close(ch);
123 free(data);
124 return NULL;
125 }
126 }
127
128 crypto_hash_close(ch);
129
130 *len = data_len - hash_len - 1;
131
132 return data;
133 }
134
135 static unsigned emv_cn_length(const struct tlv *tlv)
136 {
137 int i;
138
139 for (i = 0; i < tlv->len; i++) {
140 unsigned char c = tlv->value[i];
141
142 if (c >> 4 == 0xf)
143 return 2 * i;
144
145 if ((c & 0xf) == 0xf)
146 return 2 * i + 1;
147 }
148
149 return 2 * tlv->len;
150 }
151
152 static unsigned char emv_cn_get(const struct tlv *tlv, unsigned pos)
153 {
154 if (pos > tlv->len * 2)
155 return 0xf;
156
157 unsigned char c = tlv->value[pos / 2];
158
159 if (pos % 2)
160 return c & 0xf;
161 else
162 return c >> 4;
163 }
164
165 static struct emv_pk *emv_pki_decode_key_ex(const struct emv_pk *enc_pk,
166 unsigned char msgtype,
167 const struct tlv *pan_tlv,
168 const struct tlv *cert_tlv,
169 const struct tlv *exp_tlv,
170 const struct tlv *rem_tlv,
171 const struct tlv *add_tlv,
172 const struct tlv *sdatl_tlv,
173 bool showData
174 )
175 {
176 size_t pan_length;
177 unsigned char *data;
178 size_t data_len;
179 size_t pk_len;
180
181 if (!cert_tlv || !exp_tlv || !pan_tlv)
182 return NULL;
183
184 if (!rem_tlv)
185 rem_tlv = &empty_tlv;
186
187 if (msgtype == 2)
188 pan_length = 4;
189 else if (msgtype == 4)
190 pan_length = 10;
191 else {
192 PrintAndLogEx(ERR, "Message type must be 2 or 4\n");
193 return NULL;
194 }
195
196 data = emv_pki_decode_message(enc_pk, msgtype, &data_len,
197 cert_tlv,
198 5,
199 rem_tlv,
200 exp_tlv,
201 add_tlv,
202 sdatl_tlv,
203 NULL);
204 if (!data || data_len < 11 + pan_length) {
205 PrintAndLogEx(ERR, "Can't decode message\n");
206 return NULL;
207 }
208
209 if (showData){
210 PrintAndLogEx(INFO, "Recovered data:\n");
211 dump_buffer(data, data_len, stdout, 0);
212 }
213
214 /* Perform the rest of checks here */
215
216 struct tlv pan2_tlv = {
217 .tag = 0x5a,
218 .len = pan_length,
219 .value = &data[2],
220 };
221 unsigned pan_len = emv_cn_length(pan_tlv);
222 unsigned pan2_len = emv_cn_length(&pan2_tlv);
223
224 if (((msgtype == 2) && (pan2_len < 4 || pan2_len > pan_len)) ||
225 ((msgtype == 4) && (pan2_len != pan_len))) {
226 PrintAndLogEx(ERR, "Invalid PAN lengths\n");
227 free(data);
228
229 return NULL;
230 }
231
232 unsigned i;
233 for (i = 0; i < pan2_len; i++)
234 if (emv_cn_get(pan_tlv, i) != emv_cn_get(&pan2_tlv, i)) {
235 PrintAndLogEx(ERR, "PAN data mismatch\n");
236 PrintAndLogEx(INFO, "tlv pan=%s\n", sprint_hex(pan_tlv->value, pan_tlv->len));
237 PrintAndLogEx(INFO, "cert pan=%s\n", sprint_hex(pan2_tlv.value, pan2_tlv.len));
238 free(data);
239
240 return NULL;
241 }
242
243 pk_len = data[9 + pan_length];
244 if (pk_len > data_len - 11 - pan_length + rem_tlv->len) {
245 PrintAndLogEx(ERR, "Invalid pk length\n");
246 free(data);
247 return NULL;
248 }
249
250 if (exp_tlv->len != data[10 + pan_length]) {
251 free(data);
252 return NULL;
253 }
254
255 struct emv_pk *pk = emv_pk_new(pk_len, exp_tlv->len);
256
257 memcpy(pk->rid, enc_pk->rid, 5);
258 pk->index = enc_pk->index;
259
260 pk->hash_algo = data[7 + pan_length];
261 pk->pk_algo = data[8 + pan_length];
262 pk->expire = (data[3 + pan_length] << 16) | (data[2 + pan_length] << 8) | 0x31;
263 memcpy(pk->serial, data + 4 + pan_length, 3);
264 memcpy(pk->pan, data + 2, pan_length);
265 memset(pk->pan + pan_length, 0xff, 10 - pan_length);
266
267 memcpy(pk->modulus, data + 11 + pan_length,
268 pk_len < data_len - (11 + pan_length) ?
269 pk_len :
270 data_len - (11 + pan_length));
271 memcpy(pk->modulus + data_len - (11 + pan_length), rem_tlv->value, rem_tlv->len);
272 memcpy(pk->exp, exp_tlv->value, exp_tlv->len);
273
274 free(data);
275
276 return pk;
277 }
278
279 static struct emv_pk *emv_pki_decode_key(const struct emv_pk *enc_pk,
280 unsigned char msgtype,
281 const struct tlv *pan_tlv,
282 const struct tlv *cert_tlv,
283 const struct tlv *exp_tlv,
284 const struct tlv *rem_tlv,
285 const struct tlv *add_tlv,
286 const struct tlv *sdatl_tlv
287 ) {
288 return emv_pki_decode_key_ex(enc_pk, msgtype, pan_tlv, cert_tlv, exp_tlv, rem_tlv, add_tlv, sdatl_tlv, false);
289 }
290
291 struct emv_pk *emv_pki_recover_issuer_cert(const struct emv_pk *pk, struct tlvdb *db)
292 {
293 return emv_pki_decode_key(pk, 2,
294 tlvdb_get(db, 0x5a, NULL),
295 tlvdb_get(db, 0x90, NULL),
296 tlvdb_get(db, 0x9f32, NULL),
297 tlvdb_get(db, 0x92, NULL),
298 NULL,
299 NULL);
300 }
301
302 struct emv_pk *emv_pki_recover_icc_cert(const struct emv_pk *pk, struct tlvdb *db, const struct tlv *sda_tlv)
303 {
304 size_t sdatl_len;
305 unsigned char *sdatl = emv_pki_sdatl_fill(db, &sdatl_len);
306 struct tlv sda_tdata = {
307 .tag = 0x00, // dummy tag
308 .len = sdatl_len,
309 .value = sdatl
310 };
311
312 struct emv_pk *res = emv_pki_decode_key(pk, 4,
313 tlvdb_get(db, 0x5a, NULL),
314 tlvdb_get(db, 0x9f46, NULL),
315 tlvdb_get(db, 0x9f47, NULL),
316 tlvdb_get(db, 0x9f48, NULL),
317 sda_tlv,
318 &sda_tdata);
319
320 free(sdatl); // malloc here: emv_pki_sdatl_fill
321 return res;
322 }
323
324 struct emv_pk *emv_pki_recover_icc_pe_cert(const struct emv_pk *pk, struct tlvdb *db)
325 {
326 return emv_pki_decode_key(pk, 4,
327 tlvdb_get(db, 0x5a, NULL),
328 tlvdb_get(db, 0x9f2d, NULL),
329 tlvdb_get(db, 0x9f2e, NULL),
330 tlvdb_get(db, 0x9f2f, NULL),
331 NULL,
332 NULL);
333 }
334
335 unsigned char *emv_pki_sdatl_fill(const struct tlvdb *db, size_t *sdatl_len) {
336 uint8_t buf[2048] = {0};
337 size_t len = 0;
338
339 *sdatl_len = 0;
340
341 const struct tlv *sda_tl = tlvdb_get(db, 0x9f4a, NULL);
342 if (!sda_tl || sda_tl->len <= 0)
343 return NULL;
344
345 for (int i = 0; i < sda_tl->len; i++) {
346 uint32_t tag = sda_tl->value[i]; // here may be multibyte, but now not
347 const struct tlv *elm = tlvdb_get(db, tag, NULL);
348 if (elm) {
349 memcpy(&buf[len], elm->value, elm->len);
350 len += elm->len;
351 }
352 }
353
354 if (len) {
355 *sdatl_len = len;
356 unsigned char *value = malloc(len);
357 memcpy(value, buf, len);
358 return value;
359 }
360
361 return NULL;
362 }
363
364
365 struct tlvdb *emv_pki_recover_dac_ex(const struct emv_pk *enc_pk, const struct tlvdb *db, const struct tlv *sda_tlv, bool showData)
366 {
367 size_t data_len;
368
369 // Static Data Authentication Tag List
370 size_t sdatl_len;
371 unsigned char *sdatl = emv_pki_sdatl_fill(db, &sdatl_len);
372 struct tlv sda_tdata = {
373 .tag = 0x00, // dummy tag
374 .len = sdatl_len,
375 .value = sdatl
376 };
377
378 unsigned char *data = emv_pki_decode_message(enc_pk, 3, &data_len,
379 tlvdb_get(db, 0x93, NULL),
380 3,
381 sda_tlv,
382 &sda_tdata,
383 NULL);
384
385 free(sdatl); // malloc here: emv_pki_sdatl_fill
386
387 if (!data || data_len < 5)
388 return NULL;
389
390 if (showData){
391 PrintAndLogEx(INFO, "Recovered data:\n");
392 dump_buffer(data, data_len, stdout, 0);
393 }
394
395 struct tlvdb *dac_db = tlvdb_fixed(0x9f45, 2, data+3);
396
397 free(data);
398
399 return dac_db;
400 }
401
402 struct tlvdb *emv_pki_recover_dac(const struct emv_pk *enc_pk, const struct tlvdb *db, const struct tlv *sda_tlv) {
403 return emv_pki_recover_dac_ex(enc_pk, db, sda_tlv, false);
404 }
405
406 struct tlvdb *emv_pki_recover_idn(const struct emv_pk *enc_pk, const struct tlvdb *db, const struct tlv *dyn_tlv) {
407 return emv_pki_recover_idn_ex(enc_pk, db, dyn_tlv, false);
408 }
409
410 struct tlvdb *emv_pki_recover_idn_ex(const struct emv_pk *enc_pk, const struct tlvdb *db, const struct tlv *dyn_tlv, bool showData)
411 {
412 size_t data_len;
413 unsigned char *data = emv_pki_decode_message(enc_pk, 5, &data_len,
414 tlvdb_get(db, 0x9f4b, NULL),
415 2,
416 dyn_tlv,
417 NULL);
418
419 if (!data || data_len < 3)
420 return NULL;
421
422 if (data[3] < 2 || data[3] > data_len - 3) {
423 free(data);
424 return NULL;
425 }
426
427 if (showData){
428 PrintAndLogEx(INFO, "Recovered data:\n");
429 dump_buffer(data, data_len, stdout, 0);
430 }
431
432 size_t idn_len = data[4];
433 if (idn_len > data[3] - 1) {
434 free(data);
435 return NULL;
436 }
437
438 // 9f4c ICC Dynamic Number
439 struct tlvdb *idn_db = tlvdb_fixed(0x9f4c, idn_len, data + 5);
440
441 free(data);
442
443 return idn_db;
444 }
445
446 struct tlvdb *emv_pki_recover_atc_ex(const struct emv_pk *enc_pk, const struct tlvdb *db, bool showData)
447 {
448 size_t data_len;
449 unsigned char *data = emv_pki_decode_message(enc_pk, 5, &data_len,
450 tlvdb_get(db, 0x9f4b, NULL),
451 5,
452 tlvdb_get(db, 0x9f37, NULL),
453 tlvdb_get(db, 0x9f02, NULL),
454 tlvdb_get(db, 0x5f2a, NULL),
455 tlvdb_get(db, 0x9f69, NULL),
456 NULL);
457
458 if (!data || data_len < 3)
459 return NULL;
460
461 if (data[3] < 2 || data[3] > data_len - 3) {
462 free(data);
463 return NULL;
464 }
465
466 if (showData){
467 PrintAndLogEx(INFO, "Recovered data:\n");
468 dump_buffer(data, data_len, stdout, 0);
469 }
470
471 size_t idn_len = data[4];
472 if (idn_len > data[3] - 1) {
473 free(data);
474 return NULL;
475 }
476
477 // 9f36 Application Transaction Counter (ATC)
478 struct tlvdb *atc_db = tlvdb_fixed(0x9f36, idn_len, data + 5);
479
480 free(data);
481
482 return atc_db;
483 }
484
485 static bool tlv_hash(void *data, const struct tlv *tlv, int level, bool is_leaf)
486 {
487 struct crypto_hash *ch = data;
488 size_t tag_len;
489 unsigned char *tag;
490
491 if (tlv_is_constructed(tlv))
492 return true;
493
494 if (tlv->tag == 0x9f4b)
495 return true;
496
497 tag = tlv_encode(tlv, &tag_len);
498 crypto_hash_write(ch, tag, tag_len);
499 free(tag);
500
501 return true;
502 }
503
504 struct tlvdb *emv_pki_perform_cda(const struct emv_pk *enc_pk, const struct tlvdb *db,
505 const struct tlvdb *this_db,
506 const struct tlv *pdol_data_tlv,
507 const struct tlv *crm1_tlv,
508 const struct tlv *crm2_tlv)
509 {
510 return emv_pki_perform_cda_ex(enc_pk, db, this_db, pdol_data_tlv, crm1_tlv, crm2_tlv, false);
511 }
512 struct tlvdb *emv_pki_perform_cda_ex(const struct emv_pk *enc_pk, const struct tlvdb *db,
513 const struct tlvdb *this_db, // AC TLV result
514 const struct tlv *pdol_data_tlv, // PDOL
515 const struct tlv *crm1_tlv, // CDOL1
516 const struct tlv *crm2_tlv, // CDOL2
517 bool showData)
518 {
519 const struct tlv *un_tlv = tlvdb_get(db, 0x9f37, NULL);
520 const struct tlv *cid_tlv = tlvdb_get(this_db, 0x9f27, NULL);
521
522 if (!un_tlv || !cid_tlv)
523 return NULL;
524
525 size_t data_len = 0;
526 unsigned char *data = emv_pki_decode_message(enc_pk, 5, &data_len,
527 tlvdb_get(this_db, 0x9f4b, NULL),
528 2,
529 un_tlv,
530 NULL);
531 if (!data || data_len < 3) {
532 PrintAndLogEx(ERR, "can't decode message. len %zd\n", data_len);
533 return NULL;
534 }
535
536 if (showData){
537 PrintAndLogEx(INFO, "Recovered data:\n");
538 dump_buffer(data, data_len, stdout, 0);
539 }
540
541 if (data[3] < 30 || data[3] > data_len - 4) {
542 PrintAndLogEx(ERR, "Invalid data length\n");
543 free(data);
544 return NULL;
545 }
546
547 if (!cid_tlv || cid_tlv->len != 1 || cid_tlv->value[0] != data[5 + data[4]]) {
548 PrintAndLogEx(ERR, "CID mismatch\n");
549 free(data);
550 return NULL;
551 }
552
553 struct crypto_hash *ch;
554 ch = crypto_hash_open(enc_pk->hash_algo);
555 if (!ch) {
556 PrintAndLogEx(ERR, "Can't create hash\n");
557 free(data);
558 return NULL;
559 }
560
561 if (pdol_data_tlv)
562 crypto_hash_write(ch, pdol_data_tlv->value, pdol_data_tlv->len);
563 if (crm1_tlv)
564 crypto_hash_write(ch, crm1_tlv->value, crm1_tlv->len);
565 if (crm2_tlv)
566 crypto_hash_write(ch, crm2_tlv->value, crm2_tlv->len);
567
568 tlvdb_visit(this_db, tlv_hash, ch, 0);
569
570 if (memcmp(data + 5 + data[4] + 1 + 8, crypto_hash_read(ch), 20)) {
571 PrintAndLogEx(ERR, "Calculated hash error\n");
572 crypto_hash_close(ch);
573 free(data);
574 return NULL;
575 }
576 crypto_hash_close(ch);
577
578 size_t idn_len = data[4];
579 if (idn_len > data[3] - 1) {
580 PrintAndLogEx(ERR, "Invalid IDN length\n");
581 free(data);
582 return NULL;
583 }
584
585 struct tlvdb *idn_db = tlvdb_fixed(0x9f4c, idn_len, data + 5);
586 free(data);
587
588 return idn_db;
589 }
Proxmark3 GIT tracking
Impressum, Datenschutz