]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/epa.c
Add Viking demod,
[proxmark3-svn] / armsrc / epa.c
1 //-----------------------------------------------------------------------------
2 // Frederik Möllers - August 2012
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Routines to support the German electronic "Personalausweis" (ID card)
9 // Note that the functions which do not implement USB commands do NOT initialize
10 // the card (with iso14443a_select_card etc.). If You want to use these
11 // functions, You need to do the setup before calling them!
12 //-----------------------------------------------------------------------------
13
14 #include "iso14443a.h"
15 #include "iso14443b.h"
16 #include "epa.h"
17 #include "cmd.h"
18
19 // Protocol and Parameter Selection Request for ISO 14443 type A cards
20 // use regular (1x) speed in both directions
21 // CRC is already included
22 static const uint8_t pps[] = {0xD0, 0x11, 0x00, 0x52, 0xA6};
23
24 // APDUs for communication with German Identification Card
25
26 // General Authenticate (request encrypted nonce) WITHOUT the Le at the end
27 static const uint8_t apdu_general_authenticate_pace_get_nonce[] = {
28 0x10, // CLA
29 0x86, // INS
30 0x00, // P1
31 0x00, // P2
32 0x02, // Lc
33 0x7C, // Type: Dynamic Authentication Data
34 0x00, // Length: 0 bytes
35 };
36
37 // MSE: Set AT (only CLA, INS, P1 and P2)
38 static const uint8_t apdu_mse_set_at_start[] = {
39 0x00, // CLA
40 0x22, // INS
41 0xC1, // P1
42 0xA4, // P2
43 };
44
45 // SELECT BINARY with the ID for EF.CardAccess
46 static const uint8_t apdu_select_binary_cardaccess[] = {
47 0x00, // CLA
48 0xA4, // INS
49 0x02, // P1
50 0x0C, // P2
51 0x02, // Lc
52 0x01, // ID
53 0x1C // ID
54 };
55
56 // READ BINARY
57 static const uint8_t apdu_read_binary[] = {
58 0x00, // CLA
59 0xB0, // INS
60 0x00, // P1
61 0x00, // P2
62 0x38 // Le
63 };
64
65
66 // the leading bytes of a PACE OID
67 static const uint8_t oid_pace_start[] = {
68 0x04, // itu-t, identified-organization
69 0x00, // etsi
70 0x7F, // reserved
71 0x00, // etsi-identified-organization
72 0x07, // bsi-de
73 0x02, // protocols
74 0x02, // smartcard
75 0x04 // id-PACE
76 };
77
78 // APDUs for replaying:
79 // MSE: Set AT (initiate PACE)
80 static uint8_t apdu_replay_mse_set_at_pace[41];
81 // General Authenticate (Get Nonce)
82 static uint8_t apdu_replay_general_authenticate_pace_get_nonce[8];
83 // General Authenticate (Map Nonce)
84 static uint8_t apdu_replay_general_authenticate_pace_map_nonce[75];
85 // General Authenticate (Mutual Authenticate)
86 static uint8_t apdu_replay_general_authenticate_pace_mutual_authenticate[75];
87 // General Authenticate (Perform Key Agreement)
88 static uint8_t apdu_replay_general_authenticate_pace_perform_key_agreement[18];
89 // pointers to the APDUs (for iterations)
90 static struct {
91 uint8_t len;
92 uint8_t *data;
93 } const apdus_replay[] = {
94 {sizeof(apdu_replay_mse_set_at_pace), apdu_replay_mse_set_at_pace},
95 {sizeof(apdu_replay_general_authenticate_pace_get_nonce), apdu_replay_general_authenticate_pace_get_nonce},
96 {sizeof(apdu_replay_general_authenticate_pace_map_nonce), apdu_replay_general_authenticate_pace_map_nonce},
97 {sizeof(apdu_replay_general_authenticate_pace_mutual_authenticate), apdu_replay_general_authenticate_pace_mutual_authenticate},
98 {sizeof(apdu_replay_general_authenticate_pace_perform_key_agreement), apdu_replay_general_authenticate_pace_perform_key_agreement}
99 };
100
101 // lengths of the replay APDUs
102 static uint8_t apdu_lengths_replay[5];
103
104 // type of card (ISO 14443 A or B)
105 static char iso_type = 0;
106
107 //-----------------------------------------------------------------------------
108 // Wrapper for sending APDUs to type A and B cards
109 //-----------------------------------------------------------------------------
110 int EPA_APDU(uint8_t *apdu, size_t length, uint8_t *response)
111 {
112 switch(iso_type)
113 {
114 case 'a':
115 return iso14_apdu(apdu, (uint16_t) length, response);
116 break;
117 case 'b':
118 return iso14443b_apdu(apdu, length, response);
119 break;
120 default:
121 return 0;
122 break;
123 }
124 }
125
126 //-----------------------------------------------------------------------------
127 // Closes the communication channel and turns off the field
128 //-----------------------------------------------------------------------------
129 void EPA_Finish()
130 {
131 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
132 LEDsoff();
133 iso_type = 0;
134 }
135
136 //-----------------------------------------------------------------------------
137 // Parses DER encoded data, e.g. from EF.CardAccess and fills out the given
138 // structs. If a pointer is 0, it is ignored.
139 // The function returns 0 on success and if an error occured, it returns the
140 // offset where it occured.
141 //
142 // TODO: This function can access memory outside of the given data if the DER
143 // encoding is broken
144 // TODO: Support skipping elements with a length > 0x7F
145 // TODO: Support OIDs with a length > 7F
146 // TODO: Support elements with long tags (tag is longer than 1 byte)
147 // TODO: Support proprietary PACE domain parameters
148 //-----------------------------------------------------------------------------
149 size_t EPA_Parse_CardAccess(uint8_t *data,
150 size_t length,
151 pace_version_info_t *pace_info)
152 {
153 size_t index = 0;
154
155 while (index <= length - 2) {
156 // determine type of element
157 // SET or SEQUENCE
158 if (data[index] == 0x31 || data[index] == 0x30) {
159 // enter the set (skip tag + length)
160 index += 2;
161 // check for extended length
162 if ((data[index - 1] & 0x80) != 0) {
163 index += (data[index-1] & 0x7F);
164 }
165 }
166 // OID
167 else if (data[index] == 0x06) {
168 // is this a PACE OID?
169 if (data[index + 1] == 0x0A // length matches
170 && memcmp(data + index + 2,
171 oid_pace_start,
172 sizeof(oid_pace_start)) == 0 // content matches
173 && pace_info != NULL)
174 {
175 // first, clear the pace_info struct
176 memset(pace_info, 0, sizeof(pace_version_info_t));
177 memcpy(pace_info->oid, data + index + 2, sizeof(pace_info->oid));
178 // a PACE OID is followed by the version
179 index += data[index + 1] + 2;
180 if (data[index] == 02 && data[index + 1] == 01) {
181 pace_info->version = data[index + 2];
182 index += 3;
183 }
184 else {
185 return index;
186 }
187 // after that there might(!) be the parameter ID
188 if (data[index] == 02 && data[index + 1] == 01) {
189 pace_info->parameter_id = data[index + 2];
190 index += 3;
191 }
192 }
193 else {
194 // skip this OID
195 index += 2 + data[index + 1];
196 }
197 }
198 // if the length is 0, something is wrong
199 // TODO: This needs to be extended to support long tags
200 else if (data[index + 1] == 0) {
201 return index;
202 }
203 else {
204 // skip this part
205 // TODO: This needs to be extended to support long tags
206 // TODO: This needs to be extended to support unknown elements with
207 // a size > 0x7F
208 index += 2 + data[index + 1];
209 }
210 }
211
212 // TODO: We should check whether we reached the end in error, but for that
213 // we need a better parser (e.g. with states like IN_SET or IN_PACE_INFO)
214 return 0;
215 }
216
217 //-----------------------------------------------------------------------------
218 // Read the file EF.CardAccess and save it into a buffer (at most max_length bytes)
219 // Returns -1 on failure or the length of the data on success
220 // TODO: for the moment this sends only 1 APDU regardless of the requested length
221 //-----------------------------------------------------------------------------
222 int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length)
223 {
224 // the response APDU of the card
225 // since the card doesn't always care for the expected length we send it,
226 // we reserve 262 bytes here just to be safe (256-byte APDU + SW + ISO frame)
227 uint8_t response_apdu[262];
228 int rapdu_length = 0;
229
230 // select the file EF.CardAccess
231 rapdu_length = EPA_APDU((uint8_t *)apdu_select_binary_cardaccess,
232 sizeof(apdu_select_binary_cardaccess),
233 response_apdu);
234 if (rapdu_length < 6
235 || response_apdu[rapdu_length - 4] != 0x90
236 || response_apdu[rapdu_length - 3] != 0x00)
237 {
238 DbpString("Failed to select EF.CardAccess!");
239 return -1;
240 }
241
242 // read the file
243 rapdu_length = EPA_APDU((uint8_t *)apdu_read_binary,
244 sizeof(apdu_read_binary),
245 response_apdu);
246 if (rapdu_length <= 6
247 || response_apdu[rapdu_length - 4] != 0x90
248 || response_apdu[rapdu_length - 3] != 0x00)
249 {
250 Dbprintf("Failed to read EF.CardAccess!");
251 return -1;
252 }
253
254 // copy the content into the buffer
255 // length of data available: apdu_length - 4 (ISO frame) - 2 (SW)
256 size_t to_copy = rapdu_length - 6;
257 to_copy = to_copy < max_length ? to_copy : max_length;
258 memcpy(buffer, response_apdu+2, to_copy);
259 return to_copy;
260 }
261
262 //-----------------------------------------------------------------------------
263 // Abort helper function for EPA_PACE_Collect_Nonce
264 // sets relevant data in ack, sends the response
265 //-----------------------------------------------------------------------------
266 static void EPA_PACE_Collect_Nonce_Abort(uint8_t step, int func_return)
267 {
268 // power down the field
269 EPA_Finish();
270
271 // send the USB packet
272 cmd_send(CMD_ACK,step,func_return,0,0,0);
273 }
274
275 //-----------------------------------------------------------------------------
276 // Acquire one encrypted PACE nonce
277 //-----------------------------------------------------------------------------
278 void EPA_PACE_Collect_Nonce(UsbCommand *c)
279 {
280 /*
281 * ack layout:
282 * arg:
283 * 1. element
284 * step where the error occured or 0 if no error occured
285 * 2. element
286 * return code of the last executed function
287 * d:
288 * Encrypted nonce
289 */
290
291 // return value of a function
292 int func_return = 0;
293
294 // set up communication
295 func_return = EPA_Setup();
296 if (func_return != 0) {
297 EPA_PACE_Collect_Nonce_Abort(1, func_return);
298 return;
299 }
300
301 // read the CardAccess file
302 // this array will hold the CardAccess file
303 uint8_t card_access[256] = {0};
304 int card_access_length = EPA_Read_CardAccess(card_access, 256);
305 // the response has to be at least this big to hold the OID
306 if (card_access_length < 18) {
307 EPA_PACE_Collect_Nonce_Abort(2, card_access_length);
308 return;
309 }
310
311 // this will hold the PACE info of the card
312 pace_version_info_t pace_version_info;
313 // search for the PACE OID
314 func_return = EPA_Parse_CardAccess(card_access,
315 card_access_length,
316 &pace_version_info);
317 if (func_return != 0 || pace_version_info.version == 0) {
318 EPA_PACE_Collect_Nonce_Abort(3, func_return);
319 return;
320 }
321
322 // initiate the PACE protocol
323 // use the CAN for the password since that doesn't change
324 func_return = EPA_PACE_MSE_Set_AT(pace_version_info, 2);
325
326 // now get the nonce
327 uint8_t nonce[256] = {0};
328 uint8_t requested_size = (uint8_t)c->arg[0];
329 func_return = EPA_PACE_Get_Nonce(requested_size, nonce);
330 // check if the command succeeded
331 if (func_return < 0)
332 {
333 EPA_PACE_Collect_Nonce_Abort(4, func_return);
334 return;
335 }
336
337 // all done, return
338 EPA_Finish();
339
340 // save received information
341 cmd_send(CMD_ACK,0,func_return,0,nonce,func_return);
342 }
343
344 //-----------------------------------------------------------------------------
345 // Performs the "Get Nonce" step of the PACE protocol and saves the returned
346 // nonce. The caller is responsible for allocating enough memory to store the
347 // nonce. Note that the returned size might be less or than or greater than the
348 // requested size!
349 // Returns the actual size of the nonce on success or a less-than-zero error
350 // code on failure.
351 //-----------------------------------------------------------------------------
352 int EPA_PACE_Get_Nonce(uint8_t requested_length, uint8_t *nonce)
353 {
354 // build the APDU
355 uint8_t apdu[sizeof(apdu_general_authenticate_pace_get_nonce) + 1];
356 // copy the constant part
357 memcpy(apdu,
358 apdu_general_authenticate_pace_get_nonce,
359 sizeof(apdu_general_authenticate_pace_get_nonce));
360 // append Le (requested length + 2 due to tag/length taking 2 bytes) in RAPDU
361 apdu[sizeof(apdu_general_authenticate_pace_get_nonce)] = requested_length + 4;
362
363 // send it
364 uint8_t response_apdu[262];
365 int send_return = EPA_APDU(apdu,
366 sizeof(apdu),
367 response_apdu);
368 // check if the command succeeded
369 if (send_return < 6
370 || response_apdu[send_return - 4] != 0x90
371 || response_apdu[send_return - 3] != 0x00)
372 {
373 return -1;
374 }
375
376 // if there is no nonce in the RAPDU, return here
377 if (send_return < 10)
378 {
379 // no error
380 return 0;
381 }
382 // get the actual length of the nonce
383 uint8_t nonce_length = response_apdu[5];
384 if (nonce_length > send_return - 10)
385 {
386 nonce_length = send_return - 10;
387 }
388 // copy the nonce
389 memcpy(nonce, response_apdu + 6, nonce_length);
390
391 return nonce_length;
392 }
393
394 //-----------------------------------------------------------------------------
395 // Initializes the PACE protocol by performing the "MSE: Set AT" step
396 // Returns 0 on success or a non-zero error code on failure
397 //-----------------------------------------------------------------------------
398 int EPA_PACE_MSE_Set_AT(pace_version_info_t pace_version_info, uint8_t password)
399 {
400 // create the MSE: Set AT APDU
401 uint8_t apdu[23];
402 // the minimum length (will be increased as more data is added)
403 size_t apdu_length = 20;
404 // copy the constant part
405 memcpy(apdu,
406 apdu_mse_set_at_start,
407 sizeof(apdu_mse_set_at_start));
408 // type: OID
409 apdu[5] = 0x80;
410 // length of the OID
411 apdu[6] = sizeof(pace_version_info.oid);
412 // copy the OID
413 memcpy(apdu + 7,
414 pace_version_info.oid,
415 sizeof(pace_version_info.oid));
416 // type: password
417 apdu[17] = 0x83;
418 // length: 1
419 apdu[18] = 1;
420 // password
421 apdu[19] = password;
422 // if standardized domain parameters are used, copy the ID
423 if (pace_version_info.parameter_id != 0) {
424 apdu_length += 3;
425 // type: domain parameter
426 apdu[20] = 0x84;
427 // length: 1
428 apdu[21] = 1;
429 // copy the parameter ID
430 apdu[22] = pace_version_info.parameter_id;
431 }
432 // now set Lc to the actual length
433 apdu[4] = apdu_length - 5;
434 // send it
435 uint8_t response_apdu[6];
436 int send_return = EPA_APDU(apdu,
437 apdu_length,
438 response_apdu);
439 // check if the command succeeded
440 if (send_return != 6
441 || response_apdu[send_return - 4] != 0x90
442 || response_apdu[send_return - 3] != 0x00)
443 {
444 return 1;
445 }
446 return 0;
447 }
448
449 //-----------------------------------------------------------------------------
450 // Perform the PACE protocol by replaying given APDUs
451 //-----------------------------------------------------------------------------
452 void EPA_PACE_Replay(UsbCommand *c)
453 {
454 uint32_t timings[sizeof(apdu_lengths_replay) / sizeof(apdu_lengths_replay[0])] = {0};
455
456 // if an APDU has been passed, save it
457 if (c->arg[0] != 0) {
458 // make sure it's not too big
459 if(c->arg[2] > apdus_replay[c->arg[0] - 1].len)
460 {
461 cmd_send(CMD_ACK, 1, 0, 0, NULL, 0);
462 }
463 memcpy(apdus_replay[c->arg[0] - 1].data + c->arg[1],
464 c->d.asBytes,
465 c->arg[2]);
466 // save/update APDU length
467 if (c->arg[1] == 0) {
468 apdu_lengths_replay[c->arg[0] - 1] = c->arg[2];
469 } else {
470 apdu_lengths_replay[c->arg[0] - 1] += c->arg[2];
471 }
472 cmd_send(CMD_ACK, 0, 0, 0, NULL, 0);
473 return;
474 }
475
476 // return value of a function
477 int func_return;
478
479 // set up communication
480 func_return = EPA_Setup();
481 if (func_return != 0) {
482 EPA_Finish();
483 cmd_send(CMD_ACK, 2, func_return, 0, NULL, 0);
484 return;
485 }
486
487 // response APDU
488 uint8_t response_apdu[300] = {0};
489
490 // now replay the data and measure the timings
491 for (int i = 0; i < sizeof(apdu_lengths_replay); i++) {
492 StartCountUS();
493 func_return = EPA_APDU(apdus_replay[i].data,
494 apdu_lengths_replay[i],
495 response_apdu);
496 timings[i] = GetCountUS();
497 // every step but the last one should succeed
498 if (i < sizeof(apdu_lengths_replay) - 1
499 && (func_return < 6
500 || response_apdu[func_return - 4] != 0x90
501 || response_apdu[func_return - 3] != 0x00))
502 {
503 EPA_Finish();
504 cmd_send(CMD_ACK, 3 + i, func_return, 0, timings, 20);
505 return;
506 }
507 }
508 EPA_Finish();
509 cmd_send(CMD_ACK,0,0,0,timings,20);
510 return;
511 }
512
513 //-----------------------------------------------------------------------------
514 // Set up a communication channel (Card Select, PPS)
515 // Returns 0 on success or a non-zero error code on failure
516 //-----------------------------------------------------------------------------
517 int EPA_Setup()
518 {
519 int return_code = 0;
520 uint8_t uid[10];
521 uint8_t pps_response[3];
522 uint8_t pps_response_par[1];
523 iso14a_card_select_t card_select_info;
524
525 // first, look for type A cards
526 // power up the field
527 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
528 // select the card
529 return_code = iso14443a_select_card(uid, &card_select_info, NULL);
530 if (return_code == 1) {
531 // send the PPS request
532 ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL);
533 return_code = ReaderReceive(pps_response, pps_response_par);
534 if (return_code != 3 || pps_response[0] != 0xD0) {
535 return return_code == 0 ? 2 : return_code;
536 }
537 Dbprintf("ISO 14443 Type A");
538 iso_type = 'a';
539 return 0;
540 }
541
542 // if we're here, there is no type A card, so we look for type B
543 // power up the field
544 iso14443b_setup();
545 // select the card
546 return_code = iso14443b_select_card();
547 if (return_code == 1) {
548 Dbprintf("ISO 14443 Type B");
549 iso_type = 'b';
550 return 0;
551 }
552 Dbprintf("No card found.");
553 return 1;
554 }
Impressum, Datenschutz