def external_authenticate(self, p1, p2, resp_data):
"""Performs the basic access control protocol as defined in
the ICAO MRTD standard"""
rnd_icc = self.last_challenge
# Receive Mutual Authenticate APDU from terminal
# Decrypt data and check MAC
Eifd = resp_data[:-8]
padded_Eifd = vsCrypto.append_padding(self.current_SE.cct.blocklength,
Eifd)
Mifd = vsCrypto.crypto_checksum("CC", self.KMac, padded_Eifd)
# Check the MAC
if not Mifd == resp_data[-8:]:
raise SwError(SW["ERR_SECMESSOBJECTSINCORRECT"])
# Decrypt the data
plain = vsCrypto.decrypt("DES3-CBC", self.KEnc, resp_data[:-8])
if plain[8:16] != rnd_icc:
raise SwError(SW["WARN_NOINFO63"])
# Extract keying material from IFD, generate ICC keying material
Kifd = plain[16:]
rnd_ifd = plain[:8]
Kicc = urandom(16)
# Generate Answer
data = plain[8:16] + plain[:8] + Kicc
Eicc = vsCrypto.encrypt("DES3-CBC", self.KEnc, data)
padded_Eicc = vsCrypto.append_padding(self.current_SE.cct.blocklength,
Eicc)
Micc = vsCrypto.crypto_checksum("CC", self.KMac, padded_Eicc)
# Derive the final keys and set the current SE
KSseed = vsCrypto.operation_on_string(Kicc, Kifd, lambda a, b: a ^ b)
self.current_SE.ct.key = self.derive_key(KSseed, 1)
self.current_SE.cct.key = self.derive_key(KSseed, 2)
self.current_SE.ssc = stringtoint(rnd_icc[-4:] + rnd_ifd[-4:])
return SW["NORMAL"], Eicc + Micc
