def __eac_pace_step1(self, data): tlv_data = nPA_SE.__unpack_general_authenticate(data) if tlv_data != []: raise SwError(SW["WARN_NOINFO63"]) if self.at.keyref_is_mrz(): self.PACE_SEC = PACE_SEC(self.sam.mrz, eac.PACE_MRZ) elif self.at.keyref_is_can(): self.PACE_SEC = PACE_SEC(self.sam.can, eac.PACE_CAN) elif self.at.keyref_is_pin(): if self.sam.counter <= 0: print("Must use PUK to unblock") return 0x63c0, b"" if self.sam.counter == 1 and not self.sam.active: print("Must use CAN to activate") return 0x63c1, b"" self.PACE_SEC = PACE_SEC(self.sam.eid_pin, eac.PACE_PIN) self.sam.counter -= 1 if self.sam.counter <= 1: self.sam.active = False elif self.at.keyref_is_puk(): if self.sam.counter_puk <= 0: raise SwError(SW["WARN_NOINFO63"]) self.PACE_SEC = PACE_SEC(self.sam.puk, eac.PACE_PUK) self.sam.counter_puk -= 1 else: raise SwError(SW["ERR_INCORRECTPARAMETERS"]) self.sec = self.PACE_SEC.sec if not self.eac_ctx: eac.EAC_init() self.EAC_CTX = EAC_CTX() self.eac_ctx = self.EAC_CTX.ctx eac.CA_disable_passive_authentication(self.eac_ctx) ef_card_security = self.mf.select('fid', 0x011d) ef_card_security_data = ef_card_security.data eac.EAC_CTX_init_ef_cardsecurity(ef_card_security_data, self.eac_ctx) if self.ca_key: ca_pubkey = eac.CA_get_pubkey(self.eac_ctx, ef_card_security_data) if 1 != eac.CA_set_key(self.eac_ctx, self.ca_key, ca_pubkey): eac.print_ossl_err() raise SwError(SW["WARN_NOINFO63"]) else: # we don't have a good CA key, so we simply generate an # ephemeral one comp_pubkey = eac.TA_STEP3_generate_ephemeral_key(self.eac_ctx) pubkey = eac.CA_STEP2_get_eph_pubkey(self.eac_ctx) if not comp_pubkey or not pubkey: eac.print_ossl_err() raise SwError(SW["WARN_NOINFO63"]) # save public key in EF.CardSecurity (and invalidate the # signature) # FIXME this only works for the default EF.CardSecurity. # Better use an ASN.1 parser to do this manipulation ef_card_security = self.mf.select('fid', 0x011d) ef_card_security_data = ef_card_security.data ef_card_security_data = \ ef_card_security_data[:61+4+239+2+1] + pubkey + \ ef_card_security_data[61+4+239+2+1+len(pubkey):] ef_card_security.data = ef_card_security_data nonce = eac.PACE_STEP1_enc_nonce(self.eac_ctx, self.sec) if not nonce: eac.print_ossl_err() raise SwError(SW["WARN_NOINFO63"]) resp = nPA_SE.__pack_general_authenticate([[0x80, len(nonce), nonce]]) self.eac_step += 1 return 0x9000, resp
11) == 1 # our certificates aren't up to date eac.TA_disable_checks(ta.ctx) assert eac.EAC_CTX_init_ta(ta.ctx, None, CVCA) == 1 assert eac.TA_STEP2_import_certificate(ta.ctx, DVCA) == 1 assert eac.TA_STEP2_import_certificate(ta.ctx, CHAIN_CVC) == 1 nonce = eac.TA_STEP4_get_nonce(ta.ctx) assert nonce is not None def catest(): eac_ctx = EAC_CTX() assert eac.EAC_CTX_init_ef_cardsecurity(EF_CARDSECURITY, eac_ctx.ctx) == 1 def oidtest(): assert (eac.OBJ_txt2nid("id-CA-ECDH-AES-CBC-CMAC-128") == eac.id_CA_ECDH_AES_CBC_CMAC_128) if __name__ == "__main__": eac.EAC_init() pacetest() cvctest() catest() oidtest() tatest() eac.EAC_cleanup()