def test_CAPDU(self): a = C_APDU(1, 2, 3, 4) # case 1 b = C_APDU(1, 2, 3, 4, 5) # case 2 c = C_APDU((1, 2, 3), cla = 0x23, data = "hallo") # case 3 d = C_APDU(1, 2, 3, 4, 2, 4, 6, 0) # case 4 print() print(a) print(b) print(c) print(d) print() print(repr(a)) print(repr(b)) print(repr(c)) print(repr(d)) print() for i in a, b, c, d: print(hexdump(i.render())) print() g = C_APDU(0x00, 0xb0, 0x9c, 0x00, 0x00, 0x00, 0x00) #case 2 extended length print() print(g) print(repr(g)) print(hexdump(g.render())) h = C_APDU('\x0c\x2a\x00\xbe\x00\x01\x5f\x87\x82\x01\x51\x01\xf0\xa2\x21\xa1\x36\x27\xb1\x30\x31\x3e\xd0\x97\x09\xb5\xde\x73\x5e\x29\x90\xce\xf1\x3d\x8a\xfd\xe7\x92\xe5\xa4\x70\xb9\x5d\x31\xe2\x34\xe7\xe2\x06\x13\x17\x7a\x3e\xca\x06\x39\x24\x2e\x75\x8c\x29\x6d\xd8\xa3\x1b\x1a\x68\x58\xd0\x1a\x98\xd4\xd8\x19\x50\xe9\x1b\x3c\xd1\xfd\x10\x53\x5b\xf2\x3b\xff\x4a\xf6\x05\xd0\x72\xad\xae\xaa\x93\x1a\x0a\x90\xc8\xa1\xb1\xf1\x0a\xba\x5b\xd2\x23\x38\xf8\x9a\x38\x9e\xa2\x04\x8b\xcb\x8b\x8b\xc0\x80\xd9\x2a\x04\x47\x26\x83\xda\xfe\x57\x68\x6b\x00\xb9\xa2\xea\x96\xf2\x07\x7f\xc5\x9c\xee\xbe\xf3\x81\xbf\x24\x19\x1e\x49\x1e\x9a\x85\x8f\x34\xcb\x1a\x23\xae\x6d\x7f\xa4\xb6\x7b\x60\x5d\x56\x79\x1c\xec\x18\xcc\x09\xdb\xb2\xbb\xf4\x31\xee\x08\x54\x26\xd5\xde\x99\xfa\x43\xa2\x49\x8e\x60\xc0\xaa\x4f\xfd\xf7\xe5\xc8\x89\x43\x5e\x11\xa2\x28\xc4\x92\x11\xda\xba\xe4\x91\xec\x04\xc9\x2c\xbd\x91\x6a\x5e\x7e\xb9\x85\xa2\xfa\x07\xc9\x47\x24\xa4\x3b\x63\xef\x75\x65\xef\xaf\xac\x22\x75\x99\x8b\x19\xde\x95\x76\xc9\xc8\xbc\x30\x23\x48\x07\x28\x19\x1e\x49\x9e\xcb\x99\xc3\x48\xdd\x1d\x0f\x44\x62\x64\x2a\x19\x7b\xeb\xee\xdf\xa1\xa6\xae\x87\x6d\x93\x36\x2d\x35\x8f\xd9\x61\x73\xef\x2d\x39\xb5\xc5\xe2\x75\x4b\x63\x0b\x41\x94\x8c\xbb\x55\xf6\x98\x5f\x9c\x07\xca\xe3\x15\xe4\xe6\x93\xd0\xa3\x9b\x22\xfa\x62\x18\xc5\x63\xfa\x2d\x57\xbb\x29\x2d\x57\x10\xd3\x0c\x05\x80\x15\x27\x4b\xc0\x84\x23\x62\x22\x6b\xae\x39\xa2\x8f\x55\xac\x8e\x08\x34\x46\xcc\x83\xf9\x9d\x2a\x75\x00\x00') print() print(h) print(repr(h))
def test_CAPDU(self): a = C_APDU(1, 2, 3, 4) # case 1 b = C_APDU(1, 2, 3, 4, 5) # case 2 c = C_APDU((1, 2, 3), cla=0x23, data="hallo") # case 3 d = C_APDU(1, 2, 3, 4, 2, 4, 6, 0) # case 4 print() print(a) print(b) print(c) print(d) print() print(repr(a)) print(repr(b)) print(repr(c)) print(repr(d)) print() for i in a, b, c, d: print(hexdump(i.render())) # case 2 extended length print() g = C_APDU(0x00, 0xb0, 0x9c, 0x00, 0x00, 0x00, 0x00) print() print(g) print(repr(g)) print(hexdump(g.render())) h = C_APDU('\x0c\x2a\x00\xbe\x00\x01\x5f\x87\x82\x01\x51\x01\xf0\xa2' '\x21\xa1\x36\x27\xb1\x30\x31\x3e\xd0\x97\x09\xb5\xde\x73' '\x5e\x29\x90\xce\xf1\x3d\x8a\xfd\xe7\x92\xe5\xa4\x70\xb9' '\x5d\x31\xe2\x34\xe7\xe2\x06\x13\x17\x7a\x3e\xca\x06\x39' '\x24\x2e\x75\x8c\x29\x6d\xd8\xa3\x1b\x1a\x68\x58\xd0\x1a' '\x98\xd4\xd8\x19\x50\xe9\x1b\x3c\xd1\xfd\x10\x53\x5b\xf2' '\x3b\xff\x4a\xf6\x05\xd0\x72\xad\xae\xaa\x93\x1a\x0a\x90' '\xc8\xa1\xb1\xf1\x0a\xba\x5b\xd2\x23\x38\xf8\x9a\x38\x9e' '\xa2\x04\x8b\xcb\x8b\x8b\xc0\x80\xd9\x2a\x04\x47\x26\x83' '\xda\xfe\x57\x68\x6b\x00\xb9\xa2\xea\x96\xf2\x07\x7f\xc5' '\x9c\xee\xbe\xf3\x81\xbf\x24\x19\x1e\x49\x1e\x9a\x85\x8f' '\x34\xcb\x1a\x23\xae\x6d\x7f\xa4\xb6\x7b\x60\x5d\x56\x79' '\x1c\xec\x18\xcc\x09\xdb\xb2\xbb\xf4\x31\xee\x08\x54\x26' '\xd5\xde\x99\xfa\x43\xa2\x49\x8e\x60\xc0\xaa\x4f\xfd\xf7' '\xe5\xc8\x89\x43\x5e\x11\xa2\x28\xc4\x92\x11\xda\xba\xe4' '\x91\xec\x04\xc9\x2c\xbd\x91\x6a\x5e\x7e\xb9\x85\xa2\xfa' '\x07\xc9\x47\x24\xa4\x3b\x63\xef\x75\x65\xef\xaf\xac\x22' '\x75\x99\x8b\x19\xde\x95\x76\xc9\xc8\xbc\x30\x23\x48\x07' '\x28\x19\x1e\x49\x9e\xcb\x99\xc3\x48\xdd\x1d\x0f\x44\x62' '\x64\x2a\x19\x7b\xeb\xee\xdf\xa1\xa6\xae\x87\x6d\x93\x36' '\x2d\x35\x8f\xd9\x61\x73\xef\x2d\x39\xb5\xc5\xe2\x75\x4b' '\x63\x0b\x41\x94\x8c\xbb\x55\xf6\x98\x5f\x9c\x07\xca\xe3' '\x15\xe4\xe6\x93\xd0\xa3\x9b\x22\xfa\x62\x18\xc5\x63\xfa' '\x2d\x57\xbb\x29\x2d\x57\x10\xd3\x0c\x05\x80\x15\x27\x4b' '\xc0\x84\x23\x62\x22\x6b\xae\x39\xa2\x8f\x55\xac\x8e\x08' '\x34\x46\xcc\x83\xf9\x9d\x2a\x75\x00\x00') print() print(h) print(repr(h))
def execute(self, msg): try: c = C_APDU(msg) self.logAPDU(parsed=c, unparsed=msg) except ValueError as e: # ignore the parse failure, just don't log the parsed APDU logging.warning("Could not parse APDU:%s", str(e)) # sendCommandAPDU() expects a list of APDU bytes apdu = map(ord, msg) try: rapdu, sw1, sw2 = self.session.sendCommandAPDU(apdu) except smartcard.Exceptions.CardConnectionException as e: logging.error("Error transmitting APDU: %s", str(e)) sys.exit() # XXX this is a workaround, see on sourceforge bug #3083586 # should better use # rapdu = rapdu + [sw1, sw2] if rapdu[-2:] == [sw1, sw2]: pass else: rapdu = rapdu + [sw1, sw2] # return the response APDU as string return "".join([chr(b) for b in rapdu])
def execute(self, msg): def notImplemented(*argz, **args): raise SwError(SW["ERR_INSNOTSUPPORTED"]) try: c = C_APDU(msg) except ValueError as e: logging.debug("Failed to parse APDU %s", msg) return self.formatResult(False, 0, 0, "", SW["ERR_INCORRECTPARAMETERS"]) try: sw, result = self.ins2handler.get(c.ins, notImplemented)(c.p1, c.p2, c.data) #print type(result) except SwError as e: logging.info(e.message) #traceback.print_exception(*sys.exc_info()) sw = e.sw result = "" r = self.formatResult(c.ins, c.le, result, sw) return r
def execute(self, msg): c = C_APDU(msg) if (c.ins == 0xa4 and c.p1 == 0x02): # The belpic applet is a bit loose with interpretation of # the ISO 7816 standard on the A4 command: # - The MF can be selected by name from anywhere with P1 == # 0x02, rather than 0x00 as ISO 7816 requires if (c.data == '3F00'.decode('hex')): logging.info("Original APDU:\n%s\nRewritten to:\n", str(c)) c.p1 = 0 msg = c.render() # - Child DFs can be selected with P1 == 0x02, rather than # 0x01 as ISO 7816 requires if (c.data == 'DF00'.decode('hex') or c.data == 'DF01'.decode('hex')): logging.info("Original APDU:\n%s\nRewritten to:\n", str(c)) c.p1 = 1 msg = c.render() return Iso7816OS.execute(self, msg)
def parse_SM_CAPDU(self, CAPDU, authenticate_header): """ This methods parses a data field including Secure Messaging objects. SM_header indicates whether or not the header of the message shall be authenticated. It returns an unprotected command APDU :param CAPDU: The protected CAPDU to be parsed :param authenticate_header: Whether or not the header should be included in authentication mechanisms :returns: Unprotected command APDU """ structure = unpack(CAPDU.data) return_data = [ "", ] cla = None ins = None p1 = None p2 = None le = None if authenticate_header: to_authenticate = inttostring(CAPDU.cla) + inttostring(CAPDU.ins)+\ inttostring(CAPDU.p1) + inttostring(CAPDU.p2) to_authenticate = vsCrypto.append_padding(self.cct.blocklength, to_authenticate) else: to_authenticate = "" for tlv in structure: tag, length, value = tlv if tag % 2 == 1: #Include object in checksum calculation to_authenticate += bertlv_pack([[tag, length, value]]) #SM data objects for encapsulating plain values if tag in (SM_Class["PLAIN_VALUE_NO_TLV"], SM_Class["PLAIN_VALUE_NO_TLV_ODD"]): return_data.append(value) #FIXME: Need TLV coding? #Encapsulated SM objects. Parse them #FIXME: Need to pack value into a dummy CAPDU elif tag in (SM_Class["PLAIN_VALUE_TLV_INCULDING_SM"], SM_Class["PLAIN_VALUE_TLV_INCULDING_SM_ODD"]): return_data.append( self.parse_SM_CAPDU(value, authenticate_header)) #Encapsulated plaintext BER-TLV objects elif tag in (SM_Class["PLAIN_VALUE_TLV_NO_SM"], SM_Class["PLAIN_VALUE_TLV_NO_SM_ODD"]): return_data.append(value) elif tag in (SM_Class["Ne"], SM_Class["Ne_ODD"]): le = value elif tag == SM_Class["PLAIN_COMMAND_HEADER"]: if len(value) != 8: raise SwError(SW["ERR_SECMESSOBJECTSINCORRECT"]) else: cla = value[:2] ins = value[2:4] p1 = value[4:6] p2 = value[6:8] #SM data objects for confidentiality if tag in (SM_Class["CRYPTOGRAM_PLAIN_TLV_INCLUDING_SM"], SM_Class["CRYPTOGRAM_PLAIN_TLV_INCLUDING_SM_ODD"]): #The cryptogram includes SM objects. #We decrypt them and parse the objects. plain = self.decipher(tag, 0x80, value) #TODO: Need Le = length return_data.append( self.parse_SM_CAPDU(plain, authenticate_header)) elif tag in (SM_Class["CRYPTOGRAM_PLAIN_TLV_NO_SM"], SM_Class["CRYPTOGRAM_PLAIN_TLV_NO_SM_ODD"]): #The cryptogram includes BER-TLV encoded plaintext. #We decrypt them and return the objects. plain = self.decipher(tag, 0x80, value) return_data.append(plain) elif tag in (SM_Class["CRYPTOGRAM_PADDING_INDICATOR"], SM_Class["CRYPTOGRAM_PADDING_INDICATOR_ODD"]): #The first byte of the data field indicates the padding to use: """ Value Meaning '00' No further indication '01' Padding as specified in 6.2.3.1 '02' No padding '1X' One to four secret keys for enciphering information, not keys ('X' is a bitmap with any value from '0' to 'F') '11' indicates the first key (e.g., an "even" control word in a pay TV system) '12' indicates the second key (e.g., an "odd" control word in a pay TV system) '13' indicates the first key followed by the second key (e.g., a pair of control words in a pay TV system) '2X' Secret key for enciphering keys, not information ('X' is a reference with any value from '0' to 'F') (e.g., in a pay TV system, either an operational key for enciphering control words, or a management key for enciphering operational keys) '3X' Private key of an asymmetric key pair ('X' is a reference with any value from '0' to 'F') '4X' Password ('X' is a reference with any value from '0' to 'F') '80' to '8E' Proprietary """ padding_indicator = stringtoint(value[0]) plain = self.decipher(tag, 0x80, value[1:]) plain = vsCrypto.strip_padding(self.ct.blocklength, plain, padding_indicator) return_data.append(plain) #SM data objects for authentication if tag == SM_Class["CHECKSUM"]: auth = vsCrypto.append_padding(self.cct.blocklength, to_authenticate) checksum = self.compute_cryptographic_checksum( 0x8E, 0x80, auth) if checksum != value: raise SwError(SW["ERR_SECMESSOBJECTSINCORRECT"]) elif tag == SM_Class["DIGITAL_SIGNATURE"]: auth = to_authenticate #FIXME: Need padding? signature = self.compute_digital_signature(0x9E, 0x9A, auth) if signature != value: raise SwError(SW["ERR_SECMESSOBJECTSINCORRECT"]) elif tag in (SM_Class["HASH_CODE"], SM_Class["HASH_CODE_ODD"]): hash = self.hash(p1, p2, to_authenticate) if hash != value: raise SwError(SW["ERR_SECMESSOBJECTSINCORRECT"]) #Form unprotected CAPDU if cla == None: cla = CAPDU.cla if ins == None: ins = CAPDU.ins if p1 == None: p1 = CAPDU.p1 if p2 == None: p2 = CAPDU.p2 # FIXME #if expected != "": #raise SwError(SW["ERR_SECMESSOBJECTSMISSING"]) if isinstance(le, str): # FIXME C_APDU only handles le with strings of length 1. Better patch utils.py to support extended length apdus le_int = stringtoint(le) if le_int == 0 and len(le) > 1: le_int = MAX_EXTENDED_LE le = le_int c = C_APDU(cla=cla, ins=ins, p1=p1, p2=p2, le=le, data="".join(return_data)) return c
def execute(self, msg): def notImplemented(*argz, **args): """ If an application tries to use a function which is not implemented by the currently emulated smartcard we raise an exception which should result in an appropriate response APDU being passed to the application. """ raise SwError(SW["ERR_INSNOTSUPPORTED"]) logging.info("Command APDU (%d bytes):\n %s", len(msg), hexdump(msg, indent=2)) try: c = C_APDU(msg) logging.debug("%s", str(c)) except ValueError as e: logging.warning(str(e)) return self.formatResult(False, 0, b"", SW["ERR_INCORRECTPARAMETERS"], False) # Handle Class Byte # {{{ class_byte = c.cla SM_STATUS = None logical_channel = 0 command_chaining = 0 header_authentication = 0 # Ugly Hack for OpenSC-explorer if (class_byte == 0xb0): logging.debug("Open SC APDU") SM_STATUS = "No SM" # If Bit 8,7,6 == 0 then first industry values are used if (class_byte & 0xE0 == 0x00): # Bit 1 and 2 specify the logical channel logical_channel = class_byte & 0x03 # Bit 3 and 4 specify secure messaging secure_messaging = class_byte >> 2 secure_messaging &= 0x03 if (secure_messaging == 0x00): SM_STATUS = "No SM" elif (secure_messaging == 0x01): SM_STATUS = "Proprietary SM" # Not supported ? elif (secure_messaging == 0x02): SM_STATUS = "Standard SM" elif (secure_messaging == 0x03): SM_STATUS = "Standard SM" header_authentication = 1 # If Bit 8,7 == 01 then further industry values are used elif (class_byte & 0x0C == 0x0C): # Bit 1 to 4 specify logical channel. 4 is added, value range is # from four to nineteen logical_channel = class_byte & 0x0f logical_channel += 4 # Bit 6 indicates secure messaging secure_messaging = class_byte >> 6 if (secure_messaging == 0x00): SM_STATUS = "No SM" elif (secure_messaging == 0x01): SM_STATUS = "Standard SM" else: # Bit 8 is set to 1, which is not specified by ISO 7816-4 SM_STATUS = "Proprietary SM" # In both cases Bit 5 specifies command chaining command_chaining = class_byte >> 5 command_chaining &= 0x01 # }}} sm = False try: if SM_STATUS == "Standard SM" or SM_STATUS == "Proprietary SM": c = self.SAM.parse_SM_CAPDU(c, header_authentication) logging.info("Decrypted APDU:\n%s", str(c)) sm = True sw, result = self.ins2handler.get(c.ins, notImplemented)(c.p1, c.p2, c.data) answer = self.formatResult(Iso7816OS.seekable(c.ins), c.effective_Le, result, sw, sm) except SwError as e: logging.debug(traceback.format_exc().rstrip()) logging.info(e.message) sw = e.sw result = b"" answer = self.formatResult(False, 0, result, sw, sm) return answer