laforge has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/35769?usp=email )
Change subject: SCP02: Only C-MAC/C-ENCRYPT APDUs whose CLA byte indicates GlobalPlatform ...................................................................... SCP02: Only C-MAC/C-ENCRYPT APDUs whose CLA byte indicates GlobalPlatform I'm not entirely sure if this is the right thing to do. For sure I do have cards which don't like SELECT with C-MAC appended... and GlobalPlatform clearly states SELECT is coded with CLA value that has the MSB not set (i.e. not a GlobalPlatform command). Change-Id: Ieda75c865a6ff2725fc3c8772bb274d96b8a5a43 --- M pySim/global_platform/scp02.py 1 file changed, 28 insertions(+), 9 deletions(-) git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/69/35769/1
diff --git a/pySim/global_platform/scp02.py b/pySim/global_platform/scp02.py
index a7325e1..4df0aff 100644
--- a/pySim/global_platform/scp02.py
+++ b/pySim/global_platform/scp02.py
@@ -94,14 +94,6 @@
 CLA_SM = 0x04
 
 class SCP(SecureChannel):
- pass
-
-class SCP02(SCP):
- """An instance of the GlobalPlatform SCP02 secure channel protocol."""
-
- constr_iur = Struct('key_div_data'/Bytes(10), 'key_ver'/Int8ub, Const(b'\x02'),
- 'seq_counter'/Int16ub, 'card_challenge'/Bytes(6), 'card_cryptogram'/Bytes(8))
-
 def __init__(self, card_keys: 'GpCardKeyset', lchan_nr: int = 0):
 self.lchan_nr = lchan_nr
 self.card_keys = card_keys
@@ -121,6 +113,19 @@
 ret = ret | CLA_SM
 return ret + self.lchan_nr
 
+ def wrap_cmd_apdu(self, apdu: bytes) -> bytes:
+ # only protect those APDUs that actually are global platform commands
+ if apdu[0] & 0x80:
+ return self._wrap_cmd_apdu(apdu)
+ else:
+ return apdu
+
+class SCP02(SCP):
+ """An instance of the GlobalPlatform SCP02 secure channel protocol."""
+
+ constr_iur = Struct('key_div_data'/Bytes(10), 'key_ver'/Int8ub, Const(b'\x02'),
+ 'seq_counter'/Int16ub, 'card_challenge'/Bytes(6), 'card_cryptogram'/Bytes(8))
+
 def _compute_cryptograms(self, card_challenge: bytes, host_challenge: bytes):
 logger.debug("host_challenge(%s), card_challenge(%s)", b2h(host_challenge), b2h(card_challenge))
 self.host_cryptogram = self.sk.calc_mac_3des(self.sk.counter.to_bytes(2, 'big') + card_challenge + host_challenge)
@@ -168,7 +173,7 @@
 mac = self.sk.calc_mac_1des(header + self.host_cryptogram, True)
 return bytes([self._cla(True), INS_EXT_AUTH, self.security_level, 0, 16]) + self.host_cryptogram + mac
 
- def wrap_cmd_apdu(self, apdu: bytes) -> bytes:
+ def _wrap_cmd_apdu(self, apdu: bytes) -> bytes:
 """Wrap Command APDU for SCP02: calculate MAC and encrypt."""
 lc = len(apdu) - 5
 assert len(apdu) >= 5, "Wrong APDU length: %d" % len(apdu)
-- To view, visit https://gerrit.osmocom.org/c/pysim/+/35769?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: Ieda75c865a6ff2725fc3c8772bb274d96b8a5a43 Gerrit-Change-Number: 35769 Gerrit-PatchSet: 1 Gerrit-Owner: laforge <lafo...@osmocom.org> Gerrit-MessageType: newchange
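Review bot: The `else: return apdu` branch of the new `SCP.wrap_cmd_apdu` (hunk `@@ -121,6 +113,19 @@`) sends any APDU whose CLA has bit 0x80 clear without C-MAC or encryption and leaves no trace of it, so on a session whose security level requires C-MAC the logs do not show which commands went out unprotected. A debug line in that branch would make the pass-through auditable, e.g. `logger.debug("not wrapping non-GlobalPlatform APDU, CLA=%02x", apdu[0])`, and the method should get a docstring stating the CLA rule and the GlobalPlatform rationale from the commit message. `apdu[0]` also raises IndexError on an empty APDU before the length assert in `_wrap_cmd_apdu` is reached; `if not apdu: raise ValueError("empty APDU")` at the top would give a clear error. The base class now calls `self._wrap_cmd_apdu`, which in the visible hunks only `SCP02` defines, so a stub on `SCP` that raises NotImplementedError would make the contract explicit for other subclasses.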