laforge has uploaded this change for review. ( 
https://gerrit.osmocom.org/c/pysim/+/35769?usp=email )


Change subject: SCP02: Only C-MAC/C-ENCRYPT APDUs whose CLA byte indicates 
GlobalPlatform
......................................................................

SCP02: Only C-MAC/C-ENCRYPT APDUs whose CLA byte indicates GlobalPlatform

I'm not entirely sure if this is the right thing to do.  For sure I do
have cards which don't like SELECT with C-MAC appended... and
GlobalPlatform clearly states SELECT is coded with CLA value that has
the MSB not set (i.e. not a GlobalPlatform command).

Change-Id: Ieda75c865a6ff2725fc3c8772bb274d96b8a5a43
---
M pySim/global_platform/scp02.py
1 file changed, 28 insertions(+), 9 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/69/35769/1

diff --git a/pySim/global_platform/scp02.py b/pySim/global_platform/scp02.py
index a7325e1..4df0aff 100644
--- a/pySim/global_platform/scp02.py
+++ b/pySim/global_platform/scp02.py
@@ -94,14 +94,6 @@
 CLA_SM = 0x04

 class SCP(SecureChannel):
-    pass
-
-class SCP02(SCP):
-    """An instance of the GlobalPlatform SCP02 secure channel protocol."""
-
-    constr_iur = Struct('key_div_data'/Bytes(10), 'key_ver'/Int8ub, 
Const(b'\x02'),
-                        'seq_counter'/Int16ub, 'card_challenge'/Bytes(6), 
'card_cryptogram'/Bytes(8))
-
     def __init__(self, card_keys: 'GpCardKeyset', lchan_nr: int = 0):
         self.lchan_nr = lchan_nr
         self.card_keys = card_keys
@@ -121,6 +113,19 @@
             ret = ret | CLA_SM
         return ret + self.lchan_nr

+    def wrap_cmd_apdu(self, apdu: bytes) -> bytes:
+        # only protect those APDUs that actually are global platform commands
+        if apdu[0] & 0x80:
+            return self._wrap_cmd_apdu(apdu)
+        else:
+            return apdu
+
+class SCP02(SCP):
+    """An instance of the GlobalPlatform SCP02 secure channel protocol."""
+
+    constr_iur = Struct('key_div_data'/Bytes(10), 'key_ver'/Int8ub, 
Const(b'\x02'),
+                        'seq_counter'/Int16ub, 'card_challenge'/Bytes(6), 
'card_cryptogram'/Bytes(8))
+
     def _compute_cryptograms(self, card_challenge: bytes, host_challenge: 
bytes):
         logger.debug("host_challenge(%s), card_challenge(%s)", 
b2h(host_challenge), b2h(card_challenge))
         self.host_cryptogram = 
self.sk.calc_mac_3des(self.sk.counter.to_bytes(2, 'big') + card_challenge + 
host_challenge)
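Review bot: The new `wrap_cmd_apdu` on `SCP` passes every APDU whose CLA has bit 0x80 clear through unmodified, so once a channel is open with C-MAC or C-ENCRYPT, any interindustry-class command (not only SELECT) is sent without a MAC and with its data field in plaintext, and nothing tells the caller. Since the commit message itself is unsure about this, I would at least state the behaviour in a docstring and log the bypass in the `else` branch, e.g. `logger.debug("not wrapping non-GP APDU, header %s", b2h(apdu[:4]))`, so a trace shows which commands went out unprotected. The method also calls `self._wrap_cmd_apdu`, which the visible diff defines only in `SCP02`; declaring it on `SCP` with a body that raises `NotImplementedError` would make that contract explicit. Separately, `apdu[0]` raises `IndexError` on an empty buffer before the length check in `_wrap_cmd_apdu` is reached.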
@@ -168,7 +173,7 @@
         mac = self.sk.calc_mac_1des(header + self.host_cryptogram, True)
         return bytes([self._cla(True), INS_EXT_AUTH, self.security_level, 0, 
16]) + self.host_cryptogram + mac

-    def wrap_cmd_apdu(self, apdu: bytes) -> bytes:
+    def _wrap_cmd_apdu(self, apdu: bytes) -> bytes:
         """Wrap Command APDU for SCP02: calculate MAC and encrypt."""
         lc = len(apdu) - 5
         assert len(apdu) >= 5, "Wrong APDU length: %d" % len(apdu)


Gerrit-Project: pysim
Gerrit-Branch: master
Gerrit-Change-Id: Ieda75c865a6ff2725fc3c8772bb274d96b8a5a43
Gerrit-Change-Number: 35769
Gerrit-PatchSet: 1
Gerrit-Owner: laforge <lafo...@osmocom.org>
Gerrit-MessageType: newchange
