Hi Arijen,
Arijen Geerts wrote:
Hi all,
I do not know if you are able to help me but will give it a try.
Currently I need to write my finals at University and decided to write
about national identity cards.
Since I am Belgium citizen I am focussing on the Belpic card. I
got/collected already all belpic documentation freely available.
You already checked out
http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/BelgianEidCardGraphsTOC
?
Now I am considering to write a small "ADPU Script" to demonstrate how
to sign a simple SHA1 Hash (RSA).
FYI: there's a middleware (based on opensc) available that already does
this:-)
Unfortunatly I do not have my card yet so I cannot write it myself.
Reading the documentation it should be only a few commands. So maybe
somebody can send them to me?
Let me write what I figured out till now.
1. First I select the root 3f00 with select file
2. Then I select the belpic application with the AID
You can first select the AID (optional), then the pkcs15 dir: 3f00/df00
3. Now I verify PIN. (But which format does it has to be? PIN2, Ascii....)
It's open platform encoding (or so): first byte = 0x20 + number of
digits, then the digits in BCD, then pad with 0xF
E.g. PIN = 1234 -> 24 12 34 FF FF FF FF FF
4. Now switch the security environment (But which one do I have to use?)
04 80 xx 84 yy
with xx = the algo ref (e.g. 01 for PKCS1) and yy the key ref (0x82 for
the auth key, 0x3 for the nonrep key)
5. Now I call the command to sign the hash. But do I send just the
simple hash to the card or do I have to include it in an ASN.1 structure.
It would be really great if somebody could correct my points 1-5. Even
greater would be if somebody even knows the ADPU commands.
Here you are:
opensc-tool -s 00:A4:08:0C:04:3F:00:DF:00 -s
00:22:41:B6:05:04:80:01:84:82 -s 00:20:00:01:08:24:12:34:FF:FF:FF:FF:FF
-s
00:2A:9E:9A:23:30:21:30:09:06:05:2B:0E:03:02:1A:05:00:04:14:29:B0:E7:87:82:71:64:5F:FF:B7:EE:C7:DB:4A:74:73:A1:C0:0B:C1:00
Sending: 00 A4 08 0C 04 3F 00 DF 00
Received (SW1=0x90, SW2=0x00)
Sending: 00 22 41 B6 05 04 80 01 84 82
Received (SW1=0x90, SW2=0x00)
Sending: 00 20 00 01 08 24 12 34 FF FF FF FF FF
Received (SW1=0x90, SW2=0x00)
Sending: 00 2A 9E 9A 23 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 29
B0 E7 87 82 71 64 5F FF B7 EE C7 DB 4A 74 73 A1 C0 0B C1 00
Received (SW1=0x90, SW2=0x00):
4D 3E 12 C0 97 95 02 E5 16 57 4D 29 F8 87 88 32 M>.......WM)...2
78 FB 62 29 D7 7A 09 D5 BA BA 78 9B 05 F0 44 BF x.b).z....x...D.
03 AC 31 91 1C 76 24 83 25 AD 95 C0 09 A4 DE 4A ..1..v$.%......J
73 69 4A DC C1 40 F0 ED 65 07 69 69 E4 26 3E 9F [EMAIL PROTECTED]&>.
D4 C2 EA 9A 66 15 BB 50 01 AA EE F7 20 95 4C E7 ....f..P.... .L.
34 39 AC 7A C3 3B 40 41 18 BB E7 08 0B 78 1D 69 49.z.;@A.....x.i
16 D7 14 2B 1D 9A 89 13 32 21 1A E0 CA F3 08 70 ...+....2!.....p
59 21 D1 A4 D9 78 6B 8A 43 8B 3E 6D 1C 92 C6 F9 Y!...xk.C.>m....
So the pkcs1 algo is used, in which key with have to pre-pend the 'SHA-1
AID'
(30 21 30 09 ... 00 04 14) before the SHA-1 hash (29 B0 .. C1 00). So
you could
also use the pkcs1+SHA-1 algo (algo ref = 2) directly: 00 22 41 B6 05 04
80 02 84 82
and then 00 2A 9E 9A 14 29 B0 E7 ... 0B C1 00
TIA and Kind Regards
Arijen Geerts
Good luck,
Stef
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
