"... The path is not so difficult to understand. The forces of nature, natural inclinations, the patterns of events ... A primitive understanding of the world notices only four elements and goes no further, as if the universe were reduced to four phenomena accessible to plain contemplation."
Steven Erikson, "Midnight Tides".
Hi, Habr!
The APDU topic has come up on Habr more than once, but mostly in connection with smart cards, which require a reader, a card you do not mind ruining, and software, since working through the OpenSC console interface, at least under Windows, is, to put it mildly, inconvenient.
For this I wrote a small program with a window interface that works through winscard.
Sources and binaries can be downloaded here.
I compiled it under Visual Studio 2008; to build it you need to add WinSCard.lib from the Microsoft Windows SDK to the project.
Many readers probably have a blue eToken PRO Java 72K "fish" lying around with digital-signature certificates that expired years ago (experimenting on a production token that still holds a valid signing key is strongly discouraged!).
JaCarta PRO is also suitable; it differs from the eToken only in appearance.
You can also try the Gemalto SafeNet eToken 5100: you can view the contents of its directories, but you will not be able to read a file, because the timeout between the select-file and read-file commands is very short (probably a few milliseconds), so by the time the read command has been typed in by hand the selection has already expired (error code 69 85). Perhaps this is one of the reasons why, on some platforms, the keys on these tokens are no longer visible. Regarding the SafeNet eToken 5100 (with an honest "Made in China" inscription on the side) I note the following: "JaCarta Single Client" refuses to work with it and reports that the product is not supported, the 64-bit eToken PKI Client 5.1 from Aladdin does not see it, but the 32-bit version under Windows XP works with it, although for this token it is of course preferable to install the original SafeNet Authentication Client.
Other tokens, including the rest of the JaCarta family, will not work with the commands below: each vendor's proprietary APDU set is completely different, and the command codes do not match the values described in ISO 7816.
Details of the APDU command format can be found, for example, here.
A reader with a blue fish can get acquainted with APDUs without getting up from the sofa.
You need to install the eToken PKI Client 5.1 driver or "JaCarta Single Client" and plug in the token.
For a detailed, convenient view of the token's contents, and to verify what the APDU commands return, you can use JaCarta Editor, which I wrote in AutoIt.
Launch APDUExplorer, select "Aladdin Token JC 0", "ARDS JaCarta 0" or "SafeNet Token JC 0" from the list of readers, and you can start entering commands.
Bytes may be typed separated by colons, separated by spaces, or run together.
To start, check that the token responds by clicking "Check ATR": the token's ATR is returned.
The first command selects the default applet and enters the root directory with identifier 3F00 (this identifier is perhaps the only thing common to tokens from any vendor). Here P1 = 00 with an empty data field selects the MF, and P2 = 04 asks for the FCP template in reply:
00: A4: 00: 04: 00
Next, get the list of folders in the root directory with the "Report Folder List" command (its bytes are constant):
80:01:01:00:04:09:02:00:00:CD
The response should be:
0a 02 66 66 0b 01 00 90 00
The second byte of the response (position 01) is the size of the data that follows: two bytes, i.e. exactly one folder (a file or folder identifier always takes two bytes in these APDUs). The 0b 01 00 that follows is service information, and 90 00 is the success status word.
So we see a single folder with ID 66 66, called the Aladdin AID directory.
Report file list (also constant):
80:01:02:00:04:09:02:00:00:CD
The response should be:
0a 00 0b 01 00 90 00
The byte at position 01 is 00: there are no files.
Enter directory 66 66:
00 A4 08 04 02 66 66 00
This is the SELECT FILE command. Its format: the first four bytes, 00 A4 08 04, are the command itself (CLA 00, INS A4 = SELECT FILE, P1 = 08 "select by path from the MF", P2 = 04 "return the FCP template"); next comes the length of the path data field (here 02 bytes), then the path itself (here 66 66; the root's 3F00 is not included in a path of this kind), and finally 00, which is Le, the expected length of the response, rather than a terminator.
Report folder list in 66 66:
80:01:01:00:04:09:02:00:00:CD
Response:
0a 04 50 01 50 00 0b 01 00 90 00
The length byte at position 01 is 04, i.e. 4 bytes = two folders, 50 01 and 50 00. 50 01 is a service folder; 50 00 is the main folder, called the PKCS#11 directory, where all the data is stored.
Report file list of directory 66 66:
80:01:02:00:04:09:02:00:00:CD
Response:
0a 00 0b 01 00 90 00
There are no files here.
Investigation showed no visible folders or files in directory 50 01, so go to the main directory 50 00 (the path is now 4 bytes, and the command still ends with the Le byte 00):
00 A4 08 04 04 66 66 50 00 00
Report folder list:
80:01:01:00:04:09:02:00:00:CD
The answer depends on what is stored on the token.
Report file list:
80:01:02:00:04:09:02:00:00:CD
Response:
0a 14 00 0f 00 02 00 03 00 04 00 05 00 06 00 07 00 08 00 00 00 0a 0b 01 00 90 00
The length byte at position 01 is 0x14 = 20 bytes, so ten file identifiers follow (00 0f, 00 02, 00 03, 00 04, 00 05, 00 06, 00 07, 00 08, 00 00, 00 0a), two bytes each, and then the service information 0b 01 00 and the status word 90 00.
Every token of the models studied has a system directory B000 with a system file 0002 in it; let's try reading it (other files can be read on the same principle).
Enter directory B0 00:
00 A4 08 04 06 66 66 50 00 B0 00 00
Get the file list:
80:01:02:00:04:09:02:00:00:CD
Response:
0a 02 00 02 0b 01 00 90 00
We see file 00 02: the length byte at position 01 is 02, each name occupies two bytes, and the following field holds the names, so there is exactly one file here.
Select file 0002 in B000 by its full path:
00 A4 08 04 08 66 66 50 00 B0 00 00 02 00
Response:
01 01 02 02 02 00 02 03 02 00 10 04 08 00 ff 00 00 ff ff ff ff 05 00 90 00
The response format: preamble 2 bytes (01 01), file type 1 byte (02 = file, 01 = folder), separator 2 bytes, file name 2 bytes (00 02), separator 2 bytes, file size 2 bytes (00 10 = 16 bytes), separator 2 bytes, access rights 1 byte (00 = available to all, 63 = PIN protected). Then comes some service information, ending with the success status word 90 00. The "separators" are more naturally read as the tag and length of the next field: 01 01 <type>, 02 02 <name>, 03 02 <size>, 04 08 <8 bytes of access rights>, 05 00 (an empty field), which makes the same bytes a regular tag-length-value structure.
Now read the file. The last byte of the command (Le) is the number of bytes to read, here 0x10 = 16, which is the file size reported above:
80 18 00 00 04 0E 02 00 00 10
Response (the contents will differ from token to token):
00 06 63 61 72 64 63 66 00 00 00 00 00 00 00 00 90 00
Sixteen data bytes followed by 90 00; the bytes 63 61 72 64 63 66 are the ASCII string "cardcf".
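To make the byte layouts above concrete, here is a small Python helper module. It is an added example, not code from the article or from APDUExplorer: it builds the SELECT-by-path and read commands in the format described above, accepts input typed with colons, spaces or run together, parses the folder/file list replies and the file attribute reply as tag-length-value, checks the status word, and includes an optional pyscard sender so that select and read can be issued back to back. The sample replies are the ones recorded above; the pyscard dependency and all function and variable names are this example's own assumptions.

```python
"""Byte-level helpers for the eToken PRO Java / JaCarta PRO walk above.
Added example, not code from the article or APDUExplorer: the sample replies
are the ones printed in the article, the names are this example's own."""

REPORT_FOLDERS = bytes.fromhex("80 01 01 00 04 09 02 00 00 CD")  # "Report folder list"
REPORT_FILES = bytes.fromhex("80 01 02 00 04 09 02 00 00 CD")    # "Report file list"
SW_OK = b"\x90\x00"


def parse_hex(text):
    """Accept bytes typed with colons, with spaces, or run together."""
    return bytes.fromhex(text.replace(":", " "))


def select_by_path(*fids):
    """SELECT FILE by path from the MF: 00 A4 08 04 <Lc> <path> 00. P1=08 selects by a
    path that omits 3F00, P2=04 asks for the FCP in reply, the trailing 00 is Le."""
    path = b"".join(fid.to_bytes(2, "big") for fid in fids)
    if not 0 < len(path) < 256:
        raise ValueError("path must hold 1..127 two-byte identifiers")
    return bytes.fromhex("00 A4 08 04") + bytes([len(path)]) + path + b"\x00"


def read_command(length):
    """Proprietary read 80 18 00 00 04 0E 02 00 00 <Le>: data bytes copied verbatim from
    the article, Le = bytes to read. Files over 255 bytes would need several reads."""
    if not 0 < length < 256:
        raise ValueError("Le must be 1..255")
    return bytes.fromhex("80 18 00 00 04 0E 02 00 00") + bytes([length])


def body_or_raise(resp):
    """Strip SW1 SW2; return the body if the status word is 90 00, else raise."""
    if len(resp) < 2:
        raise ValueError("reply shorter than a status word")
    body, sw = resp[:-2], resp[-2:]
    if sw != SW_OK:
        raise RuntimeError("card answered SW %s" % sw.hex())
    return body


def parse_tlv(body):
    """Walk one-byte-tag / one-byte-length / value triples, rejecting truncation."""
    items, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated TLV header at offset %d" % i)
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value for tag %02x" % tag)
        items.append((tag, value))
        i += 2 + length
    return items


def parse_list_response(resp):
    """0a <len> <id id ...> 0b 01 00 90 00 -> list of 2-byte identifiers. The byte at
    position 01 is a length in bytes: 0x14 means 20 bytes = ten identifiers, not 14 files."""
    ids = dict(parse_tlv(body_or_raise(resp))).get(0x0A, b"")
    if len(ids) % 2:
        raise ValueError("identifier list is not a whole number of 2-byte IDs")
    return [int.from_bytes(ids[k:k + 2], "big") for k in range(0, len(ids), 2)]


def parse_file_info(resp):
    """Reply to SELECT FILE on an EF, read as TLV (the article's 'separators' are the tag
    and length of the next field): 01 01 type | 02 02 id | 03 02 size | 04 08 access | 05 00."""
    items = dict(parse_tlv(body_or_raise(resp)))
    return {
        "type": {b"\x01": "folder", b"\x02": "file"}.get(items[0x01], "unknown"),
        "id": int.from_bytes(items[0x02], "big"),
        "size": int.from_bytes(items[0x03], "big"),
        "access": items[0x04][0],  # 00 = readable by anyone, 63 = PIN protected (per the article)
    }


def transmit_all(reader_name, apdus):
    """Send APDUs back to back over PC/SC with pyscard (assumed installed); doing select and
    read from code removes the manual-typing delay that makes the eToken 5100 answer 69 85."""
    from smartcard.System import readers  # local import: the parsers above need no pyscard
    reader = next(r for r in readers() if reader_name in str(r))
    conn = reader.createConnection()
    conn.connect()
    replies = []
    for apdu in apdus:
        data, sw1, sw2 = conn.transmit(list(apdu))
        replies.append(bytes(data) + bytes([sw1, sw2]))
    return replies


# Constructed sample: the select and read of file 0002 in 6666/5000/B000 recorded above.
RECORDED_SELECT_0002 = parse_hex("01 01 02 02 02 00 02 03 02 00 10 04 08 00 ff 00 00 ff ff ff ff 05 00 90 00")
RECORDED_READ_0002 = parse_hex("00 06 63 61 72 64 63 66 00 00 00 00 00 00 00 00 90 00")

if __name__ == "__main__":
    info = parse_file_info(RECORDED_SELECT_0002)  # {'type': 'file', 'id': 2, 'size': 16, 'access': 0}
    print(select_by_path(0x6666, 0x5000, 0xB000, 0x0002).hex(" "), "->", info)
    print(read_command(info["size"]).hex(" "), "->", body_or_raise(RECORDED_READ_0002))
```

`parse_list_response` derives the entry count from the length byte, which is what turns the 0x14 above into ten identifiers, and `parse_tlv` refuses a truncated reply instead of reading past its end. For a live token, `transmit_all("Aladdin Token JC", [select_by_path(0x6666, 0x5000, 0xB000, 0x0002), read_command(16)])` issues the two commands with no typing delay between them.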
I do not cover authentication on the eToken here, since it consists of a sequence of challenge-response commands and takes place in encrypted form (there is the Antitoken project, where the authorization problem on these products was solved radically).
Some other tokens, such as JaCarta GOST-2, support authentication by simply passing the PIN code.
You can obtain the APDU commands of any smart card or token by intercepting WinSCard.dll traffic with the sniffer compiled from here (as experiments have shown, this sniffer installs and runs only under Windows XP).
For reference, possible status words (SW1 SW2) returned by APDU commands:
90 00 - OK
63 00 - Authentication of host cryptogram failed (Ext auth)
64 00 - No specific diagnosis
67 00 - Wrong length in Lc
67 XX - Error, incorrect parameter P3 (ISO code)
68 81 - Logical channel not supported or not active
69 82 - Security status not satisfied
69 83 - Secret code locked
69 85 - Conditions of use not satisfied (e.g. no currently selected EF, no command to monitor / no Transaction Manager File)
6A 80 - The parameters in the data field are incorrect
6A 81 - Function not supported
6A 82 - File not found
6A 85 - Lc inconsistent with TLV structure
6A 86 - Incorrect P1 P2
6A 88 - Referenced data not found (Init upd)
6D 00 - Invalid instruction
6E 00 - Invalid class