00001
00002
00003
00004
00005
00006
00007 #include <ccid.h>
00008 #include <list.h>
00009 #include <emv.h>
00010 #include <ber.h>
00011 #include "emv-internal.h"
00012
00013 struct dda_req {
00014 unsigned int ca_pk_idx;
00015 const uint8_t *pk_cert;
00016 size_t pk_cert_len;
00017 const uint8_t *pk_r;
00018 size_t pk_r_len;
00019 const uint8_t *pk_exp;
00020 size_t pk_exp_len;
00021 const uint8_t *icc_cert;
00022 size_t icc_cert_len;
00023 const uint8_t *icc_r;
00024 size_t icc_r_len;
00025 size_t icc_mod_len;
00026 const uint8_t *icc_exp;
00027 size_t icc_exp_len;
00028 const uint8_t *ddol;
00029 size_t ddol_len;
00030 const uint8_t *ssa_data;
00031 size_t ssa_data_len;
00032 uint8_t pan[10];
00033 };
00034
00035 static int get_required_data(struct _emv *e, struct dda_req *req)
00036 {
00037 const struct _emv_data *d;
00038 int i;
00039
00040 d = _emv_retrieve_data(e, EMV_TAG_CA_PK_INDEX);
00041 i = emv_data_int(d);
00042 if ( i < 0 )
00043 return 0;
00044
00045 req->ca_pk_idx = (unsigned int)i;
00046
00047 d = _emv_retrieve_data(e, EMV_TAG_ISS_PK_CERT);
00048 if ( NULL == d )
00049 return 0;
00050 req->pk_cert = d->d_data;
00051 req->pk_cert_len = d->d_len;
00052 if ( NULL == req->pk_cert )
00053 return 0;
00054
00055 d = _emv_retrieve_data(e, EMV_TAG_ISS_PK_R);
00056 if ( NULL == d )
00057 return 0;
00058 req->pk_r = d->d_data;
00059 req->pk_r_len = d->d_len;
00060 if ( NULL == req->pk_r )
00061 return 0;
00062
00063 d = _emv_retrieve_data(e, EMV_TAG_ISS_PK_EXP);
00064 if ( NULL == d )
00065 return 0;
00066 req->pk_exp = d->d_data;
00067 req->pk_exp_len = d->d_len;
00068 if ( NULL == req->pk_exp)
00069 return 0;
00070
00071 d = _emv_retrieve_data(e, EMV_TAG_ICC_PK_CERT);
00072 if ( NULL == d )
00073 return 0;
00074 req->icc_cert = d->d_data;
00075 req->icc_cert_len = d->d_len;
00076 if ( NULL == req->icc_cert )
00077 return 0;
00078
00079 d = _emv_retrieve_data(e, EMV_TAG_ICC_PK_R);
00080 if ( NULL == d )
00081 return 0;
00082 req->icc_r = d->d_data;
00083 req->icc_r_len = d->d_len;
00084 if ( NULL == req->icc_r )
00085 return 0;
00086
00087 d = _emv_retrieve_data(e, EMV_TAG_ICC_PK_EXP);
00088 if ( NULL == d )
00089 return 0;
00090 req->icc_exp = d->d_data;
00091 req->icc_exp_len = d->d_len;
00092 if ( NULL == req->icc_exp)
00093 return 0;
00094
00095 d = _emv_retrieve_data(e, EMV_TAG_DDOL);
00096 if ( NULL == d )
00097 return 0;
00098 req->ddol = d->d_data;
00099 req->ddol_len = d->d_len;
00100 if ( NULL == req->ddol )
00101 return 0;
00102
00103 d = _emv_retrieve_data(e, EMV_TAG_PAN);
00104 if ( NULL == d )
00105 return 0;
00106 memset(req->pan, 0xff, sizeof(req->pan));
00107 if ( d->d_len > sizeof(req->pan) )
00108 return 0;
00109 memcpy(req->pan, d->d_data, d->d_len);
00110
00111 return 1;
00112 }
00113
00114 static RSA *get_ca_key(unsigned int idx, emv_mod_cb_t mod,
00115 emv_exp_cb_t exp, size_t *key_len, void *priv)
00116 {
00117 const uint8_t *modulus, *exponent;
00118 size_t mod_len, exp_len;
00119 RSA *key;
00120
00121 modulus = (*mod)(priv, idx, &mod_len);
00122 if ( NULL == modulus )
00123 return NULL;
00124
00125 exponent = (*exp)(priv, idx, &exp_len);
00126 if ( NULL == exponent )
00127 return NULL;
00128
00129 key = RSA_new();
00130 if ( NULL == key )
00131 return NULL;
00132
00133 key->n = BN_bin2bn(modulus, mod_len, NULL);
00134 if ( NULL == key->n )
00135 goto err_free_key;
00136
00137 key->e = BN_bin2bn(exponent, exp_len, NULL);
00138 if ( NULL == key->e )
00139 goto err_free_mod;
00140
00141 *key_len = mod_len;
00142
00143 return key;
00144 err_free_mod:
00145 BN_free(key->n);
00146 err_free_key:
00147 RSA_free(key);
00148 return NULL;
00149 }
00150
00151 static int recover(uint8_t *ptr, size_t len, RSA *key)
00152 {
00153 uint8_t *tmp;
00154 int ret;
00155
00156 tmp = malloc(len);
00157 if ( NULL == tmp )
00158 return 0;
00159
00160 ret = RSA_public_encrypt(len, ptr, tmp, key, RSA_NO_PADDING);
00161 if ( ret < 0 || (unsigned)ret != len ) {
00162 free(tmp);
00163 return 0;
00164 }
00165
00166 memcpy(ptr, tmp, len);
00167 free(tmp);
00168
00169 return 1;
00170 }
00171
00172 static int check_pk_cert(struct _emv *e, struct dda_req *req)
00173 {
00174 uint8_t *msg, *tmp;
00175 size_t msg_len;
00176 int ret;
00177
00178 if ( req->pk_cert[0] != 0x6a ) {
00179 printf("emv-dda: bad certificate header\n");
00180 return 0;
00181 }
00182
00183 if ( req->pk_cert[1] != 0x02 ) {
00184 printf("emv-dda: bad certificate format\n");
00185 return 0;
00186 }
00187
00188 if ( req->pk_cert[11] != 0x01 ) {
00189 printf("emv-dda: unexpected hash algorithm\n");
00190 return 0;
00191 }
00192
00193 msg_len = req->pk_cert_len - (SHA_DIGEST_LENGTH + 2) +
00194 req->pk_r_len + req->pk_exp_len;
00195 tmp = msg = malloc(msg_len);
00196 if ( NULL == msg ) {
00197 _emv_sys_error(e);
00198 return 0;
00199 }
00200
00201 memcpy(tmp, req->pk_cert + 1, req->pk_cert_len -
00202 (SHA_DIGEST_LENGTH + 2));
00203 tmp += req->pk_cert_len - (SHA_DIGEST_LENGTH + 2);
00204 memcpy(tmp, req->pk_r, req->pk_r_len);
00205 tmp += req->pk_r_len;
00206 memcpy(tmp, req->pk_exp, req->pk_exp_len);
00207
00208
00209
00210
00211 ret = _emsa_pss_decode(msg, msg_len, req->pk_cert, req->pk_cert_len);
00212 if ( !ret )
00213 _emv_error(e, EMV_ERR_CERTIFICATE);
00214 free(msg);
00215
00216 return ret;
00217 }
00218
00219 static RSA *make_issuer_pk(struct _emv *e, struct dda_req *req)
00220 {
00221 uint8_t *tmp;
00222 const uint8_t *kb;
00223 size_t kb_len;
00224 RSA *key;
00225
00226 tmp = malloc(req->pk_cert_len);
00227 if ( NULL == tmp ) {
00228 _emv_sys_error(e);
00229 return NULL;
00230 }
00231
00232 kb = req->pk_cert + 15;
00233 kb_len = req->pk_cert_len - (15 + SHA_DIGEST_LENGTH + 1);
00234
00235 memcpy(tmp, kb, kb_len);
00236 memcpy(tmp + kb_len, req->pk_r, req->pk_r_len);
00237
00238
00239 key = RSA_new();
00240 if ( NULL == key ) {
00241 _emv_sys_error(e);
00242 free(tmp);
00243 return NULL;
00244 }
00245
00246 key->n = BN_bin2bn(tmp, req->pk_cert_len, NULL);
00247 key->e = BN_bin2bn(req->pk_exp, req->pk_exp_len, NULL);
00248 free(tmp);
00249 if ( NULL == key->n || NULL == key->e ) {
00250 _emv_sys_error(e);
00251 RSA_free(key);
00252 return NULL;
00253 }
00254
00255 return key;
00256 }
00257
00258 static RSA *get_issuer_pk(struct _emv *e, struct dda_req *req,
00259 RSA *ca_key, size_t key_len)
00260 {
00261
00262 if ( req->pk_cert_len != key_len ) {
00263 _emv_error(e, EMV_ERR_KEY_SIZE_MISMATCH);
00264 return NULL;
00265 }
00266
00267 if ( !recover((uint8_t *)req->pk_cert, key_len, ca_key) ) {
00268 _emv_error(e, EMV_ERR_RSA_RECOVERY);
00269 return NULL;
00270 }
00271
00272
00273
00274
00275 if ( !check_pk_cert(e, req) )
00276 return NULL;
00277
00278 return make_issuer_pk(e, req);
00279 }
00280
00281 static RSA *make_icc_pk(struct _emv *e, struct dda_req *req)
00282 {
00283 uint8_t *tmp;
00284 const uint8_t *kb;
00285 size_t kb_len;
00286 RSA *key;
00287
00288 tmp = malloc(req->icc_cert_len);
00289 if ( NULL == tmp ) {
00290 _emv_sys_error(e);
00291 return NULL;
00292 }
00293
00294 kb = req->icc_cert + 21;
00295 kb_len = req->icc_cert_len - (21 + SHA_DIGEST_LENGTH + 1);
00296 req->icc_mod_len = kb_len + req->icc_r_len;
00297
00298 memcpy(tmp, kb, kb_len);
00299 memcpy(tmp + kb_len, req->icc_r, req->icc_r_len);
00300
00301
00302 key = RSA_new();
00303 if ( NULL == key ) {
00304 _emv_sys_error(e);
00305 free(tmp);
00306 return NULL;
00307 }
00308
00309 key->n = BN_bin2bn(tmp, req->icc_mod_len, NULL);
00310 key->e = BN_bin2bn(req->icc_exp, req->icc_exp_len, NULL);
00311 free(tmp);
00312 if ( NULL == key->n || NULL == key->e ) {
00313 _emv_sys_error(e);
00314 RSA_free(key);
00315 return NULL;
00316 }
00317
00318 return key;
00319 }
00320
00321 static int check_icc_cert(struct _emv *e, struct dda_req *req)
00322 {
00323 struct _emv_data **rec;
00324 unsigned int num_rec, i;
00325 size_t msg_len, data_len;
00326 uint8_t *msg, *tmp;
00327 int ret;
00328
00329 if ( req->icc_cert[0] != 0x6a ) {
00330 printf("emv-dda: bad certificate header\n");
00331 return 0;
00332 }
00333
00334 if ( req->icc_cert[1] != 0x04 ) {
00335 printf("emv-dda: bad certificate format\n");
00336 return 0;
00337 }
00338
00339 if ( req->icc_cert[17] != 0x01 ) {
00340 printf("emv-dda: unexpected hash algorithm\n");
00341 return 0;
00342 }
00343
00344 rec = e->e_db.db_sda;
00345 num_rec = e->e_db.db_numsda;
00346
00347 for(data_len = sizeof(e->e_aip), i = 0; i < num_rec; i++)
00348 data_len += rec[i]->d_len;
00349
00350 msg_len = req->icc_cert_len - (SHA_DIGEST_LENGTH + 2) +
00351 req->icc_r_len + req->icc_exp_len + data_len;
00352 tmp = msg = malloc(msg_len);
00353 if ( NULL == msg ) {
00354 _emv_sys_error(e);
00355 return 0;
00356 }
00357
00358 memcpy(tmp, req->icc_cert + 1, req->icc_cert_len -
00359 (SHA_DIGEST_LENGTH + 2));
00360 tmp += req->icc_cert_len - (SHA_DIGEST_LENGTH + 2);
00361 memcpy(tmp, req->icc_r, req->icc_r_len);
00362 tmp += req->icc_r_len;
00363 memcpy(tmp, req->icc_exp, req->icc_exp_len);
00364 tmp += req->icc_exp_len;
00365
00366 for(i = 0; i < num_rec; i++) {
00367 memcpy(tmp, rec[i]->d_data, rec[i]->d_len);
00368 tmp += rec[i]->d_len;
00369 }
00370 memcpy(tmp, e->e_aip, sizeof(e->e_aip));
00371
00372
00373
00374
00375 ret = _emsa_pss_decode(msg, msg_len, req->icc_cert, req->icc_cert_len);
00376 if ( !ret )
00377 _emv_error(e, EMV_ERR_CERTIFICATE);
00378 free(msg);
00379
00380 if ( ret && memcmp(req->icc_cert + 2, req->pan, sizeof(req->pan)) ) {
00381 printf("emv-dda: ICC certificate PAN mismatch\n");
00382 return 0;
00383 }
00384
00385 e->e_sda_ok = 1;
00386
00387 return ret;
00388 }
00389
00390 static RSA *get_icc_pk(struct _emv *e, struct dda_req *req,
00391 RSA *iss_key, size_t key_len)
00392 {
00393 if ( req->icc_cert_len != key_len ) {
00394 _emv_error(e, EMV_ERR_KEY_SIZE_MISMATCH);
00395 return NULL;
00396 }
00397
00398 if ( !recover((uint8_t *)req->icc_cert, key_len, iss_key) ) {
00399 _emv_error(e, EMV_ERR_RSA_RECOVERY);
00400 return NULL;
00401 }
00402
00403
00404
00405
00406 if ( !check_icc_cert(e, req) )
00407 return NULL;
00408
00409 return make_icc_pk(e, req);
00410 }
00411
00412 static int dol_cb(uint16_t tag, uint8_t *ptr, size_t len, void *priv)
00413 {
00414
00415 switch(tag) {
00416 case EMV_TAG_UNPREDICTABLE_NUMBER:
00417 #if 0
00418 unsigned int i;
00419 for(i = 0; i < len; i++)
00420 i = rand() & 0xff;
00421 return 1;
00422 #else
00423 memset(ptr, 0, len);
00424 #endif
00425 return 1;
00426 default:
00427 return 0;
00428 break;
00429 }
00430 }
00431
00432 static int verify_dynamic_sig(emv_t e, size_t icc_pk_len,
00433 const uint8_t *ddol, size_t ddol_len)
00434 {
00435 uint8_t hbuf[icc_pk_len + ddol_len];
00436 uint8_t md[SHA_DIGEST_LENGTH];
00437 uint8_t da[icc_pk_len];
00438 uint8_t *dol;
00439 size_t dol_len;
00440 const uint8_t *sig;
00441 size_t sig_len;
00442 int ret = 0;
00443
00444 dol = _emv_construct_dol(dol_cb, ddol, ddol_len, &dol_len, NULL);
00445 if ( NULL == dol )
00446 return 0;
00447
00448
00449
00450
00451 if ( !_emv_int_authenticate(e, dol, dol_len) )
00452 goto out;
00453
00454 sig = xfr_rx_data(e->e_xfr, &sig_len);
00455 if ( NULL == sig )
00456 goto out;
00457
00458 if ( sig_len != icc_pk_len + 2 || icc_pk_len < 24 ||
00459 sig[0] != 0x80 || sig[1] != icc_pk_len ) {
00460 printf("Signed dynamic application data is corrupt\n");
00461 _emv_error(e, EMV_ERR_BER_DECODE);
00462 goto out;
00463 }
00464
00465 memcpy(da, sig + 2, icc_pk_len);
00466 if ( !recover(da, icc_pk_len, e->e_icc_pk) ) {
00467 _emv_error(e, EMV_ERR_CERTIFICATE);
00468 goto out;
00469 }
00470
00471 if ( da[0] != 0x6a || da[1] != 0x05 || da[2] != 0x01) {
00472 printf("Dynamic application data is corrupt\n");
00473 _emv_error(e, EMV_ERR_CERTIFICATE);
00474 goto out;
00475 }
00476
00477
00478
00479
00480 memcpy(hbuf, da + 1, icc_pk_len - 22);
00481 memcpy(hbuf + (icc_pk_len - 22), dol, dol_len);
00482
00483
00484
00485 SHA1(hbuf, (icc_pk_len - 22) + dol_len, md);
00486
00487 if ( memcmp(md, (da + icc_pk_len) - (SHA_DIGEST_LENGTH + 1),
00488 SHA_DIGEST_LENGTH) ) {
00489 goto out;
00490 }
00491 ret = 1;
00492 out:
00493 free(dol);
00494 return ret;
00495 }
00496
00497 int emv_authenticate_dynamic(emv_t e, emv_mod_cb_t mod, emv_exp_cb_t exp,
00498 void *priv)
00499 {
00500 struct dda_req req;
00501 size_t ca_key_len;
00502 RSA *ca_key;
00503
00504 if ( e->e_dda_ok )
00505 return 1;
00506
00507 if ( !(e->e_aip[0] & EMV_AIP_DDA) ) {
00508 _emv_error(e, EMV_ERR_FUNC_NOT_SUPPORTED);
00509 return 0;
00510 }
00511
00512 if ( !get_required_data(e, &req) ) {
00513 _emv_error(e, EMV_ERR_DATA_ELEMENT_NOT_FOUND);
00514 return 0;
00515 }
00516
00517 ca_key = get_ca_key(req.ca_pk_idx, mod, exp, &ca_key_len, priv);
00518 if ( NULL == ca_key ) {
00519 _emv_error(e, EMV_ERR_KEY_NOT_FOUND);
00520 return 0;
00521 }
00522
00523 e->e_ca_pk = ca_key;
00524
00525 e->e_iss_pk = get_issuer_pk(e, &req, ca_key, ca_key_len);
00526 if ( NULL == e->e_iss_pk )
00527 return 0;
00528
00529 e->e_icc_pk = get_icc_pk(e, &req, e->e_iss_pk, ca_key_len);
00530 if ( NULL == e->e_icc_pk )
00531 return 0;
00532
00533 if ( !verify_dynamic_sig(e, req.icc_mod_len, req.ddol, req.ddol_len) )
00534 return 0;
00535
00536 e->e_dda_ok = 1;
00537 return 1;
00538 }
00539
00540 int emv_dda_ok(emv_t e)
00541 {
00542 return !!e->e_dda_ok;
00543 }