Working with APDU Commands Using the Example EToken
"... The path is not so difficult to understand. Forces of nature, natural inclinations, schemes of events ...
A primitive understanding of the world notices only four elements and does not go any further. It is as if the universe comes down to four understandable phenomena that can be contemplated."
Stephen Erickson.
"Midnight Tide."
Hello, Habr!
The APDU topic has been raised here repeatedly, but mainly concerned smart cards, for which you need a card reader and a card that is not a pity, plus software, since working with the OpenSC console interface, at least in Window $, is inconvenient to say the least.
To do this, I wrote a small program with a window interface that works through winscard.
Sources and binaries can be downloaded here .
This compiled under Visual studio 2008, you need to add the WinSCard.Lib project from the Microsoft Windows SDK to the project.
Most likely, many of them will have blue fish EToken PRO Java 72 K with EDS certificates expired many years ago (using a “battle” with a valid EDS, the token is not recommended for experiments!).
Also suitable are JaCarta Pro, which differ from etokens only externally.
You can also try working with the Gemalto SafeNet eToken 5100, they can view the contents of directories, but they won’t be able to read the file due to the very small (probably several milliseconds) timeout between the commands to select and read the file, as a result of which the command to read the file refers manually already on an empty place (error code 69 85). Perhaps this is one of the reasons that on some platforms on these tokens they no longer see the keys. Regarding SafeNet eToken 5100 (with an honest inscription on the side “Made in China”) I note the following: “JaCarta Single Client” does not want to work with it and displays a message that this product is not supported, Aladdin's 64-bit eToken PKI Client 5.1 He doesn’t see it, but the 32 version for Win XP works with it, although for this token it is advisable to certainly install the original SafeNet Authentication Client.
Other tokens, including the JaCarta family, will not work, since the APDU commands for them all are completely different and their digital value described in the ISO7816 standard does not match.
Details about the format of APDU commands can be found, for example, here .
A reader with a blue fish can get acquainted with the work of APDU without getting up off the couch.
It is necessary to install the driver for eToken eToken PKI Client 5.1 or "JaCarta Single Client" and connect the token.
For a detailed view of the contents of the token in a convenient form and reconciliation with what the APDU commands give, you can use the one written by me on Autoit JaCarta Editor .
Launch APDUExplorer, select “Aladdin Token JC 0” or “ARDS JaCarta 0” or “SafeNet Token JC 0” from the list of readers and you can enter commands.
You can enter both through colons and through spaces or all together.
First, you can check the performance by clicking “Check ATR” and get a token response.
The first command is to select the default applet and go to the root directory with the identifier 3f00 (this identifier is perhaps the only thing common to tokens of any vendors).
00: A4: 00: 04: 00
Next, we get a list of folders in the root directory
80: 01: 01: 00: 04: 09: 02: 00: 00: CD (the command is the constant “Report folder list”).
A response should be received:
0a 02 66 66 0b 01 00 90 00
The second byte in the response is the size of the received data - two bytes, that is, only one folder (the file or folder identifier in the APDU always takes two bytes).
And we see only one folder with identifier 66 66, called the Aladdin AID directory.
Report the list of files (also constant)
80: 01: 02: 00: 04: 09: 02: 00: 00: CD
Should be received
0a 00 0b 01 00 90 00 The
answer is at position 01 - files 00.
We go to the directory 66 66
00 A4 08 04 02 66 66 66 00
This is a SELECT FILE command, its format: four bytes is the command 00 A4 08 04, then the size of the data field of the full path (in the example 02 bytes), then the path itself (in the example 66 66) and must be completed 00 .
Report folder list directory 66 66
80: 01: 01: 00: 04: 09: 02: 00: 00: CD
Resv bytes:
0a 04 50 01 50 00 0b 01 00 90 00
Answer field 01 (response size) indicates 04, i.e. 4 bytes = two folders 50 01 and 50 00, while 50 01 is the service folder, and 50 00 is the main one, called PKCS # 11 directory, where all the data is stored
Report list of directory files 66 66
80: 01: 02: 00: 04: 09 : 02: 00: 00: CD
Resv bytes:
0a 00 0b 01 00 90 00
No files here.
Studies have shown that there are no visible folders and files in the 50 01 directory, so go to the main directory 50 00
00 A4 08 04 04 66 66 50 00 00
Report the list of folders
80: 01: 01: 00: 04: 09: 02: 00: 00 : CD The
answer will depend on what is stored on the token.
Report file list
80: 01: 02: 00: 04: 09: 02: 00: 00: CD
Resv bytes:
0a 14 00 0f 00 02 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0a 0b 01 00 90 00
We we see 14 files (response field 01), then every 2 bytes these are file names, then there is service information.
Each token of the studied models always has a b000 system directory and the 0002 system file in it, try to read it, and other files can be read by the same principle.
Go to the directory b0 00
00 A4 08 04 06 66 66 50 50 B0 00 00
Get the list of files
80: 01: 02: 00: 04: 09: 02: 00: 00: CD
Resv bytes:
0a 02 00 02 0b 01 00 90 00
We see file 00 02 (the byte in the response field 01 is the name size (each name always takes two bytes, the following fields are the file names, in this case the file is only one, which is determined by the value of field 01).
Select file 0002 from B000 in the full path
00 A4 08 04 08 66 66 50 00 B0 00 00 02 00
Resv bytes:
01 01 02 02 02 00 02 03 02 00 10 04 08 00 ff 00 00 ff ff ff ff 05 00 90 00
Answer format here is as follows: preamble - 2 bytes, file type - 1 byte (02 file, 01 folder), delimiter - 2 bytes, file name - 2 bytes, delimiter - 2 bytes, file size - 2 bytes, delimiter - 2 bytes, access rights - 1 byte (00 - accessible to all, 63 protected PIN code.) Then comes some service information that ends with the code for successful execution of the APDU command - 90 00.
Read this file, the last two bytes of the command are the size of the buffer how much to read (in this case, it is equal to the file size).
80 18 00 00 04 0E 02 00 00 10
Resv bytes: (the value in each case will be different):
00 06 63 61 72 64 63 66 00 00 00 00 00 00 00 00 00 90 00
I will not consider authentication on this Token, since it consists of a sequence of question-answer commands and occurs in encrypted form (there is an Antitoken project where the authorization problem on these products was radically solved).
Some other tokens, such as JaCarta GOST-2, support authentication by simply passing a pin code.
You can get the APDU values of commands of any smart cards and tokens by intercepting WinSCard.dll traffic by running the sniffer compiled from here(as experiments showed, this sniffer is installed and runs only under Win XP).
For reference, the possible results of executing APDU commands are:
90 00 - OK
69 85 - Conditions of use not stisfied
63 00 - Authentication of host cryptogram failed (Ext auth)
64 00 - No specific diagnosis
67 00 - Wrong length in Lc
67 XX - Error, incorrect parameter P3 (ISO code)
68 81 - Logical channel not supported or is not active
69 82 - Security status not satisfied
69 83 - Secret code locked
69 85 - No currently selected EF, no command to monitor / no Transaction Manager File
6A 80 - The parameters in the data field are incorrect
6A 81 - Card is blocked or command not supported
6A 82 - File not found
6A 85 - Lc inconsistent with TLV structure
6A 86 - Incorrect P1 P2
6A 88 - Referenced data not found (Init upd)
6D 00 - Invalid instruction
6E 00 - Invalid class
A primitive understanding of the world notices only four elements and does not go any further. It is as if the universe comes down to four understandable phenomena that can be contemplated."
Stephen Erickson.
"Midnight Tide."
Hello, Habr!
The APDU topic has been raised here repeatedly, but mainly concerned smart cards, for which you need a card reader and a card that is not a pity, plus software, since working with the OpenSC console interface, at least in Window $, is inconvenient to say the least.
To do this, I wrote a small program with a window interface that works through winscard.
Sources and binaries can be downloaded here .
This compiled under Visual studio 2008, you need to add the WinSCard.Lib project from the Microsoft Windows SDK to the project.
Most likely, many of them will have blue fish EToken PRO Java 72 K with EDS certificates expired many years ago (using a “battle” with a valid EDS, the token is not recommended for experiments!).
Also suitable are JaCarta Pro, which differ from etokens only externally.
You can also try working with the Gemalto SafeNet eToken 5100, they can view the contents of directories, but they won’t be able to read the file due to the very small (probably several milliseconds) timeout between the commands to select and read the file, as a result of which the command to read the file refers manually already on an empty place (error code 69 85). Perhaps this is one of the reasons that on some platforms on these tokens they no longer see the keys. Regarding SafeNet eToken 5100 (with an honest inscription on the side “Made in China”) I note the following: “JaCarta Single Client” does not want to work with it and displays a message that this product is not supported, Aladdin's 64-bit eToken PKI Client 5.1 He doesn’t see it, but the 32 version for Win XP works with it, although for this token it is advisable to certainly install the original SafeNet Authentication Client.
Other tokens, including the JaCarta family, will not work, since the APDU commands for them all are completely different and their digital value described in the ISO7816 standard does not match.
Details about the format of APDU commands can be found, for example, here .
A reader with a blue fish can get acquainted with the work of APDU without getting up off the couch.
It is necessary to install the driver for eToken eToken PKI Client 5.1 or "JaCarta Single Client" and connect the token.
For a detailed view of the contents of the token in a convenient form and reconciliation with what the APDU commands give, you can use the one written by me on Autoit JaCarta Editor .
Launch APDUExplorer, select “Aladdin Token JC 0” or “ARDS JaCarta 0” or “SafeNet Token JC 0” from the list of readers and you can enter commands.
You can enter both through colons and through spaces or all together.
First, you can check the performance by clicking “Check ATR” and get a token response.
The first command is to select the default applet and go to the root directory with the identifier 3f00 (this identifier is perhaps the only thing common to tokens of any vendors).
00: A4: 00: 04: 00
Next, we get a list of folders in the root directory
80: 01: 01: 00: 04: 09: 02: 00: 00: CD (the command is the constant “Report folder list”).
A response should be received:
0a 02 66 66 0b 01 00 90 00
The second byte in the response is the size of the received data - two bytes, that is, only one folder (the file or folder identifier in the APDU always takes two bytes).
And we see only one folder with identifier 66 66, called the Aladdin AID directory.
Report the list of files (also constant)
80: 01: 02: 00: 04: 09: 02: 00: 00: CD
Should be received
0a 00 0b 01 00 90 00 The
answer is at position 01 - files 00.
We go to the directory 66 66
00 A4 08 04 02 66 66 66 00
This is a SELECT FILE command, its format: four bytes is the command 00 A4 08 04, then the size of the data field of the full path (in the example 02 bytes), then the path itself (in the example 66 66) and must be completed 00 .
Report folder list directory 66 66
80: 01: 01: 00: 04: 09: 02: 00: 00: CD
Resv bytes:
0a 04 50 01 50 00 0b 01 00 90 00
Answer field 01 (response size) indicates 04, i.e. 4 bytes = two folders 50 01 and 50 00, while 50 01 is the service folder, and 50 00 is the main one, called PKCS # 11 directory, where all the data is stored
Report list of directory files 66 66
80: 01: 02: 00: 04: 09 : 02: 00: 00: CD
Resv bytes:
0a 00 0b 01 00 90 00
No files here.
Studies have shown that there are no visible folders and files in the 50 01 directory, so go to the main directory 50 00
00 A4 08 04 04 66 66 50 00 00
Report the list of folders
80: 01: 01: 00: 04: 09: 02: 00: 00 : CD The
answer will depend on what is stored on the token.
Report file list
80: 01: 02: 00: 04: 09: 02: 00: 00: CD
Resv bytes:
0a 14 00 0f 00 02 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0a 0b 01 00 90 00
We we see 14 files (response field 01), then every 2 bytes these are file names, then there is service information.
Each token of the studied models always has a b000 system directory and the 0002 system file in it, try to read it, and other files can be read by the same principle.
Go to the directory b0 00
00 A4 08 04 06 66 66 50 50 B0 00 00
Get the list of files
80: 01: 02: 00: 04: 09: 02: 00: 00: CD
Resv bytes:
0a 02 00 02 0b 01 00 90 00
We see file 00 02 (the byte in the response field 01 is the name size (each name always takes two bytes, the following fields are the file names, in this case the file is only one, which is determined by the value of field 01).
Select file 0002 from B000 in the full path
00 A4 08 04 08 66 66 50 00 B0 00 00 02 00
Resv bytes:
01 01 02 02 02 00 02 03 02 00 10 04 08 00 ff 00 00 ff ff ff ff 05 00 90 00
Answer format here is as follows: preamble - 2 bytes, file type - 1 byte (02 file, 01 folder), delimiter - 2 bytes, file name - 2 bytes, delimiter - 2 bytes, file size - 2 bytes, delimiter - 2 bytes, access rights - 1 byte (00 - accessible to all, 63 protected PIN code.) Then comes some service information that ends with the code for successful execution of the APDU command - 90 00.
Read this file, the last two bytes of the command are the size of the buffer how much to read (in this case, it is equal to the file size).
80 18 00 00 04 0E 02 00 00 10
Resv bytes: (the value in each case will be different):
00 06 63 61 72 64 63 66 00 00 00 00 00 00 00 00 00 90 00
I will not consider authentication on this Token, since it consists of a sequence of question-answer commands and occurs in encrypted form (there is an Antitoken project where the authorization problem on these products was radically solved).
Some other tokens, such as JaCarta GOST-2, support authentication by simply passing a pin code.
You can get the APDU values of commands of any smart cards and tokens by intercepting WinSCard.dll traffic by running the sniffer compiled from here(as experiments showed, this sniffer is installed and runs only under Win XP).
For reference, the possible results of executing APDU commands are:
90 00 - OK
69 85 - Conditions of use not stisfied
63 00 - Authentication of host cryptogram failed (Ext auth)
64 00 - No specific diagnosis
67 00 - Wrong length in Lc
67 XX - Error, incorrect parameter P3 (ISO code)
68 81 - Logical channel not supported or is not active
69 82 - Security status not satisfied
69 83 - Secret code locked
69 85 - No currently selected EF, no command to monitor / no Transaction Manager File
6A 80 - The parameters in the data field are incorrect
6A 81 - Card is blocked or command not supported
6A 82 - File not found
6A 85 - Lc inconsistent with TLV structure
6A 86 - Incorrect P1 P2
6A 88 - Referenced data not found (Init upd)
6D 00 - Invalid instruction
6E 00 - Invalid class