(Smart Card) APDU Command to sign

0
votes

I'm developing an application that require a client authentication to a server using a smart card. As a guide, i'm tracing a normal web authentication with a browser and i've seen that the SSL/TLS packet containing the "Certificate Verify" structure is created using the signing session of the card.

Analizing the CCID-APDU packet sent to the card reader i've seen this dump:

6f 05 01 00 00 00 41 00 01 00 00 2a 80 86 00 01 01 00 00 01 ff ff ........

The answer of this command is actually the content sent to the 'Certificate Verify' SSL/TLS structure.

The strange thing is that the APDU command sent is

00 2a 80 86 00

Looking at the APDU documentation this is a "PSO: DECIPHER" command but shouldn't it be a signature command? (00 2A 9E 9A xx)

Would anyone be able to clarify this behavior?

Tnx

1
digital-signaturesmartcardsignapdusmartcard-reader
Please refer to this SO Answer for Web Authentication if it can be of any help... You have not mentioned OS of the client where browser is running...?!Bharat Vasant

1 Answers

0
votes

PSO DECIPHER shares with signature generation that it applies the private key. It is significantly simpler, since it is restricted to one data block, i. e. the command data field of the APDU. PSO CDS for Compute Digital Signature has lots of additional complications like chaining (data split to several commands), hashing (with various algorithms to use), padding (with various padding schemes) to ensure correct data length etc.

So it seems, that your analyzed solution is optimized for the specific scenario required, and as many optimizations clarity is somewhat reduced as side effect.