1
votes

I've been trying to read data from my national eID using an ACS ACR1281 1S Dual Reader ICC. It requires Basic Access Control (BAC) authentication. I'm able to authenticate properly, but I'm getting an error when I try to SELECT EF.COM (01 1E) using secure messaging, following the specification in ICAO Doc 9303 Part 11.

Below is the APDU command I'm sending:

Select EF.COM

// Send APDU
00 A4 02 0C 02 01 1E 00 
// APDU Response
90 00

a) Mask class byte and pad command header:
 CmdHeader = ‘0CA4020C80000000’
b) Pad data:
 Data = ‘011E800000000000’
c) Encrypt data with KSEnc:
 EncryptedData = ‘6375432908C044F6’
d) Build DO‘87’:
 DO87 = ‘8709016375432908C044F6’
e) Concatenate CmdHeader and DO‘87’:
 M = ‘0CA4020C800000008709016375432908C044F6’
f) Compute MAC of M:
    i) Increment SSC with 1:
    SSC = ‘887022120C06C227’
    ii) Concatenate SSC and M and add padding:
    N = ‘887022120C06C2270CA4020C800000008709016375432908C044F68000000000’
    iii) Compute MAC over N with KSMAC:
    CC = ‘BF8B92D635FF24F8’
g) Build DO‘8E’:
 DO8E = ‘8E08BF8B92D635FF24F8’
h) Construct and send protected APDU:
 ProtectedAPDU = ‘0CA4020C158709016375432908C044F68E08BF8B92D635FF24F800’

// Send APDU
00 A4 02 0C 15 87 09 01 7C 76 3C 70 98 06 45 BD 8E 08 20 42 68 2C D0 BE 14 A0 00
// APDU Response
6A 87

KSEnc and KSMAC are the session keys computed after EXTERNAL AUTHENTICATE (INS 0x82). But I keep getting 6A 87 - Lc inconsistent with P1-P2 as the response. I'm using the PCSC 5.0.0 library to talk to the card (ICC). I'm not sure what I'm missing; kindly help.
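The wrapping steps a) to h) above, as an added example in Go that is not part of the question or of any library it mentions: it builds the protected SELECT EF.COM from the plain header and file id, using Go's standard crypto/des for the 3DES-CBC encryption and for the ISO 9797-1 retail MAC. The session keys and SSC are assumed to be the ones from the Doc 9303 Part 11 Appendix D worked example (the question quotes only the values derived from them); with those inputs the function returns exactly the ProtectedAPDU listed under step h), and the function names are mine.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
)

// Session keys of the Doc 9303 Part 11 Appendix D worked example; the question quotes only values derived from them.
var (
	ksEnc, _ = hex.DecodeString("979EC13B1CBFE9DCD01AB0FED307EAE5")
	ksMac, _ = hex.DecodeString("F1CB1F1FB5ADF208806B89DC579DC1F8")
)
// pad applies ISO 9797-1 padding method 2: append 0x80, then zeros up to a multiple of 8 bytes.
func pad(b []byte) []byte {
	out := append(append([]byte{}, b...), 0x80)
	return append(out, make([]byte, (8-len(out)%8)%8)...)
}

// encryptData encrypts already padded data with two-key 3DES in CBC mode under KSEnc with a zero IV.
func encryptData(kenc, padded []byte) []byte {
	block, _ := des.NewTripleDESCipher(append(append(append([]byte{}, kenc[:8]...), kenc[8:16]...), kenc[:8]...))
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, 8)).CryptBlocks(out, padded)
	return out
}
// retailMAC is ISO 9797-1 MAC algorithm 3: DES-CBC under KSMAC[0:8], then decrypt under KSMAC[8:16] and encrypt again.
func retailMAC(kmac, padded []byte) []byte {
	ka, _ := des.NewCipher(kmac[:8])
	kb, _ := des.NewCipher(kmac[8:16])
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(ka, make([]byte, 8)).CryptBlocks(out, padded)
	y := out[len(out)-8:] // last CBC block
	kb.Decrypt(y, y)
	ka.Encrypt(y, y)
	return y
}

// WrapAPDU protects a case-3 command (data, no Le) as in Doc 9303 Part 11 and returns it with the incremented SSC.
func WrapAPDU(kenc, kmac []byte, ssc uint64, cla, ins, p1, p2 byte, data []byte) ([]byte, uint64) {
	cla |= 0x0C // mask the class byte; a plain CLA=00 in front of SM data objects is what the card answers 6A 87 to
	hdr := pad([]byte{cla, ins, p1, p2})
	enc := encryptData(kenc, pad(data))
	do87 := append([]byte{0x87, byte(len(enc) + 1), 0x01}, enc...) // 01 = padding indicator
	ssc++ // increment SSC before every command MAC
	n := pad(append(append(binary.BigEndian.AppendUint64(nil, ssc), hdr...), do87...)) // N = SSC || CmdHeader || DO87
	do8e := append([]byte{0x8E, 0x08}, retailMAC(kmac, n)...)
	return append(append(append([]byte{cla, ins, p1, p2, byte(len(do87) + len(do8e))}, do87...), do8e...), 0x00), ssc
}
```

The caller has to keep the returned SSC, since the response MAC is checked against SSC+1 and the next command uses SSC+2.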

1
Following the Send APDU comment, the class byte has to be 0C again. For a plain-text APDU, an Lc byte of 15 would match the obtained status... Typo? - guidot
Thank you, I missed that when I was sending the command; indeed you are right, it is supposed to be 0x0C and not 0x00. Now I'm getting 69 85 - Conditions of use not satisfied. Will look into why I'm getting that error. - Henry
@guidot So I'm still getting the same 69 85. Here is the full APDU trace (command -> response):
00 A4 04 0C 07 A0 00 00 02 47 10 01 00 -> 90 00
00 84 00 00 08 -> 82 30 34 55 E5 F8 47 FF 90 00
00 82 00 00 28 99 D1 B5 D7 AC 08 A4 75 90 5D 6B CA 9D C8 65 A4 F2 3A 60 B5 E2 B3 53 AA 24 5E 51 E9 57 14 59 DB 18 48 76 1B 8A 39 06 FC 28 -> 78 E8 AE 7E B4 CC D2 58 73 26 C1 57 C7 29 A7 3B C3 AE A7 ED 22 90 3B 64 EC 82 E9 8D DF 9D 40 63 5F 07 DF 55 E5 A8 2A 47 90 00
00 A4 02 0C 02 01 1E 00 -> 90 00
0C A4 02 0C 15 87 09 01 63 75 43 29 08 C0 44 F6 8E 08 2D E9 45 86 95 A1 79 B1 00 -> 69 85
- Henry

1 Answer

2
votes

Henry, from your latest comment to @guidot it looks like you are sending the SELECT EF.COM twice? First without Secure Messaging, which will destroy the trusted channel you established with BAC, followed by the secured APDU, which then tries to use the session keys / trusted channel that no longer exist.