Search in sources :

Example 1 with ProtocolException

use of org.openecard.common.ifd.protocol.exception.ProtocolException in project open-ecard by ecsec.

the class PACEImplementation method mseSetAT.

/**
 * Initialize Chip Authentication. Sends an MSE:Set AT APDU. (S
 * Step 1: Initialise PACE.
 * See BSI-TR-03110, version 2.10, part 3, B.11.1.
 */
private void mseSetAT(byte passwordID, byte[] chat) throws Exception {
    byte[] oID = ObjectIdentifierUtils.getValue(psip.getPACEInfo().getProtocol());
    CardCommandAPDU mseSetAT = new MSESetATPACE(oID, passwordID, psip.getPACEInfo().getParameterID(), chat);
    try {
        response = mseSetAT.transmit(dispatcher, slotHandle);
        // Continue with step 2
        generalAuthenticateEncryptedNonce();
    } catch (APDUException e) {
        if (e.getResponseAPDU() == null) {
            if (e.getCause() instanceof Exception) {
                throw (Exception) e.getCause();
            } else {
                throw new ProtocolException(ECardConstants.Minor.IFD.UNKNOWN_ERROR, e.getMessage());
            }
        }
        LOG.error(e.getMessage(), e);
        short sw = e.getResponseAPDU().getSW();
        if (sw == PACEConstants.PASSWORD_DEACTIVATED) {
            // Password is deactivated
            throw new ProtocolException(ECardConstants.Minor.IFD.PASSWORD_DEACTIVATED);
        } else if ((sw & (short) 0xFFF0) == (short) 0x63C0) {
            retryCounter = (byte) (sw & (short) 0x000F);
            if (retryCounter == (byte) 0x00) {
                // The password is blocked
                LOG.warn("The password is blocked. The password MUST be unblocked.");
                if (passwordID == PACEConstants.PASSWORD_PUK) {
                    generalAuthenticateEncryptedNonce();
                } else {
                    throw new ProtocolException(ECardConstants.Minor.IFD.PASSWORD_BLOCKED, "The password is blocked. The password MUST be unblocked.");
                }
            } else if (retryCounter == (byte) 0x01) {
                // The password is suspended
                LOG.warn("The password is suspended. The password MUST be resumed.");
                // TODO check for an existing SM-Channel with the CAN
                // if (mseSetAT.isSecureMessaging()) {
                generalAuthenticateEncryptedNonce();
            /*} else {
			throw new ProtocolException(
				ECardConstants.Minor.IFD.PASSWORD_SUSPENDED,
				"The password is suspended. The password MUST be resumed.");
		    }*/
            } else if (retryCounter == (byte) 0x02) {
                // The password is suspended
                LOG.warn("The password is wrong.");
                generalAuthenticateEncryptedNonce();
            }
        }
    } catch (ProtocolException e) {
        LOG.error(e.getMessage(), e);
        throw e;
    } catch (Exception e) {
        LOG.error(e.getMessage(), e);
        throw new ProtocolException(ECardConstants.Minor.IFD.UNKNOWN_ERROR, e.getMessage());
    }
}
Also used : CardCommandAPDU(org.openecard.common.apdu.common.CardCommandAPDU) MSESetATPACE(org.openecard.ifd.protocol.pace.apdu.MSESetATPACE) ProtocolException(org.openecard.common.ifd.protocol.exception.ProtocolException) APDUException(org.openecard.common.apdu.exception.APDUException) APDUException(org.openecard.common.apdu.exception.APDUException) GeneralSecurityException(java.security.GeneralSecurityException) ProtocolException(org.openecard.common.ifd.protocol.exception.ProtocolException)

Example 2 with ProtocolException

use of org.openecard.common.ifd.protocol.exception.ProtocolException in project open-ecard by ecsec.

the class PACEImplementation method generalAuthenticateMutualAuthentication.

/**
 * Step 5: Mutual authentication
 */
private void generalAuthenticateMutualAuthentication() throws Exception {
    // Calculate shared key k
    byte[] k = cryptoSuite.generateSharedSecret(keyPCD.getEncodedPrivateKey(), keyPICC.getEncodedPublicKey());
    // Derive key MAC
    keyMAC = kdf.deriveMAC(k);
    // Derive key ENC
    keyENC = kdf.deriveENC(k);
    // Calculate token T_PCD
    AuthenticationToken tokenPCD = new AuthenticationToken(psip.getPACEInfo());
    tokenPCD.generateToken(keyMAC, keyPICC.getEncodedPublicKey());
    CardCommandAPDU gaMutualAuth = new GeneralAuthenticate((byte) 0x85, tokenPCD.toByteArray());
    // Calculate token T_PICC
    AuthenticationToken tokenPICC = new AuthenticationToken(psip.getPACEInfo());
    tokenPICC.generateToken(keyMAC, keyPCD.getEncodedPublicKey());
    try {
        response = gaMutualAuth.transmit(dispatcher, slotHandle);
        if (tokenPICC.verifyToken(response.getData(), specifiedCHAT)) {
            currentCAR = tokenPICC.getCurrentCAR();
            previousCAR = tokenPICC.getPreviousCAR();
        } else {
            throw new GeneralSecurityException("Cannot verify authentication token.");
        }
    } catch (APDUException e) {
        if (e.getResponseAPDU() == null) {
            if (e.getCause() instanceof Exception) {
                throw (Exception) e.getCause();
            } else {
                throw new ProtocolException(ECardConstants.Minor.IFD.UNKNOWN_ERROR, e.getMessage());
            }
        }
        LOG.error(e.getMessage(), e);
        int sw = e.getResponseAPDU().getSW();
        if ((sw & (short) 0xFFF0) == (short) 0x63C0) {
            retryCounter = (byte) (sw & (short) 0x000F);
            if (retryCounter == (byte) 0x00) {
                // The password is blocked.
                LOG.warn("The password is blocked. The password MUST be unblocked.");
                throw new ProtocolException(ECardConstants.Minor.IFD.PASSWORD_BLOCKED, "The password is blocked. The password MUST be unblocked.");
            } else if (retryCounter == (byte) 0x01) {
                // The password is suspended.
                LOG.warn("The password is suspended. The password MUST be resumed.");
                throw new ProtocolException(ECardConstants.Minor.IFD.PASSWORD_SUSPENDED, "The password is suspended. The password MUST be resumed.");
            } else if (retryCounter == (byte) 0x02) {
                // The password is wrong.
                LOG.warn("The password is wrong.");
                throw new ProtocolException(ECardConstants.Minor.IFD.PASSWORD_ERROR, "The password is wrong.");
            }
        } else {
            throw new ProtocolException(ECardConstants.Minor.IFD.AUTHENTICATION_FAILED, "Authentication failed.");
        }
    } catch (Exception e) {
        LOG.error(e.getMessage(), e);
        throw new ProtocolException(ECardConstants.Minor.IFD.UNKNOWN_ERROR, e.getMessage());
    }
}
Also used : CardCommandAPDU(org.openecard.common.apdu.common.CardCommandAPDU) ProtocolException(org.openecard.common.ifd.protocol.exception.ProtocolException) AuthenticationToken(org.openecard.ifd.protocol.pace.crypto.AuthenticationToken) APDUException(org.openecard.common.apdu.exception.APDUException) GeneralSecurityException(java.security.GeneralSecurityException) GeneralAuthenticate(org.openecard.common.apdu.GeneralAuthenticate) APDUException(org.openecard.common.apdu.exception.APDUException) GeneralSecurityException(java.security.GeneralSecurityException) ProtocolException(org.openecard.common.ifd.protocol.exception.ProtocolException)

Example 3 with ProtocolException

use of org.openecard.common.ifd.protocol.exception.ProtocolException in project open-ecard by ecsec.

the class PACEImplementation method generalAuthenticateMapNonce.

/**
 * Step 3: Mapping nonce
 */
private void generalAuthenticateMapNonce() throws Exception {
    byte[] pkMapPCD = null;
    PACEMapping mapping = cryptoSuite.getMapping();
    if (mapping instanceof PACEGenericMapping) {
        PACEGenericMapping gm = (PACEGenericMapping) mapping;
        pkMapPCD = gm.getMappingKey().getEncodedPublicKey();
    } else if (mapping instanceof PACEIntegratedMapping) {
        throw new UnsupportedOperationException("Not implemented yet.");
    }
    CardCommandAPDU gaMapNonce = new GeneralAuthenticate((byte) 0x81, pkMapPCD);
    gaMapNonce.setChaining();
    try {
        response = gaMapNonce.transmit(dispatcher, slotHandle);
    } catch (APDUException e) {
        LOG.error(e.getMessage(), e);
        throw new ProtocolException(e.getResult());
    }
    if (mapping instanceof PACEGenericMapping) {
        PACEGenericMapping gm = (PACEGenericMapping) mapping;
        PACEKey keyMapPICC = new PACEKey(domainParameter);
        keyMapPICC.decodePublicKey(response.getData());
        byte[] pkMapPICC = keyMapPICC.getEncodedPublicKey();
        if (ByteUtils.compare(pkMapPICC, pkMapPCD)) {
            throw new GeneralSecurityException("PACE security violation: equal keys");
        }
        domainParameter = gm.map(pkMapPICC, s);
    } else if (mapping instanceof PACEIntegratedMapping) {
        throw new UnsupportedOperationException("Not implemented yet.");
    }
    // Continue with Step 4
    generalAuthenticateKeyAgreement();
}
Also used : CardCommandAPDU(org.openecard.common.apdu.common.CardCommandAPDU) PACEGenericMapping(org.openecard.ifd.protocol.pace.crypto.PACEGenericMapping) ProtocolException(org.openecard.common.ifd.protocol.exception.ProtocolException) PACEKey(org.openecard.ifd.protocol.pace.crypto.PACEKey) APDUException(org.openecard.common.apdu.exception.APDUException) PACEMapping(org.openecard.ifd.protocol.pace.crypto.PACEMapping) GeneralSecurityException(java.security.GeneralSecurityException) PACEIntegratedMapping(org.openecard.ifd.protocol.pace.crypto.PACEIntegratedMapping) GeneralAuthenticate(org.openecard.common.apdu.GeneralAuthenticate)

Example 4 with ProtocolException

use of org.openecard.common.ifd.protocol.exception.ProtocolException in project open-ecard by ecsec.

the class PACEImplementation method generalAuthenticateEncryptedNonce.

/**
 * Step 2: Encrypted nonce
 */
private void generalAuthenticateEncryptedNonce() throws Exception {
    CardCommandAPDU gaEncryptedNonce = new GeneralAuthenticate();
    gaEncryptedNonce.setChaining();
    // Derive key PI
    byte[] keyPI = kdf.derivePI(password);
    try {
        response = gaEncryptedNonce.transmit(dispatcher, slotHandle);
        s = cryptoSuite.decryptNonce(keyPI, response.getData());
        // Continue with Step 3
        generalAuthenticateMapNonce();
    } catch (APDUException e) {
        LOG.error(e.getMessage(), e);
        throw new ProtocolException(e.getResult());
    } catch (GeneralSecurityException e) {
        LOG.error(e.getMessage(), e);
        throw new ProtocolException(e.getMessage());
    }
}
Also used : CardCommandAPDU(org.openecard.common.apdu.common.CardCommandAPDU) ProtocolException(org.openecard.common.ifd.protocol.exception.ProtocolException) APDUException(org.openecard.common.apdu.exception.APDUException) GeneralSecurityException(java.security.GeneralSecurityException) GeneralAuthenticate(org.openecard.common.apdu.GeneralAuthenticate)

Example 5 with ProtocolException

use of org.openecard.common.ifd.protocol.exception.ProtocolException in project open-ecard by ecsec.

the class PACEImplementation method generalAuthenticateKeyAgreement.

/**
 * Step 4: Key agreement
 *
 * @param mapPK_PICC
 */
private void generalAuthenticateKeyAgreement() throws Exception {
    keyPCD = new PACEKey(domainParameter);
    keyPCD.generateKeyPair();
    byte[] keyPKPCD = keyPCD.getEncodedPublicKey();
    CardCommandAPDU gaKeyAgreement = new GeneralAuthenticate((byte) 0x83, keyPKPCD);
    gaKeyAgreement.setChaining();
    try {
        response = gaKeyAgreement.transmit(dispatcher, slotHandle);
        keyPICC = new PACEKey(domainParameter);
        byte[] keyPKPICC = keyPICC.decodePublicKey(response.getData());
        if (!ByteUtils.compare(keyPKPCD, keyPKPICC)) {
            // Continue with Step 5
            generalAuthenticateMutualAuthentication();
        } else {
            throw new GeneralSecurityException("PACE security violation: equal keys");
        }
    } catch (APDUException e) {
        LOG.error(e.getMessage(), e);
        throw new ProtocolException(e.getResult());
    } catch (GeneralSecurityException e) {
        LOG.error(e.getMessage(), e);
        throw new ProtocolException(e.getMessage());
    }
}
Also used : CardCommandAPDU(org.openecard.common.apdu.common.CardCommandAPDU) ProtocolException(org.openecard.common.ifd.protocol.exception.ProtocolException) PACEKey(org.openecard.ifd.protocol.pace.crypto.PACEKey) APDUException(org.openecard.common.apdu.exception.APDUException) GeneralSecurityException(java.security.GeneralSecurityException) GeneralAuthenticate(org.openecard.common.apdu.GeneralAuthenticate)

Aggregations

ProtocolException (org.openecard.common.ifd.protocol.exception.ProtocolException)6 GeneralSecurityException (java.security.GeneralSecurityException)5 CardCommandAPDU (org.openecard.common.apdu.common.CardCommandAPDU)5 APDUException (org.openecard.common.apdu.exception.APDUException)5 GeneralAuthenticate (org.openecard.common.apdu.GeneralAuthenticate)4 PACEKey (org.openecard.ifd.protocol.pace.crypto.PACEKey)2 EstablishChannelResponse (iso.std.iso_iec._24727.tech.schema.EstablishChannelResponse)1 UnsupportedEncodingException (java.io.UnsupportedEncodingException)1 CardResponseAPDU (org.openecard.common.apdu.common.CardResponseAPDU)1 PACEInputType (org.openecard.common.ifd.anytype.PACEInputType)1 PACEOutputType (org.openecard.common.ifd.anytype.PACEOutputType)1 FCP (org.openecard.common.tlv.iso7816.FCP)1 PACESecurityInfos (org.openecard.crypto.common.asn1.eac.PACESecurityInfos)1 SecurityInfos (org.openecard.crypto.common.asn1.eac.SecurityInfos)1 EFCardAccess (org.openecard.crypto.common.asn1.eac.ef.EFCardAccess)1 MSESetATPACE (org.openecard.ifd.protocol.pace.apdu.MSESetATPACE)1 AuthenticationToken (org.openecard.ifd.protocol.pace.crypto.AuthenticationToken)1 PACEGenericMapping (org.openecard.ifd.protocol.pace.crypto.PACEGenericMapping)1 PACEIntegratedMapping (org.openecard.ifd.protocol.pace.crypto.PACEIntegratedMapping)1 PACEMapping (org.openecard.ifd.protocol.pace.crypto.PACEMapping)1