keycard-go/globalplatform/command_set.go

package globalplatform

import (
	"crypto/rand"
	"errors"
	"os"

	"github.com/status-im/keycard-go/apdu"
	"github.com/status-im/keycard-go/identifiers"
	"github.com/status-im/keycard-go/types"
)

var ErrSecureChannelNotOpen = errors.New("secure channel not open")

type LoadingCallback = func(loadingBlock, totalBlocks int)

type CommandSet struct {
	c       types.Channel
	sc      *SecureChannel
	session *Session
}

func NewCommandSet(c types.Channel) *CommandSet {
	return &CommandSet{
		c: c,
	}
}

func (cs *CommandSet) Select() error {
	return cs.SelectAID(nil)
}

func (cs *CommandSet) SelectAID(aid []byte) error {
	cmd := apdu.NewCommand(
		0x00,
		InsSelect,
		uint8(0x04),
		uint8(0x00),
		aid,
	)

	cmd.SetLe(0)
	resp, err := cs.c.Send(cmd)

	return cs.checkOK(resp, err)
}

func (cs *CommandSet) OpenSecureChannel() error {
	hostChallenge, err := generateHostChallenge()
	if err != nil {
		return err
	}

	err = cs.initializeUpdate(hostChallenge)
	if err != nil {
		return err
	}

	return cs.externalAuthenticate()
}

func (cs *CommandSet) DeleteKeycardInstancesAndPackage() error {
	if cs.sc == nil {
		return ErrSecureChannelNotOpen
	}

	instanceAID, err := identifiers.KeycardInstanceAID(identifiers.KeycardDefaultInstanceIndex)
	if err != nil {
		return err
	}

	ids := [][]byte{
		identifiers.NdefInstanceAID,
		instanceAID,
		identifiers.PackageAID,
	}

	for _, id := range ids {
		cmd := NewCommandDelete(id)
		resp, err := cs.sc.Send(cmd)
		if cs.checkOK(resp, err, SwOK, SwReferencedDataNotFound) != nil {
			return err
		}
	}

	return nil
}

func (cs *CommandSet) LoadKeycardPackage(capFile *os.File, callback LoadingCallback) error {
	if cs.sc == nil {
		return ErrSecureChannelNotOpen
	}

	preLoad := NewCommandInstallForLoad(identifiers.PackageAID, []byte{})
	resp, err := cs.sc.Send(preLoad)
	if err = cs.checkOK(resp, err); err != nil {
		return err
	}

	load, err := NewLoadCommandStream(capFile)
	if err != nil {
		return err
	}

	for load.Next() {
		cmd := load.GetCommand()
		callback(int(load.Index()), load.BlocksCount())
		resp, err = cs.sc.Send(cmd)
		if err = cs.checkOK(resp, err); err != nil {
			return err
		}
	}

	return nil
}

func (cs *CommandSet) InstallNDEFApplet(ndefRecord []byte) error {
	return cs.installForInstall(
		identifiers.PackageAID,
		identifiers.NdefAID,
		identifiers.NdefInstanceAID,
		ndefRecord)
}

func (cs *CommandSet) InstallKeycardApplet() error {
	instanceAID, err := identifiers.KeycardInstanceAID(identifiers.KeycardDefaultInstanceIndex)
	if err != nil {
		return err
	}

	return cs.installForInstall(
		identifiers.PackageAID,
		identifiers.KeycardAID,
		instanceAID,
		[]byte{})
}

func (cs *CommandSet) installForInstall(packageAID, appletAID, instanceAID, params []byte) error {
	cmd := NewCommandInstallForInstall(packageAID, appletAID, instanceAID, params)
	resp, err := cs.sc.Send(cmd)
	return cs.checkOK(resp, err)
}

func (cs *CommandSet) initializeUpdate(hostChallenge []byte) error {
	cmd := NewCommandInitializeUpdate(hostChallenge)
	resp, err := cs.c.Send(cmd)
	if err = cs.checkOK(resp, err); err != nil {
		return err
	}

	// verify cryptogram and initialize session keys
	keys := NewSCP02Keys(identifiers.CardTestKey, identifiers.CardTestKey)
	session, err := NewSession(keys, resp, hostChallenge)
	if err != nil {
		return err
	}
	cs.sc = NewSecureChannel(session, cs.c)
	cs.session = session

	return nil
}

func (cs *CommandSet) externalAuthenticate() error {
	if cs.session == nil {
		return errors.New("session must be initialized using initializeUpdate")
	}

	encKey := cs.session.Keys().Enc()
	cmd, err := NewCommandExternalAuthenticate(encKey, cs.session.CardChallenge(), cs.session.HostChallenge())
	if err != nil {
		return err
	}

	resp, err := cs.sc.Send(cmd)
	return cs.checkOK(resp, err)
}

func (cs *CommandSet) checkOK(resp *apdu.Response, err error, allowedResponses ...uint16) error {
	if len(allowedResponses) == 0 {
		allowedResponses = []uint16{apdu.SwOK}
	}

	for _, code := range allowedResponses {
		if code == resp.Sw {
			return nil
		}
	}

	return apdu.NewErrBadResponse(resp.Sw, "unexpected response")
}

func generateHostChallenge() ([]byte, error) {
	c := make([]byte, 8)
	_, err := rand.Read(c)
	return c, err
}
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`package globalplatform`

			`import (`
			`"crypto/rand"`
			`"errors"`
			`"os"`

			`"github.com/status-im/keycard-go/apdu"`
add identifiers package 2019-03-06 10:30:00 +00:00			`"github.com/status-im/keycard-go/identifiers"`
add Delete to Installer 2019-03-11 10:49:00 +00:00			`"github.com/status-im/keycard-go/types"`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`)`

explicitly use secure channel and check if open 2019-03-11 12:11:41 +00:00			`var ErrSecureChannelNotOpen = errors.New("secure channel not open")`

add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`type LoadingCallback = func(loadingBlock, totalBlocks int)`

			`type CommandSet struct {`
add Delete to Installer 2019-03-11 10:49:00 +00:00			`c types.Channel`
explicitly use secure channel and check if open 2019-03-11 12:11:41 +00:00			`sc *SecureChannel`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`session *Session`
			`}`

add Delete to Installer 2019-03-11 10:49:00 +00:00			`func NewCommandSet(c types.Channel) *CommandSet {`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`return &CommandSet{`
			`c: c,`
			`}`
			`}`

don't parse ISD 2019-03-06 12:45:32 +00:00			`func (cs *CommandSet) Select() error {`
check if applet is already installed 2019-03-06 13:31:40 +00:00			`return cs.SelectAID(nil)`
			`}`

			`func (cs *CommandSet) SelectAID(aid []byte) error {`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`cmd := apdu.NewCommand(`
			`0x00,`
			`InsSelect,`
			`uint8(0x04),`
			`uint8(0x00),`
check if applet is already installed 2019-03-06 13:31:40 +00:00			`aid,`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`)`

remove card manager AID in select and install for load 2019-03-06 11:48:12 +00:00			`cmd.SetLe(0)`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`resp, err := cs.c.Send(cmd)`
remove card manager AID in select and install for load 2019-03-06 11:48:12 +00:00
don't parse ISD 2019-03-06 12:45:32 +00:00			`return cs.checkOK(resp, err)`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`}`

			`func (cs *CommandSet) OpenSecureChannel() error {`
			`hostChallenge, err := generateHostChallenge()`
			`if err != nil {`
			`return err`
			`}`

			`err = cs.initializeUpdate(hostChallenge)`
			`if err != nil {`
			`return err`
			`}`

			`return cs.externalAuthenticate()`
			`}`

			`func (cs *CommandSet) DeleteKeycardInstancesAndPackage() error {`
explicitly use secure channel and check if open 2019-03-11 12:11:41 +00:00			`if cs.sc == nil {`
			`return ErrSecureChannelNotOpen`
			`}`

use identifiers.KeycardDefaultInstanceIndex 2019-03-11 11:56:22 +00:00			`instanceAID, err := identifiers.KeycardInstanceAID(identifiers.KeycardDefaultInstanceIndex)`
add identifiers package 2019-03-06 10:30:00 +00:00			`if err != nil {`
			`return err`
			`}`

add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`ids := [][]byte{`
add identifiers package 2019-03-06 10:30:00 +00:00			`identifiers.NdefInstanceAID,`
			`instanceAID,`
			`identifiers.PackageAID,`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`}`

			`for _, id := range ids {`
			`cmd := NewCommandDelete(id)`
explicitly use secure channel and check if open 2019-03-11 12:11:41 +00:00			`resp, err := cs.sc.Send(cmd)`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`if cs.checkOK(resp, err, SwOK, SwReferencedDataNotFound) != nil {`
			`return err`
			`}`
			`}`

			`return nil`
			`}`

			`func (cs CommandSet) LoadKeycardPackage(capFile os.File, callback LoadingCallback) error {`
explicitly use secure channel and check if open 2019-03-11 12:11:41 +00:00			`if cs.sc == nil {`
			`return ErrSecureChannelNotOpen`
			`}`

remove card manager AID in select and install for load 2019-03-06 11:48:12 +00:00			`preLoad := NewCommandInstallForLoad(identifiers.PackageAID, []byte{})`
explicitly use secure channel and check if open 2019-03-11 12:11:41 +00:00			`resp, err := cs.sc.Send(preLoad)`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`if err = cs.checkOK(resp, err); err != nil {`
			`return err`
			`}`

			`load, err := NewLoadCommandStream(capFile)`
			`if err != nil {`
			`return err`
			`}`

			`for load.Next() {`
			`cmd := load.GetCommand()`
			`callback(int(load.Index()), load.BlocksCount())`
explicitly use secure channel and check if open 2019-03-11 12:11:41 +00:00			`resp, err = cs.sc.Send(cmd)`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`if err = cs.checkOK(resp, err); err != nil {`
			`return err`
			`}`
			`}`

			`return nil`
			`}`

			`func (cs *CommandSet) InstallNDEFApplet(ndefRecord []byte) error {`
add identifiers package 2019-03-06 10:30:00 +00:00			`return cs.installForInstall(`
			`identifiers.PackageAID,`
			`identifiers.NdefAID,`
			`identifiers.NdefInstanceAID,`
			`ndefRecord)`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`}`

			`func (cs *CommandSet) InstallKeycardApplet() error {`
use identifiers.KeycardDefaultInstanceIndex 2019-03-11 11:56:22 +00:00			`instanceAID, err := identifiers.KeycardInstanceAID(identifiers.KeycardDefaultInstanceIndex)`
add identifiers package 2019-03-06 10:30:00 +00:00			`if err != nil {`
			`return err`
			`}`

			`return cs.installForInstall(`
			`identifiers.PackageAID,`
			`identifiers.KeycardAID,`
			`instanceAID,`
			`[]byte{})`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`}`

			`func (cs *CommandSet) installForInstall(packageAID, appletAID, instanceAID, params []byte) error {`
			`cmd := NewCommandInstallForInstall(packageAID, appletAID, instanceAID, params)`
explicitly use secure channel and check if open 2019-03-11 12:11:41 +00:00			`resp, err := cs.sc.Send(cmd)`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`return cs.checkOK(resp, err)`
			`}`

			`func (cs *CommandSet) initializeUpdate(hostChallenge []byte) error {`
			`cmd := NewCommandInitializeUpdate(hostChallenge)`
			`resp, err := cs.c.Send(cmd)`
			`if err = cs.checkOK(resp, err); err != nil {`
			`return err`
			`}`

			`// verify cryptogram and initialize session keys`
add identifiers package 2019-03-06 10:30:00 +00:00			`keys := NewSCP02Keys(identifiers.CardTestKey, identifiers.CardTestKey)`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`session, err := NewSession(keys, resp, hostChallenge)`
check if card is blocked 2019-03-06 11:55:57 +00:00			`if err != nil {`
			`return err`
			`}`
explicitly use secure channel and check if open 2019-03-11 12:11:41 +00:00			`cs.sc = NewSecureChannel(session, cs.c)`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`cs.session = session`

			`return nil`
			`}`

			`func (cs *CommandSet) externalAuthenticate() error {`
			`if cs.session == nil {`
			`return errors.New("session must be initialized using initializeUpdate")`
			`}`

			`encKey := cs.session.Keys().Enc()`
			`cmd, err := NewCommandExternalAuthenticate(encKey, cs.session.CardChallenge(), cs.session.HostChallenge())`
			`if err != nil {`
			`return err`
			`}`

explicitly use secure channel and check if open 2019-03-11 12:11:41 +00:00			`resp, err := cs.sc.Send(cmd)`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`return cs.checkOK(resp, err)`
			`}`

			`func (cs CommandSet) checkOK(resp apdu.Response, err error, allowedResponses ...uint16) error {`
			`if len(allowedResponses) == 0 {`
			`allowedResponses = []uint16{apdu.SwOK}`
			`}`

			`for _, code := range allowedResponses {`
			`if code == resp.Sw {`
			`return nil`
			`}`
			`}`

check if applet is already installed 2019-03-06 13:31:40 +00:00			`return apdu.NewErrBadResponse(resp.Sw, "unexpected response")`
add globalplatform.CommandSet 2019-03-06 09:45:52 +00:00			`}`

			`func generateHostChallenge() ([]byte, error) {`
			`c := make([]byte, 8)`
			`_, err := rand.Read(c)`
			`return c, err`
			`}`