verify init-update cryptogram with globalplatform or keycard keys

globalplatform/command_set.go

@@ -158,17 +158,48 @@ func (cs *CommandSet) initializeUpdate(hostChallenge []byte) error {
 	}
 
 	// verify cryptogram and initialize session keys
-	keys := NewSCP02Keys(identifiers.CardTestKey, identifiers.CardTestKey)
-	session, err := NewSession(keys, resp, hostChallenge)
+	session, err := cs.initializeSession(resp, hostChallenge)
 	if err != nil {
 		return err
 	}
+
 	cs.sc = NewSecureChannel(session, cs.c)
 	cs.session = session
 
 	return nil
 }
 
+func (cs *CommandSet) initializeSession(resp *apdu.Response, hostChallenge []byte) (session *Session, err error) {
+	keySets := []struct {
+		name string
+		key  []byte
+	}{
+		{"globalplatform", identifiers.GlobalPlatformDefaultKey},
+		{"keycard", identifiers.KeycardDevelopmentKey},
+	}
+
+	for _, set := range keySets {
+		logger.Debug("initialize session", "keys", set.name)
+		keys := NewSCP02Keys(set.key, set.key)
+		session, err = NewSession(keys, resp, hostChallenge)
+
+		// good keys
+		if err == nil {
+			break
+		}
+
+		// try the next keys
+		if err == errBadCryptogram {
+			continue
+		}
+
+		// unexpected error
+		return nil, err
+	}
+
+	return session, err
+}
+
 func (cs *CommandSet) externalAuthenticate() error {
 	if cs.session == nil {
 		return errors.New("session must be initialized using initializeUpdate")

identifiers/identifiers.go

@@ -3,7 +3,8 @@ package identifiers
 import "errors"
 
 var (
-	CardTestKey = []byte{0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f}
+	GlobalPlatformDefaultKey = []byte{0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f}
+	KeycardDevelopmentKey    = []byte{0xc2, 0x12, 0xe0, 0x73, 0xff, 0x8b, 0x4b, 0xbf, 0xaf, 0xf4, 0xde, 0x8a, 0xb6, 0x55, 0x22, 0x1f}
 
 	PackageAID      = []byte{0xA0, 0x00, 0x00, 0x08, 0x04, 0x00, 0x01}
 	KeycardAID      = []byte{0xA0, 0x00, 0x00, 0x08, 0x04, 0x00, 0x01, 0x01}