How to perform Terminal Authentication on smart card?

I am trying to digitally sign a document using the smart card's eSign application. It is a national ID card, and I am following the ICAO 9303 and TR-03110 specifications. If I am not mistaken, before selecting the eSign application I should perform Terminal Authentication as a Signature Terminal beforehand.

In ICAO 9303 it is stated:

The following sequence of commands SHALL be used with secure messaging to implement Terminal Authentication:

  1. MSE:Set DST
  2. PSO:Verify Certificate
  3. MSE:Set AT
  4. Get Challenge
  5. External Authenticate

Steps 1 and 2 are repeated for every CV certificate to be verified (CVCA Link Certificates, DV Certificate, Terminal Certificate).

To perform MSE:Set DST, the following APDU should be used:

INS - 0x22
P1/P2 - 0x81B6
Data - 0x83 Reference of a public key, ISO 8859-1 encoded name of the public key to be set

It is the Data part I do not understand. What exactly do I need to provide there? How do I find the public key or its name?



Solution 1:[1]

What exactly do I need to provide there? How do I find the public key or its name?

Before starting TA you should be sure that the terminal has its own valid chain of CV certificates plus the proper private key:

  1. DV certificate
  2. IS certificate of the terminal
  3. private key corresponding to IS certificate

The initial step of TA is certificate chain verification:

  1. Read EF.CVCA and find CHRs of root certificates known to chip
  2. Select one that is a parent of the terminal's DV certificate. CHR from EF.CVCA must be equal to CAR from DV certificate.
  3. Send MSE:Set DST with chosen CHR
  4. Send PSO:Verify Certificate with terminal's DV certificate
  5. Send MSE:Set DST with CHR of terminal's DV certificate (it must be equal to CAR from IS certificate)
  6. Send PSO:Verify Certificate with terminal's IS certificate

Now the chip knows the terminal's public key and can use it to verify a cryptogram signed by the terminal with its private key.

Certificate holder reference (CHR) and certificate authority reference (CAR) are IDs encoded as string values.
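The six steps above, as an added worked example in Python (this is editor-added code, not from the question or the answer): it reads the CARs out of EF.CVCA, pulls CAR and CHR from each CV certificate, checks that each certificate's CAR equals the CHR of the one verified before it, and builds the plaintext MSE:Set DST / PSO:Verify Certificate APDUs, followed by MSE:Set AT with the terminal's CHR. The EF.CVCA contents, the two certificates (dummy key point, CHAT rights and signature), the CHR names such as DETESTCVCA00001, and the optional ephemeral-key object in MSE:Set AT are constructed assumptions for the example; the output still has to be wrapped in secure messaging before it is sent, and a real chip would reject the dummy signatures.

```python
"""Terminal Authentication (TR-03110 / ICAO 9303) APDU builder; added example, not from the post.
EF.CVCA and the CV certificates below are constructed dummy data (placeholder key, CHAT and
signature) and will not verify on a real chip; they only exercise the CAR/CHR reference matching."""
from typing import List, Tuple

TAG_CV_CERT, TAG_CERT_BODY, TAG_SIGNATURE, TAG_CAR, TAG_CHR = 0x7F21, 0x7F4E, 0x5F37, 0x42, 0x5F20

def parse_tlv(data: bytes) -> List[Tuple[int, bytes]]:
    """BER-TLV objects with multi-byte tags; skips the 0x00 padding EF.CVCA ends with."""
    out, i = [], 0
    while i < len(data):
        tag, i = data[i], i + 1
        if tag in (0x00, 0xFF):
            continue
        if tag & 0x1F == 0x1F:                  # more tag bytes follow while bit 8 is set
            while True:
                b, i = data[i], i + 1
                tag = (tag << 8) | b
                if not b & 0x80:
                    break
        length, i = data[i], i + 1
        if length & 0x80:                       # long form: 81 xx or 82 xx xx
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        out.append((tag, data[i:i + length]))
        i += length
    return out

def encode_tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return tag.to_bytes(2 if tag > 0xFF else 1, "big") + length + value

def apdu(ins: int, p1: int, p2: int, data: bytes) -> bytes:
    """Plaintext CLA 00 case-3 APDU, extended Lc above 255 bytes (chips that lack extended
    length need command chaining instead); secure-messaging wrapping is a later step."""
    lc = bytes([len(data)]) if len(data) <= 255 else b"\x00" + len(data).to_bytes(2, "big")
    return bytes([0x00, ins, p1, p2]) + lc + data

def cars_from_ef_cvca(ef_cvca: bytes) -> List[str]:
    """EF.CVCA holds one or two CAR objects (tag 42) naming the CVCA keys the chip trusts."""
    return [v.decode("ascii") for t, v in parse_tlv(ef_cvca) if t == TAG_CAR]

def certificate_refs(cert: bytes) -> Tuple[str, str]:
    """(CAR, CHR): CAR names the issuer's key, CHR names the key inside this certificate."""
    (tag, content), = parse_tlv(cert)
    if tag != TAG_CV_CERT:
        raise ValueError("expected a 7F21 CV certificate")
    fields = dict(parse_tlv(dict(parse_tlv(content))[TAG_CERT_BODY]))
    return fields[TAG_CAR].decode("ascii"), fields[TAG_CHR].decode("ascii")

def mse_set_dst(public_key_ref: str) -> bytes:
    """MSE:Set DST, 00 22 81 B6: data object 83 carries the CHR of the key that must verify the
    next certificate: a CAR read from EF.CVCA first, then the CHR of the certificate just verified."""
    return apdu(0x22, 0x81, 0xB6, encode_tlv(0x83, public_key_ref.encode("ascii")))

def pso_verify_certificate(cert: bytes) -> bytes:
    """PSO:Verify Certificate, 00 2A 00 BE: data = 7F4E body || 5F37 signature, without the outer 7F21."""
    (_, content), = parse_tlv(cert)
    return apdu(0x2A, 0x00, 0xBE, content)

def mse_set_at(terminal_chr: str, compressed_ephemeral_pk: bytes = b"") -> bytes:
    """MSE:Set AT, 00 22 81 A4: 83 = CHR of the verified terminal certificate; optional 91 = compressed ephemeral key (PACE / CA v2 chips, assumed here)."""
    data = encode_tlv(0x83, terminal_chr.encode("ascii"))
    return apdu(0x22, 0x81, 0xA4, data + (encode_tlv(0x91, compressed_ephemeral_pk) if compressed_ephemeral_pk else b""))

def ta_chain_apdus(ef_cvca: bytes, chain: List[bytes]) -> List[bytes]:
    """Steps 1-6 of the answer: choose the trust anchor from EF.CVCA, then MSE:Set DST and
    PSO:Verify Certificate per certificate, checking each CAR against the previous CHR."""
    known = cars_from_ef_cvca(ef_cvca)
    expected_car = certificate_refs(chain[0])[0]
    if expected_car not in known:
        raise ValueError(f"chip trusts {known}, but the chain starts at {expected_car}")
    apdus = []
    for cert in chain:
        car, chr_ = certificate_refs(cert)
        if car != expected_car:
            raise ValueError(f"chain broken: CAR {car} != previous CHR {expected_car}")
        apdus += [mse_set_dst(car), pso_verify_certificate(cert)]
        expected_car = chr_
    return apdus

def make_dummy_cert(car: str, chr_: str) -> bytes:
    """Constructed CV certificate: real TLV layout, dummy key point, rights and signature."""
    body = (encode_tlv(0x5F29, b"\x00") + encode_tlv(TAG_CAR, car.encode("ascii"))
            + encode_tlv(0x7F49, encode_tlv(0x06, bytes.fromhex("04007F00070202020203"))   # id-TA-ECDSA-SHA-256
                         + encode_tlv(0x86, b"\x04" + bytes(64)))                          # dummy EC point
            + encode_tlv(TAG_CHR, chr_.encode("ascii"))
            + encode_tlv(0x7F4C, encode_tlv(0x06, bytes.fromhex("04007F000703010203"))     # id-ST (signature terminal)
                         + encode_tlv(0x53, b"\x00"))                                     # dummy 1-byte rights
            + encode_tlv(0x5F25, bytes.fromhex("020400010001"))                           # effective 24-01-01
            + encode_tlv(0x5F24, bytes.fromhex("020500010001")))                          # expires 25-01-01
    return encode_tlv(TAG_CV_CERT, encode_tlv(TAG_CERT_BODY, body) + encode_tlv(TAG_SIGNATURE, bytes(64)))

EF_CVCA = encode_tlv(TAG_CAR, b"DETESTCVCA00001") + encode_tlv(TAG_CAR, b"DETESTCVCA00000")
EF_CVCA += bytes(36 - len(EF_CVCA))                                    # file is zero padded to 36 bytes
CHAIN = [make_dummy_cert("DETESTCVCA00001", "DETESTDV00001"),          # DV certificate
         make_dummy_cert("DETESTDV00001", "DETESTST00001")]            # terminal (ST) certificate
```

Running `ta_chain_apdus(EF_CVCA, CHAIN)` yields four APDUs in the order the answer describes: MSE:Set DST naming DETESTCVCA00001, PSO:Verify Certificate with the DV certificate, MSE:Set DST naming DETESTDV00001, PSO:Verify Certificate with the terminal certificate; `mse_set_at("DETESTST00001")` then points the chip at the freshly verified terminal key. The remaining two commands of the ICAO sequence carry no certificate references: Get Challenge (00 84 00 00 08) fetches the 8-byte nonce, and External Authenticate sends the terminal's signature over that nonce, which must be produced with the private key matching the terminal certificate.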

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 nvf