...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
An encoding description contains the information for the electronic personalization of a card. You import the encoding description from a file. This can be used in Smart ID Identity Manager (PRIME).
This article describes how to use Application Protocol Data Unit (APDU) commands in an encoding description.
The CardOS middleware includes an extension for executing APDU commands through PKCS#11. Below are some examples of scripts and corresponding encoding examples.
Prerequisites and features
...
title | Prerequisites |
---|
...
Info |
---|
This article includes updates for Smart ID 22.10. |
An encoding description contains the information for the electronic personalization of a card. You import the encoding description from a file. This can be used in Smart ID Identity Manager.
This article describes how to use Application Protocol Data Unit (APDU) commands in an encoding description.
This feature is specific to PKI cards and still requires a PKCS#11 middleware for certain operations. RFID cards are not supported - refer to Nexus Card SDK for encoding of RFID cards.
Note |
---|
Smart ID 20.11 introduces breaking changes to the syntax of APDU scripts. Existing scripts must be changed to the new syntax - see section PIN line format for details. |
Important information regarding Smart ID 20.11
Expand | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
Renamed parameters Some encoding description parameters were renamed with Smart ID 20.11, so you must adjust any encoding description which includes APDU scripts:
Two supported channels Since Smart ID 20.11 there are two supported channels for sending APDUs within a PKI card encoding:
Depending on your use case and PKCS#11 middleware, you have these options for APDU encodings of PKI cards:
|
Prerequisites and features
Expand | ||
---|---|---|
| ||
|
Expand | ||
---|---|---|
| ||
|
...
|
...
|
About APDU commands
Expand | ||
---|---|---|
|
...
You can have spaces in APDU commands for better readability |
...
:
|
...
|
...
|
...
|
Expand | |
---|---|
|
...
|
...
This format is for non-parameterized APDUs only, which are passed in full as hex-string, for example:
Code Block | ||
---|---|---|
| ||
RAW[MY_OUT_FIELD]:00CA018202 |
The output field name is optional and can be omitted if you are not interested in the response data, for example:
Code Block | ||
---|---|---|
| ||
RAW[]:00AABBCC |
...
title | DYN APDU line format |
---|
This format allows for parametrization of the APDU's command data, which can be read from fields and concatenated, for example:
Code Block | ||
---|---|---|
| ||
DYN[]:002C0001;NEW_PUK+NEW_PIN |
If a field has an empty or null value, it will resolve to an empty byte array, otherwise the field value will be parsed as hex string.
Note |
---|
The DYN format automatically sets the appropriate length for the input data, so do not add the input length byte(s) manually. |
The expected result length is given as a decimal value, for example:
Code Block | ||
---|---|---|
| ||
DYN[OUTPUT]:00CA0188;;255 |
You can have just the header plus field(s) and/or result length, for example:
...
DYN[]:00AABBCC;;0
...
PRIME 3.10.2 extends the DYN format to include fixed hex values in the command-data as well, for example:
...
title | PIN line format |
---|
Note |
---|
|
This custom format allows for displaying a PIN dialog where the user can choose a new PIN.
Optionally input of an existing transport PIN can be requested and/or a PIN validation rule can be specified. Specifying a PIN validation rule is highly recommended to avoid wasting cards.
Code Block |
---|
PIN[OUTPUT]:TARGET_PIN_DESCRIPTION_FIELD;TRANSPORT_PIN_FIELD;VALIDATION_RULE;OLD_VALUE_OUTPUT |
For example:
...
SIGNATURE_NAME describes the signature PIN,
NEW_PIN will contain the PIN chosen by the user; Dialog has new PIN + confirmation.
...
PRIME 3.10.6 / 3.11.1 and higher ONLY:
AUTH_NAME contains the name of the auth PIN, allows 8-12 alphanumeric chars,
OLD_PIN will contain the old PIN entered by the user,
NEW_PIN will contain the new PIN chosen by the user,
TRANSPORT_PIN_FIELD must be empty if OLD_PIN is set
Note |
---|
PIN values used in APDU scripts are read and written as HEX values, even though the user enters them as UTF-8 in the dialog. For example, if the user enters 12345678 this will result in 3132333435363738 being stored in the output field. |
...
title | CR line format (for Challenge/Response) |
---|
Note |
---|
PRIME 3.10.2 is required. |
This custom format allows for calculating a response to a challenge based on a given key (see GET CHALLENGE / EXTERNAL AUTHENTICATION commands in the CardOS firmware docs).
It supports three C/R algorithms, none of which use any padding, so make sure the input has the proper size:
...
CMAC_AES
...
MAC_DES3
...
ECB_DES3
...
The format in an APDU script looks as follows:
Code Block |
---|
CR[OUTPUT]:ALGORITHM;KEY;CHALLENGE |
For example:
...
Uses fixed key
...
A suitable challenge can be acquired as follows:
Code Block |
---|
DYN[CHALLENGE]:00840000;;16 # get 16 bytes challenge, store in CHALLENGE var |
Each challenge is valid within the same session until it is used by an authentication command or replaced with a new challenge.
Note |
---|
After changing the AES256 issuer key it is not possible to immediately authenticate with the new key, so you cannot easily change it back and forth like you can with the 3DES admin key. |
Expand | ||
---|---|---|
| ||
As response data can be arbitrary binary data, and they are always stored as hex string in the output field. If they are to be interpreted as, for example, UTF-8 string, conversion has to be done on the process side. |
Examples of APDU scripts
...
title | Example scripts |
---|
Read version and patch
Code Block | ||
---|---|---|
| ||
# this is an APDU script
RAW[CARDOS_VERSION]:00CA018202 # read CardOS version into field CARDOS_VERSION
DYN[PACKAGE_INFO]:00CA0188;;255 # read package info into field PACKAGE_INFO |
Write ef gdo (Elementary File Global Data Object)
...
| |||||
Smart ID 20.11 allows input and output variables (with some exceptions in PIN lines) to use a format other than hex strings. To configure the format, set the prefix <hex> / <string> / <base64> in front of the variable name (hex is default if no prefix is given).
|
Expand | |||||
---|---|---|---|---|---|
| |||||
The output field name is optional and can be omitted if you are not interested in the response data, for example:
|
Expand | |||||
---|---|---|---|---|---|
| |||||
This format is for non-parameterized APDUs only, which are passed in full as hex-string, with the output type being configurable, see this example:
|
Expand | ||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||||||||||
This format allows for parametrization of the APDU's command data, which can be read from fields and concatenated, for example:
If a field has an empty or null value, it will resolve to an empty byte array, otherwise the field value will be parsed according to the specified input format (refer to the section "Configure format for variables").
The expected result length is given as a decimal value, for example:
You can have just the header plus field(s) and/or result length, for example:
You can include fixed hex values (prefixed with 0x) in the command-data as well, for example:
|
Expand | ||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||
This custom format allows for displaying a PIN dialog where the user can choose a new PIN. Optionally input of an existing transport PIN can be requested and/or a PIN validation rule can be specified. Specifying a PIN validation rule is highly recommended to avoid wasting cards due to repeated entering of an incorrect PIN.
Also, you can now specify the format of the output variables to be something other than a hex string, if desired.
For example:
|
Expand | ||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||
This custom format allows for calculating a response to a challenge based on a given key (see GET CHALLENGE / EXTERNAL AUTHENTICATION commands in the CardOS firmware docs). It supports three C/R algorithms, none of which use any padding, so make sure the input has the proper size:
The format in an APDU script looks as follows:
For example:
A suitable challenge can be acquired as follows:
Each challenge is valid within the same session until it is used by an authentication command or replaced with a new challenge.
|
Expand | ||
---|---|---|
| ||
Since Smart ID 20.11, response data can be returned as UTF-8 string or base64 string instead of hex, so you do not have to do such conversion in the process anymore. Refer to section "Configure format for variables" for details. |
Examples of APDU scripts
Note |
---|
The examples below are valid for Smart ID 20.11 and are not backwards compatible. |
Expand | |||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||
Read version and patch
Write ef gdo (Elementary File Global Data Object)
Change key
|
...
|
...
|
...
|
...
|
...
|
...
|
...
Change ma key
...
title | change_ma_key.apdu |
---|
...
|
...
|
...
|
...
|
...
|
...
|
...
|
...
|
...
|
Encodings using APDU scripts
Note |
---|
The examples below are valid for Smart ID 20.11 (dropping the prefix CardOS from APDU parameter names) and are not backwards compatible. Also they are configured for exclusive use with Smart ID Desktop App (Devices=8711). |
Expand | ||
---|---|---|
| ||
These are example encoding using the script examples above (set the "read" flag on CARDOS_VERSION, PACKAGE_VERSION and APDU_RESPONSE_CODES_*, as those provide output. The Application_X section represents an application, that is, one part of the chip that should be encoded in a certain way.
|
...
|
...
|
...
|
...
|
...
|
...
|
...
|
...
|
...
|
...
|
...
|
...
|
Related information
...
- Encoding description in Identity Manager
- Set up an encoding description file in Identity Manager
- Structure of an encoding description in Identity Manager