I need to be able to read card and company identification data from European digital tachograph company cards (smart cards). These are described within the document COMMISSION REGULATION (EC) No 1360/2002 but I have run into a problem. The data I need to be able to read is contained within the file EF Identification, which must be read with secure messaging and I therefore need to issue a Manage Secure Environment APDU command that requires a key identifier that identifies a key residing on the card.
I don't know where to find these key identifiers or the data that makes them up (described in an appendix of the document). I am waiting for feedback from our partners in Europe but thought I would take a chance and ask here in the hope that someone will have done this and be able to offer some advice.
The key identifier is made up of an equipment serial number, a date, a manufacturer code and a manufacturer specific type. This suggests a problem as I need to be able to access the data from any company card, regardless of manufacturer, issuer or holder. Not sure how I can get the data to compose the key.
I realise that this is pretty specialised information but have been stalled for over a week so am pretty desperate to find a solution so I can continue.
I believe that you first have to obtain a certificate from a country CA. You can then perform the following algorithm (simplified from Appendix 11, section 4):
- Select and read the card certificate (EF_CERTIFICATE)
- Issue a Manage Security Environment command to select the Root CA public key
- Issue a Verify Certificate with the country CA certificate
- Issue a Manage Security Environment command to select the country CA public key
- Issue a Verify Certificate with your certificate
- Issue a Manage Security Environment command to select your public key
- Issue an Internal authenticate command. Verify response.
- Issue a Get Challenge command
- Issue an External authenticate command
- Calculate the session key
- Select File EF_IDENTIFICATION
- Perform a Read Binary command using secure messaging (you need the session key to calculate the checksum and decrypt the result).
I don't know the standard, but I would assume that you read out EF Card_Certificate, recover the certificate content and extract the key identifier from that.
Assuming you have the root certificate (it is published here: http://dtc.jrc.it/erca_of_doc/EC_PK.zip), you will need to:
- Read EF CA_Certificate
- Follow the algorithm in Appendix 11, section 3.3.3
- Extract the CA public key from the certificate content
- Read EF Card_Certificate
- Follow the algorithm in Appendix 11, section 3.3.3
- The Key Identifier should now be byte 20-27 of the recovered certificate content.
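As an added illustration of the last step (this is example code, not from the question or either answer, and not from any tachograph library), the following Python takes an already-recovered certificate content, slices out the 8-byte Key Identifier at bytes 20-27, and splits it into the fields the question lists (equipment serial number, date, manufacturer code, manufacturer-specific type). The 164-byte certificate content layout (CPI, CAR, CHA, EOV, CHR, n, e) and the field order inside the 8-byte identifier are assumptions from my reading of the regulation's appendices; the sample certificate content is constructed, with a zeroed modulus, only so the parser can run offline. The extracted identifier is what the Manage Security Environment command in the answers above needs; building that APDU is not shown here.

```python
from dataclasses import dataclass

# Assumed layout of the recovered certificate content (Appendix 11 style), total 164 bytes:
#   CPI (1) | CAR (8) | CHA (7) | EOV (4) | CHR (8) | n (128) | e (8)
# CHR (certificate holder reference) is the Key Identifier and sits at bytes 20..27,
# which matches the "byte 20-27" in the answer above (0-based indexing).
CERT_CONTENT_LEN = 164
CHR_OFFSET, CHR_LEN = 20, 8


@dataclass(frozen=True)
class EquipmentKeyIdentifier:
    """Assumed field order of an 8-byte equipment key identifier (ExtendedSerialNumber)."""
    serial_number: int      # 4 bytes, big-endian
    month: int              # 1 byte, BCD (mm)
    year_yy: int            # 1 byte, BCD (yy), left as two digits to avoid guessing the century
    equipment_type: int     # 1 byte, manufacturer-specific type
    manufacturer_code: int  # 1 byte


def extract_key_identifier(cert_content: bytes) -> bytes:
    """Return bytes 20..27 of the recovered certificate content, checking the length first."""
    if len(cert_content) != CERT_CONTENT_LEN:
        raise ValueError(
            f"expected {CERT_CONTENT_LEN} bytes of recovered certificate content, "
            f"got {len(cert_content)} (was the signature recovery step skipped?)"
        )
    return cert_content[CHR_OFFSET:CHR_OFFSET + CHR_LEN]


def _bcd(b: int) -> int:
    """Decode one packed-BCD byte, rejecting nibbles above 9."""
    hi, lo = b >> 4, b & 0x0F
    if hi > 9 or lo > 9:
        raise ValueError(f"byte 0x{b:02x} is not valid BCD")
    return hi * 10 + lo


def parse_equipment_key_identifier(kid: bytes) -> EquipmentKeyIdentifier:
    """Split the 8-byte identifier into its components (field order is an assumption)."""
    if len(kid) != CHR_LEN:
        raise ValueError(f"key identifier must be {CHR_LEN} bytes, got {len(kid)}")
    month = _bcd(kid[4])
    if not 1 <= month <= 12:
        raise ValueError(f"month {month} out of range in key identifier")
    return EquipmentKeyIdentifier(
        serial_number=int.from_bytes(kid[0:4], "big"),
        month=month,
        year_yy=_bcd(kid[5]),
        equipment_type=kid[6],
        manufacturer_code=kid[7],
    )


def build_sample_certificate_content() -> bytes:
    """Constructed 164-byte certificate content; every value here is made up for the example."""
    cpi = b"\x01"
    car = bytes(8)          # placeholder certification authority reference
    cha = bytes(7)          # placeholder holder authorisation
    eov = bytes(4)          # placeholder end-of-validity
    # serial 123456 (0x0001E240), March '23 (BCD 03 23), type 0x01, manufacturer 0x42: all hypothetical
    chr_ = bytes.fromhex("0001e240" "0323" "01" "42")
    n = bytes(128)          # placeholder modulus; a real card's n is never all zeros
    e = bytes(8)            # placeholder public exponent
    return cpi + car + cha + eov + chr_ + n + e


if __name__ == "__main__":
    kid = extract_key_identifier(build_sample_certificate_content())
    print(kid.hex(), parse_equipment_key_identifier(kid))
```

Running the script prints the identifier hex followed by the parsed fields; on a real card you would feed in the content recovered from EF Card_Certificate instead of the constructed sample, and the length check is there because a raw, unrecovered certificate (signature plus remainder) is a different size than the 164-byte content.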