Help with MSE:SET command for ECDSA signing with non-repudiation key


Mamisoa Andriantafika

Jan 2, 2025, 12:22:01 PM
to eID Middleware Dev
I'm trying to implement digital signature using the Belgian eID card's non-repudiation key. I've successfully:
1. Selected the Belpic applet (AID: A0 00 00 00 30 29 05 70 00 AD 13 10 01 01 FF)
2. Selected the non-repudiation key file (path: 3F 00 DF 00 50 38)

However, I'm getting stuck at the MSE:SET command. Here's my current workflow:

1. Select non-repudiation key file:
   ```
   Command:  00 A4 08 0C 06 3F 00 DF 00 50 38
   Response: SW1=0x90, SW2=0x00 (Success)
   ```

2. Set up security environment with MSE:SET:
   ```
   Command:  00 22 41 B6 06 80 01 40 84 01 83
   Response: SW1=0x67, SW2=0x00 (Wrong length)
   ```

The MSE:SET command data consists of:
- Algorithm reference (80 01 40): ECDSA mechanism
- Key reference (84 01 83): Non-repudiation key

I've tried several variations:
- Different algorithm references (01 for SHA-256, 40 for ECDSA)
- Different key references (82, 83)
- Different command structures (with/without algorithm reference)

But I keep getting SW1=0x67, SW2=0x00 (Wrong length) for all attempts.

Questions:
1. What is the correct MSE:SET command structure for ECDSA signing with the non-repudiation key?
2. Should the algorithm reference (tag 0x80) specify ECDSA or SHA-256 or both?
3. Is there a specific order or format required for the TLV data?

Environment:
- Belgian eID card (latest)
- Linux 6.8.0-51-generic
- Python with pyscard

I feel my difficulties come from my understanding of the MSE:SET command:
Data: Length of following data =’04’ ||
Tag for Algorithm reference =’80’ ||
Algorithm reference (refer to Table 14) ||
Tag for private key reference =’84’ ||
Private key reference (refer to Table 16) = ‘82’, ‘83’

--> Can you give me an example? What does "length of following data" mean?

Any help or pointers to documentation would be greatly appreciated.

Frederik Vernelen

Jan 2, 2025, 12:24:02 PM
to eID Middleware Dev
Hello,

The key and algo references are both only 1 byte long.
So the LC byte (Length of subsequent data field) is '05'
"0x04 as Length of following data" means 4 bytes will follow

You can find a good example in the minidriver here:
https://github.com/Fedict/eid-mw/blob/master/cardcomm/minidriver/src/SmartCard.c#L755C7-L755C14

```c
/* Prepare SET COMMAND before a VERIFY PIN */
Cmd[0] = 0x00;
Cmd[1] = 0x22;   /* MSE: SET COMMAND                     */
Cmd[2] = 0x41;
Cmd[3] = 0xB6;
Cmd[4] = 0x05;   /* Lc: length of the data field         */
Cmd[5] = 0x04;   /* Length of following data             */
Cmd[6] = 0x80;   /* Tag for algorithm reference          */
Cmd[7] = bAlgo;  /* 0x01 = RSA PKCS#1                    */
Cmd[8] = 0x84;   /* Tag for private key reference        */
Cmd[9] = bKey;   /* 0x82 for AUTH, 0x83 for NONREP       */
```
Wkr,
 Frederik
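As an added illustration of the layout Frederik describes (this is not code from the thread or from the eid-mw project), the following Python builds the Belpic MSE:SET APDU with the correct Lc and inner length byte, and checks a candidate APDU against that layout so a wrong-length attempt can be diagnosed before it reaches the card. Only the references named in the thread (0x01 RSA PKCS#1, 0x82 AUTH, 0x83 NONREP) are used as constants; any ECDSA algorithm reference is a caller-supplied assumption.

```python
# Added example, not part of the original thread or the eid-mw source.
from typing import List

CLA, INS_MSE, P1_SET, P2_DST = 0x00, 0x22, 0x41, 0xB6
TAG_ALGO, TAG_PRIV_KEY = 0x80, 0x84
ALGO_RSA_PKCS1 = 0x01          # value quoted in the thread
KEY_AUTH, KEY_NONREP = 0x82, 0x83


def build_mse_set(algo_ref: int, key_ref: int) -> List[int]:
    """Return the full APDU: CLA INS P1 P2 Lc || 04 80 <algo> 84 <key>.

    Both references are a single byte, so the data field is 5 bytes:
    one 'length of following data' byte (0x04) plus the 4 bytes it announces.
    """
    data = [TAG_ALGO, algo_ref & 0xFF, TAG_PRIV_KEY, key_ref & 0xFF]  # 4 bytes
    body = [len(data)] + data                                          # 0x04 || data
    return [CLA, INS_MSE, P1_SET, P2_DST, len(body)] + body            # Lc = 0x05


def check_mse_set(apdu: List[int]) -> str:
    """Explain why a candidate MSE:SET APDU does or does not match the layout."""
    if apdu[:4] != [CLA, INS_MSE, P1_SET, P2_DST]:
        return "header is not 00 22 41 B6"
    lc, body = apdu[4], apdu[5:]
    if lc != len(body):
        return f"Lc says {lc} bytes but {len(body)} follow"
    if not body:
        return "empty data field"
    if body[0] != len(body) - 1:
        return f"inner length byte is {body[0]:#04x}, but {len(body) - 1} bytes follow it"
    if len(body) != 5 or body[1] != TAG_ALGO or body[3] != TAG_PRIV_KEY:
        return "data is not 04 80 <algo> 84 <key>"
    return "ok"


def to_hex(apdu: List[int]) -> str:
    return " ".join(f"{b:02X}" for b in apdu)


if __name__ == "__main__":
    # Constructed sample: the command that received SW=6700 in the first post.
    failing = [0x00, 0x22, 0x41, 0xB6, 0x06, 0x80, 0x01, 0x40, 0x84, 0x01, 0x83]
    print(to_hex(failing), "->", check_mse_set(failing))
    ok = build_mse_set(ALGO_RSA_PKCS1, KEY_NONREP)
    print(to_hex(ok), "->", check_mse_set(ok))
```

With pyscard, the list returned by `build_mse_set` can be passed directly to `CardConnection.transmit`, which returns the response data together with SW1 and SW2.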


Mamisoa Andriantafika

Jan 2, 2025, 3:52:03 PM
to eID Middleware Dev
Thanks a lot for your help!