HSM 10K KW COMMAND

[Chandrasekhar Rout]

hello all,

  Can anyone give KW command ( Thales PAYSHIELD 10k hsm)data for arqc validation and arpc generation.

(For CVN 18) .

getting error code 15 from hsm .

 

[Raman Verma]

Hi Chandrasekhar
You can refer below :- 

      command: 'KW'
      mode: '3'
      scheme-id: '2'
      key-scheme: 'U'
      mk-ac: 'YOUR-KEY'
      pan: 'YOUR-PAN'
      atc: '0079'
      txn-data-length: '28'
      txn-data: '000000000000000000000000084080000100000840200120009badbcab2000007906010a03a00000'
      delimiter-txn: ';'
      arqc: '091b98e29f944f94'
      csu: '00000000'
      proprietary-auth-data-length: '0'
      delimiter: '%'
      lmk-identifier: '00'

[Raman Verma]

you should not share the official snapshot of this document here as this is a Thales proprietary doc.

On Tue, Mar 19, 2024 at 3:23 PM Brave <hoav...@gmail.com> wrote:

This is KW command.

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
---
You received this message because you are subscribed to a topic in the Google Groups "jPOS Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jpos-users/8KTVJMi7M54/unsubscribe.
To unsubscribe from this group and all its topics, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/24dceadb-f157-4efc-98d7-fd3314c3f11fn%40googlegroups.com.

--

Thanks and Regards,

Raman Verma

Developer  :  FPLabs

Mobile        :  +91 8219341138

[Chandrasekhar Rout]

I have that document and I am using schemeid 2 for CVN 18 

But getting response 0000KX15

0000 RESPONSE HEADER

KX

15 FOR INVALID INPUT DATA ( INVALID FORMAT, INVALID CHARECTER OR NOT ENOUGH DATA)  MOST PROBABLY THIS ERROR IS COMING FOR BYTE VALUES OF( PANSN,ATC,TXNDATA ,ARQC AND CSU) .

I AM USING this values like PANSN.getbytes() for byte values 

But getting error as 15 

You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/CACCCwBQ-P0vj6qL0Pty%3DWLTPtJWaenyMAxyfWuO2RZwbFNAKjA%40mail.gmail.com.

[Mark Salter]

That is the whole point.

You need to make sure that all the values are being presented in the correct format and all needed fields are present .

That is why I asked what you had so far and why I knew someone sharing an example would not help.

So, check each field value and format you are writing to the network connection to the hsm;  Every single byte matters.

The example previously provided was a character form, but you will see that some fields and values are not character and also some parts (the LMK re-emergence that are not strictly needed at all)

If you want to share what you have then someone might be able to spot what you have wrong.  You will need to share the request in a hexadecimal dump format for it be be legible/useful.


-- 
Mark

-------- Original Message --------

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/CAAGCvrBs2tOBXnO4r%2BQdQFdnUgTg1ahrVoSmLRP%3D8t6T1UF0Rg%40mail.gmail.com.

[Raman Verma]

Agree with Mark on the part that you should check each and every byte that you are sending to HSM. This is the most important thing. I have already been with this issue and the issue is in the final bytes that are being sent to HSM. Existing Thales code packs the the FSD msg to string and then removes the spaces from the string in command function(public String command (String request, LogEvent evt) ) which causes this problem. I have fixed the same with some tweeks in the code and it is working fine for me now. 

Again Every single byte matters. In many cases you will have to take care of message that is being sent to HSM. Use ISOUtil.hexdump(byte[]) to validate what is being sent to HSM at the very last stage from application and act accordingly. 

Hope below code may help you.

public FSDMsg command (FSDMsg request) {
LogEvent evt = trace ? getLog().createTrace () : null;
FSDMsg resp = null;
try {
if (trace)
evt.addMessage (request);
byte[] s = command (request.pack().getBytes(ISOUtil.CHARSET), evt);
if (s != null) {
resp = new FSDMsg ("jar:fsd/thales/hsm-resp-");
resp.unpack (s);
if (trace)
evt.addMessage (resp);
} else {
if (trace)
evt.addMessage ("TIMEOUT");
}
} catch (Exception e) {
if (trace)
evt.addMessage (e);
else
getLog().error (e);
} finally {
if (trace)
Logger.log (evt);
}
return resp;
}

public byte[] command (byte[] request, LogEvent evt) {
String header = Long.toString(
10000L + (SpaceUtil.nextLong (sp, this.toString() + ".seq") % 10000L)
).substring(1);
request = ISOUtil.concat(header.getBytes(), request);
long start = System.currentTimeMillis ();
String response = null;
byte[] b = request (request, timeout);
if (b != null && b.length > 4) {
if (!header.equals(new String (b, 0, 4))) {
getLog().error (
"warning: expected header='" + header +
"', received header='"+new String(b,0,4) + "'"
);
}
response = new String (b, 4, b.length-4);
return Arrays.copyOfRange(b, 4, b.length);
}
if (trace)
evt.addMessage (" elapsed: " + (System.currentTimeMillis() - start) + "ms");
return null;
}

[Chandrasekhar Rout]

Hello mark , I have correct format data when we are using python  application to send data to HSM 

For these data 

Pansn,ATC, TXNDATA, ARQC and CSU (in

Getting successful( for byte values of above 5 parameters using binary.a2bhex ()) 

While in jave I am giving these value in bytes but getting response code 15

0000 header 

Kw  command

3 arpc method 2 

2 for CVN 18

Mkac key s+na format ( keyblock LMK)

Pansn 16 digit (pan+pansn)

0008-atc 

30 data len ( hex representation of 48 byte 96 Len txndata)

96 CHARECTER txn data

;

16 CHARECTER arqc

00000000

0 ---propriertory authentication data length

Getting response

0000KW15

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/ppIRvtwDP9TMx1JDQdtIPbevBFU2g85g_CoxjXMVX7I2XqjivXyR4dvZXVw-Q2bJFbN8jasoX_tnrObyQYY4YjMw5RcSxnOqAN-H2nbslPE%3D%40pm.me.

[Mark S]

Perfectly stated.

Breaching copyright - for whatever reason is totally unacceptable;  'Brave' is now moderated and his inconsiderate post deleted.

[Mark S]

So you are not using jpos;  why are you asking here then I do wonder?

Anyway, if you can share the precise bytes flowing to the hsm then we can help.  any interpreted form is pointless.  If you can't do that from your code, then capture and share the specific network traffic - perhaps using wireshark or similar.  Otherwise you are on your own.  Refer to the manual and make it match, the error is in your code and not the HSM.

You need to match your java code to the python in terms of function.

Perhaps use the jpos way instead as referenced in this thread; at least then you are here for a right reason?

-- 

Mark

[Chandrasekhar Rout]

Hello Raman are you sending FSD MSG TO THALES PAYSHIELD HSM

I

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/66d6b6a4-f218-4f3f-a331-6d3fe15f9c38n%40googlegroups.com.

[Mark Salter]

Not Raman, but Thales is Thales.  If there was variation I would be surprised.  With FSDMsg as a starter, tuning it to any variations (if needed) would be easy.

-- 
Mark

-------- Original Message --------

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/CAAGCvrDrpYbxmK3HUvt8nzSk2%3DXo-KA-%3DiePwWU0qYx3agZyNg%40mail.gmail.com.

[Chandrasekhar Rout]

Hlo mark could you help me .in which format i have to send Pansn ,ATC ,txndata ,arqc (I am sending these data in bytes ( pansn.getbytes() in java) but not getting successful result from hsm while sending kw command.

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/gAGVSTZ4Q8wLPNNylh70H7fl-_uYpCfpqU4_QzQIxjbxEfUV6tiFDOa6yhAulJzarBy-REXOL8b7zY_1HOo4809pMlLZBAFjO8V3gCXkRMA%3D%40pm.me.

[Mark Salter]

On 20/03/2024 05:31, Chandrasekhar Rout wrote:
> Hlo
Your keyboard appears to have broken!

> mark could you help me .in which format i have to send Pansn ,ATC ,txndata
> ,arqc (I am sending these data in bytes ( pansn.getbytes() in java) but not
> getting successful result from hsm while sending kw command.

The detail needed here is in the Thales manual - best you refer to that
again and again (and again) - for the required format/content of the
bytes you are putting on the wire to your HSM.

I would expect that you are getting unicode 'noise' within the
String.getBytes() against possible binary data.
At least specify the StandardCharsets.UTF_8 , on those getBytes calls. 
I append into a ByteArrayOutputStream to have full control of the
ultimate byte[] that is sent to the HSM.

My suggestion is that you capture and look at the network bytes - it is
what your HSM is seeing and what must conform with the Thales manual
definitions.

Given you apparently have a working python version, capture the network
bytes sent to the HSM from your python (of the KW/KX) and capture the
same exchange from your java code for the exact same starting data and keys.

Compare them and work focus on the differences.

If you can just share the network trace of the java version, it will be
obvious what is wrong and I expect easy to highlight which fields are
not to spec.

--

Mark

[Raman Verma]

You need to make sure that you are formatting psn correctly. I suppose you know how to do that. 

As I said you need to verify what is being sent to HSM because that matters in the end. You might be setting the right fields but conversion might lead to data loss. 15 error code you only get when you are not sending the correct data. There is a high chance of data loss. 

Also, make sure to build the txn data as per EMV specs. If that is not in the right order and anything is missing in that then you will get the same error again and again. 

If its possible to you to share the command data here then may be I will be able to help to identify where is the issue.  

[Chandrasekhar Rout]

Pf below request format to HSM

0000=== header

KW=== command code

3===ARPC method 2

2====cvn 18

S10096E0TN00N000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx====mk-ac

6584130596096601===pan+pansn (last 14 digit of pan + last 2 digit of pansn) 

0008===ATC 

30=== data len

00000002100000000000000003560000048000035624022700FB1450933800000806011203A0B8028000000000000000=== txn data 

;

9505C442034C5A9A===ARQC 

00000000====csu

 

0===Proprietary 

Authentication Data 

Length

txn data formatting

000000021000 ====9F02

000000000000==== 9F03

 0356 ===== 9F1A

 0000048000 ===95

 0356=== 5F2A

 240220===9A 

 00 ==== 9C

 2DB0BEA7===9F37

 3800 ====82

 0007===9F36

 06011203A08002===9F10

8000000000000000 padding in txn data

Response:

0000----header

KX------- command code 

15------- error code 

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/868144de-7aa9-415e-8b8c-dc2d6c508cf1n%40googlegroups.com.

[Mark Salter]

On 21/03/2024 06:03, Raman Verma wrote:

As I said you need to verify what is being sent to HSM because that matters in 
the end. You might be setting the right fields but conversion might lead to data 
loss. 15 error code you only get when you are not sending the correct data. 

Or a missing field, or bad length, but all in all - we know the OP has something wrong in their java code (unshared/unknown) and that they say they have a working python version.
They are selectively ignoring the hard bits and so I am about done - I have even shared explicitly how they can solve they problem if the really wanted to.

If its possible to you to share the command data here then may be I will be able 
to help to identify where is the issue.

I really appreciate that you are trying, but without direct access to the network data stream  an interpreted command as shared below is not going to help - as stated, we need the byte stream to have any chance to assist.

I think this OP is on his own for now until they can provide the detail requested or indeed can simply follow the guidance I have shared to resolve this on their own without needing to share this interpreted and masked!!!! data - from 'test'.

Ah well.

--

Mark

[Mark Salter]

On 21/03/2024 06:47, Chandrasekhar Rout wrote:

Pf below request format to HSM

The detail presented here and in this format is pointless.

Please take and apply the guidance on capturing the network data on a working python call and this java one and you can compare byte for byte and then trace back to the source of your issue.

As you are, you are wasting your own time as well as ours :-)

--

Mark

[Chandrasekhar Rout]

Hello Mark ,

For all other command like BU ,A6,A0,CW,CY, CA,M2 ,JE,M6 ,M8,DE,EA,JG,PE we are getting successful result from HSM through java application. 

But especially in KW command i think we are failing in data format for these parameters Pansn,ATC,arqc,CSU ,txndata .as per document we are giving these parameters in bytes .

--

--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/8ecd366a-a4cb-4966-9266-6f427d2544b0%40protonmail.com.

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage.  Please support jPOS, contact: sa...@jpos.org
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/8ecd366a-a4cb-4966-9266-6f427d2544b0%40protonmail.com.

[Mark Salter]

On 21/03/2024 08:27, Chandrasekhar Rout wrote:

For all other command like BU ,A6,A0,CW,CY, CA,M2 ,JE,M6 ,M8,DE,EA,JG,PE we are 
getting successful result from HSM through java application.

Great, other more basic commands can work, we know though that the your KW is not - I have already explained what is likely wrong.

But especially in KW command i think we are failing in data format for these 
parameters Pansn,ATC,arqc,CSU ,txndata .as per document we are giving these 
parameters in bytes .

It is probably not the data you are converting from, but the bytes you are sending to the HSM that are wrong.

As suggested, you have to compare the working to the non-working, capture the test exchange from python and from java - they are different, the difference will help you see the error.
I have given you the means to solve this, to chose to ignore that is up to you; I can't help you here more, until you stop (perhaps go back and read each of my replies fully) and look or share.

--
Mark

[Raman Verma]

remove the padding data from the txn data. You are already providing the CSU separately so there is no need to pad in the txn data. You should left with 28 HEX length txn data. Other than this I do not see any issue with your command data at least in the setting front. Still I can not comment on the data that you are sending to HSM. 

Try with the solution I have provided if this still fails then sadly you are on your own buddy. :-)

[Chandrasekhar Rout]

Yes I have tried what u suggested. Still getting the same error. 

Do you have working kw command request and response

Please share with me that would be highly appreciated. 

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/b58c7e26-357b-427f-8daf-b5c5527c4bb5n%40googlegroups.com.

[Mark Salter]

On 21/03/2024 10:23, Chandrasekhar Rout wrote:
> Yes I have tried what u suggested. Still getting the same error.

Because it is the bytes you are sending to the HSM and not what you are
providing.

> Do you have working kw command request and response
> Please share with me that would be highly appreciated.

Please take my guide and look at the network bytes now, this is going on
way longer than it needed to.

You hope others will share what you appear not to be able to - very odd.

--

Mark

[Raman Verma]

I have already shared the details of the command data. you can refer to that. 

As Mark said, pls check the network bytes that you are sending to HSM and match them with the data you set in your application. 

If still not able to find the solution,  I would recommend you to reach out to the Thales team for support. They will provide you a software which is helpful in checking and validating the data. 

I personally used the same when I was stuck in the application development and it turns out that the bytes that are being sent to HSM were corrupted. Highly chance that you also have the same problem here.

[Chandrasekhar Rout]

Hello Raman 

How did you connecting to HSM in Jpos 

Are you connecting with socket or used channel adopter and  mux.

If you are using mux .is it possible to send isomsg to HSM??

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/079d3581-70d6-4535-9e7a-cf1b913c5728n%40googlegroups.com.

[murtuza chhil]

Ideally you should have started a new thread.

You can talk to the HSM via a MUX.

mux can be used when the message is an ISOMsg.

Define your HSM messages using a FSDMsg schemas.

FSDMsg can be wrapped in an FSDISOMsg.

Mux needs a key to match request / response.

HSMs can be configured for headers which are echoed back.

Use the header as the key for the mux request response matching.

We pass an incremental number in the header for every request.

-chhil

[Mark Salter]

On 23/03/2024 00:53, murtuza chhil wrote:

Ideally you should have started a new thread.

Ideally, the OP would have taken my guidance and have fixed this for themselves shortly after my second reply :-D

Imagine choosing not to do that ;-).

--

Mark

[Chandrasekhar Rout]

Thanks for nothing , I have resolved it.  

#ThalesIsThales  :)

[Mark Salter]

On 12/06/2024 10:54, Chandrasekhar Rout wrote:
> Thanks for nothing , I have resolved it.

You only have yourself to thank.

Care to share what yopu were doing wrong for everyone else to learn from
and avoid doing?

--

Mark