FreeRDP/tools/smartcard-interpreter.py

727 lines
21 KiB
Python
Raw Normal View History

#!/usr/bin/env python3
#
# Copyright 2022 David Fort <contact@hardening-consulting.com>
#
# This script is meant to parse some FreeRDP logs in DEBUG mode (WLOG_LEVEL=DEBUG) and interpret the
# smartcard traffic, dissecting the PIV or GIDS commands
#
# usage:
# * live: WLOG_LEVEL=DEBUG xfreerdp <args with smartcard> | python3 smartcard-interpreter.py
# * on an existing log file: python3 smartcard-interpreter.py <log file>
#
import sys
import codecs
CMD_NAMES = {
0x04: "DESACTIVATE FILE",
0x0C: "ERASE RECORD",
0x0E: "ERASE BINARY",
0x0F: "ERASE BINARY",
0x20: "VERIFY",
0x21: "VERIFY",
0x22: "MSE",
0x24: "CHANGE REFERENCE DATA",
0x25: "MSE",
0x26: "DISABLE VERIFICATION REQUIREMENT",
0x28: "ENABLE VERIFICATION REQUIREMENT",
0x2A: "PSO",
0x2C: "RESET RETRY COUNTER",
0x2D: "RESET RETRY COUNTER",
0x44: "ACTIVATE FILE",
0x46: "GENERATE ASYMMETRIC KEY PAIR",
0x47: "GENERATE ASYMMETRIC KEY PAIR",
0x84: "GET CHALLENGE",
0x86: "GENERAL AUTHENTICATE",
0x87: "GENERAL AUTHENTICATE",
0x88: "INTERNAL AUTHENTICATE",
0xA0: "SEARCH BINARY",
0xA1: "SEARCH BINARY",
0xA2: "SEARCH RECORD",
0xA4: "SELECT",
0xB0: "READ BINARY",
0xB1: "READ BINARY",
0xB2: "READ RECORD",
0xB3: "READ RECORD",
0xC0: "GET RESPONSE",
0xC2: "ENVELOPPE",
0xC3: "ENVELOPPE",
0xCA: "GET DATA",
0xCB: "GET DATA",
0xD0: "WRITE BINARY",
0xD1: "WRITE BINARY",
0xD2: "WRITE RECORD",
0xD6: "UPDATE BINARY",
0xD7: "UPDATE BINARY",
0xDA: "PUT DATA",
0xDB: "PUT DATA",
0xDC: "UPDATE RECORD",
0xDD: "UPDATE RECORD",
0xE0: "CREATE FILE",
0xE2: "APPEND RECORD",
0xE4: "DELETE FILE",
0xE6: "TERMINATE DF",
0xE8: "TERMINATE EF",
0xFE: "TERMINATE CARD USAGE",
}
AIDs = {
"a00000039742544659": "MsGidsAID",
"a000000308": "PIV",
"a0000003974349445f0100": "SC PNP",
"a0000001510000": "GPC",
}
FIDs = {
0x0000: "Current EF",
0x2F00: "EF.DIR",
0x2F01: "EF.ATR",
0x3FFF: "Current application(ADF)",
}
DOs = {
"df1f": "DO_FILESYSTEMTABLE",
"df20": "DO_CARDID",
"df21": "DO_CARDAPPS",
"df22": "DO_CARDCF",
"df23": "DO_CMAPFILE",
"df24": "DO_KXC00",
}
ERROR_CODES = {
0x9000: "success",
0x6100: "more bytes",
0x6282: "end of file or record",
0x6283: "card locked",
0x63C0: "warning counter 0",
0x63C1: "warning counter 1",
0x63C2: "warning counter 2",
0x63C3: "warning counter 3",
0x63C4: "warning counter 4",
0x63C5: "warning counter 5",
0x63C6: "warning counter 6",
0x63C7: "warning counter 7",
0x63C8: "warning counter 8",
0x63C9: "warning counter 9",
0x6982: "security status not satisfied",
0x6882: "Secure messaging not supported",
0x6985: "condition of use not satisfied",
0x6A80: "incorrect parameter cmd data field",
0x6A81: "function not suppported",
0x6A82: "file or application not found",
0x6A83: "record not found",
0x6A88: "REFERENCE DATA NOT FOUND",
0x6D00: "unsupported",
}
PIV_OIDs = {
"5fc101": "X.509 Certificate for Card Authentication",
"5fc102": "Card Holder Unique Identifier",
"5fc103": "Cardholder Fingerprints",
"5fc105": "X.509 Certificate for PIV Authentication",
"5fc106": "Security Object",
"5fc107": "Card Capability Container",
"5fc108": "Cardholder Facial Image",
"5fc10a": "X.509 Certificate for Digital Signature",
"5fc10b": "X.509 Certificate for Key Management",
"5fc10d": "Retired X.509 Certificate for Key Management 1",
"5fc10e": "Retired X.509 Certificate for Key Management 2",
"5fc10f": "Retired X.509 Certificate for Key Management 3",
}
class ApplicationDummy(object):
"""Base application"""
def __init__(self, aid):
self.aid = aid
def getAID(self):
return self.aid
def selectResult(self, fci, status, body):
return 'selectResult(fci=%s, status=0x%x) = %s\n' %(fci, status, body.hex())
def getData(self, fileId, bytes):
return 'getData(status=0x%x) = %s\n' %(fileId, bytes.hex())
def getDataResult(self, status, body):
return 'getDataResult(status=0x%x) = %s\n' %(status, body.hex())
def mse(self, body):
return body.hex()
def mseResult(self, status, body):
return body.hex()
def pso(self, body):
return body.hex()
def psoResult(self, status, body):
return body.hex()
def getResponse(self, status, body):
return body.hex()
def getResponseResult(self, status, body):
return body.hex()
def verify(self, status, body):
return "verify(%s)" % body.hex()
def verifyResult(self, status, body):
return "verify(%s)" % body.hex()
'''
'''
class ApplicationGpc(object):
"""GlobalPlatform application"""
def __init__(self, aid):
self.aid = aid
self.lastGetData = None
def getAID(self):
return self.aid
def selectResult(self, fci, status, body):
return 'selectResult(fci=%s, status=0x%x) = %s\n' %(fci, status, body.hex())
def getData(self, fileId, bytes):
tags = {
0x42: 'Issuer Identification Number',
0x45: 'Card Image Number',
0x66: 'Card Data',
0x67: 'Card Capability Information' # ???
}
self.lastGetData = fileId
return 'getData(%s)\n' % tags.get(fileId, '<unknown 0x%x>' % fileId)
def getDataResult(self, status, body):
if self.lastGetData == 0x66:
# Card Data
pass
return 'getDataResult(0x%x) = %s\n' %(status, body.hex())
def mse(self, body):
return body.hex()
def mseResult(self, status, body):
return body.hex()
def pso(self, body):
return body.hex()
def psoResult(self, status, body):
return body.hex()
def getResponse(self, status, body):
return body.hex()
def getResponseResult(self, status, body):
return body.hex()
class ApplicationPIV(object):
"""PIV application"""
def __init__(self, aid):
self.lastGet = None
self.aid = aid
def getAID(self):
return self.aid
def selectResult(self, selectT, status, body):
ret = ''
appTag = body[0]
appLen = body[1]
body = body[2:2+appLen]
while len(body) > 2:
tag = body[0]
tagLen = body[1]
if tagLen != 1:
pass
if selectT == "FCI":
if tag == 0x4f:
ret += "\tpiv version: %s\n" % body[2:2 + tagLen].hex()
elif tag == 0x79:
subBody = body[2:2 + tagLen]
subTag = subBody[0]
subLen = subBody[1]
content = subBody.hex()
if subTag == 0x4f:
v = content[4:]
if v.startswith('a000000308'):
content = 'NIST RID'
ret += '\tCoexistent tag allocation authority: %s\n' % content
elif tag == 0x50:
ret += '\tapplication label: %s\n' % body[2:2+tagLen].decode('utf8')
elif tag == 0xac:
ret += '\tCryptographic algorithms supported: %s\n' % body[2:2+tagLen].hex()
else:
rety += '\tunknown tag 0x%x\n' % tag
else:
ret += "\tTODO: selectType %s\n" % selectT
body = body[2+tagLen:]
return ret
def getData(self, fileId, bytes):
ret = "\tfileId=%s(%0.4x)\n" % (FIDs.get(fileId, ""), fileId)
if len(bytes) < 7:
return ret + "\t/!\\ too short !!!!"
lc = bytes[4]
tag = bytes[5]
tagLen = bytes[6]
if lc == 4:
ret += "\tdoId=%0.4x\n"% (bytes[7] * 256 + bytes[8])
elif lc == 0xa:
keyStr = ''
# TLV
i = 7
tag = bytes[i]
tagLen = bytes[i+1]
keyRef = bytes[i+3]
keyStr = "key(tag=0x%x len=%d ref=0x%x)=" % (tag, tagLen, keyRef)
i = i + 2 + tagLen
tag = bytes[i]
tagLen = bytes[i+1]
keyStr += "value(tag=0x%x len=%d)"
elif lc == 3:
ret += "\tDiscovery Object\n"
elif lc == 4:
ret += "\tBiometric Information Templates (BIT) Group Template\n"
elif lc == 5:
if tag == 0x5C:
tagStr = bytes[7:10].hex()
ret += '\ttag: %s(%s)\n' % (tagStr, PIV_OIDs.get(tagStr, '<unknown>'))
self.lastGet = tagStr
else:
ret += "\tunknown key access(lc=0x%x)\n" % lc
return ret
def getDataResult(self, status, body):
ret = ''
if not len(body):
return ''
appTag = body[0]
appLen = body[1]
body = body[2:2+appLen]
while len(body) > 2:
tag = body[0]
tagLen = body[1]
tagBody = body[2:2+tagLen]
if self.lastGet in ('5fc102',):
# Card holder Unique Identifier
if tag == 0x30:
ret += '\tFASC-N: %s\n' % tagBody.hex()
elif tag == 0x34:
ret += '\tGUID: %s\n' % tagBody.hex()
elif tag == 0x35:
ret += '\texpirationDate: %s\n' % tagBody.decode('utf8')
elif tag == 0x3e:
ret += '\tIssuer Asymmetric Signature: %s\n' % tagBody.hex()
else:
ret += "\tunknown tag=0x%x len=%d content=%s\n" % (tag, tagLen, tagBody.hex())
elif self.lastGet in ('5fc107',):
# Card Capability Container
capas = {
0xf0: "Card Identifier",
0xf1: "Capability Container version number",
0xf2: "Capability Grammar version number",
0xf3: "Applications CardURL",
0xf4: "PKCS#15",
0xf5: "Registered Data Model number",
0xf6: "Access Control Rule Table",
0xf7: "Card APDUs",
0xfa: "Redirection Tag",
0xfb: "Capability Tuples (CTs)",
0xfc: "Status Tuples (STs)",
0xfd: "Next CCC",
0xe3: "Extended Application CardURL",
0xb4: "Security Object Buffer",
0xfe: "Error Detection Code"
}
if tag in capas.keys():
if tagLen:
ret += "\t%s: len=%d %s\n" % (capas[tag], tagLen, tagBody.hex())
else:
ret += "\tunknown capa tag 0x%x: %s\n" % (tag, tagBody.hex())
elif self.lastGet == '5fc105':
# X.509 Certificate for PIV Authentication
pass
else:
ret += "\t%s: unimplemented tag=0x%x len=%d content=%s\n" % (self.lastGet, tag, tagLen, tagBody.hex())
body = body[2+tagLen:]
return ret
def getResponse(self, status, body):
return body.hex()
def getResponseResult(self, status, body):
return body.hex()
def mse(self, body):
return body.hex()
def mseResult(self, status, body):
return body.hex()
def pso(self, body):
return body.hex()
def psoResult(self, status, body):
return body.hex()
def verify(self, status, body):
return "verify(%s)" % body.hex()
def verifyResult(self, status, body):
return "verify(%s)" % body.hex()
class ApplicationGids(object):
"""GIDS application"""
def __init__(self, aid):
self.aid = aid
self.lastDo = None
def getAID(self):
return self.aid
def parseFcp(self, bytes):
ret = ''
tag = bytes[0]
tagLen = bytes[1]
body = bytes[2:2+tagLen]
if tag == 0x62:
ret += '\tFCP\n'
while len(body) > 2:
tag2 = body[0]
tag2Len = body[1]
tag2Body = body[2:2+tag2Len]
if tag2 == 0x82:
ret += '\t\tFileDescriptor: %s\n' % tag2Body.hex()
elif tag2 == 0x8a:
ret += '\t\tLifeCycleByte: %s\n' % tag2Body.hex()
elif tag2 == 0x84:
ret += '\t\tDF name: %s\n' % tag2Body.encode('utf8')
elif tag2 == 0x8C:
ret += '\t\tSecurityAttributes: %s\n' % tag2Body.hex()
else:
ret += '\t\tunhandled tag=0x%x body=%s\n' % (tag2, tag2Body.hex())
body = body[2+tag2Len:]
return ret
def parseFci(self, bytes):
ret = ''
tag = bytes[0]
tagLen = bytes[1]
body = bytes[2:2+tagLen]
if tag == 0x61:
ret += '\tFCI\n'
while len(body) > 2:
tag2 = body[0]
tag2Len = body[1]
tag2Body = body[2:2+tag2Len]
if tag2 == 0x4F:
ret += '\t\tApplication AID: %s\n' % tag2Body.hex()
elif tag2 == 0x50:
ret += '\t\tApplication label: %s\n' % tag2Body.encode('utf8')
elif tag2 == 0x73:
body2 = tag2Body
tokens = []
while len(body2) > 2:
tag3 = body2[0]
tag3Len = body2[1]
if tag3 == 0x40:
v = body2[2]
if v & 0x80:
tokens.append('mutualAuthSymAlgo')
if v & 0x40:
tokens.append('extAuthSymAlgo')
if v & 0x20:
tokens.append('keyEstabIntAuthECC')
body2 = body2[2+tag3Len:]
ret += '\t\tDiscretionary data objects: %s\n' % ",".join(tokens)
else:
ret += '\t\tunhandled tag=0x%x body=%s\n' % (tag2, tag2Body.hex())
body = body[2+tag2Len:]
return ret
def selectResult(self, selectT, status, body):
if not len(body):
return ''
if selectT == 'FCP':
return self.parseFcp(body)
elif selectT == 'FCI':
return self.parseFci(body)
else:
return '\tselectResult(fci=%s, status=0x%x) = %s\n' % (selectT, status, body.hex())
def getData(self, fileId, bytes):
lc = bytes[4]
tag = bytes[5]
tagLen = bytes[6]
if tag == 0x5c:
doStr = bytes[7:7+tagLen].hex()
ret = '\tDO=%s\n' % DOs.get(doStr, "<%s>" % doStr)
self.lastDo = doStr
else:
ret = '\tunknown tag=0%x len=%d v=%s' % (tag, tagLen, bytes[7:7+tagLen].hex())
return ret
def getDataResult(self, status, body):
ret = ''
'''
while len(body) > 2:
tag = body[0]
tagLen = body[1]
ret += '\ttag=0x%x len=%d content=%s\n' % (tag, tagLen, body[2:2+tagLen].hex())
body = body[2+tagLen:]
'''
return ret
def mse(self, body):
return body.hex()
def mseResult(self, status, body):
return body.hex()
def getResponse(self, status, body):
return body.hex()
def getResponseResult(self, status, body):
return body.hex()
def pso(self, body):
return body.hex()
def psoResult(self, status, body):
return body.hex()
def createAppByAid(aid):
if aid in ("a000000308", 'a00000030800001000',):
return ApplicationPIV(aid)
elif aid in ('a00000039742544659',):
return ApplicationGids(aid)
elif aid in ('a0000001510000',):
return ApplicationGpc(aid)
return ApplicationDummy(aid)
def getErrorCode(status):
if status & 0x6100:
return "%d more bytes" % (status & 0xff)
return ERROR_CODES.get(status, "<unknown>")
if __name__ == '__main__':
if len(sys.argv) > 1:
fin = open(sys.argv[1], "r")
else:
fin = sys.stdin
lineno = 0
lastCmd = 0
lastSelect = None
lastSelectFCI = False
lastGetItem = None
currentApp = None
for l in fin.readlines():
lineno += 1
if not len(l):
continue
# smartcard loggers have changed
#if l.find("[DEBUG][com.freerdp.channels.smartcard.client]") == -1:
# continue
body = ''
recvKey = 'pbRecvBuffer: { '
pos = l.find(recvKey)
if pos != -1:
toCard = False
pos += len(recvKey)
pos2 = l.find(' }', pos)
if pos2 == -1:
print("line %d: invalid recvBuffer")
continue
else:
toCard = True
sendKey = 'pbSendBuffer: { '
pos = l.find(sendKey)
if pos == -1:
continue
pos += len(sendKey)
pos2 = l.find(' }', pos)
if pos2 == -1:
print("line %d: invalid sendBuffer")
continue
body = l[pos:pos2]
print(l[0:-1])
bytes = codecs.decode(body, 'hex')
if toCard:
(cla, ins, p1, p2) = bytes[0:4]
cmdName = CMD_NAMES.get(ins, "<COMMAND 0x%x>" % ins)
print(cmdName + ":")
if cmdName == "SELECT":
lc = bytes[4]
i = 5
if p1 == 0x00:
print("\tselectByFID: %0.2x%0.2x" % (bytes[i], bytes[i+1]))
i = i + lc
elif p1 == 0x4:
aid = bytes[i:i+lc].hex()
lastSelect = AIDs.get(aid, '<unknown %s>' % aid)
print("\tselectByAID: %s(%s)" % (aid, lastSelect))
if p2 == 0x00:
lastSelectT = "FCI"
print('\tFCI')
elif p2 == 0x04:
print('\tFCP')
lastSelectT = "FCP"
elif p2 == 0x08:
print('\tFMD')
lastSelectT = "FMD"
if not currentApp or currentApp.getAID() != aid:
currentApp = createAppByAid(aid)
elif cmdName == "VERIFY":
lc = bytes[4]
P2_DATA_QUALIFIER = {
0x00: "Card global password",
0x01: "RFU",
0x80: "Application password",
0x81: "Application resetting password",
0x82: "Application security status resetting code",
}
pin=''
if lc:
pin = ", pin='" + bytes[5:5+lc-2].decode('utf8)') + "'"
print("\t%s%s" % (P2_DATA_QUALIFIER.get(p2, "<unknown>"), pin))
elif cmdName == "GET DATA":
lc = bytes[4]
fileId = p1 * 256 + p2
ret = currentApp.getData(fileId, bytes)
print("%s" % ret)
elif cmdName == "GET RESPONSE":
#lc = bytes[4]
#fileId = p1 * 256 + p2
#ret = currentApp.getResponse(fileId, bytes)
#print("%s" % ret)
pass
elif cmdName == "MSE":
ret = currentApp.mse(bytes[5:5+lc])
print("%s" % ret)
elif cmdName == "PSO":
ret = currentApp.pso(bytes[5:5+lc])
print("%s" % ret)
else:
print('handle %s' % cmdName)
lastCmd = cmdName
else:
# Responses
if not len(bytes):
continue
status = bytes[-1] + bytes[-2] * 256
body = bytes[0:-2]
print("status=0x%0.4x(%s)" % (status, getErrorCode(status)))
if not len(body):
continue
ret = ''
if lastCmd == "SELECT":
ret = currentApp.selectResult(lastSelectT, status, body)
elif lastCmd == "GET DATA":
ret = currentApp.getDataResult(status, body)
elif lastCmd == "MSE":
ret = currentApp.mseResult(status, body)
elif lastCmd == "PSO":
ret = currentApp.psoResult(status, body)
elif lastCmd == "GET RESPONSE":
ret = currentApp.getResponseResult(status, body)
elif lastCmd == "VERIFY":
ret = currentApp.verifyResult(status, body)
if ret:
print("%s" % ret)