I works on a Gemalto Smard Card and I try to get the content of two certificates stored on this. For this, I've sent several APDU commands with success. But, I've never found the content of my certificates.
First, I get the ODF (Object Directory File):
00 A4 00 0C 02 50 31
00 B0 00 00 3C
I obtain the following response:
A0 06 30 04 04 02 70 02 A1 06 30 04 04 02 70 04 A4 06 30 04 04 02 70 05 A7 06 30 04 04 02 70 06 A8 06 30 04 04 02 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00
Now, I get the CDF (Certificate Directory File):
00 A4 00 00 02 70 05
00 B0 00 00 E7
I obtain the following response:
30 6D 30 3D 0C 1B 43 65 72 74 69 66 69 63 61 74 20 53 69 67 6E 61 74 75 72 65 20 49 47 43 2D 43 41 03 02 06 40 30 1A 30 06 03 02 07 80 05 00 30 07 03 02 06 40 04 01 C1 30 07 03 02 04 10 04 01 C1 30 22 04 20 34 63 33 38 38 64 34 31 38 65 39 37 33 39 66 61 30 31 34 65 62 66 35 61 39 38 64 31 32 31 36 35 A1 08 30 06 30 04 04 02 B0 01 30 74 30 44 0C 22 43 65 72 74 69 66 69 63 61 74 20 41 75 74 68 65 6E 74 69 66 69 63 61 74 69 6F 6E 20 49 47 43 2D 43 41 03 02 06 40 30 1A 30 06 03 02 07 80 05 00 30 07 03 02 06 40 04 01 C1 30 07 03 02 04 10 04 01 C1 30 22 04 20 66 34 62 66 65 35 35 34 64 37 65 39 35 36 31 38 35 39 61 38 31 62 65 65 66 36 62 35 36 39 32 33 A1 08 30 06 30 04 04 02 B0 02 FF FF 90 00
When I translate this response above from Hexa to ASCII (http://www.rapidtables.com/convert/number/hex-to-ascii.htm), I can read the name of my two certificates followed by an incomprehensible string. For example:
First certificate:
Name of certificate : "Certificat Signature IGC-CA"
Incomprehensible string : 4c388d418e9739fa014ebf5a98d12165
Second certificate:
Name of certificate : "Certificat Authentification IGC-CA"
Incomprehensible string : f4bfe554d7e9561859a81beef6b56923
So, with that, I think that is possible to get all the content of my certificate, but how to do this? What informations contains the "Incomprehensible string"?
The response that you received for the certificate directory file is a list of certificates (in DER tag-length-value encoded format). You can decode it based on the ASN.1 notation described in the PKCS #15 specification:
30 6D
-> x509Certificate PKCS15Object SEQUENCE
30 3D
-> commonObjectAttributes CommonObjectAttributes SEQUENCE
0C 1B
-> label Label UTF8String
43 65 72 74 69 66 69 63 61 74 20 53 69 67 6E 61
74 75 72 65 20 49 47 43 2D 43 41
-> "Certificat Signature IGC-CA"
03 02
-> flags CommonObjectFlags BIT STRING
06 40
-> "01------" (private = 0, modifiable = 1)
30 1A
-> accessControlRules SEQUENCE OF AccessControlRule
30 06
-> AccessControlRule SEQUENCE
03 02
-> accessMode AccessMode BIT STRING
07 80
-> "1-------" (read = 1)
05 00
-> SecurityCondition NULL
30 07
-> AccessControlRule SEQUENCE
03 02
-> accessMode AccessMode BIT STRING
06 40
-> "01------" (read = 0, update = 1)
04 01
-> securityCondition.authId Identifier OCTET STRING
C1
30 07
-> AccessControlRule SEQUENCE
03 02
-> accessMode AccessMode BIT STRING
04 10
-> "0001----" (read = 0, update = 0, execute = 0, ??? = 1)
04 01
-> securityCondition.authId Identifier OCTET STRING
C1
30 22
-> classAttributes CommonCertificateAttributes SEQUENCE
04 20
-> iD Identifier OCTET STRING
34 63 33 38 38 64 34 31 38 65 39 37 33 39 66 61
30 31 34 65 62 66 35 61 39 38 64 31 32 31 36 35
}
A1 08
-> typeAttributes [1]
30 06
-> X509CertificateAttributes SEQUENCE
30 04
-> value.indirect.path Path SEQUENCE
04 02
-> path OCTET STRING
B0 01
-> ISO/IEC 7816-4 file identifier "B001"
30 74
-> x509Certificate PKCS15Object SEQUENCE
30 44
-> commonObjectAttributes CommonObjectAttributes SEQUENCE
0C 22
-> label Label UTF8String
43 65 72 74 69 66 69 63 61 74 20 41 75 74 68 65
6E 74 69 66 69 63 61 74 69 6F 6E 20 49 47 43 2D
43 41
-> "Certificat Authentification IGC-CA"
03 02
-> flags CommonObjectFlags BIT STRING
06 40
-> "01------" (private = 0, modifiable = 1)
30 1A
-> accessControlRules SEQUENCE OF AccessControlRule
30 06
-> AccessControlRule SEQUENCE
03 02
-> accessMode AccessMode BIT STRING
07 80
-> "1-------" (read = 1)
05 00
-> SecurityCondition NULL
30 07
-> AccessControlRule SEQUENCE
03 02
-> accessMode AccessMode BIT STRING
06 40
-> "01------" (read = 0, update = 1)
04 01
-> securityCondition.authId Identifier OCTET STRING
C1
30 07
-> AccessControlRule SEQUENCE
03 02
-> accessMode AccessMode BIT STRING
04 10
-> "0001----" (read = 0, update = 0, execute = 0, ??? = 1)
04 01
-> securityCondition.authId Identifier OCTET STRING
C1
30 22
-> classAttributes CommonCertificateAttributes SEQUENCE
04 20
-> iD Identifier OCTET STRING
66 34 62 66 65 35 35 34 64 37 65 39 35 36 31 38
35 39 61 38 31 62 65 65 66 36 62 35 36 39 32 33
A1 08
-> typeAttributes [1]
30 06
-> X509CertificateAttributes SEQUENCE
30 04
-> value.indirect.path Path SEQUENCE
04 02
-> path OCTET STRING
B0 02
-> ISO/IEC 7816-4 file identifier "B002"
So this list gives you the file identifiers of the files that contain the actual certificates as
B001 for the first certificate (named "Certificat Signature IGC-CA"), andB002 for the second certificate (named "Certificat Authentification IGC-CA").You can then SELECT those files:
00 A4 00 0C 02 <FILE ID>
and read the data from the file using the READ BINARY command.