According to GlobalPlatform Secure Channel Protocol '03' Card Specification v2.3 – amendment DVersion 1.1.2, I am trying to verify the cryptogram I received from eUICC in order to establish an SCP03 to the target ISD-P. I can generate manually and verify the card challenge, but I cannot generate card cryptogram. What am I missing?
Host challenge: AF6B2B0E174BA140
Card challenge: E7359F8EEC577E51
Card cryptogram: 86B91FBEA0E67D33
Sequence Number: 000007
keyMAC = keyENC = AA75D7A83CF20FE79C606FF1B7E2CEB4
L = 0040
derviationConstant = 00
Label = 11 x '00' + derviationConstant
context = host challenge + card challenge
input data for CMAC = Label + '00' + L + '01' + context
S-MAC = CMAC('00000000000000000000000600008001AF6B2B0E174BA140E7359F8EEC577E51', keyENC)
(which is S-MAC: D8CA1E32C16EC4528E4BAC561F029DE3)
cardCryptogram = CMAC('00000000000000000000000000004001AF6B2B0E174BA140E7359F8EEC577E51', S-MAC)
(which gives EE97D403A7508CF2D6D0E6002C0FE126 that its 8 most left bytes are not as same as what I got from the eUICC)
I verified the cryptogram. According to the eUICC's burning template, I thought keyENC and keyMAC are the same. On the other hand, in the extracting of static keys based on the X9.63 method, I was setting the length to 32 (16 bytes for receipt verification, and the rest keyENC and keyMAC). I set the length to 48, got the keyMAC, generated the S-MAC from keyMAC, and CMAC(fixedInputData, S-MAC) == cardCryptogram.