Tags: smartcard, apdu, smartcard-reader, eid

Trying to read data from National eID (T=0) using ICAO 9303 BAC


I've been trying to read data from my National eID using an ACS ACR1281 1S Dual Reader ICC. It requires Basic Access Control (BAC) authentication. I'm able to authenticate properly, but I'm getting an error when I try to Select EF.COM (01 1E) using secure messaging, following the specification in ICAO Doc 9303 Part 11.

Below is the APDU command I'm sending:

Select EF.COM

// Send APDU
00 A4 02 0C 02 01 1E 00 
// APDU Response
90 00

a) Mask class byte and pad command header:
 CmdHeader = ‘0CA4020C80000000’
b) Pad data:
 Data = ‘011E800000000000’
c) Encrypt data with KSEnc:
 EncryptedData = ‘6375432908C044F6’
d) Build DO‘87’:
 DO87 = ‘8709016375432908C044F6’
e) Concatenate CmdHeader and DO‘87’:
 M = ‘0CA4020C800000008709016375432908C044F6’
f) Compute MAC of M:
    i) Increment SSC with 1:
    SSC = ‘887022120C06C227’
    ii) Concatenate SSC and M and add padding:
    N = ‘887022120C06C2270CA4020C800000008709016375432908C044F68000000000’
    iii) Compute MAC over N with KSMAC:
    CC = ‘BF8B92D635FF24F8’
g) Build DO‘8E’:
 DO8E = ‘8E08BF8B92D635FF24F8’
h) Construct and send protected APDU:
 ProtectedAPDU = ‘0CA4020C158709016375432908C044F68E08BF8B92D635FF24F800’

// Send APDU
00 A4 02 0C 15 87 09 01 7C 76 3C 70 98 06 45 BD 8E 08 20 42 68 2C D0 BE 14 A0 00
// APDU Response
6A 87

KsEnc and KsMac are the session keys computed after EXTERNAL AUTHENTICATE (0x82). But I keep getting 6A 87 (Lc inconsistent with P1-P2) as feedback. I'm using the PCSC 5.0.0 library to talk to the card (ICC). I'm not sure what I'm missing; kindly help.


Solution

Henry, from your latest comment to @guidot it looks like you send the SELECT EF.COM twice? First without Secure Messaging, which will destroy your trusted channel established with BAC, followed by the secured APDU, which then tries to use the session keys / trusted channel that no longer exists.