VERIFY-PIN APDU command

Hi,
Does anybody know what is the structure of VERIFY-PIN command?
CLA, INS, P1, P2, Lc, [data], Le

You can look this up in GSM 11.11 (or ISO 7816-4), but here you go:
A0 20 00 P2 08 <8 bytes PIN>
P2:
- '01' CHV1
- '02' CHV2
- joscar

Similar Messages

  • Status 69c2 on Verify APDU command

    Hi,
    I have successfully completed the APDU command new CommandAPDU(0x00, 0x20, 0x00, 0x01, new byte[]{ 0x31, 0x32, 0x33, 0x34, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF } ) for verify with the correct PIN code (1234). I get status 0x9000.
    But when I try with a wrong PIN code I get status response 0x69C2. Why do I get this status instead of 0x63Cx, as ISO7816-4 states? If I get 0x63Cx I can use the last value to calculate how many tries are remaining!
    Besides this, not much information exists for status response 0x69C2. It means "swAccessDenied 69C2 -The required access conditions were not satisfied".
    What am I doing wrong? What to do to get status 0x63Cx if the PIN is wrong?
    Thank you
    Edited by: Valentino on Aug 22, 2012 5:02 AM

    Hi,
    Valentino wrote:
    Is this behavior normal?
    The status word bytes SW1-SW2 are defined by the specification for your card application. What application are you using?
    Maybe a developer of your card application mistakenly used the status word SW1 0x69 instead of 0x63 for the VERIFY command as the status for a wrong PIN code? ;)
    The value x in the status word SW2 0xCx defines the number of attempts remaining.
    So it would be normal for each next wrong PIN-code entered to get the status words: 69C2 -> 69C1 -> 69C0 -> 6983
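
Added example, not part of either post: a host-side helper that builds the VERIFY CHV command from the first answer (A0 20 00 P2 08 plus the PIN padded to 8 bytes with FF) and decodes the status words discussed in this thread before deciding whether another attempt is acceptable. The function names and the one-try reserve are assumptions; reading 69Cx as a retry counter follows the reply above and is card-specific.

```python
from typing import NamedTuple, Optional


def build_verify_chv(pin: str, chv: int = 1, cla: int = 0xA0) -> bytes:
    """GSM 11.11 VERIFY CHV: CLA 20 00 P2 08 <PIN as ASCII digits, FF padded>."""
    if chv not in (1, 2):
        raise ValueError("P2 must be 01 (CHV1) or 02 (CHV2)")
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 8):
        raise ValueError("PIN must be 4 to 8 decimal digits")
    data = pin.encode("ascii").ljust(8, b"\xff")
    return bytes([cla, 0x20, 0x00, chv, len(data)]) + data


class VerifyResult(NamedTuple):
    ok: bool
    tries_left: Optional[int]   # None when the card reports no counter
    meaning: str


def decode_verify_sw(sw1: int, sw2: int) -> VerifyResult:
    """Interpret SW1-SW2 returned by VERIFY."""
    sw = (sw1 << 8) | sw2
    if sw == 0x9000:
        return VerifyResult(True, None, "PIN verified")
    if sw == 0x6983:
        return VerifyResult(False, 0, "authentication method blocked")
    if (sw2 & 0xF0) == 0xC0 and sw1 == 0x63:
        return VerifyResult(False, sw2 & 0x0F, "wrong PIN (ISO 7816-4 63Cx)")
    if (sw2 & 0xF0) == 0xC0 and sw1 == 0x69:
        # Assumption taken from the reply above: this card counts down in 69Cx.
        return VerifyResult(False, sw2 & 0x0F, "wrong PIN (card-specific 69Cx)")
    return VerifyResult(False, None, f"unexpected status {sw:04X}")


def may_retry(result: VerifyResult, reserve: int = 1) -> bool:
    """Allow another attempt only if the card reports more tries than the reserve.

    An unknown counter (None) is treated as 'do not retry automatically',
    so a script never blocks a card by looping on an unrecognised status.
    """
    if result.ok or result.tries_left is None:
        return False
    return result.tries_left > reserve


if __name__ == "__main__":
    print(build_verify_chv("1234").hex(" ").upper())
    for sw in ((0x90, 0x00), (0x63, 0xC2), (0x69, 0xC2), (0x69, 0xC1), (0x69, 0x83)):
        r = decode_verify_sw(*sw)
        print(f"{sw[0]:02X}{sw[1]:02X}", r, "retry:", may_retry(r))
```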

  • APDU commands for Globalplatform card

    Hi,
    I'm trying to develop embedded software that talks to an Oberthur Cosmo 64 card via low level APDU commands. I've looked at the Globalplatform 2.1.1 specs as well as the cosmo 64 technical brief, but it seems that there are only a few APDU commands. I've only worked with native cards before this, and native cards seem to have a lot more commands. For example, I can't even find a "Get Challenge" command nor any kind of authentication/key generation/pin verification commands.
    Would like to know how I can get started just sending simple APDU commands for key generation, challenge-response, authentication, etc?

    galapogos wrote:
    Well I only see 10 commands under Part IV (APDU Command Reference) of the GPP 2.1.1 specs.
    However when I see Appendix D I realize there's actually an initialize update and external authenticate APDU command, neither of which are found in Part IV.
    Yes, the commands for the secure channel protocol are located in the Appendices. One can argue whether these commands should be listed in the APDU Command Reference, but the GP Committee wanted to make it as flexible as possible in case another SCP is added, with different commands.
    From what I've read so far in Appendices D/E, it seems that the difference is that
    1) SCP01 supports mutual auth while for SCP02, only the card auths the host, with an option for the reverse.
    2) For SCP01, card ensures host is genuine, but no mention of the reverse to be true. For SCP02, both host and card must be ensured to be genuine.
    3) For SCP01, data from host to card is not susceptible to sniffing (encryption?), but no mention of the reverse to be true. For SCP02, both directions are not susceptible to sniffing.
    You are referencing the R-MAC option. It is only present in SCP02. There is no encryption from the card side (something like R-ENCRYPTION); you would need to handle this in your Applet. Be aware that R-MAC is optional, depending on the security policy of the issuer. For example in JCOP, only C-MAC and C-DECRYPTION are supported. Other differences between SCP01 and SCP02:
    - The DEK in SCP02 is a session key, and in SCP01 it is static
    - The INITIALIZE UPDATE command is different regarding the P2 parameter and the structure of the response
    In the latest version of GP 2.2 SCP01 is deprecated.
    Seems like other than the initial authentication, SCP02 is always more secure than SCP01?
    I would only conclude this if R-MAC is supported in SCP02.
    Also, where can I find Java Card 2.2.1/2.2.2 specs? I'm not interested in using the API since I'm developing embedded firmware, so I need to talk to the card directly via APDU commands.
    http://java.sun.com/products/javacard/specs.html

  • 'Get Response' APDU command in a script for apdutool

    Dear all,
    I'm facing some problems with apdutool (javacard 2.2.2 distribution) in executing the 'Get Response' command.
    In fact its syntax differs from the one specified for other APDU commands accepted by apdutool, as Lc is replaced by the expected response length, i.e. by Le.
    I tried inserting a fake P3 (Lc), but I always get ParseException errors.
    All previous commands in the script are properly executed, including the one for which the subsequent 'Get Response' is tried. In particular, the SW2 byte returned by the latter command contains the right expected length.
    I'm working with T0 algorithm and non-extended mode is specified in the APDU script.
    Thank you very much to anyone who could help.
    Best regards
    Marco

    Hi,
    You could ensure that both of the text fields are not empty on your 'dashboard' before executing the FS00 tcode. This would negate the popup from ever appearing.
    To do this you can use the "IF <text field control ID> Is Empty" statement in your script and then output a custom error message to another text box if the condition is true. then use an "IF <text field control ID> Is NOT Empty" statement to copy the value/s execute the FS00 tcode if the condition is true.
    Now if you're going to check multiple fields for entries before executing the FS00 you'll have to get a little more creative and do something like I did in one my scripts (thanks again to Steve Rumsby for the tips) and create a 'check field' where you can enter values for items checked successfully and then use a little bit of javascript to count up the checks and check the result before executing the next part of the script.
    Another idea is to check for the existence of the popup and navigate past it in your script, to do this you can use the "IF <control ID> control exists" statement.
    Either one should work.

  • What is the data associated with the APDU commands

    hi,
    Please guide me on what data should be associated with the command APDU.
    for eg. we send 00 a4 04 00 for the select command followed by the AID.
    Similarly what should be sent as a data (eg. AID in case of SELECT) with following APDU commands::::
    LOAD,, InItUPDATE,, External Authentication,, Install
    regards,,
    PhadkeA

    I have the book Javacard technology for smartcards by Zhiqun Chen so
    I'll try to help you. About the install command, its syntax is:
    install(byte[] bArray,short bOffset,byte bLength)
    The bArray contains the installation parameters, but from what I read in
    the book they are optional. From the example of the book it seems
    that generally they are some initialization values for the variables of
    the applet.
    I didn't find any info about the other commands that you mention. Sorry!

  • Apdu command length

    Hi
    I want to get the length of the entire command in my applet.
    I want to know "5" for the following example.
    /send 8084000000
    Is there such API?

    A command parser in the process method can be something like this:
    // Constants used as case labels must be final
    final byte MY_CLA = (byte)0x80;
    final byte MY_INS = (byte)0x84;
    // get the APDU buffer bytes (get header first)
    byte[] apduBuffer = apdu.getBuffer();
    // Checking CLA values
    switch(apduBuffer[ISO7816.OFFSET_CLA]){
      case MY_CLA:
        // For a given CLA value, checking INS values
        switch(apduBuffer[ISO7816.OFFSET_INS]){
          case MY_INS:
            // For a given INS value, checking P1, P2, P3 for example:
            if((apduBuffer[ISO7816.OFFSET_P1] != (byte)0x00) || (apduBuffer[ISO7816.OFFSET_P2] != (byte)0x00))
               ISOException.throwIt(ISO7816.SW_INCORRECT_P1P2);
            if(apduBuffer[ISO7816.OFFSET_LC] != (byte)0x08)
               ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
            // After the command format checking, I can continue the processing that my command is supposed to do
          break;
          default:
            // Throw iso exception: bad instruction byte value
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
          break;
        } // end of the INS switch
      break;
      default:
        // Throw iso exception: bad class byte value
        ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
      break;
    }
    This example is for a case 3 APDU command.
    If your command is a case 2, you will need to get Le by invoking setOutgoing() method and checking the expected value of Le.
    Thomas
    http://jaccal.sourceforge.net/
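
Added example, not from the thread or from any toolkit named here: a host-side parser that splits a short (non-extended) command APDU into CLA, INS, P1, P2, Lc data and Le, reports which of the four ISO 7816-4 cases it is, and gives the total command length the question asks about. The class and function names are assumptions; the sample commands are the ones quoted on this page, plus a GET RESPONSE built from the 61 1B status in the GemSafe trace.

```python
from typing import NamedTuple, Optional


class ShortApdu(NamedTuple):
    case: int            # 1: header only, 2: Le, 3: Lc+data, 4: Lc+data+Le
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes
    le: Optional[int]    # expected response length, None when absent
    total_len: int       # length of the whole command in bytes


def parse_short_apdu(hex_str: str) -> ShortApdu:
    raw = bytes.fromhex(hex_str)          # spaces between bytes are accepted
    n = len(raw)
    if n < 4:
        raise ValueError(f"{n} byte(s): the CLA INS P1 P2 header is mandatory")
    cla, ins, p1, p2 = raw[:4]
    if n == 4:
        return ShortApdu(1, cla, ins, p1, p2, b"", None, n)
    p3 = raw[4]
    if n == 5:
        # Case 2: P3 is Le, and 00 asks for the maximum of 256 bytes.
        return ShortApdu(2, cla, ins, p1, p2, b"", p3 or 256, n)
    if p3 == 0:
        raise ValueError("P3 = 00 with more bytes following: extended length, not handled")
    data = raw[5:5 + p3]
    if n == 5 + p3:
        return ShortApdu(3, cla, ins, p1, p2, data, None, n)
    if n == 6 + p3:
        return ShortApdu(4, cla, ins, p1, p2, data, raw[-1] or 256, n)
    raise ValueError(f"Lc = {p3} does not match {n - 5} byte(s) after the header")


# Commands quoted in the threads on this page (GET RESPONSE is constructed).
SAMPLES = {
    "length question": "8084000000",
    "VERIFY CHV1": "A0 20 00 01 08 31 32 33 34 FF FF FF FF",
    "GET RESPONSE": "00 C0 00 00 1B",
    "DELETE": "80 E4 00 00 0E 4F 0C A0 00 00 00 18 0A 00 00 01 63 42 00 00",
    "one-byte /send": "01",
}


def classify_samples() -> dict:
    """Return {name: 'case N, M bytes'} or the reason the command is rejected."""
    out = {}
    for name, text in SAMPLES.items():
        try:
            apdu = parse_short_apdu(text)
            out[name] = f"case {apdu.case}, {apdu.total_len} bytes"
        except ValueError as exc:
            out[name] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:16} {verdict}")
```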

  • APDU command chaining

    Hello, I am sending some byte array by portions of 255 bytes to my on-card Applet using a sequence of APDU command-response operations. I just wanted to know, in case there is any possibility to make on-side chaining: send some sequence of APDU commands and receive only one response from the applet after the last portion of data received.
    Best regards,
    Eve

    According to ISO 7816-4 the chaining possibilities are
    - Extended APDU --> up to 65k data field
    - Command chaining --> ICCD responds after each APDU
    Your requirement would fit only to extended APDU. Java Card adopts only a certain class of the APDU structure from ISO 7816-4, which does not allow extended APDU: JC 2.2.1 API, javacard.framework.APDU (p. 44) ..
    This class does not support extended length fields.
    ..This is one of the reasons it won't work with a card compliant to Java Card. The other reason is the fixed constants for the ISO7816 interface (e.g. javacard.framework.ISO7816.OFFSET_CDATA, which is 5 --> extended length field not possible).

  • "GemSafeXpresso Card returns "6D 00" for most of APDU commands"

    Hi everyone,
    I am confused by the GemSafeXpresso smart card. The GemSafeXpresso card can be authenticated with CardManager, but I cannot delete the instance of the applet with the GlobalPlatform Delete APDU command; it returns "6D 00".
    Below you can find what happened on my card:
    At first, I installed the GemSafe V2.04 applet that is placed in the ROM of the card, I mean I created an instance of the GemSafe applet with the "A0 00 00 00 18 0A 00 00 01 63 42 00" ID successfully. After that I selected the GemSafe applet and Root and then I created some EFs under root, but now I cannot delete the instance of the applet that I have created. The card returns "6D 00". I can authenticate with CardManager but I cannot delete, create or install, ...
    I should say, at first I installed and deleted the instance several times, but I cannot do so now. I would like to know the reason for this problem.
    I appreciate for any help,
    Yours sincerely,
    Orchid

    Dear lexdabear,
    Thanks a lot for your reply.
    Gemalto has written the GemSafe applet and has loaded it in the ROM of the GemSafeXpresso card, but I can just install it and make an instance of it on the card, so I do not have the source of the applet.
    Below you can find the APDU commands for install, delete, ...
    Authenticate
    key file: C:\GemXpressoJCardManager\keyfiles\jc2.2.1 - gp2.1.1\default.keys
    key set 0 (Card Defined)
    Select the CardManager
    -> 00 A4 04 00 08 A0 00 00 00 18 43 4D 00
    <- 61 1B [Normal ending of the command with <27> bytes of extra information.]
    Initialize Update
    80 50 00 01 08 00 01 02 03 04 05 06 07 (00)
    4D 00 72 38 02 04 7D 89 0C 77 FF 01 D2 89 12 21 AA 07 FE 36 07 F0 51 9F 2D D1 88 10, 90 00 [Normal ending of the command.]
    Card info KeySet=-1
    (SCP 01,implementation i05)
    External Authenticate
    84 82 00 00 10 01 93 6B 90 77 1F 72 F7 A4 6F 6D 63 B5 D3 0D AF
    90 00 [Normal ending of the command.]
    1) Install for Install
    80 E6 04 00 44 10 A0 00 00 00 18 30 08 01 00 00 00 00 00 00 00 FF 10 A0 00 00 00 18 30 08 01 00 00 00 00 00 00 00 00 0C A0 00 00 00 18 0A 00 00 01 63 42 00 01 00 11 C9 0F DF 0A 06 02 0F 00 01 0C 01 DF 0B 03 06 E1 E1 00 (00)
    00, 90 00 [Normal ending of the command.]
    2) Install for Make Selectable
    80 E6 08 00 13 00 00 0C A0 00 00 00 18 0A 00 00 01 63 42 00 01 00 00 00 (00)
    00, 90 00 [Normal ending of the command.]
    3) Select Applet
    00 A4 04 00 0C A0 00 00 00 18 0A 00 00 01 63 42 00 (10)
    90 00 [Normal ending of the command.]
    4) Select Root
    00 A4 00 00 02 3F 00 (30)
    6F 17 83 02 3F 00 8C 03 06 E1 E1 84 0C A0 00 00 00 18 0C 00 00 01 63 42 00, 90 00 [Normal ending of the command.]
    5) Create EF SN-0001
    00 E0 00 00 15 62 13 81 02 00 08 82 01 01 83 02 00 01 8A 01 01 8C 03 03 FF 00
    90 00 [Normal ending of the command.]
    6) Authenticate
    key file: C:\GemXpressoJCardManager\keyfiles\jc2.2.1 - gp2.1.1\default.keys
    Select the CardManager
    -> 00 A4 04 00 08 A0 00 00 00 18 43 4D 00
    <- 61 1B [Normal ending of the command with <27> bytes of extra information.]
    key set 0 (Card Defined)
    Initialize Update
    -> 80 50 00 01 08 00 01 02 03 04 05 06 07 (00)
    <- 4D 00 72 38 02 04 7C 89 0C 77 FF 01 6A E1 C6 FD AB 43 12 E1 18 CC 97 8C 3A B2 25 29, 90 00 [Normal ending of the command.]
    Card info KeySet=-1
    (SCP 01,implementation i05)
    External Authenticate
    -> 84 82 00 00 10 6B AD 05 2C 70 42 67 01 C5 53 31 90 1B 50 15 10
    <- 90 00 [Normal ending of the command.]
    7) Delete instance of applet
    -> 80 E4 00 00 0E 4F 0C A0 00 00 00 18 0A 00 00 01 63 42 00 (00)
    [ERROR  ] <- 6D 00
    [ERROR  ] <- Invalid instruction.
    Thanks in advance for your help.
    yours sincerely,
    Orchid
    Edited by: NewOrchid on May 8, 2008 7:40 AM

  • Issuing apdu commands

    I am experiencing problems running the demos that come with the Java Card kit such as the wallet and javapurse. I am able to run the apdutool utility with the specified script file as input without any problems. But does it just end there? I thought it was possible for me to key in specific commands for crediting or debiting electronic cash in the wallet applet, for example. My question is: once I generate the output file, how do I proceed from there, so that finally I can send specific APDU commands to the sample applets? I would appreciate help soon so that I can apply it in a project I am undertaking.


  • APDU Commands - How they work ?

    Hi,
    I am all new to JavaCard programming and wanted to understand some basics. The APDU commands (CLA, INS, P1, P2, ...): are they reserved commands (as in reserved words)? If so, how do I get a listing of them?
    Eg. I am looking into one of the programs which have the following few lines,
    SetLength(DataToSend, 13);
    DataToSend[0] := $88;
    DataToSend[1] := $10;
    DataToSend[2] := $11;
    DataToSend[3] := $00;
    DataToSend[4] := $08;
    DataToSend[5] := $F9;
    DataToSend[6] := $FD;
    DataToSend[7] := $CE;
    DataToSend[8] := $8B;
    DataToSend[9] := $F6;
    DataToSend[10] := $F4;
    DataToSend[11] := $14;
    DataToSend[12] := $E0;
    FSCard.SendCustomAPDU(DataToSend, ReceiveBuffer);
    I believe the above writes info. to the card.
    If Yes, how do I retrieve the same from the card?
    If No, then what does the instruction stand for?
    Appreciate your help ....

    Hi,
    I am trying to write sample code that writes data to the card using XOR, converts it back in the applet to the original string and retrieves it. The return value is still the XOR value and not the original I sent. Please let me know what I am doing wrong here?
    WRITING DATA:
    CLIENT PROGRAM:
    SetLength(DataToSend, 9);
    DataToSend[0] := $88;
    DataToSend[1] := $10;
    DataToSend[2] := $9A;
    DataToSend[3] := $00;
    DataToSend[4] := $4;
    DataToSend[5] := $A;
    DataToSend[6] := $B;
    DataToSend[7] := $C;
    DataToSend[8] := $D;
    DataToSend[5] := DataToSend[5] XOR DataToSend[6];
    DataToSend[6] := DataToSend[6] XOR DataToSend[7];
    DataToSend[7] := DataToSend[7] XOR DataToSend[8];
    DataToSend[8] := DataToSend[8] XOR DataToSend[5];
    FSCard.SendCustomAPDU(DataToSend, ReceiveBuffer);
    APPLET CALLS THIS PROCEDURE:
    private void SetStringSec5(APDU apdu) {
        byte buffer[] = apdu.getBuffer();
        byte size = (byte)(apdu.setIncomingAndReceive());
        byte index;
        byte indexsn;
        indexsn = 0;
        // Store the length of the string and the string itself
        TheBuffer[80] = size;
        for (index = 80; index < (byte)(81+(int)(size)); index++) {
            TheBuffer[(byte)(index + 1)] = buffer[(byte)(ISO7816.OFFSET_CDATA + indexsn)];
            indexsn++;
        }
        CalcSri();
        apdu.setOutgoing();
        apdu.setOutgoingLength((short)size);
        apdu.sendBytesLong(TheBuffer,(short)0,(short)size);
        return;
    }
    private void CalcSri() {
        TheBuffer[(byte)(8)]=(byte)(((int)(TheBuffer[(byte)(5)])) ^ ((int)(TheBuffer[(byte)(8)])));
        TheBuffer[(byte)(7)]=(byte)(((int)(TheBuffer[(byte)(8)])) ^ ((int)(TheBuffer[(byte)(7)])));
        TheBuffer[(byte)(6)]=(byte)(((int)(TheBuffer[(byte)(7)])) ^ ((int)(TheBuffer[(byte)(6)])));
        TheBuffer[(byte)(5)]=(byte)(((int)(TheBuffer[(byte)(6)])) ^ ((int)(TheBuffer[(byte)(5)])));
        return;
    }
    READING DATA:
    CLIENT PROGRAM :
    //Get string from the card
    SetLength(DataToSend, 5);
    DataToSend[0] := $88;
    DataToSend[1] := $10;
    DataToSend[2] := $BE;
    DataToSend[3] := $00;
    DataToSend[4] := $4;
    FSCard.SendCustomAPDU(DataToSend, ReceiveBuffer);
    APPLET CODE CALLING THE PROCEDURE:
    private void GetStr(APDU apdu) {
        byte buffer[] = apdu.getBuffer();
        byte numBytes = buffer[ISO7816.OFFSET_LC];
        apdu.setOutgoing();
        apdu.setOutgoingLength(numBytes);
        byte index;
        byte indexsn;
        indexsn = 0;
        // Copy the stored bytes into the APDU buffer
        for (index = 80; index <= (byte)(80+(int)(numBytes)); index++) {
            buffer[(byte)(indexsn)] = TheBuffer[(byte)(index + 1)];
            indexsn++;
        }
        apdu.sendBytesLong(buffer,(short)0,(short)numBytes);
        return;
    }

  • How can i use the c-mac in the apdu command

    I work with a JCOP31 card, JCOP tools and eclipse 2.1. With the JCOP shell's commands, I pass the initial-update and the ext-auth, but at that time I couldn't do MAC with my command APDU (security status not satisfied!!), because during the external authentication, the P1 parameter is set to 00 by the JCOP shell tools (ext-auth ${EA_OPTS}
    => 84 82 00 00 10 A1 6A 8D 3C 05 A3 8F 9A 49 AF 43
    34 39 B2 8E 94
    (31 msec)
    <= 90 00
    ), then if I want to use C-MAC with the following APDU, what should I do???
    Any help will be appreciated. Thanks!!!!

    I assume you are using a real card, and not a JCOP simulation. In the launch configuration, there's an option to set that the CardManager is in SECURED lifecycle state. (Run > Run, if "Card Reader" is selected as target, there's a "Card Type" tab; check the "SECURED" check box at the bottom.)

  • URPF (ip verify unicast reachable) command not found on Cat3550

    Hello,
    I can't find "ip verify unicast ~~" command on cat3550 with 12.1(22)EA1a.
    Os code name is c3550-i5q3l2-mz.121-22.EA1a.
    but i found that command on Cat3550 with 12.1(11)EA1, it's code name is c3550-i5q3l2-mz.121-11.EA1.
    Cisco do not support higher version?
    Regard,
    John.

    Hi John,
    uRPF has never been supported on the 3550. The hardware cannot perform the function. The command was included in the CLI in older versions, but was eventually removed to prevent confusion.
    HTH,
    Bobby
    *Please rate helpful posts.

  • Perform APDU Command

    Hi all.
    I have a question for you. When you try to execute the Perform APDU proactive command you must indicate the card number. My question is whether it is possible for the card to send an APDU to itself. If it is possible, what card number should we put in the APDU? Maybe 0?
    Regards

    What is a proactive command ?
    Information concerning a card number would be contained in the ATR, such as the burn date, historical data, etc.

  • How handle short "apdu" command ?

    Hi,
    I'm currently working on a project where I have to develop an applet to answer some specific commands.
    But some of these commands are only 2 bytes long and consequently don't match the APDU ISO schema (4 bytes mandatory).
    So the answer I obtain from the applet is only an error (6881) and I'm wondering if there is a way to do handle short commands.
    Nico

    To describe a little more my problem :
    cm>  /send 00
    => 00                                                 .
    (680533 nsec)
    <= 00 00 00 00 00 90 00                               .......
    Status: No Error
    cm>  /send 01
    => 01                                                 .
    (419327 nsec)
    <= 68 81                                              h.
    Status: 0x6881
    cm>  /send A0
    => A0                                                 .
    (554260 nsec)
    <= 6D 00                                              m.
    Status: INS value not supported
    Indeed, I don't understand why, with some bytes, it works, such as 0x00 or 0xA0, and with others it doesn't (0x01).
    Have you any idea how make it work ?

  • OT: PIN VERIFY, PIN BLOCK formats ISO-1/ISO-3 reference ?

    Slightly Off topic.
    Does anyone have a reference for ISO-1/ISO-3 PIN block formats, and maybe DUKPT too? I am familiar with ISO-0 X9.8, but have marginal information about ISO-1/ISO-3 so am looking for a point of reference.
    I am looking to allow a JCOP10 to verify an encrypted PIN directly from a PIN PAD device.
    Or does anyone know of a better forum to post this request into?
    Thanks,

    ISO 1:
    1LPPPPrrrrrrrrRR
    (each char a nibble)
    L = 4 to 12
    P = 0 to 9 (pin digit)
    r = R or P
    R = Random value added but not known
    No account code is XORed with the value.
    Support DES or 3DES keys.
    ISO 3:
    Same format as the above except leading nibble is 3.
    Also the account code is XORed with the pin block, like ISO 0.
    3DES keys only.
    Both protocols are designed to be decrypted first, then ISO 2 is XORed with account code. Then the resultant pin block from both is in the format above. The added randomness does not matter since the length nibbles tells us how long the PIN is. The added randomness just introduces variation into the resultant PIN block encrypted result.
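
Added example, not part of the answer above: the clear (unencrypted) ISO format 1 and format 3 PIN blocks built and decoded nibble by nibble, following the 1LPPPPrrrrrrrrRR layout given in the post. Function names and the sample account numbers are constructed; the format 3 details used here (fill nibbles drawn from A to F, account field of 0000 plus the 12 rightmost account digits without the check digit) come from ISO 9564-1, and the DES/3DES encryption of the block is left out.

```python
import secrets
from typing import Optional


def _check_pin(pin: str) -> None:
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")


def _fill(count: int, alphabet: str) -> str:
    return "".join(secrets.choice(alphabet) for _ in range(count))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pan_field(pan: str) -> bytes:
    """0000 followed by the 12 rightmost account digits, check digit excluded."""
    if not (pan.isascii() and pan.isdigit() and len(pan) >= 13):
        raise ValueError("account number must be at least 13 decimal digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])


def iso1_block(pin: str) -> bytes:
    """Format 1: '1', length nibble, PIN digits, random fill; no account XOR."""
    _check_pin(pin)
    head = f"1{len(pin):X}{pin}"
    return bytes.fromhex(head + _fill(16 - len(head), "0123456789ABCDEF"))


def iso3_block(pin: str, pan: str) -> bytes:
    """Format 3: '3', length nibble, PIN digits, A-F fill, XORed with the account field."""
    _check_pin(pin)
    head = f"3{len(pin):X}{pin}"
    clear = bytes.fromhex(head + _fill(16 - len(head), "ABCDEF"))
    return _xor(clear, pan_field(pan))


def decode_block(block: bytes, pan: Optional[str] = None) -> str:
    """Recover the PIN from a clear format 1 or format 3 block."""
    if len(block) != 8:
        raise ValueError("a PIN block is 8 bytes")
    # The first account-field byte is 00, so the format nibble survives the XOR.
    fmt = block[0] >> 4
    if fmt == 3:
        if pan is None:
            raise ValueError("format 3 needs the account number")
        block = _xor(block, pan_field(pan))
    elif fmt != 1:
        raise ValueError(f"unsupported format nibble {fmt:X}")
    nib = block.hex()
    length = int(nib[1], 16)
    pin, fill = nib[2:2 + length], nib[2 + length:]
    if not 4 <= length <= 12 or not pin.isdigit():
        raise ValueError("not a valid PIN block (wrong key or account number?)")
    if fmt == 3 and not set(fill) <= set("abcdef"):
        raise ValueError("format 3 fill is not A-F (wrong key or account number?)")
    return pin


if __name__ == "__main__":
    PAN = "5432101234567891"   # constructed sample account number
    print(iso1_block("1234").hex().upper())
    print(iso3_block("1234", PAN).hex().upper())
```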
