jpos / jPOS

jPOS Project
http://jpos.org
GNU Affero General Public License v3.0

Help validate ARQC using JCESecurityModule #573

Closed T-eli closed 7 months ago

T-eli commented 7 months ago

Hello, I am trying to use the jPOS Security Module to validate a cryptogram sent from an EMV card (CPA); however, it keeps returning false.

Initialize the SMAdapter and encrypt the key under the LMK:

import org.jpos.iso.ISOUtil;
import org.jpos.security.CipherMode;
import org.jpos.security.SecureDESKey;
import org.jpos.security.jceadapter.JCESecurityModule;
import static org.jpos.security.SMAdapter.*;

byte[] decoded = ISOUtil.hex2byte("00112233445566778899AABBCCDDEEFF");  // Issuer Master Key used for derivation (16 bytes), in clear
JCESecurityModule sm = new JCESecurityModule();
sm.setConfiguration(cfg);  // cfg carries the lmk / rebuildlmk / provider properties listed below

// key-encrypting key generated under the LMK, used only to wrap the clear IMK
SecureDESKey kek = sm.generateKey((short) 64, TYPE_RSA_PK);

// wrap the clear IMK under the KEK (ECB mode, all-zero IV argument)
final byte[] encoded = sm.encryptData(CipherMode.ECB, kek, decoded, new byte[8]);

// import the wrapped IMK as a TYPE_MK_AC key; from here on it is held encrypted under the LMK
SecureDESKey sec_key = sm.importKey((short) 128, TYPE_MK_AC, encoded, kek, false);

cfg:

<property name="lmk" value="./LMK" />
<property name="rebuildlmk" value="true" />
<property name="provider" value="org.bouncycastle.jce.provider.BouncyCastleProvider"/>

ARQC verification code:

import org.jpos.security.MKDMethod;
import org.jpos.security.SKDMethod;

boolean result = sm.verifyARQC(
        MKDMethod.OPTION_A,                      // master key derivation from PAN + PAN sequence number
        SKDMethod.EMV_CSKD,                      // EMV common session key derivation
        sec_key,                                 // IMK_AC imported above
        PAN,                                     // 1234567890123456
        PANSeq,                                  // 01
        APPLICATION_CRYPTOGRAM_0x9F26,           // ARQC reported by the card
        APPLICATION_TRANSACTION_COUNTER_0x9F36,  // ATC
        UNPREDICTABLE_NUMBER_0x9F37,             // UN
        ISOUtil.hex2byte(transaction_data)       // data the card MACed
);

result:

cryptogram generated does not match the card cryptogram

Notes:

What I tried:

Question:

What should the transaction data format be?

Any help is really appreciated. Thanks.

alcarraz commented 7 months ago

This seems to be a question for https://groups.google.com/g/jpos-users, please continue there.

Anyway, are you rebuilding the LMK every time? That's what your cfg suggests.

If that’s the case, how are you importing the sec_key?

But please continue this in the mailing list and not here, because it doesn't seem to be a jPOS issue.

rainer010 commented 7 months ago

You can find some examples of transaction_data generation here:

https://github.com/jpos/jPOS/tree/master/jpos/src/test/java/org/jpos/emv/cryptogram

This way you could validate a cryptogram (Visa or MC), maybe this example will help you:


ISOMsg request = ...;
TLVList tlv = parse(request.get(55));                                   // EMV data from DE 55
IssuerApplicationData iad = new IssuerApplicationData(tlv.getString(0x9f10));
CryptogramSpec spc = iad.getCryptogramSpec();                           // MKD/SKD methods and data layout for the card's CVN
CryptogramDataBuilder dataBuilder = spc.getDataBuilder();

boolean isValid = hsm.validateARQC(
        spc.getMKDMethod(),
        spc.getSKDMethod(),
        ...,                                                            // IMK_AC, PAN, PSN, ARQC, ATC, UN
        ISOUtil.hex2byte(dataBuilder.buildARQCRequest(tlv, iad)));

Note: If you use JCESecurityModule you must add padding to the transaction data, for example for Visa CVN18: ISOUtil.hex2byte(dataBuilder.buildARQCRequest(tlv, iad) + "80000000");

Assuming the keys are correct, the error could be that transaction_data is invalid or missing padding.

T-eli commented 7 months ago

@rainer010 thanks for the example. I did not know there was a cryptogram builder interface that I could use.

Unfortunately there is no EMV CPA (Common Payment Application) implementation, which is the card I am using for this test.

T-eli commented 7 months ago

Apologies @alcarraz, I needed help and didn't know where else to post. I will be closing this issue with this comment.

Anyway, are you rebuilding the LMK every time? That's what your cfg suggests.

This is just a testing scenario I am using to verify the cryptogram.

If that's the case, how are you importing the sec_key?

For now I am just entering it in the clear, as you can see in the first code block, because I am using a test card.
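As an added example that is not part of this thread or of jPOS itself: the padding from rainer010's note generalized (a single 0x80 followed by 0x00 up to a multiple of 8 bytes, which yields exactly "80000000" when the block is four bytes short of a multiple of 8 and a different number of zeros otherwise), a minimal builder that concatenates tag values in a caller-chosen order for a card such as the CPA one that has no CryptogramDataBuilder in jPOS, and the verifyARQC call with the same OPTION_A / EMV_CSKD settings as the issue. The PAN, IMK, tag values and ARQC are constructed test data; the tag order used is the EMV Book 2 minimum data set, and whether a given card's CVN adds further elements (for instance bytes of the IAD) has to be taken from that card's specification, not from this code; formKEYfromClearComponents is assumed from the SMAdapter API as the way to load a clear test key.

```java
import java.io.ByteArrayOutputStream;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

import org.jpos.core.SimpleConfiguration;
import org.jpos.iso.ISOUtil;
import org.jpos.security.MKDMethod;
import org.jpos.security.SKDMethod;
import org.jpos.security.SMAdapter;
import org.jpos.security.SecureDESKey;
import org.jpos.security.jceadapter.JCESecurityModule;

/**
 * Added example, not jPOS code: assemble the ARQC input for a card that has no
 * CryptogramDataBuilder in jPOS, pad it the way JCESecurityModule expects, and
 * call verifyARQC. All tag values and the IMK below are constructed test data.
 */
public class ArqcCheck {

    /** ISO/IEC 9797-1 padding method 2: one 0x80 byte, then 0x00 up to a multiple of 8 bytes. */
    public static byte[] pad(byte[] data) {
        byte[] out = new byte[(data.length / 8 + 1) * 8]; // at least one padding byte is always added
        System.arraycopy(data, 0, out, 0, data.length);
        out[data.length] = (byte) 0x80;                    // the rest of 'out' is already 0x00
        return out;
    }

    /**
     * Concatenate the hex values of the given tags in insertion order. The caller
     * decides the order; the card specification, not this code, defines which
     * elements (and which IAD bytes, if any) the card's CVN covers.
     */
    public static byte[] transactionData(Map<String, String> tagsInMacOrder) {
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        for (String hex : tagsInMacOrder.values()) {
            byte[] v = ISOUtil.hex2byte(hex);
            bout.write(v, 0, v.length);
        }
        return bout.toByteArray();
    }

    /** Verify an ARQC with the derivation options used in the issue (OPTION_A, EMV_CSKD). */
    public static boolean verify(SMAdapter sm, SecureDESKey imkac, String pan, String psn,
                                 byte[] arqc, Map<String, String> tagsInMacOrder) throws Exception {
        byte[] transData = pad(transactionData(tagsInMacOrder)); // padded here: JCESecurityModule does not pad
        return sm.verifyARQC(
                MKDMethod.OPTION_A,                           // MK_AC derived from PAN and PAN sequence number
                SKDMethod.EMV_CSKD,                           // session key derived from the ATC
                imkac,
                pan, psn,
                arqc,                                         // 9F26 as reported by the card
                ISOUtil.hex2byte(tagsInMacOrder.get("9F36")), // ATC
                ISOUtil.hex2byte(tagsInMacOrder.get("9F37")), // unpredictable number
                transData);
    }

    public static void main(String[] args) throws Exception {
        // Same configuration as the issue: throwaway LMK rebuilt on every run, BouncyCastle as provider.
        Properties p = new Properties();
        p.setProperty("lmk", "./LMK");
        p.setProperty("rebuildlmk", "true");
        p.setProperty("provider", "org.bouncycastle.jce.provider.BouncyCastleProvider");
        JCESecurityModule sm = new JCESecurityModule();
        sm.setConfiguration(new SimpleConfiguration(p));

        // Test IMK_AC loaded from a single clear component (acceptable for a test card only;
        // a production IMK arrives wrapped under a ZMK and is never handled in the clear).
        // formKEYfromClearComponents is assumed from the SMAdapter API.
        SecureDESKey imkac = sm.formKEYfromClearComponents(
                (short) 128, SMAdapter.TYPE_MK_AC, "00112233445566778899AABBCCDDEEFF");

        // Constructed values, listed in the EMV Book 2 minimum data set order.
        Map<String, String> tags = new LinkedHashMap<>();
        tags.put("9F02", "000000001000"); // Amount, Authorised
        tags.put("9F03", "000000000000"); // Amount, Other
        tags.put("9F1A", "0840");         // Terminal Country Code
        tags.put("95",   "0000008000");   // Terminal Verification Results
        tags.put("5F2A", "0840");         // Transaction Currency Code
        tags.put("9A",   "240101");       // Transaction Date
        tags.put("9C",   "00");           // Transaction Type
        tags.put("9F37", "1A2B3C4D");     // Unpredictable Number
        tags.put("82",   "1800");         // Application Interchange Profile
        tags.put("9F36", "0001");         // Application Transaction Counter

        byte[] arqc = ISOUtil.hex2byte("0011223344556677"); // constructed; a real one is read from 9F26
        boolean ok = verify(sm, imkac, "1234567890123456", "01", arqc, tags);
        System.out.println("ARQC " + (ok ? "verified" : "does not match"));
    }
}
```

With the constructed values the 33-byte block is padded to 40 bytes, so the card and the HSM MAC the same input; a mismatch that persists after the padding is right points at the data list or its order (the part a CPA card's specification has to supply), or at the IMK_AC itself.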