Use APDU commands to get some information for a card

angelreyes17 picture angelreyes17 · Nov 17, 2016 · Viewed 26k times · Source

I have a terminal that has its own API to stablish and send commands between chip and terminal, there is a function that transmits the APDU command and returns the answer in a byte array.

For example, if a want to read the tag 5A (Application PAN), I send the following command:

byte[] byteArrayAPDU = new byte[]{(byte)0x00, (byte)0xCA, (byte)0x00, (byte)0x5A};
int nResult = SmartCardInterface.transmit(nCardHandle, byteArrayAPDU, byteArrayResponse);

The variable byteArrayResponse gets the response to the APDU command.

When I translate the value of byteArrayAPDU to a string of hexadecimal digits, this gives me: 00 CA 00 5A. And the response to that command is 6E 00 (class not supported).

My device works with ISO 7816 as technical specifications. Is the way in which I am sending APDU commands correct? I ask this because I have read that an APDU command must have 5 values at least, but I don't know what to send in the fifth parameter. I don't know what the lenght of the response is.

Can you give an example of how to get the tag 5A or something else in APDU commands?

If the command where correct, in place of where I see 6E 00 at the moment, would I see the information as plain text when cast to a string?

Answer

Michael Roland picture Michael Roland · Nov 18, 2016

The input and output values that you showed in your question suggest that your use of the method transceive() is correct, i.e. the second argument is a command APDU and the third argument is filled with the response APDU:

resultCode = SmartCardInterface.transmit(cardHandle, commandAPDU, ResponseAPDU);

Your question regarding the format and validity of APDU commands is rather broad. In general, the format of APDUs and a basic set of commands is defined in ISO/IEC 7816-4. Since you tagged the question with and mention the application primary account number, you are probably interacting with some form of EMV payment card (e.g. a credit or debit card from one of the major schemes). In that case, you would probably want to study the various specifications for EMV payment systems which define the data structures and application-specific commands for those cards.

Regarding your specific questions:

Do APDUs always consist of at least 5 bytes?

No, certainly not. Command APDUs consist of at least 4 bytes (the header bytes). These are

+-----+-----+-----+-----+
| CLA | INS | P1  | P2  |
+-----+-----+-----+-----+

Such a 4-byte APDU is called "case 1". This means that the command APDU does not contain a data field sent to the card and that the card is not expected to generate a response data field. So the response APDU is expected to only contain a response status word:

+-----+-----+
| SW1 | SW2 |
+-----+-----+

What is the 5th byte of a command APDU?

The 5th byte is a length field (or part of a length field in case of extended length APDUs, which I won't further explain in this post). Depending on the case, this length field may have two meanings:

  1. If the command APDU does not have a data field, that length field indicates the expected length (Ne) of the response data field:

    +-----+-----+-----+-----+-----+
    | CLA | INS | P1  | P2  | Le  |
    +-----+-----+-----+-----+-----+
    
    • Le = 0x01 .. 0xFF: This means that the expected response data length Ne is 1, 2, ... 255 bytes (i.e. exactly the value of Le).
    • Le = 0x00: This means that the expected response data length Ne is 256 bytes. This is typically used to instruct the card to give you as much bytes as it has available (up to 256 bytes). So even if Le is set to 0x00, you won't always get exactly 256 bytes from the card.
  2. If the command APDU itself has a data field, that length field indicates the length (Nc) of the command data field:

    +-----+-----+-----+-----+-----+-----------------+
    | CLA | INS | P1  | P2  | Lc  | DATA (Nc bytes) |
    +-----+-----+-----+-----+-----+-----------------+
    
    • Lc = 0x01 .. 0xFF: This means that the command data length Nc is 1, 2, ... 255 bytes (i.e. exactly the value of Lc).
    • Lc = 0x00: This is used to indicate an extended length APDU.
  3. If there is a command data field and the command is expected to generate response data, that command APDU may again be followed by an Le field:

    +-----+-----+-----+-----+-----+-----------------+-----+
    | CLA | INS | P1  | P2  | Lc  | DATA (Nc bytes) | Le  |
    +-----+-----+-----+-----+-----+-----------------+-----+
    

Is the command 00 CA 00 5A correct?

Probably not, for several reasons:

  1. Since you expect the card to deliver a response data field (i.e. the data object 0x5A), you need to specify an Le field. Hence, a valid format would be

    +------+------+------+------+------+
    | CLA  | INS  | P1   | P2   | Le   |
    +------+------+------+------+------+
    | 0x00 | 0xCA | 0x00 | 0x5A | 0x00 |
    +------+------+------+------+------+
    
  2. You receive the status word 6E 00 in response to the command. The meaning of this status word is "class not supported". This indicates that commands with the CLA byte set to 0x00 are not supported in the current state. With some cards this also simply means that this combination of CLA and INS (00 CA) is not supported, eventhough this contradicts the definition in ISO/IEC 7816-4.

    Overall, you can assume that your card does not support this command in its current execution state.

  3. Assuming you are interacting with an EMV payment card, you typically need to select an application first. Your question does not indicate if you do this already, so I assume, you don't do this right now. Selecting an application is done by sending a SELECT (by AID) command:

    +------+------+------+------+------+-----------------+------+
    | CLA  | INS  | P1   | P2   | Le   | DATA            | Le   |
    +------+------+------+------+------+-----------------+------+
    | 0x00 | 0xA4 | 0x04 | 0x00 | 0xXX | Application AID | 0x00 |
    +------+------+------+------+------+-----------------+------+
    

    The value of the application AID, of course, depends on the card application and may be obtained by following the discovery procedures defined in the EMV specifications.

  4. Even after application selection, the GET DATA APDU command for EMV applications is defined in the proprietary class. Consequently, the CLA byte must be set to 0x80:

    +------+------+------+------+------+
    | CLA  | INS  | P1   | P2   | Le   |
    +------+------+------+------+------+
    | 0x80 | 0xCA | 0x00 | 0x5A | 0x00 |
    +------+------+------+------+------+
    
  5. Finally, even then, I'm not aware of any schemes where cards would allow you to retrieve the PAN through a GET DATA command. Usually, the PAN is only accessible through file/record based access. Since you did not reveal the specific type/brand of your card, it's impossible to tell what your card may or may not actually support.