This article provides a complete set of API commands implemented by ImportCard with basic usage information for external audit purposes.


Personalization


Personalization of ImportCard is a one-off procedure. Once it is completed with the "Switch Operational" command, it cannot be repeated or amended.

  1. Generate Card Key Pair - generates an RSA identity key for the card (0xB6 0xE4 0x00 0x00 0x00)
  2. Export Card Public Key - exports the public part of the identity RSA key (0xB6 0xE1 0x00 0x00 0x00) - the result is an RSA public key in PKCS1 format
  3. Import Signed Card Public Key - imports a certificate for the card (0xB6 0xE2 0x00 0x00 0x00) - the content of the certificate is not analyzed
  4. Import Security Domain Public Key - imports a public key used to sign the card identity key (0xB6 0xE5 0x00 0x00 <1B - pub_key_length> <byte array - public_key>)
  5. Import Seed Card Public Key - imports a public key for encrypting objects for the Enigma Bridge service (0xB6 0x34 0x00 0x00 <1B - pub_key_length> <byte array - public_key>)
  6. Switch Operational - (0xB6 0xE2 0x00 0x00 0x0B 0x04 0x04 0x04 0x04 0x04 0x04 0x04 0x04 0x04 0x04 0x04) - closes personalization and switches the card to the Operational state.

Operation

  1. Export Card Public Key - exports the public part of the identity RSA key (0xB6 0xE1 0x00 0x00 0x00) - the result is an RSA public key in PKCS1 format
  2. Export Signed Card Public Key - exports a certificate for the card (TODO - version 2)
  3. Export Signing Key - exports the key used to sign the card's certificate (TODO - version 2)
  4. Import New Key Component/Share - imports a new component of a symmetric key (0xB6 0x31 0x00 0x00 <data_length>)
    1. data: 0xA9 | <key length - 2B> | <share index - 1B> | <key type - 1B> | <share value> | 0xAD | <message length - 2B> | <text message - max 16B>
  5. Get Components/Shares Info - returns information (type, KCV, label) of key components in the card (0xB6 0x35 0x00 0x00 0x00) and the KCV of all components combined
  6. Erase Components/Shares - deletes key components from the card (0xB6 0x33 0x00 0x00 0x00)
  7. Create Object - creates an object for import into the Enigma Bridge service (0xB6 0x32 0x00 0x00 <length> <template>)
  8. Get Operations Log - returns log of operations performed by the card (0xB6 0xE7 0x00 0x00 0x00)
  9. Set Derivation Key - sets a key for internal derivation of application keys (derive_keys) (TODO - version 2)

General - Sending Long Data to Card

If the length of the data is larger than 249 bytes, it has to be sent in several APDU commands with chaining. This is done by amending the CLA byte of the command (the first byte):
  1. first APDU of chain - CLA | 0x40
  2. next (but not last!) APDU of chain - CLA | 0x08
  3. last APDU of chain - CLA | 0x48
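As an added illustration (not ImportCard's own code), the following Python builds the data field of the "Import New Key Component/Share" command from the layout given above and splits the resulting command into a chained APDU sequence using the CLA rules of this section. It assumes that the 2-byte "key length" field equals the length of the share value, and the 249-byte threshold, 0x40/0x08/0x48 flags and command bytes are taken from this page.

```python
# Added example, not part of the ImportCard applet or its host library.
CLA, INS_IMPORT_SHARE = 0xB6, 0x31
MAX_DATA = 249  # page: data longer than 249 bytes must be chained


def build_share_data(share: bytes, index: int, key_type: int, message: bytes) -> bytes:
    """0xA9 | key len (2B) | share index (1B) | key type (1B) | share | 0xAD | msg len (2B) | msg (max 16B).

    Assumption: the key length field carries the length of the share value."""
    if len(message) > 16:
        raise ValueError("text message is limited to 16 bytes")
    if not (0 <= index <= 0xFF and 0 <= key_type <= 0xFF):
        raise ValueError("share index and key type are single bytes")
    return (bytes([0xA9]) + len(share).to_bytes(2, "big") + bytes([index, key_type]) + share
            + bytes([0xAD]) + len(message).to_bytes(2, "big") + message)


def chain_apdus(cla: int, ins: int, p1: int, p2: int, data: bytes) -> list:
    """Return the APDU(s) carrying `data`: a single short APDU, or a chain with
    CLA | 0x40 (first), CLA | 0x08 (middle), CLA | 0x48 (last)."""
    if len(data) <= MAX_DATA:
        return [bytes([cla, ins, p1, p2, len(data)]) + data]
    chunks = [data[i:i + MAX_DATA] for i in range(0, len(data), MAX_DATA)]
    apdus = []
    for n, chunk in enumerate(chunks):
        if n == 0:
            flag = 0x40                  # first APDU of the chain
        elif n == len(chunks) - 1:
            flag = 0x48                  # last APDU of the chain
        else:
            flag = 0x08                  # intermediate APDU
        apdus.append(bytes([cla | flag, ins, p1, p2, len(chunk)]) + chunk)
    return apdus


def import_share_apdus(share: bytes, index: int, key_type: int, message: bytes) -> list:
    """Full 'Import New Key Component/Share' command, chained if necessary."""
    data = build_share_data(share, index, key_type, message)
    return chain_apdus(CLA, INS_IMPORT_SHARE, 0x00, 0x00, data)


if __name__ == "__main__":
    # Constructed sample: a 16-byte all-zero share, index 1, key type 1, label "test".
    for apdu in import_share_apdus(bytes(16), 1, 0x01, b"test"):
        print(apdu.hex())
```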