An encoding description contains the information for the electronic personalization of a card. You import the encoding description from a file. This can be used in Smart ID Identity Manager.
This article describes how to use Application Protocol Data Unit (APDU) commands in an encoding description.
This feature is specific to PKI cards and still requires a PKCS#11 middleware for certain operations. RFID cards are not supported - refer to Nexus Card SDK for encoding of RFID cards.
Smart ID 20.11 introduces breaking changes to the syntax of APDU scripts. Existing scripts must be changed to the new syntax - see section PIN line format for details.
Important information regarding Smart ID 20.11
Some encoding description parameters were renamed with Smart ID 20.11, so you must adjust any encoding description which includes APDU scripts:
- CardOSApduFile => ApduFile
- CardOSApduResponseCodesField => ApduResponseCodesField
Two supported channels
Since Smart ID 20.11 there are two supported channels for sending APDUs within a PKI card encoding:
- PKCS#11 extension in CardOS middleware (used via Card SDK+JPKIEncoder only).
- Smart ID Desktop App
|Smart ID Desktop App|
|Other (for example Cryptovision, Nexus Personal Desktop Client)|
Prerequisites and features
- APDU scripts have to be bundled in the DSZ file that is uploaded. The file extension shall be apdu.
- When using CardOS middleware, its version needs to be at least 5.4W14, unless Smart ID Desktop App is used, which will also work with older versions.
- For APDU encodings through Nexus Card SDK, you need at least Card SDK version 22.214.171.124.
- APDU commands can either be given as full hex string or with parameterized command data read from fields.
- APDU commands have support for challenge response algorithms.
- Comments are allowed, starting with #.
- Empty lines are allowed.
- Do not do other things in the application (like requesting certificates), use dedicated applications for APDUs instead.
- Applications reference a script by filename.
- You can execute one script containing potentially multiple APDUs per application.
- Authentication with challenge/response keys via APDU.
- Format selection for most variables (hex/base64/string, hex being the default) - new in 20.11.
About APDU commands
You can have spaces in APDU commands for better readability:
Smart ID 20.11 allows input and output variables (with some exceptions in PIN lines) to use a format other than hex strings.
To configure the format, set the prefix <hex> / <string> / <base64> in front of the variable name (hex is default if no prefix is given).
The output field name is optional and can be omitted if you are not interested in the response data, for example:
This format is for non-parameterized APDUs only, which are passed in full as hex-string, with the output type being configurable, see this example:
This format allows for parametrization of the APDU's command data, which can be read from fields and concatenated, for example:
If a field has an empty or null value, it will resolve to an empty byte array, otherwise the field value will be parsed according to the specified input format (refer to the section "Configure format for variables").
The DYN format automatically sets the appropriate length for the input data, so do not add the input length byte(s) manually.
The expected result length is given as a decimal value, for example:
The expected result length will not necessarily match with the number of bytes in the output field, especially if format conversion (for example, to base64) is used.
You can have just the header plus field(s) and/or result length, for example:
|Header without command-data, expect no result data, no data output field|
|Same as above|
|Same as above|
|Same as above|
|Header and command-data from hex FIELD_A, expect no result data|
|Same as above|
|Same as above|
|Header and command-data from hex FIELD_A concatenated with hex FIELD_B, expect 300 bytes result data, stored to MY_RESULT as hex|
|Header without command-data, expect 13 bytes result data, stored to OUTPUT as hex|
You can include fixed hex values (prefixed with 0x) in the command-data as well, for example:
|Header and command-data F00D concatenated with FIELD_A concatenated with C0FFEE|
This custom format allows for displaying a PIN dialog where the user can choose a new PIN.
Optionally input of an existing transport PIN can be requested and/or a PIN validation rule can be specified. Specifying a PIN validation rule is highly recommended to avoid wasting cards due to repeated entering of an incorrect PIN.
The format differs between Smart ID 20.11 and earlier versions, so you have to adjust existing scripts using a PIN line:
Also, you can now specify the format of the output variables to be something other than a hex string, if desired.
Description and transport PIN are still interpreted as plain UTF-8 strings without any conversion done.
SIGNATURE_NAME describes the signature PIN,
|AUTH_NAME contains the name of the auth PIN,|
TPIN contains transport PIN to be entered, allows 8-12 alphanumeric chars,
NEW_PIN will contain the PIN chosen by the user, as plain UTF-8 string
AUTH_NAME contains the name of the auth PIN, allows 8-12 alphanumeric chars,
When using Smart ID Desktop App, a PIN entered by the user is never returned in the encoding result - it is only available to other APDU commands in the same encoding!
This custom format allows for calculating a response to a challenge based on a given key (see GET CHALLENGE / EXTERNAL AUTHENTICATION commands in the CardOS firmware docs).
It supports three C/R algorithms, none of which use any padding, so make sure the input has the proper size:
|Algorithm||Description||Input Size||Output Size|
|CMAC with AES(256) key||multiples of 16 bytes||8 bytes|
|MAC3 / RetailMAC with 3DES key||multiples of 8 bytes||8 bytes|
|direct encryption with 3DES key in ECB mode||multiples of 8 bytes||multiples of 8 bytes|
The format in an APDU script looks as follows:
Uses fixed key, read challenge as hex, write response as hex
Uses fixed key, read challenge as UTF-8 string, write response as base64 (since Smart ID 20.11)
|Uses key from KEY_FIELD|
A suitable challenge can be acquired as follows:
Each challenge is valid within the same session until it is used by an authentication command or replaced with a new challenge.
For some keys it may not possible to immediately authenticate with the new key after changing it.
Since Smart ID 20.11, response data can be returned as UTF-8 string or base64 string instead of hex, so you do not have to do such conversion in the process anymore.
Refer to section "Configure format for variables" for details.
Examples of APDU scripts
The examples below are valid for Smart ID 20.11 and are not backwards compatible.
Read version and patch
Write ef gdo (Elementary File Global Data Object)
Encodings using APDU scripts
The examples below are valid for Smart ID 20.11 (dropping the prefix CardOS from APDU parameter names) and are not backwards compatible. Also they are configured for exclusive use with Smart ID Desktop App (Devices=8711).
These are example encoding using the script examples above (set the "read" flag on CARDOS_VERSION, PACKAGE_VERSION and APDU_RESPONSE_CODES_*, as those provide output. The Application_X section represents an application, that is, one part of the chip that should be encoded in a certain way.
Define like this is the encoding description:
Specify the correct order in ApplicationList=, especially if one script depends on the output of another.
It is optional to set the ApduResponseCodesField for execution, but it is needed if you want to process the result code data.
Result code data uses the following format:
For example, these are the values if all scripts in the above encoding returned code 0x9000:
There is no response code for the CR command from the third script, as it does not execute an APDU:
Although the maximum length of command- and result data for APDUs is 65535, there is a limit of 2000 chars on string process variables in Identity Manager. For example, when using hex format (2 chars per byte), keep command data and result lengths to ~950 bytes to be on the safe side.
Also, the cards themselves may limit this further (for example, 382 bytes max on the tested cards).
This article is valid for Smart ID 20.11 and later.