Reading of Smart Cards on Apple iOS devices - Part 2

In previous tutorial we have started reading smart card's data using Thursby's PKard reader and their SDK. We can read data from "Printed Information" and get data of facial image. Let's start to read from "CHUID". 

CHUID - Card Holder Unique Identifier 

The CHUID is defined to provide the basis for interoperable identification of individuals and to extend capabilities over magnetic stripe technology for Physical Access Control System applications. It contains a series of mandatory and optional tagged objects. Some of these include the Federal Agency Smart Credential Number (FASC-N), the Global Unique ID (GUID), and the Asymmetric Signature. 

FASC-N 

Let's dive deeper into grabbing FASC-N data. First step is to get CHUID data.

// CHUID

TSS_PKI_Data *CHUID = [TSS_PKI_Data dataObjectWithName:@"CHUID"];

Next step is to get NSData of FASC-N.

if (CHUID) {

   // FASC-N

   NSData *FASCN = [CHUID dataWithBerTlvTag:0x30];

   

   ...

}

Now it's necessary to get string format of FASC-N from NSData. It needs 3 steps to do it.
1) Convert FASC-N NSData to binary string. It should looks like this: "110101001110011....."
2) Divide this binary string into parts each 5 characters long.
3) Replace with corresponding character due to this part of code:
    

// The 40-character FASC-N credential is encoded as a 200 bit (25-byte) record    

// Packed BCD 4-Bit Decimal Format with Odd Parity.

         if ([bits isEqualToString:@"00001"]) return @"0";

    else if ([bits isEqualToString:@"10000"]) return @"1";

    else if ([bits isEqualToString:@"01000"]) return @"2";

    else if ([bits isEqualToString:@"11001"]) return @"3";

    else if ([bits isEqualToString:@"00100"]) return @"4";

    else if ([bits isEqualToString:@"10101"]) return @"5";

    else if ([bits isEqualToString:@"01101"]) return @"6";

    else if ([bits isEqualToString:@"11100"]) return @"7";

    else if ([bits isEqualToString:@"00010"]) return @"8";

    else if ([bits isEqualToString:@"10011"]) return @"9";

    else if ([bits isEqualToString:@"11010"]) return @"S"; // Start Sentinel

    else if ([bits isEqualToString:@"10110"]) return @"F"; // Field Separator

    else if ([bits isEqualToString:@"11111"]) return @"E"; // End Sentinel

Final string format of FASC-N should looks like this: "S9999F9999F999999F1F1F1234567890199991E8". But how to interpret this string? I found all important informations in documentation in TIG SCEPACS v2.3 by the Physical Access Interagency Interoperability Working Group, December 20, 2005.  - Refer to section 6.1

You will find all informations about FASC-N in the documentation. Here we have FASC-N description:

and here we have FASC-N field description:

Now it's easy to get anything from FASC-N string. Let's take our example string "S9999F9999F999999F1F1F1234567890199991E8", if you want to display Agency code, you have to look at the tables above. You will find, that Agency code is located after start sentinel, which has length of 1 digit. Agency code has 4 digits and it is located after sentinel. Required agency code is 9999. This way, you can continue parsing all the FASC-N string and get required parts of FASC-N. 

GIUD 

Extending our code we can start grabbing GUID data.

// CHUID

TSS_PKI_Data *CHUID = [TSS_PKI_Data dataObjectWithName:@"CHUID"];

NSUUID *UUID = nil;

VLFASCNData *FASCNData = nil;

if (CHUID) {

        

   // FASC-N

   NSData *FASCN = [CHUID dataWithBerTlvTag:0x30];

   if (FASCN) {

      FASCNData = [[VLFASCNData alloc] initWithFASCNData:FASCN];

   }

        

   // GUID

   NSData *GUID = [CHUID dataWithBerTlvTag:0x34];

   if (GUID) {

      // RFC 4122 - conformant UUID value

      UUID = [[NSUUID alloc]initWithUUIDBytes:GUID.bytes];

   }

}

X.509 / X.509 Extension 

At the end of this tutorial, here is example code how to grab subject name, email or Authority Key Identifier (AKI) / Subject Key Identifier (SKI) from X.509 extension.

NSArray *certs = [TSS_PKI_Identity currentIdentitiesWithAssertion:kAssertCertificateKeyUsageDigitalSignature];

NSString *subjectName;

NSString *emailAddress;

NSData *dataAKI;

NSData *dataSKI;

        

if ( certs.count > 0 ) {

            

   TSS_PKI_Identity *signatureCert = certs[0];

   subjectName = signatureCert.certificate.subjectName;

   emailAddress = signatureCert.certificate.subjectAltNames[X509SubjectAltNameRFC822];

            

   // Authority Key Identifier & Subject Key Identifier

   X509 *inCert = signatureCert.certificate.nativeX509;

   X509_EXTENSION *authorityKeyIdentifier = getExtensionFromCert(inCert, NID_authority_key_identifier);

   X509_EXTENSION *subjectKeyIdentifier = getExtensionFromCert(inCert, NID_subject_key_identifier);

            

   if (authorityKeyIdentifier) {

      dataAKI = [NSData dataWithBytes:authorityKeyIdentifier->value->data length:authorityKeyIdentifier->value->length];

   }

            

   if (subjectKeyIdentifier) {

       dataSKI = [NSData dataWithBytes:subjectKeyIdentifier->value->data length:subjectKeyIdentifier->value->length];

   }

}

It takes a time to get all the informations about reading specific data from smart card. I hope these tutorials will help you with development for iOS devices which needs to grab data from smart cards.

Reading of Smart Cards on Apple iOS devices - Part 1

In this tutorial, I would like to show you, how to read data from smart cards using iOS devices. First, what we need is to connect our iPhone / iPad with hardware device for reading smart cards and SDK to develop our own application. We have used PKard Reader from Thursby Software which is available in several form factors. 

Thursby Software's PKard Reader support the major standard smart card formats including PIV and PIV-I smart cards, the CAC / CAC Dual Persona (Common Access Card) used by the U.S. military and DOD (Department of Defense).

Using Thursby's PKard Reader and PKard Toolkit for iOS, we can start reading data from smart card. I will show you how to read data from smart card's "Printed information", "CHUID" and get image data from "Facial Image".

Printed information

// Printed Infromation

TSS_PKI_Data *printedInfo = [TSS_PKI_Data dataObjectWithName:@"Printed Information"];

        

if (printedInfo) {

            

  NSData *nameData = [printedInfo dataWithBerTlvTag:1];

  NSString *name = [[NSString alloc] initWithData:nameData encoding:NSUTF8StringEncoding];

  

  // other tags 

  NSData *employeeAffiliationData = [printedInfo dataWithBerTlvTag:2];

  NSData *expirationDateData = [printedInfo dataWithBerTlvTag:4];

  NSData *agencyCardSerialNumberData = [printedInfo dataWithBerTlvTag:5];

  NSData *issuerIdentificationData = [printedInfo dataWithBerTlvTag:6];

  NSData *organizationAffiliation1Data = [printedInfo dataWithBerTlvTag:7];

  NSData *organizationAffiliation2Data = [printedInfo dataWithBerTlvTag:8];

}

Facial image

If you need to get facial image data, you can do it like this:

// Facial image

NSData *facialImageData = nil;

TSS_PKI_Data *pkiFacialImageData = [TSS_PKI_Data dataObjectWithName:@"Facial Image"];

if (pkiFacialImageData) {

   NSData *cbeffData = [pkiFacialImageData cbeffData];

   

   if (cbeffData) {

      NistBiometricExchangeFormat *cbeff = [[NistBiometricExchangeFormat alloc] initWithCBEFFData:cbeffData];

      facialImageData = cbeff.jpeg;

   }

}

You can find sample project which is included in PKard Toolkit. In case, there are things you are not able to find in documentation, ask Thursby for the answer. Their support works great.

Next part we will read data from "CHUID" especially reading and formating FASC-N, GUID and from X509 extension Authority Key Identifier.  

Camera Confidentiality Conundrum

One of BABEL's features allows you to capture a photograph using your device's camera then send the image as an attachment. This ability is important for users so they can send images of documents or developing events to their contacts. Originally BABEL would use the device's native camera application to take the photo, however we discovered a serious security flaw with this approach. On many Android devices the native camera app would automatically save photos taken by BABEL, and if the user had cloud backup enabled would also upload them to their cloud service. Obviously this is an unacceptable privacy violation for BABEL so we needed to implement a solution.

The solution we came up with was to develop our own simple camera activity which BABEL could use to capture images. By controlling the image capturing process we can ensure that the photo stays private and is not saved outside of BABEL. This was not a simple task unfortunately, to recreate the vast set of features available in native camera apps would take an enormous amount of development time. So we had to aim to include only the most important camera features in our app.

The features we decided to include were auto-focus, zoom and flash. Auto-focus and Flash were relatively simple to implement using the Android camera API, but the zoom was slightly more complicated. Anybody used to touch-screen devices recognizes the pinch to zoom gesture, surprisingly there is no standard utility in the Android framework for this. So firstly we needed to implement a gesture detector for this that would control the camera's zoom level. Another issue we encountered was a large variance in the number of zoom levels available on each device, some cameras we tested supported 3-4 times as many zoom levels as others! To normalize the zoom behaviour across all devices we added scaling to our zoom gesture detector. Now if the user does a 'pinch' that travels half the length of the screen, the device will perform the maximum zoom change with smaller gestures performing a zoom relative to this maximum.

So with this new camera activity included in BABEL's next release can be confident that photos sent as attachments will remain private and not be accidentally leaked by a third party app. The need for a custom camera was an unanticipated problem which demonstrates the importance of our rigorous testing for each release. In the future we may revisit this custom camera to offer a better, more fully featured camera to BABEL users.

UIDocumentInteractionController in landscape mode

The whole iOS version of Babel works in portrait mode, but since we implemented attachments, we wanted to display attachment previews in landscape mode also. We tried it at first with UIDocumentInteractionController, which is displayed modally on UINavigationController.

So the whole app is in portrait mode and only UIDocumentInteractionController is in both portrait and landscape. It worked great, but when you at first turn the iphone to landscape and then display UIDocumentInteractionController, you will see the preview, but the navigation bar is missing. So you cannot get out of this screen, in iOS 8, it looks like this:

In iOS 7, it's ok:

We tried using QLPreviewViewController, but displaying it modally on UINavigationController was the same. Then we tried to push it on the navigation stack with pushViewController:animated and finally it worked on both iOS versions 7 and 8.

However there is one issue with QLPreviewViewController that only occurs in iOS 8 (iOS7 is ok). When you try to play some sound in this preview and turn to landscape, then when you go back (dismiss QLPreviewViewController), the sound continues playing. If you do the same thing in portrait, it stops playing.

Teambuilding

Last weekend our team went to play Paintball near Prague. It was very good fun, as you can see from the pictures. The team enjoyed the game almost as much as their work! ;)