I am able to read a smart card from PB's Tactivo smart card reader on Android; however, I am not familiar with the validation process. Here is an example of what I have to read the input:
    ...
    channel = card.getBasicChannel();
    // See www.globalplatform.org for more information about this command.
    // CLA = 0x80
    // INS = 0xCA
    // P1 = 0x9F
    // P2 = 0x7F
    // Le = 0x00
    CommandAPDU GET_DATA_CardProductionLifeCycle = new CommandAPDU(0x80, 0xCA, 0x9F, 0x7F, 0x00);
    ResponseAPDU cardResponse;
    // Send the command to the card
    cardResponse = channel.transmit(GET_DATA_CardProductionLifeCycle);
    // Check SW1 if we provided wrong Le
    if (cardResponse.getSW1() == 0x6C) {
        // Modify the command with correct Le reported by the card in SW2.
        GET_DATA_CardProductionLifeCycle = new CommandAPDU(0x80, 0xCA, 0x9F, 0x7F, cardResponse.getSW2());
        // Re-send the command but now with correct Le
        cardResponse = channel.transmit(GET_DATA_CardProductionLifeCycle);
    }
    // Check if the card has data for us to collect
    if (cardResponse.getSW1() == 0x61) {
        // Issue a GET RESPONSE command using SW2 as Le
        CommandAPDU GET_RESPONSE = new CommandAPDU(0x00, 0xC0, 0x00, 0x00, cardResponse.getSW2());
        cardResponse = channel.transmit(GET_RESPONSE);
    }
    // Check the final result of the GET DATA CPLC command
    if (cardResponse.getSW() != 0x9000) {
        // The card does not support Global Platform
        // some sort of SW from the card here... Read as "SW: 6a82"
        System.out.println(String.format("8Card responded with SW:%04x", cardResponse.getSW()));
        System.out.println("9This card does not support the Global Platform " + "GET CPLC command");
        return;
    }
    // we do not validate the data in this example - we assume that it is
    // correct...
    ...
If anyone has experience with smart card/CAC card validation/authentication, please give me some guidance, an example, or something to work off of, because there is very little documentation of this out there.
UPDATE: I have an Android App that I want to secure with a smart card. I am able to read any smart card's input using a Precise Biometrics Tactivo Smart Card reader. How can I validate/authenticate this input to allow only certain users to access the App?
The ATR is inappropriate for validation of any kind, since it is typically shared by thousands of cards.
While cards have a unique identifier (manufacturer specific), this can be easily faked after a valid one has been found out.
The typical means of requiring a certain card (as a component of a two-factor authorization, adding something you have to the something you know, e.g. PIN, password) is execution of an external authentication. Since for that you need to store a key of your own on the card, it will not be an option for a card that you just happen to possess.
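
The external authentication this answer describes, sketched as an added example (not code from the original posts): the terminal requests a challenge with GET CHALLENGE and answers it with EXTERNAL AUTHENTICATE using a key that was stored on the card. `SimulatedCard`, `CARD_KEY`, the single-block AES cryptogram and key reference `0x01` are assumptions standing in for a real card and its specification.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.smartcardio.CommandAPDU;
import javax.smartcardio.ResponseAPDU;

public class ExternalAuthDemo {
    // Constructed demo key; a real key is personalised onto the card and never hard-coded.
    static final byte[] CARD_KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    // Assumed cryptogram: AES over the single 16-byte challenge block (card-specific in practice).
    static byte[] cryptogram(byte[] key, byte[] challenge) throws Exception {
        Cipher aes = Cipher.getInstance("AES/ECB/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        return aes.doFinal(challenge);
    }
    // Hypothetical in-memory card standing in for channel.transmit().
    static class SimulatedCard {
        private byte[] challenge;
        ResponseAPDU transmit(CommandAPDU cmd) throws Exception {
            if (cmd.getINS() == 0x84) {                       // GET CHALLENGE
                challenge = new byte[16];
                new SecureRandom().nextBytes(challenge);
                byte[] out = java.util.Arrays.copyOf(challenge, 18);
                out[16] = (byte) 0x90;                        // append SW 9000
                return new ResponseAPDU(out);
            }
            if (cmd.getINS() == 0x82 && challenge != null) {  // EXTERNAL AUTHENTICATE
                byte[] expected = cryptogram(CARD_KEY, challenge);
                challenge = null;                             // a challenge is valid once
                int sw = MessageDigest.isEqual(expected, cmd.getData()) ? 0x9000 : 0x6982;
                return new ResponseAPDU(new byte[] {(byte) (sw >> 8), (byte) sw});
            }
            return new ResponseAPDU(new byte[] {0x69, (byte) 0x85}); // no challenge pending
        }
    }
    // Terminal side: GET CHALLENGE, then EXTERNAL AUTHENTICATE (P2 = 0x01 is an assumed key reference).
    static boolean externalAuthenticate(SimulatedCard card, byte[] key) throws Exception {
        ResponseAPDU r = card.transmit(new CommandAPDU(0x00, 0x84, 0x00, 0x00, 16));
        if (r.getSW() != 0x9000 || r.getData().length != 16) return false;
        r = card.transmit(new CommandAPDU(0x00, 0x82, 0x00, 0x01, cryptogram(key, r.getData())));
        return r.getSW() == 0x9000;
    }
    public static void main(String[] args) throws Exception {
        System.out.println(externalAuthenticate(new SimulatedCard(), CARD_KEY));     // key stored on the card
        System.out.println(externalAuthenticate(new SimulatedCard(), new byte[16])); // a different key
    }
}
```

The status word on its own is just two bytes returned by the card, so gate access on something only the unlocked card can do afterwards, such as reading a file protected by that key.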