introduce additional test case, add REQUIRE_LRP config option

nfc-developer · Aug 22, 2022 · e80634c · e80634c
1 parent ed65e3f
commit e80634c
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 3 deletions.
diff --git a/app.py b/app.py
@@ -4,8 +4,8 @@
 from flask import Flask, request, render_template, jsonify
 from werkzeug.exceptions import BadRequest
 
-from config import SDMMAC_PARAM, ENC_FILE_DATA_PARAM, ENC_PICC_DATA_PARAM, SDM_FILE_READ_KEY, SDM_META_READ_KEY, UID_PARAM, CTR_PARAM
-from libsdm import decrypt_sun_message, validate_plain_sun, InvalidMessage
+from config import SDMMAC_PARAM, ENC_FILE_DATA_PARAM, ENC_PICC_DATA_PARAM, SDM_FILE_READ_KEY, SDM_META_READ_KEY, UID_PARAM, CTR_PARAM, REQUIRE_LRP
+from libsdm import decrypt_sun_message, validate_plain_sun, InvalidMessage, EncMode
 
 app = Flask(__name__)
 
@@ -66,6 +66,9 @@ def _internal_sdm(with_tt=False):
     except InvalidMessage:
         raise BadRequest("Invalid message (most probably wrong signature).")
 
+    if REQUIRE_LRP and res['encryption_mode'] != EncMode.LRP:
+        raise BadRequest("Invalid encryption mode, expected LRP.")
+
     picc_data_tag = res['picc_data_tag']
     uid = res['uid']
     read_ctr_num = res['read_ctr']
@@ -146,6 +149,9 @@ def sdm_info_plain():
     except InvalidMessage:
         raise BadRequest("Invalid message (most probably wrong signature).")
 
+    if REQUIRE_LRP and res['encryption_mode'] != EncMode.LRP:
+        raise BadRequest("Invalid encryption mode, expected LRP.")
+
     if request.args.get("output") == "json":
         return jsonify({
             "uid": res['uid'].hex().upper(),

diff --git a/config.dist.py b/config.dist.py
@@ -11,3 +11,6 @@
 
 # always applied
 SDMMAC_PARAM = "cmac"
+
+# accept only SDM using LRP, disallow usage of AES
+REQUIRE_LRP = False
diff --git a/config.docker.py b/config.docker.py
@@ -11,3 +11,5 @@
 CTR_PARAM = os.environ.get("CTR_PARAM", "ctr")
 
 SDMMAC_PARAM = os.environ.get("SDMMAC_PARAM", "cmac")
+
+REQUIRE_LRP = (os.environ.get("REQUIRE_LRP", "0") == "1")
diff --git a/templates/sdm_main.html b/templates/sdm_main.html
@@ -13,6 +13,10 @@ <h1>Secure Dynamic Messaging Backend Server Example</h1>
         <a href="/tag?picc_data=EF963FF7828658A599F3041510671E88&cmac=94EED9EE65337086">
         <code>/tag?picc_data=EF963FF7828658A599F3041510671E88&cmac=94EED9EE65337086</code>
     </a></li>
+    <li><strong>NTAG 424 DNA (LRP mode):</strong> Encrypted PICC Data mirroring with SDMMAC (CMAC)<br>
+        <a href="tag?picc_data=1FCBE61B3E4CAD980CBFDD333E7A4AC4A579569BAFD22C5F&cmac=4231608BA7B02BA9">
+        <code>/tag?picc_data=1FCBE61B3E4CAD980CBFDD333E7A4AC4A579569BAFD22C5F&cmac=4231608BA7B02BA9</code>
+    </a></li>
     <li><strong>NTAG 424 DNA:</strong> Encrypted PICC Data mirroring with additional SDMFileData and SDMMAC (CMAC)<br>
         <a href="/tag?picc_data=FD91EC264309878BE6345CBE53BADF40&enc=CEE9A53E3E463EF1F459635736738962&cmac=ECC1E7F6C6C73BF6">
         <code>/tag?picc_data=FD91EC264309878BE6345CBE53BADF40&enc=CEE9A53E3E463EF1F459635736738962&cmac=ECC1E7F6C6C73BF6</code>
@@ -21,7 +25,7 @@ <h1>Secure Dynamic Messaging Backend Server Example</h1>
         <a href="/tagtt?picc_data=FDD387BF32A33A7C40CF259675B3A1E2&enc=EA050C282D8E9043E28F7A171464D697&cmac=758110182134ECE9">
         <code>/tagtt?picc_data=FDD387BF32A33A7C40CF259675B3A1E2&enc=EA050C282D8E9043E28F7A171464D697&cmac=758110182134ECE9</code>
     </a></li>
-    <li><strong>NTAG 424 DNA TagTamper:</strong> LRP mode encryption; Encrypted PICC Data mirroring with additional SDMFileData and SDMMAC (CMAC); TagTamper enabled and with TTStatusOffset = ENCDataOffset<br>
+    <li><strong>NTAG 424 DNA TagTamper (LRP mode):</strong> Encrypted PICC Data mirroring with additional SDMFileData and SDMMAC (CMAC); TagTamper enabled and with TTStatusOffset = ENCDataOffset<br>
         <a href="tagtt?picc_data=8EE8E27DE3974FFE245F96C71087129B2E8449C9FF346F65&enc=48987A0D55638C017D1F4DC3D8ADD910&cmac=862E781E52244A75">
         <code>/tagtt?picc_data=8EE8E27DE3974FFE245F96C71087129B2E8449C9FF346F65&enc=48987A0D55638C017D1F4DC3D8ADD910&cmac=862E781E52244A75</code>
     </a><br><br></li>

diff --git a/test_libsdm.py b/test_libsdm.py
@@ -121,3 +121,17 @@ def test_sdm_lrp1():
     assert res['read_ctr'] == 4
     assert res['file_data'] == b"NTXXb7dz3PsYYBlU"
     assert res['encryption_mode'] == EncMode.LRP
+
+
+def test_sdm_lrp2():
+    res = decrypt_sun_message(
+        sdm_meta_read_key=binascii.unhexlify('00000000000000000000000000000000'),
+        sdm_file_read_key=binascii.unhexlify('00000000000000000000000000000000'),
+        picc_enc_data=binascii.unhexlify("1FCBE61B3E4CAD980CBFDD333E7A4AC4A579569BAFD22C5F"),
+        sdmmac=binascii.unhexlify("4231608BA7B02BA9"))
+
+    assert res['picc_data_tag'] == b"\xc7"
+    assert res['uid'] == binascii.unhexlify("04940e2a2f7080")
+    assert res['read_ctr'] == 3
+    assert res['file_data'] is None
+    assert res['encryption_mode'] == EncMode.LRP