Add MyEID NFC functionality

MOPPIOS-1669 Fix for TLV 0x85 tag in APDU response (odd and even instructions handling).

MOPPIOS-1669 Additional sw code for pin verification method exception.

Encrypt can number saving

NFC refactor

Author: chirbard

Modules/CommonsLib/Sources/CommonsLib/Constants.swift

@@ -99,6 +99,7 @@ public struct Constants {
 
     public struct File {
         public static let LDAPCertsPem = "ldapCerts.pem"
+        public static let nfcCANKey = "canKey.txt"
     }
 
     public struct FileBaseName {

Modules/IdCardLib/Sources/IdCardLib/CardActions/CardCommandsInternal.swift

@@ -74,7 +74,7 @@ extension CardCommandsInternal {
                     return
                 case 0x6A80:  // New pin is invalid
                     throw IdCardInternalError.invalidNewPin
-                case 0x63C0, 0x6983: // Authentication method blocked
+                case 0x63C0, 0x6983, 0x6984: // Authentication method blocked
                     throw IdCardInternalError.pinVerificationFailed
                 // For pin codes this means verification failed due to wrong pin
                 case let uInt16 where (uInt16 & 0xFFF0) == 0x63C0:

Modules/IdCardLib/Sources/IdCardLib/CardActions/CardReaderNFC.swift

@@ -234,19 +234,38 @@ class CardReaderNFC: @unchecked CardReader, Loggable {
         }
         return (tlvEnc, tlvRes, tlvMac)
     }
-
+    // swiftlint:disable cyclomatic_complexity
     func transmit(_ apduData: Bytes) async throws -> (responseData: Bytes, sw: UInt16) {
         CardReaderNFC.logger().debug("Plain >: \(apduData.toHex)")
         guard let apdu = NFCISO7816APDU(data: Data(apduData)) else {
             throw IdCardInternalError.invalidAPDU
         }
         _ = SSC.increment()
-        let DO87 = try getDO87(apdu)
-        let DO97 = try getDO97(apdu)
+        let DO87: Data
+        if let data = apdu.data, !data.isEmpty {
+            let ivValue = try AES.CBC(key: ksEnc).encrypt(SSC)
+            let encData = try AES.CBC(key: ksEnc, ivVal: ivValue).encrypt(data.addPadding())
+            if apdu.instructionCode & 0x01 == 0 {
+                DO87 = TLV(tag: 0x87, bytes: [0x01] + encData).data
+            } else {
+                DO87 = TLV(tag: 0x85, bytes: encData).data
+            }
+        } else {
+            DO87 = Data()
+        }
+        let DO97: Data
+        if apdu.expectedResponseLength > 0 {
+            DO97 = TLV(
+                tag: 0x97,
+                bytes: [UInt8(apdu.expectedResponseLength == 256 ? 0 : apdu.expectedResponseLength)]
+            ).data
+        } else {
+            DO97 = Data()
+        }
         let cmdHeader: Bytes = [apdu.instructionClass | 0x0C, apdu.instructionCode, apdu.p1Parameter, apdu.p2Parameter]
-        let MValue = cmdHeader.addPadding() + DO87 + DO97
-        let NValue = SSC + MValue
-        let mac = try AES.CMAC(key: ksMac).authenticate(bytes: NValue.addPadding())
+        let mVal = cmdHeader.addPadding() + DO87 + DO97
+        let nVal = SSC + mVal
+        let mac = try AES.CMAC(key: ksMac).authenticate(bytes: nVal.addPadding())
         let DO8E = TLV(tag: 0x8E, bytes: mac).data
         let send = DO87 + DO97 + DO8E
         let response = try await tag.sendCommand(
@@ -257,26 +276,39 @@ class CardReaderNFC: @unchecked CardReader, Loggable {
             data: send,
             leByte: 256
         )
-        let (tlvEnc, tlvRes, tlvMac) = try getTLVs(response)
+        var tlvEnc: TKTLVRecord?
+        var tlvRes: TKTLVRecord?
+        var tlvMac: TKTLVRecord?
+        for tlv in TLV.sequenceOfRecords(from: response) ?? [] {
+            switch tlv.tag {
+            case 0x85, 0x87: tlvEnc = tlv
+            case 0x99: tlvRes = tlv
+            case 0x8E: tlvMac = tlv
+            default: print("Unknown tag")
+            }
+        }
         guard let tlvRes else {
             throw IdCardInternalError.missingRESTag
         }
         guard let tlvMac else {
             throw IdCardInternalError.missingMACTag
         }
-        let KValue = SSC.increment() + (tlvEnc?.data ?? Data()) + tlvRes.data
-        if try Data(AES.CMAC(key: ksMac).authenticate(bytes: KValue.addPadding())) != tlvMac.value {
+        let kVal = SSC.increment() + (tlvEnc?.data ?? Data()) + tlvRes.data
+        if try Data(AES.CMAC(key: ksMac).authenticate(bytes: kVal.addPadding())) != tlvMac.value {
             throw IdCardInternalError.invalidMACValue
         }
         guard let tlvEnc else {
             CardReaderNFC.logger().debug("Plain <: \(tlvRes.value.toHex)")
             return (.init(), UInt16(tlvRes.value[0], tlvRes.value[1]))
         }
         let ivValue = try AES.CBC(key: ksEnc).encrypt(SSC)
-        let responseData = try (try AES.CBC(key: ksEnc, ivVal: ivValue).decrypt(tlvEnc.value[1...])).removePadding()
+        let responseData = try (try AES.CBC(key: ksEnc, ivVal: ivValue)
+            .decrypt(tlvEnc.tag == 0x85 ? tlvEnc.value : tlvEnc.value[1...]))
+            .removePadding()
         CardReaderNFC.logger().debug("Plain <:  \(responseData.toHex) \(tlvRes.value.toHex)")
         return (Bytes(responseData), UInt16(tlvRes.value[0], tlvRes.value[1]))
     }
+    // swiftlint:enable cyclomatic_complexity
 
     // MARK: - Utils
 

Modules/IdCardLib/Sources/IdCardLib/CardActions/Thales.swift

@@ -115,6 +115,7 @@ final class Thales: CardCommandsInternal {
         guard type != .puk else {
             throw IdCardInternalError.notSupportedCodeType
         }
+        _ = try await select(file: Thales.kAID)
         try await unblockCode(type.pinRef, puk: puk, newCode: newCode)
     }
 

Modules/IdCardLib/Sources/IdCardLib/Operations/OperationUnblockPin.swift

@@ -156,6 +156,7 @@
 				"Domain/Model/My eID/MyEidPinCodeStep.swift",
 				Domain/Model/Notification/ContainerNotificationType.swift,
 				Domain/Model/SettingsMenuBottomSheetPages.swift,
+				Domain/Model/Signing/ActionType.swift,
 				Domain/Model/Signing/MobileId/MobileIdInputData.swift,
 				Domain/Model/Signing/NFC/NFCInputData.swift,
 				Domain/Model/Signing/SigningMethod.swift,
@@ -165,9 +166,14 @@
 				Domain/Model/SupportedTheme.swift,
 				Domain/Model/ToastMessage.swift,
 				Domain/NFC/DecryptError.swift,
+				Domain/NFC/NFCOperationBase.swift,
 				Domain/NFC/NFCSessionStrings.swift,
+				Domain/NFC/NFCSessionStringsUtil.swift,
+				Domain/NFC/OperationChangePin.swift,
 				Domain/NFC/OperationDecrypt.swift,
+				Domain/NFC/OperationReadCardData.swift,
 				Domain/NFC/OperationReadCertAndSign.swift,
+				Domain/NFC/OperationUnblockPin.swift,
 				Domain/Preferences/DataStore.swift,
 				Domain/Preferences/DataStoreProtocol.swift,
 				Domain/Preferences/KeychainStore.swift,
@@ -194,6 +200,7 @@
 				UI/Theme/Theme.swift,
 				Util/Certificate/CertificateUtil.swift,
 				Util/Certificate/CertificateUtilProtocol.swift,
+				Util/EncryptedData/EncryptedDataUtil.swift,
 				Util/File/FileInspector.swift,
 				Util/File/FileInspectorProtocol.swift,
 				Util/Language/LanguageSettings.swift,

RIADigiDoc.xcodeproj/project.pbxproj

@@ -503,7 +503,10 @@ extension Container {
         self { @MainActor in
             NFCViewModel(
                 dataStore: self.dataStore(),
-                userAgentUtil: self.userAgentUtil()
+                userAgentUtil: self.userAgentUtil(),
+                certificateUtil: self.certificateUtil(),
+                sharedMyEidSession: self.sharedMyEidSession(),
+                keychainStore: self.keychainStore()
             )
         }
     }
@@ -517,17 +520,31 @@ extension Container {
         }
     }
 
+    // swiftlint:disable closure_parameter_position
+    // swiftlint:disable large_tuple
     @MainActor
-    var myEidPinChangeViewModel: ParameterFactory<(MyEidPinCodeAction, CodeType, String), MyEidPinChangeViewModel> {
-        self { @MainActor (pinAction: MyEidPinCodeAction, codeType: CodeType, personalCode: String
+    var myEidPinChangeViewModel: ParameterFactory<(
+        MyEidPinCodeAction,
+        CodeType,
+        String,
+        ActionMethod
+    ), MyEidPinChangeViewModel> {
+        self { @MainActor (
+            pinAction: MyEidPinCodeAction,
+            codeType: CodeType,
+            personalCode: String,
+            actionMethod: ActionMethod
         ) -> MyEidPinChangeViewModel in
             MyEidPinChangeViewModel(
                 pinAction: pinAction,
                 codeType: codeType,
                 personalCode: personalCode,
+                actionMethod: actionMethod,
                 idCardRepository: self.idCardRepository(),
                 sharedMyEidSession: self.sharedMyEidSession()
             )
         }
     }
+    // swiftlint:enable closure_parameter_position
+    // swiftlint:enable large_tuple
 }

RIADigiDoc/DI/AppContainer.swift

@@ -19,4 +19,5 @@
 
 public enum KeychainKey: String, CaseIterable, Sendable {
     case proxyPassword = "proxy_password"
+    case nfcCANKey = "nfc_can_key"
 }

RIADigiDoc/Domain/Model/KeychainKey.swift

@@ -72,12 +72,14 @@ public enum NavigationDestination: Hashable {
 
     case myEidRootView
     case myEidView(
-        idCardData: IdCardData
+        idCardData: IdCardData,
+        actionMethod: ActionMethod
     )
 
     case myEidPinView(
         pinAction: MyEidPinCodeAction,
         codeType: CodeType,
-        personalCode: String
+        personalCode: String,
+        actionMethod: ActionMethod
     )
 }