Merge branch 'oda'

* oda:
  Misc Doxygen updates
  Move ODA types required by EMV context to separate header
  Use crypto_memcmp_s() for hash validation during ODA
  Implement validation of certification expiration dates
  Implement --oda option for emv-tool
  Fix --debug-source option parsing for emv-tool
  Implement remaining part of Combined DDA/Application Cryptogram Generation (CDA)
  Refactor ODA abstraction to cache data needed for Transaction Data Hash Code
  Implement initial EMV Card Action Analysis
  Implement helper functions for GENERATE APPLICATION CRYPTOGRAM in TTL and TAL
  Update Signed Dynamic Application Data retrieval for CDA
  Remember currently retrieved ICC public key
  Remember currently selected Offline Data Authentication (ODA) method
  Implement initial part of Combined DDA/Application Cryptogram Generation (CDA)
  Implement remaining part of Dynamic Data Authentication (DDA)
  Implement helper functions for INTERNAL AUTHENTICATE in TTL and TAL
  Implement Signed Dynamic Application Data retrieval and validation
  Validate configuration fields for ODA in high-level EMV abstraction
  Move cached fields to EMV processing context
  Let most ODA functions use EMV processing context
  Populate Unpredictable Number (field 9F37)
  Add error for missing terminal data during Offline Data Authentication (ODA)
  Implement initial part of Dynamic Data Authentication (DDA)
  Refactor EMV RSA abstraction
  Implement Static Data Authentication (SDA)
  Add initial Offline Data Authentication (ODA) abstraction
  Implement ICC public key retrieval
  Implement Signed Static Application Data retrieval
  Implement issuer public key retrieval and validation
  Implement CAPK validation
  Update Github Actions workflow for MbedTLS
  Add OpenEMV common crypto abstraction as a submodule
  Add more CAPKs
  Move CAPK static data to separate header
  Add initial CAPK abstraction

Author: leonlynch

.github/workflows/fedora-build.yaml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
     - name: Install build tools and dependencies
-      run: sudo dnf -y install git cmake gcc g++ boost-devel iso-codes-devel json-c-devel
+      run: sudo dnf -y install git cmake gcc g++ mbedtls-devel boost-devel iso-codes-devel json-c-devel
 
     - name: Install PCSCLite
       if: contains(matrix.deps, 'pcsclite')
@@ -77,7 +77,7 @@ jobs:
     steps:
     - name: Install build tools and dependencies
       run: |
-        sudo dnf -y install git gh cmake gcc g++ boost-devel iso-codes-devel json-c-devel pcsc-lite-devel bash-completion-devel doxygen rpm-build qt5-qtbase-devel
+        sudo dnf -y install git gh cmake gcc g++ mbedtls-devel boost-devel iso-codes-devel json-c-devel pcsc-lite-devel bash-completion-devel doxygen rpm-build qt5-qtbase-devel
 
     - name: Checkout
       uses: actions/checkout@v4

.github/workflows/macos-build.yaml

@@ -1,5 +1,5 @@
 ##############################################################################
-# Copyright 2022-2024 Leon Lynch
+# Copyright 2022-2025 Leon Lynch
 #
 # This file is licensed under the terms of the LGPL v2.1 license.
 # See LICENSE file.
@@ -32,9 +32,13 @@ jobs:
         brew install iso-codes
         brew install json-c
 
-    - name: Install argp-standalone using brew
+    - name: Install MbedTLS and argp-standalone using brew
+      # Homebrew doesn't support universal binaries so only install dependencies for arch-specific builds
       if: ${{ matrix.fetch_deps == 'NO' }}
-      run: brew install argp-standalone
+      run: |
+        brew install mbedtls
+        brew install argp-standalone
+        echo "CMAKE_REQUIRE_FIND_PACKAGE_MbedTLS=YES" >> $GITHUB_ENV
 
     - name: Install PCSCLite using brew
       if: contains(matrix.deps, 'pcsclite')
@@ -67,6 +71,8 @@ jobs:
           -DCMAKE_OSX_ARCHITECTURES="${{ matrix.osx_arch }}" \
           -DCMAKE_BUILD_TYPE="${{ matrix.build_type }}" \
           -DBUILD_SHARED_LIBS=${{ matrix.shared_libs }} \
+          -DFETCH_MBEDTLS=${{ matrix.fetch_deps }} \
+          -DCMAKE_REQUIRE_FIND_PACKAGE_MbedTLS=${{ env.CMAKE_REQUIRE_FIND_PACKAGE_MbedTLS }} \
           -DFETCH_ARGP=${{ matrix.fetch_deps }} \
           -DBUILD_EMV_DECODE=YES \
           -DBUILD_EMV_TOOL=${{ matrix.build_emv_tool }} \
@@ -114,6 +120,7 @@ jobs:
         cmake -B build \
           -DCMAKE_OSX_ARCHITECTURES="x86_64" \
           -DCMAKE_BUILD_TYPE="RelWithDebInfo" \
+          -DFETCH_MBEDTLS=YES \
           -DFETCH_ARGP=YES \
           -DBUILD_EMV_DECODE=YES \
           -DBUILD_EMV_TOOL=YES \

.github/workflows/ubuntu-build.yaml

@@ -29,7 +29,7 @@ jobs:
     - name: Install dependencies
       run: |
         sudo apt-get update
-        sudo apt-get install -y libboost-locale-dev iso-codes libjson-c-dev
+        sudo apt-get install -y libmbedtls-dev libboost-locale-dev iso-codes libjson-c-dev
 
     - name: Install PCSCLite
       if: contains(matrix.deps, 'pcsclite')
@@ -80,7 +80,7 @@ jobs:
 
     - name: Install dependencies
       run: |
-        apt-get install -y libboost-locale-dev iso-codes libjson-c-dev libpcsclite-dev bash-completion doxygen qtbase5-dev
+        apt-get install -y libmbedtls-dev libboost-locale-dev iso-codes libjson-c-dev libpcsclite-dev bash-completion doxygen qtbase5-dev
 
     - name: Checkout
       uses: actions/checkout@v4
@@ -148,7 +148,7 @@ jobs:
     - name: Install dependencies
       run: |
         sudo apt-get update
-        sudo apt-get install -y libboost-locale-dev iso-codes libjson-c-dev libpcsclite-dev doxygen qtbase5-dev
+        sudo apt-get install -y libmbedtls-dev libboost-locale-dev iso-codes libjson-c-dev libpcsclite-dev doxygen qtbase5-dev
 
     - name: Checkout
       uses: actions/checkout@v4

.github/workflows/windows-build.yaml

@@ -17,14 +17,14 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - { sys: mingw64, env: x86_64, build_type: "Release", lib_type: "static", shared_libs: "NO", deps: "none", build_emv_tool: NO, build_emv_viewer: NO }
-          - { sys: mingw64, env: x86_64, build_type: "Debug", lib_type: "dll", shared_libs: "YES", deps: "qt6", build_emv_tool: YES, build_emv_viewer: YES }
-          - { sys: mingw64, env: x86_64, build_type: "Release", lib_type: "static", shared_libs: "NO", deps: "qt5", build_emv_tool: YES, build_emv_viewer: YES }
-          - { sys: ucrt64, env: ucrt-x86_64, build_type: "Debug", lib_type: "static", shared_libs: "NO", deps: "qt5", build_emv_tool: YES, build_emv_viewer: YES }
-          - { sys: ucrt64, env: ucrt-x86_64, build_type: "Release", lib_type: "dll", shared_libs: "YES", deps: "qt6", build_emv_tool: YES, build_emv_viewer: YES }
+          - { sys: mingw64, env: x86_64, build_type: "Release", lib_type: "static", shared_libs: "NO", deps: "none", fetch_deps: NO, build_emv_tool: NO, build_emv_viewer: NO }
+          - { sys: mingw64, env: x86_64, build_type: "Debug", lib_type: "dll", shared_libs: "YES", deps: "qt6", fetch_deps: NO, build_emv_tool: YES, build_emv_viewer: YES }
+          - { sys: mingw64, env: x86_64, build_type: "Release", lib_type: "static", shared_libs: "NO", deps: "qt5", fetch_deps: YES, build_emv_tool: YES, build_emv_viewer: YES }
+          - { sys: ucrt64, env: ucrt-x86_64, build_type: "Debug", lib_type: "static", shared_libs: "NO", deps: "qt5", fetch_deps: NO, build_emv_tool: YES, build_emv_viewer: YES }
+          - { sys: ucrt64, env: ucrt-x86_64, build_type: "Release", lib_type: "dll", shared_libs: "YES", deps: "qt6", fetch_deps: YES, build_emv_tool: YES, build_emv_viewer: YES }
           # NOTE: Only test Qt6 for clang64 because Qt5's windeployqt does not support clang64
-          - { sys: clang64, env: clang-x86_64, build_type: "Debug", lib_type: "static", shared_libs: "NO", deps: "qt6", build_emv_tool: YES, build_emv_viewer: YES }
-          - { sys: clang64, env: clang-x86_64, build_type: "Release", lib_type: "dll", shared_libs: "YES", deps: "qt6", build_emv_tool: YES, build_emv_viewer: YES }
+          - { sys: clang64, env: clang-x86_64, build_type: "Debug", lib_type: "static", shared_libs: "NO", deps: "qt6", fetch_deps: NO, build_emv_tool: YES, build_emv_viewer: YES }
+          - { sys: clang64, env: clang-x86_64, build_type: "Release", lib_type: "dll", shared_libs: "YES", deps: "qt6", fetch_deps: YES, build_emv_tool: YES, build_emv_viewer: YES }
 
     name: Windows MSYS2 ${{matrix.sys}} build (${{ matrix.lib_type }}/${{ matrix.build_type }}/${{ matrix.deps }})
 
@@ -54,6 +54,12 @@ jobs:
           mingw-w64-${{matrix.env}}-json-c
           mingw-w64-${{matrix.env}}-gettext
 
+    - name: Install MbedTLS
+      if: ${{ matrix.fetch_deps == 'NO' }}
+      run: |
+        pacman --noconfirm -S --needed mingw-w64-${{matrix.env}}-mbedtls
+        echo "CMAKE_REQUIRE_FIND_PACKAGE_MbedTLS=YES" >> $GITHUB_ENV
+
     - name: Install Qt5
       if: contains(matrix.deps, 'qt5')
       run: |
@@ -75,6 +81,8 @@ jobs:
         cmake -G Ninja -B build \
           -DCMAKE_BUILD_TYPE="${{ matrix.build_type }}" \
           -DBUILD_SHARED_LIBS=${{ matrix.shared_libs }} \
+          -DFETCH_MBEDTLS=${{ matrix.fetch_deps }} \
+          -DCMAKE_REQUIRE_FIND_PACKAGE_MbedTLS=${{ env.CMAKE_REQUIRE_FIND_PACKAGE_MbedTLS }} \
           -DFETCH_ARGP=YES \
           -DBUILD_EMV_DECODE=YES \
           -DBUILD_EMV_TOOL=${{ matrix.build_emv_tool }} \
@@ -154,6 +162,7 @@ jobs:
           -DCMAKE_C_COMPILER="${{ env.TOOLCHAIN_PATH }}/gcc.exe" \
           -DCMAKE_CXX_COMPILER="${{ env.TOOLCHAIN_PATH }}/g++.exe" \
           -DBUILD_SHARED_LIBS=YES \
+          -DFETCH_MBEDTLS=YES \
           -DFETCH_ARGP=YES \
           -DBUILD_EMV_DECODE=YES \
           -DBUILD_EMV_TOOL=YES \

.gitmodules

@@ -1,3 +1,6 @@
 [submodule "mcc-codes"]
 	path = mcc-codes
 	url = https://github.com/greggles/mcc-codes.git
+[submodule "crypto"]
+	path = crypto
+	url = https://github.com/openemv/crypto.git

CMakeLists.txt

@@ -83,6 +83,18 @@ if(EMV_UTILS_IS_TOP_LEVEL)
 	include(CTest)
 endif()
 
+# Allow parent scope to provide crypto targets when not building shared libs
+if(EMV_UTILS_IS_TOP_LEVEL OR BUILD_SHARED_LIBS)
+	list(APPEND CRYPTO_TESTS crypto_sha crypto_rsa)
+	add_subdirectory(crypto)
+	add_subdirectory(crypto/test)
+elseif (NOT TARGET crypto_mem OR
+	NOT TARGET crypto_rand OR
+	NOT TARGET crypto_sha OR
+	NOT TARGET crypto_rsa)
+	message(FATAL_ERROR "Parent project must provide crypto libraries for static builds")
+endif()
+
 include(FindPackageHandleStandardArgs) # Provides find_package() messages
 include(GNUInstallDirs) # Provides CMAKE_INSTALL_* variables and good defaults for install()
 

README.md

@@ -84,6 +84,7 @@ Dependencies
 
 This project also makes use of sub-projects that must be provided as git
 submodules using `git clone --recurse-submodules`:
+* [OpenEMV common crypto abstraction](https://github.com/openemv/crypto)
 * [mcc-codes](https://github.com/greggles/mcc-codes)
 
 Build
@@ -336,6 +337,10 @@ See [LICENSE](https://github.com/openemv/emv-utils/blob/master/LICENSE) and
 [LICENSE.gpl](https://github.com/openemv/emv-utils/blob/master/viewer/LICENSE.gpl)
 files.
 
+This project includes [crypto](https://github.com/openemv/crypto) as a git
+submodule and it is licensed under the terms of the MIT license. See
+[LICENSE](https://github.com/openemv/crypto/blob/master/LICENSE) file.
+
 This project includes [mcc-codes](https://github.com/greggles/mcc-codes) as a
 git submodule and it is licensed under the terms of The Unlicense license. See
 [LICENSE](https://github.com/greggles/mcc-codes/blob/main/LICENSE.txt) file.

crypto

@@ -280,6 +280,10 @@ add_library(emv
 	emv_ttl.c
 	emv_app.c
 	emv_tal.c
+	emv_capk.c
+	emv_rsa.c
+	emv_oda.c
+	emv_date.c
 )
 set(emv_HEADERS # PUBLIC_HEADER property requires a list instead of individual entries
 	emv.h
@@ -291,6 +295,11 @@ set(emv_HEADERS # PUBLIC_HEADER property requires a list instead of individual e
 	emv_ttl.h
 	emv_app.h
 	emv_tal.h
+	emv_capk.h
+	emv_rsa.h
+	emv_oda.h
+	emv_oda_types.h
+	emv_date.h
 )
 set(emv_HEADERS ${emv_HEADERS} PARENT_SCOPE) # Doxygen generator requires a list of headers
 add_library(emv::emv ALIAS emv)
@@ -301,6 +310,10 @@ target_link_libraries(emv
 	PRIVATE
 		iso7816
 		iso8859
+		crypto_mem
+		crypto_rand
+		crypto_sha
+		crypto_rsa
 )
 # The EMV_PKGCONFIG_REQ_PRIV and EMV_PKGCONFIG_LIBS_PRIV variables are set
 # for the parent scope to facilitate the generation of pkgconfig files.
@@ -323,6 +336,10 @@ target_include_directories(emv
 install(
 	TARGETS
 		emv
+		crypto_mem
+		crypto_rand
+		crypto_sha
+		crypto_rsa
 	EXPORT emvUtilsTargets # For use by install(EXPORT) command
 	PUBLIC_HEADER
 		DESTINATION "include/emv"