/// <summary>
        ///
        /// </summary>
        /// <returns></returns>
        public CommandAPDU CreateExternalAuthCommand()
        {
            MemoryStream memStream = new MemoryStream();

            memStream.Write(mInitUpdateResponse, 12, 8);
            memStream.Write(mHostChallenge, 0, mHostChallenge.Length);

            byte[] hostCryptogram = CryptoUtil.FullTripleDESMAC(mSessionKeys.RetrieveKey(Key.KEY_TYPE_ENC),
                                                                CryptoUtil.BINARY_ZEROS_8_BYTE_BLOCK, CryptoUtil.DESPad(memStream.ToArray()));
            int P1 = mSecurityLevel;

            CommandAPDU externalAuth = new CommandAPDU(CLA_SECURE_GP, INS_EXT_AUTH, P1, 0x00, hostCryptogram);

            mSecureChannel = new SecureChannel(mSessionKeys, SecurityLevel.C_MAC, mSCPIdentifier,
                                               mSCPImplementationOption, CryptoUtil.BINARY_ZEROS_8_BYTE_BLOCK, CryptoUtil.BINARY_ZEROS_8_BYTE_BLOCK);
            externalAuth = mSecureChannel.wrap(externalAuth);
            return(externalAuth);
        }
Exemplo n.º 2
0
        public CommandAPDU wrap(CommandAPDU command)
        {
            // Apply R-MAC
            if ((mSecurityLevel & net.SecurityLevel.R_MAC) != 0)
            {
                if(mRMACStream != null)
                    throw new Exception("There exists an unwrapped response while R-MAC security level set. Secure channel can only work correctly if " +
                                        "for each wrapped command the corresponding response be unwrapped immediately.");
                mRMACStream = new MemoryStream();

                //Clear 3 LSB of CLA
                mRMACStream.WriteByte((byte)(command.CLA & ~0x07));
                mRMACStream.WriteByte((byte) command.INS);
                mRMACStream.WriteByte((byte) command.P1);
                mRMACStream.WriteByte((byte) command.P2);
                if (command.LC > 0)
                {
                    mRMACStream.WriteByte((byte) command.LC);
                    mRMACStream.Write(command.Data, 0, command.Data.Length);
                }

            }

            if ((mSecurityLevel & (net.SecurityLevel.C_MAC | net.SecurityLevel.C_DECRYPTION)) == 0)
                return command;

            int secureCLA = command.CLA;
            byte[] wrappedData = null;
            int wrappedDataSize = command.LC;

            MemoryStream commandStream = new MemoryStream();

            int maxCommandSize = 255;
            if ((mSecurityLevel & net.SecurityLevel.C_MAC) != 0)
                maxCommandSize -= 8;
            if ((mSecurityLevel & net.SecurityLevel.C_DECRYPTION) != 0)
                maxCommandSize -= 8;
            if(command.LC > maxCommandSize)
                throw new Exception("APDU command too large. Max command length = 255 - 8(for C-MAC if present) - 8(for C-DECRYTPION padding if present).");

            if ((mSecurityLevel & net.SecurityLevel.C_MAC) != 0)
            {
                if (mFirstCommandInChain)
                    mFirstCommandInChain = false;
                else if(mICVEncryption)
                {
                    if (mSCPIdentifier == GlobalPlatform.SCP_01)
                    {
                        mICV = CryptoUtil.TripleDESECB(new Key(mSessionKeys.MacKey.BuildTripleDesKey()), mICV,
                            CryptoUtil.MODE_ENCRYPT);
                    }
                    else
                    {
                        mICV = CryptoUtil.DESECB(new Key(mSessionKeys.MacKey.BuildDesKey()), mICV,
                            CryptoUtil.MODE_ENCRYPT);
                    }
                } // If ICV Encryption

                if (mApplyToModifiedAPDU)
                {
                    secureCLA = command.CLA | 0x04;
                    wrappedDataSize += 8;
                }

                commandStream.WriteByte((byte) secureCLA);
                commandStream.WriteByte((byte) command.INS);
                commandStream.WriteByte((byte) command.P1);
                commandStream.WriteByte((byte) command.P2);
                commandStream.WriteByte((byte) wrappedDataSize);
                commandStream.Write(command.Data, 0, command.Data.Length);
                if (mSCPIdentifier == GlobalPlatform.SCP_01)
                {
                    mICV = CryptoUtil.FullTripleDESMAC(mSessionKeys.MacKey, mICV, CryptoUtil.DESPad(commandStream.ToArray()));
                }
                else
                {
                    mICV = CryptoUtil.SingleDESFullTripleDESMAC(mSessionKeys.MacKey, mICV, CryptoUtil.DESPad(commandStream.ToArray()));
                }

                if (!mApplyToModifiedAPDU)
                {
                    secureCLA = command.CLA | 0x04;
                    wrappedDataSize += 8;
                }
                wrappedData = command.Data;
                commandStream = new MemoryStream();
            } // If C-MAC

            if (((mSecurityLevel & net.SecurityLevel.C_DECRYPTION) != 0) && command.LC > 0)
            {
                if (mSCPIdentifier == GlobalPlatform.SCP_01)
                {
                    if ((command.LC + 1)%8 != 0)
                    {
                        commandStream.WriteByte((byte) command.LC);
                        commandStream.Write(command.Data, 0, command.Data.Length);
                        byte[] paddedData = CryptoUtil.DESPad(commandStream.ToArray());
                        commandStream = new MemoryStream();
                        commandStream.Write(paddedData, 0, paddedData.Length);
                    }
                    else
                    {
                        commandStream.WriteByte((byte)command.LC);
                        commandStream.Write(command.Data, 0, command.Data.Length);
                    }
                } // If SCP '01'
                else
                {
                    byte[] paddedData = CryptoUtil.DESPad(command.Data);
                    commandStream.Write(paddedData, 0, paddedData.Length);
                }
                wrappedDataSize += (int)(commandStream.Length - command.Data.Length);
                wrappedData = CryptoUtil.TripleDESCBC(new Key(mSessionKeys.EncKey.BuildTripleDesKey()),
                    CryptoUtil.BINARY_ZEROS_8_BYTE_BLOCK, commandStream.ToArray(), CryptoUtil.MODE_ENCRYPT);
                commandStream = new MemoryStream();
            }  // If C-DECRYPTION
            commandStream.WriteByte((byte) secureCLA);
            commandStream.WriteByte((byte) command.INS);
            commandStream.WriteByte((byte) command.P1);
            commandStream.WriteByte((byte) command.P2);
            if (wrappedDataSize > 0)
            {
                commandStream.WriteByte((byte) wrappedDataSize);
                commandStream.Write(wrappedData, 0, wrappedData.Length);
            }

            if((mSecurityLevel & net.SecurityLevel.C_MAC) != 0)
                commandStream.Write(mICV, 0, mICV.Length);
            if(command.LE > 0)
                commandStream.WriteByte((byte) command.LE);
 
            return new CommandAPDU(commandStream.ToArray());
        }
        /// <summary>
        ///
        /// </summary>
        /// <param name="keys"></param>
        /// <param name="replaceExisting"></param>
        /// <param name="keyFormat"></param>
        /// <returns></returns>
        public CommandAPDU CreatePutKeyCommand(List <Key> keys, bool replaceExisting, bool addKCV, int keyFormat)
        {
            int p1;
            int p2;

            if (keyFormat == KEY_FORMAT_2)
            {
                throw new Exception("Format 2 is reserved for futrue use.");
            }
            if (keyFormat != KEY_FORMAT_1)
            {
                throw new Exception("Unknown format");
            }

            int prevId = -1;

            for (int i = 0; i < keys.Count; i++)
            {
                Key key = keys[i];
                if (i > 1)
                {
                    if (key.KeyId != prevId + 1)
                    {
                        throw new Exception("Key Identifiers must sequentially increment. See See Global Platform 2.1.1 Card Spec section 9.8.2.3.1");
                    }
                }
                prevId = key.KeyId;
            }

            if (replaceExisting)
            {
                p1 = keys[0].KeyVersion;
            }
            else
            {
                p1 = 0;
            }

            p2 = keys[0].KeyId;

            // Multiple keys
            if (keys.Count > 1)
            {
                p2 |= 0x80;
            }

            Key kek = null;

            if (mSCPIdentifier == SCP_01)
            {
                kek = new Key(mStaticKeys.KekKey.BuildTripleDesKey());
            }
            else if (mSCPIdentifier == SCP_02)
            {
                kek = new Key(mSessionKeys.KekKey.BuildTripleDesKey());
            }

            MemoryStream allKeyData = new MemoryStream();

            allKeyData.WriteByte((byte)keys[0].KeyVersion);
            for (int i = 0; i < keys.Count; i++)
            {
                Key    key          = keys[i];
                byte[] keyDataBytes = EncodeKeyData(key, kek, addKCV, keyFormat);
                allKeyData.Write(keyDataBytes, 0, keyDataBytes.Length);
            }
            CommandAPDU putKeyCommand = new CommandAPDU(CLA_GP, INS_PUT_KEY, p1, p2, allKeyData.ToArray(), 0x00);

            putKeyCommand = mSecureChannel.wrap(putKeyCommand);
            return(putKeyCommand);
        }
        /// <summary>
        /// Generates INITIALIZE UPDATE command with specified static key set.
        /// </summary>
        /// <param name="staticKeySet">Secure channel static key set</param>
        /// <param name="securityLevel">Security level. It must be a valid combination of
        /// security level bit pattern defined in <see cref="SecurityLevel"/>.</param>
        /// <param name="scpIdentifier">Secure Channel Identifier according to Global Platform 2.1.1 Card Spec section 8.6.
        /// Currently SCP '01' and SCP '02' is supported. Use <see cref="SCP_ANY"/> if you are not sure.</param>
        /// <param name="scpImplementationOption">Secure Channel Implementation Option according to
        /// Global Platform 2.1.1 Card Spec section D.1.1 for SCP '01' or section E.1.1 for SCP '02'. Use <see cref="IMPL_OPTION_ANY"/>
        /// along with <see cref="SCP_ANY"/> for Secure Channel Identifier, if you are not sure.</param>
        /// <returns>CommandAPDU for INITIALIZE UPDATE command for specified static key set</returns>
        public CommandAPDU CreateInitUpdateCommand(KeySet staticKeySet, int securityLevel, int scpIdentifier,
                                                   int scpImplementationOption)
        {
            // Validate Secure Channel Identifier
            if ((scpIdentifier != SCP_01) && (scpIdentifier != SCP_02) && (scpIdentifier != SCP_ANY))
            {
                throw new Exception(
                          "Invalid secure channel protocol identifier. Currently SCP 01 (0x01) and SCP 02 (0x02) are valid." +
                          " See Global Platform 2.1.1 Card Spec section 8.6.");
            }

            //Validate Secure Channel Implementation Option
            if (scpImplementationOption == IMPL_OPTION_ANY && scpIdentifier != SCP_ANY)
            {
                throw new Exception(
                          "Secure Channel Implementation Option IMPL_OPTION_ANY can only be used along with Secure Channel Identifier SCP_ANY.");
            }


            if (scpIdentifier == SCP_ANY)
            {
                if (scpImplementationOption != IMPL_OPTION_I_05 && scpImplementationOption != IMPL_OPTION_I_15 &&
                    scpImplementationOption != IMPL_OPTION_ANY)
                {
                    throw new Exception(
                              "Invalid implementation option. Only IMPL_OPTION_I_05, IMPL_OPTION_I_15 or IMPL_OPTION_ANY can be used along with SCP_ANY.");
                }
            }

            // Validate Secure Channel Implementation Option for SCP 01
            if (scpIdentifier == SCP_01)
            {
                if ((scpImplementationOption != IMPL_OPTION_I_05) && (scpImplementationOption != IMPL_OPTION_I_15))
                {
                    throw new Exception(
                              "Invalid implementation option for SCP 01. See Global Platform 2.1.1 Card Spec section D.1.1.");
                }
            }

            // Validate Secure Channel Implementation Option for SCP 02
            if (scpIdentifier == SCP_02)
            {
                if ((scpImplementationOption != IMPL_OPTION_I_04) && (scpImplementationOption != IMPL_OPTION_I_05) &&
                    (scpImplementationOption != IMPL_OPTION_I_0A) && (scpImplementationOption != IMPL_OPTION_I_0B) &&
                    (scpImplementationOption != IMPL_OPTION_I_14) && (scpImplementationOption != IMPL_OPTION_I_15) &&
                    (scpImplementationOption != IMPL_OPTION_I_1A) && (scpImplementationOption != IMPL_OPTION_I_1B))
                {
                    throw new Exception(
                              "Invalid implementation option for SCP 02. See Global Platform 2.1.1 Card Spec section E.1.1.");
                }

                if ((scpImplementationOption == IMPL_OPTION_I_0A) || (scpImplementationOption == IMPL_OPTION_I_0B) ||
                    (scpImplementationOption == IMPL_OPTION_I_1A) || (scpImplementationOption == IMPL_OPTION_I_1B))
                {
                    throw new Exception("Implicit secure channel can't be initialized explicitly.");
                }
            }


            mSCPIdentifier           = scpIdentifier;
            mSCPImplementationOption = scpImplementationOption;
            mStaticKeys    = staticKeySet;
            mSecurityLevel = securityLevel;


            // C-DECRYPTION allways come with C-MAC
            if ((securityLevel & SecurityLevel.C_DECRYPTION) != 0)
            {
                securityLevel |= SecurityLevel.C_MAC;
            }

            // Validate security level
            if (securityLevel != (SecurityLevel.NO_SECURITY_LEVEL) &&
                securityLevel != (SecurityLevel.C_DECRYPTION | SecurityLevel.C_MAC | SecurityLevel.R_MAC) &&
                securityLevel != (SecurityLevel.C_MAC | SecurityLevel.R_MAC) &&
                securityLevel != (SecurityLevel.R_MAC) &&
                securityLevel != (SecurityLevel.C_DECRYPTION | SecurityLevel.C_MAC) &&
                securityLevel != (SecurityLevel.C_MAC))
            {
                throw new Exception(
                          "Invalid security level. See Global Platform 2.1.1 Card Spec section E.5.2.3 or section D.4.2.3.");
            }

            // Host challenge
            mHostChallenge = new byte[8];
            RandomNumberGenerator rng = RandomNumberGenerator.Create();

            rng.GetBytes(mHostChallenge);

            // Build INITIALIZE UPDATE command
            CommandAPDU initUpdate = new CommandAPDU(CLA_GP, INS_INIT_UPDATE, staticKeySet.KeyVersion,
                                                     staticKeySet.KeyId, mHostChallenge, 0x00);

            return(initUpdate);
        }
Exemplo n.º 5
0
        /// <summary>
        /// 
        /// </summary>
        /// <param name="keys"></param>
        /// <param name="replaceExisting"></param>
        /// <param name="keyFormat"></param>
        /// <returns></returns>
        public CommandAPDU CreatePutKeyCommand(List<Key> keys, bool replaceExisting, bool addKCV, int keyFormat)
        {
            int p1;
            int p2;
            if (keyFormat == KEY_FORMAT_2)
                throw new Exception("Format 2 is reserved for futrue use.");
            if (keyFormat != KEY_FORMAT_1)
                throw new Exception("Unknown format");

            int prevId = -1;
            for (int i = 0; i < keys.Count; i++)
            {
                Key key = keys[i];
                if (i > 1)
                    if (key.KeyId != prevId + 1)
                        throw new Exception("Key Identifiers must sequentially increment. See See Global Platform 2.1.1 Card Spec section 9.8.2.3.1");
                prevId = key.KeyId;
            }

            if (replaceExisting)
                p1 = keys[0].KeyVersion;
            else
            {
                p1 = 0;
            }

            p2 = keys[0].KeyId;

            // Multiple keys
            if (keys.Count > 1)
                p2 |= 0x80;

            Key kek = null;
            if (mSCPIdentifier == SCP_01)
                kek = new Key(mStaticKeys.KekKey.BuildTripleDesKey());
            else if(mSCPIdentifier == SCP_02)
            {
                kek = new Key(mSessionKeys.KekKey.BuildTripleDesKey());
            }

            MemoryStream allKeyData = new MemoryStream();
            allKeyData.WriteByte((byte)keys[0].KeyVersion);
            for (int i = 0; i < keys.Count; i++)
            {
                Key key = keys[i];
                byte[] keyDataBytes = EncodeKeyData(key, kek, addKCV, keyFormat);
                allKeyData.Write(keyDataBytes, 0, keyDataBytes.Length);
                
            }
            CommandAPDU putKeyCommand = new CommandAPDU(CLA_GP, INS_PUT_KEY, p1, p2, allKeyData.ToArray(), 0x00);
            putKeyCommand = mSecureChannel.wrap(putKeyCommand);
            return putKeyCommand;
        }
Exemplo n.º 6
0
        /// <summary>
        /// 
        /// </summary>
        /// <returns></returns>
        public CommandAPDU CreateExternalAuthCommand()
        {
            MemoryStream memStream = new MemoryStream();
            memStream.Write(mInitUpdateResponse, 12, 8);
            memStream.Write(mHostChallenge, 0, mHostChallenge.Length);

            byte[] hostCryptogram = CryptoUtil.FullTripleDESMAC(mSessionKeys.RetrieveKey(Key.KEY_TYPE_ENC),
                CryptoUtil.BINARY_ZEROS_8_BYTE_BLOCK, CryptoUtil.DESPad(memStream.ToArray()));
            int P1 = mSecurityLevel;

            CommandAPDU externalAuth = new CommandAPDU(CLA_SECURE_GP, INS_EXT_AUTH, P1, 0x00, hostCryptogram);
            mSecureChannel = new SecureChannel(mSessionKeys, SecurityLevel.C_MAC, mSCPIdentifier,
                mSCPImplementationOption, CryptoUtil.BINARY_ZEROS_8_BYTE_BLOCK, CryptoUtil.BINARY_ZEROS_8_BYTE_BLOCK);
            externalAuth = mSecureChannel.wrap(externalAuth);
            return externalAuth;
        }
Exemplo n.º 7
0
        /// <summary>
        /// Generates INITIALIZE UPDATE command with specified static key set.
        /// </summary>
        /// <param name="staticKeySet">Secure channel static key set</param>
        /// <param name="securityLevel">Security level. It must be a valid combination of 
        /// security level bit pattern defined in <see cref="SecurityLevel"/>.</param>
        /// <param name="scpIdentifier">Secure Channel Identifier according to Global Platform 2.1.1 Card Spec section 8.6.
        /// Currently SCP '01' and SCP '02' is supported. Use <see cref="SCP_ANY"/> if you are not sure.</param>
        /// <param name="scpImplementationOption">Secure Channel Implementation Option according to
        /// Global Platform 2.1.1 Card Spec section D.1.1 for SCP '01' or section E.1.1 for SCP '02'. Use <see cref="IMPL_OPTION_ANY"/> 
        /// along with <see cref="SCP_ANY"/> for Secure Channel Identifier, if you are not sure.</param>
        /// <returns>CommandAPDU for INITIALIZE UPDATE command for specified static key set</returns>
        public CommandAPDU CreateInitUpdateCommand(KeySet staticKeySet, int securityLevel, int scpIdentifier,
            int scpImplementationOption)
        {
            // Validate Secure Channel Identifier
            if ((scpIdentifier != SCP_01) && (scpIdentifier != SCP_02) && (scpIdentifier != SCP_ANY))
                throw new Exception(
                    "Invalid secure channel protocol identifier. Currently SCP 01 (0x01) and SCP 02 (0x02) are valid." +
                    " See Global Platform 2.1.1 Card Spec section 8.6.");

            //Validate Secure Channel Implementation Option
            if (scpImplementationOption == IMPL_OPTION_ANY && scpIdentifier != SCP_ANY)
                throw new Exception(
                    "Secure Channel Implementation Option IMPL_OPTION_ANY can only be used along with Secure Channel Identifier SCP_ANY.");


            if (scpIdentifier == SCP_ANY)
            {
                if (scpImplementationOption != IMPL_OPTION_I_05 && scpImplementationOption != IMPL_OPTION_I_15 &&
                    scpImplementationOption != IMPL_OPTION_ANY)
                    throw new Exception(
                        "Invalid implementation option. Only IMPL_OPTION_I_05, IMPL_OPTION_I_15 or IMPL_OPTION_ANY can be used along with SCP_ANY.");
            }

            // Validate Secure Channel Implementation Option for SCP 01
            if (scpIdentifier == SCP_01)
                if ((scpImplementationOption != IMPL_OPTION_I_05) && (scpImplementationOption != IMPL_OPTION_I_15))
                    throw new Exception(
                        "Invalid implementation option for SCP 01. See Global Platform 2.1.1 Card Spec section D.1.1.");

            // Validate Secure Channel Implementation Option for SCP 02
            if (scpIdentifier == SCP_02)
            {
                if ((scpImplementationOption != IMPL_OPTION_I_04) && (scpImplementationOption != IMPL_OPTION_I_05) &&
                    (scpImplementationOption != IMPL_OPTION_I_0A) && (scpImplementationOption != IMPL_OPTION_I_0B) &&
                    (scpImplementationOption != IMPL_OPTION_I_14) && (scpImplementationOption != IMPL_OPTION_I_15) &&
                    (scpImplementationOption != IMPL_OPTION_I_1A) && (scpImplementationOption != IMPL_OPTION_I_1B))
                    throw new Exception(
                        "Invalid implementation option for SCP 02. See Global Platform 2.1.1 Card Spec section E.1.1.");

                if ((scpImplementationOption == IMPL_OPTION_I_0A) || (scpImplementationOption == IMPL_OPTION_I_0B) ||
                    (scpImplementationOption == IMPL_OPTION_I_1A) || (scpImplementationOption == IMPL_OPTION_I_1B))
                    throw new Exception("Implicit secure channel can't be initialized explicitly.");
            }


            mSCPIdentifier = scpIdentifier;
            mSCPImplementationOption = scpImplementationOption;
            mStaticKeys = staticKeySet;
            mSecurityLevel = securityLevel;


            // C-DECRYPTION allways come with C-MAC
            if ((securityLevel & SecurityLevel.C_DECRYPTION) != 0)
                securityLevel |= SecurityLevel.C_MAC;

            // Validate security level
            if (securityLevel != (SecurityLevel.NO_SECURITY_LEVEL) &&
                securityLevel != (SecurityLevel.C_DECRYPTION | SecurityLevel.C_MAC | SecurityLevel.R_MAC) &&
                securityLevel != (SecurityLevel.C_MAC | SecurityLevel.R_MAC) &&
                securityLevel != (SecurityLevel.R_MAC) &&
                securityLevel != (SecurityLevel.C_DECRYPTION | SecurityLevel.C_MAC) &&
                securityLevel != (SecurityLevel.C_MAC))

                throw new Exception(
                    "Invalid security level. See Global Platform 2.1.1 Card Spec section E.5.2.3 or section D.4.2.3.");

            // Host challenge
            mHostChallenge = new byte[8];
            RandomNumberGenerator rng = RandomNumberGenerator.Create();
            rng.GetBytes(mHostChallenge);

            // Build INITIALIZE UPDATE command
            CommandAPDU initUpdate = new CommandAPDU(CLA_GP, INS_INIT_UPDATE, staticKeySet.KeyVersion,
                staticKeySet.KeyId, mHostChallenge, 0x00);
            return initUpdate;
        }
        public CommandAPDU wrap(CommandAPDU command)
        {
            // Apply R-MAC
            if ((mSecurityLevel & net.SecurityLevel.R_MAC) != 0)
            {
                if (mRMACStream != null)
                {
                    throw new Exception("There exists an unwrapped response while R-MAC security level set. Secure channel can only work correctly if " +
                                        "for each wrapped command the corresponding response be unwrapped immediately.");
                }
                mRMACStream = new MemoryStream();

                //Clear 3 LSB of CLA
                mRMACStream.WriteByte((byte)(command.CLA & ~0x07));
                mRMACStream.WriteByte((byte)command.INS);
                mRMACStream.WriteByte((byte)command.P1);
                mRMACStream.WriteByte((byte)command.P2);
                if (command.LC > 0)
                {
                    mRMACStream.WriteByte((byte)command.LC);
                    mRMACStream.Write(command.Data, 0, command.Data.Length);
                }
            }

            if ((mSecurityLevel & (net.SecurityLevel.C_MAC | net.SecurityLevel.C_DECRYPTION)) == 0)
            {
                return(command);
            }

            int secureCLA = command.CLA;

            byte[] wrappedData     = null;
            int    wrappedDataSize = command.LC;

            MemoryStream commandStream = new MemoryStream();

            int maxCommandSize = 255;

            if ((mSecurityLevel & net.SecurityLevel.C_MAC) != 0)
            {
                maxCommandSize -= 8;
            }
            if ((mSecurityLevel & net.SecurityLevel.C_DECRYPTION) != 0)
            {
                maxCommandSize -= 8;
            }
            if (command.LC > maxCommandSize)
            {
                throw new Exception("APDU command too large. Max command length = 255 - 8(for C-MAC if present) - 8(for C-DECRYTPION padding if present).");
            }

            if ((mSecurityLevel & net.SecurityLevel.C_MAC) != 0)
            {
                if (mFirstCommandInChain)
                {
                    mFirstCommandInChain = false;
                }
                else if (mICVEncryption)
                {
                    if (mSCPIdentifier == GlobalPlatform.SCP_01)
                    {
                        mICV = CryptoUtil.TripleDESECB(new Key(mSessionKeys.MacKey.BuildTripleDesKey()), mICV,
                                                       CryptoUtil.MODE_ENCRYPT);
                    }
                    else
                    {
                        mICV = CryptoUtil.DESECB(new Key(mSessionKeys.MacKey.BuildDesKey()), mICV,
                                                 CryptoUtil.MODE_ENCRYPT);
                    }
                } // If ICV Encryption

                if (mApplyToModifiedAPDU)
                {
                    secureCLA        = command.CLA | 0x04;
                    wrappedDataSize += 8;
                }

                commandStream.WriteByte((byte)secureCLA);
                commandStream.WriteByte((byte)command.INS);
                commandStream.WriteByte((byte)command.P1);
                commandStream.WriteByte((byte)command.P2);
                commandStream.WriteByte((byte)wrappedDataSize);
                commandStream.Write(command.Data, 0, command.Data.Length);
                if (mSCPIdentifier == GlobalPlatform.SCP_01)
                {
                    mICV = CryptoUtil.FullTripleDESMAC(mSessionKeys.MacKey, mICV, CryptoUtil.DESPad(commandStream.ToArray()));
                }
                else
                {
                    mICV = CryptoUtil.SingleDESFullTripleDESMAC(mSessionKeys.MacKey, mICV, CryptoUtil.DESPad(commandStream.ToArray()));
                }

                if (!mApplyToModifiedAPDU)
                {
                    secureCLA        = command.CLA | 0x04;
                    wrappedDataSize += 8;
                }
                wrappedData   = command.Data;
                commandStream = new MemoryStream();
            } // If C-MAC

            if (((mSecurityLevel & net.SecurityLevel.C_DECRYPTION) != 0) && command.LC > 0)
            {
                if (mSCPIdentifier == GlobalPlatform.SCP_01)
                {
                    if ((command.LC + 1) % 8 != 0)
                    {
                        commandStream.WriteByte((byte)command.LC);
                        commandStream.Write(command.Data, 0, command.Data.Length);
                        byte[] paddedData = CryptoUtil.DESPad(commandStream.ToArray());
                        commandStream = new MemoryStream();
                        commandStream.Write(paddedData, 0, paddedData.Length);
                    }
                    else
                    {
                        commandStream.WriteByte((byte)command.LC);
                        commandStream.Write(command.Data, 0, command.Data.Length);
                    }
                } // If SCP '01'
                else
                {
                    byte[] paddedData = CryptoUtil.DESPad(command.Data);
                    commandStream.Write(paddedData, 0, paddedData.Length);
                }
                wrappedDataSize += (int)(commandStream.Length - command.Data.Length);
                wrappedData      = CryptoUtil.TripleDESCBC(new Key(mSessionKeys.EncKey.BuildTripleDesKey()),
                                                           CryptoUtil.BINARY_ZEROS_8_BYTE_BLOCK, commandStream.ToArray(), CryptoUtil.MODE_ENCRYPT);
                commandStream = new MemoryStream();
            }  // If C-DECRYPTION
            commandStream.WriteByte((byte)secureCLA);
            commandStream.WriteByte((byte)command.INS);
            commandStream.WriteByte((byte)command.P1);
            commandStream.WriteByte((byte)command.P2);
            if (wrappedDataSize > 0)
            {
                commandStream.WriteByte((byte)wrappedDataSize);
                commandStream.Write(wrappedData, 0, wrappedData.Length);
            }

            if ((mSecurityLevel & net.SecurityLevel.C_MAC) != 0)
            {
                commandStream.Write(mICV, 0, mICV.Length);
            }
            if (command.LE > 0)
            {
                commandStream.WriteByte((byte)command.LE);
            }

            return(new CommandAPDU(commandStream.ToArray()));
        }