FabInfra-Mirror/api.fabaccess-api
1
0
Fork 0
mirror of https://gitlab.com/fabinfra/fabaccess/fabaccess-api.git synced 2025-03-12 14:51:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

Describe DESFire card format

Browse Source
This commit is contained in:
Gregor Reitzenstein 2021-08-28 20:25:49 +02:00
parent 3e5ba09f10
commit d20543de34
1 changed files with 44 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
user.capnp
View File

@ -51,6 +51,50 @@ struct User
# These cards have the ability to restrict access for data on the cards using symmetric # These cards have the ability to restrict access for data on the cards using symmetric
# encryption and using a keyed Diffie-Hellman to prevent eavesdropping by any relaying # encryption and using a keyed Diffie-Hellman to prevent eavesdropping by any relaying
# party. # party.
# A card has several "applications", containing up to 32 files. A file can be read or
# written. Both kinds of access can be restricted to parties knowing a PSK, on a
# file-to-file basis.
# The current system uses File 0001 through File 0004:
#
# File 0001 allows public (i.e. unauthenticated) read access and contains the Strings
# "FABACCESS", "DESFIRE", and "1.0" as packed list of UTF-8 encoded zero-terminated strings:
# (i.e. "FABACCESS\0DESFIRE\01.0\0")
# This file serves as sort of magic identifier allowing a server to verify quickly if it is
# able to use this card at all.
#
# File 0002 too allows public read access and contains:
# - An URL-encoded name of the issuing lab as URN in the format "urn:fabaccess:lab:<labname>"
# Examples:
# - "urn:fabaccess:lab:innovisionlab"
# - "urn:fabaccess:lab:Bibliothek%20Neustadt%20Makerspace"
# - "urn:fabaccess:lab:Offene%20Werkstatt%20M%C3%A4rz"
# - A valid IRI pointing towards the bffd instance running for this lab. This uffd SHOULD be
# reachable from the internet. Using private use IP addresses or IRIs that resolve to such
# may be necessary for labs behind restrictive firewalls or due to local policy.
# The IRI MUST use the "fabaccess" scheme, and SHOULD NOT contain an userinfo, path, query,
# or fragment part.
# Examples:
# - "fabaccess://innovisionlab.de/"
# - "fabaccess://192.168.178.65"
# - "fabaccess://fabaccess-server.localnet"
# - A zero-terminated list of UTF-8 encoded IRIs giving contact options to notify the issuer
# or owner in case the card has been lost. Issuers SHOULD set one value on card creation and
# MAY allow card owners to change or add values of their choosing.
# Examples:
# - "mailto:lostcard@innovisionlab.de"
# - "https://innovisionlab.de/lostcard"
# - "https://werkstatt-märz.de/cardlost.php?action=submitcardlost"
#
# File 0003 allows public access or access using a key, at the issuers option.
# It contains a token that can be used by the home server of the card owner to identify the
# card owner. The format of the token MUST NOT be relied on by any party except the home
# server.
#
# File 0004 restricts read access to a single key known to the home server of the card
# owner.
# It is empty but by being access restricted allows the home server to validate the card as
# being genuine and thus finalizing the authentication of the user.
getTokenList @0 () -> ( tokens :List(Data) ); getTokenList @0 () -> ( tokens :List(Data) );
# Get a list of all user Token currently bound to an user. This will generally be the number # Get a list of all user Token currently bound to an user. This will generally be the number