How to use FIDESMO API to operate MIFARE DESFire® EV1 cards

Service Providers (SP) can make use of Fidesmo API methods to handle Secure Elements (SE), i.e. chips. The full Fidesmo API is documented in this page. Here some code examples are shown, they depict how SPs can make use of the three MIFARE DESFire®-related methods of that API to operate on the MIFARE DESFire® implementation of Fidesmo chips. For the sake of clarity this page shows how those requests would be built using bash, but when sent from an SP they would be of course built in the same language the SP is coded.

To fully benefit from this examples developers should have a good knowledge of DESFire® EV1® specifications. Also, readers of this material should be familiar with Fidesmo architecture, in the description of Fidesmo architecture there is a good introductory explanation of how Fidesmo works and key concepts such as Service Provider. Finally, it is strongly advised to read the doc explaining how Fidesmo enables developers to operate MIFARE DESFire® EV1 chips.

Preliminary steps

As it is explained in the description of Fidesmo architecture, SP developers must first create a Fidesmo developer account, and then create a new Fidesmo application which will be associated to the SP. The new application will be assigned an id and key, that would be the id and key used in the code snippets in the next sections. Finally, before sending requests to Fidesmo backend it is needed to setup a session between the backend and the SP (the Setup Phase mentioned in the description of Fidesmo architecture). Once the session is created the SP will have a sessionId that will be used in all the requests of that session.

Creating a MIFARE DESFire® EV1 application

As described in Fidesmo API, the creation of a MIFARE DESFire® app is done through a POST request to https://api.fidesmo.com/desfire/ev1/createApp URL. This request must carry in its body the required parameters in JSON format: AID of the application, application master key, and both key settings. All values are in hexadecimal format. Like any call to Fidesmo API, the POST request must include as headers the session ID and callback URL where the result of the request will be notified to, along with the application id and key of the application the SP is associated to (see previous section). The session ID was provided by Fidesmo backend in the service delivery request message (again, see description of Fidesmo's architecture), the callback URL can be any address the SP can listen to. The following example shows how to build and send a request to create a MIFARE DESFire® app.

        $ export APP_ID="FEDCBA98"                                 # Application id in Fidesmo dev portal
        $ export APP_KEY="01234567-ABCD-ABCD-ABCD-0123456789AB"    # Application key in Fidesmo dev portal
        $ export SESSION_ID="01234567-ABCD-ABCD-ABCD-0123456789AB" # Given by Fidesmo backend once session is established
        $ export CALLBACK_URL="http://mysp.com/operationsresults"  # Where backend shall send the op result
        $ export AID="1234AB"                                      # AID of new DESFire® application
        $ export AMK="00112233445566778899AABBCCDDEEFF"            # Application master key of new DESFire® app
        $ export KEY_SETTING_1="AB"                                # Key setting first byte
        $ export KEY_SETTING_2="CD"                                # Key setting second byte

        $ curl \
        -H "app_id: $APP_ID" \
        -H "app_key: $APP_KEY" \
        -H "sessionId: $SESSION_ID" \
        -H "callbackUrl: $CALLBACK_URL" \
        -H "Content-Type: application/json" \
        -d "{\"aid\":\"$AID\", \"amk\":\"$AMK\", \"keySetting1\": \"$KEY_SETTING_1\", \"keySetting2\": \"$KEY_SETTING_2\"}" \
        -X POST https://api.fidesmo.com/desfire/ev1/createApp
        

Sending MIFARE DESFire® EV1 APDUs to application

MIFARE DESFire® APDUs are sent as an array de strings (one per APDU) in hex format. Requests are sent to https://api.fidesmo.com/desfire/ev1/transceive URL. Fidesmo backend will send to the callbackUrl the result of each command as another array.

        $ export APP_ID="FEDCBA98"                                 # Application id in Fidesmo dev portal
        $ export APP_KEY="01234567-ABCD-ABCD-ABCD-0123456789AB"    # Application key in Fidesmo dev portal
        $ export SESSION_ID="01234567-ABCD-ABCD-ABCD-0123456789AB" # Given by Fidesmo backend once session is established
        $ export CALLBACK_URL="http://mysp.com/operationsresults"  # Where backend shall send the op result
        $ export COMMANDS="[\"01234567\", \"89ABCDEF\"]"           # DESFire APDU commands, hex format

        $ curl \
        -H "app_id: $APP_ID" \
        -H "app_key: $APP_KEY" \
        -H "sessionId: $SESSION_ID" \
        -H "callbackUrl: $CALLBACK_URL" \
        -H "Content-Type: application/json" \
        -d "{\"commands\": $COMMANDS}" \
        -X POST https://api.fidesmo.com/desfire/ev1/transceive
        

Reply will contain a JSON document with a responses field. Each String in responses is a response in HEX format. Responses are in the same order than the original MIFARE DESFire® commands that were sent to the backend.

Deleting a MIFARE DESFire® EV1 application

Requests to delete MIFARE DESFire® applications are similar to the ones to create them, but with less parameters. It only requires the application AID and AMK (to check that the user requesting the app is its owner). Requests are sent to https://api.fidesmo.com/desfire/ev1/deleteApp URL. Code would be as follows:

        $ export APP_ID="FEDCBA98"                                 # Application id in Fidesmo dev portal
        $ export APP_KEY="01234567-ABCD-ABCD-ABCD-0123456789AB"    # Application key in Fidesmo dev portal
        $ export SESSION_ID="01234567-ABCD-ABCD-ABCD-0123456789AB" # Given by Fidesmo backend once session is established
        $ export CALLBACK_URL="http://mysp.com/operationsresults"  # Where backend shall send the op result
        $ export AID="1234AB"                                      # AID of new DESFire® application
        $ export AMK="00112233445566778899AABBCCDDEEFF"            # Application master key of new DESFire® app
        $ export KEY_SETTING_1="AB"                                # Key setting first byte
        $ export KEY_SETTING_2="CD"                                # Key setting second byte

        $ curl \
        -H "app_id: $APP_ID" \
        -H "app_key: $APP_KEY" \
        -H "sessionId: $SESSION_ID" \
        -H "callbackUrl: $CALLBACK_URL" \
        -H "Content-Type: application/json" \
        -d "{\"aid\":\"$AID\", \"amk\":\"$AMK\"}" \
        -X POST https://api.fidesmo.com/desfire/ev1/deleteApp
        

NXP®, MIFARE, and DESFire® are registered trademarks of NXP® B.V. and are used under license.