terminal authentication on national ID smartcard

Hi,

I am working on android application, that should use my national ID smartcard, in order to authenticate with web server, using one of two available certificates on ID (one is for authentication, the other is for encryption).
Smartcard is NXP, compatible with Java Card v3.0.4 (detail from public tender).

Issuer provided only IDProtect middleware for Windows, so no much information available for Android defelopers.

I logged APDUs during web session, when my ID is used on Win10 PC and supported smartcard reader, along with IDProtect middleware. What I can see, is following content (only interesting part):

Select MF
Select AppId ChipDoc
MSe-Set (CRT KAT) 00 22 41 A6 89 80 01 9B 83 01 8E 91 81 80 <128-byte data>
Get Data SDO 00 CB 3F FF 06 4D 04 A6 02 91 00 00

Everything is much likely IAS ECC 5.2.3.1 Set the privacy protection (but only that 1st phase), much like IFD and ICC exchange ephemeral keys.

After that, two secure messages:

Select some EF/DF
Verify 0C 20 02 01 18 ...

I am not sure (at the moment) what DF is selected in Select APDU, but Verify APDU possibly relates to PIN entered for authentication certificate, as happens after PIN is entered during web session, for certificate selected (web server requires client authentication...).

As not in posession of vendor documentation, I can only follow IAS ECC documentation. It stated, that for Terminal authentication (privacy protection phase), IFD should send PuK.IFD.DH to ICC. In order to create PuK.IFD.DH, IFD need to read DH parameters (p, g, q) from ICC (IAS ECC stated that these parameters should be read from certain EF.DH under root, using Read BINARY APDU, or through 3 separated Read DATA SDO APDUs (for p, g and q). Anyway, in logged APDUs (from the moment when smartcard is inserted in reader), I cannot find any Read BINARY command that relates to reading of EF.DH, but also I cannot find any Read DATA SDO commands (3), which are reading p, g and q (they should be of 128, 128 and 20 bytes, if I am not wrong).

I also do not know, what Verify APDU with P1P2 as 0201 mean (can only assume that PIN is sent for verification).

After these messages, I can see following:

Verify (PIN devalidation) 00 20 FF 01
Select MF
Get Challenge (returned 8 bytes from ICC)
Verify 00 20 03 01 0C <apdu_data>

One more Verify, with 0301 parameters, which I cannot understand.

This is only authentication part, after which comes several Mse-Set CRT CT with pair of PSO Decipher messages (due to TLS v1.2 and v1.3), RAPDU of last PSO Decipher contains 256byte packet, that is sent from web client to web server, during client's Certificate Verify message).

So, here are my questions:
1. Anyone could help with explenation about Verify 0201 and Verify 0301 messages?
2. Anyone has an idea, how IFD communicate with ICC, without reading p, g, q DH parameters? Could it be possible, that IDProtect middleware has hard coded p,g,q parameters, and does not need to read EF.DH, as stated by IAS ECC?

3. Anyone could help with explanation of this authentication process, as it is not as IAS-ECC states (at least not as stated in IAS ECC v1.0.1 chapter 5.2.3 Device authentication with privacy protection.