From: Michael S. <mst...@co...> - 2013-03-03 21:46:51
The JCOP cards have a pre-personalization configuration option which can be set to prevent the use of GET DATA unless authenticated. In general, if a JCOP card supports SCP02, it will support the 0x15 set of options for that protocol.

At 10:40 AM 3/3/2013, Karsten Ohme wrote:
> Hi Colin,
>
> I think I know the problem. I try to find out which cryptographic protocols the card is using with a GET DATA command. So your card is not supporting this. Please use the helloInstallJCOP21OrJTopV15.txt example, as a template.
>
> -scp 2 -scpimpl 0x15 might be the important switches to open_sc:
>
> open_sc -scp 2 -scpimpl 0x15 -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f
>
> Please try it out,
>
> BR,
> Karsten

_______________________________________________
Globalplatform-users mailing list
Glo...@li...
https://lists.sourceforge.net/lists/listinfo/globalplatform-users
From: Colin O'F. <co...@ne...> - 2013-03-03 18:01:19
Wonderful - everything works with adding those two switches! Thanks for your help.

From: Karsten Ohme [mailto:wid...@t-...]
Sent: March-03-13 11:41 AM
To: glo...@li...
Subject: Re: [Globalplatform-users] JCOP V4.1 Card (NXP J2A040)

Hi Colin,

I think I know the problem. I try to find out which cryptographic protocols the card is using with a GET DATA command. So your card is not supporting this. Please use the helloInstallJCOP21OrJTopV15.txt example, as a template.

-scp 2 -scpimpl 0x15 might be the important switches to open_sc:

open_sc -scp 2 -scpimpl 0x15 -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f

Please try it out,

BR,
Karsten
From: Karsten O. <wid...@t-...> - 2013-03-03 15:40:49
Hi Colin,

I think I know the problem. I try to find out which cryptographic protocols the card is using with a GET DATA command. So your card is not supporting this. Please use the helloInstallJCOP21OrJTopV15.txt example, as a template.

-scp 2 -scpimpl 0x15 might be the important switches to open_sc:

open_sc -scp 2 -scpimpl 0x15 -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f

Please try it out,

BR,
Karsten
From: Colin O'F. <co...@ne...> - 2013-03-02 00:03:56
Hello,

Just thought I'd update this thread. My vendor sent me two new cards, which were personalized, so I think that was the ultimate solution.

But when I try doing anything I get an error:

mode_211
enable_trace
establish_context
card_connect -readerNumber 1
select -AID a000000003000000
Command --> 00A4040008A000000003000000
Wrapped command --> 00A4040008A000000003000000
Response <-- 6F658408A000000003000000A5599F6501FF9F6E06479100783300734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040215650B06092B8510864864020103660C060A2B060104012A026E01029000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
Command --> 80CA006600
Wrapped command --> 80CA006600
Response <-- 6985
GP211_get_secure_channel_protocol_details() returns 0x80206985 (6985: Command not allowed - Conditions of use not satisfied.)

jcManager here (http://www.brokenmill.com/2010/03/java-secure-card-manager/) with the same settings worked fine, its output was:

Open terminal ...
EstablishContext(): ...
Wait for card in a certain reader ...
Pick reader ...
**********************
Selecting Card Manager
***********************
-> 00 A4 04 00 08 A0 00 00 00 03 00 00 00
<- 6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65 01 FF 9F 6E 06 47 91 00 78 33 00 73 4A 06 07 2A 86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B 02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64 0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09 2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01 04 01 2A 02 6E 01 02 90 00
************
Init Update
*************
-> 80 50 00 00 08 26 6C 8E 3C 10 69 39 05
<- 00 00 12 02 10 25 60 95 66 19 FF 02 00 02 59 8D D3 96 1B FD CC 97 F9 DF 4F 2A 6C E2 90 00
HostChallenge: 26 6C 8E 3C 10 69 39 05
CardChallenge: 59 8D D3 96 1B FD
Card Calculated Card Cryptogram: CC 97 F9 DF 4F 2A 6C E2
Derivation Data is 01 82 00 02 00 00 00 00 00 00 00 00 00 00 00 00
Host Cryptogram Data (to encrypt) 00 02 59 8D D3 96 1B FD 26 6C 8E 3C 10 69 39 05 80 00 00 00 00 00 00 00
Card Cryptogram Data (to encrypt for verification) 26 6C 8E 3C 10 69 39 05 00 02 59 8D D3 96 1B FD 80 00 00 00 00 00 00 00
S_ENC: AD C1 16 3B A2 A1 47 FB B8 4B F4 4C 86 76 FB 7D AD C1 16 3B A2 A1 47 FB
The Current session MAC key is 3E 06 B1 C8 FC FD 78 8A 57 3B 9A 98 89 D0 CA 50
The Current session DEK key is FC 01 09 6B 6D B1 3A DE E0 D4 CB 61 D0 3F D3 AA
Encrypted CardCryptoGram is 4F FC F3 9B 4A 25 56 A2 1B 69 AA 91 D8 E3 D7 44 CC 97 F9 DF 4F 2A 6C E2
Encrypted HostCryptoGram is D8 F5 B8 41 93 59 A6 45 E1 2D 3A 9A 0A 03 13 CD 5F 64 BB 10 3F 4F 87 19
-> 84 82 03 00 10 5F 64 BB 10 3F 4F 87 19 21 48 9B A9 BF 0B F8 34
<- 90 00
Authenticated

While I can use this other tool, if anyone has an idea why GPShell didn't work it might be useful for future users to note in the wiki and/or fix?

Regards,

-Colin
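The jcManager trace in the message above contains everything needed to re-derive the SCP02 session keys and check both cryptograms, because the static key is the well-known default 40 41 ... 4f. The following Python is an added example (not GPShell or jcManager code) that does exactly that: it parses the INITIALIZE UPDATE response, derives S-ENC, the C-MAC session key and the session DEK with the derivation constants from the GlobalPlatform Card Specification 2.1.1 (0x0182, 0x0101, 0x0181), verifies the card cryptogram and computes the host cryptogram that opens the EXTERNAL AUTHENTICATE command. The challenge and response bytes are copied from the trace; the 3DES primitive is assumed to come from either the `cryptography` or the `pycryptodome` package, whichever is installed.

```python
import hmac

# SCP02 session-key derivation constants (GlobalPlatform Card Spec 2.1.1, appendix E)
DERIV_ENC = b"\x01\x82"  # S-ENC: cryptograms and command data encryption
DERIV_MAC = b"\x01\x01"  # C-MAC session key
DERIV_DEK = b"\x01\x81"  # session DEK (key wrapping)

# The default test key used throughout the thread (40 41 ... 4f).
DEFAULT_KEY = bytes.fromhex("404142434445464748494a4b4c4d4e4f")

# Values copied from the jcManager trace in the message above.
TRACE_HOST_CHALLENGE = bytes.fromhex("266c8e3c10693905")
TRACE_INIT_UPDATE_RESPONSE = bytes.fromhex(
    "00001202102560956619"  # key diversification data (10 bytes)
    "ff"                    # key version number
    "02"                    # secure channel protocol identifier: SCP02
    "0002"                  # sequence counter
    "598dd3961bfd"          # card challenge (6 bytes)
    "cc97f9df4f2a6ce2"      # card cryptogram (8 bytes)
)


def des3_cbc_encrypt(key16: bytes, data: bytes) -> bytes:
    """2-key 3DES in CBC mode with a zero IV (the SCP02 ICV); data must be block-aligned."""
    if len(key16) != 16 or len(data) % 8:
        raise ValueError("key must be 16 bytes and data a multiple of 8 bytes")
    key24 = key16 + key16[:8]  # K1 K2 K1
    iv = bytes(8)
    try:
        try:  # cryptography >= 43 moved TripleDES into the 'decrepit' namespace
            from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
        except ImportError:
            from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
        from cryptography.hazmat.primitives.ciphers import Cipher, modes
        enc = Cipher(TripleDES(key24), modes.CBC(iv)).encryptor()
        return enc.update(data) + enc.finalize()
    except ImportError:
        from Crypto.Cipher import DES3  # pycryptodome fallback
        return DES3.new(key24, DES3.MODE_CBC, iv=iv).encrypt(data)


def parse_initialize_update(resp: bytes) -> dict:
    """Split the 28-byte SCP02 INITIALIZE UPDATE response (without SW) into its fields."""
    if len(resp) != 28 or resp[11] != 0x02:
        raise ValueError("not an SCP02 INITIALIZE UPDATE response")
    return {
        "key_diversification": resp[:10],
        "key_version": resp[10],
        "sequence_counter": resp[12:14],
        "card_challenge": resp[14:20],
        "card_cryptogram": resp[20:28],
    }


def derive_session_key(static_key: bytes, constant: bytes, seq_counter: bytes) -> bytes:
    """Session key = 3DES-CBC(static key, constant || sequence counter || 12 zero bytes)."""
    derivation_data = constant + seq_counter + bytes(12)
    return des3_cbc_encrypt(static_key, derivation_data)


def pad80(data: bytes) -> bytes:
    """ISO 9797-1 method 2 padding: 0x80 then zeros up to a multiple of 8 bytes."""
    padded = data + b"\x80"
    return padded + bytes(-len(padded) % 8)


def cryptogram(s_enc: bytes, data: bytes) -> bytes:
    """SCP02 cryptogram: last block of 3DES-CBC over the padded challenge data."""
    return des3_cbc_encrypt(s_enc, pad80(data))[-8:]


def verify_card_cryptogram(enc_key: bytes, host_challenge: bytes, resp: bytes) -> dict:
    """Re-derive S-ENC, check the card's cryptogram and compute the host cryptogram."""
    f = parse_initialize_update(resp)
    s_enc = derive_session_key(enc_key, DERIV_ENC, f["sequence_counter"])
    expected = cryptogram(s_enc, host_challenge + f["sequence_counter"] + f["card_challenge"])
    host_cryptogram = cryptogram(s_enc, f["sequence_counter"] + f["card_challenge"] + host_challenge)
    return {
        "s_enc": s_enc,
        "card_cryptogram_ok": hmac.compare_digest(expected, f["card_cryptogram"]),
        "host_cryptogram": host_cryptogram,
    }


if __name__ == "__main__":
    result = verify_card_cryptogram(DEFAULT_KEY, TRACE_HOST_CHALLENGE, TRACE_INIT_UPDATE_RESPONSE)
    seq = parse_initialize_update(TRACE_INIT_UPDATE_RESPONSE)["sequence_counter"]
    print("S-ENC          :", result["s_enc"].hex())
    print("S-MAC          :", derive_session_key(DEFAULT_KEY, DERIV_MAC, seq).hex())
    print("S-DEK          :", derive_session_key(DEFAULT_KEY, DERIV_DEK, seq).hex())
    print("card cryptogram:", "valid" if result["card_cryptogram_ok"] else "INVALID")
    print("host cryptogram:", result["host_cryptogram"].hex())
```

The derived S-ENC and host cryptogram are the values jcManager printed (AD C1 16 3B ... and 5F 64 BB 10 3F 4F 87 19). The defender's reading of this is that an SCP02 channel is only as secret as its static key set: with the default key, every session key and both cryptograms are reproducible from a passive trace, so replacing the default keys during personalization is what actually makes the channel meaningful.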
From: Karsten O. <wid...@t-...> - 2013-01-23 09:55:24
Hi,

I'm not familiar with the process. Maybe you can contact the people where you bought the card or the NXP or whoever is the manufacturer.

I have corrected the error in the Wiki. The new wiki is on:
https://sourceforge.net/p/globalplatform/wiki/GPShell/
SourceForge wanted to shut down the old wiki. At the moment the information should be the same on both wikis.

BR,
Karsten
From: Colin O'F. <co...@ne...> - 2013-01-22 23:42:48
Hello,

I have a J2A040 card which I was trying to get working. This was previously discussed, it looked like, in this thread: http://sourceforge.net/mailarchive/forum.php?thread_name=4E13B1D3.7050604%40t-online.de&forum_name=globalplatform-users . My results are basically identical to that.

The results of the JCOP IDENTIFY command are:
04 31 00 33 00 00 00 00 4E 58 30 31 31 43 00 03 39 F8 73 6A 82

This suggests the card is not fused. The thread states that is bad, but the wiki the opposite way around (at http://sourceforge.net/apps/mediawiki/globalplatform/index.php?title=GPShell ).

Is it bad the card isn't fused, and what should I do? They are brand new, but when I checked with the vendor they said the only key they knew of was the default keys (40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f). I'm new to the JavaCard world so not 100% sure of the next steps & would appreciate any guidance.

Thanks for your help,

-Colin O'Flynn
From: GreenPost <he...@gr...> - 2012-09-05 16:07:33
GreenPost offers following bills from Singapore at ONE place - *StarHub, M1, SingTel, Singapore Power, NUSS, Keppel Club, SunPage, Sg Swimming Club, Phoenix Comms, ZONE Telecom, Temasek Club, American Club, MyRepublic, NSRCC.* Introducing GreenPost Our brand new service lets you manage and analyse all your bill, online and on mobile. 1- Organise electricity, telephone, internet and club bills all in one place. 2- Help the environment and never print another paper bill again! 3- Use our awarded iOS and Android Apps to check your bills on the go. What are you waiting for? Sign up in just 5 minutes. <https://www.gogreenpost.com/#signup> * check out more details at http://www.gogreenpost.com You’re receiving this email because you requested to be notified about GreenPost. --- www.gogreenpost.com If you do not to intend receive, you can unsubscribe using http://mail.greenasia1.com/lists/?p=unsubscribe&uid=cdfdcf3425ada7a00151a751ac5ff96a or you can change your preferences using http://mail.greenasia1.com/lists/?p=preferences&uid=cdfdcf3425ada7a00151a751ac5ff96a.Thank you. |
From: GreenPost <Gre...@ma...> - 2012-06-19 11:44:01
Having trouble reading this email? View it in your browser - http://cts.vresp.com/c/?GreenPost/e24e4a4cd7/50036793c6/f95f58a2b9 Do you have the hassle of paper bill clutter? Losing bills or forgetting to pay? Struggling to deal with remembering all those different usernames and passwords? - http://cts.vresp.com/c/?GreenPost/e24e4a4cd7/50036793c6/93c848897b - http://cts.vresp.com/c/?GreenPost/e24e4a4cd7/50036793c6/bc2545cec4 --> Do you have the hassle of paper bill clutter? Losing bills or forgetting to pay? Struggling to deal with remembering all those different usernames and passwords? - http://cts.vresp.com/c/?GreenPost/e24e4a4cd7/50036793c6/e4b04472a7 --> - http://cts.vresp.com/c/?GreenPost/e24e4a4cd7/50036793c6/1d9e34e71d Stress no more. Introducing GreenPost. GreenPost offers following bills from Singapore at ONE place- SingTel, M1, StarHub, SP Services, SunPage, Phoenix, NUSS Alumni club, Keppel Club, Singapore Swimming Club. Many more to come soon from Singapore. Full list of bills GreenPost is the revolutionary FREE service that automatically gives you all your e-bills in ONE place. GreenPost has removed all the hassles of e-billing so you can relax. All your current bills for payment and all your archived bills for your records are available to you anytime. - http://cts.vresp.com/c/?GreenPost/e24e4a4cd7/50036793c6/13a3b73983 Other popular features include bill and due date reminders and spending analysis & comparison so you can track your spending. Plus GreenPost is Asia's Top 50 Apps 'Solution of the Year. - http://cts.vresp.com/c/?GreenPost/e24e4a4cd7/50036793c6/8e605a7d6d GreenPost is your one place to manage all your bills.Save time and remove paper clutter. 
- http://cts.vresp.com/c/?GreenPost/e24e4a4cd7/50036793c6/d8e3f4524c So join the community and set up your - http://cts.vresp.com/c/?GreenPost/e24e4a4cd7/50036793c6/c26ae08432 free GreenPost account * check out more details at www.gogreenpost.com - http://cts.vresp.com/c/?GreenPost/e24e4a4cd7/50036793c6/a61681ab7e Full list of bills# • Singapore - StarHub, M1, SingTel, Singapore Power, NUSS, Keppel Club, SunPage, Sg Swimming Club, Phoenix Comms. • Malaysia - Maxis, Digi, TNB, Astro, Celcom, U Mobile. • Australia - Optus, Telstra, 3Mobile, CityLink, Lumo Energy • USA - AT&T. • Philippines - Globe, Meralco. • Indonesia - Telkom. • Sri Lanka - Dialog. • United Arab Emirates - du, Salik, Etisalat, Dewa. Learn more about GreenPost here - http://cts.vresp.com/c/?GreenPost/e24e4a4cd7/50036793c6/cb0b7b0c76 - http://cts.vresp.com/c/?GreenPost/e24e4a4cd7/50036793c6/96ab9de777 - http://cts.vresp.com/c/?GreenPost/e24e4a4cd7/50036793c6/2646ffd348 - http://cts.vresp.com/c/?GreenPost/e24e4a4cd7/50036793c6/3cee460217 P.S: For your convenience, you can find the QR codes for the download here: ______________________________________________________________________ Click to view this email in a browser http://hosted.verticalresponse.com/1183287/e24e4a4cd7/547400377/50036793c6/ If you no longer wish to receive these emails, please reply to this message with "Unsubscribe" in the subject line or simply click on the following link: http://cts.vresp.com/u?e24e4a4cd7/50036793c6/mlpftw ______________________________________________________________________ This message was sent by GreenPost using VerticalResponse GreenPost 401 Macpherson Singapore, 368125 Singapore Read the VerticalResponse marketing policy: http://www.verticalresponse.com/content/pm_policy.html |
From: Karsten O. <wid...@t-...> - 2012-01-01 14:46:22
|
Hi Saman,

The GX4 supports the SCP01 and SCP02 secure channel protocols. So it should be supported by GlobalPlatform (if there is no bug). Try the SCP02 scheme. But the Gemalto card might be using a key derivation scheme, i.e. the real key is derived from a master key. Look at the file helloInstallgemXpressoProR3_2E64.txt in GPShell:

mode_201
enable_trace
enable_timer
establish_context
card_connect
select -AID A000000018434D00
open_sc -security 3 -keyind 0 -keyver 0 -key 47454d5850524553534f53414d504c45 -keyDerivation visa2 // Open secure channel
delete -AID D0D1D2D3D4D50101
delete -AID D0D1D2D3D4D501
delete -AID D0D1D2D3D4D50101
install -file helloworld.cap -sdAID A000000018434D00 -nvCodeLimit 4000
card_disconnect
release_context

You can look into the GPShell source code how to program it.

Maybe you also have used the wrong AID for the Issuer Security Domain. Some former Gemaltos were using A000000018434D00. Check this out.

The wrong ATR can be really a bug. Maybe it is also the case that the card has a contactless and a contact interface. So the card has 2 ATRs. To which interface are you connecting? So you might be connecting the different interfaces. But this should not cause any trouble to the mutual authentication.

And be careful. After 10 or less tries your card is locked, so you have to get a new one. If you have another tool which works for the authentication case use it in between to reset the counter. If you don't have such a tool several cards are good, so you can make a note on each card how many attempts have failed and use a different one to have less damage.

Good luck,
Karsten

On 01.01.2012 07:27, saman delfani wrote:
> Hello Mr. Karsten Ohme
>
> I have special thanks for your development on Java cards, because when I saw your development, I understood it's very powerful and helpful and it's really integrated way.
>
> My name is Sam Delfani and I'm a new developer for Java cards. I studied Sun documents for developing Java applets and I wrote my first application to Java cards. Also I could simulate it in JCWDE in Eclipse plugins and built the CAP file for my test project.
>
> I read some technologies to transfer my application to real Java card but I couldn't succeed. My real Java card is a Gemalto GX4 and then when I saw its features I understood that Global Platform is a way to transfer my application to real Java card and in this situation I used your platform and I could develop your GP PCSC Connection Plugin and I could see list readers and everything was true. So I tried to develop your platform to transfer Java application but I couldn't because based on your development in "globalplatformTest.c" the fourth step is "internal_mutual_authentication" but it returned "error=FFFFFFFF80302000(The verification of the card cryptogram failed.)". Also I think there is another problem. The ATR is different from ATR in Gemalto "Gem_PCSC.exe" utility because in "Gem_PCSC" utility I got "ATR = 3B 6D 00 00 80 31 80 65 B0 84 01 00 C8 83 00 90 00" but with Global Platform I got some different ATRs with every execution like C3BF3BC, ...
>
> Do you know where my problem is?
>
> I'm looking forward to hearing from you.
>
> Sam |
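A worked example, added here and not part of the original mail or of GPShell: an ISO 7816-3 ATR decoder run over the two ATRs that appear in this thread, the Gemalto GX4 ATR Saman quoted from Gem_PCSC and the JCOP ATR from the 29 Aug 2011 debug trace further down the page. Decoding makes the differences concrete: which transmission protocol the card offers (T=0 only, or T=1), its interface bytes, the historical bytes (the JCOP ones spell out the OS name), and whether the TCK check byte verifies. A card with a contact and a contactless interface answers with two different ATRs, and comparing the decoded form is the quickest way to see which one a tool actually received. Function and key names are this example's own.

```python
"""Decode an ISO 7816-3 Answer To Reset (ATR).

Added example (not GPShell code): splits an ATR into TS, T0, the
interface bytes TA(k)..TD(k), the historical bytes and the optional
TCK check byte, and reports which transmission protocols are offered.
"""


def parse_atr(atr_hex):
    """Return a dict describing the ATR given as a hex string (spaces allowed)."""
    atr = bytes.fromhex(atr_hex.replace(" ", ""))
    if len(atr) < 2:
        raise ValueError("ATR needs at least TS and T0")
    ts = atr[0]
    if ts not in (0x3B, 0x3F):           # 3B = direct convention, 3F = inverse
        raise ValueError("unknown TS byte 0x%02X" % ts)
    t0 = atr[1]
    hist_len = t0 & 0x0F                 # K: number of historical bytes
    y = t0 >> 4                          # Y1: which of TA1..TD1 follow
    interface = {}
    protocols = set()
    pos, k = 2, 1
    while y:
        td = None
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated inside interface bytes")
                interface["%s%d" % (name, k)] = atr[pos]
                if name == "TD":
                    td = atr[pos]
                pos += 1
        if td is None:                   # no TD(k): no further interface bytes
            break
        protocols.add(td & 0x0F)         # low nibble of TD(k): protocol type T
        y = td >> 4                      # high nibble of TD(k): Y(k+1)
        k += 1
    if not protocols:
        protocols = {0}                  # no TD1 at all means T=0 only
    historical = atr[pos:pos + hist_len]
    if len(historical) != hist_len:
        raise ValueError("ATR truncated inside historical bytes")
    pos += hist_len
    tck_ok = None
    if protocols != {0}:                 # TCK is present unless only T=0 is offered
        if pos >= len(atr):
            raise ValueError("TCK missing")
        xor = 0
        for b in atr[1:pos + 1]:         # T0 .. TCK inclusive must XOR to zero
            xor ^= b
        tck_ok = (xor == 0)
        pos += 1
    if pos != len(atr):
        raise ValueError("%d trailing byte(s) after ATR" % (len(atr) - pos))
    return {
        "ts": ts,
        "protocols": sorted(protocols),
        "interface": interface,
        "historical": historical.hex(),
        "historical_ascii": historical.decode("ascii", "replace"),
        "tck_ok": tck_ok,
    }


if __name__ == "__main__":
    # Both ATRs are quoted in this thread: the Gemalto GX4 one from Gem_PCSC
    # and the JCOP one from the 29 Aug 2011 GPShell trace.
    for atr in ("3B 6D 00 00 80 31 80 65 B0 84 01 00 C8 83 00 90 00",
                "3BFD1800008131FE4550565F4A434F50323176323332E7"):
        print(parse_atr(atr))
```

The Gemalto ATR has no TD1, so it offers T=0 only and carries no TCK; the JCOP ATR offers T=1 through TD1 and TD2, its historical bytes read "PV_JCOP21v232", and the TCK verifies. A value like "C3BF3BC" is not a valid ATR at all (it is not even an even number of hex digits), which is why comparing decoded ATRs rather than raw strings is the useful check.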
From: Marcel C. <mco...@gm...> - 2011-09-06 18:45:53
|
Hi,

I finally was able to establish the secure channel with the ISD on my card and to communicate from my applet to the off-card entity through it. The problem was the missing 'mode_211' in the script, thanks Karsten.

Now I'm trying to do the same but using this time the Supplementary Security Domain (SSD) in my card. The load file for the SSD was indeed preinstalled in the card so I just issued an install_for_install command in order to get it ready for use. The following script ended successfully:

mode_211
enable_trace
enable_timer
establish_context
card_connect
select -AID a000000003000000
open_sc -security 3 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
install_for_install -priv 128 -pkgAID A0000000035350 -AID A000000003535041 -instAID A000000003535041
card_disconnect
release_context

The number "a000000003000000" is the AID for the CardManager as we know and "A0000000035350" and "A000000003535041" are the AIDs for the SSD's load file and module respectively.

After this I've been trying unsuccessfully to install my applet associating it to the SSD. I use the sdAID option in the install command for the applet as Karsten suggested in a previous thread but every time I get the error

install_for_load() returns 0x80206985 (6985: Command not allowed - Conditions of use not satisfied)

after issuing the install command. Here is the script used and a section of the debug trace corresponding to the install operations:

--------------------------------------------------------------------------------------
mode_211
enable_trace
enable_timer
establish_context
card_connect
select -AID a000000003000000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
delete -AID F00000006203010C0101 // remove applet if previously installed
delete -AID F00000006203010C01 // remove applet module if previously
install -file MyApplet.cap -sdAID A000000003535041 -instParam 05080510001D3333726314155697 -priv 2
#getdata
# close_sc // Close secure channel
# putkey // Put key
// options:
// -keyind Key index
// -keyver Key version
// -key Key value in hex
card_disconnect
release_context
--------------------------------------------------------------------------------

06/09 13:22:27 +read_executable_load_file_parameters in loadfile.c at line 422 : start
06/09 13:22:27 +handle_load_file in loadfile.c at line 47 : start
06/09 13:22:27 +detect_cap_file in loadfile.c at line 380 : start
06/09 13:22:27 Magic: 0x50 0x4b
06/09 13:22:27 File is a CAP file.
06/09 13:22:27 -detect_cap_file in loadfile.c at line 409 : end status 0, error code(0x0): Success
06/09 13:22:27 +extract_cap_file in loadfile.c at line 151 : start
06/09 13:22:27 extract_cap_file: Try to open cap file VotingCard.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content META-INF/MANIFEST.MF
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/Header.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/Directory.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/Applet.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/Import.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/ConstantPool.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/Class.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/Method.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/StaticField.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/RefLocation.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/Descriptor.cap
06/09 13:22:27 extract_cap_file: Successfully extracted cap file VotingCard.cap
06/09 13:22:27 -extract_cap_file in loadfile.c at line 366 : end status 0, error code(0x0): Success
06/09 13:22:27 -handle_load_file in loadfile.c at line 90 : end status 0, error code(0x0): Success
06/09 13:22:27 +handle_load_file in loadfile.c at line 47 : start
06/09 13:22:27 +detect_cap_file in loadfile.c at line 380 : start
06/09 13:22:27 Magic: 0x50 0x4b
06/09 13:22:27 File is a CAP file.
06/09 13:22:27 -detect_cap_file in loadfile.c at line 409 : end status 0, error code(0x0): Success
06/09 13:22:27 +extract_cap_file in loadfile.c at line 151 : start
06/09 13:22:27 extract_cap_file: Try to open cap file VotingCard.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content META-INF/MANIFEST.MF
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/Header.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/Directory.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/Applet.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/Import.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/ConstantPool.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/Class.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/Method.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/StaticField.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/RefLocation.cap
06/09 13:22:27 extract_cap_file: Allocating buffer size for cap file content Smartmatic/SAES/SmartCard/VotingCard/javacard/Descriptor.cap
06/09 13:22:27 extract_cap_file: Successfully extracted cap file VotingCard.cap
06/09 13:22:27 extract_cap_file: Copying extracted cap file contents into buffer
06/09 13:22:27 extract_cap_file: Buffer copied.
06/09 13:22:27 -extract_cap_file in loadfile.c at line 366 : end status 0, error code(0x0): Success
06/09 13:22:27 -handle_load_file in loadfile.c at line 90 : end status 0, error code(0x0): Success
06/09 13:22:27 +read_executable_load_file_parameters_from_buffer in loadfile.c at line 522 : start
06/09 13:22:27 Package AID Length: 9
06/09 13:22:27 Package AID: F00000006203010C01
06/09 13:22:27 Applet count: 1
06/09 13:22:27 Applet AID: F00000006203010C0101
06/09 13:22:27 -read_executable_load_file_paramaters_from_buffer in loadfile.c at line 658 : end status 0, error code(0x0): Success
06/09 13:22:27 -read_executable_load_file_paramaters in loadfile.c at line 449 : end status 0, error code(0x0): Success
06/09 13:22:27 +install_for_load in globalplatform.c at line 2118 : start
06/09 13:22:27 +get_load_data in loadfile.c at line 687 : start
06/09 13:22:27 get_load_data: Gathered data : 02009B09F00000006203010C0108A0000000035350410006EF04C6020B70
06/09 13:22:27 -get_load_data in loadfile.c at line 760 : end status 0, error code(0x0): Success
06/09 13:22:27 +OPGP_send_APDU in connection.c at line 210 : start
06/09 13:22:27 OPGP_send_APDU: Command --> 80E602001C09F00000006203010C0108A0000000035350410006EF04C6020B700000
06/09 13:22:27 +wrap_command in crypto.c at line 841 : start
06/09 13:22:27 +calculate_enc_ecb_single_des in crypto.c at line 358 : start
06/09 13:22:27 -calculate_enc_ecb_single_des in crypto.c at line 402 : end status 0, error code(0x0): Success
06/09 13:22:27 +calculate_MAC_des_3des in crypto.c at line 610 : start
06/09 13:22:27 -calculate_MAC_des_3des in crypto.c at line 673 : end status 0, error code(0x0): Success
06/09 13:22:27 wrap_command: ICV for MAC: 40F330E3E76F3752
06/09 13:22:27 wrap_command: Generated MAC: 41A29ABBF99EEB69
06/09 13:22:27 -wrap_command in crypto.c at line 1089 : end status 0, error code(0x0): Success
06/09 13:22:27 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 296 : start
06/09 13:22:27 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 694 : end status 0, error code(0x80206985): 6985: Command not allowed - Conditions of use not satisfied.
06/09 13:22:27 OPGP_send_APDU: Response <-- 6985
06/09 13:22:27 +GP211_check_R_MAC in crypto.c at line 1251 : start
06/09 13:22:27 -GP211_check_R_MAC in crypto.c at line 1302 : end status 0, error code(0x0): Success
06/09 13:22:27 -OPGP_send_APDU in connection.c at line 264 : end status 0, error code(0x80206985): 6985: Command not allowed - Conditions of use not satisfied.
06/09 13:22:27 -install_for_load in globalplatform.c at line 2149 : end status 1, error code(0x80206985): 6985: Command not allowed - Conditions of use not satisfied.

I tried to issue a put_key command on the SSD with the same result:

mode_211
enable_trace
enable_timer
establish_context
card_connect
select -AID A000000003535041
put_sc_key -keyver 0 -newkeyver 2 -mac_key 505152535455565758595a5b5c5d5e5f -enc_key 505152535455565758595a5b5c5d5e5f -kek_key 505152535455565758595a5b5c5d5e5f
card_disconnect
release_context

Thanks in advance for any help you can provide.

Marcel |
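An added example (mine, not GPShell code) that takes apart the two pieces of GlobalPlatform data this thread keeps coming back to. First, the INSTALL [for load] APDU from the trace in the mail above (80E602001C...): its command data is a chain of length-prefixed fields (load file AID, associated security domain AID, load file data block hash, load parameters, load token), and the load parameters are BER-TLV (EF wrapping C6, the non-volatile code space limit). Second, the card recognition data that GET DATA with P1 = 0 and P2 = 0x66 returns, where, as Michael StJohns explains further down the page, the OID 2A864886FC6B04 xx yy under tag 64 names the secure channel protocol and its implementation options; 0215 (SCP02, i=0x15) is what Marcel's card reported. The card recognition data below is constructed for this example, shorter than what a real card returns but with the same nesting (6F / A5 / 73 / 64 / 06). Function and key names are this example's own.

```python
"""Decode GlobalPlatform INSTALL [for load] command data and the secure
channel OID in card recognition data with a small BER-TLV parser.

Added example, not GPShell code. Field layout follows GlobalPlatform
2.1.1 (INSTALL [for load] data, GET DATA 0066 card recognition data).
"""

# OID prefix {globalPlatform 4}; the two bytes after it are SCP and implementation
SCP_OID_PREFIX = bytes.fromhex("2A864886FC6B04")


def parse_tlv(data):
    """Parse one level of BER-TLV into a list of (tag, value) pairs.

    Handles one- and two-byte tags (e.g. 0x84, 0x9F65) and lengths up to
    two bytes (0x81 xx / 0x82 xx xx)."""
    items, pos, end = [], 0, len(data)
    while pos < end:
        tag = data[pos]
        pos += 1
        if tag & 0x1F == 0x1F:                # two-byte tag
            tag = (tag << 8) | data[pos]
            pos += 1
        length = data[pos]
        pos += 1
        if length == 0x81:
            length = data[pos]
            pos += 1
        elif length == 0x82:
            length = (data[pos] << 8) | data[pos + 1]
            pos += 2
        elif length & 0x80:
            raise ValueError("unsupported length form 0x%02X" % length)
        if pos + length > end:
            raise ValueError("TLV value runs past end of data")
        items.append((tag, data[pos:pos + length]))
        pos += length
    return items


def is_constructed(tag):
    """Bit 6 of the first tag byte set means the value holds more TLVs."""
    first = tag >> 8 if tag > 0xFF else tag
    return bool(first & 0x20)


def find_scp(card_recognition_data):
    """Return (scp, implementation) from card recognition data, or None."""
    for tag, value in parse_tlv(card_recognition_data):
        if (tag == 0x06 and value[:len(SCP_OID_PREFIX)] == SCP_OID_PREFIX
                and len(value) == len(SCP_OID_PREFIX) + 2):
            return value[-2], value[-1]
        if is_constructed(tag):
            found = find_scp(value)
            if found:
                return found
    return None


def parse_install_for_load(apdu_hex):
    """Split an INSTALL [for load] APDU into its named fields."""
    apdu = bytes.fromhex(apdu_hex)
    cla, ins, p1, p2, lc = apdu[:5]
    if ins != 0xE6 or p1 != 0x02:
        raise ValueError("not an INSTALL [for load] (INS=E6, P1=02)")
    data = apdu[5:5 + lc]
    if len(data) != lc:
        raise ValueError("Lc does not match data length")
    fields = []
    pos = 0
    for _ in range(5):                        # five length-prefixed fields
        n = data[pos]
        fields.append(data[pos + 1:pos + 1 + n])
        pos += 1 + n
    if pos != lc:
        raise ValueError("unexpected bytes after load token")
    load_file_aid, sd_aid, block_hash, params, token = fields
    code_limit = None
    for tag, value in parse_tlv(params):
        if tag == 0xEF:                       # system specific parameters
            for inner_tag, inner in parse_tlv(value):
                if inner_tag == 0xC6:         # non-volatile code space limit
                    code_limit = int.from_bytes(inner, "big")
    return {
        "cla": cla, "p2": p2,
        "load_file_aid": load_file_aid.hex().upper(),
        "sd_aid": sd_aid.hex().upper(),
        "has_hash": len(block_hash) > 0,
        "has_token": len(token) > 0,
        "nv_code_limit": code_limit,
    }


# The INSTALL [for load] from the trace in this mail (trailing Le byte included).
INSTALL_FOR_LOAD = "80E602001C09F00000006203010C0108A0000000035350410006EF04C6020B700000"

# Constructed card recognition data: ISD AID under 84, then 9F65 and the
# 73 OID list with the SCP OID under 64, ending in 02 15 (SCP02, i=15).
CARD_RECOGNITION = bytes.fromhex(
    "6F1F8408A000000003000000A5139F6501FF730D640B06092A864886FC6B040215")

if __name__ == "__main__":
    print(parse_install_for_load(INSTALL_FOR_LOAD))
    print(find_scp(CARD_RECOGNITION))   # prints (2, 21), i.e. SCP02 with i=0x15
```

Decoded, the APDU asks to load F00000006203010C01 under the security domain A000000003535041 (the SSD) with a 0x0B70 byte code space limit and no hash or token, so what the card answered 6985 to is a well-formed command. The same parse_tlv walks the GET DATA 0066 answer; if find_scp returns something other than what GPShell's trace shows as "Secure Channel Protocol" and "Implementation", the -scp and -scpimpl switches discussed in this thread are the way to override it.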
From: Karsten O. <wid...@t-...> - 2011-08-31 00:26:15
|
On 31.08.2011 02:01, Marcel Cordovi wrote:
> Thanks Mike. Your reply was very helpful. I sent the GET DATA command you recommended and got the xx-yy bytes values you were mentioning. They turn out to be 0215, which stands for SCP02 with 0x15 implementation version as I was expecting from my card default values reference. The problem was a missing 'mode_211' command in the script that was making the underlying global platform library have the wrong function querying the protocol version. After having this corrected I was able to establish the secure channel with my applet but I still needed to specify the 'scp' and 'scpimpl' options in order to avoid a "6D00: Invalid instruction byte / Command not supported or invalid" error I was getting. I'll be trying to fix that too later but for now passing the options will do just fine. Thanks again for your help.

The reason for the 6D00 is that you have selected the applet, not a security domain. The applet does not know of the GET DATA command, so this fails. I have documented this:
https://sourceforge.net/apps/mediawiki/globalplatform/index.php?title=GPShell#Secure_Channel_Commands

Karsten

> Greetings,
>
> Marcel
>
> On Tue, Aug 30, 2011 at 5:48 PM, <glo...@li...> wrote:
>> Today's Topics:
>>
>> 1. Problem opening a secure channel on a java card (Marcel Cordovi)
>> 2. Re: Problem opening a secure channel on a java card (Michael StJohns)
>> 3. Re: Problem opening a secure channel on a java card (Karsten Ohme)
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Mon, 29 Aug 2011 19:08:49 -0500
>> From: Marcel Cordovi <mco...@gm...>
>> Subject: [Globalplatform-users] Problem opening a secure channel on a java card
>> To: glo...@li...
>> Message-ID: <CAL...@ma...>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Hi Karsten,
>>
>> I appreciate your reply. I'm still having the same problem establishing a secure channel with my card. In response to one of my questions you posted:
>>
>>> Hi,
>>>
>>> Nothing known to me. You are using processSecurity for all commands not known to your applet?
>>>
>>> Try to get a debug output and post the result.
>>
>> The answer is yes. All unknown APDUs are handled by the default clause of a switch statement in the 'process' method and forwarded to:
>>
>> void SCPcommands ( APDU apdu ) {
>>     responseLength = MySecureChannel.processSecurity( apdu );
>>     if (responseLength != 0 )
>>         apdu.setOutgoingAndSend( (short) ISO7816.OFFSET_CDATA, responseLength );
>> }
>>
>> as I posted previously.
>>
>> I tried the following script:
>>
>> ---------------------------------------------
>> establish_context
>> enable_trace
>> enable_timer
>> card_connect
>>
>> select -AID F00100006203010C0101
>> open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Open secure channel
>>
>> card_disconnect
>> release_context
>> -----------------------------------------------
>>
>> And this is the DEBUG trace:
>>
>> 29/08 18:16:49 +OPGP_establish_context in connection.c at line 56 : start
>> 29/08 18:16:49 +OPGP_release_context in connection.c at line 108 : start
>> 29/08 18:16:49 -OPGP_release_context in connection.c at line 132 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_LoadLibrary in dyn_unix.c at line 60 : start
>> 29/08 18:16:49 DYN_LoadLibrary: Using library name "gppcscconnectionplugin" and version "1.0.1".
>> 29/08 18:16:49 -DYN_LoadLibrary in dyn_unix.c at line 107 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +OPGP_PL_establish_context in gppcscconnectionplugin.c at line 85 : start
>> 29/08 18:16:49 -OPGP_PL_establish_context in gppcscconnectionplugin.c at line 98 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -OPGP_establish_context in connection.c at line 95 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +OPGP_list_readers in connection.c at line 148 : start
>> 29/08 18:16:49 +OPGP_PL_list_readers in gppcscconnectionplugin.c at line 137 : start
>> 29/08 18:16:49 OPGP_PL_list_readers: readerSize: 24
>> 29/08 18:16:49 -OPGP_PL_list_readers in gppcscconnectionplugin.c at line 176 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -OPGP_list_readers in connection.c at line 151 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +OPGP_card_connect in connection.c at line 167 : start
>> 29/08 18:16:49 +OPGP_PL_card_connect in gppcscconnectionplugin.c at line 202 : start
>> 29/08 18:16:49 OPGP_PL_card_connect: Connected to card in reader ACS ACR 38U-CCID 00 00 with protocol 2 in card state 524340
>> 29/08 18:16:49 OPGP_PL_card_connect: Card ATR: 3BFD1800008131FE4550565F4A434F50323176323332E7
>> 29/08 18:16:49 -OPGP_PL_card_connect in gppcscconnectionplugin.c at line 242 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -OPGP_card_connect in connection.c at line 172 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +select_application in globalplatform.c at line 413 : start
>> 29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start
>> 29/08 18:16:49 OPGP_send_APDU: Command --> 00A404000AF00100006203010C0101
>> 29/08 18:16:49 +wrap_command in crypto.c at line 841 : start
>> 29/08 18:16:49 -wrap_command in crypto.c at line 1089 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 296 : start
>> 29/08 18:16:49 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 694 : end status 0, error code(0x80209000): 9000: Success. No error.
>> 29/08 18:16:49 OPGP_send_APDU: Response <-- 6F0E840AF00100006203010C0101A5009000
>> 29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start
>> 29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end status 0, error code(0x80209000): 9000: Success. No error.
>> 29/08 18:16:49 -select_application in globalplatform.c at line 444 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +mutual_authentication in globalplatform.c at line 3584 : start
>> * 29/08 18:16:49 mutual_authentication: Secure Channel Protocol: 0x01
>> * 29/08 18:16:49 mutual_authentication: Secure Channel Protocol Implementation: 0x05
>> 29/08 18:16:49 +get_random in crypto.c at line 1465 : start
>> 29/08 18:16:49 -get_random in crypto.c at line 1472 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 mutual_authentication: Generated Host Challenge: D4BF67725B6928EA
>> 29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start
>> * 29/08 18:16:49 OPGP_send_APDU: Command --> 8050000008D4BF67725B6928EA00
>> 29/08 18:16:49 +wrap_command in crypto.c at line 841 : start
>> 29/08 18:16:49 -wrap_command in crypto.c at line 1089 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 296 : start
>> 29/08 18:16:49 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 694 : end status 0, error code(0x80209000): 9000: Success. No error.
>> 29/08 18:16:49 OPGP_send_APDU: Response <-- 000082470244119142080102001FC04F087547DA1134FD4C1BECE9E59000
>> 29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start
>> 29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end status 0, error code(0x80209000): 9000: Success. No error.
>> 29/08 18:16:49 mutual_authentication: Key Diversification Data: 00008247024411914208
>> 29/08 18:16:49 mutual_authentication: Key Information Data: 0102
>> 29/08 18:16:49 mutual_authentication: Card Challenge: 001FC04F087547DA
>> 29/08 18:16:49 mutual_authentication: Retrieved Card Cryptogram: 1134FD4C1BECE9E5
>> 29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start
>> 29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at line 294 : start
>> 29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at line 338 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start
>> 29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at line 294 : start
>> 29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at line 338 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 mutual_authentication: S-ENC Session Key: E374467F06501BB92057F15A8C860AAB
>> 29/08 18:16:49 mutual_authentication: S-MAC Session Key:
>> 29/08 18:16:49 mutual_authentication: Data Encryption Key: 404142434445464748494A4B4C4D4E4F
>> 29/08 18:16:49 +calculate_card_cryptogram_SCP01 in crypto.c at line 108 : start
>> 29/08 18:16:49 +calculate_MAC in crypto.c at line 422 : start
>> 29/08 18:16:49 -calculate_MAC in crypto.c at line 460 : end status 0, error code(0x0): Success
>> * 29/08 18:16:49 -calculate_card_cryptogram_SCP01 in crypto.c at line 118 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 mutual_authentication: Card Cryptogram to compare: 683ED52BCE9F682F
>> 29/08 18:16:49 -mutual_authentication in globalplatform.c at line 3898 : end status 1, error code(0x80302000): The verification of the card cryptogram failed.
>>
>> From the marked lines ( * ) it can be seen that gpshell is trying to use SCP01 (i=5) but my card uses by default SCP02 (i=55). It also has support for SCP01 but with i=15 so there's still something wrong even in the case I accidentally change the protocol version without knowing it. I've tried to force the use of SCP02 by means of the 'sc' option, even when gpshell's documentation says there's no need to do it, but the result is the same, the SCP01 protocol is still being used and the cryptogram can't finally be verified. I also tried passing the 'visa2' value on the keyDerivation option since my card is a JCOP but there was no success. I tried every combination of parameters: passing the kek_key along with the enc_key and mac_key, passing only the -key with the keyDerivation, passing it all together without any results.
>>
>> Why is gpshell using the wrong protocol version and what can I do to ensure the use of the proper one?
>> Is there some way of querying the card for the key derivation algorithm that it supports or has set by default?
>> Is there anything else I am missing?
>>
>> Thanks in advance,
>>
>> Marcel
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Mon, 29 Aug 2011 22:11:23 -0400
>> From: Michael StJohns <mst...@co...>
>> Subject: Re: [Globalplatform-users] Problem opening a secure channel on a java card
>> To: Marcel Cordovi <mco...@gm...>, glo...@li...
>> Message-ID: <mai...@li...>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> Hi Marcel -
>>
>> I think you've got a mismatch between what's in the card recognition data and what the card is configured for.
>>
>> I know this was a problem with the generic open_sc (where you were opening with the security domain) a while back - Karsten ended up providing a fix. I wonder if that's the same problem.
>>
>> If you can do a select of the AID and then a GET DATA with a P1 of 0 and a P2 of 0x66 and paste it back here, it might be helpful.
>>
>> Look for a hex string 64 0B 06 09 2A 86 48 86 fc 6b 04 xx yy -- xx should be the SCP and YY the implementation options. My guess is that will be 01 05 to match what gpshell is trying to do.
>>
>> Which version of GPShell are you using? I thought this was patched.
>>
>> Mike
>>
>> At 08:08 PM 8/29/2011, Marcel Cordovi wrote:
>>> 29/08 18:16:49 OPGP_send_APDU: Response <-- >>> 000082470244119142080102001FC04F087547DA1134FD4C1BECE9E59000 >>> 29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start >>> 29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end >>> status 0, error code(0x0): Success >>> 29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end >>> status 0, error code(0x80209000): 9000: Success. No error. >>> 29/08 18:16:49 mutual_authentication: Key Diversification Data: >>> 00008247024411914208 >>> 29/08 18:16:49 mutual_authentication: Key Information Data: 0102 >>> 29/08 18:16:49 mutual_authentication: Card Challenge: 001FC04F087547DA >>> 29/08 18:16:49 mutual_authentication: Retrieved Card Cryptogram: >>> 1134FD4C1BECE9E5 >>> 29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start >>> 29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at >>> line 294 : start >>> 29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at >>> line 338 : end status 0, error code(0x0): Success >>> 29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : >>> end status 0, error code(0x0): Success >>> 29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start >>> 29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at >>> line 294 : start >>> 29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at >>> line 338 : end status 0, error code(0x0): Success >>> 29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : >>> end status 0, error code(0x0): Success >>> 29/08 18:16:49 mutual_authentication: S-ENC Session Key: >>> E374467F06501BB92057F15A8C860AAB >>> 29/08 18:16:49 mutual_authentication: S-MAC Session Key: >>> 29/08 18:16:49 mutual_authentication: Data Encryption Key: >>> 404142434445464748494A4B4C4D4E4F >>> 29/08 18:16:49 +calculate_card_cryptogram_SCP01 in crypto.c at line 108 : start >>> 29/08 18:16:49 +calculate_MAC in crypto.c at line 422 : start >>> 29/08 18:16:49 
-calculate_MAC in crypto.c at line 460 : end status 0, >>> error code(0x0): Success >>> * 29/08 18:16:49 -calculate_card_cryptogram_SCP01 in crypto.c at >>> line 118 : end status 0, error code(0x0): Success >>> 29/08 18:16:49 mutual_authentication: Card Cryptogram to compare: >>> 683ED52BCE9F682F >>> 29/08 18:16:49 -mutual_authentication in globalplatform.c at line >>> 3898 : end status 1, error code(0x80302000): The verification of the >>> card cryptogram failed. >>> >>> >>> >From the marked lines ( * ) can be seen that gpshell is trying to use >>> SCP01 (i=5) but my card uses by default SCP02 (i=55). It also has >>> support for SCP01 but with i=15 so there's still something wrong even >>> in the case I accidentally change the protocol version without knowing >>> it. I've tried to force the use of SCP02 by means of the 'sc' option, >>> even when gpshell's documentation says there's no need to do it, but >>> the result is the same, the SCP01 protocol is still being used and the >>> cryptogram can't finally be verified. I also tried passing the 'visa2' >>> value on the keyDerivation option since my card is a JCOP but there >>> were no success. I tried every combination of parameters: passing the >>> kek_key along with the enc_key and mac_key, passing only the -key with >>> the keyDerivation, passing it all together without any results. >>> >>> Why is gpshell using the wrong protocol version and what can I do to >>> ensure the use of the proper one? >>> Is there some way of querying the card for the key derivation >>> algorithm that it supports or has set by default? >>> Is there anything else am I missing? >>> >>> Thanks in advance, >>> >>> Marcel >>> >>> ------------------------------------------------------------------------------ >>> Special Offer -- Download ArcSight Logger for FREE! >>> Finally, a world-class log management solution at an even better >>> price-free! And you'll get a free "Love Thy Logs" t-shirt when you >>> download Logger. 
Secure your free ArcSight Logger TODAY! >>> http://p.sf.net/sfu/arcsisghtdev2dev >>> _______________________________________________ >>> Globalplatform-users mailing list >>> Glo...@li... >>> https://lists.sourceforge.net/lists/listinfo/globalplatform-users >> >> >> >> >> ------------------------------ >> >> Message: 3 >> Date: Wed, 31 Aug 2011 00:48:25 +0200 >> From: Karsten Ohme <wid...@t-...> >> Subject: Re: [Globalplatform-users] Problem opening a secure channel >> on a java card >> To: glo...@li... >> Message-ID: <4E5...@t-...> >> Content-Type: text/plain; charset=ISO-8859-1 >> >> Hi, >> >> Ah! I guess I found it. You are using a GlobalPlatform 2.1.1 compliant >> card. So you have to specify the mode in the beginning of the script >> fail. Otherwise it falls back to the OpenPlatform 2.0.1 mode. >> >> Start you file with: >> >> mode_211 >> >> Karsten >> >> Am 30.08.2011 04:11, schrieb Michael StJohns: >>> Hi Marcel - >>> >>> I think you've got a mismatch between what's in the card recognition data and what the card is configured for. >>> >>> I know this was a problem with the generic open_sc (where you were opening with the security domain) a while back - Karsten ended up providing a fix. I wonder if that's the same problem. >>> >>> If you can do a select of the AID and then a GET DATA with a P1 of 0 an d a P2 of 0x66 and paste it back here, it might be helpful. >>> >>> Look for a hex string 64 0B 06 09 2A 86 48 86 fc 6b 04 xx yy -- xx should be the SCP and YY the implementation options. My guess is that will be 01 05 to match what gpshell is trying to do. >>> >>> Which version of GPShell are you using? I thought this was patched. >>> >>> Mike >>> >>> >>> At 08:08 PM 8/29/2011, Marcel Cordovi wrote: >>>> Hi Karsten, >>>> >>>> I appreciate your reply. I'm still having the same problem >>>> establishing a secure channel with my card. In response for one of my >>>> questions you posted: >>>> >>>>> Hi, >>>>> >>>>> Nothing known to me. 
You are using processSecurity for all commands not >>>>> known to your applet? >>>>> >>>>> Try to get a debug output and post the result. >>>> The answer is yes. All not known APDUs are handled by the default >>>> clause of a switch statement in the 'process' method and forwarded to: >>>> >>>> >>>> void SCPcommands ( APDU apdu ) { >>>> >>>> responseLength = MySecureChannel.processSecurity( apdu ); >>>> if (responseLength != 0 ) >>>> apdu.setOutgoingAndSend( (short) ISO7816.OFFSET_CDATA, >>>> responseLength ); >>>> } >>>> >>>> as I posted previously. >>>> >>>> I tried the following script: >>>> >>>> --------------------------------------------- >>>> establish_context >>>> enable_trace >>>> enable_timer >>>> card_connect >>>> >>>> select -AID F00100006203010C0101 >>>> open_sc -security 1 -keyind 0 -keyver 0 -mac_key >>>> 404142434445464748494a4b4c4d4e4f -enc_key >>>> 404142434445464748494a4b4c4d4e4f -kek_key >>>> 404142434445464748494a4b4c4d4e4f // Open secure channel >>>> >>>> card_disconnect >>>> release_context >>>> ----------------------------------------------- >>>> >>>> >>>> And this is the DEBUG trace: >>>> >>>> >>>> 29/08 18:16:49 +OPGP_establish_context in connection.c at line 56 : start >>>> 29/08 18:16:49 +OPGP_release_context in connection.c at line 108 : start >>>> 29/08 18:16:49 -OPGP_release_context in connection.c at line 132 : >>>> end status 0, error code(0x0): Success >>>> 29/08 18:16:49 +DYN_LoadLibrary in dyn_unix.c at line 60 : start >>>> 29/08 18:16:49 DYN_LoadLibrary: Using library name >>>> "gppcscconnectionplugin" and version "1.0.1". 
>>>> 29/08 18:16:49 -DYN_LoadLibrary in dyn_unix.c at line 107 : end >>>> status 0, error code(0x0): Success >>>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start >>>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status >>>> 0, error code(0x0): Success >>>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start >>>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status >>>> 0, error code(0x0): Success >>>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start >>>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status >>>> 0, error code(0x0): Success >>>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start >>>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status >>>> 0, error code(0x0): Success >>>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start >>>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status >>>> 0, error code(0x0): Success >>>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start >>>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status >>>> 0, error code(0x0): Success >>>> 29/08 18:16:49 +OPGP_PL_establish_context in gppcscconnectionplugin.c >>>> at line 85 : start >>>> 29/08 18:16:49 -OPGP_PL_establish_context in gppcscconnectionplugin.c >>>> at line 98 : end status 0, error code(0x0): Success >>>> 29/08 18:16:49 -OPGP_establish_context in connection.c at line 95 : >>>> end status 0, error code(0x0): Success >>>> 29/08 18:16:49 +OPGP_list_readers in connection.c at line 148 : start >>>> 29/08 18:16:49 +OPGP_PL_list_readers in gppcscconnectionplugin.c at >>>> line 137 : start >>>> 29/08 18:16:49 OPGP_PL_list_readers: readerSize: 24 >>>> 29/08 18:16:49 -OPGP_PL_list_readers in gppcscconnectionplugin.c at >>>> line 176 : end status 0, error code(0x0): Success >>>> 29/08 18:16:49 -OPGP_list_readers in connection.c at line 151 : end >>>> status 0, error code(0x0): Success >>>> 
29/08 18:16:49 +OPGP_card_connect in connection.c at line 167 : start >>>> 29/08 18:16:49 +OPGP_PL_card_connect in gppcscconnectionplugin.c at >>>> line 202 : start >>>> 29/08 18:16:49 OPGP_PL_card_connect: Connected to card in reader ACS >>>> ACR 38U-CCID 00 00 with protocol 2 in card state 524340 >>>> 29/08 18:16:49 OPGP_PL_card_connect: Card ATR: >>>> 3BFD1800008131FE4550565F4A434F50323176323332E7 >>>> 29/08 18:16:49 -OPGP_PL_card_connect in gppcscconnectionplugin.c at >>>> line 242 : end status 0, error code(0x0): Success >>>> 29/08 18:16:49 -OPGP_card_connect in connection.c at line 172 : end >>>> status 0, error code(0x0): Success >>>> 29/08 18:16:49 +select_application in globalplatform.c at line 413 : start >>>> 29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start >>>> 29/08 18:16:49 OPGP_send_APDU: Command --> 00A404000AF00100006203010C0101 >>>> 29/08 18:16:49 +wrap_command in crypto.c at line 841 : start >>>> 29/08 18:16:49 -wrap_command in crypto.c at line 1089 : end status 0, >>>> error code(0x0): Success >>>> 29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line >>>> 296 : start >>>> 29/08 18:16:49 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line >>>> 694 : end status 0, error code(0x80209000): 9000: Success. No error. >>>> 29/08 18:16:49 OPGP_send_APDU: Response <-- 6F0E840AF00100006203010C0101A5009000 >>>> 29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start >>>> 29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end >>>> status 0, error code(0x0): Success >>>> 29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end >>>> status 0, error code(0x80209000): 9000: Success. No error. 
>>>> 29/08 18:16:49 -select_application in globalplatform.c at line 444 : >>>> end status 0, error code(0x0): Success >>>> 29/08 18:16:49 +mutual_authentication in globalplatform.c at line 3584 : start >>>> * 29/08 18:16:49 mutual_authentication: Secure Channel Protocol: 0x01 >>>> * 29/08 18:16:49 mutual_authentication: Secure Channel Protocol >>>> Implementation: 0x05 >>>> 29/08 18:16:49 +get_random in crypto.c at line 1465 : start >>>> 29/08 18:16:49 -get_random in crypto.c at line 1472 : end status 0, >>>> error code(0x0): Success >>>> 29/08 18:16:49 mutual_authentication: Generated Host Challenge: D4BF67725B6928EA >>>> 29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start >>>> * 29/08 18:16:49 OPGP_send_APDU: Command --> 8050000008D4BF67725B6928EA00 >>>> 29/08 18:16:49 +wrap_command in crypto.c at line 841 : start >>>> 29/08 18:16:49 -wrap_command in crypto.c at line 1089 : end status 0, >>>> error code(0x0): Success >>>> 29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line >>>> 296 : start >>>> 29/08 18:16:49 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line >>>> 694 : end status 0, error code(0x80209000): 9000: Success. No error. >>>> 29/08 18:16:49 OPGP_send_APDU: Response <-- >>>> 000082470244119142080102001FC04F087547DA1134FD4C1BECE9E59000 >>>> 29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start >>>> 29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end >>>> status 0, error code(0x0): Success >>>> 29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end >>>> status 0, error code(0x80209000): 9000: Success. No error. 
>>>> 29/08 18:16:49 mutual_authentication: Key Diversification Data: >>>> 00008247024411914208 >>>> 29/08 18:16:49 mutual_authentication: Key Information Data: 0102 >>>> 29/08 18:16:49 mutual_authentication: Card Challenge: 001FC04F087547DA >>>> 29/08 18:16:49 mutual_authentication: Retrieved Card Cryptogram: >>>> 1134FD4C1BECE9E5 >>>> 29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start >>>> 29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at >>>> line 294 : start >>>> 29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at >>>> line 338 : end status 0, error code(0x0): Success >>>> 29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : >>>> end status 0, error code(0x0): Success >>>> 29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start >>>> 29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at >>>> line 294 : start >>>> 29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at >>>> line 338 : end status 0, error code(0x0): Success >>>> 29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : >>>> end status 0, error code(0x0): Success >>>> 29/08 18:16:49 mutual_authentication: S-ENC Session Key: >>>> E374467F06501BB92057F15A8C860AAB >>>> 29/08 18:16:49 mutual_authentication: S-MAC Session Key: >>>> 29/08 18:16:49 mutual_authentication: Data Encryption Key: >>>> 404142434445464748494A4B4C4D4E4F >>>> 29/08 18:16:49 +calculate_card_cryptogram_SCP01 in crypto.c at line 108 : start >>>> 29/08 18:16:49 +calculate_MAC in crypto.c at line 422 : start >>>> 29/08 18:16:49 -calculate_MAC in crypto.c at line 460 : end status 0, >>>> error code(0x0): Success >>>> * 29/08 18:16:49 -calculate_card_cryptogram_SCP01 in crypto.c at >>>> line 118 : end status 0, error code(0x0): Success >>>> 29/08 18:16:49 mutual_authentication: Card Cryptogram to compare: >>>> 683ED52BCE9F682F >>>> 29/08 18:16:49 -mutual_authentication in globalplatform.c at line >>>> 3898 : end status 
1, error code(0x80302000): The verification of the >>>> card cryptogram failed. >>>> >>>> >>>> >From the marked lines ( * ) can be seen that gpshell is trying to use >>>> SCP01 (i=5) but my card uses by default SCP02 (i=55). It also has >>>> support for SCP01 but with i=15 so there's still something wrong even >>>> in the case I accidentally change the protocol version without knowing >>>> it. I've tried to force the use of SCP02 by means of the 'sc' option, >>>> even when gpshell's documentation says there's no need to do it, but >>>> the result is the same, the SCP01 protocol is still being used and the >>>> cryptogram can't finally be verified. I also tried passing the 'visa2' >>>> value on the keyDerivation option since my card is a JCOP but there >>>> were no success. I tried every combination of parameters: passing the >>>> kek_key along with the enc_key and mac_key, passing only the -key with >>>> the keyDerivation, passing it all together without any results. >>>> >>>> Why is gpshell using the wrong protocol version and what can I do to >>>> ensure the use of the proper one? >>>> Is there some way of querying the card for the key derivation >>>> algorithm that it supports or has set by default? >>>> Is there anything else am I missing? >>>> >>>> Thanks in advance, >>>> >>>> Marcel >>>> >>>> ------------------------------------------------------------------------------ >>>> Special Offer -- Download ArcSight Logger for FREE! >>>> Finally, a world-class log management solution at an even better >>>> price-free! And you'll get a free "Love Thy Logs" t-shirt when you >>>> download Logger. Secure your free ArcSight Logger TODAY! >>>> http://p.sf.net/sfu/arcsisghtdev2dev >>>> _______________________________________________ >>>> Globalplatform-users mailing list >>>> Glo...@li... 
>>>> https://lists.sourceforge.net/lists/listinfo/globalplatform-users
>>
>> End of Globalplatform-users Digest, Vol 18, Issue 2
>> ***************************************************
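The check Mike describes in the quoted reply above (select the security domain, GET DATA with P1=0x00 P2=0x66, then look for the 64 0B 06 09 2A 86 48 86 FC 6B 04 xx yy item) can be done by a small parser instead of by eye. The following is an added example and not GPShell or GlobalPlatform library code: it walks the Card Recognition Data response as BER-TLV, pulls the SCP number and implementation option out of the OID in tag 64, and formats the matching open_sc -scp / -scpimpl switches that Marcel reports he had to pass. The response bytes are constructed for the example (a GP 2.1.1 card announcing SCP02 with i=0x15); the tag layout follows the Card Recognition Data structure of the GP 2.1.1 card specification.

```python
"""Extract the Secure Channel Protocol number and implementation option
from a GlobalPlatform Card Recognition Data response (GET DATA, P1=00 P2=66).
Added example; the sample response below is constructed, not card output."""
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# GlobalPlatform OID arc 1.2.840.114283 in DER form.  Card Recognition Data
# items carry it followed by one arc naming the item (2 = GP version,
# 4 = secure channel) and then the item's value bytes.
GP_ARC = bytes.fromhex("2A864886FC6B")
OID_GP_VERSION = GP_ARC + b"\x02"
OID_SCP = GP_ARC + b"\x04"


@dataclass
class CardRecognition:
    gp_version: Optional[Tuple[int, ...]]   # e.g. (2, 1, 1)
    scp: Optional[int]                      # 0x01 or 0x02
    scp_impl: Optional[int]                 # the "i" option byte, e.g. 0x15


def parse_tlvs(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a sequence of BER-TLVs with single-byte tags.  Handles short form
    and one- or two-byte long-form lengths and refuses truncated data."""
    i = 0
    while i < len(data):
        tag = data[i]
        if (tag & 0x1F) == 0x1F:   # multi-byte tags do not occur in tag 66 data
            raise ValueError("multi-byte tag at offset %d not expected here" % i)
        i += 1
        if i >= len(data):
            raise ValueError("missing length for tag %02X" % tag)
        length = data[i]
        i += 1
        if length & 0x80:
            n = length & 0x7F
            if n == 0 or n > 2 or i + n > len(data):
                raise ValueError("bad length encoding for tag %02X" % tag)
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated value for tag %02X" % tag)
        yield tag, value
        i += length


def _oid_of(value: bytes) -> bytes:
    """Each constructed recognition item (60, 63, 64, ...) wraps one OID (tag 06)."""
    for tag, inner in parse_tlvs(value):
        if tag == 0x06:
            return inner
    raise ValueError("no OID inside card recognition item")


def parse_card_recognition(response: bytes) -> CardRecognition:
    """Parse a full GET DATA 0066 response, trailing status word included."""
    sw = response[-2:]
    if sw != b"\x90\x00":   # e.g. 6985 when the card refuses GET DATA unauthenticated
        raise ValueError("GET DATA failed with SW %s" % sw.hex().upper())
    card_data = dict(parse_tlvs(response[:-2])).get(0x66)
    if card_data is None:
        raise ValueError("no Card Data (tag 66) in response")
    recog = dict(parse_tlvs(card_data)).get(0x73)
    if recog is None:
        raise ValueError("no Card Recognition Data (tag 73) in Card Data")
    result = CardRecognition(None, None, None)
    for tag, value in parse_tlvs(recog):
        if tag == 0x60:
            oid = _oid_of(value)
            if oid.startswith(OID_GP_VERSION):
                result.gp_version = tuple(oid[len(OID_GP_VERSION):])
        elif tag == 0x64:
            oid = _oid_of(value)
            if oid.startswith(OID_SCP) and len(oid) == len(OID_SCP) + 2:
                result.scp, result.scp_impl = oid[-2], oid[-1]
    return result


def open_sc_switches(cr: CardRecognition) -> str:
    """Format the GPShell open_sc switches that pin the protocol the card reports."""
    if cr.scp is None:
        raise ValueError("card recognition data does not name an SCP")
    return "-scp %d -scpimpl 0x%02X" % (cr.scp, cr.scp_impl)


# Constructed sample: GP 2.1.1 card, SCP02 with implementation option 0x15.
SAMPLE_RESPONSE = bytes.fromhex(
    "664C734A"
    "06072A864886FC6B01"              # card recognition data OID
    "600C060A2A864886FC6B02020101"    # {gp 2} 2.1.1 -> GP card spec version
    "630906072A864886FC6B03"          # {gp 3}       -> card identification scheme
    "640B06092A864886FC6B040215"      # {gp 4} 02 15 -> SCP02, i=0x15
    "650B06092B8510864864020103"      # card configuration details
    "660C060A2B060104012A026E0102"    # card/chip details
    "9000"
)

if __name__ == "__main__":
    cr = parse_card_recognition(SAMPLE_RESPONSE)
    print(cr, open_sc_switches(cr))
```

The parser raises instead of guessing when the status word is not 9000 or when a length runs past the end of the data, so a truncated or refused response can never be misread as an SCP option; comparing the result with what open_sc logs as "Secure Channel Protocol" and "Implementation" is the quickest way to confirm the mismatch Marcel describes.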
From: Marcel C. <mco...@gm...> - 2011-08-31 00:01:42
Thanks Mike. Your reply was very helpful. I sent the GET DATA command you recommended and got the xx-yy byte values you were mentioning. They turn out to be 0215, which stands for SCP02 with the 0x15 implementation version, as I was expecting from my card's default values reference.

The problem was a missing 'mode_211' command in the script, which was making the underlying GlobalPlatform library use the wrong function to query the protocol version. After having this corrected I was able to establish the secure channel with my applet, but I still needed to specify the 'scp' and 'scpimpl' options in order to avoid a "6D00: Invalid instruction byte / Command not supported or invalid" error I was getting. I'll be trying to fix that too later, but for now passing the options will do just fine.

Thanks again for your help.

Greetings,
Marcel

On Tue, Aug 30, 2011 at 5:48 PM, <glo...@li...> wrote:
> Send Globalplatform-users mailing list submissions to
> glo...@li...
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/globalplatform-users
> or, via email, send a message with subject or body 'help' to
> glo...@li...
>
> You can reach the person managing the list at
> glo...@li...
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Globalplatform-users digest..."
>
>
> Today's Topics:
>
>    1. Problem opening a secure channel on a java card (Marcel Cordovi)
>    2. Re: Problem opening a secure channel on a java card
>       (Michael StJohns)
>    3. Re: Problem opening a secure channel on a java card (Karsten Ohme)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 29 Aug 2011 19:08:49 -0500
> From: Marcel Cordovi <mco...@gm...>
> Subject: [Globalplatform-users] Problem opening a secure channel on a
> java card
> To: glo...@li...
> Message-ID:
> <CAL...@ma...>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Karsten,
>
I appreciate your reply. I'm still having the same problem > establishing a secure channel with my card. In response for one of my > questions you posted: > >> Hi, >> >> Nothing known to me. You are using processSecurity for all commands not >> known to your applet? >> >> Try to get a debug output and post the result. > > > The answer is yes. All not known APDUs are handled by the default > clause of a switch statement in the 'process' method and forwarded to: > > > void SCPcommands ( APDU apdu ) { > > responseLength = MySecureChannel.processSecurity( apdu ); > if (responseLength != 0 ) > apdu.setOutgoingAndSend( (short) ISO7816.OFFSET_CDATA, > responseLength ); > } > > as I posted previously. > > I tried the following script: > > --------------------------------------------- > establish_context > enable_trace > enable_timer > card_connect > > select -AID F00100006203010C0101 > open_sc -security 1 -keyind 0 -keyver 0 -mac_key > 404142434445464748494a4b4c4d4e4f -enc_key > 404142434445464748494a4b4c4d4e4f -kek_key > 404142434445464748494a4b4c4d4e4f // Open secure channel > > card_disconnect > release_context > ----------------------------------------------- > > > And this is the DEBUG trace: > > > 29/08 18:16:49 +OPGP_establish_context in connection.c at line 56 : start > 29/08 18:16:49 +OPGP_release_context in connection.c at line 108 : start > 29/08 18:16:49 -OPGP_release_context in connection.c at line 132 : > end status 0, error code(0x0): Success > 29/08 18:16:49 +DYN_LoadLibrary in dyn_unix.c at line 60 : start > 29/08 18:16:49 DYN_LoadLibrary: Using library name > "gppcscconnectionplugin" and version "1.0.1". 
> 29/08 18:16:49 -DYN_LoadLibrary in dyn_unix.c at line 107 : end > status 0, error code(0x0): Success > 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start > 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status > 0, error code(0x0): Success > 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start > 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status > 0, error code(0x0): Success > 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start > 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status > 0, error code(0x0): Success > 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start > 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status > 0, error code(0x0): Success > 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start > 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status > 0, error code(0x0): Success > 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start > 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status > 0, error code(0x0): Success > 29/08 18:16:49 +OPGP_PL_establish_context in gppcscconnectionplugin.c > at line 85 : start > 29/08 18:16:49 -OPGP_PL_establish_context in gppcscconnectionplugin.c > at line 98 : end status 0, error code(0x0): Success > 29/08 18:16:49 -OPGP_establish_context in connection.c at line 95 : > end status 0, error code(0x0): Success > 29/08 18:16:49 +OPGP_list_readers in connection.c at line 148 : start > 29/08 18:16:49 +OPGP_PL_list_readers in gppcscconnectionplugin.c at > line 137 : start > 29/08 18:16:49 OPGP_PL_list_readers: readerSize: 24 > 29/08 18:16:49 -OPGP_PL_list_readers in gppcscconnectionplugin.c at > line 176 : end status 0, error code(0x0): Success > 29/08 18:16:49 -OPGP_list_readers in connection.c at line 151 : end > status 0, error code(0x0): Success > 29/08 18:16:49 +OPGP_card_connect in connection.c at line 167 : start > 29/08 18:16:49 
+OPGP_PL_card_connect in gppcscconnectionplugin.c at > line 202 : start > 29/08 18:16:49 OPGP_PL_card_connect: Connected to card in reader ACS > ACR 38U-CCID 00 00 with protocol 2 in card state 524340 > 29/08 18:16:49 OPGP_PL_card_connect: Card ATR: > 3BFD1800008131FE4550565F4A434F50323176323332E7 > 29/08 18:16:49 -OPGP_PL_card_connect in gppcscconnectionplugin.c at > line 242 : end status 0, error code(0x0): Success > 29/08 18:16:49 -OPGP_card_connect in connection.c at line 172 : end > status 0, error code(0x0): Success > 29/08 18:16:49 +select_application in globalplatform.c at line 413 : start > 29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start > 29/08 18:16:49 OPGP_send_APDU: Command --> 00A404000AF00100006203010C0101 > 29/08 18:16:49 +wrap_command in crypto.c at line 841 : start > 29/08 18:16:49 -wrap_command in crypto.c at line 1089 : end status 0, > error code(0x0): Success > 29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line > 296 : start > 29/08 18:16:49 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line > 694 : end status 0, error code(0x80209000): 9000: Success. No error. > 29/08 18:16:49 OPGP_send_APDU: Response <-- 6F0E840AF00100006203010C0101A5009000 > 29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start > 29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end > status 0, error code(0x0): Success > 29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end > status 0, error code(0x80209000): 9000: Success. No error. 
> 29/08 18:16:49 -select_application in globalplatform.c at line 444 : > end status 0, error code(0x0): Success > 29/08 18:16:49 +mutual_authentication in globalplatform.c at line 3584 : start > * 29/08 18:16:49 mutual_authentication: Secure Channel Protocol: 0x01 > * 29/08 18:16:49 mutual_authentication: Secure Channel Protocol > Implementation: 0x05 > 29/08 18:16:49 +get_random in crypto.c at line 1465 : start > 29/08 18:16:49 -get_random in crypto.c at line 1472 : end status 0, > error code(0x0): Success > 29/08 18:16:49 mutual_authentication: Generated Host Challenge: D4BF67725B6928EA > 29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start > * 29/08 18:16:49 OPGP_send_APDU: Command --> 8050000008D4BF67725B6928EA00 > 29/08 18:16:49 +wrap_command in crypto.c at line 841 : start > 29/08 18:16:49 -wrap_command in crypto.c at line 1089 : end status 0, > error code(0x0): Success > 29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line > 296 : start > 29/08 18:16:49 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line > 694 : end status 0, error code(0x80209000): 9000: Success. No error. > 29/08 18:16:49 OPGP_send_APDU: Response <-- > 000082470244119142080102001FC04F087547DA1134FD4C1BECE9E59000 > 29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start > 29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end > status 0, error code(0x0): Success > 29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end > status 0, error code(0x80209000): 9000: Success. No error. 
> 29/08 18:16:49 mutual_authentication: Key Diversification Data: > 00008247024411914208 > 29/08 18:16:49 mutual_authentication: Key Information Data: 0102 > 29/08 18:16:49 mutual_authentication: Card Challenge: 001FC04F087547DA > 29/08 18:16:49 mutual_authentication: Retrieved Card Cryptogram: > 1134FD4C1BECE9E5 > 29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start > 29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at > line 294 : start > 29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at > line 338 : end status 0, error code(0x0): Success > 29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : > end status 0, error code(0x0): Success > 29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start > 29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at > line 294 : start > 29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at > line 338 : end status 0, error code(0x0): Success > 29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : > end status 0, error code(0x0): Success > 29/08 18:16:49 mutual_authentication: S-ENC Session Key: > E374467F06501BB92057F15A8C860AAB > 29/08 18:16:49 mutual_authentication: S-MAC Session Key: > 29/08 18:16:49 mutual_authentication: Data Encryption Key: > 404142434445464748494A4B4C4D4E4F > 29/08 18:16:49 +calculate_card_cryptogram_SCP01 in crypto.c at line 108 : start > 29/08 18:16:49 +calculate_MAC in crypto.c at line 422 : start > 29/08 18:16:49 -calculate_MAC in crypto.c at line 460 : end status 0, > error code(0x0): Success > * 29/08 18:16:49 -calculate_card_cryptogram_SCP01 in crypto.c at > line 118 : end status 0, error code(0x0): Success > 29/08 18:16:49 mutual_authentication: Card Cryptogram to compare: > 683ED52BCE9F682F > 29/08 18:16:49 -mutual_authentication in globalplatform.c at line > 3898 : end status 1, error code(0x80302000): The verification of the > card cryptogram failed. 
>
>
> From the marked lines ( * ) it can be seen that gpshell is trying to use SCP01 (i=5) but my card uses by default SCP02 (i=55). It also has support for SCP01 but with i=15 so there's still something wrong even in the case I accidentally change the protocol version without knowing it. I've tried to force the use of SCP02 by means of the 'sc' option, even when gpshell's documentation says there's no need to do it, but the result is the same, the SCP01 protocol is still being used and the cryptogram can't finally be verified. I also tried passing the 'visa2' value on the keyDerivation option since my card is a JCOP but there was no success. I tried every combination of parameters: passing the kek_key along with the enc_key and mac_key, passing only the -key with the keyDerivation, passing it all together without any results.
>
> Why is gpshell using the wrong protocol version and what can I do to ensure the use of the proper one?
> Is there some way of querying the card for the key derivation algorithm that it supports or has set by default?
> Is there anything else I am missing?
>
> Thanks in advance,
>
> Marcel
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 29 Aug 2011 22:11:23 -0400
> From: Michael StJohns <mst...@co...>
> Subject: Re: [Globalplatform-users] Problem opening a secure channel on a java card
> To: Marcel Cordovi <mco...@gm...>, glo...@li...
> Message-ID: <mai...@li...>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Marcel -
>
> I think you've got a mismatch between what's in the card recognition data and what the card is configured for.
>
> I know this was a problem with the generic open_sc (where you were opening with the security domain) a while back - Karsten ended up providing a fix. I wonder if that's the same problem.
>
> If you can do a select of the AID and then a GET DATA with a P1 of 0 and a P2 of 0x66 and paste it back here, it might be helpful.
>
> Look for a hex string 64 0B 06 09 2A 86 48 86 fc 6b 04 xx yy -- xx should be the SCP and YY the implementation options. My guess is that will be 01 05 to match what gpshell is trying to do.
>
> Which version of GPShell are you using? I thought this was patched.
>
> Mike
>
>
> At 08:08 PM 8/29/2011, Marcel Cordovi wrote:
>> Hi Karsten,
>>
>> I appreciate your reply. I'm still having the same problem establishing a secure channel with my card. In response to one of my questions you posted:
>>
>>> Hi,
>>>
>>> Nothing known to me. You are using processSecurity for all commands not known to your applet?
>>>
>>> Try to get a debug output and post the result.
>>
>>
>> The answer is yes. All not known APDUs are handled by the default clause of a switch statement in the 'process' method and forwarded to:
>>
>>
>>     void SCPcommands ( APDU apdu ) {
>>
>>         responseLength = MySecureChannel.processSecurity( apdu );
>>         if (responseLength != 0 )
>>             apdu.setOutgoingAndSend( (short) ISO7816.OFFSET_CDATA, responseLength );
>>     }
>>
>> as I posted previously.
>>
>>
>> From the marked lines ( * ) it can be seen that gpshell is trying to use SCP01 (i=5) but my card uses by default SCP02 (i=55). It also has support for SCP01 but with i=15 so there's still something wrong even in the case I accidentally change the protocol version without knowing it. I've tried to force the use of SCP02 by means of the 'sc' option, even when gpshell's documentation says there's no need to do it, but the result is the same, the SCP01 protocol is still being used and the cryptogram can't finally be verified. I also tried passing the 'visa2' value on the keyDerivation option since my card is a JCOP but there was no success. I tried every combination of parameters: passing the kek_key along with the enc_key and mac_key, passing only the -key with the keyDerivation, passing it all together without any results.
>>
>> Why is gpshell using the wrong protocol version and what can I do to ensure the use of the proper one?
>> Is there some way of querying the card for the key derivation algorithm that it supports or has set by default?
>> Is there anything else I am missing?
>>
>> Thanks in advance,
>>
>> Marcel
>>
>> ------------------------------------------------------------------------------
>> Special Offer -- Download ArcSight Logger for FREE!
>> Finally, a world-class log management solution at an even better price-free! And you'll get a free "Love Thy Logs" t-shirt when you download Logger. Secure your free ArcSight Logger TODAY!
>> http://p.sf.net/sfu/arcsisghtdev2dev
>> _______________________________________________
>> Globalplatform-users mailing list
>> Glo...@li...
>> https://lists.sourceforge.net/lists/listinfo/globalplatform-users
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 31 Aug 2011 00:48:25 +0200
> From: Karsten Ohme <wid...@t-...>
> Subject: Re: [Globalplatform-users] Problem opening a secure channel on a java card
> To: glo...@li...
> Message-ID: <4E5...@t-...>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi,
>
> Ah! I guess I found it. You are using a GlobalPlatform 2.1.1 compliant card. So you have to specify the mode in the beginning of the script file. Otherwise it falls back to the OpenPlatform 2.0.1 mode.
>
> Start your file with:
>
> mode_211
>
> Karsten
>
>
> ------------------------------
>
> End of Globalplatform-users Digest, Vol 18, Issue 2
> ***************************************************
|
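Michael's recipe above (SELECT the AID, then GET DATA with P1=00 P2=66 and look for 64 0B 06 09 2A 86 48 86 FC 6B 04 xx yy) and Karsten's mode_211 point both come down to reading the card recognition data. The Python below is an added example, not code from this thread, from GPShell or from the GlobalPlatform library: it walks the BER-TLV response, pulls out the SCP number, the implementation option byte i and the GP version, and turns them into the mode line and open_sc switches for the script. The response bytes at the bottom are constructed for the demo, and the -scp/-scpimpl switch names are assumed from GPShell's open_sc usage.

```python
"""Decode SCP number, implementation option i and GP version from the
Card Recognition Data a GlobalPlatform card returns to GET DATA P1=00 P2=66.
Added example for this thread (not GPShell or GlobalPlatform library code);
the response at the bottom is CONSTRUCTED for the demo."""
from typing import Iterator, Optional, Tuple

GP_OID_PREFIX = bytes.fromhex("2A864886FC6B")  # {globalPlatform} 1.2.840.114283, DER
GP_VERSION_ARC = 0x02  # {globalPlatform 2} major minor patch
GP_SCP_ARC = 0x04      # {globalPlatform 4} scp i -> the 64 0B 06 09 ... xx yy element

def strip_status_word(response: bytes) -> bytes:
    """Return the data field; fail loudly unless SW1 SW2 is 9000."""
    if len(response) < 2:
        raise ValueError("response shorter than a status word")
    data, sw = response[:-2], response[-2:]
    if sw != b"\x90\x00":
        # 6985 is the case from the thread: GET DATA 0x66 refused before auth.
        raise ValueError(f"GET DATA failed with SW {sw.hex().upper()}")
    return data

def iter_tlv(data: bytes) -> Iterator[Tuple[bytes, bytes, bool]]:
    """Yield (tag, value, is_constructed) for each BER-TLV at one nesting level."""
    pos, end = 0, len(data)
    while pos < end:
        start = pos
        first = data[pos]
        pos += 1
        if first & 0x1F == 0x1F:                  # multi-byte tag, e.g. 9F 65
            while pos < end and data[pos] & 0x80:
                pos += 1
            pos += 1
        tag = data[start:pos]
        if pos >= end:
            raise ValueError(f"missing length at offset {pos}")
        length = data[pos]
        pos += 1
        if length & 0x80:                         # long form: 0x8N then N bytes
            n = length & 0x7F
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"truncated TLV starting at offset {start}")
        pos += length
        yield tag, value, bool(first & 0x20)      # bit 6 of tag byte = constructed

def find_gp_oid(data: bytes, arc: int) -> Optional[bytes]:
    """Depth-first search for an OID (tag 06) under {globalPlatform <arc>};
    returns the bytes after the arc, or None if absent."""
    plen = len(GP_OID_PREFIX)
    for tag, value, constructed in iter_tlv(data):
        if (tag == b"\x06" and value[:plen] == GP_OID_PREFIX
                and len(value) > plen and value[plen] == arc):
            return value[plen + 1:]
        if constructed:
            found = find_gp_oid(value, arc)
            if found is not None:
                return found
    return None

def secure_channel_params(data: bytes) -> Optional[Tuple[int, int]]:
    """(scp, i) from 64 0B 06 09 2A 86 48 86 FC 6B 04 xx yy."""
    rest = find_gp_oid(data, GP_SCP_ARC)
    return (rest[0], rest[1]) if rest is not None and len(rest) == 2 else None

def gp_version(data: bytes) -> Optional[str]:
    """Dotted GP version from the {globalPlatform 2} OID, e.g. '2.1.1'."""
    rest = find_gp_oid(data, GP_VERSION_ARC)
    return ".".join(str(b) for b in rest) if rest else None

def gpshell_switches(scp: int, i: int) -> str:
    """open_sc switches pinning gpshell to what the card advertised
    (switch names assumed from GPShell usage; check your version's docs)."""
    return f"-scp {scp} -scpimpl 0x{i:02X}"

def diagnose(response: bytes) -> str:
    """One-line verdict in the thread's terms: the mode to start the script
    with (Karsten's point) and the open_sc switches (Michael's point)."""
    data = strip_status_word(response)
    version = gp_version(data)
    params = secure_channel_params(data)
    if params is None:
        return f"GP {version}: no SCP OID in card recognition data"
    scp, i = params
    major_minor = tuple(int(x) for x in (version or "0.0").split(".")[:2])
    mode = "mode_211" if major_minor >= (2, 1) else "OpenPlatform 2.0.1 mode"
    return f"GP {version}, SCP0{scp} i=0x{i:02X}: {mode}; open_sc {gpshell_switches(scp, i)}"

# CONSTRUCTED response: a GP 2.1.1 card advertising SCP02 with i=0x55.
SAMPLE_RESPONSE = bytes.fromhex(
    "6631"                          # tag 66, 49 bytes follow
    "732F"                          # tag 73, 47 bytes follow
    "06072A864886FC6B01"            # {globalPlatform 1} card recognition data
    "600C060A2A864886FC6B02020101"  # {globalPlatform 2} version 2.1.1
    "630906072A864886FC6B03"        # {globalPlatform 3} card identification scheme
    "640B06092A864886FC6B040255"    # {globalPlatform 4} SCP02, i=0x55
    "9000"                          # SW1 SW2
)
# diagnose(SAMPLE_RESPONSE) -> GP 2.1.1, SCP02 i=0x55: mode_211; open_sc -scp 2 -scpimpl 0x55
```

A card that answers GET DATA 0x66 with 6985, as in the thread, makes strip_status_word raise instead of returning garbage to the parser.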
From: Karsten O. <wid...@t-...> - 2011-08-30 22:48:47
|
Hi,

Ah! I guess I found it. You are using a GlobalPlatform 2.1.1 compliant card. So you have to specify the mode in the beginning of the script file. Otherwise it falls back to the OpenPlatform 2.0.1 mode.

Start your file with:

mode_211

Karsten

Am 30.08.2011 04:11, schrieb Michael StJohns:
> Hi Marcel -
>
> I think you've got a mismatch between what's in the card recognition data and what the card is configured for.
>
> I know this was a problem with the generic open_sc (where you were opening with the security domain) a while back - Karsten ended up providing a fix. I wonder if that's the same problem.
>
> If you can do a select of the AID and then a GET DATA with a P1 of 0 and a P2 of 0x66 and paste it back here, it might be helpful.
>
> Look for a hex string 64 0B 06 09 2A 86 48 86 fc 6b 04 xx yy -- xx should be the SCP and YY the implementation options. My guess is that will be 01 05 to match what gpshell is trying to do.
>
> Which version of GPShell are you using? I thought this was patched.
>
> Mike
>
>
> At 08:08 PM 8/29/2011, Marcel Cordovi wrote:
>> Hi Karsten,
>>
>> I appreciate your reply. I'm still having the same problem establishing a secure channel with my card. In response to one of my questions you posted:
>>
>>> Hi,
>>>
>>> Nothing known to me. You are using processSecurity for all commands not known to your applet?
>>>
>>> Try to get a debug output and post the result.
>>
>> The answer is yes. All not known APDUs are handled by the default clause of a switch statement in the 'process' method and forwarded to:
>>
>>
>>     void SCPcommands ( APDU apdu ) {
>>
>>         responseLength = MySecureChannel.processSecurity( apdu );
>>         if (responseLength != 0 )
>>             apdu.setOutgoingAndSend( (short) ISO7816.OFFSET_CDATA, responseLength );
>>     }
>>
>> as I posted previously.
>> 29/08 18:16:49 OPGP_send_APDU: Response <-- >> 000082470244119142080102001FC04F087547DA1134FD4C1BECE9E59000 >> 29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start >> 29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end >> status 0, error code(0x0): Success >> 29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end >> status 0, error code(0x80209000): 9000: Success. No error. >> 29/08 18:16:49 mutual_authentication: Key Diversification Data: >> 00008247024411914208 >> 29/08 18:16:49 mutual_authentication: Key Information Data: 0102 >> 29/08 18:16:49 mutual_authentication: Card Challenge: 001FC04F087547DA >> 29/08 18:16:49 mutual_authentication: Retrieved Card Cryptogram: >> 1134FD4C1BECE9E5 >> 29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start >> 29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at >> line 294 : start >> 29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at >> line 338 : end status 0, error code(0x0): Success >> 29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : >> end status 0, error code(0x0): Success >> 29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start >> 29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at >> line 294 : start >> 29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at >> line 338 : end status 0, error code(0x0): Success >> 29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : >> end status 0, error code(0x0): Success >> 29/08 18:16:49 mutual_authentication: S-ENC Session Key: >> E374467F06501BB92057F15A8C860AAB >> 29/08 18:16:49 mutual_authentication: S-MAC Session Key: >> 29/08 18:16:49 mutual_authentication: Data Encryption Key: >> 404142434445464748494A4B4C4D4E4F >> 29/08 18:16:49 +calculate_card_cryptogram_SCP01 in crypto.c at line 108 : start >> 29/08 18:16:49 +calculate_MAC in crypto.c at line 422 : start >> 29/08 18:16:49 -calculate_MAC in crypto.c at line 
460 : end status 0, >> error code(0x0): Success >> * 29/08 18:16:49 -calculate_card_cryptogram_SCP01 in crypto.c at >> line 118 : end status 0, error code(0x0): Success >> 29/08 18:16:49 mutual_authentication: Card Cryptogram to compare: >> 683ED52BCE9F682F >> 29/08 18:16:49 -mutual_authentication in globalplatform.c at line >> 3898 : end status 1, error code(0x80302000): The verification of the >> card cryptogram failed. >> >> >> >From the marked lines ( * ) can be seen that gpshell is trying to use >> SCP01 (i=5) but my card uses by default SCP02 (i=55). It also has >> support for SCP01 but with i=15 so there's still something wrong even >> in the case I accidentally change the protocol version without knowing >> it. I've tried to force the use of SCP02 by means of the 'sc' option, >> even when gpshell's documentation says there's no need to do it, but >> the result is the same, the SCP01 protocol is still being used and the >> cryptogram can't finally be verified. I also tried passing the 'visa2' >> value on the keyDerivation option since my card is a JCOP but there >> were no success. I tried every combination of parameters: passing the >> kek_key along with the enc_key and mac_key, passing only the -key with >> the keyDerivation, passing it all together without any results. >> >> Why is gpshell using the wrong protocol version and what can I do to >> ensure the use of the proper one? >> Is there some way of querying the card for the key derivation >> algorithm that it supports or has set by default? >> Is there anything else am I missing? >> >> Thanks in advance, >> >> Marcel >> >> ------------------------------------------------------------------------------ >> Special Offer -- Download ArcSight Logger for FREE! >> Finally, a world-class log management solution at an even better >> price-free! And you'll get a free "Love Thy Logs" t-shirt when you >> download Logger. Secure your free ArcSight Logger TODAY! 
>> http://p.sf.net/sfu/arcsisghtdev2dev >> _______________________________________________ >> Globalplatform-users mailing list >> Glo...@li... >> https://lists.sourceforge.net/lists/listinfo/globalplatform-users > > > ------------------------------------------------------------------------------ > Special Offer -- Download ArcSight Logger for FREE! > Finally, a world-class log management solution at an even better > price-free! And you'll get a free "Love Thy Logs" t-shirt when you > download Logger. Secure your free ArcSight Logger TODAY! > http://p.sf.net/sfu/arcsisghtdev2dev > _______________________________________________ > Globalplatform-users mailing list > Glo...@li... > https://lists.sourceforge.net/lists/listinfo/globalplatform-users > |
From: Michael S. <mst...@co...> - 2011-08-30 02:11:59
Hi Marcel - I think you've got a mismatch between what's in the card recognition data and what the card is configured for. I know this was a problem with the generic open_sc (where you were opening with the security domain) a while back - Karsten ended up providing a fix. I wonder if that's the same problem.

If you can do a select of the AID and then a GET DATA with a P1 of 0 and a P2 of 0x66 and paste it back here, it might be helpful. Look for a hex string 64 0B 06 09 2A 86 48 86 FC 6B 04 xx yy -- xx should be the SCP and yy the implementation options. My guess is that will be 01 05 to match what gpshell is trying to do.

Which version of GPShell are you using? I thought this was patched.

Mike

At 08:08 PM 8/29/2011, Marcel Cordovi wrote:
>Hi Karsten,
>
> I appreciate your reply. I'm still having the same problem establishing a secure channel with my card. In response to one of my questions you posted:
>
>> Hi,
>>
>> Nothing known to me. You are using processSecurity for all commands not
>> known to your applet?
>>
>> Try to get a debug output and post the result.
>
>The answer is yes. All unknown APDUs are handled by the default clause of a switch statement in the 'process' method and forwarded to:
>
> void SCPcommands ( APDU apdu ) {
>     responseLength = MySecureChannel.processSecurity( apdu );
>     if (responseLength != 0 )
>         apdu.setOutgoingAndSend( (short) ISO7816.OFFSET_CDATA, responseLength );
> }
>
>as I posted previously.
>
>I tried the following script:
>
>---------------------------------------------
>establish_context
>enable_trace
>enable_timer
>card_connect
>
>select -AID F00100006203010C0101
>open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Open secure channel
>
>card_disconnect
>release_context
>-----------------------------------------------
>
>And this is the DEBUG trace:
>
>29/08 18:16:49 +OPGP_establish_context in connection.c at line 56 : start
>29/08 18:16:49 +OPGP_release_context in connection.c at line 108 : start
>29/08 18:16:49 -OPGP_release_context in connection.c at line 132 : end status 0, error code(0x0): Success
>29/08 18:16:49 +DYN_LoadLibrary in dyn_unix.c at line 60 : start
>29/08 18:16:49 DYN_LoadLibrary: Using library name "gppcscconnectionplugin" and version "1.0.1".
>29/08 18:16:49 -DYN_LoadLibrary in dyn_unix.c at line 107 : end status 0, error code(0x0): Success
>29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>29/08 18:16:49 +OPGP_PL_establish_context in gppcscconnectionplugin.c at line 85 : start
>29/08 18:16:49 -OPGP_PL_establish_context in gppcscconnectionplugin.c at line 98 : end status 0, error code(0x0): Success
>29/08 18:16:49 -OPGP_establish_context in connection.c at line 95 : end status 0, error code(0x0): Success
>29/08 18:16:49 +OPGP_list_readers in connection.c at line 148 : start
>29/08 18:16:49 +OPGP_PL_list_readers in gppcscconnectionplugin.c at line 137 : start
>29/08 18:16:49 OPGP_PL_list_readers: readerSize: 24
>29/08 18:16:49 -OPGP_PL_list_readers in gppcscconnectionplugin.c at line 176 : end status 0, error code(0x0): Success
>29/08 18:16:49 -OPGP_list_readers in connection.c at line 151 : end status 0, error code(0x0): Success
>29/08 18:16:49 +OPGP_card_connect in connection.c at line 167 : start
>29/08 18:16:49 +OPGP_PL_card_connect in gppcscconnectionplugin.c at line 202 : start
>29/08 18:16:49 OPGP_PL_card_connect: Connected to card in reader ACS ACR 38U-CCID 00 00 with protocol 2 in card state 524340
>29/08 18:16:49 OPGP_PL_card_connect: Card ATR: 3BFD1800008131FE4550565F4A434F50323176323332E7
>29/08 18:16:49 -OPGP_PL_card_connect in gppcscconnectionplugin.c at line 242 : end status 0, error code(0x0): Success
>29/08 18:16:49 -OPGP_card_connect in connection.c at line 172 : end status 0, error code(0x0): Success
>29/08 18:16:49 +select_application in globalplatform.c at line 413 : start
>29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start
>29/08 18:16:49 OPGP_send_APDU: Command --> 00A404000AF00100006203010C0101
>29/08 18:16:49 +wrap_command in crypto.c at line 841 : start
>29/08 18:16:49 -wrap_command in crypto.c at line 1089 : end status 0, error code(0x0): Success
>29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 296 : start
>29/08 18:16:49 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 694 : end status 0, error code(0x80209000): 9000: Success. No error.
>29/08 18:16:49 OPGP_send_APDU: Response <-- 6F0E840AF00100006203010C0101A5009000
>29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start
>29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end status 0, error code(0x0): Success
>29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end status 0, error code(0x80209000): 9000: Success. No error.
>29/08 18:16:49 -select_application in globalplatform.c at line 444 : end status 0, error code(0x0): Success
>29/08 18:16:49 +mutual_authentication in globalplatform.c at line 3584 : start
> * 29/08 18:16:49 mutual_authentication: Secure Channel Protocol: 0x01
> * 29/08 18:16:49 mutual_authentication: Secure Channel Protocol Implementation: 0x05
>29/08 18:16:49 +get_random in crypto.c at line 1465 : start
>29/08 18:16:49 -get_random in crypto.c at line 1472 : end status 0, error code(0x0): Success
>29/08 18:16:49 mutual_authentication: Generated Host Challenge: D4BF67725B6928EA
>29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start
> * 29/08 18:16:49 OPGP_send_APDU: Command --> 8050000008D4BF67725B6928EA00
>29/08 18:16:49 +wrap_command in crypto.c at line 841 : start
>29/08 18:16:49 -wrap_command in crypto.c at line 1089 : end status 0, error code(0x0): Success
>29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 296 : start
>29/08 18:16:49 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 694 : end status 0, error code(0x80209000): 9000: Success. No error.
>29/08 18:16:49 OPGP_send_APDU: Response <-- 000082470244119142080102001FC04F087547DA1134FD4C1BECE9E59000
>29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start
>29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end status 0, error code(0x0): Success
>29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end status 0, error code(0x80209000): 9000: Success. No error.
>29/08 18:16:49 mutual_authentication: Key Diversification Data: 00008247024411914208
>29/08 18:16:49 mutual_authentication: Key Information Data: 0102
>29/08 18:16:49 mutual_authentication: Card Challenge: 001FC04F087547DA
>29/08 18:16:49 mutual_authentication: Retrieved Card Cryptogram: 1134FD4C1BECE9E5
>29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start
>29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at line 294 : start
>29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at line 338 : end status 0, error code(0x0): Success
>29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : end status 0, error code(0x0): Success
>29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start
>29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at line 294 : start
>29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at line 338 : end status 0, error code(0x0): Success
>29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : end status 0, error code(0x0): Success
>29/08 18:16:49 mutual_authentication: S-ENC Session Key: E374467F06501BB92057F15A8C860AAB
>29/08 18:16:49 mutual_authentication: S-MAC Session Key:
>29/08 18:16:49 mutual_authentication: Data Encryption Key: 404142434445464748494A4B4C4D4E4F
>29/08 18:16:49 +calculate_card_cryptogram_SCP01 in crypto.c at line 108 : start
>29/08 18:16:49 +calculate_MAC in crypto.c at line 422 : start
>29/08 18:16:49 -calculate_MAC in crypto.c at line 460 : end status 0, error code(0x0): Success
> * 29/08 18:16:49 -calculate_card_cryptogram_SCP01 in crypto.c at line 118 : end status 0, error code(0x0): Success
>29/08 18:16:49 mutual_authentication: Card Cryptogram to compare: 683ED52BCE9F682F
>29/08 18:16:49 -mutual_authentication in globalplatform.c at line 3898 : end status 1, error code(0x80302000): The verification of the card cryptogram failed.
>
>From the marked lines ( * ) it can be seen that gpshell is trying to use SCP01 (i=5) but my card uses SCP02 (i=55) by default. It also has support for SCP01 but with i=15, so there's still something wrong even in the case I accidentally change the protocol version without knowing it. I've tried to force the use of SCP02 by means of the 'sc' option, even though gpshell's documentation says there's no need to do it, but the result is the same: the SCP01 protocol is still being used and the cryptogram can't be verified. I also tried passing the 'visa2' value on the keyDerivation option since my card is a JCOP, but without success. I tried every combination of parameters: passing the kek_key along with the enc_key and mac_key, passing only the -key with the keyDerivation, passing it all together, without any results.
>
>Why is gpshell using the wrong protocol version and what can I do to ensure the use of the proper one?
>Is there some way of querying the card for the key derivation algorithm that it supports or has set by default?
>Is there anything else I am missing?
>
>Thanks in advance,
>
>Marcel
From: Marcel C. <mco...@gm...> - 2011-08-30 00:08:57
Hi Karsten,

I appreciate your reply. I'm still having the same problem establishing a secure channel with my card. In response to one of my questions you posted:

> Hi,
>
> Nothing known to me. You are using processSecurity for all commands not
> known to your applet?
>
> Try to get a debug output and post the result.

The answer is yes. All unknown APDUs are handled by the default clause of a switch statement in the 'process' method and forwarded to:

    void SCPcommands ( APDU apdu ) {
        responseLength = MySecureChannel.processSecurity( apdu );
        if (responseLength != 0 )
            apdu.setOutgoingAndSend( (short) ISO7816.OFFSET_CDATA, responseLength );
    }

as I posted previously.

I tried the following script:

---------------------------------------------
establish_context
enable_trace
enable_timer
card_connect

select -AID F00100006203010C0101
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Open secure channel

card_disconnect
release_context
-----------------------------------------------

And this is the DEBUG trace:

29/08 18:16:49 +OPGP_establish_context in connection.c at line 56 : start
29/08 18:16:49 +OPGP_release_context in connection.c at line 108 : start
29/08 18:16:49 -OPGP_release_context in connection.c at line 132 : end status 0, error code(0x0): Success
29/08 18:16:49 +DYN_LoadLibrary in dyn_unix.c at line 60 : start
29/08 18:16:49 DYN_LoadLibrary: Using library name "gppcscconnectionplugin" and version "1.0.1".
29/08 18:16:49 -DYN_LoadLibrary in dyn_unix.c at line 107 : end status 0, error code(0x0): Success
29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
29/08 18:16:49 +OPGP_PL_establish_context in gppcscconnectionplugin.c at line 85 : start
29/08 18:16:49 -OPGP_PL_establish_context in gppcscconnectionplugin.c at line 98 : end status 0, error code(0x0): Success
29/08 18:16:49 -OPGP_establish_context in connection.c at line 95 : end status 0, error code(0x0): Success
29/08 18:16:49 +OPGP_list_readers in connection.c at line 148 : start
29/08 18:16:49 +OPGP_PL_list_readers in gppcscconnectionplugin.c at line 137 : start
29/08 18:16:49 OPGP_PL_list_readers: readerSize: 24
29/08 18:16:49 -OPGP_PL_list_readers in gppcscconnectionplugin.c at line 176 : end status 0, error code(0x0): Success
29/08 18:16:49 -OPGP_list_readers in connection.c at line 151 : end status 0, error code(0x0): Success
29/08 18:16:49 +OPGP_card_connect in connection.c at line 167 : start
29/08 18:16:49 +OPGP_PL_card_connect in gppcscconnectionplugin.c at line 202 : start
29/08 18:16:49 OPGP_PL_card_connect: Connected to card in reader ACS ACR 38U-CCID 00 00 with protocol 2 in card state 524340
29/08 18:16:49 OPGP_PL_card_connect: Card ATR: 3BFD1800008131FE4550565F4A434F50323176323332E7
29/08 18:16:49 -OPGP_PL_card_connect in gppcscconnectionplugin.c at line 242 : end status 0, error code(0x0): Success
29/08 18:16:49 -OPGP_card_connect in connection.c at line 172 : end status 0, error code(0x0): Success
29/08 18:16:49 +select_application in globalplatform.c at line 413 : start
29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start
29/08 18:16:49 OPGP_send_APDU: Command --> 00A404000AF00100006203010C0101
29/08 18:16:49 +wrap_command in crypto.c at line 841 : start
29/08 18:16:49 -wrap_command in crypto.c at line 1089 : end status 0, error code(0x0): Success
29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 296 : start
29/08 18:16:49 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 694 : end status 0, error code(0x80209000): 9000: Success. No error.
29/08 18:16:49 OPGP_send_APDU: Response <-- 6F0E840AF00100006203010C0101A5009000
29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start
29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end status 0, error code(0x0): Success
29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end status 0, error code(0x80209000): 9000: Success. No error.
29/08 18:16:49 -select_application in globalplatform.c at line 444 : end status 0, error code(0x0): Success
29/08 18:16:49 +mutual_authentication in globalplatform.c at line 3584 : start
* 29/08 18:16:49 mutual_authentication: Secure Channel Protocol: 0x01
* 29/08 18:16:49 mutual_authentication: Secure Channel Protocol Implementation: 0x05
29/08 18:16:49 +get_random in crypto.c at line 1465 : start
29/08 18:16:49 -get_random in crypto.c at line 1472 : end status 0, error code(0x0): Success
29/08 18:16:49 mutual_authentication: Generated Host Challenge: D4BF67725B6928EA
29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start
* 29/08 18:16:49 OPGP_send_APDU: Command --> 8050000008D4BF67725B6928EA00
29/08 18:16:49 +wrap_command in crypto.c at line 841 : start
29/08 18:16:49 -wrap_command in crypto.c at line 1089 : end status 0, error code(0x0): Success
29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 296 : start
29/08 18:16:49 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 694 : end status 0, error code(0x80209000): 9000: Success. No error.
29/08 18:16:49 OPGP_send_APDU: Response <-- 000082470244119142080102001FC04F087547DA1134FD4C1BECE9E59000
29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start
29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end status 0, error code(0x0): Success
29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end status 0, error code(0x80209000): 9000: Success. No error.
29/08 18:16:49 mutual_authentication: Key Diversification Data: 00008247024411914208
29/08 18:16:49 mutual_authentication: Key Information Data: 0102
29/08 18:16:49 mutual_authentication: Card Challenge: 001FC04F087547DA
29/08 18:16:49 mutual_authentication: Retrieved Card Cryptogram: 1134FD4C1BECE9E5
29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start
29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at line 294 : start
29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at line 338 : end status 0, error code(0x0): Success
29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : end status 0, error code(0x0): Success
29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start
29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at line 294 : start
29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at line 338 : end status 0, error code(0x0): Success
29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : end status 0, error code(0x0): Success
29/08 18:16:49 mutual_authentication: S-ENC Session Key: E374467F06501BB92057F15A8C860AAB
29/08 18:16:49 mutual_authentication: S-MAC Session Key:
29/08 18:16:49 mutual_authentication: Data Encryption Key: 404142434445464748494A4B4C4D4E4F
29/08 18:16:49 +calculate_card_cryptogram_SCP01 in crypto.c at line 108 : start
29/08 18:16:49 +calculate_MAC in crypto.c at line 422 : start
29/08 18:16:49 -calculate_MAC in crypto.c at line 460 : end status 0, error code(0x0): Success
* 29/08 18:16:49 -calculate_card_cryptogram_SCP01 in crypto.c at line 118 : end status 0, error code(0x0): Success
29/08 18:16:49 mutual_authentication: Card Cryptogram to compare: 683ED52BCE9F682F
29/08 18:16:49 -mutual_authentication in globalplatform.c at line 3898 : end status 1, error code(0x80302000): The verification of the card cryptogram failed.

From the marked lines ( * ) it can be seen that gpshell is trying to use SCP01 (i=5) but my card uses SCP02 (i=55) by default. It also has support for SCP01 but with i=15, so there's still something wrong even in the case I accidentally change the protocol version without knowing it. I've tried to force the use of SCP02 by means of the 'sc' option, even though gpshell's documentation says there's no need to do it, but the result is the same: the SCP01 protocol is still being used and the cryptogram can't be verified. I also tried passing the 'visa2' value on the keyDerivation option since my card is a JCOP, but without success. I tried every combination of parameters: passing the kek_key along with the enc_key and mac_key, passing only the -key with the keyDerivation, passing it all together, without any results.

Why is gpshell using the wrong protocol version and what can I do to ensure the use of the proper one?
Is there some way of querying the card for the key derivation algorithm that it supports or has set by default?
Is there anything else I am missing?

Thanks in advance,

Marcel
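Added example, not code from GPShell or the GlobalPlatform library: a small Python decoder for the two pieces of cleartext information this thread turns on. It parses the INITIALIZE UPDATE response from Marcel's trace, whose Key Information bytes 0102 already name key version 1 and SCP02 while the host was deriving SCP01 session keys (the earlier trace on this page returns the same 0102 with the SCP02 sequence counter at 001A, moving to 001F here), and it walks the Card Recognition Data that Mike asks for (GET DATA, P1 00, P2 66) to pull the SCP identifier and the 'i' byte out of every tag 64 object carrying the 2A 86 48 86 FC 6B 04 OID prefix. The INITIALIZE UPDATE bytes are the ones in the trace; the Card Recognition Data sample is constructed here with the `_tlv` helper and not captured from Marcel's card, and `scp_mismatch` is this example's own check, not a GPShell option.

```python
"""Decode what a GlobalPlatform card reports in the clear before a secure channel opens.

Added example for this thread; not code from GPShell or the GlobalPlatform library.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OID prefix carried in tag 64 of the Card Recognition Data; the last two bytes are scp and i
SCP_OID_PREFIX = bytes.fromhex("2A864886FC6B04")
# GET DATA, P1 00 P2 66: Card Recognition Data (the check suggested in the thread)
GET_DATA_CARD_RECOGNITION = bytes.fromhex("80CA006600")


@dataclass
class InitUpdateResponse:
    key_diversification: bytes   # 10 bytes
    key_version: int             # key version number the card picked
    scp: int                     # Secure Channel Protocol identifier (0x01 or 0x02)
    card_challenge: bytes        # 8 bytes
    card_cryptogram: bytes       # 8 bytes

    @property
    def sequence_counter(self) -> Optional[int]:
        """SCP02 prefixes its 6-byte random with a 2-byte sequence counter."""
        return int.from_bytes(self.card_challenge[:2], "big") if self.scp == 0x02 else None


def parse_initialize_update(resp: bytes) -> InitUpdateResponse:
    """Parse a 28-byte SCP01/SCP02 INITIALIZE UPDATE response; a trailing SW 9000 is accepted."""
    if len(resp) == 30 and resp[-2:] == b"\x90\x00":
        resp = resp[:-2]
    if len(resp) != 28:   # SCP03 answers 29 or 32 bytes with a 3-byte key information field
        raise ValueError("expected 28 data bytes for SCP01/SCP02, got %d" % len(resp))
    return InitUpdateResponse(resp[0:10], resp[10], resp[11], resp[12:20], resp[20:28])


def parse_tlv(data: bytes) -> List[Tuple[int, bytes]]:
    """One level of BER-TLV; handles multi-byte tags and long-form lengths."""
    out, i = [], 0
    while i < len(data):
        tag, i = data[i], i + 1
        if tag & 0x1F == 0x1F:                      # more tag bytes follow
            while True:
                tag, i = (tag << 8) | data[i], i + 1
                if not data[i - 1] & 0x80:
                    break
        length, i = data[i], i + 1
        if length & 0x80:                           # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("TLV value runs past end of data at tag %02X" % tag)
        out.append((tag, data[i:i + length]))
        i += length
    return out


def card_recognition_scp_options(data: bytes) -> List[Tuple[int, int]]:
    """Return [(scp, i), ...] from every tag 64 object; accepts '66 L 73 L ...' or a bare 73."""
    objs = parse_tlv(data)
    if len(objs) == 1 and objs[0][0] == 0x66:
        objs = parse_tlv(objs[0][1])
    card_data = next((v for t, v in objs if t == 0x73), None)
    if card_data is None:
        raise ValueError("no tag 73 (Card Data) present")
    options = []
    for tag, value in parse_tlv(card_data):
        for inner_tag, oid in (parse_tlv(value) if tag == 0x64 else []):
            if inner_tag == 0x06 and oid[:-2] == SCP_OID_PREFIX:
                options.append((oid[-2], oid[-1]))
    return options


def scp_mismatch(resp: InitUpdateResponse, host_scp: int) -> Optional[str]:
    """None when host and card agree on the protocol; otherwise why the cryptogram cannot verify."""
    if resp.scp == host_scp:
        return None
    return ("card answered with SCP%02d, key version %d; host derives SCP%02d session keys, "
            "so the card cryptogram will never match" % (resp.scp, resp.key_version, host_scp))


def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form TLV encoder, used only to build the constructed sample below."""
    return bytes([tag, len(value)]) + value


def constructed_card_recognition_data() -> bytes:
    """Constructed sample, not captured from a card: advertises SCP02 i=55 and SCP01 i=15."""
    card_data = (
        _tlv(0x06, bytes.fromhex("2A864886FC6B01"))                          # Card Recognition Data
        + _tlv(0x60, _tlv(0x06, bytes.fromhex("2A864886FC6B02020101")))      # GP version 2.1.1
        + _tlv(0x63, _tlv(0x06, bytes.fromhex("2A864886FC6B03")))            # card identification scheme
        + _tlv(0x64, _tlv(0x06, SCP_OID_PREFIX + bytes([0x02, 0x55])))       # SCP02, i=55
        + _tlv(0x64, _tlv(0x06, SCP_OID_PREFIX + bytes([0x01, 0x15])))       # SCP01, i=15
    )
    return _tlv(0x66, _tlv(0x73, card_data))


if __name__ == "__main__":
    # INITIALIZE UPDATE response taken from the trace in the thread, SW 9000 included
    resp = parse_initialize_update(bytes.fromhex(
        "000082470244119142080102001FC04F087547DA1134FD4C1BECE9E59000"))
    print("key version %d, SCP%02d, sequence counter %s" % (resp.key_version, resp.scp, resp.sequence_counter))
    print(scp_mismatch(resp, host_scp=0x01))            # the situation in the trace
    print(card_recognition_scp_options(constructed_card_recognition_data()))
```

With a real card, send the SELECT, then `80CA006600`, and feed the returned bytes to `card_recognition_scp_options`; the (scp, i) pairs are what the host side has to be told before INITIALIZE UPDATE, because the card cryptogram is computed over session keys whose derivation differs between SCP01 and SCP02. A card that returns no tag 64 objects gives you nothing here, and the SCP byte in the INITIALIZE UPDATE response is then the only cleartext indication of the protocol the card expects.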
From: Karsten O. <wid...@t-...> - 2011-08-27 16:13:34
Am 27.08.2011 03:04, schrieb Marcel Cordovi:
>
> Hi,
>
> I'm having problems establishing a secure channel with an applet I've just installed in a javacard. The card is in an INITIALIZED state with its three keys set to the default value (404142434445464748494A4B4C4D4E4F). I know I'm able to establish a secure channel with the Card Manager using these keys because I can successfully install my own applets using this gpshell script:
>
> mode_211
> enable_trace
> enable_timer
>
> establish_context
> card_connect
> select -AID a000000003000000
> open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
> delete -AID F00100006203010C0101
> delete -AID F00100006203010C01
> install -file samples.cap -priv 2
> # getdata
> # close_sc // Close secure channel
> # putkey // Put key
> // options:
> // -keyind Key index
> // -keyver Key version
> // -key Key value in hex
> card_disconnect
> release_context
>
> The sample applet I'm using for testing purposes is taken from http://www.globalplatform.org/specificationform.asp?fid=6306. I can infer from the code that the security command processing is performed inside the following code snippet:
>
> void SCPcommands ( APDU apdu ) {
>     responseLength = MySecureChannel.processSecurity( apdu );
>     if (responseLength != 0 )
>         apdu.setOutgoingAndSend( (short) ISO7816.OFFSET_CDATA, responseLength );
> }
>
> so the SCP02's management is being left to the Security Domain the applet is associated with (the ISD I assume, since the Card Manager was used to install the applet).
>
> The problem arises when trying to establish a secure channel with the applet using the gpshell script:
>
> establish_context
> enable_trace
> enable_timer
> card_connect
>
> select -AID F00100006203010C0101
> open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
>
> card_disconnect
> release_context
>
> gpshell keeps returning an error in an early stage of the SCP02 as a result of sending the INITIALIZE UPDATE command. The card cryptogram cannot be verified, as can be seen in the trace:
>
> establish_context
> enable_trace
> enable_timer
> card_connect
> command time: 0 ms
> select -AID F00100006203010C0101
> Command --> 00A404000AF00100006203010C0101
> Wrapped command --> 00A404000AF00100006203010C0101
> Response <-- 6F0E840AF00100006203010C0101A5009000
> command time: 22 ms
> open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
> Command --> 805000000818594C319FFDF58C00
> Wrapped command --> 805000000818594C319FFDF58C00
> Response <-- 000082470244119142080102001AE08851C2967C0CC37A11A2F1FE579000
> mutual_authentication() returns 0x80302000 (The verification of the card cryptogram failed.)
>
> Am I missing some applet specific parameters in the open_sc commands?

Hi,

Nothing known to me. You are using processSecurity for all commands not known to your applet?

Try to get a debug output and post the result:
http://sourceforge.net/apps/mediawiki/globalplatform/index.php?title=GPShell#Debug_output

> Am I using the right keys?
> Do I need to establish new keys for the applet other than the default ones set for the ISD?
> How do I install my own security domain and associate custom applets with it?

Security domain packages are preinstalled on the card. You have to list all load files and execute an install_for_install command to install the security domain. Then execute the install -file ... -sdAID sdAID command. The sdAID is important here. Maybe you also have to pass some privileges. Without a manual from your smart card vendor this will be a pain, and in practice you will not receive such a manual when buying cards.

INSTALL [for extradition], which is only available in the GP Library behind GPShell, might also be useful to associate the applet with an SD. But this is not available in GPShell for now.

Delegated management, i.e. especially giving a Security Domain the right to install applications, is not very well tested because of lacking sample cards and unknown card behaviors.

Karsten

> I would appreciate any help.
>
> Thanks.
>
> Marcel
From: Marcel C. <mco...@gm...> - 2011-08-27 01:04:12
|
Hi,

I'm having problems establishing a secure channel with an applet I've just installed in a javacard. The card is in an INITIALIZED state with its three keys set to the default value (404142434445464748494A4B4C4D4E4F). I know I'm able to establish a secure channel with the Card Manager using these keys because I can successfully install my own applets using this gpshell script:

mode_211
enable_trace
enable_timer
establish_context
card_connect
select -AID a000000003000000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
delete -AID F00100006203010C0101
delete -AID F00100006203010C01
install -file samples.cap -priv 2
# getdata
# close_sc // Close secure channel
# putkey // Put key
// options:
// -keyind Key index
// -keyver Key version
// -key Key value in hex
card_disconnect
release_context

The sample applet I'm using for testing purposes is taken from http://www.globalplatform.org/specificationform.asp?fid=6306. I can infer from the code that the security command processing is performed inside the following code snippet:

void SCPcommands(APDU apdu) {
    responseLength = MySecureChannel.processSecurity(apdu);
    if (responseLength != 0)
        apdu.setOutgoingAndSend((short) ISO7816.OFFSET_CDATA, responseLength);
}

so the SCP02 management is being left to the Security Domain the applet is associated with (the ISD, I assume, since the Card Manager was used to install the applet). The problem arises when trying to establish a secure channel with the applet using the gpshell script:

establish_context
enable_trace
enable_timer
card_connect
select -AID F00100006203010C0101
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
card_disconnect
release_context

gpshell keeps returning an error at an early stage of SCP02, as a result of sending the INITIALIZE UPDATE command. The card cryptogram cannot be verified, as can be seen in the trace:

establish_context
enable_trace
enable_timer
card_connect
command time: 0 ms
select -AID F00100006203010C0101
Command --> 00A404000AF00100006203010C0101
Wrapped command --> 00A404000AF00100006203010C0101
Response <-- 6F0E840AF00100006203010C0101A5009000
command time: 22 ms
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
Command --> 805000000818594C319FFDF58C00
Wrapped command --> 805000000818594C319FFDF58C00
Response <-- 000082470244119142080102001AE08851C2967C0CC37A11A2F1FE579000
mutual_authentication() returns 0x80302000 (The verification of the card cryptogram failed.)

Am I missing some applet-specific parameters in the open_sc commands? Am I using the right keys? Do I need to establish new keys for the applet other than the default ones set for the ISD? How do I install my own security domain and associate custom applets with it?

I would appreciate any help. Thanks.

Marcel
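The trace above contains two card responses that are worth reading field by field before touching the keys: the FCI returned by SELECT and the INITIALIZE UPDATE response that GPShell could not verify. The following parser is an added example, not GPShell code or part of the post; the SCP02 INITIALIZE UPDATE response layout (10 bytes of key diversification data, key version, SCP identifier, 2-byte sequence counter, 6-byte card challenge, 8-byte card cryptogram) is the GlobalPlatform 2.1.1 Appendix E format, and the function names are the example's own.

```python
"""Decode the two card responses from the GPShell trace above.

Added example, not GPShell code or part of the post.  The SCP02 INITIALIZE
UPDATE response layout is the GlobalPlatform 2.1.1 Appendix E format; the
function names are this example's own.
"""
from typing import Dict, List, Tuple

# Response hex strings copied from the trace in the post (status word included).
SELECT_RESPONSE = "6F0E840AF00100006203010C0101A5009000"
INIT_UPDATE_RESPONSE = "000082470244119142080102001AE08851C2967C0CC37A11A2F1FE579000"


def split_sw(resp_hex: str) -> Tuple[bytes, int]:
    """Separate response data from the trailing two-byte status word (SW1 SW2)."""
    raw = bytes.fromhex(resp_hex)
    if len(raw) < 2:
        raise ValueError("response shorter than a status word")
    return raw[:-2], int.from_bytes(raw[-2:], "big")


def parse_tlv(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a run of BER-TLV objects with one-byte tags and short-form lengths,
    which is all the FCI in the trace uses.  Truncated objects are an error."""
    objects = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("TLV header truncated")
        tag, length = data[pos], data[pos + 1]
        if length > 0x7F:
            raise ValueError("long-form length not handled here")
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("TLV value truncated")
        objects.append((tag, value))
        pos += 2 + length
    return objects


def parse_fci(resp_hex: str) -> Dict[str, str]:
    """Pull the selected AID out of the 6F File Control Information template."""
    data, sw = split_sw(resp_hex)
    if sw != 0x9000:
        raise ValueError(f"SELECT failed with SW {sw:04X}")
    outer = parse_tlv(data)
    if len(outer) != 1 or outer[0][0] != 0x6F:
        raise ValueError("expected a single 6F FCI template")
    fields = dict(parse_tlv(outer[0][1]))
    return {
        "aid": fields[0x84].hex().upper(),
        "proprietary_a5": fields.get(0xA5, b"").hex().upper(),
    }


def parse_initialize_update(resp_hex: str) -> Dict[str, object]:
    """Split the 28 data bytes of an SCP02 INITIALIZE UPDATE response into fields."""
    data, sw = split_sw(resp_hex)
    if sw != 0x9000:
        raise ValueError(f"INITIALIZE UPDATE failed with SW {sw:04X}")
    if len(data) != 28:
        raise ValueError(f"SCP02 response has 28 data bytes, got {len(data)}")
    return {
        "key_diversification_data": data[0:10].hex().upper(),
        "key_version": data[10],          # key set the card used to answer
        "scp_id": data[11],               # 0x02 for SCP02
        "sequence_counter": int.from_bytes(data[12:14], "big"),
        "card_challenge": data[14:20].hex().upper(),
        "card_cryptogram": data[20:28].hex().upper(),
    }


if __name__ == "__main__":
    print("SELECT FCI:", parse_fci(SELECT_RESPONSE))
    print("INITIALIZE UPDATE:", parse_initialize_update(INIT_UPDATE_RESPONSE))
```

Run against the trace, the parser shows that the card answered with key version 01 and SCP identifier 02, i.e. it used key set 1 under SCP02, with sequence counter 0x001A. The response itself is well formed; what GPShell reports is that the cryptogram computed from the host's static keys does not match the one the card sent, which is what happens when the key set the card picked does not hold the keys the host is using. Checking the cryptogram needs the SCP02 triple-DES session key derivation, which this example deliberately leaves out.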
From: Karsten O. <wid...@t-...> - 2011-07-06 00:51:57
It's a pity that most smart card vendors still try to enforce security by obscurity. Well, at least this information is somehow connected to the understanding of the card behavior, and because the main purpose of smart cards is security there shouldn't be such restrictions.

Karsten

On 06.07.2011 02:17, Michael StJohns wrote:
> Unfortunately, the JCOP manual is under NDA. Some of this is discernible by looking at the JCOP Eclipse tools.
>
> Mike
>
> At 03:38 PM 7/5/2011, Karsten Ohme wrote:
>> Hi,
>>
>> I have added this information to the GPShell page:
>>
>> https://sourceforge.net/apps/mediawiki/globalplatform/index.php?title=GPShell
>>
>> A wiki with the manuals of all cards would be nice.
>>
>> Karsten
>> On 05.07.2011 18:31, Michael StJohns wrote:
>>> Send "00h A4h 04h 00h 09h A0h 00h 00h 01h 67h 41h 30h 00h FFh 00h" to the card - this is the JCOP IDENTIFY command. You can do this with the GPShell select command - "select -aid A000000167413000FF"
>>>
>>> Offset 14 (decimal) of the response has the pre-personalized state. 00h is not fused (not personalized), 01h is fused. If the former, you're pretty much out of luck unless you have the transport key, as the GlobalPlatform keys are set randomly.
>>>
>>> JCOP41 2.3.2 cards are mostly the same as the previous version of the card. They do (or are supposed to) use the AID "A000000003000000". You can try instead using the "select next" version of the select command: CLA=0, INS=A4, P1=04, P2=02, data = "A0 00" to select any applet whose AID begins with "A0 00". The response might be useful.
>>>
>>> Lastly, JCOP41 cards are GP2.01 - AKA Open Platform. You should grab a copy of the standard from the GlobalPlatform web site. It should help when you're poking around. In particular, it should describe the format of the response from the select command.
>>>
>>> Enjoy - Mike
>>>
>>> At 10:30 AM 7/5/2011, Marcel Mauricio Mancini Tavara wrote:
>>>> Thank you so much for your help. I tried the alternatives offered by you and all the different cmds always return the same:
>>>>
>>>> 6A81: Function not supported
>>>>
>>>> Also, this is the first model of card that has given me so much trouble. Could it be that they are not even pre-personalized? I will try to get a response from the vendor and I will let you know if I make any progress.
>>>>
>>>> Marcel
>>>>
>>>> -----Original Message-----
>>>> From: Karsten Ohme [mailto:wid...@t-...]
>>>> Sent: Mon 7/4/2011 7:34 PM
>>>> To: Marcel Mauricio Mancini Tavara
>>>> Cc: glo...@li...
>>>> Subject: Re: [Globalplatform-users] FW: JCOP 41 V 2.3.2
>>>>
>>>> Hi,
>>>>
>>>> So I guess the AID is different for this card, although this is actually the correct AID. If nothing helps, ask the people where you bought it. Actually there should be a manual.
>>>>
>>>> One way to find it out:
>>>>
>>>> establish_context
>>>> enable_trace
>>>> enable_timer
>>>> card_connect
>>>> get_data -identifier 004F
>>>> // or if not working: get_data -identifier 4F
>>>> card_disconnect
>>>> release_context
>>>>
>>>> Problem with this: Nobody seems to support it.
>>>>
>>>> -----------------------
>>>>
>>>> Another way to find it out:
>>>>
>>>> I assume the Card Issuer Security Domain is the default selected application on new cards. So the select command is not necessary.
>>>>
>>>> mode_211
>>>> enable_trace
>>>> establish_context
>>>> // only necessary if you have multiple readers: card_connect -readerNumber 1
>>>> // not necessary if this is default selected: select -AID a000000003000000
>>>> open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
>>>> get_status -element 10
>>>> get_status -element 20
>>>> get_status -element 40
>>>> card_disconnect
>>>> release_context
>>>>
>>>> The commands are also described here:
>>>>
>>>> http://sourceforge.net/apps/mediawiki/globalplatform/index.php?title=GPShell
>>>>
>>>> get_status -element e0
>>>> List applets and packages and security domains
>>>>
>>>> get_status -element 20
>>>> List packages
>>>>
>>>> get_status -element 40
>>>> List applets or security domains
>>>>
>>>> get_status -element 80
>>>> List Card Manager / Security Issuer Domain
>>>>
>>>> (-element 40 or 80 should help). If you have found out the correct AID you can use it in later scripts, when the Issuer Security Domain is no longer the default application of the card.
>>>>
>>>> I have just added some information about default Security Issuer Domain AIDs.
>>>>
>>>> But be careful. Too many unsuccessful attempts to authenticate will lock the card. So if the keys are not correct, don't try it more than a few times (less than 3) and use a different card for further testing. Remember the number of unsuccessful authentication attempts on the card. To reset it you must successfully authenticate. All commands before calling open_sc are safe. No attempt limit can lock the card.
>>>>
>>>> BR,
>>>> Karsten
>>>>
>>>> On 04.07.2011 21:59, Marcel Mauricio Mancini Tavara wrote:
>>>>> Good Day,
>>>>>
>>>>> I'm trying to load the test applet in a JCOP 41 v 2.3.2 card using GPShell (1.4.4) and the script helloInstalGP211.txt:
>>>>>
>>>>> mode_211
>>>>> enable_trace
>>>>> enable_timer
>>>>>
>>>>> establish_context
>>>>> card_connect
>>>>> select -AID a000000003000000
>>>>>
>>>>> open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
>>>>> delete -AID D0D1D2D3D4D50101
>>>>> delete -AID D0D1D2D3D4D501
>>>>> install -file helloworld.cap -nvDataLimit 2000 -instParam 00 -priv 2
>>>>> # getdata
>>>>> # close_sc // Close secure channel
>>>>> # putkey // Put key
>>>>> // options:
>>>>> // -keyind Key index
>>>>> // -keyver Key version
>>>>> // -key Key value in hex
>>>>> card_disconnect
>>>>> release_context
>>>>>
>>>>> However, it always fails when selecting the master file (select -AID a000000003000000), no matter which AID I put.
>>>>>
>>>>> The response for the select is always 6A82 (file not found).
>>>>>
>>>>> I have already tested it with 3 JCOP 41 v 2.3.2
>>>>>
>>>>> Any ideas why this could be happening?
>>>>>
>>>>> Thanks for your help,
>>>>>
>>>>> Marcel
From: Michael S. <mst...@co...> - 2011-07-06 00:20:14
Unfortunately, the JCOP manual is under NDA. Some of this is discernible by looking at the JCOP Eclipse tools.

Mike

At 03:38 PM 7/5/2011, Karsten Ohme wrote:
>Hi,
>
>I have added this information to the GPShell page:
>
>https://sourceforge.net/apps/mediawiki/globalplatform/index.php?title=GPShell
>
>A wiki with the manuals of all cards would be nice.
>
>Karsten
>On 05.07.2011 18:31, Michael StJohns wrote:
>> Send "00h A4h 04h 00h 09h A0h 00h 00h 01h 67h 41h 30h 00h FFh 00h" to the card - this is the JCOP IDENTIFY command. You can do this with the GPShell select command - "select -aid A000000167413000FF"
>>
>> Offset 14 (decimal) of the response has the pre-personalized state. 00h is not fused (not personalized), 01h is fused. If the former, you're pretty much out of luck unless you have the transport key, as the GlobalPlatform keys are set randomly.
>>
>> JCOP41 2.3.2 cards are mostly the same as the previous version of the card. They do (or are supposed to) use the AID "A000000003000000". You can try instead using the "select next" version of the select command: CLA=0, INS=A4, P1=04, P2=02, data = "A0 00" to select any applet whose AID begins with "A0 00". The response might be useful.
>>
>> Lastly, JCOP41 cards are GP2.01 - AKA Open Platform. You should grab a copy of the standard from the GlobalPlatform web site. It should help when you're poking around. In particular, it should describe the format of the response from the select command.
>>
>> Enjoy - Mike
>>
>> At 10:30 AM 7/5/2011, Marcel Mauricio Mancini Tavara wrote:
>>> Thank you so much for your help. I tried the alternatives offered by you and all the different cmds always return the same:
>>>
>>> 6A81: Function not supported
>>>
>>> Also, this is the first model of card that has given me so much trouble. Could it be that they are not even pre-personalized? I will try to get a response from the vendor and I will let you know if I make any progress.
>>>
>>> Marcel
From: Karsten O. <wid...@t-...> - 2011-07-05 19:38:02
Hi,

I have added this information to the GPShell page:

https://sourceforge.net/apps/mediawiki/globalplatform/index.php?title=GPShell

A wiki with the manuals of all cards would be nice.

Karsten

On 05.07.2011 18:31, Michael StJohns wrote:
> Send "00h A4h 04h 00h 09h A0h 00h 00h 01h 67h 41h 30h 00h FFh 00h" to the card - this is the JCOP IDENTIFY command. You can do this with the GPShell select command - "select -aid A000000167413000FF"
>
> Offset 14 (decimal) of the response has the pre-personalized state. 00h is not fused (not personalized), 01h is fused. If the former, you're pretty much out of luck unless you have the transport key, as the GlobalPlatform keys are set randomly.
>
> JCOP41 2.3.2 cards are mostly the same as the previous version of the card. They do (or are supposed to) use the AID "A000000003000000". You can try instead using the "select next" version of the select command: CLA=0, INS=A4, P1=04, P2=02, data = "A0 00" to select any applet whose AID begins with "A0 00". The response might be useful.
>
> Lastly, JCOP41 cards are GP2.01 - AKA Open Platform. You should grab a copy of the standard from the GlobalPlatform web site. It should help when you're poking around. In particular, it should describe the format of the response from the select command.
>
> Enjoy - Mike
>
> At 10:30 AM 7/5/2011, Marcel Mauricio Mancini Tavara wrote:
>> Thank you so much for your help. I tried the alternatives offered by you and all the different cmds always return the same:
>>
>> 6A81: Function not supported
>>
>> Also, this is the first model of card that has given me so much trouble. Could it be that they are not even pre-personalized? I will try to get a response from the vendor and I will let you know if I make any progress.
>>
>> Marcel
From: Marcel M. M. T. <mar...@sm...> - 2011-07-05 19:00:25
|
Using that APDU I found out that the card is not fused (fourteenth byte starting from zero is 00).

Thanks again for your help.

Marcel

-----Original Message-----
From: Michael StJohns [mailto:mst...@co...]
Sent: Tue 7/5/2011 12:31 PM
To: Marcel Mauricio Mancini Tavara; Karsten Ohme
Cc: glo...@li...
Subject: Re: [Globalplatform-users] FW: JCOP 41 V 2.3.2

Send "00h A4h 04h 00h 09h A0h 00h 00h 01h 67h 41h 30h 00h FFh 00h" to the card - this is the JCOP IDENTIFY command. You can do this with the GPShell select command - "select -aid A000000167413000FF"

Offset 14 (decimal) of the response has the pre-personalized state. 00h is not fused (not personalized), 01h is fused. If the former, you're pretty much out of luck unless you have the transport key as the global platform keys are set randomly.

JCOP41 2.3.2 cards are mostly the same as the previous version of the card. They do (or are supposed to) use the aid "A000000003000000". You can try instead using the "select next" version of the select command. CLA=0, ins=A4, P1=04, P2=02, data = "A0 00" to select any applet whose AID begins with "A0 00". The response might be useful.

Lastly, JCOP41 cards are GP2.01 - AKA Open Platform. You should grab a copy of the standard from the global platform web site. It should help when you're poking around. In particular, it should describe the format of the response from the select command.

Enjoy - Mike
|
From: Michael S. <mst...@co...> - 2011-07-05 16:31:47
|
Send "00h A4h 04h 00h 09h A0h 00h 00h 01h 67h 41h 30h 00h FFh 00h" to the card - this is the JCOP IDENTIFY command. You can do this with the GPShell select command - "select -aid A000000167413000FF"

Offset 14 (decimal) of the response has the pre-personalized state. 00h is not fused (not personalized), 01h is fused. If the former, you're pretty much out of luck unless you have the transport key as the global platform keys are set randomly.

JCOP41 2.3.2 cards are mostly the same as the previous version of the card. They do (or are supposed to) use the aid "A000000003000000". You can try instead using the "select next" version of the select command. CLA=0, ins=A4, P1=04, P2=02, data = "A0 00" to select any applet whose AID begins with "A0 00". The response might be useful.

Lastly, JCOP41 cards are GP2.01 - AKA Open Platform. You should grab a copy of the standard from the global platform web site. It should help when you're poking around. In particular, it should describe the format of the response from the select command.

Enjoy - Mike

At 10:30 AM 7/5/2011, Marcel Mauricio Mancini Tavara wrote:
>Thank you so much for your help. I tried the alternatives offered by you and all the different cmds always return the same:
>
>6A81: Function not supported
>
>Also, this is the first model of card that has given me so much trouble. Could it be that they are not even pre-personalized? I will try to get a response from the vendor and I will let you know if I make any progress.
>
>Marcel
|
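As an added illustration (not GPShell code and not from anyone on the list), the two APDUs Mike describes assembled byte by byte and the IDENTIFY reply decoded at offset 14. The response bytes are constructed for the example, not captured from a card, and the status-word table holds only the codes quoted in this thread plus the standard 9000.

```python
"""Build the JCOP IDENTIFY / "select next" APDUs and decode the fuse state.

Added example: it runs offline against a constructed reply, so no reader,
card or GPShell installation is needed.
"""
from __future__ import annotations

JCOP_IDENTIFY_AID = bytes.fromhex("A000000167413000FF")  # AID from the thread
ISD_AID = bytes.fromhex("A000000003000000")              # GP 2.0.1 Card Manager
FUSED_OFFSET = 14                                        # per Mike's mail

# Status words quoted in the thread, plus the standard success code.
STATUS_WORDS = {
    0x9000: "OK",
    0x6A82: "File not found",
    0x6A81: "Function not supported",
}


def select_apdu(aid: bytes, p2: int = 0x00) -> bytes:
    """CLA=00 INS=A4 P1=04 P2=p2 Lc AID Le=00.

    p2=0x00 selects by exact AID; p2=0x02 is the "select next" form that
    matches any applet whose AID starts with the given prefix.
    """
    if not 1 <= len(aid) <= 16:
        raise ValueError("AID must be 1..16 bytes")
    return bytes([0x00, 0xA4, 0x04, p2, len(aid)]) + aid + b"\x00"


def split_response(resp: bytes) -> tuple[bytes, int]:
    """Separate the response data from the trailing two-byte status word."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    return resp[:-2], (resp[-2] << 8) | resp[-1]


def describe_sw(sw: int) -> str:
    """Human-readable text for a status word, or its hex if unknown."""
    return STATUS_WORDS.get(sw, f"unknown status word {sw:04X}")


def is_fused(identify_resp: bytes) -> bool:
    """True if the IDENTIFY reply says the card is fused (personalized).

    Offset 14 of the data is 00h for not fused and 01h for fused; any other
    value, a short reply or a non-9000 status is reported, never guessed.
    """
    data, sw = split_response(identify_resp)
    if sw != 0x9000:
        raise RuntimeError(f"IDENTIFY failed: {describe_sw(sw)}")
    if len(data) <= FUSED_OFFSET:
        raise RuntimeError("IDENTIFY reply too short to carry the fuse state")
    state = data[FUSED_OFFSET]
    if state not in (0x00, 0x01):
        raise RuntimeError(f"unexpected fuse state byte {state:02X}")
    return state == 0x01


if __name__ == "__main__":
    # Constructed reply: 15 data bytes (fuse byte 00 at offset 14) + 9000.
    sample = bytes(14) + b"\x00" + b"\x90\x00"
    print(select_apdu(JCOP_IDENTIFY_AID).hex().upper())
    print(select_apdu(bytes.fromhex("A000"), p2=0x02).hex().upper())
    print("fused" if is_fused(sample) else "not fused")
```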
From: Marcel M. M. T. <mar...@sm...> - 2011-07-05 14:32:38
|
Thank you so much for your help. I tried the alternatives offered by you and all the different cmds always return the same:

6A81: Function not supported

Also, this is the first model of card that has given me so much trouble. Could it be that they are not even pre-personalized? I will try to get a response from the vendor and I will let you know if I make any progress.

Marcel

-----Original Message-----
From: Karsten Ohme [mailto:wid...@t-...]
Sent: Mon 7/4/2011 7:34 PM
To: Marcel Mauricio Mancini Tavara
Cc: glo...@li...
Subject: Re: [Globalplatform-users] FW: JCOP 41 V 2.3.2

Hi,

So I guess the AID is different for this card, although this is actually
the correct AID. If nothing helps ask the people where you bought it.
Actually there should be a manual.

One way to find it out:

establish_context
enable_trace
enable_timer
card_connect
get_data -identifier 004F
// or if not working: get_data -identifier 4F
card_disconnect
release_context

Problem with this: Nobody seems to support it.

-----------------------

Another way to find it out:

I assume the Card Issuer Security Domain is the default selected
application on new cards. So the select command is not necessary.

mode_211
enable_trace
establish_context
// only necessary if you have multiple readers: card_connect -readerNumber 1
// not necessary if this is default selected: select -AID a000000003000000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key
404142434445464748494a4b4c4d4e4f -enc_key
404142434445464748494a4b4c4d4e4f // Open secure channel
get_status -element 10
get_status -element 20
get_status -element 40
card_disconnect
release_context

The commands are also described here:

http://sourceforge.net/apps/mediawiki/globalplatform/index.php?title=GPShell

get_status -element e0
List applets and packages and security domains

get_status -element 20
List packages

get_status -element 40
List applets or security domains

get_status -element 80
List Card Manager / Security Issuer Domain

(-element 40 or 80 should help). If you have found out the correct AID
you can use it in later scripts, when the Issuer Security Domain is no
longer the default application of the card.

I have just added some information about default Security Issuer Domain
AIDs.

But be careful. Too many unsuccessful attempts to authenticate will lock
the card. So if the keys are not correct, do try it more than a few
times (less than 3) and use for further testing a different card.
Remember the number of unsuccessful authentication attempts on the card.
To reset it you must successfully authenticate.
All commands before calling open_sc are safe. No attempt limit can lock
the card.

BR,
Karsten
|
From: Karsten O. <wid...@t-...> - 2011-07-04 23:34:41
|
Hi,

So I guess the AID is different for this card, although this is actually
the correct AID. If nothing helps ask the people where you bought it.
Actually there should be a manual.

One way to find it out:

establish_context
enable_trace
enable_timer
card_connect
get_data -identifier 004F
// or if not working: get_data -identifier 4F
card_disconnect
release_context

Problem with this: Nobody seems to support it.

-----------------------

Another way to find it out:

I assume the Card Issuer Security Domain is the default selected
application on new cards. So the select command is not necessary.

mode_211
enable_trace
establish_context
// only necessary if you have multiple readers: card_connect -readerNumber 1
// not necessary if this is default selected: select -AID a000000003000000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key
404142434445464748494a4b4c4d4e4f -enc_key
404142434445464748494a4b4c4d4e4f // Open secure channel
get_status -element 10
get_status -element 20
get_status -element 40
card_disconnect
release_context

The commands are also described here:

http://sourceforge.net/apps/mediawiki/globalplatform/index.php?title=GPShell

get_status -element e0
List applets and packages and security domains

get_status -element 20
List packages

get_status -element 40
List applets or security domains

get_status -element 80
List Card Manager / Security Issuer Domain

(-element 40 or 80 should help). If you have found out the correct AID
you can use it in later scripts, when the Issuer Security Domain is no
longer the default application of the card.

I have just added some information about default Security Issuer Domain
AIDs.

But be careful. Too many unsuccessful attempts to authenticate will lock
the card. So if the keys are not correct, do try it more than a few
times (less than 3) and use for further testing a different card.
Remember the number of unsuccessful authentication attempts on the card.
To reset it you must successfully authenticate.
All commands before calling open_sc are safe. No attempt limit can lock
the card.

BR,
Karsten

On 04.07.2011 21:59, Marcel Mauricio Mancini Tavara wrote:
>
> Good Day,
>
> I'm trying to load the test applet in a JCOP 41 v 2.3.2 card using
> GPShell (1.4.4) and the script helloInstalGP211.txt:
>
> mode_211
> enable_trace
> enable_timer
>
> establish_context
> card_connect
> select -AID a000000003000000
>
> open_sc -security 1 -keyind 0 -keyver 0 -mac_key
> 404142434445464748494a4b4c4d4e4f -enc_key
> 404142434445464748494a4b4c4d4e4f // Open secure channel
> delete -AID D0D1D2D3D4D50101
> delete -AID D0D1D2D3D4D501
> install -file helloworld.cap -nvDataLimit 2000 -instParam 00 -priv 2
> # getdata
> # close_sc // Close secure channel
> # putkey // Put key
> // options:
> // -keyind Key index
> // -keyver Key version
> // -key Key value in hex
> card_disconnect
> release_context
>
> However, it always fails when selecting the master file (select -AID
> a000000003000000) no matter which AID I put.
>
> The response for the select is always 6A82 (file not found).
>
> I have already tested it with 3 JCOP 41 v 2.3.2
>
> Any ideas why this could be happening?
>
> Thanks for your help,
>
> Marcel
|