Menu
▾
▴
globalplatform-users
|
From: Gina <gi...@rb...> - 2007-07-17 13:24:22
|
Hello everyone,
I'm currently trying to install my first Java Applet on an NXP JCOP 31
smartcard with 36K, using a GemPC Twin USB reader under Debian GNU/Linux
Testing, 32Bit.
I successfully managed to compile the globalplatform library and
gpshell, but I'm totally lost when it comes to correctly communicating
with the card. If I got the correct information, the card should support
the Global Platform specification, version 2.2.1. Sadly though, I did
not yet manage to successfully execute either 2.0.1 or 2.1.1 mode
scripts as supplied with gpshell's source code. Trying a list of
installed applets in 2.0.1 mode (list.txt) yields the error message
"6A86: Incorrect parameters (P1, P2)". 2.1.1 mode (listgp211.txt) does
not even get through authentication ("The verification of the card
cryptogram failed"). I'm also not able to upload any applet to the card,
as that also fails ("6A88: Referenced data not found." in 2.0.1 mode,
failed authentication in 2.1.1).
I'm sure I just miss something simple here (e.g. the right information
to correctly adjust the scripts to that type of card), but after
struggling with those problems for two work days without a clue and some
nice deadline in my neck I'd now really appreciate some friendly hint in
the right direction or even a working example for that type of card,
it's getting a bit frustrating ;)
Thanks in advance for the time spent reading or even answering this, and
kind regards,
Gina Häußge
--
Dipl.-Inform. Gina Häußge
RBG, FB20, TU Darmstadt Tel: +49 (0)6151 16 6655
Hochschulstr. 10 Fax: +49 (0)6151 16 4701
64289 Darmstadt S2|02 B120
|
|
From: Karsten O. <wid...@t-...> - 2007-07-17 23:54:25
|
Gina Häußge schrieb: > Hello everyone, > > I'm currently trying to install my first Java Applet on an NXP JCOP 31 > smartcard with 36K, using a GemPC Twin USB reader under Debian GNU/Linux > Testing, 32Bit. Unfortunately I do not have such a card. After a quick search in Google I cannot find a manual for this card. The first important information should be the AID of the Card Issuer Domain (Card Manager) select -AID ... Do you know it? There should be some manual. But it seems that this is OK, because you get further. Do not try to authenticate to the card to often! It gets locked if you need 10 tries. If you are near this limit perform a successful verification. Use the JCOP tools (This should work perfectly with this card. You can develop and install applets for a card within eclipse). Maybe this is a correct version: http://download.boulder.ibm.com/ibmdl/pub/software/dw/jcop/tools.zip Post a complete output with "enable_trace" in the first line of the script file. You must know the correct keys to authenticate to the card. > > I successfully managed to compile the globalplatform library and > gpshell, but I'm totally lost when it comes to correctly communicating > with the card. If I got the correct information, the card should support > the Global Platform specification, version 2.2.1. Sadly though, I did > not yet manage to successfully execute either 2.0.1 or 2.1.1 mode > scripts as supplied with gpshell's source code. Trying a list of > installed applets in 2.0.1 mode (list.txt) yields the error message > "6A86: Incorrect parameters (P1, P2)". 2.1.1 mode (listgp211.txt) does > not even get through authentication ("The verification of the card > cryptogram failed"). Strange that it authenticates successfully in OP 2.0.1' mode. Do you have connected only one reader to the system? Or are there multiple readers with inserted cards? I you try to install something first try "install -file HelloWorld.cap" without any parameters. If this is not successful try some variants of parameters. WBR, Karsten > I'm also not able to upload any applet to the card, > as that also fails ("6A88: Referenced data not found." in 2.0.1 mode, > failed authentication in 2.1.1). > > I'm sure I just miss something simple here (e.g. the right information > to correctly adjust the scripts to that type of card), but after > struggling with those problems for two work days without a clue and some > nice deadline in my neck I'd now really appreciate some friendly hint in > the right direction or even a working example for that type of card, > it's getting a bit frustrating ;) > > Thanks in advance for the time spent reading or even answering this, and > kind regards, > Gina Häußge > |
|
From: Gina <gi...@rb...> - 2007-07-18 08:14:29
|
Hello there, On Wed, 2007-07-18 at 01:53 +0200, Karsten Ohme wrote: > Gina Häußge schrieb: > > I'm currently trying to install my first Java Applet on an NXP JCOP 31 > > smartcard with 36K, using a GemPC Twin USB reader under Debian GNU/Linux > > Testing, 32Bit. > > Unfortunately I do not have such a card. After a quick search in Google > I cannot find a manual for this card. The first important information > should be the AID of the Card Issuer Domain (Card Manager) select -AID ... > Do you know it? There should be some manual. But it seems that this is > OK, because you get further. The AID of the Card Manager is "a0000000030000", so that is ok. > Do not try to authenticate to the card to often! It gets locked if you > need 10 tries. If you are near this limit perform a successful > verification. Yeah, I already read about that, so after each unsuccessful attempt I make a connection in 2.0.1 mode (as there at least the authentication works). So far, it didn't lock up the card *crosses fingers* > Use the JCOP tools (This should work perfectly with this > card. You can develop and install applets for a card within eclipse). > > Maybe this is a correct version: > > http://download.boulder.ibm.com/ibmdl/pub/software/dw/jcop/tools.zip Sadly, I already tried with the JCOP Tools (after finding them on a CD included in the card delivery, as IBM no longer maintains them and it is a pain in the ... to get a copy of them now -- the zip above just contains a readme telling you exactly this :/). Had a rather unpleasant experience of my whole eclipse crashing as soon as I tried to connect to the card via the JCShell, a stack trace revealed a segfault in the JCOP Tools. So no-go there as well, at least I had no idea how to solve that issue either. I had hoped though that maybe someone reading this mailinglist might have had success with that type of card and therefore an idea as to what would be the correct keys etc. What I found online at a couple of sites were the JCOP Tools commands to authenticate with that type of card: set-key 255/1/DES-ECB/404142434445464748494a4b4c4d4e4f set-key 255/2/DES-ECB/404142434445464748494a4b4c4d4e4f set-key 255/3/DES-ECB/404142434445464748494a4b4c4d4e4f set-key 1/3/DES-ECB/505152535455565758595a5b5c5d5e5f set-key 1/1/DES-ECB/707172737475767778797a7b7c7d7e7f set-key 1/2/DES-ECB/606162636465666768696a6b6c6d6e6f init-update 255 ext-auth I have no idea though how to translate those into corresponding gpshell syntax. > Strange that it authenticates successfully in OP 2.0.1' mode. > Do you have connected only one reader to the system? Or are there > multiple readers with inserted cards? It's only one reader. > I you try to install something first try "install -file HelloWorld.cap" > without any parameters. If this is not successful try some variants of > parameters. I've tried a couple of parameter combinations, sadly all with the same effect of a "6A88: Referenced data not found" message. If it is of any help, I also tried a "load -f HelloWorld.cap", and that yielded a "load_applet() returns 0x80206985 (6985: Command not allowed - Conditions of use not satisfied.)". I have to admit that I have some troubles understanding what exactly does each command and each parameter (although having read the included README approx. 10mio times now), so I might be trying to do really stupid things here ;) Kind regards, Gina Häußge > -- Dipl.-Inform. Gina Häußge RBG, FB20, TU Darmstadt Tel: +49 (0)6151 16 6655 Hochschulstr. 10 Fax: +49 (0)6151 16 4701 64289 Darmstadt S2|02 B120 |
|
From: Gina <gi...@rb...> - 2007-07-19 10:28:41
|
Hi Karsten, On Wed, 2007-07-18 at 19:46 +0200, Karsten Ohme wrote: > > The AID of the Card Manager is "a0000000030000", so that is ok. > > Mmmh, try a000000003000000 in GP211 mode. a0000000030000 was used for > former OP2.01' cards. Maybe this helps. I now managed to get a listing of installed applets, using both AIDs, but still in OP2.01 mode. > >> Do not try to authenticate to the card to often! It gets locked if you > >> need 10 tries. If you are near this limit perform a successful > >> verification. > > > > Yeah, I already read about that, so after each unsuccessful attempt I > > make a connection in 2.0.1 mode (as there at least the authentication > > works). So far, it didn't lock up the card *crosses fingers* > > Well, I would say it is a OP 2.0.1' card if it does not work in GP 2.1.1 > mode. But not sure, but I would say that I remember that there was some > difference in the used cryptography so it should not work in both modes. > If it is written on the card it will be true. Weird... maybe I'll simply knock on the door of NXP now. According to their description, that damned thing should support GP2.1.1. > Just a moment what my JCOP 41 card says ... no list.txt does not work > for this GP 2.1.1 card. The mutual authentication step does not succeed. > listGP211.txt works. Exactly the opposite for me here. > > [...] Had a rather unpleasant > > experience of my whole eclipse crashing as soon as I tried to connect to > > the card via the JCShell, a stack trace revealed a segfault in the JCOP > > Tools. So no-go there as well, at least I had no idea how to solve that > > issue either. > > I wrote a bug report some time ago. Maybe it is this problem: > > ---- > > The current version of PC/SC Lite is 1.x.y. But the JCOP tools search > for the library libpcsclite.so.0. It cannot be found. So a link to the > libpcsclite.so.1 must be made. Then it works. > > ---- Hm.. I didn't even get my eclipse to install the version of the Tools I got from said CD under Linux, so I had my goes in a Win32 environment, and said crash occured. Anyway, thanks for your help, I think I'll now go pester the guys from NXP with those problems, they made that card, they should now how to talk to it. And if all else fails, I'll try to get my hands on something else alltogether that hopefully works :) Although I didn't manage to use it so far, thanks anyway for writing GPShell and the globalplatform lib -- such stuff comes in handy :) Greetings, Gina > -- Dipl.-Inform. Gina Häußge RBG, FB20, TU Darmstadt Tel: +49 (0)6151 16 6655 Hochschulstr. 10 Fax: +49 (0)6151 16 4701 64289 Darmstadt S2|02 B120 |
|
From: Karsten O. <wid...@t-...> - 2007-07-18 17:47:11
|
Hallo Gina, Gina Häußge schrieb: > Hello there, > > On Wed, 2007-07-18 at 01:53 +0200, Karsten Ohme wrote: >> Gina Häußge schrieb: >>> I'm currently trying to install my first Java Applet on an NXP JCOP 31 >>> smartcard with 36K, using a GemPC Twin USB reader under Debian GNU/Linux >>> Testing, 32Bit. >> Unfortunately I do not have such a card. After a quick search in Google >> I cannot find a manual for this card. The first important information >> should be the AID of the Card Issuer Domain (Card Manager) select -AID ... >> Do you know it? There should be some manual. But it seems that this is >> OK, because you get further. > > The AID of the Card Manager is "a0000000030000", so that is ok. Mmmh, try a000000003000000 in GP211 mode. a0000000030000 was used for former OP2.01' cards. Maybe this helps. > >> Do not try to authenticate to the card to often! It gets locked if you >> need 10 tries. If you are near this limit perform a successful >> verification. > > Yeah, I already read about that, so after each unsuccessful attempt I > make a connection in 2.0.1 mode (as there at least the authentication > works). So far, it didn't lock up the card *crosses fingers* Well, I would say it is a OP 2.0.1' card if it does not work in GP 2.1.1 mode. But not sure, but I would say that I remember that there was some difference in the used cryptography so it should not work in both modes. If it is written on the card it will be true. Just a moment what my JCOP 41 card says ... no list.txt does not work for this GP 2.1.1 card. The mutual authentication step does not succeed. listGP211.txt works. > >> Use the JCOP tools (This should work perfectly with this >> card. You can develop and install applets for a card within eclipse). >> >> Maybe this is a correct version: >> >> http://download.boulder.ibm.com/ibmdl/pub/software/dw/jcop/tools.zip > > Sadly, I already tried with the JCOP Tools (after finding them on a CD > included in the card delivery, as IBM no longer maintains them and it is > a pain in the ... to get a copy of them now -- the zip above just > contains a readme telling you exactly this :/). Had a rather unpleasant > experience of my whole eclipse crashing as soon as I tried to connect to > the card via the JCShell, a stack trace revealed a segfault in the JCOP > Tools. So no-go there as well, at least I had no idea how to solve that > issue either. I wrote a bug report some time ago. Maybe it is this problem: ---- The current version of PC/SC Lite is 1.x.y. But the JCOP tools search for the library libpcsclite.so.0. It cannot be found. So a link to the libpcsclite.so.1 must be made. Then it works. ---- > > I had hoped though that maybe someone reading this mailinglist might > have had success with that type of card and therefore an idea as to what > would be the correct keys etc. I have only a JCOP 41 card and it works. > > What I found online at a couple of sites were the JCOP Tools commands to > authenticate with that type of card: > > set-key 255/1/DES-ECB/404142434445464748494a4b4c4d4e4f > set-key 255/2/DES-ECB/404142434445464748494a4b4c4d4e4f > set-key 255/3/DES-ECB/404142434445464748494a4b4c4d4e4f > set-key 1/3/DES-ECB/505152535455565758595a5b5c5d5e5f > set-key 1/1/DES-ECB/707172737475767778797a7b7c7d7e7f > set-key 1/2/DES-ECB/606162636465666768696a6b6c6d6e6f > init-update 255 > ext-auth This set a new key set. You do not want it. Because the OP 2.0.1' mode succeeds the three keys 404142434445464748494a4b4c4d4e4f should be OK. > > I have no idea though how to translate those into corresponding gpshell syntax. put_sc_key ... > >> Strange that it authenticates successfully in OP 2.0.1' mode. >> Do you have connected only one reader to the system? Or are there >> multiple readers with inserted cards? > > It's only one reader. > >> I you try to install something first try "install -file HelloWorld.cap" >> without any parameters. If this is not successful try some variants of >> parameters. > > I've tried a couple of parameter combinations, sadly all with the same > effect of a "6A88: Referenced data not found" message. If it is of any > help, I also tried a "load -f HelloWorld.cap", and that yielded a > "load_applet() returns 0x80206985 (6985: Command not allowed - > Conditions of use not satisfied.)". > > I have to admit that I have some troubles understanding what exactly > does each command and each parameter (although having read the included > README approx. 10mio times now), so I might be trying to do really > stupid things here ;) Mmmh, it is still a quite low level tool, if you have read the GP standard you will understand each command, but it is a pain that the card are so different. With some time I will get or buy such a card to test it. Tschüss, Karsten > > Kind regards, > Gina Häußge |
|
From: Karsten O. <wid...@t-...> - 2007-07-19 18:38:42
|
Gina Häußge schrieb: > Hi Karsten, > > On Wed, 2007-07-18 at 19:46 +0200, Karsten Ohme wrote: >>> The AID of the Card Manager is "a0000000030000", so that is ok. >> Mmmh, try a000000003000000 in GP211 mode. a0000000030000 was used for >> former OP2.01' cards. Maybe this helps. > > I now managed to get a listing of installed applets, using both AIDs, > but still in OP2.01 mode. Both AIDs? How come? This should not work. Great. If you can list the applets, you should also be able to execute other commands. Give the install -file a try. Or try again GP211 mode mode_211 enable_trace establish_context card_connect select -AID a000000003000000 open_sc -security 0 -keyind 255 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f -security 0 disables authentication and encryption And use key index 255. > >>>> Do not try to authenticate to the card to often! It gets locked if you >>>> need 10 tries. If you are near this limit perform a successful >>>> verification. >>> Yeah, I already read about that, so after each unsuccessful attempt I >>> make a connection in 2.0.1 mode (as there at least the authentication >>> works). So far, it didn't lock up the card *crosses fingers* >> Well, I would say it is a OP 2.0.1' card if it does not work in GP 2.1.1 >> mode. But not sure, but I would say that I remember that there was some >> difference in the used cryptography so it should not work in both modes. >> If it is written on the card it will be true. > > Weird... maybe I'll simply knock on the door of NXP now. According to > their description, that damned thing should support GP2.1.1. > >> Just a moment what my JCOP 41 card says ... no list.txt does not work >> for this GP 2.1.1 card. The mutual authentication step does not succeed. >> listGP211.txt works. > > Exactly the opposite for me here. > >>> [...] Had a rather unpleasant >>> experience of my whole eclipse crashing as soon as I tried to connect to >>> the card via the JCShell, a stack trace revealed a segfault in the JCOP >>> Tools. So no-go there as well, at least I had no idea how to solve that >>> issue either. >> I wrote a bug report some time ago. Maybe it is this problem: >> >> ---- >> >> The current version of PC/SC Lite is 1.x.y. But the JCOP tools search >> for the library libpcsclite.so.0. It cannot be found. So a link to the >> libpcsclite.so.1 must be made. Then it works. >> >> ---- > > Hm.. I didn't even get my eclipse to install the version of the Tools I > got from said CD under Linux, so I had my goes in a Win32 environment, > and said crash occured. I can search and send you a my version which I have downloaded. This works for me in Win32 an Linux with the above fix. > > Anyway, thanks for your help, I think I'll now go pester the guys from > NXP with those problems, they made that card, they should now how to > talk to it. And if all else fails, I'll try to get my hands on something > else alltogether that hopefully works :) They will advise you to use the JCOP tools or buy a SDK. > > Although I didn't manage to use it so far, thanks anyway for writing > GPShell and the globalplatform lib -- such stuff comes in handy :) I found a site, where I can order such cards, but the shipping costs from USA are from hell. Cheers, Karsten > > Greetings, > Gina |
|
From: Gina <gi...@rb...> - 2007-07-20 07:06:35
|
Good morning, On Thu, 2007-07-19 at 20:38 +0200, Karsten Ohme wrote: > Gina Häußge schrieb: > > On Wed, 2007-07-18 at 19:46 +0200, Karsten Ohme wrote: > >>> The AID of the Card Manager is "a0000000030000", so that is ok. > >> Mmmh, try a000000003000000 in GP211 mode. a0000000030000 was used for > >> former OP2.01' cards. Maybe this helps. > > > > I now managed to get a listing of installed applets, using both AIDs, > > but still in OP2.01 mode. > > Both AIDs? How come? This should not work. Great. If you can list the > applets, you should also be able to execute other commands. Give the > install -file a try. I did, same as before, "6A88: Referenced data not found". > Or try again GP211 mode > mode_211 > enable_trace > > establish_context > card_connect > select -AID a000000003000000 > open_sc -security 0 -keyind 255 -keyver 0 -mac_key > 404142434445464748494a4b4c4d4e4f -enc_key > 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f > > -security 0 disables authentication and encryption > And use key index 255. Now I get a "mutual_authentication() returns 0x80206A86 (6A86: Incorrect parameters (P1, P2).)" message *sigh* Guess a try with a version of the JCOP Tools proven to work would be helpful, so if you could send me your version like you offered, that would be great! :) Greetings, Gina -- Dipl.-Inform. Gina Häußge RBG, FB20, TU Darmstadt Tel: +49 (0)6151 16 6655 Hochschulstr. 10 Fax: +49 (0)6151 16 4701 64289 Darmstadt S2|02 B120 |
|
From: Gina <gi...@rb...> - 2007-07-20 11:29:23
|
Just to inform you that I finally managed to get it to work after diving into the OP2.0.1 specification. I successfully managed to upload both the HelloWorld Applet as well as the MuscleCardApplet onto that card, using the below script as input for gpshell. -- 8< -- mode_201 enable_trace establish_context card_connect select -AID a000000003000000 open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel delete -sdAID a000000003000000 -AID a00000006203010c0101 delete -sdAID a000000003000000 -AID a00000006203010c01 delete -sdAID a000000003000000 -AID a00000006203010c0101 install -file HelloWorld.cap -sdAID a000000003000000 -priv 2 card_disconnect release_context -- >8 -- Thanks again for your help! :) Gina > -- Dipl.-Inform. Gina Häußge RBG, FB20, TU Darmstadt Tel: +49 (0)6151 16 6655 Hochschulstr. 10 Fax: +49 (0)6151 16 4701 64289 Darmstadt S2|02 B120 |
|
From: Karsten O. <wid...@t-...> - 2007-07-21 00:25:16
|
Gina Häußge schrieb: > Just to inform you that I finally managed to get it to work after diving > into the OP2.0.1 specification. > > I successfully managed to upload both the HelloWorld Applet as well as > the MuscleCardApplet onto that card, using the below script as input for > gpshell. Great! I hope, I will remember to include it in GPShell. > > -- 8< -- > > mode_201 > enable_trace > establish_context > card_connect > select -AID a000000003000000 > open_sc -security 1 -keyind 0 -keyver 0 -mac_key > 404142434445464748494a4b4c4d4e4f -enc_key > 404142434445464748494a4b4c4d4e4f // Open secure channel > delete -sdAID a000000003000000 -AID a00000006203010c0101 > delete -sdAID a000000003000000 -AID a00000006203010c01 > delete -sdAID a000000003000000 -AID a00000006203010c0101 The -sdAID should have no effect an delete. > install -file HelloWorld.cap -sdAID a000000003000000 -priv 2 Yes, this seems to be the important thing. Usually a OP 2.0.1' card should use the AID a0000000030000, but for some reason this card does not, so not the default AID is used. In GP 2.1.1 mode it does not work? > card_disconnect > release_context > > -- >8 -- > > Thanks again for your help! :) Karsten > Gina |
|
From:
<gi...@rb...> - 2007-07-21 08:45:23
|
Good morning, Karsten Ohme wrote: > Gina Häußge schrieb: >> I successfully managed to upload both the HelloWorld Applet as well >> as the MuscleCardApplet onto that card, using the below script as >> input for gpshell. > > Great! I hope, I will remember to include it in GPShell. I'm happy if my clueless poking around yielded some usable results :) >> delete -sdAID a000000003000000 -AID a00000006203010c0101 >> delete -sdAID a000000003000000 -AID a00000006203010c01 >> delete -sdAID a000000003000000 -AID a00000006203010c0101 > > The -sdAID should have no effect an delete. Classic case of "I just wanted to make sure" ;) >> install -file HelloWorld.cap -sdAID a000000003000000 -priv 2 > > Yes, this seems to be the important thing. Usually a OP 2.0.1' card > should use the AID a0000000030000, but for some reason this card does > not, so not the default AID is used. Why ever that may be. > In GP 2.1.1 mode it does not work? Nope, still no success. I still find this weird, as that card definitely was advertised as an GP 2.1.1 card (I triple checked), but I won't complain as long as it works in any one of those modes ;) In the meantime, I also successfully made a MuscleCard out of the JCOP31 and got it working as PKCS#11 provider -- yay :D Greetings, Gina |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X