From: Karsten O. <kar...@go...> - 2009-06-26 23:28:14
Hi,

Lishoy Francis wrote:
> Hi Karsten,
>
> Many thanks for your valuable suggestions and your reply is much
> appreciated,
>
> With your time permitting please read the following and advise.
>
> What I am trying to do is to make my applet to be the default
> selected, so that it can receive and process all APDU commands.
>
> 1.
> I tried the 3 step process of installing with privilege 4,
>
> <--
> mode_211
> enable_trace
> establish_context
> card_connect
>
> #a000000003000000 card manager
> select -AID a000000003000000
>
> open_sc -security 3 -keyver 42 -mac_key
> 404142434445464748494A4B4C4D4E4F -enc_key
> 404142434445464748494A4B4C4D4E4F -kek_key
> 404142434445464748494A4B4C4D4E4F
>
> #install -file testsemcardpackage.cap -priv 2
>
> install_for_load -pkgAID <AID of test applet>
> load -file test.cap
> install_for_install -instParam 00 -priv 04 -AID <AID of test applet>
> -pkgAID <AID of package of test applet> -instAID <AID of test applet>
>
> select -AID <AID of test applet>
> card_disconnect
>
> release_context
> -->
>
> The applet and package was loaded, but the "install_for_install"
> command failed with the following response,
>
> "Response <-- 6985
> install_for_install_and_make_selectable() returns 0x80206985 (6985:
> Command not
> allowed - Conditions of use not satisfied.)"
>
> a.
> Is the Issuer Card Domain or the Card Manager stopping installation in
> -priv 4 (I believe by default, the card manager SD is chosen)? how to
> install applet to the Issuer security level/domain? Or is it possible
> for me to create a new Security Domain and install my applet in
> Default Selected Privilege -priv 4?

Card Manager and Issuer Security Domain are the same. I don't get what you mean. Some cards also support creating another security domain, where you can install applications.

>
> b.
> what does -instParam 00 mean in the install_for_install line?

You can pass parameters to the applet which is going to be installed. A dummy parameter is passed to the installed applet. Actually not necessary, but I think there has been an issue in former times with a card which wanted to have at least one byte.

>
> 2.
> On my secure element in 6131 have the following files/applets/packages,
>
> get_status -element 80
> Command --> 80F28000024F0000
> Wrapped command --> 84F280001094C1910C32119F3F7BA8013B9E32C1B300
> Response <-- 08A0000000030000000F9A9000
> GP211_get_status() returned 1 items
>
> List of elements (AID state privileges)
> a000000003000000 f 9a
> get_status -element 40
> Command --> 80F24000024F0000
> Wrapped command --> 84F240001094C1910C32119F3F34DB206B5BE207DE00
> Response <--
> 0CD276000005AB0503E004010107140CD276000005AA0503E005010107000F48656
> C6C6F4170706C65742E61707007029000
> GP211_get_status() returned 3 items
>
> List of elements (AID state privileges)
> d276000005ab0503e0040101 7 14
> d276000005aa0503e0050101 7 0
> 48656c6c6f4170706c65742e617070 7 2
> get_status -element 20
> Command --> 80F22000024F0000
> Wrapped command --> 84F220001094C1910C32119F3F257C1422F6352A3900
> Response <--
> 07A000000003535001000CD276000005AA04036001041001000BD276000005AA050
> 3E0040101000BD276000005AA0503E0050101000B48656C6C6F4170706C657401009000
> GP211_get_status() returned 5 items
>
> List of elements (AID state privileges)
> a0000000035350 1 0
> d276000005aa040360010410 1 0
> d276000005aa0503e00401 1 0
> d276000005aa0503e00501 1 0
> 48656c6c6f4170706c6574 1 0
> card_disconnect
> release_context
>
> I could see that a000000003000000 f 9a is the card manager, what
> does 9A stand for?

These are the privileges.

b8=1 indicates that the Application is a Security Domain.
b7=1 indicates that the Security Domain has DAP Verification capability.
b6=1 indicates that the Security Domain has Delegated Management privileges.
b5=1 indicates that the Application has the privilege to lock the card.
b4=1 indicates that the Application has the privilege to terminate the card.
b3=1 indicates that the Application has the Default Selected privilege.
b2=1 indicates that the Application has CVM management privileges.
b1=1 indicates that the Security Domain has mandated DAP Verification capability.

0x9a = 10011010

> I was expecting to see an applet/security domain with Default Selected
> Privilege.
> What does the privilege 14 mean?
> d276000005ab0503e0040101 7 14
>
> I don't know if I should try deleting d276000005ab0503e0040101 and see
> installing in -priv 4. Would you please let me know what does
> privilege 9 and 14 means?

1001 and 1110. So the last one consumes the Default Selected Privilege already. You have to remove this security domain and the privilege should be possible to set.

>
> 3.
> Another way I was thinking is to select by name,
>
> Is it possible to make an applet be selected by "NAME" ?
> after installing my applet test.cap, I tried sending the command APDU
> for SELECT<bytesremaining><Name of Applet>,

You must pass the AID. Select has several modes. Read ISO 7816-4. I don't know the details.

BR,
Karsten

>
> 00A404000474657374
>
> But this returned "File Not Found" error.
>
> Is there anything I need to specify at the Install time, about
> selecting by Name of the Applet?
>
> Or do I need to have a default file in a directory file and return the
> AID of my applet for further processing?
>
> Then the "wild" questions are does secure element support file
> structure? If so, what tool can be used to view/edit/install onto
> directory files?

No. You would need an applet which simulates this in the applet's OWN memory. Not the other memory. For the whole card this should not work.

>
> Many thanks in anticipation.
>
> --
> Kind Regards,
>
> Lishoy
>
>
> 2009/6/23 Karsten Ohme <wid...@t-...
> <mailto:wid...@t-...>>
>
> Lishoy Francis wrote:
> > Hi Karsten,
> >
> > Many thanks for the GPShell and tips in the forums....I find them
> > quite useful.....I saw your email ID on the forum and would like
> your
> > advice please.
>
> Hi,
>
> What I have found:
>
> Only one Application or Security Domain in the card may be set
> with the
> Default Selected Application
> privilege at a time (e.g. the Issuer Security Domain, a current legacy
> Application or an Application that
> requires specific behavior with regards to logical channels),
> • Once the Default Selected privilege has been assigned to an
> Application, the privilege can only be
> reassigned to a new Application by deleting the Application which has
> the privilege,
> • The Default Selected Application privilege may be assigned only
> if the
> Issuer Security Domain has the
> Default Selected Application privilege.
>
> Execute a GET STATUS command to find out if someone else has the
> privilege.
>
> But maybe it is simpler. Try to install the file in single steps (for
> install for load, later load and then install for install [See the
> README of GPShell]). Maybe you can convince the card to set the
> privilege.
>
> BR,
> Karsten
>
>
> > I was trying to install my Java Card applet with "Default Selected
> > Privilege" (.cap is 2.1.1) using GPShell 1.4.2 onto 6131 NFC secure
> > element (unlocked).
> >
> > mode_211
> > enable_trace
> > establish_context
> > card_connect
> > select -AID a000000003000000
> > open_sc -security 3 -keyver 42 -mac_key
> > 404142434445464748494A4B4C4D4E4F -enc_key
> > 404142434445464748494A4B4C4D4E4F -kek_key
> > 404142434445464748494A4B4C4D4E4F
> > install -file testcard.cap -priv 4
> > select -AID 01050000000c0000
> > card_disconnect
> > release_context
> >
> > For the above script, I am getting the following error,
> >
> > "Response <-- 6985
> > install_for_install_and_make_selectable() returns 0x80206985 (6985:
> > Command not allowed - Conditions of use not satisfied.)"
> >
> > Please advise....what could be going wrong? What is the right set of
> > commands for installing my applet as the "Default Selected".
> >
>
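
Added example (not part of the original e-mail and not GPShell code): a small Python parser for the GET STATUS responses quoted in the thread, which decodes each privilege byte with the bit table from the reply and reports which AID holds the Default Selected privilege. The function names are hypothetical, the entry layout (AID length, AID, state, privileges) is read off the traces above, and only responses ending in 9000 are accepted.

```python
# Added example: decode GlobalPlatform GET STATUS responses from the thread.
# Privilege bit meanings are the ones listed in the reply (b8 = most significant bit).
PRIVILEGES = [
    (0x80, "Security Domain"),
    (0x40, "DAP Verification"),
    (0x20, "Delegated Management"),
    (0x10, "Card Lock"),
    (0x08, "Card Terminate"),
    (0x04, "Default Selected"),
    (0x02, "CVM Management"),
    (0x01, "Mandated DAP Verification"),
]
DEFAULT_SELECTED = 0x04

# Response lines copied from the trace quoted in the thread (wrapped lines rejoined).
ISD_RESPONSE = "08A0000000030000000F9A9000"
APPS_RESPONSE = ("0CD276000005AB0503E004010107140CD276000005AA0503E005010107000F48656"
                 "C6C6F4170706C65742E61707007029000")

def decode_privileges(priv):
    """Return the names of all privilege bits set in one privilege byte."""
    return [name for mask, name in PRIVILEGES if priv & mask]

def parse_get_status(response_hex):
    """Split a response into entries of [AID length][AID][state][privileges] + SW."""
    data = bytes.fromhex(response_hex)
    if len(data) < 2 or data[-2:] != b"\x90\x00":
        raise ValueError("missing or non-9000 status word")
    body, entries, pos = data[:-2], [], 0
    while pos < len(body):
        aid_len = body[pos]
        end = pos + 1 + aid_len + 2          # length byte + AID + state + privileges
        if aid_len == 0 or end > len(body):
            raise ValueError("truncated entry at offset %d" % pos)
        entries.append({
            "aid": body[pos + 1:end - 2].hex(),
            "state": body[end - 2],
            "privileges": body[end - 1],
        })
        pos = end
    return entries

def default_selected_holders(entries):
    """AIDs whose privilege byte has b3 (Default Selected) set."""
    return [e["aid"] for e in entries if e["privileges"] & DEFAULT_SELECTED]

if __name__ == "__main__":
    for resp in (ISD_RESPONSE, APPS_RESPONSE):
        for e in parse_get_status(resp):
            print(e["aid"], hex(e["state"]), hex(e["privileges"]), decode_privileges(e["privileges"]))
```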