From: Marcel C. <mco...@gm...> - 2011-08-27 01:04:12
Hi, I'm having problems establishing a secure channel with an applet I've just installed in a JavaCard. The card is in an INITIALIZED state with its three keys set to the default value (404142434445464748494A4B4C4D4E4F). I know I'm able to establish a secure channel with the Card Manager using these keys because I can successfully install my own applets using this gpshell script:

    mode_211
    enable_trace
    enable_timer
    establish_context
    card_connect
    select -AID a000000003000000
    open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
    delete -AID F00100006203010C0101
    delete -AID F00100006203010C01
    install -file samples.cap -priv 2
    # getdata
    # close_sc // Close secure channel
    # putkey // Put key
    # options:
    # -keyind Key index
    # -keyver Key version
    # -key Key value in hex
    card_disconnect
    release_context

The sample applet I'm using for testing purposes is taken from http://www.globalplatform.org/specificationform.asp?fid=6306. I can infer from the code that the security command processing is performed inside the following code snippet:

    void SCPcommands(APDU apdu) {
        // hand INITIALIZE UPDATE / EXTERNAL AUTHENTICATE to the associated Security Domain
        responseLength = MySecureChannel.processSecurity(apdu);
        if (responseLength != 0)
            apdu.setOutgoingAndSend((short) ISO7816.OFFSET_CDATA, responseLength);
    }

so the SCP02's management is being left to the Security Domain the applet is associated with (the ISD I assume, since the Card Manager was used to install the applet). The problem arises when trying to establish a secure channel with the applet using the gpshell script:

    establish_context
    enable_trace
    enable_timer
    card_connect
    select -AID F00100006203010C0101
    open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
    card_disconnect
    release_context

gpshell keeps returning an error in an early stage of the SCP02 as a result of sending the INITIALIZE UPDATE command. The card cryptogram cannot be verified, as can be seen in the trace:

    establish_context
    enable_trace
    enable_timer
    card_connect
    command time: 0 ms
    select -AID F00100006203010C0101
    Command --> 00A404000AF00100006203010C0101
    Wrapped command --> 00A404000AF00100006203010C0101
    Response <-- 6F0E840AF00100006203010C0101A5009000
    command time: 22 ms
    open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
    Command --> 805000000818594C319FFDF58C00
    Wrapped command --> 805000000818594C319FFDF58C00
    Response <-- 000082470244119142080102001AE08851C2967C0CC37A11A2F1FE579000
    mutual_authentication() returns 0x80302000 (The verification of the card cryptogram failed.)

Am I missing some applet-specific parameters in the open_sc command? Am I using the right keys? Do I need to establish new keys for the applet other than the default ones set for the ISD? How do I install my own security domain and associate custom applets with it? I would appreciate any help.

Thanks.

Marcel
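A host-side reconstruction of the step that fails, added here as an example in Go and not code from the post or from gpshell: it parses the INITIALIZE UPDATE response from the trace above, derives the SCP02 S-ENC session key and recomputes the card cryptogram as GlobalPlatform 2.1.1 Appendix E specifies (two-key 3DES, zero IV, derivation constant 0x0182, 80 00.. padding), which is the comparison behind error 0x80302000. Whether it prints true for the default key depends on which ENC key the selected Security Domain actually holds, which is the open question in the post.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)
// InitUpdate holds the 28 data bytes of an SCP02 INITIALIZE UPDATE response.
type InitUpdate struct {
	KeyDivData, SeqCounter, CardChallenge, Cryptogram []byte
	KeyVersion, SCPID                                  byte
}
// ParseInitUpdate splits the response (status word 9000 already stripped).
func ParseInitUpdate(r []byte) (*InitUpdate, error) {
	if len(r) != 28 { return nil, errors.New("INITIALIZE UPDATE response must be 28 data bytes") }
	return &InitUpdate{r[0:10], r[12:14], r[14:20], r[20:28], r[10], r[11]}, nil
}
// tdesCBC: two-key 3DES (K1||K2||K1) in CBC mode with a zero IV, as SCP02 uses.
func tdesCBC(key16, data []byte) []byte {
	blk, _ := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(blk, make([]byte, 8)).CryptBlocks(out, data)
	return out
}
// SessionKey derives an SCP02 session key from constant || seq counter || 12 zero bytes.
func SessionKey(static []byte, constant uint16, seq []byte) []byte {
	d := append([]byte{byte(constant >> 8), byte(constant)}, seq...)
	return tdesCBC(static, append(d, make([]byte, 12)...))
}
// CardCryptogram: last block of a full 3DES CBC MAC under S-ENC over host challenge || seq counter || card challenge, padded 80 00.. to 24 bytes.
func CardCryptogram(sEnc, host, seq, card []byte) []byte {
	data := append(append(append([]byte{}, host...), seq...), card...)
	mac := tdesCBC(sEnc, append(data, 0x80, 0, 0, 0, 0, 0, 0, 0))
	return mac[len(mac)-8:]
}
// VerifyCardCryptogram is the check gpshell reports as failing (0x80302000).
func VerifyCardCryptogram(staticEnc, host []byte, iu *InitUpdate) bool {
	sEnc := SessionKey(staticEnc, 0x0182, iu.SeqCounter) // 0x0182 = S-ENC derivation constant
	return bytes.Equal(CardCryptogram(sEnc, host, iu.SeqCounter, iu.CardChallenge), iu.Cryptogram)
}
func main() { // host challenge and response are copied from the trace; the key is the default one
	h := func(s string) []byte { b, _ := hex.DecodeString(s); return b }
	iu, _ := ParseInitUpdate(h("000082470244119142080102001AE08851C2967C0CC37A11A2F1FE57"))
	ok := VerifyCardCryptogram(h("404142434445464748494A4B4C4D4E4F"), h("18594C319FFDF58C"), iu)
	fmt.Printf("key version %02X, SCP%02X, seq %X, card challenge %X, verifies: %v\n", iu.KeyVersion, iu.SCPID, iu.SeqCounter, iu.CardChallenge, ok)
}
```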