From: Karsten O. <wid...@t-...> - 2006-10-18 23:16:54
Iain MacDonnell wrote:
> So I think the Cosmo52 cards I was trying to use before had had their
> keys swapped without my knowledge. Trying again, with cards that I know
> are new, and I can establish a secure channel, and load and instantiate
> the MCardApplet .... but I can't seem to delete it!! Am I missing
> something? I've tried various combinations of scp/scpimpl/security and
> sdAIDs of a000000003000000 and a0000000030000 - the result is always
> 6985...
>
> mode_211
> establish_context
> card_connect
> enable_trace
> select -AID a000000003000000
> --> 00A4040008A000000003000000
> <--
> 6F6E8408A000000003000000A562732F06072A864886FC6B01600C060A2A864886FC6B02020001630906072A864886FC6B03640B06092A864886FC6B0401059F6E2A2050500040414091005F42583011BB5B4288191242881913428819144288000CC71300000000000000009F6501FF9000
> open_sc -scp 1 -scpimpl 5 -security 1 -keyind 0 -keyver 0 -enc_key
> 404142434445464748494a4b4c4d4e4f -mac_key 404142434445464748494a4b4c4d4e4f
> --> 8050000008D6C5DC4AD8A949EE00
> <-- 000042583011BB5B4288FF01B9E74AB54E60408208AF848B1016E81F9000
> --> 848201001007037657966B46ED92B673CE885CA553
> <-- 9000
> get_status -element e0
> --> 80F2E000024F0000
> <--
> 08A000000003000000019E07A0000000035350010005A000000001010006A0000000010107029000
>
> List of applets (AID state privileges)
> a000000003000000 1 9e
> a0000000035350 1 0
> a000000001 1 0
> a00000000101 7 2
> delete -AID a00000000101
> --> 80E40000084F06A0000000010100
> <-- 6985
> delete_applet() returns 0x80206985 (6985: Command not allowed -
> Conditions of use not satisfied.)

Usually at first all applets which have reference to the applet must be
deleted. This should not be the case. Then the applet must be deleted
before the package. Then the package can be deleted. But there are
cards, which delete all dependent data if the package is deleted.
So try to delete the package:

delete -AID a000000001

I remember that I implemented it that way that always for GP 211 cards
all related data is also deleted. So, it should work.

At one card I know of the package AID and the applet AID together must
be specified to delete it. This is not supported by GPShell. You must
manually look into the documentation of your card, what is necessary.
Use the script and instead of the delete command insert a send_apdu
command which could look like:

80 E4 00 80 0e
4f 06 a0 00 00 00 01 01
4f 05 a0 00 00 00 01 00

(I have separated with newlines and spaces, must be written together.)
Maybe the order of the 2nd and 3rd line must be changed.

Karsten

>
> TIA,
>
> ~Iain
>
> Snit Mo wrote on 03/27/06 06:07 PM:
>
>>I have to assume that your card doesn't have the usual test key
>>(4041..4f). Where did you get the card from? Can you ask them what
>>the key is?
>>
>>Also, you may want to try Oberthur AppLoader.
>>
>>Thanks,
>>
>>On 3/27/06, Iain MacDonnell <mu...@ds...> wrote:
>>
>>>Snit Mo wrote on 03/27/06 05:45 PM:
>>>
>>>>Hello, Iain,
>>>
>>>Hi :)
>>>
>>>>Use listgp211.txt. It works fine for me with Oberthur Cosmo 5.2. The
>>>>default key is 404142...4f. See the result at the end of this file.
>>>
>>>Doesn't work for me - I wonder why...
>>>
>>>mode_211
>>>enable_trace
>>>establish_context
>>>card_connect
>>>select -AID a000000003000000
>>>--> 00A4040008A000000003000000
>>><--
>>>6F6E8408A000000003000000A562732F06072A864886FC6B01600C060A2A864886FC6B02020001630906072A864886FC6B03640B06092A864886FC6B0401059F6E2A2050500040414091005F42583011BB524288191242881913428819144288000CC71300000000000000009F6501FF9000
>>>open_sc -security 1 -keyind 0 -keyver 0 -mac_key
>>>404142434445464748494a4b4c4d4e4f -enc_key
>>>404142434445464748494a4b4c4d4e4f // Open secure channel
>>>--> 00CA006600
>>><--
>>>6631732F06072A864886FC6B01600C060A2A864886FC6B02020001630906072A864886FC6B03640B06092A864886FC6B0401059000
>>>--> 8050000008C13CAC00B446633A00
>>><-- 000042583011BB5242880101ABBC16B787DA1960AC4EE7E255D338669000
>>>mutual_authentication() returns 0x80302000 (The verification of the card
>>>cryptogram failed.)
>>>
>>> ~Iain
>>>
>>>>For changing keys, use attached files. replacekey-cosmo-gp211 changes
>>>>key from 4041...4f to 5051...5f. recyclekey-cosmo-gp211.txt puts it
>>>>back to 4041...4f. Perhaps I should include these in later releases
>>>>...
>>>>
>>>>$ ./Release/GPShell.exe listgp211.txt
>>>>mode_211
>>>>enable_trace
>>>>establish_context
>>>>card_connect
>>>>select -AID a000000003000000
>>>>--> 00A4040008A000000003000000
>>>><-- 6F6E8408A000000003000000A562732F06072A864886FC6B01600C060A2A864886FC6B020201
>>>>01630906072A864886FC6B03640B06092A864886FC6B0401059F6E2A2050500040414091005F5291
>>>>0000000300001912529119135291000000000000000000000000000000009F6501FF9000
>>>>open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4
>>>>f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
>>>>--> 00CA006600
>>>><-- 6631732F06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03
>>>>640B06092A864886FC6B0401059000
>>>>--> 8050000008B7070A7E2C84570000
>>>><-- 0000529100000003000001013E5B6BEE91B858BE6750A80612655CA69000
>>>>--> 84820100102AF486A3BFA39CFFC188D51C8F21EA3D
>>>><-- 9000
>>>>get_status -element 20
>>>>--> 80F22000024F0000
>>>><-- 07A0000000035350010009A00000006203010C01010006A0000000010101009000
>>>>
>>>>List of applets (AID state privileges)
>>>>a0000000035350 1 0
>>>>a00000006203010c01 1 0
>>>>a00000000101 1 0
>>>>card_disconnect
>>>>release_context
>>>>
>>>>On 3/27/06, Karsten Ohme <wid...@t-...> wrote:
>>>>
>>>>>Iain MacDonnell wrote:
>>>>>
>>>>>>Karsten Ohme wrote on 03/26/06 01:00 PM:
>>>>>>
>>>>>>>Karsten Ohme wrote:
>>>>>>>
>>>>>>>>Karsten Ohme wrote:
>>>>>>>>
>>>>>>>>>Karsten Ohme wrote:
>>>>>>>>>
>>>>>>>>>>Iain MacDonnell wrote:
>>>>>>>>>>
>>>>>>>>>>>>BTW, I've run into what appears to be a bigger problem - have you
>>>>>>>>>>>>ever
>>>>>>>>>>>>tried this stuff on a big-endian machine?
>>>>>>>
>>>>>>>I have run some big endian tests on a Solaris system running on a Sparc.
>>>>>>>
>>>>>>>For some reason the following happens:
>>>>>>>
>>>>>>>char *test = "EE";
>>>>>>>sscanf (test, "%02x", &temp);
>>>>>>>
>>>>>>>if temp is a char the conversion is always 00, if temp is an int, it
>>>>>>>works.
>>>>>>>
>>>>>>>Please try out the GPShell version in CVS. I have fixed probably all
>>>>>>>conversions, but I have no possibility to test it.
>>>>>>
>>>>>>Current CVS seems to be working fine on Solaris 10 / SPARC. I haven't
>>>>>>exercised all functions, but it's able to 'select' and 'open_sc' OK.
>>>>>>I'll let you know, of course, if I run into any further problems.
>>>>>>
>>>>>>Side question: do you happen to have the developer keys for Oberthur
>>>>>>Cosmo v5.2 handy and/or is there something else I need to change
>>>>>>in the example GPShell scripts to establish a secure channel?
>>>>>
>>>>>For an Oberthur card it works with the default 0x40 ... 0x4F key.
>>>>>
>>>>>I executed the list.txt file:
>>>>>
>>>>>mode_201
>>>>>enable_trace
>>>>>establish_context
>>>>>card_connect
>>>>>select -AID a0000000030000
>>>>>--> 00A4040007A0000000030000
>>>>><--
>>>>>6F6E8408A000000003000000A562732F06072A864886FC6B01600C060A2A864886FC6B020201
>>>>>01630906072A864886FC6B03640B06092A864886FC6B0401059F6E2A2050500040414091005F5237
>>>>>0000004600001912523719135237000000000000000000000000000000009F6501FF9000
>>>>>open_sc -security 1 -keyind 0 -keyver 0 -mac_key
>>>>>404142434445464748494a4b4c4d4e4
>>>>>f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
>>>>>--> 805000000803AF9CAB5BC9A73A00
>>>>><-- 00005237000000460000010100CB902348832FB5492783C164F1FF749000
>>>>>--> 84820100106E04B80DBD241D26EEC85AEF6EBC9B5E
>>>>><-- 9000
>>>>>get_status -element e0
>>>>>--> 80F2E000024F0000
>>>>><-- 6A86
>>>>>OP201_get_status() returns 0x80206A86 (6A86: Incorrect parameters (P1, P2).)
>>>>>
>>>>>Obviously the card has problem to list the applications. Don't know why.
>>>>>
>>>>>By the way. I have problems with my Oberthur Cosmo card, that it can not
>>>>>treat the GET RESPONSE command. Is this a usual feature? I cannot use
>>>>>the card.
>>>>>
>>>>>>I'm
>>>>>>getting mutual_authentication() returns 0x80302000. I read about the
>>>>>>need to specify a sdAID, but that seems to apply only to
>>>>>>'install_for_load', and the referenced 'putkey-cosmo.txt' example
>>>>>>doesn't seem to exist...?
>>>>>
>>>>>Don't know. Maybe Snit knows. He wrote it. Maybe the putkey for the
>>>>>CFlex card works with the mentioned change.
>>>>>
>>>>>Karsten
>>>>>
>>>>>>Thanks!
>>>>>>
>>>>>> ~Iain
>>>>>>
>>>>>>>>>>>># /opt/ITmuscle/bin/gpshell list-cflex.txt
>>>>>>>>>>>>mode_201
>>>>>>>>>>>>enable_trace
>>>>>>>>>>>>establish_context
>>>>>>>>>>>>card_connect
>>>>>>>>>>>>select -AID a0000000030000
>>>>>>>>>>>>--> 00A404000700000000000000
>>>>>>>>>>>
>>>>>>>>>>>Note that the AID is not showing in this APDU... compared to
>>>>>>>>>>>below....
>>>>>>>>>>
>>>>>>>>>>Mmmh, this is a bigger problem. I will see to fix the conversion
>>>>>>>>>>routines, if something like this is used, I'm not sure.
>>>>>>>>
>>>>>>>>This could be the guilty routine (?):
>>>>>>>>
>>>>>>>>It scans two bytes interpreted as a hex byte:
>>>>>>>>
>>>>>>>>while (sscanf (&(dummy[i*2]), "%02x", &(pOptionStr->AID[i])) > 0) {
>>>>>>>> i++;
>>>>>>>>}
>>>>>>>>
>>>>>>>>I will see.
>>>>>>>>
>>>>>>>>Karsten
>>>>>>>>
>>>>>>>>>>Thanks, Karsten
>>>>>>>>>>
>>>>>>>>>>>><-- 6A82
>>>>>>>>>>>>select_application() returns 0x80216A82 (6A82: The application to be
>>>>>>>>>>>>selected could not be found.)
>>>>>>>>>>>># uname -a
>>>>>>>>>>>>SunOS sb150 5.10 Generic_118822-25 sun4u sparc SUNW,Sun-Blade-100
>>>>>>>>>>>>#
>>>>>>>>>>>>
>>>>>>>>>>>>Maybe the endianness is a red herring too ... but I've
>>>>>>>>>>>>successfully used
>>>>>>>>>>>>this stuff on Solaris x86...
>>>>>>>>>
>>>>>>>>>Mmmh, actually I use only byte arrays, no numbers, this should not
>>>>>>>>>affect endianness. I will look into GPShell.
>>>>>>>>>
>>>>>>>>>Karsten
>>>>>>>>>
>>>>>>>>>>>Same card, same reader, same sources, but on Solaris x86:
>>>>>>>>>>>
>>>>>>>>>>># /opt/ITmuscle/bin/gpshell list-cflex.txt
>>>>>>>>>>>mode_201
>>>>>>>>>>>enable_trace
>>>>>>>>>>>establish_context
>>>>>>>>>>>card_connect
>>>>>>>>>>>select -AID a0000000030000
>>>>>>>>>>>--> 00A4040007A0000000030000
>>>>>>>>>>><-- 6F188407A0000000030000A50D9F6E060005020201009F6501FF9000
>>>>>>>>>>>open_sc -security 1 -keyind 0 -keyver 0 -mac_key
>>>>>>>>>>>404142434445464748494a4b4c4d4e4f -enc_key
>>>>>>>>>>>404142434445464748494a4b4c4d4e4f // Open secure channel
>>>>>>>>>>>--> 80500000088409FFE1A2E28B4600
>>>>>>>>>>><-- 000012010000111401020101E86DFA173682E4673596888A215DE86C9000
>>>>>>>>>>>--> 8482010010C8207C7B2A3E416884B431EF23B61CD2
>>>>>>>>>>><-- 9000
>>>>>>>>>>>get_status -element e0
>>>>>>>>>>>--> 80F2E000024F0000
>>>>>>>>>>><--
>>>>>>>>>>>07A0000000030000070007A0000000620001010007A0000000620101010007A0000000620102010007A0000000620201010007A0000000030000010005A000000001010006A0000000010107009000
>>>>>>>>>>>
>>>>>>>>>>>List of applets (AID state privileges)
>>>>>>>>>>>a0000000030000 7 0
>>>>>>>>>>>a0000000620001 1 0
>>>>>>>>>>>a0000000620101 1 0
>>>>>>>>>>>a0000000620102 1 0
>>>>>>>>>>>a0000000620201 1 0
>>>>>>>>>>>a0000000030000 1 0
>>>>>>>>>>>a000000001 1 0
>>>>>>>>>>>a00000000101 7 0
>>>>>>>>>>>card_disconnect
>>>>>>>>>>>release_context
>>>>>>>>>>>#
>>>>>>>>>>>
>>>>>>>>>>> ~Iain
>>>>>>>>>>>
>>>>>>>>>>>-------------------------------------------------------
>>>>>>>>>>>This SF.Net email is sponsored by xPML, a groundbreaking scripting
>>>>>>>>>>>language
>>>>>>>>>>>that extends applications into web and mobile media. Attend the live
>>>>>>>>>>>webcast
>>>>>>>>>>>and join the prime developer group breaking into this new coding
>>>>>>>>>>>territory!
>>>>>>>>>>>http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
>>>>>>>>>>>
>>>>>>>>>>>_______________________________________________
>>>>>>>>>>>Globalplatform-users mailing list
>>>>>>>>>>>Glo...@li...
>>>>>>>>>>>https://lists.sourceforge.net/lists/listinfo/globalplatform-users
>>>>>>>>>
>>>>>>>>>_______________________________________________
>>>>>>>>>Globalplatform-developers mailing list
>>>>>>>>>Glo...@li...
>>>>>>>>>https://lists.sourceforge.net/lists/listinfo/globalplatform-developers
>>>>>
>>>>>------------------------------------------------------------------------
>>>>>
>>>>>mode_211
>>>>>enable_trace
>>>>>establish_context
>>>>>card_connect
>>>>>select -AID a0000000030000
>>>>>open_sc -scp 1 -scpimpl 5 -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Open secure channel
>>>>>put_sc_key -keyver 1 -newkeyver 1 -mac_key 505152535455565758595a5b5c5d5e5f -enc_key 505152535455565758595a5b5c5d5e5f -kek_key 505152535455565758595a5b5c5d5e5f // Put secure channel keys
>>>>>#put_sc_key -keyver 1 -newkeyver 1 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Put secure channel keys
>>>>>card_disconnect
>>>>>release_context
>>>>>
>>>>>------------------------------------------------------------------------
>>>>>
>>>>>mode_211
>>>>>enable_trace
>>>>>establish_context
>>>>>card_connect
>>>>>select -AID a0000000030000
>>>>>open_sc -scp 1 -scpimpl 5 -security 1 -keyind 0 -keyver 0 -mac_key 505152535455565758595a5b5c5d5e5f -enc_key 505152535455565758595a5b5c5d5e5f -kek_key 505152535455565758595a5b5c5d5e5f // Open secure channel
>>>>>put_sc_key -keyver 1 -newkeyver 1 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Put secure channel keys
>>>>>card_disconnect
>>>>>release_context
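
Added example, not part of the original message and not GPShell's own code: the quoted thread reports that sscanf with "%02x" into a char gave 00 on SPARC and that the SELECT APDU lost its AID. The sketch below models which byte a char receives when a 4-byte unsigned int (an assumption about the platform) is stored at its address, and shows a bounded hex-to-byte conversion; the names byte_seen_by_char and hex_to_bytes are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Model of the bug: "%02x" stores a whole unsigned int (assumed 4 bytes).
 * Returns the byte a char at that address ends up holding for the given
 * byte order; the other three bytes land on whatever follows the char. */
unsigned char byte_seen_by_char(unsigned int value, int big_endian)
{
    unsigned char mem[4];
    for (int i = 0; i < 4; i++)
        mem[i] = (unsigned char)(value >> (big_endian ? 8 * (3 - i) : 8 * i));
    return mem[0];
}

/* Hardened conversion: hex string -> bytes. Returns byte count, -1 on error. */
int hex_to_bytes(const char *hex, unsigned char *out, size_t cap)
{
    size_t n = strlen(hex);
    if (n == 0 || n % 2 != 0 || n / 2 > cap)
        return -1;                     /* odd length, or would overflow out[] */
    for (size_t i = 0; i < n / 2; i++) {
        unsigned int v;                /* the type "%x" actually requires */
        /* reject signs, spaces and "0x", which sscanf would otherwise accept */
        if (!isxdigit((unsigned char)hex[2 * i]) ||
            !isxdigit((unsigned char)hex[2 * i + 1]))
            return -1;
        if (sscanf(hex + 2 * i, "%2x", &v) != 1)
            return -1;
        out[i] = (unsigned char)v;     /* narrow only after the scan */
    }
    return (int)(n / 2);
}

int main(void)
{
    unsigned char aid[16];
    int len = hex_to_bytes("a0000000030000", aid, sizeof aid);
    printf("AID length %d, first byte %02X\n", len, len > 0 ? aid[0] : 0);
    printf("char sees %02X on big-endian, %02X on little-endian\n",
           byte_seen_by_char(0xEE, 1), byte_seen_by_char(0xEE, 0));
    return 0;
}
```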
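
Added example, not part of the original message and not GPShell's own code: Karsten's reply describes a DELETE command that carries the applet AID and the package AID together. The sketch below assembles such an APDU from any number of AIDs as 4F TLVs and counts Lc from the encoded data field; build_delete_apdu and put_aid_tlv are hypothetical names, and the AIDs and P2 values are the ones shown in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Sample AIDs taken from the trace in the thread. */
static const unsigned char APPLET_AID[]  = { 0xA0, 0x00, 0x00, 0x00, 0x01, 0x01 };
static const unsigned char PACKAGE_AID[] = { 0xA0, 0x00, 0x00, 0x00, 0x01 };

/* Append one AID as a 4F TLV. Returns the new offset, or 0 on error. */
static size_t put_aid_tlv(unsigned char *buf, size_t off, size_t cap,
                          const unsigned char *aid, size_t aid_len)
{
    if (aid_len < 5 || aid_len > 16 || off + 2 + aid_len > cap)
        return 0;                      /* AIDs are 5..16 bytes (ISO 7816-5) */
    buf[off++] = 0x4F;
    buf[off++] = (unsigned char)aid_len;
    memcpy(buf + off, aid, aid_len);
    return off + aid_len;
}

/* Build CLA INS P1 P2 Lc <4F TLVs> Le. Returns APDU length, or 0 on error. */
size_t build_delete_apdu(unsigned char *out, size_t cap, unsigned char p2,
                         const unsigned char *aids[], const size_t lens[],
                         size_t count)
{
    size_t off = 5;                    /* data starts after the 5-byte header */
    if (count == 0 || cap < 6)
        return 0;
    for (size_t i = 0; i < count; i++) {
        off = put_aid_tlv(out, off, cap - 1, aids[i], lens[i]); /* keep 1 for Le */
        if (off == 0 || off - 5 > 255)
            return 0;                  /* no room, bad AID, or Lc overflow */
    }
    out[0] = 0x80; out[1] = 0xE4; out[2] = 0x00; out[3] = p2;
    out[4] = (unsigned char)(off - 5); /* Lc counted from the data field */
    out[off++] = 0x00;                 /* Le */
    return off;
}

int main(void)
{
    const unsigned char *aids[] = { APPLET_AID, PACKAGE_AID };
    const size_t lens[] = { sizeof APPLET_AID, sizeof PACKAGE_AID };
    unsigned char apdu[64];
    size_t n = build_delete_apdu(apdu, sizeof apdu, 0x80, aids, lens, 2);
    for (size_t i = 0; i < n; i++)
        printf("%02X", apdu[i]);
    printf("\n");
    return 0;
}
```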