From: Iain M. <mu...@ds...> - 2006-10-18 23:30:52
Karsten Ohme wrote on 10/18/06 04:02 PM:
> Iain MacDonnell wrote:
>> So I think the Cosmo52 cards I was trying to use before had had their
>> keys swapped without my knowledge. Trying again, with cards that I know
>> are new, and I can establish a secure channel, and load and instantiate
>> the MCardApplet .... but I can't seem to delete it!! Am I missing
>> something? I've tried various combinations of scp/scpimpl/security and
>> sdAIDs of a000000003000000 and a0000000030000 - the result is always
>> 6985...
>>
>> mode_211
>> establish_context
>> card_connect
>> enable_trace
>> select -AID a000000003000000
>> --> 00A4040008A000000003000000
>> <--
>> 6F6E8408A000000003000000A562732F06072A864886FC6B01600C060A2A864886FC6B02020001630906072A864886FC6B03640B06092A864886FC6B0401059F6E2A2050500040414091005F42583011BB5B4288191242881913428819144288000CC71300000000000000009F6501FF9000
>> open_sc -scp 1 -scpimpl 5 -security 1 -keyind 0 -keyver 0 -enc_key
>> 404142434445464748494a4b4c4d4e4f -mac_key 404142434445464748494a4b4c4d4e4f
>> --> 8050000008D6C5DC4AD8A949EE00
>> <-- 000042583011BB5B4288FF01B9E74AB54E60408208AF848B1016E81F9000
>> --> 848201001007037657966B46ED92B673CE885CA553
>> <-- 9000
>> get_status -element e0
>> --> 80F2E000024F0000
>> <--
>> 08A000000003000000019E07A0000000035350010005A000000001010006A0000000010107029000
>>
>> List of applets (AID state privileges)
>> a000000003000000 1 9e
>> a0000000035350 1 0
>> a000000001 1 0
>> a00000000101 7 2
>> delete -AID a00000000101
>> --> 80E40000084F06A0000000010100
>> <-- 6985
>> delete_applet() returns 0x80206985 (6985: Command not allowed -
>> Conditions of use not satisfied.)
>
> Usually at first all applets which have reference to the applet must be
> deleted. This should not be the case.
> Then the applet must be deleted before the package.
> Then the package can be deleted.
>
> But there are cards, which delete all dependent data if the package is
> deleted. So try to delete the package:
>
> delete -AID a000000001
>
> I remember that I implemented it that way that always for GP 211 cards
> all related data is also deleted. So, it should work.

No; same error:

delete -AID a000000001
delete_applet() returns 0x80206985 (6985: Command not allowed -
Conditions of use not satisfied.)

> At one card I know of the package AID and the applet AID together must
> be specified to delete it. This is not supported by GPShell. You must
> manually look into the documentation of your card, what is necessary.
> Use the script and instead of the delete command insert a send_apdu
> command which could look like:
>
> 80 E4 00 80 0e

0e should be 0f, I assume?

> 4f 06 a0 00 00 00 01 01
> 4f 05 a0 00 00 00 01
> 00
>
> (I have separated with newlines and spaces, must be written together.)
> Maybe the order of the 2nd and 3rd line must be changed.

Either way around, that gets:

send_apdu -sc 1 -APDU 80E400800F4F06A000000001014F05A00000000100
Send APDU: 80 E4 00 80 0F 4F 06 A0 00 00 00 01 01 4F 05 A0 00 00 00 01 00
send_APDU() returns 0x80206A80 (6A80: Wrong data / Incorrect values in
command data.)

I guess I need to go hunting for a Cosmo V5.2 manual...

Thx,

~Iain

>> Snit Mo wrote on 03/27/06 06:07 PM:
>>
>>> I have to assume that your card doesn't have the usual test key
>>> (4041..4f). Where did you get the card from? Can you ask them what
>>> the key is?
>>>
>>> Also, you may want to try Oberthur AppLoader.
>>>
>>> Thanks,
>>>
>>> On 3/27/06, Iain MacDonnell <mu...@ds...> wrote:
>>>
>>>> Snit Mo wrote on 03/27/06 05:45 PM:
>>>>
>>>>> Hello, Iain,
>>>> Hi :)
>>>>
>>>>> Use listgp211.txt. It works fine for me with Oberthur Cosmo 5.2. The
>>>>> default key is 404142...4f. See the result at the end of this file.
>>>> Doesn't work for me - I wonder why...
>>>>
>>>> mode_211
>>>> enable_trace
>>>> establish_context
>>>> card_connect
>>>> select -AID a000000003000000
>>>> --> 00A4040008A000000003000000
>>>> <--
>>>> 6F6E8408A000000003000000A562732F06072A864886FC6B01600C060A2A864886FC6B02020001630906072A864886FC6B03640B06092A864886FC6B0401059F6E2A2050500040414091005F42583011BB524288191242881913428819144288000CC71300000000000000009F6501FF9000
>>>> open_sc -security 1 -keyind 0 -keyver 0 -mac_key
>>>> 404142434445464748494a4b4c4d4e4f -enc_key
>>>> 404142434445464748494a4b4c4d4e4f // Open secure channel
>>>> --> 00CA006600
>>>> <--
>>>> 6631732F06072A864886FC6B01600C060A2A864886FC6B02020001630906072A864886FC6B03640B06092A864886FC6B0401059000
>>>> --> 8050000008C13CAC00B446633A00
>>>> <-- 000042583011BB5242880101ABBC16B787DA1960AC4EE7E255D338669000
>>>> mutual_authentication() returns 0x80302000 (The verification of the card
>>>> cryptogram failed.)
>>>>
>>>> ~Iain
>>>>
>>>>> For changing keys, use attached files. replacekey-cosmo-gp211 changes
>>>>> key from 4041...4f to 5051...5f. recyclekey-cosmo-gp211.txt puts it
>>>>> back to 4041...4f. Perhaps I should include these in later releases
>>>>> ...
>>>>>
>>>>> $ ./Release/GPShell.exe listgp211.txt
>>>>> mode_211
>>>>> enable_trace
>>>>> establish_context
>>>>> card_connect
>>>>> select -AID a000000003000000
>>>>> --> 00A4040008A000000003000000
>>>>> <-- 6F6E8408A000000003000000A562732F06072A864886FC6B01600C060A2A864886FC6B020201
>>>>> 01630906072A864886FC6B03640B06092A864886FC6B0401059F6E2A2050500040414091005F5291
>>>>> 0000000300001912529119135291000000000000000000000000000000009F6501FF9000
>>>>> open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4
>>>>> f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
>>>>> --> 00CA006600
>>>>> <-- 6631732F06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03
>>>>> 640B06092A864886FC6B0401059000
>>>>> --> 8050000008B7070A7E2C84570000
>>>>> <-- 0000529100000003000001013E5B6BEE91B858BE6750A80612655CA69000
>>>>> --> 84820100102AF486A3BFA39CFFC188D51C8F21EA3D
>>>>> <-- 9000
>>>>> get_status -element 20
>>>>> --> 80F22000024F0000
>>>>> <-- 07A0000000035350010009A00000006203010C01010006A0000000010101009000
>>>>>
>>>>> List of applets (AID state privileges)
>>>>> a0000000035350 1 0
>>>>> a00000006203010c01 1 0
>>>>> a00000000101 1 0
>>>>> card_disconnect
>>>>> release_context
>>>>>
>>>>> On 3/27/06, Karsten Ohme <wid...@t-...> wrote:
>>>>>
>>>>>> Iain MacDonnell wrote:
>>>>>>
>>>>>>> Karsten Ohme wrote on 03/26/06 01:00 PM:
>>>>>>>
>>>>>>>> Karsten Ohme wrote:
>>>>>>>>
>>>>>>>>> Karsten Ohme wrote:
>>>>>>>>>
>>>>>>>>>> Karsten Ohme wrote:
>>>>>>>>>>
>>>>>>>>>>> Iain MacDonnell wrote:
>>>>>>>>>>>
>>>>>>>>>>>>> BTW, I've run into what appears to be a bigger problem - have you
>>>>>>>>>>>>> ever tried this stuff on a big-endian machine?
>>>>>>>> I have run some big endian tests on a Solaris system running on a Sparc.
>>>>>>>>
>>>>>>>> For some reason the following happens:
>>>>>>>>
>>>>>>>> char *test = "EE";
>>>>>>>> sscanf (test, "%02x", &temp);
>>>>>>>>
>>>>>>>> if temp is a char the conversion is always 00, if temp is an int, it
>>>>>>>> works.
>>>>>>>>
>>>>>>>> Please try out the GPShell version in CVS. I have fixed probably all
>>>>>>>> conversions, but I have no possibility to test it.
>>>>>>> Current CVS seems to be working fine on Solaris 10 / SPARC. I haven't
>>>>>>> exercised all functions, but it's able to 'select' and 'open_sc' OK.
>>>>>>> I'll let you know, of course, if I run into any further problems.
>>>>>>>
>>>>>>> Side question: do you happen to have the developer keys for Oberthur
>>>>>>> Cosmo v5.2 handy and/or is there something else I need to change
>>>>>>> in the example GPShell scripts to establish a secure channel?
>>>>>> For an Oberthur card it works with the default 0x40 ... 0x4F key.
>>>>>>
>>>>>> I executed the list.txt file:
>>>>>>
>>>>>> mode_201
>>>>>> enable_trace
>>>>>> establish_context
>>>>>> card_connect
>>>>>> select -AID a0000000030000
>>>>>> --> 00A4040007A0000000030000
>>>>>> <--
>>>>>> 6F6E8408A000000003000000A562732F06072A864886FC6B01600C060A2A864886FC6B020201
>>>>>> 01630906072A864886FC6B03640B06092A864886FC6B0401059F6E2A2050500040414091005F5237
>>>>>> 0000004600001912523719135237000000000000000000000000000000009F6501FF9000
>>>>>> open_sc -security 1 -keyind 0 -keyver 0 -mac_key
>>>>>> 404142434445464748494a4b4c4d4e4
>>>>>> f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
>>>>>> --> 805000000803AF9CAB5BC9A73A00
>>>>>> <-- 00005237000000460000010100CB902348832FB5492783C164F1FF749000
>>>>>> --> 84820100106E04B80DBD241D26EEC85AEF6EBC9B5E
>>>>>> <-- 9000
>>>>>> get_status -element e0
>>>>>> --> 80F2E000024F0000
>>>>>> <-- 6A86
>>>>>> OP201_get_status() returns 0x80206A86 (6A86: Incorrect parameters (P1, P2).)
>>>>>>
>>>>>> Obviously the card has a problem listing the applications. Don't know why.
>>>>>>
>>>>>> By the way. I have problems with my Oberthur Cosmo card, that it can not
>>>>>> treat the GET RESPONSE command. Is this a usual feature? I cannot use
>>>>>> the card.
>>>>>>
>>>>>>> I'm
>>>>>>> getting mutual_authentication() returns 0x80302000. I read about the
>>>>>>> need to specify a sdAID, but that seems to apply only to
>>>>>>> 'install_for_load', and the referenced 'putkey-cosmo.txt' example
>>>>>>> doesn't seem to exist...?
>>>>>> Don't know. Maybe Snit knows. He wrote it. Maybe the putkey for the
>>>>>> CFlex card works with the mentioned change.
>>>>>>
>>>>>> Karsten
>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> ~Iain
>>>>>>>
>>>>>>>>>>>>> # /opt/ITmuscle/bin/gpshell list-cflex.txt
>>>>>>>>>>>>> mode_201
>>>>>>>>>>>>> enable_trace
>>>>>>>>>>>>> establish_context
>>>>>>>>>>>>> card_connect
>>>>>>>>>>>>> select -AID a0000000030000
>>>>>>>>>>>>> --> 00A404000700000000000000
>>>>>>>>>>>> Note that the AID is not showing in this APDU... compared to
>>>>>>>>>>>> below....
>>>>>>>>>>> Mmmh, this is a bigger problem. I will see to fix the conversion
>>>>>>>>>>> routines, if something like this is used, I'm not sure.
>>>>>>>>> This could be the guilty routine (?):
>>>>>>>>>
>>>>>>>>> It scans two bytes interpreted as a hex byte:
>>>>>>>>>
>>>>>>>>> while (sscanf (&(dummy[i*2]), "%02x", &(pOptionStr->AID[i])) > 0) {
>>>>>>>>> i++;
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> I will see.
>>>>>>>>>
>>>>>>>>> Karsten
>>>>>>>>>
>>>>>>>>>>> Thanks, Karsten
>>>>>>>>>>>
>>>>>>>>>>>>> <-- 6A82
>>>>>>>>>>>>> select_application() returns 0x80216A82 (6A82: The application to be
>>>>>>>>>>>>> selected could not be found.)
>>>>>>>>>>>>> # uname -a
>>>>>>>>>>>>> SunOS sb150 5.10 Generic_118822-25 sun4u sparc SUNW,Sun-Blade-100
>>>>>>>>>>>>> #
>>>>>>>>>>>>>
>>>>>>>>>>>>> Maybe the endianness is a red herring too ... but I've
>>>>>>>>>>>>> successfully used this stuff on Solaris x86...
>>>>>>>>>> Mmmh, actually I use only byte arrays, no numbers, this should not
>>>>>>>>>> affect endianness. I will look into GPShell.
>>>>>>>>>>
>>>>>>>>>> Karsten
>>>>>>>>>>
>>>>>>>>>>>> Same card, same reader, same sources, but on Solaris x86:
>>>>>>>>>>>>
>>>>>>>>>>>> # /opt/ITmuscle/bin/gpshell list-cflex.txt
>>>>>>>>>>>> mode_201
>>>>>>>>>>>> enable_trace
>>>>>>>>>>>> establish_context
>>>>>>>>>>>> card_connect
>>>>>>>>>>>> select -AID a0000000030000
>>>>>>>>>>>> --> 00A4040007A0000000030000
>>>>>>>>>>>> <-- 6F188407A0000000030000A50D9F6E060005020201009F6501FF9000
>>>>>>>>>>>> open_sc -security 1 -keyind 0 -keyver 0 -mac_key
>>>>>>>>>>>> 404142434445464748494a4b4c4d4e4f -enc_key
>>>>>>>>>>>> 404142434445464748494a4b4c4d4e4f // Open secure channel
>>>>>>>>>>>> --> 80500000088409FFE1A2E28B4600
>>>>>>>>>>>> <-- 000012010000111401020101E86DFA173682E4673596888A215DE86C9000
>>>>>>>>>>>> --> 8482010010C8207C7B2A3E416884B431EF23B61CD2
>>>>>>>>>>>> <-- 9000
>>>>>>>>>>>> get_status -element e0
>>>>>>>>>>>> --> 80F2E000024F0000
>>>>>>>>>>>> <--
>>>>>>>>>>>> 07A0000000030000070007A0000000620001010007A0000000620101010007A0000000620102010007A0000000620201010007A0000000030000010005A000000001010006A0000000010107009000
>>>>>>>>>>>>
>>>>>>>>>>>> List of applets (AID state privileges)
>>>>>>>>>>>> a0000000030000 7 0
>>>>>>>>>>>> a0000000620001 1 0
>>>>>>>>>>>> a0000000620101 1 0
>>>>>>>>>>>> a0000000620102 1 0
>>>>>>>>>>>> a0000000620201 1 0
>>>>>>>>>>>> a0000000030000 1 0
>>>>>>>>>>>> a000000001 1 0
>>>>>>>>>>>> a00000000101 7 0
>>>>>>>>>>>> card_disconnect
>>>>>>>>>>>> release_context
>>>>>>>>>>>> #
>>>>>>>>>>>>
>>>>>>>>>>>> ~Iain
>>>>>>>>>>>>
>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
>>>>>>>>>>>> that extends applications into web and mobile media. Attend the live webcast
>>>>>>>>>>>> and join the prime developer group breaking into this new coding territory!
>>>>>>>>>>>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Globalplatform-users mailing list
>>>>>>>>>>>> Glo...@li...
>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/globalplatform-users
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Globalplatform-developers mailing list
>>>>>>>>>> Glo...@li...
>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/globalplatform-developers
>>>>>> ------------------------------------------------------------------------
>>>>>>
>>>>>> mode_211
>>>>>> enable_trace
>>>>>> establish_context
>>>>>> card_connect
>>>>>> select -AID a0000000030000
>>>>>> open_sc -scp 1 -scpimpl 5 -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Open secure channel
>>>>>> put_sc_key -keyver 1 -newkeyver 1 -mac_key 505152535455565758595a5b5c5d5e5f -enc_key 505152535455565758595a5b5c5d5e5f -kek_key 505152535455565758595a5b5c5d5e5f // Put secure channel keys
>>>>>> #put_sc_key -keyver 1 -newkeyver 1 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Put secure channel keys
>>>>>> card_disconnect
>>>>>> release_context
>>>>>>
>>>>>> ------------------------------------------------------------------------
>>>>>>
>>>>>> mode_211
>>>>>> enable_trace
>>>>>> establish_context
>>>>>> card_connect
>>>>>> select -AID a0000000030000
>>>>>> open_sc -scp 1 -scpimpl 5 -security 1 -keyind 0 -keyver 0 -mac_key 505152535455565758595a5b5c5d5e5f -enc_key 505152535455565758595a5b5c5d5e5f -kek_key 505152535455565758595a5b5c5d5e5f // Open secure channel
>>>>>> put_sc_key -keyver 1 -newkeyver 1 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Put secure channel keys
>>>>>> card_disconnect
>>>>>> release_context
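
Added example, not part of the original thread and not GPShell's code: a C model of the conversion problem discussed in the quoted March messages, where sscanf with "%02x" stores a whole unsigned int through a pointer to a single AID byte. The names model_buggy_parse and parse_hex_bytes and the 0xCC filler are assumptions made for this illustration, and the checked parser is one possible fix, not necessarily the one committed to CVS.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the loop quoted in the thread. "%02x" makes sscanf store a whole
 * unsigned int (assumed 4 bytes) at &AID[i]; that store is reproduced here
 * with explicit byte order. buf needs 3 spare bytes past the parsed length
 * so the overrun is visible without undefined behaviour. */
static size_t model_buggy_parse(const char *hex, uint8_t *buf, int big_endian)
{
    size_t i = 0;
    unsigned int v;
    while (sscanf(hex + i * 2, "%2x", &v) > 0) {
        for (int b = 0; b < 4; b++)
            buf[i + b] = (uint8_t)(v >> (big_endian ? 8 * (3 - b) : 8 * b));
        i++;
    }
    return i;
}

/* Bounds-checked alternative (hypothetical helper, not GPShell code): scan
 * into an unsigned int, then narrow to one byte. Returns the byte count, or
 * -1 on odd length, a non-hex character, or more than cap bytes of input. */
static int parse_hex_bytes(const char *hex, uint8_t *out, size_t cap)
{
    size_t len = strlen(hex);
    if (len % 2 != 0 || len / 2 > cap)
        return -1;
    for (size_t i = 0; i < len; i += 2) {
        unsigned int v;
        if (!isxdigit((unsigned char)hex[i]) ||
            !isxdigit((unsigned char)hex[i + 1]) ||
            sscanf(hex + i, "%2x", &v) != 1)
            return -1;
        out[i / 2] = (uint8_t)v;
    }
    return (int)(len / 2);
}

int main(void)
{
    const char *aid = "a0000000030000";  /* AID from the select command */
    uint8_t be[10], le[10], ok[7];
    memset(le, 0xCC, sizeof le);         /* 0xCC marks untouched bytes */
    model_buggy_parse(aid, be, 1);
    model_buggy_parse(aid, le, 0);
    printf("big-endian AID[0]=%02X, little-endian AID[0]=%02X, "
           "byte past the end=%02X, checked=%d\n",
           be[0], le[0], le[7], parse_hex_bytes(aid, ok, sizeof ok));
    return 0;
}
```

In the big-endian model all seven AID bytes come out as zero, which matches the 00A404000700000000000000 trace from the SPARC machine; in the little-endian model the AID is correct but the three bytes after it are overwritten.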