From: Bura P. <bu...@gm...> - 2015-03-22 18:32:40
Dear all,

After succeeding with Java Card development on emulators, I'm now dealing with a real Java Card (Gemalto IDCore 3010 <http://www.gemalto.com/dwnld/6589_IDCore3010_Product_Datasheet_Jan14.pdf>). I have been experimenting with GPShell, but I have problems even with the most basic sample code, which would list the applets on the card (GPShell.exe list.txt).

The content of the list.txt file is the following (as you might all know):

mode_201
enable_trace
establish_context
card_connect
select -AID a0000000030000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
get_status -element e0
card_disconnect
release_context

I have modified it after reading the Global Platform wiki, and it looks like this now:

//I changed this, because the Card Management & API is compliant with GP2.1.1.
mode_211
enable_trace
establish_context
//Switches are not necessary as I am using only one single-slot card reader
card_connect
//The auto-detected ISD AID of the card is: A000000018434D00
select -AID A000000018434D00
//This is the line where the command fails
open_sc -security 0 -keyind 0 -keyver 0 -keyDerivation none -key 47454d5850524553534f53414d504c45 // Open secure channel
//This would list applets and packages and security domains
get_status -element e0
card_disconnect
release_context

On the Global Platform page one can find that these are the switches for an open_sc command:

open_sc -keyind x -keyver x -key xyz -mac_key xyz -enc_key xyz -kek_key xyz -security x -scp x -scpimpl x -keyDerivation x
Open secure channel

Sadly, I couldn't make my command work, but here I summarize what I know about the switches:

- *keyind*: The only information I found is that it is a key index, which I would have guessed also all by myself.
- *keyver*: Key set version. Same as above.
- *key*: I read that if I have a card which uses key derivation I must enable the derivation mode with the -keyDerivation option and I must specify with -key the master (mother) key. So here I provided my mother key (4F454D5850524553534F53414D504C45).
- *mac_key*: It should not be relevant, because it is calculated from the master key.
- *enc_key*: It should not be relevant, because it is calculated from the master key.
- *kek_key*: It should not be relevant, because it is calculated from the master key.
- *security*: The information I found is this: 0: clear, 1: MAC, 3: MAC+ENC. Since in the datasheet of my card I couldn't find something like this I chose "0".
- *scp*: Secure Channel Protocol (1 SCP01, 2 SCP02, default not set). Should not be necessary to be stated explicitly. My card supports both SCP01 and SCP02.
- *scpimpl*: Secure Channel Implementation (default not set). Should not be necessary to be stated explicitly.
- *keyDerivation*: Possible values are "none", "visa2" or "emvcps11". Also, since I couldn't find information on this in the datasheet, I stuck to "none".

This is the error message that I get with the modified code:

C:\JavaCard\GPShell-1.4.4>GPShell.exe list.txt
mode_211
enable_trace
establish_context
card_connect
select -AID A000000018434D00
Command --> 00A4040008A000000018434D00
Wrapped command --> 00A4040008A000000018434D00
Response <-- 6F198408A000000018434D00A50D9F6E061291518101009F6501FF9000
open_sc -security 0 -keyind 0 -keyver 0 -keyDerivation none -key 47454d585052455
3534f53414d504c45 // Open secure channel
Command --> 80CA006600
Wrapped command --> 80CA006600
Response <-- 6A88
GP211_get_secure_channel_protocol_details() returns 0x80206A88 (6A88: Referenced data not found.)

Would you be so kind as to tell me what I am doing wrong and how I should parameterize my open_sc command to make this whole thing work with the Gemalto IDCore 3010?

Thank you very much!

Kindest regards,
Pál
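
The trace quoted in the message above can be read byte by byte. The following Python sketch is an added example, not part of the original post and not GPShell code: it parses the SELECT response as BER-TLV and extracts the data-object tag from the GET DATA command that was answered with 6A88. The function names are hypothetical, and the tag names are the ones GlobalPlatform assigns to the SELECT response.

```python
# Added example: decodes the APDU trace quoted in the post (hex copied from it).
SELECT_RESPONSE = "6F198408A000000018434D00A50D9F6E061291518101009F6501FF9000"
GET_DATA_COMMAND, GET_DATA_RESPONSE = "80CA006600", "6A88"
TAG_NAMES = {"6F": "FCI template", "84": "AID", "A5": "proprietary data",  # GlobalPlatform names
             "9F6E": "production life cycle data", "9F65": "max command data length"}

def split_response(hex_str):
    """Split a response APDU into (body bytes, status word as hex)."""
    raw = bytes.fromhex(hex_str)
    if len(raw) < 2:
        raise ValueError("response shorter than a status word")
    return raw[:-2], raw[-2:].hex().upper()

def parse_tlv(data, depth=0):
    """Parse BER-TLV into a flat list of (nesting depth, tag, value bytes)."""
    items, i = [], 0
    try:
        while i < len(data):
            start, constructed = i, bool(data[i] & 0x20)
            if data[i] & 0x1F == 0x1F:      # tag continues in following bytes
                i += 1
                while data[i] & 0x80:
                    i += 1
            i += 1
            tag = data[start:i].hex().upper()
            length, i = data[i], i + 1
            if length & 0x80:               # long form: low 7 bits = byte count
                n = length & 0x7F
                length, i = int.from_bytes(data[i:i + n], "big"), i + n
            value = data[i:i + length]
            if len(value) != length:
                raise ValueError(f"tag {tag}: value truncated")
            i += length
            # Record the element, then descend if its tag marks it as constructed.
            items += [(depth, tag, value)] + (parse_tlv(value, depth + 1) if constructed else [])
    except IndexError:
        raise ValueError("TLV ends inside a tag or length field") from None
    return items

def requested_tag(command_hex):
    """Return the P1P2 data-object tag of a GET DATA (INS CA) command APDU."""
    apdu = bytes.fromhex(command_hex)
    if len(apdu) < 4 or apdu[1] != 0xCA:
        raise ValueError("not a GET DATA command")
    return apdu[2:4].hex().upper()

if __name__ == "__main__":
    for depth, tag, value in parse_tlv(split_response(SELECT_RESPONSE)[0]):
        print("  " * depth + tag, TAG_NAMES.get(tag, "?"), value.hex().upper())
    print("GET DATA", requested_tag(GET_DATA_COMMAND), "->", split_response(GET_DATA_RESPONSE)[1])
```

Run on the trace, this shows that the SELECT succeeded (9000) and returned the ISD AID, and that the 6A88 is the card's answer to a GET DATA for tag 0066, the only command the trace shows for open_sc.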