Re: [Globalplatform-users] Opening a secure connection - Gemalto IDCore 3010

[Karsten O. <wid...@t-...>]

Hi Pál,

unfortunately in contrast to other devices of the daily life complete
manuals or instructions are often not provided. If you have not some of
the necessary parameters you are lost. In your case these parameters
might be:

-security 3 -keyind 0 -keyver 0 -key 47454d5850524553534f53414d504c45
-keyDerivation visa2

There is a example file called listgemXpressoProR3_2E64.txt:
https://sourceforge.net/p/globalplatform/code/HEAD/tree/trunk/gpshell/helloInstallgemXpressoProR3_2E64.txt

Maybe your card is compatible to this Gemalto card.

Best,
Karsten

Am 22.03.2015 um 19:32 schrieb Bura Pál:
> Dear all,
>
> After succeeding with Java Card development on emulators now I'm
> dealing with a real Java Card (Gemalto IDCore 3010
> <http://www.gemalto.com/dwnld/6589_IDCore3010_Product_Datasheet_Jan14.pdf>).
> I have been experiencing with GPShell, but I have problems even with
> the most basic sample code, that would list the applets on the card
> (GPShell.exe list.txt).
>
> The content of the list.txt file is the following (as you might all know):
> mode_201
> enable_trace
> establish_context
> card_connect
> select -AID a0000000030000
> open_sc -security 1 -keyind 0 -keyver 0 -mac_key
> 404142434445464748494a4b4c4d4e4f -enc_key
> 404142434445464748494a4b4c4d4e4f // Open secure channel
> get_status -element e0
> card_disconnect
> release_context
>
> Which I have modified after reading the Global Platform wiki and it is
> like this now:
> //I changed this, because the Card Management & API is compliant with
> GP2.1.1. 
> mode_211
> enable_trace
> establish_context
> //Switches are not necessary as I am using only one single-slot card
> reader
> card_connect
> //The auto-detected ISD AID of the card is: A000000018434D00
> select -AID A000000018434D00
> //This is the line where the command fails
> open_sc -security 0 -keyind 0 -keyver 0 -keyDerivation none -key
> 47454d5850524553534f53414d504c45   // Open secure channel
> //This would list applets and packages and security domains
> get_status -element e0
> card_disconnect
> release_context
>
> On the Global Platform page one can find that these are the switches
> for an open_sc command:
> open_sc -keyind x -keyver x -key xyz -mac_key xyz -enc_key xyz
> -kek_key xyz -security x -scp x -scpimpl x -keyDerivation x
> Open secure channel
>
> But sadly I couldn't make my command work, but here I summarize what I
> know about the switches:
>
>   * *keyind*: The only information I found is that it is a key index,
>     which I would have guessed also all by myself.
>   * *keyver*: Key set version. Same as above.
>   * *key*: I read that If I have a card which uses key derivation I
>     must enable the derivation mode with the -keyDerivation option and
>     I must specify with -key the master (mother) key. So here I
>     provided my mother key (4F454D5850524553534F53414D504C45).
>   * *mac_key*: It should not be relevant, because it is calculated
>     from the master key.
>   * *enc_key*: It should not be relevant, because it is calculated
>     from the master key.
>   * *kek_key*: It should not be relevant, because it is calculated
>     from the master key.
>   * *security*: The information I found is this: 0: clear, 1: MAC, 3:
>     MAC+ENC. Since in the datasheet of my card I couldn't find
>     something like this I chose "0".
>   * *scp*: Secure Channel Protocol (1 SCP01, 2 SCP02, default not
>     set). Should not be necessary to be stated explicitly. My card
>     supports both SCP01 and SCP02.
>   * *scpimpl*: Secure Channel Implementation (default not set). Should
>     not be necessary to be stated explicitly.
>   * *keyDerivation*: Possible values are "none", "visa2" or
>     "emvcps11". Also since I couldn't find information on this in the
>     datasheet I stack to "none".
>
> This is the error message that I get with the modified code:
> C:\JavaCard\GPShell-1.4.4>GPShell.exe list.txt
> mode_211
> enable_trace
> establish_context
> card_connect
> select -AID A000000018434D00
> Command --> 00A4040008A000000018434D00
> Wrapped command --> 00A4040008A000000018434D00
> Response <-- 6F198408A000000018434D00A50D9F6E061291518101009F6501FF9000
> open_sc -security 0 -keyind 0 -keyver 0 -keyDerivation none -key
> 47454d585052455
> 3534f53414d504c45   // Open secure channel
> Command --> 80CA006600
> Wrapped command --> 80CA006600
> Response <-- 6A88
> GP211_get_secure_channel_protocol_details() returns 0x80206A88 (6A88:
> Referenced
>  data not found.)
>
> Would you be so kind as to tell me what I am doing wrong and how I
> should parameterize my open_sc command to make this all thing work
> with the Gemalto IDCore 3010? 
>
> Thank you very much!
>
> Kindest regards,
> Pál
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the 
> conversation now. http://goparallel.sourceforge.net/
>
>
> _______________________________________________
> Globalplatform-users mailing list
> Glo...@li...
> https://lists.sourceforge.net/lists/listinfo/globalplatform-users