kaoh / globalplatform

C library + command-line for Open- / GlobalPlatform smart cards
https://kaoh.github.io/globalplatform/
Other
72 stars 30 forks source link

Problems with downloading a public RSA key to a SSD with Delegate Management #29

Open kaoh opened 6 years ago

kaoh commented 6 years ago

I encountered problems when I tried to put the public RSA key on the Supplementary Security Domain (SSD) with the Delegate Management(DM) privs to smart card using the GPShell utility. What I do:

I generate a private key using the options:

openssl genrsa -out ./pr.pem -des -passout pass:12345678 1024

Based on it, I generate a public key:

openssl rsa -in ./pr.pem -pubout -out pub.pem

I create on the smart card a domain with Delegated Management privs with the help of Global Platform Pro:

gp keys --domain A000000004000001 --privs DelegatedManagement

Reuslt:

DOM: A000000004000001 (SELECTABLE) Privs: SecurityDomain, DelegatedManagement

I install the keys MAC, ENC and DEK (By Global Platform Pro):

gp --sdaid A000000004000001 -lock [key]

Domain became PERSONALIZED:

DOM: A000000004000001 (PERSONALIZED) Privs: SecurityDomain, DelegatedManagement

With the help of GPShell I try to put the public RSA key to the domain:

mode_211
enable_trace
enable_timer
establish_context
command time: 4 ms
card_connect
command time: 61 ms
select -AID A000000004000001
Command --> 00A4040008A000000004000001
Wrapped command --> 00A4040008A000000004000001
Response <-- 6F108408A000000004000001A5049F6501FF9000
command time: 59 ms
open_sc -scp 2 -security 3 -scpimpl 0x15 -keyver 0 -mac_key [key_mac] -enc_key [key_enc] -kek_key [key_kek]
Command --> 8050000008275D44D56FE9B1C300
Wrapped command --> 8050000008275D44D56FE9B1C300
Response <-- 000172850008B6DE043C01020000CA5C85B8CA6F97B71320C829ABD79000
Command --> 8482030010BA266EA9661D13493D3DC8FED7F45961
Wrapped command --> 8482030010BA266EA9661D13493D3DC8FED7F45961
Response <-- 9000
command time: 260 ms
put_dm_keys -keyver 0 -newkeyver 2 -file pub.pem -pass [The_key_is_8_characters_in_length] -key [The_key_is_32_characters_in_length]
Command --> 80D80001A002A1803BAC9523A55469AF1035251FBFF034BB324CE3720808430AE6D8C2473D548CA86A6E1C4BF94EEB899C67D6EAD11A995D77F914654473BB7E088CB930CE953893BA01372CE4D128D980AB5B5657764E26AB1F6B01B954CF77554DD191309F1BFBD356ABAC8ADE1BCD87B83C6FC868F6FFE08A9C6DE02A1FFA9285E184EFAE7ACE00A00301000100801085272E4D9EF376D285272E4D9EF376D2038CA64D00
Wrapped command --> 84D80001B0ACA2E440664B9437FF05EAC64B0119C732BCCE420A5D3AD8DD96CB3C6C23CA46BE0E4ACC85F76D06FC5AB6A98B85726729320253F53D4079A331A4A1EA66F0FE64B83F18FB544B9E81B2A72BA5CD653ABE3E4C5783231DA1ED4F726C0D2A34C2FD5A75532A6A21690E4C0292125617D68D140E93EB815700507B940265B2E7A4E871095B9B4AC70067348132BF4E3650CA23B0B0D130738F6C6248337344F36C753A3BA4ABD3B54A9C3AB047A0807F0800
Response <-- 6A86
put_delegated_management_keys() returns 0x80206A86 (6A86: Incorrect parameters (P1, P2).)

Gives out the error parameters P1, P2, but I can not understand what the problem is and what I'm doing wrong. It is possible that the length of the password or the key, or their appearance, does not. Is it possible to somehow load keys with the help of Global Platform Pro or is it possible only with the help of GPShell?

Reported by: grv333

kaoh commented 6 years ago

Hi,

The problem can be the key version parameters: "-keyver 0 -newkeyver 2"

keyver 0 is indicating the default version, usually used during mutual authentication to take the first available one. Maybe you have to use different values here, e.g. "-keyver 1 -newkeyver 1" to overwrite key set version 1 with new values.

Original comment by: kaoh

kaoh commented 6 years ago

Thanks for the answer! I've already tried different versions of the versions, but for some reason it's impossible to load the keys:

0 to 0 :

put_dm_keys -keyver 0 -newkeyver 0 -file /disk2/Cards/newgit/var/svn/svnETD/YouROK/JavaCard/AisaCard/apdu_tests/rsapkcs1/pub.pem -pass [The_key_is_8_characters_in_length] -key [The_key_is_32_characters_in_length]
Command --> 80D80001A000A1803BAC9523A55469AF1035251FBFF034BB324CE3720808430AE6D8C2473D548CA86A6E1C4BF94EEB899C67D6EAD11A995D77F914654473BB7E088CB930CE953893BA01372CE4D128D980AB5B5657764E26AB1F6B01B954CF77554DD191309F1BFBD356ABAC8ADE1BCD87B83C6FC868F6FFE08A9C6DE02A1FFA9285E184EFAE7ACE00A003010001008010F9A55CEFECB901603D7FA351FFEA516803B846EC00
Wrapped command --> 84D80001B0F62450DC942FDC2C2DF107D3C5A37AD5622C9655A974408393F0F4742DA7F6A62CFC3150D43744B4574DC6F49F88C08AD9E61B5981C875753A410AC31A6AD083DCD7A1D4F18BC0AF62CBC1A552D1718E455E6354BAD28CE4CB920D93CF8F8E5D7CF920250D4E6CB637D360BB846E0C2D590DFDFC8D9419FEB155570E338FB341E2543BF8757B666F00E78AB5F989AED33BCDD32EE3EEA3E21C1CFA3879554111EB9B3EA010A5188F32C7FA3CF03CEB8C00
Response <-- 6A80
put_delegated_management_keys() returns 0x80206A80 (6A80: Wrong data / Incorrect values in command data.)

0 to 1:

put_dm_keys -keyver 0 -newkeyver 1 -file /disk2/Cards/newgit/var/svn/svnETD/YouROK/JavaCard/AisaCard/apdu_tests/rsapkcs1/pub.pem -pass [The_key_is_8_characters_in_length] -key [The_key_is_32_characters_in_length]
Command --> 80D80001A001A1803BAC9523A55469AF1035251FBFF034BB324CE3720808430AE6D8C2473D548CA86A6E1C4BF94EEB899C67D6EAD11A995D77F914654473BB7E088CB930CE953893BA01372CE4D128D980AB5B5657764E26AB1F6B01B954CF77554DD191309F1BFBD356ABAC8ADE1BCD87B83C6FC868F6FFE08A9C6DE02A1FFA9285E184EFAE7ACE00A003010001008010A1E37F0D48C342BEEA61174882172ACF03B846EC00
Wrapped command --> 84D80001B0484C0003713B7EDA44D6BCFF0B915B78C180A1CB4E05904A67214681036C25D49E5FB36F4F04A4F3E501A4506324A2DFC6FE9FEA428CEB5AA38AB85C2539A7E18F471962484D2D8267611E0A24CED478D369D16CF156F0BA94A70430B80EC4F75B977BAC084D41826E085077106CA8FD036ADD045AC066EDD1EF87145F1B5CBFC8EF5EB09C343EE627222BFE2AF71FCE700F7906E0E368C27CB16BF548AA8072D9AC3FDB6ADD7F62F3C624AC7F9E129F00
Response <-- 6A86
put_delegated_management_keys() returns 0x80206A86 (6A86: Incorrect parameters (P1, P2).)

1 to 1:

put_dm_keys -keyver 1 -newkeyver 1 -file /disk2/Cards/newgit/var/svn/svnETD/YouROK/JavaCard/AisaCard/apdu_tests/rsapkcs1/pub.pem -pass [The_key_is_8_characters_in_length] -key [The_key_is_32_characters_in_length]
Command --> 80D80101A001A1803BAC9523A55469AF1035251FBFF034BB324CE3720808430AE6D8C2473D548CA86A6E1C4BF94EEB899C67D6EAD11A995D77F914654473BB7E088CB930CE953893BA01372CE4D128D980AB5B5657764E26AB1F6B01B954CF77554DD191309F1BFBD356ABAC8ADE1BCD87B83C6FC868F6FFE08A9C6DE02A1FFA9285E184EFAE7ACE00A003010001008010578B322D083DCCECAD759DAD7495E0E703B846EC00
Wrapped command --> 84D80101B0C867D37089C785A281111CD7566EE3B94DF59FAB1B7941185E431B314F1856A0B8456AF1EF0DEA5002EF48D94B11F3EB365C496D3DD54A2EE00742EBF60F9A25CF58FFCE5541211F19CD16ADDD337DC1A24F7DCB97939A704FF88E01F02355A758FB1DF5A309BFFEFE0A410C8ED056B11CFD34F332AA9C713314BDEAA120982C37D417B34024136C046A86E735EC831AFA7DAE5859D7CC201680736EACBE1F926D6D462631145947EC1459E567676DCA00
Response <-- 6A86
put_delegated_management_keys() returns 0x80206A86 (6A86: Incorrect parameters (P1, P2).)

1 to 2:

put_dm_keys -keyver 1 -newkeyver 2 -file /disk2/Cards/newgit/var/svn/svnETD/YouROK/JavaCard/AisaCard/apdu_tests/rsapkcs1/pub.pem -pass [The_key_is_8_characters_in_length] -key [The_key_is_32_characters_in_length]
Command --> 80D80101A002A1803BAC9523A55469AF1035251FBFF034BB324CE3720808430AE6D8C2473D548CA86A6E1C4BF94EEB899C67D6EAD11A995D77F914654473BB7E088CB930CE953893BA01372CE4D128D980AB5B5657764E26AB1F6B01B954CF77554DD191309F1BFBD356ABAC8ADE1BCD87B83C6FC868F6FFE08A9C6DE02A1FFA9285E184EFAE7ACE00A003010001008010C8A943BE91EB3EAEFD76EB57D1E83CB503B846EC00
Wrapped command --> 84D80101B066755A307ADB1D78125062B7DD8CAC43DF524F803837BDA77E6E54B341D0250A25EFBDA6B8588F702A97F8F9C58D1185D3908AD14AC23591EB760C0C8C9BFF9CC457335F36F94CDCC55C1C08D0637AC6773CA68F14EE40A7B36722C8D8C4F4AD6A9490BE74B6A1B24DA77CA2B8559DC5AC1F5EEC4EE87F326AAE0ACB20708D6B8FE1293B7C92D1E4AD2B6406BE349011CECF8282C3490B04CD7B1C9C2C420B7CFE16AB36CA4AACF2467C95AC284A73BE00
Response <-- 6A86
put_delegated_management_keys() returns 0x80206A86 (6A86: Incorrect parameters (P1, P2).)

2 to 2:

put_dm_keys -keyver 2 -newkeyver 2 -file /disk2/Cards/newgit/var/svn/svnETD/YouROK/JavaCard/AisaCard/apdu_tests/rsapkcs1/pub.pem -pass [The_key_is_8_characters_in_length] -key [The_key_is_32_characters_in_length]
Command --> 80D80201A002A1803BAC9523A55469AF1035251FBFF034BB324CE3720808430AE6D8C2473D548CA86A6E1C4BF94EEB899C67D6EAD11A995D77F914654473BB7E088CB930CE953893BA01372CE4D128D980AB5B5657764E26AB1F6B01B954CF77554DD191309F1BFBD356ABAC8ADE1BCD87B83C6FC868F6FFE08A9C6DE02A1FFA9285E184EFAE7ACE00A003010001008010D739F1121DC2441D3CA2CBA35224388203B846EC00
Wrapped command --> 84D80201B07B585955082410774DED31CE2D4720A31F3A90AB61F555DFD70B232D9CD8248DBF0D0A0AE660BB0109E2A4FA57AB1FC342361BE4B5C2665A2DC96ADA9DDEB09C936F934A5E27EE7CE854B28C8F11E890F408CF0F70C0EC266E1BA7930D49297F74A48DECF9D50CDD7CFF5F13D215597366E79C30BFF91F4C132DAF84CA57F70572F71598E73A4201F2C359B6500B5275AACBB5ED127EBE581C00B3D749F2F1A410A10C04C25D19F484EC0DC78D96858E00
Response <-- 6A88
put_delegated_management_keys() returns 0x80206A88 (6A88: Referenced data not found.)

But any combination comes with errors. Can it is necessary somehow on special to create SSD with DM or to use any other algorithm for generation of RSA keys?

Original comment by: grv333

kaoh commented 6 years ago

Are there any ideas, what could be the problem?

Original comment by: *anonymous

kaoh commented 6 years ago

No, the combination 0,0 seems not bad, but the error sounds like an encoding problem of the transmitted data of the PUT_KEY command, it would be necessary to have a look into the manual how the data has to be sent. Usually the manufacturers do not provide a manual or hide it under NDAs. I'm also not sure if during the creation of a security domain any data must be passed for an inital key set for DM. Otherwise a default key must be used or the SD is not functional.

Original comment by: kaoh

mjalaliwallex commented 1 year ago

Is this problem solved? I cannot see the comments except kaoh's and the solution to this question.

koh-osug commented 1 year ago

Most likely not, the bug is from a long time ago and a new bug description is needed. Since I also have no cards not the card type is mentioned to reproduce this, it is unlikely to going to be fixed without funding.