martinpaljak / GlobalPlatformPro

🌐 🔐 Manage applets and keys on JavaCard-s like a pro
https://javacard.pro/globalplatform
GNU Lesser General Public License v3.0

Unsupported framework produces unhelpful error message #237

Closed elipsion closed 1 week ago

elipsion commented 4 years ago

Describe the bug

When trying to load an applet built with a too recent version of GlobalPlatform, gp produces a less-than-stellar error message.

Information about your card

https://www.cardlogix.com/product/nxp-jcop3-j2h145-java-card-145k/

Expected behavior

Unsupported Framework

Full log

Using GPv1.7

PS C:\source\repos\IsoApplet> java -jar gp.jar -r "ACS APG8201-B2 0" --install .\IsoApplet.cap -v
GlobalPlatformPro v20.01.23-0-g5ad373b
Running on Windows 10 10.0 amd64, Java 11.0.8 by AdoptOpenJDK
Reader: ACS APG8201-B2 0
ATR: 3BDC18FF8191FE1FC38073C821136605036351000250
More information about your card:
    http://smartcard-atr.appspot.com/parse?ATR=3BDC18FF8191FE1FC38073C821136605036351000250

[DEBUG] GPSession - Auto-detected ISD: A000000151000000
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[INFO] GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
[DEBUG] GPSession - Host challenge: 3CA14CAD6E40FEA1
[DEBUG] GPSession - Card challenge: 0004C7693B4FBA61
[DEBUG] GPSession - Card reports SCP02 with key version 255 (0xFF)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[INFO] GPSession - Session keys: ENC=A9875ADFB0F8402FB6F7DBF7F75FFAFA MAC=C8F6243ECF0DF436AF901514F65C7EF9 RMAC=D4DE6363159EBD4F89F99EF9ED7D5EF6, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[DEBUG] GPSession - Verified card cryptogram: A705CAA7028F7416
[DEBUG] GPSession - Calculated host cryptogram: 047AFEB30986A3AE
CAP file (v2.1), contains: applets for JavaCard 3.0.4/GlobalPlatform unknown: 1.7
Package: net.pwendland.javacard.pki.isoapplet F276A288BCFBA69D34F310 v1.0
Applet:  net.pwendland.javacard.pki.isoapplet.IsoApplet F276A288BCFBA69D34F31001
Import:  A0000000620001                   v1.0 java.lang
Import:  A0000000620101                   v1.5 javacard.framework
Import:  A0000000620209                   v1.0 javacardx.apdu
Import:  A0000000620102                   v1.5 javacard.security
Import:  A0000000620201                   v1.5 javacardx.crypto
Import:  A00000015100                     v1.7 org.globalplatform
Generated by Oracle Corporation converter  [v3.0.5]
On Thu Aug 06 10:02:06 CEST 2020 with JDK 11.0.8 (AdoptOpenJDK)
Code size 19452 bytes (22171 with debug)
SHA-256 bb45e6eb25a69eb300af496421dac3ffdcba904d57c0eb0c384077f0ee8c6bc7
SHA-1   b240496a8f9746446f74cbe5f9872769e9105ffa
[DEBUG] GPRegistry - Registry already contains PKG: A0000001515350, 1
LOAD failed: 0x6438
PS C:\source\repos\IsoApplet>

Using GPv1.5 (aka 2.2.1)

PS C:\source\repos\IsoApplet> java -jar gp.jar -r "ACS APG8201-B2 0" --install .\IsoApplet.cap -v
GlobalPlatformPro v20.01.23-0-g5ad373b
Running on Windows 10 10.0 amd64, Java 11.0.8 by AdoptOpenJDK
Reader: ACS APG8201-B2 0
ATR: 3BDC18FF8191FE1FC38073C821136605036351000250
More information about your card:
    http://smartcard-atr.appspot.com/parse?ATR=3BDC18FF8191FE1FC38073C821136605036351000250

[DEBUG] GPSession - Auto-detected ISD: A000000151000000
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[INFO] GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
[DEBUG] GPSession - Host challenge: 44DEF1DA12141A2C
[DEBUG] GPSession - Card challenge: 0005CE8E67158589
[DEBUG] GPSession - Card reports SCP02 with key version 255 (0xFF)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[INFO] GPSession - Session keys: ENC=114E70DD9FDAB543CE3BFCFD4C8531B8 MAC=9BC7F172011D9C5D5758BBA497E7B9E6 RMAC=F71D1EDB05931C7C007AA23F7E44F4DE, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[DEBUG] GPSession - Verified card cryptogram: 923CAB8A25119DBE
[DEBUG] GPSession - Calculated host cryptogram: 9D2C297F1DF1C365
CAP file (v2.1), contains: applets for JavaCard 3.0.4/GlobalPlatform 2.2.1
Package: net.pwendland.javacard.pki.isoapplet F276A288BCFBA69D34F310 v1.0
Applet:  net.pwendland.javacard.pki.isoapplet.IsoApplet F276A288BCFBA69D34F31001
Import:  A0000000620001                   v1.0 java.lang
Import:  A0000000620101                   v1.5 javacard.framework
Import:  A0000000620209                   v1.0 javacardx.apdu
Import:  A0000000620102                   v1.5 javacard.security
Import:  A0000000620201                   v1.5 javacardx.crypto
Import:  A00000015100                     v1.5 org.globalplatform
Generated by Oracle Corporation converter  [v3.0.5]
On Thu Aug 06 10:47:59 CEST 2020 with JDK 11.0.8 (AdoptOpenJDK)
Code size 19452 bytes (22171 with debug)
SHA-256 4ca60f25b44e8d9583e2c1c83b66934088d9ebb55d5d2daebc8f626cf7f74d52
SHA-1   8482c2e8bfa1fb48d2af6cc7e7c9ac3d0b057ed1
[DEBUG] GPRegistry - Registry already contains PKG: A0000001515350, 1
CAP loaded
[DEBUG] GPRegistry - Registry already contains PKG: A0000001515350, 1
[DEBUG] GPRegistry - Registry already contains PKG: F276A288BCFBA69D34F310, 1
PS C:\source\repos\IsoApplet>

Additional context

Full APDU-dump available upon request :)

martinpaljak commented 4 years ago
  1. The only message here is the rightful "CAP file (v2.1), contains: applets for JavaCard 3.0.4/GlobalPlatform unknown: 1.7". Where do you get the export files of GlobalPlatform with such version?
  2. The error from the card (0x6438) is unknown to me. Yet the half-baked feature of card profiles could accommodate custom SW-message mappings, but those will by no means be "definitive", just might assist.

Please explain which error message you would like to get changed (and if possible, run sample logs on the "next" branch).

elipsion commented 4 years ago

Ah, look at that. It's only visible in the verbose output, and not indicative of whether the card will accept the software or not. I just downloaded the most recent version from their webpage, since I hadn't found your repository yet.

I wonder if the supported frameworks can be gleaned from the package list on the card:

PS C:\source\repos\IsoApplet> java -jar gp.jar -r "ACS APG8201-B2 0" -l -v
GlobalPlatformPro v20.01.23-0-g5ad373b
Running on Windows 10 10.0 amd64, Java 11.0.8 by AdoptOpenJDK
Reader: ACS APG8201-B2 0
ATR: 3BDC18FF8191FE1FC38073C821136605036351000250
More information about your card:
    http://smartcard-atr.appspot.com/parse?ATR=3BDC18FF8191FE1FC38073C821136605036351000250

[DEBUG] GPSession - Auto-detected ISD: A000000151000000
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[INFO] GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
[DEBUG] GPSession - Host challenge: E7950C0AC481846A
[DEBUG] GPSession - Card challenge: 0016817262FE5F90
[DEBUG] GPSession - Card reports SCP02 with key version 255 (0xFF)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[INFO] GPSession - Session keys: ENC=77A3C15AB440E2651B32577DB6C27505 MAC=303BB82519C6D717D86F391C506F852F RMAC=736B318928C93BEFAA58DCC4411D6142, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[DEBUG] GPSession - Verified card cryptogram: 63C239DCD28DCAE6
[DEBUG] GPSession - Calculated host cryptogram: 541D0829CF0EE947
[DEBUG] GPRegistry - Registry already contains PKG: A0000001515350, 1
ISD: A000000151000000 (SECURED)
     Parent:  A000000151000000
     From:    A0000000620001
     Privs:   SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration

PKG: A0000001515350 (LOADED) (|....QSP|)
     Applet:  A000000151535041 (|....QSPA|)

PS C:\source\repos\IsoApplet>

In this case the error (probably) was the card rejecting a too recent library, but I don't know how specific the error code is and therefore not sure about how specific the associated message should be (Unsupported platform version vs. Card no like package). But something about the software being actively rejected is probably a good start.

martinpaljak commented 4 years ago
elipsion commented 4 years ago

I don't have any strong feelings in the matter; and since the error is proprietary I can totally agree that it's outside of the scope for this project to have a pretty textual warning for it.

From a UI/UX perspective, the error message could be clearer that the error (in this case 0x6438) is something that was given to gp from the card/underlying driver stack, rather than something emitted from within gp itself.

martinpaljak commented 4 years ago

That sw-s come from the device should be prior knowledge of anyone working with gp. But working on the ux to make such messages clearer and better positioned would probably not hurt. Suggestions as CLI mockups would help!
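
A sketch of the kind of output discussed above, as an added example that is not part of the issue or of GlobalPlatformPro's code: it post-processes gp's verbose output so a failed command is attributed to the card and the "unknown" CAP import version, otherwise only visible with -v, is surfaced as a hint. The function name `explain`, the `KNOWN_SW` table and the message wording are assumptions; the log lines are copied from the two runs in this issue.

```python
import re

# Small illustrative table of ISO 7816-4 status words (assumption: this is
# not gp's own mapping, and it deliberately has no entry for 0x6438).
KNOWN_SW = {
    0x6982: "security status not satisfied",
    0x6985: "conditions of use not satisfied",
    0x6A80: "incorrect parameters in the data field",
    0x6A84: "not enough memory space",
    0x6A88: "referenced data not found",
}

# Relevant lines copied from the verbose logs in this issue.
LOG_V17 = """\
CAP file (v2.1), contains: applets for JavaCard 3.0.4/GlobalPlatform unknown: 1.7
Import:  A00000015100                     v1.7 org.globalplatform
LOAD failed: 0x6438
"""
LOG_V15 = """\
CAP file (v2.1), contains: applets for JavaCard 3.0.4/GlobalPlatform 2.2.1
Import:  A00000015100                     v1.5 org.globalplatform
CAP loaded
"""

FAIL_RE = re.compile(r"^(\w+) failed: 0x([0-9A-Fa-f]{4})$", re.M)
UNKNOWN_RE = re.compile(r"^CAP file .*?/(\w+) unknown: (\S+)$", re.M)


def explain(log):
    """Return user-facing lines for a failed command, or [] if nothing failed."""
    fail = FAIL_RE.search(log)
    if not fail:
        return []
    cmd, sw = fail.group(1), int(fail.group(2), 16)
    meaning = KNOWN_SW.get(sw, "no description in this table")
    # Say explicitly that the status word was returned by the card.
    out = [f"{cmd} rejected by card: SW=0x{sw:04X} ({meaning})"]
    # Surface the CAP-info line that flags an unrecognized API version.
    unknown = UNKNOWN_RE.search(log)
    if unknown:
        out.append(f"Hint: CAP imports {unknown.group(1)} API v{unknown.group(2)}, "
                   "which this tool does not recognize; the card may not provide it.")
    return out


if __name__ == "__main__":
    for line in explain(LOG_V17):
        print(line)
```

The hint is only a correlation between the two log lines; the thread does not establish what 0x6438 means on this card.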

martinpaljak commented 1 week ago

I consider this specific issue fixed by 338e53b9c1a87c655ec38d561aab7aa30a5e2992