Closed BorjanEch0 closed 3 years ago
martinpaljak
commented
3 years ago What is the exact command line? Which key version should the key you have represent? I suspect you would not want to use key 0x70 (which could be token verification key) but one of those 0x01..0x03 keys. Do use -key-ver 0x01 for example.
BorjanEch0
commented
3 years ago The exact command line is gp --key-enc DFF145A895A08A9836FCBAEBB2BEF4F0 --key-mac 5C60A8BF7FEBEDCA2754526B87760A54 --key-dek 2A69D3EE732E6D252359D43F066B66B3 -lvi --debug
the sim is sysmoISIM-SJA2 and the reader is a small gemalto usb shell token. i try with an omnikey smartcard reader but also it fails wit:
[INFO] GPSession - Using card master keys with version 112 for setting up session [MAC] A>> T=0 (4+0008) 80507000 08 909C5CB451159FA6 00 << (1s407ms) SCARD_E_NOT_TRANSACTED Error: SCARD_E_NOT_TRANSACTED apdu4j.TagRemovedException: SCARD_E_NOT_TRANSACTED at apdu4j.CardBIBO.transceive(CardBIBO.java:118) at apdu4j.APDUBIBO.transmit(APDUBIBO.java:34) at pro.javacard.gp.GPSession.openSecureChannel(GPSession.java:367) at pro.javacard.gp.GPTool.run(GPTool.java:293) at pro.javacard.gp.GPTool.main(GPTool.java:107) Caused by: jnasmartcardio.Smartcardio$JnaPCSCException: SCardTransmit got response 0x80100016 (SCARD_E_NOT_TRANSACTED: An attempt was made to end a non-existent transaction.) at jnasmartcardio.Smartcardio.check(Smartcardio.java:961) at jnasmartcardio.Smartcardio.check(Smartcardio.java:952) at jnasmartcardio.Smartcardio.access$000(Smartcardio.java:34) at jnasmartcardio.Smartcardio$JnaCardChannel.transmitRaw(Smartcardio.java:877) at jnasmartcardio.Smartcardio$JnaCardChannel.transmitImpl(Smartcardio.java:804) at jnasmartcardio.Smartcardio$JnaCardChannel.transmit(Smartcardio.java:688) at apdu4j.terminals.LoggingCardTerminal$LoggingCard$LoggingCardChannel.transmit(LoggingCardTerminal.java:256) at apdu4j.CardBIBO.transceive(CardBIBO.java:114) ... 4 more SCardDisconnect("OMNIKEY CardMan 1021 00 00", true) tx:40/rx:168
martinpaljak
commented
3 years ago add --key-ver and try number 1..3 (as you have these key identifiers present on the card, try gp -iv for the list). I have no idea about the chip you are talking, if possible, please send me a sample.
BorjanEch0
commented
3 years ago --key-ver and anything else but 0x70 gives me an error like this:
[INFO] GPSession - Using card master keys with version 3 for setting up session [MAC] A>> T=0 (4+0008) 80500300 08 0F27EB107CE576A1 00 A<< (0000+2) (4ms) 6A88 Failed to open secure channel: INITIALIZE UPDATE failed: 0x6A88 (Referenced data not found) Read more from https://github.com/martinpaljak/GlobalPlatformPro/wiki/Keys SCardDisconnect("Gemalto USB Shell Token V2 00 00", true) tx:54/rx:170
http://shop.sysmocom.de/products/sysmoISIM-SJA2
here is the card, if i cant get it to work i will ship a sample for you.
martinpaljak
commented
3 years ago Section 9.4 of the manual tells which keys to use how. And apparently the key version is right. I suspect the keys might not be correct in this case.
BorjanEch0
commented
3 years ago Yes i have checked the manual and am adhering to the keying rules, if i add an extra letter to the key or remove one or change their places i get this:
Version: 112 (0x70) ID: 1 (0x01) type: DES3 length: 16 Version: 112 (0x70) ID: 2 (0x02) type: DES3 length: 16 Version: 112 (0x70) ID: 3 (0x03) type: DES3 length: 16 Version: 1 (0x01) ID: 1 (0x01) type: DES3 length: 16 Version: 1 (0x01) ID: 2 (0x02) type: DES3 length: 16 Version: 1 (0x01) ID: 3 (0x03) type: DES3 length: 16 Version: 2 (0x02) ID: 1 (0x01) type: DES3 length: 16 Version: 2 (0x02) ID: 2 (0x02) type: DES3 length: 16 Version: 2 (0x02) ID: 3 (0x03) type: DES3 length: 16 Version: 3 (0x03) ID: 1 (0x01) type: DES3 length: 16 Version: 3 (0x03) ID: 2 (0x02) type: DES3 length: 16 Version: 3 (0x03) ID: 3 (0x03) type: DES3 length: 16 [main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02 [main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02 [main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02 [main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=8B51206FD44FFA22F78D5667EACA8FD2 (KCV: 1695CD) MAC=F5773D2E3D95E2EA17066B2CAEA23BAB (KCV: 7700E6) DEK=151172F572C28CE1E9786E017CDDEDEA (KCV: 0E4F82) for null A>> T=0 (4+0008) 80507000 08 C2E6FC576902BB6B 00 A<< (0028+2) (41ms) 0000000000000000000070020000F033BA254DA6BA3657B075AD7AAF 9000 [main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=8B51206FD44FFA22F78D5667EACA8FD2 (KCV: 1695CD) MAC=F5773D2E3D95E2EA17066B2CAEA23BAB (KCV: 7700E6) DEK=151172F572C28CE1E9786E017CDDEDEA (KCV: 0E4F82) for SCP02 [main] INFO pro.javacard.gp.GPSession - Session keys: ENC=01EDEF8D4DB22A99AE18A347065FEEBA MAC=E78A3D3927210175DEA9B2D857AD5513 RMAC=CC714D744EABC33C5092B891B1009158, card keys=ENC=8B51206FD44FFA22F78D5667EACA8FD2 (KCV: 1695CD) MAC=F5773D2E3D95E2EA17066B2CAEA23BAB (KCV: 7700E6) DEK=151172F572C28CE1E9786E017CDDEDEA (KCV: 0E4F82) for SCP02 Read more from https://github.com/martinpaljak/GlobalPlatformPro/wiki/Keys Error: STRICT WARNING: Card cryptogram invalid! Card: BA3657B075AD7AAF Host: E48C507D2284FA48 !!! DO NOT RE-TRY THE SAME COMMAND/KEYS OR YOU MAY BRICK YOUR CARD !!!
martinpaljak
commented
3 years ago OK. so the key is right, but auth not allowed. Try "--mode enc" to use no just mac but encrypted session.
BorjanEch0
commented
3 years ago i have already tried --mode <String: mac/enc/renc/rmac/clr> and all failed... im getting a new reader now
martinpaljak
commented
3 years ago I doubt it is a reader issue. But can't really help you much without having a closer look at the specific chip (and I don't have one)
BorjanEch0
commented
3 years ago we will see, i can either ship you a sample, or give you remote access to my machine so you can test the chip remotely.
martinpaljak
commented
3 years ago Please e-mail me.
BorjanEch0
commented
3 years ago i have sent you an email.
BorjanEch0
commented
3 years ago I have managed to use a 3rd party tool to push an aram-apdu directly to the sim's built in ARA-M applet and install the certificate that way. GP still does not work tho. If the cost shipping cost is bearable i will still send a sample.
laf0rge
commented
3 years ago Hi, I'm the co-founder and managing director of @sysmocom.
If anyone working on FOSS software related to our smart cards is in need of free samples, I'm very happy to mail samples, Please contact support@sysmocom.de and mention the FOSS project you work on and your shipping address. Thanks!
Regarding the specific issue described here on installing applets via global platform: I do recall that I defnitely was able to install at lesat one applet this way on the sysmoISIM-SJA2 "golden master" before goign to mass production. However, given that this is a very niche market product, adn the number of users doing Java applet related wokr is even smaller, we're not able to allocate a lot of resources to related testing, sorry :(
laf0rge
commented
3 years ago One minor additional comment: The 0x70 are definitely mandatory as keyset version number, that part definitely is correct.
martinpaljak
commented
3 years ago Hi @laf0rge !
We should have each others emails, will ping you with mailing address
laf0rge
commented
3 years ago Heh, the solution is actually relatively simple: On the SJA2 The SCP02 keys are different from the OTA keys (unlike on the SJS1 where they are the same keys just used in two places). The mapping on the SJA2 is different than expected. So if you use the following weird mapping, it should work:
@BorjanEch0 it would be great if you could confirm that.
We will update the user manual accordingly.
BorjanEch0
commented
3 years ago Dear Laf0rge,
Thank you very much for the time and effort given, it is much appreciated,
However i did not get the 2 and 3 sets of any key, i have only kic kik kid 1 pin 1 adm 1 etc..
How do i get ahold of them?
Thank you.
laf0rge
commented
3 years ago However i did not get the 2 and 3 sets of any key, i have only kic kik kid 1 pin 1 adm 1 etc..
I will investigate.
How do i get ahold of them?
Please contact sysmocom support at the e-mail address stated above.
Hi, i am getting the following errors while trying to program a sysmoISIM-SJA2 card,, the keys are correct.
GlobalPlatformPro v20.01.23-0-g5ad373b Running on Windows 10 10.0 amd64, Java 1.8.0_265 by AdoptOpenJDK
Detected readers from JNA2PCSC
[] Gemplus USB SmartCard Reader 0 SCardConnect("Gemplus USB SmartCard Reader 0", T=) -> T=0, 3B9F96801F878031E073FE211B674A4C753034054BA9 SCardBeginTransaction("Gemplus USB SmartCard Reader 0") Reader: Gemplus USB SmartCard Reader 0 ATR: 3B9F96801F878031E073FE211B674A4C753034054BA9 More information about your card: http://smartcard-atr.appspot.com/parse?ATR=3B9F96801F878031E073FE211B674A4C753034054BA9
A>> T=0 (4+0000) 00A40400 00 A<< (0018+2) (16ms) 6F108408A000000003000000A5049F6501FF 9000 [TRACE] GPSession - [6F] [TRACE] GPSession - [84] A000000003000000 [TRACE] GPSession - [A5] [TRACE] GPSession - [9F65] FF [DEBUG] GPSession - Auto-detected ISD: A000000003000000 [TRACE] GPData - GET DATA(CPLC) A>> T=0 (4+0000) 80CA9F7F 00 A<< (0000+2) (3ms) 6A88 A>> T=0 (4+0000) 00CA9F7F 00 A<< (0000+2) (4ms) 6E00 [WARN] GPData - GET DATA(CPLC) not supported [TRACE] GPData - GET DATA(IIN) A>> T=0 (4+0000) 80CA0042 00 A<< (0005+2) (7ms) 4203000000 9000 IIN: 4203000000 [TRACE] GPData - GET DATA(CIN) A>> T=0 (4+0000) 80CA0045 00 A<< (0004+2) (7ms) 45020000 9000 CIN: 45020000 Card Data: [TRACE] GPData - GET DATA(Card Data) A>> T=0 (4+0000) 80CA0066 00 A<< (0051+2) (11ms) 6631732F06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040215 9000 [TRACE] GPData - [66] [TRACE] GPData - [73] [TRACE] GPData - [06] 2A864886FC6B01 [TRACE] GPData - [60] [TRACE] GPData - [06] 2A864886FC6B02020101 [TRACE] GPData - [63] [TRACE] GPData - [06] 2A864886FC6B03 [TRACE] GPData - [64] [TRACE] GPData - [06] 2A864886FC6B040215 Tag 6: 1.2.840.114283.1 -> Global Platform card Tag 60: 1.2.840.114283.2.2.1.1 -> GP Version: 2.1.1 Tag 63: 1.2.840.114283.3 Tag 64: 1.2.840.114283.4.2.21 -> GP SCP02 i=15 Card Capabilities: [TRACE] GPData - GET DATA(Card Capabilities) A>> T=0 (4+0000) 80CA0067 00 A<< (0000+2) (3ms) 6A88 [DEBUG] GPData - GET DATA(Card Capabilities): N/A [TRACE] GPData - GET DATA(Key Info Template) A>> T=0 (4+0000) 80CA00E0 00 A<< (0074+2) (13ms) E048C00401708010C00402708010C00403708010C00401018010C00402018010C00403018010C00401028010C00402028010C00403028010C00401038010C00402038010C00403038010 9000 [TRACE] GPKeyInfo - [E0] [TRACE] GPKeyInfo - [C0] 01708010 [TRACE] GPKeyInfo - [C0] 02708010 [TRACE] GPKeyInfo - [C0] 03708010 [TRACE] GPKeyInfo - [C0] 01018010 [TRACE] GPKeyInfo - [C0] 02018010 [TRACE] GPKeyInfo - [C0] 03018010 [TRACE] GPKeyInfo - [C0] 01028010 [TRACE] GPKeyInfo - [C0] 02028010 [TRACE] GPKeyInfo - [C0] 03028010 [TRACE] GPKeyInfo - [C0] 01038010 [TRACE] GPKeyInfo - [C0] 02038010 [TRACE] GPKeyInfo - [C0] 03038010 Version: 112 (0x70) ID: 1 (0x01) type: DES3 length: 16 Version: 112 (0x70) ID: 2 (0x02) type: DES3 length: 16 Version: 112 (0x70) ID: 3 (0x03) type: DES3 length: 16 Version: 1 (0x01) ID: 1 (0x01) type: DES3 length: 16 Version: 1 (0x01) ID: 2 (0x02) type: DES3 length: 16 Version: 1 (0x01) ID: 3 (0x03) type: DES3 length: 16 Version: 2 (0x02) ID: 1 (0x01) type: DES3 length: 16 Version: 2 (0x02) ID: 2 (0x02) type: DES3 length: 16 Version: 2 (0x02) ID: 3 (0x03) type: DES3 length: 16 Version: 3 (0x03) ID: 1 (0x01) type: DES3 length: 16 Version: 3 (0x03) ID: 2 (0x02) type: DES3 length: 16 Version: 3 (0x03) ID: 3 (0x03) type: DES3 length: 16 [WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02 [WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02 [WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02 [INFO] GPSession - Using card master keys: ENC=8B51206FD44FFA22F78D5667EACA8F82 (KCV: 3ED224) MAC=F5773D2E3D95E2EA17066B2CAEA23BAB (KCV: 7700E6) DEK=151172F572C28CE1E9786E017CDDEDEA (KCV: 0E4F82) for null [TRACE] GPSession - Generated host challenge: DED2CBB9C3C56B3C A>> T=0 (4+0008) 80500000 08 DED2CBB9C3C56B3C 00 A<< (0028+2) (45ms) 0000000000000000000070020000A8997B05365335826B44CB9AC949 9000 [DEBUG] GPSession - Host challenge: DED2CBB9C3C56B3C [DEBUG] GPSession - Card challenge: 0000A8997B053653 [DEBUG] GPSession - Card reports SCP02 with key version 112 (0x70) [INFO] GPSession - Diversified card keys: ENC=8B51206FD44FFA22F78D5667EACA8F82 (KCV: 3ED224) MAC=F5773D2E3D95E2EA17066B2CAEA23BAB (KCV: 7700E6) DEK=151172F572C28CE1E9786E017CDDEDEA (KCV: 0E4F82) for SCP02 [INFO] GPSession - Session keys: ENC=16E408F9553C47761542E952DD97B394 MAC=E78A3D3927210175DEA9B2D857AD5513 RMAC=CC714D744EABC33C5092B891B1009158, card keys=ENC=8B51206FD44FFA22F78D5667EACA8F82 (KCV: 3ED224) MAC=F5773D2E3D95E2EA17066B2CAEA23BAB (KCV: 7700E6) DEK=151172F572C28CE1E9786E017CDDEDEA (KCV: 0E4F82) for SCP02 [DEBUG] GPSession - Verified card cryptogram: 35826B44CB9AC949 [DEBUG] GPSession - Calculated host cryptogram: F9648541EF098BA7 [TRACE] SCP02Wrapper - MAC input: 8482010010F9648541EF098BA7 A>> T=0 (4+0016) 84820100 10 F9648541EF098BA79B446AD3799B5E0A A<< (0000+2) (17ms) 6982 External authenticate failed: 0x6982 (Security status not satisfied)