search

martinpaljak / GlobalPlatformPro

🌐 πŸ” Manage applets and keys on JavaCard-s like a pro (via command line or from your Java project)
https://javacard.pro/globalplatform
GNU Lesser General Public License v3.0
679 stars 210 forks source link

Error: INSTALL [for load] failed in customized security domain #259

Open luckiday opened 3 years ago

luckiday commented 3 years ago

Describe the bug

I am trying to load and install the .cap applet following the command in https://github.com/martinpaljak/GlobalPlatformPro/blob/next/tests/sce70.sh after compiling the gp.jar. But it cannot load the applet to the security domain when running $GP -key default -load $CAP -to $DOM. I am not sure if it's an issue from the card's capability.

Information about your card

Expected behavior

I am trying to install the .cap to the customized SD. Tested with both my cap file and the example in https://github.com/martinpaljak/GlobalPlatformPro/tree/next/tests.

Full log

Re-run your command with -d -v -i switches and:

% gp -key default -load my.cap -to $DOM -d -v -i
# gp -key default -load my.cap -to 010101010101 -d -v -i
SCardConnect("Identiv SCR3500 A Contact Reader", T=*) -> T=1, 3BDB18FF8191FE1FC38031A073BE211367432007E3
# GlobalPlatformPro 19.05.16-124-g50bd9f9
# Running on Mac OS X 10.16 x86_64, Java 1.8.0_275 by Amazon.com Inc.
A>> T=1 (4+0000) 00A40400 00 
A<< (0018+2) (37ms) 6F108408A000000151000000A5049F6501FF 9000
[DEBUG] GPSession - Auto-detected ISD: A000000151000000
A>> T=1 (4+0000) 80CA9F7F 00 
A<< (0045+2) (14ms) 9F7F2A4790D32147000000000093265191959940790000000000000000161D8431393139350000000000000000 9000
[WARN] GPData - Invalid CPLC date: 8431
CPLC: ICFabricator=4790
      ICType=D321
      OperatingSystemID=4700
      OperatingSystemReleaseDate=0000 (2010-01-01)
      OperatingSystemReleaseLevel=0000
      ICFabricationDate=9326 (2019-11-22)
      ICSerialNumber=51919599
      ICBatchIdentifier=4079
      ICModuleFabricator=0000
      ICModulePackagingDate=0000 (2010-01-01)
      ICCManufacturer=0000
      ICEmbeddingDate=0000 (2010-01-01)
      ICPrePersonalizer=161D
      ICPrePersonalizationEquipmentDate=8431 (invalid date format)
      ICPrePersonalizationEquipmentID=39313935
      ICPersonalizer=0000
      ICPersonalizationDate=0000 (2010-01-01)
      ICPersonalizationEquipmentID=00000000

A>> T=1 (4+0000) 80CA0042 00 
A<< (0000+2) (11ms) 6A88
[DEBUG] GPData - GET DATA(IIN): N/A
A>> T=1 (4+0000) 80CA0045 00 
A<< (0000+2) (11ms) 6A88
[DEBUG] GPData - GET DATA(CIN): N/A
Card Data: 
A>> T=1 (4+0000) 80CA0066 00 
A<< (0079+2) (18ms) 664D734B06072A864886FC6B01600B06092A864886FC6B020203630906072A864886FC6B03640B06092A864886FC6B040255650D060B2A864886FC6B0507020000660C060A2B060104012A026E0103 9000
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.3
-> GP Version: 2.3
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.2.85
-> GP SCP02 i=55
Tag 65: 1.2.840.114283.5.7.2.0.0
Tag 66: 1.3.6.1.4.1.42.2.110.1.3
-> JavaCard v3
Card Capabilities: 
A>> T=1 (4+0000) 80CA0067 00 
A<< (0038+2) (13ms) 6724A0098001028104153555758103E5BEC082031E030083010284010285017B86010C87017B 9000
Supports SCP02 i=15 i=35 i=55 i=75
Supported DOM privileges: SecurityDomain, DAPVerification, DelegatedManagement, CardReset, MandatedDAPVerification, TrustedPath, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration, CipheredLoadFileDataBlock
Supported APP privileges: CardLock, CardTerminate, CardReset, CVMManagement, FinalApplication, GlobalService
Supported LFDB hash: SHA-256
Supported Token Verification ciphers: RSA1024_SHA1, RSAPSS_SHA256, CMAC_AES128, CMAC_AES192, CMAC_AES256, ECCP256_SHA256
Supported Receipt Generation ciphers: DES_MAC, CMAC_AES128
Supported DAP Verification ciphers: RSA1024_SHA1, RSAPSS_SHA256, CMAC_AES128, CMAC_AES192, CMAC_AES256, ECCP256_SHA256
A>> T=1 (4+0000) 80CA00E0 00 
A<< (0020+2) (15ms) E012C00401018010C00402018010C00403018010 9000
Version:   1 (0x01) ID:   1 (0x01) type: DES3         length:  16
Version:   1 (0x01) ID:   2 (0x02) type: DES3         length:  16
Version:   1 (0x01) ID:   3 (0x03) type: DES3         length:  16

[INFO] GPSession - Using card master keys with version 0 for setting up session [MAC] 
A>> T=1 (4+0008) 80500000 08 BA4940FC5EF5E307 00
A<< (0028+2) (45ms) 00009326519195994079010200B6B93D8B1089F125AD45AC06B213EB 9000
[DEBUG] GPSession - SSC: 00B6
[DEBUG] GPSession - Host challenge: BA4940FC5EF5E307
[DEBUG] GPSession - Card challenge: 00B6B93D8B1089F1
[DEBUG] GPSession - Card reports SCP02 with key version 1 (0x01)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[INFO] GPSession - Session keys: ENC=E780F67ADF19C07F22446B6B3BF143E0 MAC=D5A8521B533FB79829B7A3FB22629FCF RMAC=1311B6BC4DEE117ECB4F7A50C0DC538B
[DEBUG] GPSession - Verified card cryptogram: 25AD45AC06B213EB
[DEBUG] GPSession - Calculated host cryptogram: 967076008B2590CB
A>> T=1 (4+0016) 84820100 10 967076008B2590CBB05AB2DE9DEF53AA
A<< (0000+2) (25ms) 9000
CAP file (v2.1), contains: applets for JavaCard 2.2.2/GlobalPlatform 2.2.1
Package: applet 010203040506070809 v0.1
Applet:  0102030405060708090102
Import:  A0000000620101                   v1.3 javacard.framework
Import:  A0000000620001                   v1.0 java.lang
Import:  A0000000620102                   v1.3 javacard.security
Import:  A00000015100                     v1.6 org.globalplatform
Import:  A0000000620201                   v1.3 javacardx.crypto
Generated by Sun Microsystems Inc. converter 1.3
On Sat Mar 06 15:08:56 EST 2021 with JDK 1.8.0_275 (Amazon.com Inc.)
Code size 13840 bytes (16574 with debug)
SHA-256 c1d8c9ec40e96bdd2f07961d56580fa032cd2d2c302f5586bb80ab7d72803306
SHA-1   57c10591bbdccb81e689767ed6d970ab1780cab5
A>> T=1 (4+0010) 84F28002 0A 4F00D2D39025016D02AD 00
A<< (0040+2) (24ms) E3264F08A0000001510000009F700101C5039EFE80C407A0000001515350CC08A000000151000000 9000
A>> T=1 (4+0010) 84F24002 0A 4F006A741114D52FFE92 00
A<< (0116+2) (42ms) E3264F08A0000001515350419F70010FC503E08000C407A0000001515350CC08A000000151000000E3244F060101010101019F70010FC503808000C407A0000001515350CC08A000000151000000E3244F060202020202029F700107C503A08000C407A0000001515350CC08A000000151000000 9000
A>> T=1 (4+0010) 84F21002 0A 4F002BDB9A4715EF33D1 00
A<< (0097+2) (38ms) E3254F07A00000015153509F700101CE02FFFF8408A000000151535041CC08A000000151000000E31B4F07A00000006202049F700101CE020100CC08A000000151000000E31B4F07A00000006202029F700101CE020103CC08A000000151000000 9000
A>> T=1 (4+0010) 84F22002 0A 4F00DC2A6EBDAEE893C5 00
A<< (0087+2) (35ms) E31B4F07A00000015153509F700101CE02FFFFCC08A000000151000000E31B4F07A00000006202049F700101CE020100CC08A000000151000000E31B4F07A00000006202029F700101CE020103CC08A000000151000000 9000
A>> T=1 (4+0028) 84E60200 1C 0901020304050607080906010101010101000000FBE7876332B5ADDB
A<< (0000+2) (142ms) 6985
Applet loading not allowed. Are you sure the domain can accept it?
Error: INSTALL [for load] failed: 0x6985 (Conditions of use not satisfied)
SCardDisconnect("Identiv SCR3500 A Contact Reader", true) tx:167/rx:596

Additional context

I am trying to build an applet that has the capability to load and install the other applets using an SCP02 card(like the RAM functions). What are the privileges that I should give my applet?

martinpaljak commented 3 years ago

Please also add gp -ldv output and how the domain was created

luckiday commented 3 years ago

One of my issues is that the create simple domain command from the branch next does not work with my card. 

# gp -dv -key default -domain 010101010101 --allow-to --allow-from
SCardConnect("Identiv SCR3500 A Contact Reader", T=*) -> T=1, 3BDB18FF8191FE1FC38031A073BE211367432007E3
# GlobalPlatformPro 19.05.16-129-gdfb2cfb
# Running on Mac OS X 10.16 x86_64, Java 11.0.10 by AdoptOpenJDK
A>> T=1 (4+0000) 00A40400 00 
A<< (0018+2) (19ms) 6F108408A000000151000000A5049F6501FF 9000
[DEBUG] GPSession - Auto-detected ISD: A000000151000000
[INFO] GPSession - Using card master keys with version 0 for setting up session with MAC 
A>> T=1 (4+0008) 80500000 08 7FAACBDF4D12D8E9 00
A<< (0028+2) (45ms) 00009326519195994079010200C7FAE7E08D6D38786E1737C311218E 9000
[DEBUG] GPSession - KDD: 00009326519195994079
[DEBUG] GPSession - SSC: 00C7
[DEBUG] GPSession - Host challenge: 7FAACBDF4D12D8E9
[DEBUG] GPSession - Card challenge: 00C7FAE7E08D6D38
[DEBUG] GPSession - Card reports SCP02 with key version 1 (0x01)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[INFO] GPSession - Session keys: ENC=CA0A9629B52B3ADA8D17DAD8E131D611 MAC=929BF363BD6A81DF1406ABE10AF06F1F RMAC=ED7ED6DFBA8A821135B00431907B99EC
[DEBUG] GPSession - Verified card cryptogram: 786E1737C311218E
[DEBUG] GPSession - Calculated host cryptogram: 250DDE60557E503E
A>> T=1 (4+0016) 84820100 10 250DDE60557E503EF57B561F6C200C62
A<< (0000+2) (25ms) 9000
A>> T=1 (4+0010) 84F28002 0A 4F0087BEEE4891698F12 00
A<< (0040+2) (24ms) E3264F08A0000001510000009F700101C5039EFE80C407A0000001515350CC08A000000151000000 9000
A>> T=1 (4+0010) 84F24002 0A 4F0005CD697DB4CD983A 00
A<< (0040+2) (24ms) E3264F08A0000001515350419F70010FC503E08000C407A0000001515350CC08A000000151000000 9000
A>> T=1 (4+0010) 84F21002 0A 4F0028531F045BADC6EF 00
A<< (0097+2) (38ms) E3254F07A00000015153509F700101CE02FFFF8408A000000151535041CC08A000000151000000E31B4F07A00000006202049F700101CE020100CC08A000000151000000E31B4F07A00000006202029F700101CE020103CC08A000000151000000 9000
A>> T=1 (4+0010) 84F22002 0A 4F00C9884007F38D86DE 00
A<< (0087+2) (36ms) E31B4F07A00000015153509F700101CE02FFFFCC08A000000151000000E31B4F07A00000006202049F700101CE020100CC08A000000151000000E31B4F07A00000006202029F700101CE020103CC08A000000151000000 9000
# Note: using detected default AID-s for SSD instantiation: A000000151535041 from A0000001515350
# Final parameters: 810202008202202087022020
A>> T=1 (4+0050) 84E60C00 32 07A000000151535008A0000001515350410601010101010101800EC90C81020200820220208702202000A0979B2B6C040838
A<< (0000+2) (237ms) 6A80
Error: INSTALL [for install and make selectable] failed: 0x6A80 (Wrong data/incorrect values in data)
SCardDisconnect("Identiv SCR3500 A Contact Reader", true) tx:159/rx:326

So I switch back to the master branch and recompiled gp. Then the domain is created. Here is the log.

%gp -dv -key default -domain $DOM --allow-to --allow-from
# gp -dv -key default -domain 010101010101 --allow-to --allow-from
SCardConnect("Identiv SCR3500 A Contact Reader", T=*) -> T=1, 3BDB18FF8191FE1FC38031A073BE211367432007E3
# GlobalPlatformPro 19.05.16-124-g50bd9f9
# Running on Mac OS X 10.16 x86_64, Java 11.0.10 by AdoptOpenJDK
A>> T=1 (4+0000) 00A40400 00 
A<< (0018+2) (19ms) 6F108408A000000151000000A5049F6501FF 9000
[DEBUG] GPSession - Auto-detected ISD: A000000151000000
[INFO] GPSession - Using card master keys with version 0 for setting up session [MAC] 
A>> T=1 (4+0008) 80500000 08 EBB5B44D35997157 00
A<< (0028+2) (45ms) 00009326519195994079010200BEAFB62D5028FAFBDBDDA508739DC5 9000
[DEBUG] GPSession - SSC: 00BE
[DEBUG] GPSession - Host challenge: EBB5B44D35997157
[DEBUG] GPSession - Card challenge: 00BEAFB62D5028FA
[DEBUG] GPSession - Card reports SCP02 with key version 1 (0x01)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[INFO] GPSession - Session keys: ENC=61312BB4F30C1A9576C122005DA3527E MAC=BDD3B922E3DAAB7C361DFDAA9EE8C019 RMAC=59AB83296D36C48A474DE91497936E1B
[DEBUG] GPSession - Verified card cryptogram: FBDBDDA508739DC5
[DEBUG] GPSession - Calculated host cryptogram: CAC6F1B23C6848F8
A>> T=1 (4+0016) 84820100 10 CAC6F1B23C6848F8685AA2048B5B462E
A<< (0000+2) (26ms) 9000
A>> T=1 (4+0010) 84F28002 0A 4F0025ECF2BD8679C5FB 00
A<< (0040+2) (23ms) E3264F08A0000001510000009F700101C5039EFE80C407A0000001515350CC08A000000151000000 9000
A>> T=1 (4+0010) 84F24002 0A 4F00A8FB58D9932432C1 00
A<< (0040+2) (24ms) E3264F08A0000001515350419F70010FC503E08000C407A0000001515350CC08A000000151000000 9000
A>> T=1 (4+0010) 84F21002 0A 4F006C644970424FEBA4 00
A<< (0097+2) (37ms) E3254F07A00000015153509F700101CE02FFFF8408A000000151535041CC08A000000151000000E31B4F07A00000006202049F700101CE020100CC08A000000151000000E31B4F07A00000006202029F700101CE020103CC08A000000151000000 9000
A>> T=1 (4+0010) 84F22002 0A 4F00557FCF50A691D4B4 00
A<< (0087+2) (36ms) E31B4F07A00000015153509F700101CE02FFFFCC08A000000151000000E31B4F07A00000006202049F700101CE020100CC08A000000151000000E31B4F07A00000006202029F700101CE020103CC08A000000151000000 9000
# Note: using detected default AID-s for SSD instantiation: A000000151535041 from A0000001515350
Notice: 0x81 already in parameters or no parameters
# Final parameters: 
A>> T=1 (4+0038) 84E60C00 26 07A000000151535008A00000015153504106010101010101018002C90000834B0BC7DBF0C264
A<< (0001+2) (257ms) 00 9000
SCardDisconnect("Identiv SCR3500 A Contact Reader", true) tx:147/rx:327

%gp -connect $DOM -key default -lock emv:default
Looking at key version
010101010101 locked with: 404142434445464748494A4B4C4D4E4F
Keys were diversified with EMV and 00009326519195994079
Write this down, DO NOT FORGET/LOSE IT!

%gp -l
# Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
ISD: A000000151000000 (OP_READY)
     Parent:   A000000151000000
     From:     A0000001515350
     Privs:    SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration

DOM: A000000151535041 (PERSONALIZED)
     Parent:   A000000151000000
     From:     A0000001515350
     Privs:    SecurityDomain, DAPVerification, DelegatedManagement, TrustedPath

DOM: 010101010101 (PERSONALIZED)
     Parent:   A000000151000000
     From:     A0000001515350
     Privs:    SecurityDomain, TrustedPath

PKG: A0000001515350 (LOADED)
     Parent:   A000000151000000
     Version:  255.255
     Applet:   A000000151535041

PKG: A0000000620204 (LOADED)
     Parent:   A000000151000000
     Version:  1.0

PKG: A0000000620202 (LOADED)
     Parent:   A000000151000000
     Version:  1.3

Install the example cap:

% CAP=tests/Empty_0102030405_8d5ac9e2_2.2.1.cap
% gp -key default -load $CAP -to $DOM -dvl
# gp -key default -load tests/Empty_0102030405_8d5ac9e2_2.2.1.cap -to 010101010101 -dvl
SCardConnect("Identiv SCR3500 A Contact Reader", T=*) -> T=1, 3BDB18FF8191FE1FC38031A073BE211367432007E3
# GlobalPlatformPro 19.05.16-124-g50bd9f9
# Running on Mac OS X 10.16 x86_64, Java 11.0.10 by AdoptOpenJDK
A>> T=1 (4+0000) 00A40400 00 
A<< (0018+2) (36ms) 6F108408A000000151000000A5049F6501FF 9000
[DEBUG] GPSession - Auto-detected ISD: A000000151000000
[INFO] GPSession - Using card master keys with version 0 for setting up session [MAC] 
A>> T=1 (4+0008) 80500000 08 A012E7D45549D80A 00
A<< (0028+2) (45ms) 00009326519195994079010200C218C143D7040C164CDB4CB916754D 9000
[DEBUG] GPSession - SSC: 00C2
[DEBUG] GPSession - Host challenge: A012E7D45549D80A
[DEBUG] GPSession - Card challenge: 00C218C143D7040C
[DEBUG] GPSession - Card reports SCP02 with key version 1 (0x01)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[INFO] GPSession - Session keys: ENC=125C2A9822D7E11FACB8B2619A4BCE61 MAC=00BD061DFE11161FEACE88CE53081E06 RMAC=66E5D1AED9B8333962786227FB336224
[DEBUG] GPSession - Verified card cryptogram: 164CDB4CB916754D
[DEBUG] GPSession - Calculated host cryptogram: 582AC29FF0AA2F8F
A>> T=1 (4+0016) 84820100 10 582AC29FF0AA2F8FC736858DF62DE930
A<< (0000+2) (25ms) 9000
CAP file (v2.1), contains: applets for JavaCard 2.2.1
Package: testapplets.empty 0102030405 v0.0
Applet:  testapplets.empty.Empty 0102030405060708
Import:  A0000000620101                   v1.2 javacard.framework
Import:  A0000000620102                   v1.2 javacard.security
Import:  A0000000620001                   v1.0 java.lang
Generated by Oracle Corporation converter  [v3.0.5]
On Mon Mar 08 06:55:27 EET 2021 with JDK 11.0.11-ea (Debian)
Code size 211 bytes (283 with debug)
SHA-256 8d5ac9e226e3f0a89457fb078470a9378daed8b96ba6cbe839513cdf08d27a38
SHA-1   bd74ff188cff4d78d95a6ac1952166338c49f485
A>> T=1 (4+0010) 84F28002 0A 4F007CA0E829B0C9E2B2 00
A<< (0040+2) (24ms) E3264F08A0000001510000009F700101C5039EFE80C407A0000001515350CC08A000000151000000 9000
A>> T=1 (4+0010) 84F24002 0A 4F00FB47902BC215B590 00
A<< (0078+2) (33ms) E3264F08A0000001515350419F70010FC503E08000C407A0000001515350CC08A000000151000000E3244F060101010101019F70010FC503808000C407A0000001515350CC08A000000151000000 9000
A>> T=1 (4+0010) 84F21002 0A 4F009090E39249BC17BC 00
A<< (0097+2) (37ms) E3254F07A00000015153509F700101CE02FFFF8408A000000151535041CC08A000000151000000E31B4F07A00000006202049F700101CE020100CC08A000000151000000E31B4F07A00000006202029F700101CE020103CC08A000000151000000 9000
A>> T=1 (4+0010) 84F22002 0A 4F00135243EC2FA1C474 00
A<< (0087+2) (35ms) E31B4F07A00000015153509F700101CE02FFFFCC08A000000151000000E31B4F07A00000006202049F700101CE020100CC08A000000151000000E31B4F07A00000006202029F700101CE020103CC08A000000151000000 9000
A>> T=1 (4+0024) 84E60200 18 05010203040506010101010101000000D597263D7A61BC5E
A<< (0000+2) (153ms) 6985
Applet loading not allowed. Are you sure the domain can accept it?
Error: INSTALL [for load] failed: 0x6985 (Conditions of use not satisfied)
SCardDisconnect("Identiv SCR3500 A Contact Reader", true) tx:133/rx:364
luckiday commented 3 years ago

For the issue of creating the domain in the next branch, it seems that the application specific parameters are not supported in my card

A>> T=1 (4+0050) 84E60C00 32 07A000000151535008A0000001515350410601010101010101800E *C90C810202008202202087022020* 00A0979B2B6C040838