Open jlanza opened 2 years ago
I don't see a difference in the diversified key between the next branch and the mentioned version.
I can confirm that "visa2" is broken in GlobalPlatformPro version 325fe84.
Can you give a working version number?
I spent some time investigating, to provide you with a detailed answer. I set up a card with a visa2 key and tried many of the latest release versions.
GPpro200123 : 🆗 ✅
GPpro200414 : 🆗 ✅
GPpro200704 : 🐛 ❌
GPpro200812 : 🐛 ❌
From the logs, it seems the keys are not diversified; the keys used are the master ones. It is as if it skips the diversification step.
Card is set up: KeyVersion=01 MasterKey=303132333435363738393A3B3C3D3E3F with "visa2" derivation.
Logs:
$ gp200123-STABLE.exe -l -visa2 -key 303132333435363738393A3B3C3D3E3F -v -d
GlobalPlatformPro v20.01.23-0-g5ad373b
Running on Windows 10 10.0 amd64, Java 1.8.0_241 by Oracle Corporation
# Detected readers from JNA2PCSC
[*] Identiv uTrust 3700 F CL Reader 0
SCardConnect("Identiv uTrust 3700 F CL Reader 0", T=*) -> T=1, XXXX
SCardBeginTransaction("Identiv uTrust 3700 F CL Reader 0")
Reader: Identiv uTrust 3700 F CL Reader 0
ATR: XXXX
A>> T=1 (4+0000) 00A40400 00
A<< (0018+2) (17ms) 6F108408A000000151000000A5049F6501FF 9000
[TRACE] GPSession - [6F]
[TRACE] GPSession - [84] A000000151000000
[TRACE] GPSession - [A5]
[TRACE] GPSession - [9F65] FF
[DEBUG] GPSession - Auto-detected ISD: A000000151000000
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[INFO] GPSession - Using card master keys: ENC=303132333435363738393A3B3C3D3E3F (KCV: B73D56) MAC=303132333435363738393A3B3C3D3E3F (KCV: B73D56) DEK=303132333435363738393A3B3C3D3E3F (KCV: B73D56) for null
[TRACE] GPSession - Generated host challenge: 9D2060FE9DCB0706
A>> T=1 (4+0008) 80500000 08 9D2060FE9DCB0706 00
A<< (0028+2) (46ms) 00009326522854994079010200033CAD56063D650FBA6A3115F73A07 9000
[DEBUG] GPSession - Host challenge: 9D2060FE9DCB0706
[DEBUG] GPSession - Card challenge: 00033CAD56063D65
[DEBUG] GPSession - Card reports SCP02 with key version 1 (0x01)
[INFO] GPSession - Diversified card keys: ENC=FE59CD146F317CE3B554F57D07C90EA7 (KCV: 4F46A6) MAC=7DB0530B9CFC73499FFAF2507CC9D1F0 (KCV: 525472) DEK=EFB56F5E08C0298A7F81515C58AABCF1 (KCV: 1726DA) for SCP02
[INFO] GPSession - Session keys: ENC=7A93C31F071E7081C17A5368948CA8F5 MAC=3C45CBFFA4A2A102A7F2DB7AFEA8F427 RMAC=2FACE6F407D2070BC97C9D1D849002F1, card keys=ENC=FE59CD146F317CE3B554F57D07C90EA7 (KCV: 4F46A6) MAC=7DB0530B9CFC73499FFAF2507CC9D1F0 (KCV: 525472) DEK=EFB56F5E08C0298A7F81515C58AABCF1 (KCV: 1726DA) for SCP02
[DEBUG] GPSession - Verified card cryptogram: 0FBA6A3115F73A07
[DEBUG] GPSession - Calculated host cryptogram: 9025D9B24AD10517
[TRACE] SCP02Wrapper - MAC input: 84820100109025D9B24AD10517
A>> T=1 (4+0016) 84820100 10 9025D9B24AD105174C9495F11D1144A4
A<< (0000+2) (25ms) 9000
[TRACE] SCP02Wrapper - MAC input: 84F280020A4F00
A>> T=1 (4+0010) 84F28002 0A 4F0033BA1B8F72E0FE17 00
A<< (0040+2) (21ms) E3264F08A0000001510000009F700101C5039EFE80C407A0000001515350CC08A000000151000000 9000
[TRACE] GPRegistry - [E3]
[TRACE] GPRegistry - [4F] A000000151000000
[TRACE] GPRegistry - [9F70] 01
[TRACE] GPRegistry - [C5] 9EFE80
[TRACE] GPRegistry - [C4] A0000001515350
[TRACE] GPRegistry - [CC] A000000151000000
...
$ gp200414.exe -l -visa2 -key 303132333435363738393A3B3C3D3E3F -v -d
SCardConnect("Identiv uTrust 3700 F CL Reader 0", T=*) -> T=1, XXXX
GlobalPlatformPro v20.04.14-0-geaee04c
Running on Windows 10 10.0 amd64, Java 1.8.0_241 by Oracle Corporation
A>> T=1 (4+0000) 00A40400 00
A<< (0018+2) (19ms) 6F108408A000000151000000A5049F6501FF 9000
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=303132333435363738393A3B3C3D3E3F (KCV: B73D56) MAC=303132333435363738393A3B3C3D3E3F (KCV: B73D56) DEK=303132333435363738393A3B3C3D3E3F (KCV: B73D56) for null
A>> T=1 (4+0008) 80500000 08 374D1D807BDB5C00 00
A<< (0028+2) (46ms) 0000932652285499407901020004C1BD78FEE76E2FB047C532B643AD 9000
[main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=FE59CD146F317CE3B554F57D07C90EA7 (KCV: 4F46A6) MAC=7DB0530B9CFC73499FFAF2507CC9D1F0 (KCV: 525472) DEK=EFB56F5E08C0298A7F81515C58AABCF1 (KCV: 1726DA) for SCP02
[main] INFO pro.javacard.gp.GPSession - Session keys: ENC=2BFF5259CB2BA80D2F22EE28E128BD9A MAC=6AE6663FE6CF71B2CA21FEDBFCA1ED2C RMAC=644BF78C7A86A50D68C84626E1305864, card keys=ENC=FE59CD146F317CE3B554F57D07C90EA7 (KCV: 4F46A6) MAC=7DB0530B9CFC73499FFAF2507CC9D1F0 (KCV: 525472) DEK=EFB56F5E08C0298A7F81515C58AABCF1 (KCV: 1726DA) for SCP02
A>> T=1 (4+0016) 84820100 10 9A37228EC5D682E6AE044CD677DCCD89
A<< (0000+2) (25ms) 9000
A>> T=1 (4+0010) 84F28002 0A 4F00CD99A42AB85AB4BF 00
A<< (0040+2) (21ms) E3264F08A0000001510000009F700101C5039EFE80C407A0000001515350CC08A000000151000000 9000
...
$ gp200704.exe -l -visa2 -key 303132333435363738393A3B3C3D3E3F -v -d
#
# gp -l -visa2 -key 303132333435363738393A3B3C3D3E3F -v -d
SCardConnect("Identiv uTrust 3700 F CL Reader 0", T=*) -> T=1, XXXX
# GlobalPlatformPro v20.07.04-0-gc48cdec
# Running on Windows 10 10.0 amd64, Java 1.8.0_241 by Oracle Corporation
A>> T=1 (4+0000) 00A40400 00
A<< (0018+2) (17ms) 6F108408A000000151000000A5049F6501FF 9000
[DEBUG] GPSession - Auto-detected ISD: A000000151000000
[INFO] GPSession - Using card master keys with version 0 for setting up session [MAC]
A>> T=1 (4+0008) 80500000 08 B506A751696CBD68 00
A<< (0028+2) (46ms) 00009326522854994079010200064E9579614347FA56DEBD5A46D953 9000
[DEBUG] GPSession - Host challenge: B506A751696CBD68
[DEBUG] GPSession - Card challenge: 00064E9579614347
[DEBUG] GPSession - Card reports SCP02 with key version 1 (0x01)
[INFO] GPSession - Diversified card keys: ENC=303132333435363738393A3B3C3D3E3F (KCV: B73D56) MAC=303132333435363738393A3B3C3D3E3F (KCV: B73D56) DEK=303132333435363738393A3B3C3D3E3F (KCV: B73D56) for SCP02
[INFO] GPSession - Session keys: ENC=4594BDF2CCB901B405C93654D810531B MAC=7A4EB18E66A32E2F39632775132EB8D2 RMAC=93D847B11D536E4060958733C37DBFC7
Failed to open secure channel: Card cryptogram invalid!
Received: FA56DEBD5A46D953
Expected: 190D64D93FAD39EE
$ gp200812.exe -l -visa2 -key 303132333435363738393A3B3C3D3E3F -v -d
#
# gp -l -visa2 -key 303132333435363738393A3B3C3D3E3F -v -d
SCardConnect("Identiv uTrust 3700 F CL Reader 0", T=*) -> T=1, XXXX
# GlobalPlatformPro 325fe84
# Running on Windows 10 10.0 amd64, Java 1.8.0_241 by Oracle Corporation
A>> T=1 (4+0000) 00A40400 00
A<< (0018+2) (18ms) 6F108408A000000151000000A5049F6501FF 9000
[DEBUG] GPSession - Auto-detected ISD: A000000151000000
[INFO] GPSession - Using card master keys with version 0 for setting up session [MAC]
A>> T=1 (4+0008) 80500000 08 F5BA35B03381BF5A 00
A<< (0028+2) (46ms) 00009326522854994079010200064E95796143470AA595D39E4739CB 9000
[DEBUG] GPSession - SSC: 0006
[DEBUG] GPSession - Host challenge: F5BA35B03381BF5A
[DEBUG] GPSession - Card challenge: 00064E9579614347
[DEBUG] GPSession - Card reports SCP02 with key version 1 (0x01)
[INFO] GPSession - Diversified card keys: ENC=303132333435363738393A3B3C3D3E3F (KCV: B73D56) MAC=303132333435363738393A3B3C3D3E3F (KCV: B73D56) DEK=303132333435363738393A3B3C3D3E3F (KCV: B73D56) for SCP02
[INFO] GPSession - Session keys: ENC=4594BDF2CCB901B405C93654D810531B MAC=7A4EB18E66A32E2F39632775132EB8D2 RMAC=93D847B11D536E4060958733C37DBFC7
Failed to open secure channel: Card cryptogram invalid!
Received: 0AA595D39E4739CB
Expected: FF809F63A82C49A2
OK, I just saw in the documentation that this is a breaking change, where the syntax changed for this derivation kind, and the "-visa2" argument is deprecated. Using the new syntax "-key visa2:303132333435363738393A3B3C3D3E3F", it works. Too bad the documentation is not very clear about this, as it says these "options are still supported". Well, that's true if one sticks to the "stable" release and doesn't work with a pre-release. The documentation could properly state an exact version number after which it is actually deprecated (not usable anymore). Also, in these newest versions, a warning message catching "-visa2" and printing that this is no longer supported could be very helpful for users.
Absolutely noted.
I have to add one more thing. I tested the other way: using the new syntax with the stable release (20.01.23). And it doesn't work. So the documentation does not match. It says "GPPro supports a bunch of key diversification methods out of the box. To use a master key with a key derivation function, specify the KDF before the key: -key visa2:". Then "the shorthand -visa2 option is still supported, but deprecated.". From what I can see, the syntax is incompatible between versions. The current stable only understands the legacy shorthand option, and the newest pre-release can only understand the new key syntax.
$ gp200123.exe -l -key visa2:47454D5850524553534F53414D504C45 -v -d
GlobalPlatformPro v20.01.23-0-g5ad373b
Running on Windows 10 10.0 amd64, Java 1.8.0_241 by Oracle Corporation
# Detected readers from JNA2PCSC
[*] Identiv uTrust 3700 F CL Reader 0
SCardConnect("Identiv uTrust 3700 F CL Reader 0", T=*) -> T=1, XXXX
SCardBeginTransaction("Identiv uTrust 3700 F CL Reader 0")
Reader: Identiv uTrust 3700 F CL Reader 0
ATR: XXXX
A>> T=1 (4+0000) 00A40400 00
A<< (0018+2) (17ms) 6F108408A000000151000000A5049F6501FF 9000
[TRACE] GPSession - [6F]
[TRACE] GPSession - [84] A000000151000000
[TRACE] GPSession - [A5]
[TRACE] GPSession - [9F65] FF
[DEBUG] GPSession - Auto-detected ISD: A000000151000000
SCardEndTransaction("Identiv uTrust 3700 F CL Reader 0")
SCardDisconnect("Identiv uTrust 3700 F CL Reader 0", true) tx:5/rx:20
Exception in thread "main" java.lang.IllegalArgumentException: Odd number of characters: VISA247454D5850524553534F53414D504C45
at apdu4j.HexUtils.decodeHexString_imp(HexUtils.java:51)
at apdu4j.HexUtils.stringToBin(HexUtils.java:83)
at pro.javacard.gp.GPTool.main(GPTool.java:266)
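The logs earlier in the thread show the symptom (the "diversified" keys printed by the broken builds still carry the master key's KCV B73D56), and the two messages above show the old "-visa2" shorthand and the new "-key visa2:<hex>" syntax. The following Python is an added example, not GlobalPlatformPro code: it parses the SCP02 INITIALIZE UPDATE response from the first log, builds the VISA2 derivation blocks, derives the three card keys with 3DES and reports a session in which diversification was skipped; parse_key_spec shows the "kdf:hex" split that the 20.01.23 release did not perform (it hex-decoded the whole string, hence the "Odd number of characters" exception). The VISA2 block layout and the purpose constants ENC=1, MAC=2, DEK=3 are assumed to match what GlobalPlatformPro's PlaintextKeys does, the KCV is the SCP02 one (3DES over eight zero bytes), and the cryptography package is assumed to be installed; compare the printed KCVs with the ones in the 20.01.23 log to confirm the layout against the version you run.

```python
"""VISA2 key diversification check for GlobalPlatform SCP02, plus a parser
for the 'kdf:hex' key syntax.  Added example, not GlobalPlatformPro code.

Assumptions: VISA2 input layout and purpose values (ENC=1, MAC=2, DEK=3)
as in GlobalPlatformPro's PlaintextKeys; KCV = first 3 bytes of 3DES-ECB
over eight zero bytes (the SCP02 KCV the log warnings refer to).
"""
from dataclasses import dataclass

try:  # cryptography >= 43 moved TripleDES to the 'decrepit' namespace
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:  # older releases
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
from cryptography.hazmat.primitives.ciphers import Cipher, modes

KEY_PURPOSE = {"ENC": 1, "MAC": 2, "DEK": 3}  # assumed GPPro KeyPurpose values

# INITIALIZE UPDATE response copied from the GPpro200123 log in the thread:
# 28 data bytes before the 9000 status word.
INIT_UPDATE_RESPONSE = bytes.fromhex(
    "00009326522854994079010200033CAD56063D650FBA6A3115F73A07")
MASTER_KEY = bytes.fromhex("303132333435363738393A3B3C3D3E3F")


@dataclass
class InitUpdate:
    kdd: bytes              # key diversification data, 10 bytes
    key_version: int
    scp: int
    sequence_counter: int   # the tool's log prints counter+challenge as 8 bytes
    card_challenge: bytes
    card_cryptogram: bytes


def parse_init_update(resp: bytes) -> InitUpdate:
    """Split an SCP02 INITIALIZE UPDATE response into its fields."""
    if len(resp) != 28:
        raise ValueError("SCP02 INITIALIZE UPDATE response must be 28 bytes")
    return InitUpdate(
        kdd=resp[0:10],
        key_version=resp[10],
        scp=resp[11],
        sequence_counter=int.from_bytes(resp[12:14], "big"),
        card_challenge=resp[14:20],
        card_cryptogram=resp[20:28],
    )


def des3_ecb(key: bytes, data: bytes) -> bytes:
    """3DES-ECB encrypt; a 16-byte (2-key) key is expanded to K1||K2||K1."""
    if len(key) == 16:
        key = key + key[:8]
    enc = Cipher(TripleDES(key), modes.ECB()).encryptor()
    return enc.update(data) + enc.finalize()


def kcv(key: bytes) -> str:
    """SCP02-style key check value: 3DES of eight zero bytes, first 3 bytes."""
    return des3_ecb(key, bytes(8))[:3].hex().upper()


def visa2_input(kdd: bytes, purpose: int) -> bytes:
    """16-byte block: KDD[0:2] || KDD[4:8] || F0 || purpose, then the same
    six KDD bytes || 0F || purpose (assumed VISA2 layout, see lead-in)."""
    half = kdd[0:2] + kdd[4:8]
    return half + bytes([0xF0, purpose]) + half + bytes([0x0F, purpose])


def diversify_visa2(master: bytes, kdd: bytes) -> dict:
    """Derive ENC/MAC/DEK card keys by encrypting each VISA2 block with the master key."""
    return {name: des3_ecb(master, visa2_input(kdd, p))
            for name, p in KEY_PURPOSE.items()}


def is_diversified(master: bytes, keys: dict) -> bool:
    """The symptom in the thread: every 'diversified' key still shows the
    master key's KCV, i.e. the diversification step was skipped."""
    return all(kcv(k) != kcv(master) for k in keys.values())


def parse_key_spec(spec: str):
    """'visa2:<hex>' -> ('visa2', key bytes); bare hex -> (None, key bytes)."""
    kdf, sep, hexkey = spec.partition(":")
    if not sep:
        return None, bytes.fromhex(spec)
    return kdf.lower(), bytes.fromhex(hexkey)


if __name__ == "__main__":
    iu = parse_init_update(INIT_UPDATE_RESPONSE)
    print("KDD:", iu.kdd.hex().upper(), "key version:", iu.key_version,
          "SCP%02d" % iu.scp, "counter:", iu.sequence_counter)
    print("master key KCV:", kcv(MASTER_KEY))
    keys = diversify_visa2(MASTER_KEY, iu.kdd)
    for name, k in keys.items():
        print(f"{name}={k.hex().upper()} (KCV: {kcv(k)})")
    print("diversification applied:", is_diversified(MASTER_KEY, keys))
    print(parse_key_spec("visa2:47454D5850524553534F53414D504C45"))
```

Run it without arguments; the three printed KCVs should match the "Diversified card keys" line of the working 20.01.23 run, while the broken builds would print the master KCV three times and "diversification applied: False".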
Indeed. I'll remove the old options and bring this out better in docs.
Describe the bug
VISA2 diversification is not properly working in GlobalPlatformPro 325fe84
Information about your card
Expected behavior
Properly authenticate using Gemalto Keys
Full log
Additional context
I'm sorry, currently I don't have time to look at the code to check :(