martinpaljak / GlobalPlatformPro

🌐 🔐 Manage applets and keys on JavaCard-s like a pro (via command line or from your Java project)
https://javacard.pro/globalplatform
GNU Lesser General Public License v3.0

Installing applet to newly created SSD fails with 0x6985 (Conditions of use not satisfied) #306

Open asdfjkl opened 1 year ago

asdfjkl commented 1 year ago

I am trying to create a supplemental security domain (SSD) and install a hello world application to it. The card is an NXP J3H145. Using

# gp --version
# GlobalPlatformPro 325fe84

the creation of the SSD and key installation works, but installing the applet fails with

0x6985 (Conditions of use not satisfied)

Briefly:

java -jar gp.jar --domain A000000151000001 --allow-to --allow-from
Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
Notice: 0x81 already in parameters or no parameters

java -jar gp.jar --connect A000000151000001 --lock 404142434445464748494A4B4C4D4E4F
Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
Looking at key version
A000000151000001 locked with: 404142434445464748494A4B4C4D4E4F
Write this down, DO NOT FORGET/LOSE IT!

java -jar gp.jar --install ../JCHelloWorld/cap/hw.cap --to A000000151000001
Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
Applet loading not allowed. Are you sure the domain can accept it?
Error: INSTALL [for load] failed: 0x6985 (Conditions of use not satisfied)

If I replace (only) in the first step (the creation of the security domain) gp.jar with an old version, namely:

GlobalPlatformPro 18.09.14-0-gb439b52

everything installs fine.

Log for creating the SSD with the latest version (# GlobalPlatformPro 325fe84, Release v20.01.23) of gp.jar:

user@kallisto:~/MyFiles/workspace/gp$ java -jar gp.jar -dvi --domain A000000151000001 --allow-to --allow-from
# 
# gp -dvi --domain A000000151000001 --allow-to --allow-from
SCardConnect("SCM Microsystems Inc. SCL010 Contactless Reader [SCL010 Contactless Reader] (00000741000005) 00 00", T=*) -> T=1, 3B80800101
# GlobalPlatformPro 325fe84
# Running on Linux 5.15.0-58-generic amd64, Java 17.0.5 by Private Build
A>> T=1 (4+0000) 00A40400 00 
A<< (0018+2) (24ms) 6F108408A000000151000000A5049F6501FF 9000
[DEBUG] GPSession - Auto-detected ISD: A000000151000000
A>> T=1 (4+0000) 80CA9F7F 00 
A<< (0045+2) (14ms) 9F7F2A4790050382116351030280480093540734694E3050383037474D32313030393335341300011EFD121047 9000
[WARN] GPData - Invalid CPLC date: 474D
[WARN] GPData - Invalid CPLC date: 011E
CPLC: ICFabricator=4790
      ICType=0503
      OperatingSystemID=8211
      OperatingSystemReleaseDate=6351 (2016-12-16)
      OperatingSystemReleaseLevel=0302
      ICFabricationDate=8048 (2018-02-17)
      ICSerialNumber=00935407
      ICBatchIdentifier=3469
      ICModuleFabricator=4E30
      ICModulePackagingDate=5038 (2015-02-07)
      ICCManufacturer=3037
      ICEmbeddingDate=474D (invalid date format)
      ICPrePersonalizer=3231
      ICPrePersonalizationEquipmentDate=3030 (2013-01-30)
      ICPrePersonalizationEquipmentID=39333534
      ICPersonalizer=1300
      ICPersonalizationDate=011E (invalid date format)
      ICPersonalizationEquipmentID=FD121047

A>> T=1 (4+0000) 80CA0042 00 
A<< (0003+2) (12ms) 420100 9000
IIN: 420100
A>> T=1 (4+0000) 80CA0045 00 
A<< (0010+2) (13ms) 45080000000000000000 9000
CIN: 45080000000000000000
Card Data: 
A>> T=1 (4+0000) 80CA0066 00 
A<< (0065+2) (15ms) 663F733D06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040300660C060A2B060104012A026E0102 9000
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.1.1
-> GP Version: 2.1.1
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.3.0
-> GP SCP03 i=00
Tag 66: 1.3.6.1.4.1.42.2.110.1.2
-> JavaCard v2
Card Capabilities: 
A>> T=1 (4+0000) 80CA0067 00 
A<< (0060+2) (14ms) 673A6738A006800102810155A00A8001038102001082010781039EFE8082031E03008301028504010208408602040887040102084088050102030405 9000
[WARN] GPData - Bogus data detected, fixing double tag
Supports SCP02 i=55
Supports SCP03 i=00 i=10 with AES-128 AES-196 AES-256
Supported DOM privileges: SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration
Supported APP privileges: CardLock, CardTerminate, CardReset, CVMManagement, FinalApplication, GlobalService
Supported LFDB hash: SHA-256
Supported Token Verification ciphers: RSA1024_SHA1, ECCP521_SHA512
Supported Receipt Generation ciphers: DES_MAC
Supported DAP Verification ciphers: RSA1024_SHA1, ECCP521_SHA512
Supported ECC Key Parameters: 0102030405
A>> T=1 (4+0000) 80CA00E0 00 
A<< (0020+2) (18ms) E012C00401018810C00402018810C00403018810 9000
Version:   1 (0x01) ID:   1 (0x01) type: AES          length:  16 (AES-128)
Version:   1 (0x01) ID:   2 (0x02) type: AES          length:  16 (AES-128)
Version:   1 (0x01) ID:   3 (0x03) type: AES          length:  16 (AES-128)

Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
[INFO] GPSession - Using card master keys with version 0 for setting up session [MAC] 
A>> T=1 (4+0008) 80500000 08 39CC4BB182ED4137 00
A<< (0029+2) (99ms) 000080480093540734690103004CCBC99C893977D7AD5CF3670800EBF5 9000
[DEBUG] GPSession - SSC: null
[DEBUG] GPSession - Host challenge: 39CC4BB182ED4137
[DEBUG] GPSession - Card challenge: 4CCBC99C893977D7
[DEBUG] GPSession - Card reports SCP03 with key version 1 (0x01)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 504A77) MAC=404142434445464748494A4B4C4D4E4F (KCV: 504A77) DEK=404142434445464748494A4B4C4D4E4F (KCV: 504A77) for SCP03
[INFO] GPSession - Session keys: ENC=833FBDEFA83956FA04B792E60C0553D4 MAC=C829CCFEE8234598154CD6CB7367C473 RMAC=71D8CB54B5444EE0540AC1359838002D
[DEBUG] GPSession - Verified card cryptogram: AD5CF3670800EBF5
[DEBUG] GPSession - Calculated host cryptogram: 4FD115BB0A2F3AA8
A>> T=1 (4+0016) 84820100 10 4FD115BB0A2F3AA865EA344281B09E40
A<< (0000+2) (153ms) 9000
A>> T=1 (4+0010) 84F28002 0A 4F003BE13DF6D7854E66 00
A<< (0044+2) (112ms) E32A4F08A0000001510000009F700107C5039EFE80C407A0000000620001CE020100CC08A000000151000000 9000
A>> T=1 (4+0010) 84F24002 0A 4F00D489B4B0D6449D29 00
A<< (0042+2) (102ms) E3284F08A0000006472F00019F700107C503000000C405A000000647CE020000CC08A000000151000000 9000
A>> T=1 (4+0010) 84F21002 0A 4F00962D908C66E479D8 00
A<< (0048+2) (103ms) E3174F07A00000015153509F7001018408A000000151535041E3154F05A0000006479F7001018408A0000006472F0001 9000
A>> T=1 (4+0010) 84F22002 0A 4F007646D5E00614BFE2 00
A<< (0028+2) (102ms) E30D4F07A00000015153509F700101E30B4F05A0000006479F700101 9000
# Note: using detected default AID-s for SSD instantiation: A000000151535041 from A0000001515350
Notice: 0x81 already in parameters or no parameters
# Final parameters: 
A>> T=1 (4+0040) 84E60C00 28 07A000000151535008A00000015153504108A000000151000001018002C9000084390249FF369091
A<< (0001+2) (2s932ms) 00 9000
SCardDisconnect("SCM Microsystems Inc. SCL010 Contactless Reader [SCL010 Contactless Reader] (00000741000005) 00 00", true) tx:179/rx:441

Log with version GlobalPlatformPro 18.09.14-0-gb439b52 (Release 18.09.14):

user@kallisto:~/MyFiles/workspace/gp$ java -jar gp_tmp.jar -dvi --domain A000000151000001 --allow-to --allow-from
GlobalPlatformPro 18.09.14-0-gb439b52
Running on Linux 5.15.0-58-generic amd64, Java 17.0.5 by Private Build
# Detected readers from JNA2PCSC
[*] SCM Microsystems Inc. SCL010 Contactless Reader [SCL010 Contactless Reader] (00000741000005) 00 00
SCardConnect("SCM Microsystems Inc. SCL010 Contactless Reader [SCL010 Contactless Reader] (00000741000005) 00 00", T=*) -> T=1, 3B80800101
SCardBeginTransaction("SCM Microsystems Inc. SCL010 Contactless Reader [SCL010 Contactless Reader] (00000741000005) 00 00")
Reader: SCM Microsystems Inc. SCL010 Contactless Reader [SCL010 Contactless Reader] (00000741000005) 00 00
ATR: 3B80800101
More information about your card:
    http://smartcard-atr.appspot.com/parse?ATR=3B80800101

A>> T=1 (4+0000) 00A40400 00 
A<< (0018+2) (24ms) 6F108408A000000151000000A5049F6501FF 9000
[DEBUG] GlobalPlatform - Auto-detected ISD: A000000151000000
A>> T=1 (4+0000) 80CA9F7F 00 
A<< (0045+2) (14ms) 9F7F2A4790050382116351030280480093540734694E3050383037474D32313030393335341300011EFD121047 9000
[WARN] GPData - Invalid CPLC date: 474D
[WARN] GPData - Invalid CPLC date: 011E
CPLC: ICFabricator=4790
      ICType=0503
      OperatingSystemID=8211
      OperatingSystemReleaseDate=6351 (2016-12-16)
      OperatingSystemReleaseLevel=0302
      ICFabricationDate=8048 (2018-02-17)
      ICSerialNumber=00935407
      ICBatchIdentifier=3469
      ICModuleFabricator=4E30
      ICModulePackagingDate=5038 (2015-02-07)
      ICCManufacturer=3037
      ICEmbeddingDate=474D (invalid date format)
      ICPrePersonalizer=3231
      ICPrePersonalizationEquipmentDate=3030 (2013-01-30)
      ICPrePersonalizationEquipmentID=39333534
      ICPersonalizer=1300
      ICPersonalizationDate=011E (invalid date format)
      ICPersonalizationEquipmentID=FD121047

A>> T=1 (4+0000) 80CA0042 00 
A<< (0003+2) (13ms) 420100 9000
IIN: 420100
A>> T=1 (4+0000) 80CA0045 00 
A<< (0010+2) (13ms) 45080000000000000000 9000
CIN: 45080000000000000000
Card Data: 
A>> T=1 (4+0000) 80CA0066 00 
A<< (0065+2) (15ms) 663F733D06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040300660C060A2B060104012A026E0102 9000
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.1.1
-> GP Version: 2.1.1
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.3.0
-> GP SCP03 i=00
Tag 66: 1.3.6.1.4.1.42.2.110.1.2
-> JavaCard v2
Card Capabilities: 
A>> T=1 (4+0000) 80CA0067 00 
A<< (0060+2) (14ms) 673A6738A006800102810155A00A8001038102001082010781039EFE8082031E03008301028504010208408602040887040102084088050102030405 9000
[WARN] GPData - Bogus data detected, fixing double tag
Supports: SCP02 i=55
Supports: SCP03 i=00 i=10 with AES-128 AES-196 AES-256
Supported DOM privileges: SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration
Supported APP privileges: CardLock, CardTerminate, CardReset, CVMManagement, FinalApplication, GlobalService
Supported LFDB hash: 02
Supported Token Verification ciphers: 01020840
Supported Receipt Generation ciphers: 0408
Supported DAP Verification ciphers: 01020840
Supported ECC Key Parameters: 0102030405
A>> T=1 (4+0000) 80CA00E0 00 
A<< (0020+2) (18ms) E012C00401018810C00402018810C00403018810 9000
Version:   1 (0x01) ID:   1 (0x01) type: AES  length:  16 (AES-128)
Version:   1 (0x01) ID:   2 (0x02) type: AES  length:  16 (AES-128)
Version:   1 (0x01) ID:   3 (0x03) type: AES  length:  16 (AES-128)
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
A>> T=1 (4+0008) 80500000 08 246BE6A559F5BC46 00
A<< (0029+2) (99ms) 00008048009354073469010300182AE4BBA0CBE9CE0884D8C139029F77 9000
[DEBUG] GlobalPlatform - Host challenge: 246BE6A559F5BC46
[DEBUG] GlobalPlatform - Card challenge: 182AE4BBA0CBE9CE
[DEBUG] GlobalPlatform - Card reports SCP03 i=00 with key version 1 (0x01)
[DEBUG] GlobalPlatform - Will do SCP03 (3)
[DEBUG] PlaintextKeys - Card keys: {ENC=type=RAW bytes=404142434445464748494A4B4C4D4E4F, DEK=type=RAW bytes=404142434445464748494A4B4C4D4E4F, MAC=type=RAW bytes=404142434445464748494A4B4C4D4E4F}
[DEBUG] GlobalPlatform - Verified card cryptogram: 0884D8C139029F77
[DEBUG] GlobalPlatform - Calculated host cryptogram: A40EB7C046431C14
A>> T=1 (4+0016) 84820100 10 A40EB7C046431C14EA7AEF0D8C88CC6E
A<< (0000+2) (153ms) 9000
Note: using default AID-s for SSD instantiation: A000000151535041 from A0000001515350
A>> T=1 (4+0010) 84F28002 0A 4F00BD03D9C62760C0B9 00
A<< (0044+2) (112ms) E32A4F08A0000001510000009F700107C5039EFE80C407A0000000620001CE020100CC08A000000151000000 9000
A>> T=1 (4+0010) 84F24002 0A 4F009F95779B757B8580 00
A<< (0042+2) (102ms) E3284F08A0000006472F00019F700107C503000000C405A000000647CE020000CC08A000000151000000 9000
A>> T=1 (4+0010) 84F22002 0A 4F0046EB4623179150FC 00
A<< (0028+2) (102ms) E30D4F07A00000015153509F700101E30B4F05A0000006479F700101 9000
A>> T=1 (4+0010) 84F21002 0A 4F005289772109EB432C 00
A<< (0048+2) (104ms) E3174F07A00000015153509F7001018408A000000151535041E3154F05A0000006479F7001018408A0000006472F0001 9000
A>> T=1 (4+0046) 84E60C00 2E 07A000000151535008A00000015153504108A000000151000001018008C90682012087012000AE28BB6AFD8B9EFF
A<< (0001+2) (2s965ms) 00 9000
SCardEndTransaction(SCM Microsystems Inc. SCL010 Contactless Reader [SCL010 Contactless Reader] (00000741000005) 00 00)
SCardDisconnect("SCM Microsystems Inc. SCL010 Contactless Reader [SCL010 Contactless Reader] (00000741000005) 00 00", true)

PS: Sorry for the frequent edits of this issue. Took some time to pinpoint the problem.
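
The two `84E60C00` INSTALL commands captured in the logs above can be decoded field by field to compare what each gp build sent when creating the SSD. This is an added example, not part of the original post and not GlobalPlatformPro code: the function names are hypothetical, the APDU strings are copied from the two logs, and it assumes the GlobalPlatform INSTALL data layout (length-prefixed load file AID, module AID, application AID, privileges, install parameters, token) followed by an 8-byte C-MAC.

```python
# Added example: decode the INSTALL command data from the two logs in this issue.
# APDU strings are copied verbatim from the logs; helper names are hypothetical.
NEW_BUILD = ("84E60C00 28 07A000000151535008A00000015153504108A000000151000001"
             "018002C9000084390249FF369091")            # gp 325fe84
OLD_BUILD = ("84E60C00 2E 07A000000151535008A00000015153504108A000000151000001"
             "018008C90682012087012000AE28BB6AFD8B9EFF")  # gp 18.09.14

FIELDS = ("load_file_aid", "module_aid", "app_aid",
          "privileges", "install_params", "token")

def read_lv(buf, pos):
    """Read one length-prefixed value; return (value, next position)."""
    if pos >= len(buf):
        raise ValueError("missing length byte")
    end = pos + 1 + buf[pos]
    if end > len(buf):
        raise ValueError("field runs past end of data")
    return buf[pos + 1:end], end

def read_tlvs(buf):
    """Split a buffer of one-byte-tag, one-byte-length TLVs."""
    out, pos = [], 0
    while pos < len(buf):
        tag = buf[pos]
        value, pos = read_lv(buf, pos + 1)
        out.append((tag, value))
    return out

def parse_install(apdu_hex):
    raw = bytes.fromhex(apdu_hex.replace(" ", ""))
    cla, ins, p1, p2, lc = raw[:5]
    if ins != 0xE6:
        raise ValueError("not an INSTALL command")
    data = raw[5:5 + lc]
    if len(data) != lc:
        raise ValueError("Lc does not match data length")
    if cla & 0x04:                 # secure messaging: drop the 8-byte C-MAC
        data = data[:-8]
    parsed, pos = {"p1": p1}, 0
    for name in FIELDS:
        value, pos = read_lv(data, pos)
        parsed[name] = value.hex().upper()
    if pos != len(data):
        raise ValueError("trailing bytes after install token")
    # Contents of the C9 (application-specific parameters) TLV, if present.
    params = dict(read_tlvs(bytes.fromhex(parsed["install_params"])))
    parsed["c9"] = [(t, v.hex().upper()) for t, v in read_tlvs(params.get(0xC9, b""))]
    return parsed

if __name__ == "__main__":
    for label, apdu in (("325fe84", NEW_BUILD), ("18.09.14", OLD_BUILD)):
        print(label, parse_install(apdu))
```

On these two captures every field is identical except the install parameters: the 18.09.14 build's C9 field carries TLVs 82 and 87 (each with value 20), while build 325fe84 sends an empty C9.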