search

martinpaljak / GlobalPlatformPro

🌐 🔐 Manage applets and keys on JavaCard-s like a pro
https://javacard.pro/globalplatform
GNU Lesser General Public License v3.0
713 stars 212 forks source link

Too long list of installed applets causes IllegalStateException: Length is out of the range (older gppro v0.3.4 works) #327

Closed petrs closed 1 year ago

petrs commented 1 year ago

Describe the bug

The list of installed applets is not displayed in current version of gppro while is correctly displayed in gppro v0.3.4. If some applets are uninstalled (via gppro v0.3.4), --list start to work again.

A>> T=0 (4+0010) 84F21002 0A 4F008AA81E9D512C9E76 00 A<< (0256+2) (50ms) E31C4F090102030405060708099F700101840B0102030405060708090103E3134F0500000000019F7001018406000000000102E3144F0500112233449F70010184070011223344AABBE3134F0500000000049F7001018406000000000401E3144F05A1000000009F7001018407A1000000000001E30F4F09A00000006303010C029F700101E31B4F09A00000006303010C019F700101840AA00000006303010C0101E30F4F09A00000006403010C029F700101E31B4F09A00000006403010C019F700101840AA00000006403010C0101E30F4F09A00000006503010C029F700101E31B4F09A00000006503010C019F700101840AA00000006503010C0101E314 9000 SCardEndTransaction("Alcor Micro USB Smart Card Reader 0") SCardDisconnect("Alcor Micro USB Smart Card Reader 0", true) tx:104/rx:702 Exception in thread "main" java.lang.IllegalStateException: Length is out of the range [offset=256, len=20, array.length=256, level=1] at com.payneteasy.tlv.BerTlvParser.parseWithResult(BerTlvParser.java:58) at com.payneteasy.tlv.BerTlvParser.addChildren(BerTlvParser.java:120) at com.payneteasy.tlv.BerTlvParser.parseWithResult(BerTlvParser.java:84) at com.payneteasy.tlv.BerTlvParser.parse(BerTlvParser.java:41) at com.payneteasy.tlv.BerTlvParser.parse(BerTlvParser.java:32) at pro.javacard.gp.GPRegistry.populate_tags(GPRegistry.java:149) at pro.javacard.gp.GPRegistry.parse(GPRegistry.java:201) at pro.javacard.gp.GPSession.getStatus(GPSession.java:1106) at pro.javacard.gp.GPSession.getRegistry(GPSession.java:1028) at pro.javacard.gp.GPTool.main(GPTool.java:689)

Information about your card and used reader

As much information as you have: (card info is likely not relevant)

  1. Card Vendor: Taisys
  2. Card Product Name: SimONE Vault
  3. Card Platform Version:
  4. Reader model/name

Expected behavior

The list of installed applets is displayed as in older version.

Full log

Re-run your command with -d -v -i switches and:

>gp2 -l -d
GlobalPlatformPro 19.06.16-0-gbaccf34
Running on Windows 10 10.0 amd64, Java 17.0.1 by Oracle Corporation
# Detected readers from JNA2PCSC
[*] Alcor Micro USB Smart Card Reader 0
SCardConnect("Alcor Micro USB Smart Card Reader 0", T=*) -> T=0, 3B9F95803FC7A08031E073FA21106300000083F09000BB
SCardBeginTransaction("Alcor Micro USB Smart Card Reader 0")
A>> T=0 (4+0000) 00A40400 00
A<< (0019+2) (10ms) 6F118408A000000003000000A5059F65020100 9000
[TRACE] GPSession -  [6F]
[TRACE] GPSession -      [84] A000000003000000
[TRACE] GPSession -      [A5]
[TRACE] GPSession -          [9F65] 0100
[DEBUG] GPSession - Auto-detected ISD: A000000003000000
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[INFO] GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
[TRACE] GPSession - Generated host challenge: 6E8A4A0F36AF8B3D
A>> T=0 (4+0008) 80500000 08 6E8A4A0F36AF8B3D 00
A<< (0028+2) (11ms) 112233445566778899AA2002013D6E774DBEBE3FE67093D6FA51009D 9000
[DEBUG] GPSession - Host challenge: 6E8A4A0F36AF8B3D
[DEBUG] GPSession - Card challenge: 013D6E774DBEBE3F
[DEBUG] GPSession - Card reports SCP02 with key version 32 (0x20)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[INFO] GPSession - Session keys: ENC=1B2D8DD33BA5AE171365F39A4911DFA0 MAC=6F54A84638B60D1A7D5E83454990A263 RMAC=C534ACCDDEA2A99B9BF35616116970C5, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[DEBUG] GPSession - Verified card cryptogram: E67093D6FA51009D
[DEBUG] GPSession - Calculated host cryptogram: 2485433A32EB8CF6
[DEBUG] SCP02Wrapper - MAC input: 84820100102485433A32EB8CF6
A>> T=0 (4+0016) 84820100 10 2485433A32EB8CF63179ADE6A46CDDB6
A<< (0000+2) (42ms) 9000
[DEBUG] SCP02Wrapper - MAC input: 84F280020A4F00
A>> T=0 (4+0010) 84F28002 0A 4F007F3387D16F22B97F 00
A<< (0022+2) (16ms) E3144F08A0000000030000009F70020101C5039EFE80 9000
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] A000000003000000
[TRACE] GPRegistry -      [9F70] 0101
[TRACE] GPRegistry -      [C5] 9EFE80
[DEBUG] SCP02Wrapper - MAC input: 84F240020A4F00
A>> T=0 (4+0010) 84F24002 0A 4F00AFF280F2FBB85240 00
A<< (0179+2) (31ms) E3174F0B01020304050607080901039F70020701C503000000E3124F060000000001029F70020701C503000000E3134F070011223344AABB9F70020701C503000000E3124F060000000004019F70020701C503000000E3134F07A10000000000019F70020701C503000000E3164F0AA00000006303010C01019F70020701C503000000E3164F0AA00000006403010C01019F70020701C503000000E3164F0AA00000006503010C01019F70020701C503000000 9000
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] 0102030405060708090103
[TRACE] GPRegistry -      [9F70] 0701
[TRACE] GPRegistry -      [C5] 000000
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] 000000000102
[TRACE] GPRegistry -      [9F70] 0701
[TRACE] GPRegistry -      [C5] 000000
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] 0011223344AABB
[TRACE] GPRegistry -      [9F70] 0701
[TRACE] GPRegistry -      [C5] 000000
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] 000000000401
[TRACE] GPRegistry -      [9F70] 0701
[TRACE] GPRegistry -      [C5] 000000
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] A1000000000001
[TRACE] GPRegistry -      [9F70] 0701
[TRACE] GPRegistry -      [C5] 000000
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] A00000006303010C0101
[TRACE] GPRegistry -      [9F70] 0701
[TRACE] GPRegistry -      [C5] 000000
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] A00000006403010C0101
[TRACE] GPRegistry -      [9F70] 0701
[TRACE] GPRegistry -      [C5] 000000
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] A00000006503010C0101
[TRACE] GPRegistry -      [9F70] 0701
[TRACE] GPRegistry -      [C5] 000000
[DEBUG] SCP02Wrapper - MAC input: 84F220020A4F00
A>> T=0 (4+0010) 84F22002 0A 4F00EF9BDDDD82D4AA30 00
A<< (0184+2) (32ms) E30F4F090102030405060708099F700101E30B4F0500000000019F700101E30B4F0500112233449F700101E30B4F0500000000049F700101E30B4F05A1000000009F700101E30F4F09A00000006303010C029F700101E30F4F09A00000006303010C019F700101E30F4F09A00000006403010C029F700101E30F4F09A00000006403010C019F700101E30F4F09A00000006503010C029F700101E30F4F09A00000006503010C019F700101E30B4F05001122334A9F700101 9000
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] 010203040506070809
[TRACE] GPRegistry -      [9F70] 01
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] 0000000001
[TRACE] GPRegistry -      [9F70] 01
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] 0011223344
[TRACE] GPRegistry -      [9F70] 01
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] 0000000004
[TRACE] GPRegistry -      [9F70] 01
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] A100000000
[TRACE] GPRegistry -      [9F70] 01
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] A00000006303010C02
[TRACE] GPRegistry -      [9F70] 01
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] A00000006303010C01
[TRACE] GPRegistry -      [9F70] 01
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] A00000006403010C02
[TRACE] GPRegistry -      [9F70] 01
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] A00000006403010C01
[TRACE] GPRegistry -      [9F70] 01
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] A00000006503010C02
[TRACE] GPRegistry -      [9F70] 01
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] A00000006503010C01
[TRACE] GPRegistry -      [9F70] 01
[TRACE] GPRegistry -  [E3]
[TRACE] GPRegistry -      [4F] 001122334A
[TRACE] GPRegistry -      [9F70] 01
[DEBUG] SCP02Wrapper - MAC input: 84F210020A4F00
A>> T=0 (4+0010) 84F21002 0A 4F008AA81E9D512C9E76 00
A<< (0256+2) (50ms) E31C4F090102030405060708099F700101840B0102030405060708090103E3134F0500000000019F7001018406000000000102E3144F0500112233449F70010184070011223344AABBE3134F0500000000049F7001018406000000000401E3144F05A1000000009F7001018407A1000000000001E30F4F09A00000006303010C029F700101E31B4F09A00000006303010C019F700101840AA00000006303010C0101E30F4F09A00000006403010C029F700101E31B4F09A00000006403010C019F700101840AA00000006403010C0101E30F4F09A00000006503010C029F700101E31B4F09A00000006503010C019F700101840AA00000006503010C0101E314 9000
SCardEndTransaction("Alcor Micro USB Smart Card Reader 0")
SCardDisconnect("Alcor Micro USB Smart Card Reader 0", true) tx:104/rx:702
Exception in thread "main" java.lang.IllegalStateException: Length is out of the range [offset=256,  len=20, array.length=256, level=1]
        at com.payneteasy.tlv.BerTlvParser.parseWithResult(BerTlvParser.java:58)
        at com.payneteasy.tlv.BerTlvParser.addChildren(BerTlvParser.java:120)
        at com.payneteasy.tlv.BerTlvParser.parseWithResult(BerTlvParser.java:84)
        at com.payneteasy.tlv.BerTlvParser.parse(BerTlvParser.java:41)
        at com.payneteasy.tlv.BerTlvParser.parse(BerTlvParser.java:32)
        at pro.javacard.gp.GPRegistry.populate_tags(GPRegistry.java:149)
        at pro.javacard.gp.GPRegistry.parse(GPRegistry.java:201)
        at pro.javacard.gp.GPSession.getStatus(GPSession.java:1106)
        at pro.javacard.gp.GPSession.getRegistry(GPSession.java:1028)
        at pro.javacard.gp.GPTool.main(GPTool.java:689)

Additional context

Add any other context about the problem here.

martinpaljak commented 1 year ago

Do you have a comparable log with a working version?

The last line is the culprit. According to the specification, 0x6310 should be returned if there is more data to return with GET STATUS than fits into current APDU. This is a full 256 byte return APDU, it is apparently truncated, but the status word from the chip does not indicate "more data available". Looking at the code of v0.3.4 that should fail the same way. maybe issuing additional GET STATUS to the chip actually returns the additional portion (even if it is not indicated by the chip) and a workaround is possible ("if parsing fails with incomplete data, try to read more 1..N times").

martinpaljak commented 1 year ago

OK. What you are possibly observing (older version working for delete and newer not) is that later versions try to read the registry before issuing a DELETE command, to check if things are there and/or to give helpful recommendations. That will indeed fail with later versions, as the registry is tried to be constructed and that fails with an exception and you can't even delete. The culprit here is still a broken chip that does not indicate additional data when the returned data buffer is too large (too many applets installed). Thing to improve here would be make sure that "-f" would blindly issue a delete command, as not to "lock you out"

petrs commented 1 year ago

Thank you for dissecting the issue. I did not tried to do delete command initially, just the --list . Only when I used older version, I was able to finish list and got AIDs to delete. But I agree that the culprit is likely what you described. I will try to get card back into the same state with too many applets to fit into single GET DATA apdu and provide logs again

petrs commented 1 year ago

I tried to hard reproduce it again with clean Taysis SIMoME card(s) ICFabricationDate=6194 (2016-07-12) by continually uploading enough applets to overflow the response in 84F21002 command. As response to 84F21002 grows but below 256B, it is returning SW 9000 as expected. Then as it was bigger than 256B, I got SW 6310 (again as expected). Subsequent 84F21003 then returns remaining data - again, as expected. (see the log below). 

A>> T=0 (4+0010) 84F21002 0A 4F00D82080260D79F3AA 00
A<< (0256+2) (65ms) E31C4F0845435465737465729F700101840C454354657374657230333362E3194F0874657374706169649F7001018409746573747061696431E3154F061234567890019F700101840712345678900101E31B4F094A43416C67546573749F700101840A4A43416C675465737431E31A4F096D797061636B6167319F70010184096D7970616330303031E31C4F09D480424C4E534B53009F700101840BD480424C4E534B53000001E3244F0DD480424C4E5357616C6C6574009F700101840FD480424C4E5357616C6C6574000001E3154F0501020304059F70010184080102030405060708E3154F05C1C2C3C4C59F7001018408C1C2C3C4C5C6C7C8E31F4F0B53 6310
A>> T=0 (4+0010) 84F21003 0A 4F0069C4B70D5F0B7E7A 00
A<< (0028+2) (16ms) 686172655365727665729F700101840C536861726553657276657201 9000

I now believe that either the problem was on some older Taysis SIMoME card with slightly different behavior than the cards I test on now, or caused by non-deterministic behavior as a result of us testing with many different applets - just overflow >256B of the 84F21002 response is not enough to cause it.

Feel free to close this issue as unreproducible. Thank you again for looking into it.

martinpaljak commented 1 year ago

OK, thx, closing as not repeatable...