search

martinpaljak / GlobalPlatformPro

🌐 🔐 Manage applets and keys on JavaCard-s like a pro (via command line or from your Java project)
https://javacard.pro/globalplatform
GNU Lesser General Public License v3.0
673 stars 210 forks source link

Post commit 2d4bb36c145bd8c13606f12aa14e6e29d8ecef78 GPPro versions fail to install applet on NXP cards #355

Open timolehto opened 2 months ago

timolehto commented 2 months ago

This may or may not be the same issue as this https://github.com/martinpaljak/GlobalPlatformPro/issues/255, but since that issue hardly contained any useful information I figured a clean new issue is probably in order.

So, in short, I can not install (any) applet with any of the prereleases (or self built "next") to any of my JCOP cards. I can install applets with latest stable and self built up-to commit 2d4bb36c145bd8c13606f12aa14e6e29d8ecef78, but with the next commit 6347f0f5dc7eff1a48c22d498dc8007c8a0ff995 it no longer works. I suspect this is likely due to the apdu4j update, but I haven't yet gotten that far that I could definitely say that.

The card in question is NXP J3R180 SecId, I also have another card that is suppose to be pretty much the same, but reports different ATR, so I'm not entirely sure. It has the same issues. For additional context, I can tell that I actually have the same issues with the GPShell, but I haven't debugged that any deeper yet.

With our normal applet of code size of 6479 bytes it's always the CAP loading that fails.. usually around chunck 14 or 15, but sometimes even 16, but also sometimes it can also fail right off the bat on first chunk.

If I try to just install a minimal applet of code size 1206 bytes, it actually sometimes succeeds loading it, but at least so far, it then still fails with making it selectable.

Log of failure to make selectable

java -jar bin/gp_v20.01.23-7-g6347f0f_apdu4j_updated.jar -ivd -install JavaCardApplet_F0000000000000000000000000D16122_ddcec3da_3.0.4_jdk8.cap
SCardConnect("ACS ACR1252 1S CL Reader [ACR1252 Dual Reader PICC] 00 00", T=*) -> T=1, 3B8580018073C821100E
GlobalPlatformPro v20.01.23-7-g6347f0f
Running on Linux 6.8.9-100.fc38.x86_64 amd64, Java 1.8.0_292 by AdoptOpenJDK
A>> T=1 (4+0000) 00A40400 00 
A<< (0018+2) (12ms) 6F108408A000000151000000A5049F6501FF 9000
A>> T=1 (4+0000) 80CA9F7F 00 
A<< (0000+2) (10ms) 6985
A>> T=1 (4+0000) 00CA9F7F 00 
A<< (0000+2) (9ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(CPLC) not supported
A>> T=1 (4+0000) 80CA0042 00 
A<< (0000+2) (9ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(IIN) not supported
A>> T=1 (4+0000) 80CA0045 00 
A<< (0000+2) (10ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(CIN) not supported
Card Data: 
A>> T=1 (4+0000) 80CA0066 00 
A<< (0000+2) (10ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(Card Data) not supported
Card Capabilities: 
A>> T=1 (4+0000) 80CA0067 00 
A<< (0000+2) (9ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(Card Capabilities) not supported
A>> T=1 (4+0000) 80CA00E0 00 
A<< (0000+2) (9ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(Key Info Template) not supported
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
A>> T=1 (4+0008) 80500000 08 5916BD7CF6B1AE90 00
A<< (0028+2) (47ms) 0000835301531999183801020656987061FCEBA8822427BCBC17F6BD 9000
[main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[main] INFO pro.javacard.gp.GPSession - Session keys: ENC=D41F017494F868CD3C7716F8403DEBD5 MAC=3A363AC221B912CC31550F1FE7220E03 RMAC=2B0BDBA2C2835810FC0F0C5F929E7AE1, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
A>> T=1 (4+0016) 84820100 10 C393E3C171B108F3FA74546FAC345D5C
A<< (0000+2) (26ms) 9000
CAP file (v2.1), contains: applets for JavaCard 3.0.4
Package: id.digizen.card F0000000000000000000000000D16122 v0.0
Applet:  id.digizen.card.JavaCardApplet F0000000000000000000000000D16123
Import:  A0000000620001                   v1.0 java.lang
Import:  A0000000620101                   v1.5 javacard.framework
Generated by Oracle Corporation converter  [v3.2.0]
On Sat Jun 01 14:08:51 EEST 2024 with JDK 1.8.0_292 (AdoptOpenJDK)
Code size 1206 bytes (1385 with debug)
SHA-256 ddcec3da1def12ad791ab81c84005f086f1ba4892112674735377fd4cb254071
SHA-1   1ea3801a0a082d7944b29da09eabb6b4bdc988d7
A>> T=1 (4+0010) 84F28002 0A 4F001F9A247F16C00949 00
A<< (0040+2) (24ms) E3264F08A0000001510000009F700101C5039EFE80C407A0000001515350CC08A000000151000000 9000
A>> T=1 (4+0010) 84F24002 0A 4F0026F678E32B0743E7 00
A<< (0000+2) (16ms) 6A88
A>> T=1 (4+0010) 84F21002 0A 4F002A6138CD4EF97A35 00
A<< (0097+2) (39ms) E3254F07A00000015153509F700101CE02FFFF8408A000000151535041CC08A000000151000000E31B4F07A00000006202049F700101CE020100CC08A000000151000000E31B4F07A00000006202029F700101CE020103CC08A000000151000000 9000
A>> T=1 (4+0010) 84F22002 0A 4F0090461ABD55BA67BD 00
A<< (0087+2) (37ms) E31B4F07A00000015153509F700101CE02FFFFCC08A000000151000000E31B4F07A00000006202049F700101CE020100CC08A000000151000000E31B4F07A00000006202029F700101CE020103CC08A000000151000000 9000
A>> T=1 (4+0037) 84E60200 25 10F0000000000000000000000000D1612208A00000015100000000000051C123740556CBB7
A<< (0001+2) (85ms) 00 9000
A>> T=1 (4+0255) 84E80000 FF C48204B601001ADECAFFED010204000010F0000000000000000000000000D1612202001F001A001F001400150022001C004203AC000D000000B0000C0006039002010004001502000107A0000000620001050107A00000006201010300140110F0000000000000000000000000D16123001306001C00800000FF000100000000810300FF00040400000029FFFF00210033070042000110188C00007A0140188C0001188B00027A05308F00033D181D1E8C00043B7A0110188C000504780110188C00057A00107A0121198B00062D188B000760037A7A0803AC000C00060006030002900003000003001000000000000000000000000000434862CBC60F03AB
A<< (0001+2) (129ms) 00 9000
A>> T=1 (4+0255) 84E80001 FF 000000030010F0000000000000000000000000D16123030020000000000000000000000000000000000000000000000000000000000000000003034E0550055A004CDEBC6F0D405DAE7182BD167D82757E1D84143120BAC2A8D2A2ED0C66E00DB94DDEBC6F0D405DAE7182BD167D82757E1D84143120BAC2A8D2A2ED0C66E00DB94D010001009DE9829D827FC8E306BFAFAFA7F23FFD0E1F087E8F4AAA3B22D3659A49A25BC86CCA34ECA806B0AFE591BB265179B8232D34A0A545FAB836FB90277AE3C4C58FDA4D6BAEE382050A8F69A42ED4F30D085E80310306513AA3F71D71C49F99228751908BC3D26E8CFD5836AFDF5A23A625C567617B7DDBBEC402
A<< (0000+2) (935ms) 6982
Error: LOAD failed: 0x6982 (Security status not satisfied)
➜  TestCardApplet git:(code_review) ✗ java -jar bin/gp_v20.01.23-7-g6347f0f_apdu4j_updated.jar -ivd -install JavaCardApplet_F0000000000000000000000000D16122_ddcec3da_3.0.4_jdk8.cap
SCardConnect("ACS ACR1252 1S CL Reader [ACR1252 Dual Reader PICC] 00 00", T=*) -> T=1, 3B8580018073C821100E
GlobalPlatformPro v20.01.23-7-g6347f0f
Running on Linux 6.8.9-100.fc38.x86_64 amd64, Java 1.8.0_292 by AdoptOpenJDK
A>> T=1 (4+0000) 00A40400 00 
A<< (0018+2) (12ms) 6F108408A000000151000000A5049F6501FF 9000
A>> T=1 (4+0000) 80CA9F7F 00 
A<< (0000+2) (9ms) 6985
A>> T=1 (4+0000) 00CA9F7F 00 
A<< (0000+2) (9ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(CPLC) not supported
A>> T=1 (4+0000) 80CA0042 00 
A<< (0000+2) (10ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(IIN) not supported
A>> T=1 (4+0000) 80CA0045 00 
A<< (0000+2) (10ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(CIN) not supported
Card Data: 
A>> T=1 (4+0000) 80CA0066 00 
A<< (0000+2) (10ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(Card Data) not supported
Card Capabilities: 
A>> T=1 (4+0000) 80CA0067 00 
A<< (0000+2) (9ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(Card Capabilities) not supported
A>> T=1 (4+0000) 80CA00E0 00 
A<< (0000+2) (10ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(Key Info Template) not supported
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
A>> T=1 (4+0008) 80500000 08 51D196C03582CBD2 00
A<< (0028+2) (46ms) 000083530153199918380102065773C501576A812DF4F4D40046436D 9000
[main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[main] INFO pro.javacard.gp.GPSession - Session keys: ENC=0A0F8BBEB8A449A1365E080A4AE320E9 MAC=251FD4F58279C6D415BAA43DBA97CCB7 RMAC=76E068A4796F240C2B1DFA803AFF9BE3, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
A>> T=1 (4+0016) 84820100 10 A8DCE43815F2A687B9C8C0F8E6FF8BB5
A<< (0000+2) (26ms) 9000
CAP file (v2.1), contains: applets for JavaCard 3.0.4
Package: id.digizen.card F0000000000000000000000000D16122 v0.0
Applet:  id.digizen.card.JavaCardApplet F0000000000000000000000000D16123
Import:  A0000000620001                   v1.0 java.lang
Import:  A0000000620101                   v1.5 javacard.framework
Generated by Oracle Corporation converter  [v3.2.0]
On Sat Jun 01 14:08:51 EEST 2024 with JDK 1.8.0_292 (AdoptOpenJDK)
Code size 1206 bytes (1385 with debug)
SHA-256 ddcec3da1def12ad791ab81c84005f086f1ba4892112674735377fd4cb254071
SHA-1   1ea3801a0a082d7944b29da09eabb6b4bdc988d7
A>> T=1 (4+0010) 84F28002 0A 4F00463326C9DB782CAA 00
A<< (0040+2) (24ms) E3264F08A0000001510000009F700101C5039EFE80C407A0000001515350CC08A000000151000000 9000
A>> T=1 (4+0010) 84F24002 0A 4F000F86C2B3DCB309E1 00
A<< (0000+2) (18ms) 6A88
A>> T=1 (4+0010) 84F21002 0A 4F007CE735E8D1B65D05 00
A<< (0097+2) (39ms) E3254F07A00000015153509F700101CE02FFFF8408A000000151535041CC08A000000151000000E31B4F07A00000006202049F700101CE020100CC08A000000151000000E31B4F07A00000006202029F700101CE020103CC08A000000151000000 9000
A>> T=1 (4+0010) 84F22002 0A 4F005B89E43ADA1D95BC 00
A<< (0087+2) (38ms) E31B4F07A00000015153509F700101CE02FFFFCC08A000000151000000E31B4F07A00000006202049F700101CE020100CC08A000000151000000E31B4F07A00000006202029F700101CE020103CC08A000000151000000 9000
A>> T=1 (4+0037) 84E60200 25 10F0000000000000000000000000D1612208A0000001510000000000000576881E39D94D66
A<< (0001+2) (86ms) 00 9000
A>> T=1 (4+0255) 84E80000 FF C48204B601001ADECAFFED010204000010F0000000000000000000000000D1612202001F001A001F001400150022001C004203AC000D000000B0000C0006039002010004001502000107A0000000620001050107A00000006201010300140110F0000000000000000000000000D16123001306001C00800000FF000100000000810300FF00040400000029FFFF00210033070042000110188C00007A0140188C0001188B00027A05308F00033D181D1E8C00043B7A0110188C000504780110188C00057A00107A0121198B00062D188B000760037A7A0803AC000C00060006030002900003000003001000000000000000000000000000489EEA0FC1D798D8
A<< (0001+2) (130ms) 00 9000
A>> T=1 (4+0255) 84E80001 FF 000000030010F0000000000000000000000000D16123030020000000000000000000000000000000000000000000000000000000000000000003034E0550055A004CDEBC6F0D405DAE7182BD167D82757E1D84143120BAC2A8D2A2ED0C66E00DB94DDEBC6F0D405DAE7182BD167D82757E1D84143120BAC2A8D2A2ED0C66E00DB94D010001009DE9829D827FC8E306BFAFAFA7F23FFD0E1F087E8F4AAA3B22D3659A49A25BC86CCA34ECA806B0AFE591BB265179B8232D34A0A545FAB836FB90277AE3C4C58FDA4D6BAEE382050A8F69A42ED4F30D085E80310306513AA3F71D71C49F99228751908BC3D26E8CFD5836AFDF5A23A625C5E3D6F36BBB6FD4C2
A<< (0001+2) (48ms) 00 9000
A>> T=1 (4+0255) 84E80002 FF 5268E905A8C523015FA2645E4A1DCB4B9B44450AD180B2A36A4BEEAFADD6309AC8D469FEBF21EAB9DA993DF6768C7CC45F78915F96EFABBCF6B7B7DFCEF74F5834D8ADA83B94D5202A314F6E233E6738274C3448C59D053BDC1DCEA32EA142649FCA988180A33D3F271E17820BF3392C9FCD2E0C4C4F6885F9115A1BF827538C4344CC786452C6C673262A2C5A795B5B8748F4B99885B162F511B4085FAFA63F90D999DE8999CDBE0DF8BB614F211DA950B5163424D83F3EC688F21016C2DBB3C54E32A51D0F604407E10A7936F92E09D5EDB29330EC5AE4CD828A91ED65380440A74898FD83689E6778937393ACAF73C34E0EB324CFB1AC3D0600ACA9A224
A<< (0001+2) (52ms) 00 9000
A>> T=1 (4+0255) 84E80003 FF 64646F304BA0C69EE3C46366245C21C1AC190754ECBDBB7B01D25C47C61C4FC23A45ED0F4D4159AE8DD74DEFC8533DCD697259C2FB6FEEEAE755620CDDB8DC44F640188DB4B3C38710B7B7C9587E70013F3F3B8BB298EBC16109E8779C076320EFD853ED872046D6E990B559C1E719874AA9C3211400F649F56158AF5D75D335049FEF5E0B8512D35D8DF6B8685E0724D2C62DFFC80E5112010001009DE9829D827FC8E306BFAFAFA7F23FFD0E1F087E8F4AAA3B22D3659A49A25BC86CCA34ECA806B0AFE591BB265179B8232D34A0A545FAB836FB90277AE3C4C58FDA4D6BAEE382050A8F69A42ED4F30D085E80310306513AA3F71D7135DCA47AAE45C7DD
A<< (0001+2) (50ms) 00 9000
A>> T=1 (4+0230) 84E88004 E6 C49F99228751908BC3D26E8CFD5836AFDF5A23A625C55268E905A8C523015FA2645E4A1DCB4B9B44450AD180B2A36A4BEEAFADD6309AC8D469FEBF21EAB9DA993DF6768C7CC45F78915F96EFABBCF6B7B7DFCEF74F5834D8ADA83B94D5202A314F6E233E6738274C3448C59D053BDC1DCEA32EA142649FCA988180A33D3F271E17820BF3392C9FCD2E0C4C4F6885F9115A1BF827538C4344CC786452C6C673262A2C5A795B00000000050022000806800000068103000381030101000A00060000080600003003810A010381030309000D00000009050704060708080A05344618B7478F5BCD
A<< (0001+2) (326ms) 00 9000
CAP loaded
A>> T=1 (4+0010) 84F28002 0A 4F00ADFB631722C52A20 00
A<< (0000+2) (1s313ms) 6982
[main] WARN pro.javacard.gp.GPSession - GET STATUS failed for 80F28002024F0000 with 0x6982 (Security status not satisfied)
A>> T=1 (4+0010) 84F24002 0A 4F0043D3CA0DBDC42D53 00
A<< (0000+2) (9ms) 6982
[main] WARN pro.javacard.gp.GPSession - GET STATUS failed for 80F24002024F0000 with 0x6982 (Security status not satisfied)
A>> T=1 (4+0010) 84F21002 0A 4F0042609C330995AA37 00
A<< (0000+2) (9ms) 6982
[main] WARN pro.javacard.gp.GPSession - GET STATUS failed for 80F21002024F0000 with 0x6982 (Security status not satisfied)
A>> T=1 (4+0010) 84F22002 0A 4F0032C25C75BA9E864C 00
A<< (0000+2) (9ms) 6982
[main] WARN pro.javacard.gp.GPSession - GET STATUS failed for 80F22002024F0000 with 0x6982 (Security status not satisfied)
A>> T=1 (4+0065) 84E60C00 41 10F0000000000000000000000000D1612210F0000000000000000000000000D1612310F0000000000000000000000000D16123010002C900009D7BF880285E5896
A<< (0000+2) (15ms) 6982
Error: INSTALL [for install and make selectable] failed: 0x6982 (Security status not satisfied)

Log where it fails already during load

java -jar bin/gp_v20.01.23-7-g6347f0f_apdu4j_updated.jar -ivd -install JavaCardApplet_F0000000000000000000000000D16122_ddcec3da_3.0.4_jdk8.cap
SCardConnect("ACS ACR1252 1S CL Reader [ACR1252 Dual Reader PICC] 00 00", T=*) -> T=1, 3B8580018073C821100E
GlobalPlatformPro v20.01.23-7-g6347f0f
Running on Linux 6.8.9-100.fc38.x86_64 amd64, Java 1.8.0_292 by AdoptOpenJDK
A>> T=1 (4+0000) 00A40400 00 
A<< (0018+2) (12ms) 6F108408A000000151000000A5049F6501FF 9000
A>> T=1 (4+0000) 80CA9F7F 00 
A<< (0000+2) (10ms) 6985
A>> T=1 (4+0000) 00CA9F7F 00 
A<< (0000+2) (9ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(CPLC) not supported
A>> T=1 (4+0000) 80CA0042 00 
A<< (0000+2) (9ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(IIN) not supported
A>> T=1 (4+0000) 80CA0045 00 
A<< (0000+2) (10ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(CIN) not supported
Card Data: 
A>> T=1 (4+0000) 80CA0066 00 
A<< (0000+2) (10ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(Card Data) not supported
Card Capabilities: 
A>> T=1 (4+0000) 80CA0067 00 
A<< (0000+2) (9ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(Card Capabilities) not supported
A>> T=1 (4+0000) 80CA00E0 00 
A<< (0000+2) (9ms) 6985
[main] WARN pro.javacard.gp.GPData - GET DATA(Key Info Template) not supported
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
A>> T=1 (4+0008) 80500000 08 5916BD7CF6B1AE90 00
A<< (0028+2) (47ms) 0000835301531999183801020656987061FCEBA8822427BCBC17F6BD 9000
[main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[main] INFO pro.javacard.gp.GPSession - Session keys: ENC=D41F017494F868CD3C7716F8403DEBD5 MAC=3A363AC221B912CC31550F1FE7220E03 RMAC=2B0BDBA2C2835810FC0F0C5F929E7AE1, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
A>> T=1 (4+0016) 84820100 10 C393E3C171B108F3FA74546FAC345D5C
A<< (0000+2) (26ms) 9000
CAP file (v2.1), contains: applets for JavaCard 3.0.4
Package: id.digizen.card F0000000000000000000000000D16122 v0.0
Applet:  id.digizen.card.JavaCardApplet F0000000000000000000000000D16123
Import:  A0000000620001                   v1.0 java.lang
Import:  A0000000620101                   v1.5 javacard.framework
Generated by Oracle Corporation converter  [v3.2.0]
On Sat Jun 01 14:08:51 EEST 2024 with JDK 1.8.0_292 (AdoptOpenJDK)
Code size 1206 bytes (1385 with debug)
SHA-256 ddcec3da1def12ad791ab81c84005f086f1ba4892112674735377fd4cb254071
SHA-1   1ea3801a0a082d7944b29da09eabb6b4bdc988d7
A>> T=1 (4+0010) 84F28002 0A 4F001F9A247F16C00949 00
A<< (0040+2) (24ms) E3264F08A0000001510000009F700101C5039EFE80C407A0000001515350CC08A000000151000000 9000
A>> T=1 (4+0010) 84F24002 0A 4F0026F678E32B0743E7 00
A<< (0000+2) (16ms) 6A88
A>> T=1 (4+0010) 84F21002 0A 4F002A6138CD4EF97A35 00
A<< (0097+2) (39ms) E3254F07A00000015153509F700101CE02FFFF8408A000000151535041CC08A000000151000000E31B4F07A00000006202049F700101CE020100CC08A000000151000000E31B4F07A00000006202029F700101CE020103CC08A000000151000000 9000
A>> T=1 (4+0010) 84F22002 0A 4F0090461ABD55BA67BD 00
A<< (0087+2) (37ms) E31B4F07A00000015153509F700101CE02FFFFCC08A000000151000000E31B4F07A00000006202049F700101CE020100CC08A000000151000000E31B4F07A00000006202029F700101CE020103CC08A000000151000000 9000
A>> T=1 (4+0037) 84E60200 25 10F0000000000000000000000000D1612208A00000015100000000000051C123740556CBB7
A<< (0001+2) (85ms) 00 9000
A>> T=1 (4+0255) 84E80000 FF C48204B601001ADECAFFED010204000010F0000000000000000000000000D1612202001F001A001F001400150022001C004203AC000D000000B0000C0006039002010004001502000107A0000000620001050107A00000006201010300140110F0000000000000000000000000D16123001306001C00800000FF000100000000810300FF00040400000029FFFF00210033070042000110188C00007A0140188C0001188B00027A05308F00033D181D1E8C00043B7A0110188C000504780110188C00057A00107A0121198B00062D188B000760037A7A0803AC000C00060006030002900003000003001000000000000000000000000000434862CBC60F03AB
A<< (0001+2) (129ms) 00 9000
A>> T=1 (4+0255) 84E80001 FF 000000030010F0000000000000000000000000D16123030020000000000000000000000000000000000000000000000000000000000000000003034E0550055A004CDEBC6F0D405DAE7182BD167D82757E1D84143120BAC2A8D2A2ED0C66E00DB94DDEBC6F0D405DAE7182BD167D82757E1D84143120BAC2A8D2A2ED0C66E00DB94D010001009DE9829D827FC8E306BFAFAFA7F23FFD0E1F087E8F4AAA3B22D3659A49A25BC86CCA34ECA806B0AFE591BB265179B8232D34A0A545FAB836FB90277AE3C4C58FDA4D6BAEE382050A8F69A42ED4F30D085E80310306513AA3F71D71C49F99228751908BC3D26E8CFD5836AFDF5A23A625C567617B7DDBBEC402
A<< (0000+2) (935ms) 6982
Error: LOAD failed: 0x6982 (Security status not satisfied)
timolehto commented 2 months ago

I've dug into the pcscd logs and I can see that the actual error seems to be that we start to see these SCARD_E_SHARING_VIOLATION errors appear in the logs at some point during the install process and after bunch of those (I guess there's probalby some retry logic as the error seems to appera a bunch of times, but the exact amount varies quite a bit from 4 to 27), the command ultimately fails with the 0x6982 (Security status not satisfied) error. Any idea what could have changed related to handling these connections in https://github.com/martinpaljak/GlobalPlatformPro/commit/6347f0f5dc7eff1a48c22d498dc8007c8a0ff995? As said this is working fine prior to that commit and where I never see these errors or have any problems installing applets, but with that commit the issues begin. And also as said, strangely enough I also experience these exact same issues when using the GPShell from https://github.com/kaoh/globalplatform, which is presumably completely unrelated except of course for the underlying libpcsclite.so, but that's not bundled or updated and is also shared and used with the older GlobalPlatformPro versions that work fine, so how could that be the problem?

Here's a small excert of the logs

00000002 [139811161638592] winscard.c:352:SCardConnect() powerState: POWER_STATE_IN_USE
00004439 [139810981283520] <- 000000 80 2A 00 00 00 00 79 00 81 00 E3 26 4F 08 A0 00 00 01 51 00 00 00 9F 70 01 01 C5 03 9E FE 80 C4 07 A0 00 00 01 51 53 50 CC 08 A0 00 00 01 51 00 00 00 90 00
00000013 [139810981283520] SW: E3 26 4F 08 A0 00 00 01 51 00 00 00 9F 70 01 01 C5 03 9E FE 80 C4 07 A0 00 00 01 51 53 50 CC 08 A0 00 00 01 51 00 00 00 90 00
00000002 [139810981283520] winscard.c:1649:SCardTransmit() UnrefReader() count was: 3
00000002 [139811161638592] winscard.c:430:SCardConnect() Active Protocol: T=1
00000000 [139810981283520] winscard_svc.c:694:ContextThread() TRANSMIT for client 18, rv=SCARD_S_SUCCESS
00000012 [139811161638592] winscard.c:456:SCardConnect() hCard Identity: 4ff29d70
00000003 [139811161638592] winscard.c:518:SCardConnect() UnrefReader() count was: 2
00000002 [139811161638592] winscard_svc.c:523:ContextThread() CONNECT for client 13, rv=SCARD_S_SUCCESS
00000079 [139811161638592] winscard_svc.c:361:ContextThread() Received command: BEGIN_TRANSACTION from client 13
00000011 [139811161638592] readerfactory.c:866:RFReaderInfoById() RefReader() count was: 1
00000002 [139811161638592] winscard.c:1083:SCardBeginTransaction() Status: rv=SCARD_S_SUCCESS
00000001 [139811161638592] winscard.c:1086:SCardBeginTransaction() UnrefReader() count was: 2
00000001 [139811161638592] winscard_svc.c:575:ContextThread() BEGIN_TRANSACTION for client 13, rv=SCARD_S_SUCCESS
00000039 [139811161638592] winscard_svc.c:361:ContextThread() Received command: TRANSMIT from client 13
00000008 [139811161638592] readerfactory.c:866:RFReaderInfoById() RefReader() count was: 1
00000002 [139811161638592] winscard.c:1596:SCardTransmit() Send Protocol: T=1
00000003 [139811161638592] APDU: 00 A4 04 00 07 62 76 01 FF 00 00 00
00000003 [139811161638592] ifdhandler.c:1674:IFDHTransmitToICC() usb:072f/223b:libudev:0:/dev/bus/usb/001/027 (lun: 0)
00000002 [139811161638592] commands.c:1832:CmdXfrBlockAPDU_extended() T=0 (extended): 12 bytes
00000005 [139811161638592] -> 000000 6F 0C 00 00 00 00 7A 00 00 00 00 A4 04 00 07 62 76 01 FF 00 00 00
A<< (0040+2) (24ms) E3264F08A0000001510000009F700101C5039EFE80C407A0000001515350CC08A000000151000000 9000
A>> T=1 (4+0010) 84F24002 0A 4F00ECDBDCFB8FE84D16 00
00002448 [139810981283520] winscard_svc.c:361:ContextThread() Received command: TRANSMIT from client 18
00000009 [139810981283520] readerfactory.c:866:RFReaderInfoById() RefReader() count was: 2
00000001 [139810981283520] winscard.c:1649:SCardTransmit() UnrefReader() count was: 3
00000002 [139810981283520] winscard_svc.c:694:ContextThread() TRANSMIT for client 18, rv=SCARD_E_SHARING_VIOLATION
00006101 [139811161638592] <- 000000 80 02 00 00 00 00 7A 00 81 00 6A 82
00000006 [139811161638592] SW: 6A 82
00000002 [139811161638592] winscard.c:1649:SCardTransmit() UnrefReader() count was: 2
00000002 [139811161638592] winscard_svc.c:694:ContextThread() TRANSMIT for client 13, rv=SCARD_S_SUCCESS
00000060 [139811161638592] winscard_svc.c:361:ContextThread() Received command: END_TRANSACTION from client 13
timolehto commented 2 months ago

After further analysing the pcscd logs, I think I know why this happens. In the logs I can see 2 primary clients. There's client 13, which I'm not entirely sure what that is actually, but I presume it's some system service polling for cards in the reader. It is continously acquiring and releasing a lock on the reader to do a short transmit.

And then there is client 18, which is GlobalPlatformaPro. With versions prior to the commit https://github.com/martinpaljak/GlobalPlatformPro/commit/6347f0f5dc7eff1a48c22d498dc8007c8a0ff995? the logs show clearly that all of the TRANSMIT commands are wrapped inside BEGIN_TRANSACTION - END_TRANSACTION and this cuts off the client 13. However, with newer versions of GPP there is no trace of BEGIN_TRANSACTION for client 18, instead it just goes on with the TRANSMIT commands without establishing a transaction and then at random moment in the middle of client 18 issuing its TRANSMIT commands, client 13 activates again issues CONNECT, followed by BEGING_TRANSACTION and that's when client 18 gets its first SCARD_E_SHARING_VIOLATION and is never able to recover.

So, this is actually quite clear now. The original connect lines handled connecting like this, clearly establishing an exclusive transaction: https://github.com/martinpaljak/GlobalPlatformPro/blob/2d4bb36c145bd8c13606f12aa14e6e29d8ecef78/tool/src/main/java/pro/javacard/gp/GPTool.java#L190-L194

but with the breaking commit, it was reduced to just this and no calls to begin (or end) exclusives exists https://github.com/martinpaljak/GlobalPlatformPro/blob/6347f0f5dc7eff1a48c22d498dc8007c8a0ff995/tool/src/main/java/pro/javacard/gp/GPTool.java#L67

So, the fix is to reintroduce exclusive transaction locks. Shouldn't be that difficult to recover the old behaviour.

timolehto commented 2 months ago

I created a PR to restore the old behaviour. Works great for me: https://github.com/martinpaljak/GlobalPlatformPro/pull/356