I am trying to develop Java Card applications. I am using the newest Eclipse 4.4.2, the Java Card SDK 2.2.2, and the Eclipse Java Card Development Environment (EclipseJCDE). Previously I succeeded with the JCWDE Java Card Emulator and the APDU Tool. I was using a very basic applet that I had found in this tutorial (youtube: Tutorial 1 Java Card Master SID ENSET 20 01 14) and it was working flawlessly. What I would like to do is deploy this applet to a real Java Card (brand new Gemalto IDCore 3010), but I haven't managed so far.

I have also found this clever and straightforward tutorial (youtube: Developing on Java Card JCOP Hardware Tutorial w/ Python) about deploying applets on real cards, but it just doesn't work for me. After creating a very basic applet it uses the so-called Global Platform Pro command line interface - very handy indeed - to load and manage the applets. Sadly I fail right after the first command, which would dump the ATR of the smartcard (gp -i command). This is the error message that I get after re-running the command with -d -v -i switches:

C:\JavaCard\GP>gp -d -v -i
# Detected readers from SunPCSC
[*] OMNIKEY AG Smart Card Reader USB 0
SCardConnect("OMNIKEY AG Smart Card Reader USB 0", T=*) -> T=0, 3B7D96000080318065B0831111AC83009000
SCardBeginTransaction("OMNIKEY AG Smart Card Reader USB 0")
Reader: OMNIKEY AG Smart Card Reader USB 0
ATR: 3B7D96000080318065B0831111AC83009000
More information about your card:
    http://smartcard-atr.appspot.com/parse?ATR=3B7D96000080318065B0831111AC83009000

A>> T=0 (4+0000) 00A40400 00
A<< (0027+2) (646ms) 6F198408A000000018434D00A50D9F6E061291518101009F6501FF 9000

Auto-detected ISD AID: A000000018434D00
***** Card info:
A>> T=0 (4+0000) 80CA9F7F 00
A<< (0045+2) (12ms) 9F7F2A40705072129151810100927100004DCDC6C0033201190333011903
340119000000610000000000000000 9000
Card CPLC:
ICFabricator: 4070
ICType: 5072
OperatingSystemID: 1291
OperatingSystemReleaseDate: 5181
OperatingSystemReleaseLevel: 0100
ICFabricationDate: 9271
ICSerialNumber: 00004DCD
ICBatchIdentifier: C6C0
ICModuleFabricator: 0332
ICModulePackagingDate: 0119
ICCManufacturer: 0333
ICEmbeddingDate: 0119
ICPrePersonalizer: 0334
ICPrePersonalizationEquipmentDate: 0119
ICPrePersonalizationEquipmentID: 00000061
ICPersonalizer: 0000
ICPersonalizationDate: 0000
ICPersonalizationEquipmentID: 00000000
***** CARD DATA
A>> T=0 (4+0000) 80CA0066 00
A<< (0000+2) (5ms) 6A88
NO CARD DATA
***** KEY INFO
A>> T=0 (4+0000) 80CA00E0 00
A<< (0020+2) (11ms) E012C00401FF8110C00402FF8110C00403FF8110 9000
SCardEndTransaction()
SCardDisconnect("OMNIKEY AG Smart Card Reader USB 0", false)
Exception in thread "main" java.lang.RuntimeException: pro.javacard.gp.GPKeySet$GPKey currently only support DES and AES keys
        at pro.javacard.gp.GPKeySet$GPKey.<init>(GPKeySet.java:80)
        at pro.javacard.gp.GPData.get_key_template_list(GPData.java:145)
        at pro.javacard.gp.GlobalPlatform.getKeyInfoTemplate(GlobalPlatform.java:268)
        at pro.javacard.gp.GPData.print_card_info(GPData.java:260)
        at pro.javacard.gp.GPTool.main(GPTool.java:339)

The other command that would list what is on the card returns an even worse error message:

pro.javacard.gp.GPException: STRICT WARNING: Card cryptogram invalid!
Card: 6B7F3BA2EF7DFC99
Host: 0FCFF9EDF25027BA
!!! DO NOT RE-TRY THE SAME COMMAND/KEYS OR YOU MAY BRICK YOUR CARD !!!
        at pro.javacard.gp.GlobalPlatform.printStrictWarning(GlobalPlatform.java:184)
        at pro.javacard.gp.GlobalPlatform.openSecureChannel(GlobalPlatform.java:513)
        at pro.javacard.gp.GPTool.main(GPTool.java:371)

Since this Global Platform Pro was not working, I tried working with the less manageable standard Global Platform Interface (sourceforge: GPShell), but without any luck. Even when I tried to run their sample scripts that were given originally, I got the same error message. Having run the GPShell.exe list.txt for example (that would list the applets on the card), I got the output that the application to be selected could not be found, which I don't understand.

I copy the source code here just in case, but that shouldn't be the problem as it worked with the emulator:

package jctest;

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;

public class JCTest extends Applet {

    private byte counter = 0;
    private final static byte CLS = (byte) 0xB0;
    private final static byte INC = (byte) 0x00;
    private final static byte DEC = (byte) 0x01;
    private final static byte GET = (byte) 0x02;
    private final static byte INIT = (byte) 0x03;

    private JCTest() {
    }

    public static void install(byte bArray[], short bOffset, byte bLength) throws ISOException {
        new JCTest().register();
    }

    public void process(APDU apdu) throws ISOException {
        if (this.selectingApplet())
            return;
        byte[] buffer = apdu.getBuffer();
        if (buffer[ISO7816.OFFSET_CLA] != CLS)
            ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
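        switch (buffer[ISO7816.OFFSET_INS]) {
        case INC: // increment the counter
            ++counter;
            break;
        case DEC: // decrement the counter
            --counter;
            break;
        case GET: // return the counter as a one-byte response
            buffer[0] = counter;
            apdu.setOutgoingAndSend((short) 0, (short) 1);
            break;
        case INIT: // set the counter from the first command data byte
            apdu.setIncomingAndReceive();
            counter = buffer[ISO7816.OFFSET_CDATA];
            break;
        default: // reject unknown instructions instead of answering 9000
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }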
    }
}

After many days of trying I am sort of desperate that I can't make my brand new Java Cards work. When I insert the card into the reader, the computer only recognizes that, but not the card itself since it doesn't find a driver (I also couldn't find one, but I think that it is not essential to make things work). The task is supposed to be very simple, I just want to use an already working applet on a real Java Card. What is wrong? What am I missing?

After having finally run the gp -i command successfully, this is what I get as the output for the command: gp -visa2 -key 47454D5850524553534F53414D504C45 -unlock -virgin -d -v

C:\JavaCard\GP>gp -visa2 -key 47454D5850524553534F53414D504C45 -unlock -virgin -d -v
# Detected readers from SunPCSC
[*] OMNIKEY CardMan 3x21 0
SCardConnect("OMNIKEY CardMan 3x21 0", T=*) -> T=0, 3B7D96000080318065B0831111AC83009000
SCardBeginTransaction("OMNIKEY CardMan 3x21 0")
Reader: OMNIKEY CardMan 3x21 0
ATR: 3B7D96000080318065B0831111AC83009000
More information about your card:
    http://smartcard-atr.appspot.com/parse?ATR=3B7D96000080318065B0831111AC83009000

A>> T=0 (4+0000) 00A40400 00
A<< (0027+2) (645ms) 6F198408A000000018434D00A50D9F6E061291518101009F6501FF 9000

Auto-detected ISD AID: A000000018434D00
A>> T=0 (4+0008) 80500000 08 0681B19093C4A93B 00
A<< (0028+2) (72ms) 4D00927100004DD4C6C0FF01E87D06549F536080A8D1AB091B6BBE07 9000
Host challenge: 0681B19093C4A93B
Card challenge: E87D06549F536080
Card reports SCP01 with version 255 keys
Master keys:
Version 0
ENC: Ver:0 ID:0 Type:DES3 Len:16 Value:47454D5850524553534F53414D504C45
MAC: Ver:0 ID:0 Type:DES3 Len:16 Value:47454D5850524553534F53414D504C45
KEK: Ver:0 ID:0 Type:DES3 Len:16 Value:47454D5850524553534F53414D504C45
Diversififed master keys:
Version 0
ENC: Ver:0 ID:0 Type:DES3 Len:16 Value:5B9387DE5E618B12760EBE6037B077AC
MAC: Ver:0 ID:0 Type:DES3 Len:16 Value:5454366589B6AE522F58EE7072C101DF
KEK: Ver:0 ID:0 Type:DES3 Len:16 Value:72590E8782F97E80406E4B66199B7CB2
Derived session keys:
Version 0
ENC: Ver:0 ID:0 Type:DES3 Len:16 Value:87B5171538F81656E88F60D4818CEB8A
MAC: Ver:0 ID:0 Type:DES3 Len:16 Value:E9E45A4046E1316200E9E1787A7E9CD0
KEK: Ver:0 ID:0 Type:DES3 Len:16 Value:72590E8782F97E80406E4B66199B7CB2
Verified card cryptogram: A8D1AB091B6BBE07
Calculated host cryptogram: 8E1CE84781FA24C3
A>> T=0 (4+0016) 84820100 10 8E1CE84781FA24C34BEFC7F70A76E60F
A<< (0000+2) (36ms) 9000
A>> T=0 (4+0008) 84CA00E0 08 E59D6ECDF1B764ED 00
A<< (0020+2) (13ms) E012C00401FF8110C00402FF8110C00403FF8110 9000
Replace: false
PUT KEY:Ver:1 ID:1 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
PUT KEY:Ver:1 ID:2 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
PUT KEY:Ver:1 ID:3 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
A>> T=0 (4+0008) 84CA00E0 08 2B4AD25011601191 00
A<< (0020+2) (13ms) E012C00401FF8110C00402FF8110C00403FF8110 9000
A>> T=0 (4+0075) 84D80081 4B 0180100F8DB2F2600B53F9002C36CB377D55AF038BAF4780100F8DB2F2600B53F9002C36CB377D55AF038BAF4780100F8DB2F2600B53F9002C36CB377D55AF038BAF47B387704000A3A1AA
A<< (0000+2) (49ms) 6A80
pro.javacard.gp.GPException: PUT KEY failed SW: 6A80
        at pro.javacard.gp.GlobalPlatform.check(GlobalPlatform.java:1092)
        at pro.javacard.gp.GlobalPlatform.putKeys(GlobalPlatform.java:993)
        at pro.javacard.gp.GPTool.main(GPTool.java:555)

Solution: A new GlobalPlatformPro release was necessary for this specific Gemalto card.

The command that lists the applets on the card:

gp -visa2 -key 47454D5850524553534F53414D504C45 -l
bp14
  • Do you have Gemalto Developer Suite? – Ebrahim Ghasemi Mar 21 '15 at 19:02
  • @Abraham: I don't, but I heard that the JCardManager wasn't working with the new open platform cards, and also I have found [this thread](http://stackoverflow.com/questions/3351812/installing-gemalto-developer-suite-on-windows-7) saying that it is not working properly on Windows 7 64-bit, which is the operating system that I'm using. – bp14 Mar 21 '15 at 19:20

2 Answers

3

Mutual authentication is a mandatory step for uploading and installing applets on smart cards (and also for listing installed applets and packages). Different cards use different cryptography algorithms for this mutual authentication procedure. It seems that your card is using an algorithm that GlobalPlatformPro does not support. You must take a look at the card's datasheet to see which algorithm your card uses.

About GPShell: There is an entity on the cards that is named "Security Domain". This entity is responsible for loading, installing and listing applets. It has an AID and you must select it with the SELECT APDU command. There is an AID in the list.txt script and you must replace it with the AID of the SD of your card.
And about the driver alert: It's OK! I have the same pop-up alert when I insert my card in the reader, but everything works fine.

Finally, please don't try to test other tools in this way! 10 failures in mutual authentication in a row lock the card (not usable anymore).

Ebrahim Ghasemi
  • The GlobalPlatformPro error message states that GPKey currently only supports DES and **AES** keys. In the datasheet under the cryptographic algos section you can find this: symmetric: 3DES (ECB, CBC), **AES (128, 192, 256 bits)**, that is, it looks like that it supports AES keys, so I still don't understand. At least now I know that it should be okay without a card driver. Thanks! – bp14 Mar 21 '15 at 19:07
  • @bp14 Adding output of `gp -i` to your question may help the viewers to help you. – Ebrahim Ghasemi Mar 21 '15 at 19:31
  • I updated the question with the output of the `gp -d -v -i` command. – bp14 Mar 21 '15 at 20:02
  • In the _list.txt_ file I changed the SD as you suggested (to A000000003000000 as it is a GP211 card). I also changed the default _mode_201_ to _mode_211_, but I didn't change the other commands. I got this output: `mode_211 enable_trace establish_context card_connect select -AID A000000003000000 Command --> 00A4040008A000000003000000 Wrapped command --> 00A4040008A000000003000000 Response <-- 6A82 select_application() returns 0x80216A82 (6A82: The application to be selected could not be found.)` Do I need to change the other things as well? Should I set the readerName after `card_connect`? – bp14 Mar 21 '15 at 20:45
  • @bp14 As I see in the output of `gp -i -d -v`, the AID of your card's ISD is `A000000018434D00` – Ebrahim Ghasemi Mar 22 '15 at 05:30
  • You must replace the above AID in the list.txt. And if your reader is not a dual interface reader you don't need to specify it in the script. Specifying the reader is necessary in situations where two different readers are connected, or your connected reader is a dual one and the tool's default reader is not the one that you want. – Ebrahim Ghasemi Mar 22 '15 at 05:37
  • Thanks, it was indeed the correct AID. I opened a [new thread](http://stackoverflow.com/questions/29195907/opening-a-secure-connection-with-java-card-and-global-platform) with this question, concentrating on the `open_sc` command. If I get an error message like _referenced data not found_, is that also a failure in mutual authentication? – bp14 Mar 22 '15 at 15:08
2

GlobalPlatformPro README has a well-placed (well-hidden?) hint on this one:

Set the default 40..4F keys to a card that uses VISA2 diversification with the well-known mother key on a Gemalto card:

gp -visa2 -key 47454D5850524553534F53414D504C45 -unlock

But keep in mind that you need to know the keying material. The hints are only for well-known public cases.

Martin Paljak
  • I tried this but sadly it won't work. I get the same error message, that GPKey currently only supports DES and AES keys... In the datasheet it clearly states that it supports these: Symmetric: 3DES (ECB, CBC), AES (128, 192, 256 bits), so I don't understand. – bp14 Mar 22 '15 at 22:20
  • The natural thing to do would be to file a bug request when you see an exception in software. The used key type (81) is RESERVED according to GP specification, so a card-specific hack needs to be introduced. Where did you get your card from and did it come with keying information? – Martin Paljak Mar 23 '15 at 05:20
  • Please go try a newer version of GPPro from Git. https://github.com/martinpaljak/GlobalPlatformPro/commit/e175a632b6ef651d365f6a52636160a2d5b02910 – Martin Paljak Mar 23 '15 at 05:22
  • Indeed, this was a regression (and a strangeness from Gemalto) that got fixed by the last commit. Go fetch the new release: https://github.com/martinpaljak/GlobalPlatformPro/releases/tag/v0.3.4 – Martin Paljak Mar 23 '15 at 12:36
  • I think the tool needs another patch for the following problem also. Please take a look at it. It is updated after your last view: http://stackoverflow.com/questions/28512945/java-card-weird-response-to-long-aid-and-short-aid-applets – Ebrahim Ghasemi Mar 23 '15 at 20:35
  • Thanks! I tried the gp -i command and it worked, however I still have problems with `gp -l`: _Card cryptogram invalid!_ I also ran `gp -visa2 -key 47454D5850524553534F53414D504C45 -unlock`, but I got an error message: _pro.javacard.gp.GPException: STRICT WARNING: Trying to replace factory keys, when you need to add new ones? Is this a virgin card? (use --virgin)_. I want to be sure before running the commands, because I don't want to break my card. Btw I got my card from a local gemalto distributor, but they only gave me the card with the mother key. Thank you for your help! @MartinPaljak – bp14 Mar 23 '15 at 21:55
  • Your card uses visa2 diversification and the master key is (probably) 47454D5850524553534F53414D504C45. You don't have to unlock (change the keys), you can easily keep on using the default Gemalto master key: `gp -visa2 -key 47454D5850524553534F53414D504C45 -l` – Martin Paljak Mar 24 '15 at 07:37
  • Thank you! I successfully listed the applets on the card and uploaded the sample cap file of GlobalPlatform. – bp14 Mar 24 '15 at 22:44
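
Added example (not part of the thread and not GlobalPlatformPro code): a small BER-TLV decoder in Python applied to two responses from the trace in the question. It extracts the ISD AID from the SELECT response, the value that GPShell's list.txt needed, and shows that every entry of the GET DATA 00E0 key template carries type 0x81, which is neither of the DES (0x80) and AES (0x88) types the exception names. The function names are this example's own.

```python
# Added example: decode the SELECT and GET DATA 00E0 responses from the gp trace.
# Key types the gp error message names as supported; anything else is "other".
KEY_TYPES = {0x80: "DES", 0x88: "AES"}

def tlv(data):
    """Yield (tag, value) pairs from BER-TLV bytes."""
    i = 0
    while i < len(data):
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:  # two-byte tag such as 9F6E
            tag = (tag << 8) | data[i]
            i += 1
        length = data[i]
        i += 1
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated TLV")
        yield tag, data[i:i + length]
        i += length

def isd_aid(select_response):
    """Return the AID (tag 84) inside the FCI template (tag 6F)."""
    for tag, fci in tlv(select_response):
        if tag == 0x6F:
            for inner, value in tlv(fci):
                if inner == 0x84:
                    return value.hex().upper()
    raise ValueError("no AID in FCI")

def key_info(response):
    """Decode each C0 entry (id, version, type, length) of template E0."""
    keys = []
    for tag, template in tlv(response):
        if tag == 0xE0:
            for inner, v in tlv(template):
                if inner == 0xC0 and len(v) >= 4:
                    keys.append({"id": v[0], "version": v[1], "type": v[2],
                                 "length": v[3], "name": KEY_TYPES.get(v[2], "other")})
    return keys

# Response bytes copied from the trace in the question (status word 9000 removed).
SELECT_RSP = bytes.fromhex("6F198408A000000018434D00A50D9F6E061291518101009F6501FF")
KEY_RSP = bytes.fromhex("E012C00401FF8110C00402FF8110C00403FF8110")

if __name__ == "__main__":
    print(isd_aid(SELECT_RSP), key_info(KEY_RSP))
```

Running it prints the AID A000000018434D00 and three keys with version 255, type 0x81 and length 16, which matches the "SCP01 with version 255 keys" line in the later trace.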