I encountered problems when I tried to put the public RSA key on the Supplementary Security Domain (SSD) with the Delegate Management(DM) privs to smart card using the GPShell utility. What I do:
1) I generate a private key using the options:
openssl genrsa -out ./pr.pem -des -passout pass:12345678 1024
2) Based on it, I generate a public key:
openssl rsa -in ./pr.pem -pubout -out pub.pem
3) I create on the smart card a domain with Delegated Management privs with the help of Global Platform Pro:
gp keys --domain A000000004000001 --privs DelegatedManagement
Reuslt:
DOM: A000000004000001 (SELECTABLE)
Privs: SecurityDomain, DelegatedManagement
4) I install the keys MAC, ENC and DEK (By Global Platform Pro):
gp --sdaid A000000004000001 -lock [key]
Domain became PERSONALIZED:
DOM: A000000004000001 (PERSONALIZED)
Privs: SecurityDomain, DelegatedManagement
5) With the help of GPShell I try to put the public RSA key to the domain:
mode_211
enable_trace
enable_timer
establish_context
command time: 4 ms
card_connect
command time: 61 ms
select -AID A000000004000001
Command --> 00A4040008A000000004000001
Wrapped command --> 00A4040008A000000004000001
Response <-- 6F108408A000000004000001A5049F6501FF9000
command time: 59 ms
open_sc -scp 2 -security 3 -scpimpl 0x15 -keyver 0 -mac_key [key_mac] -enc_key [key_enc] -kek_key [key_kek]
Command --> 8050000008275D44D56FE9B1C300
Wrapped command --> 8050000008275D44D56FE9B1C300
Response <-- 000172850008B6DE043C01020000CA5C85B8CA6F97B71320C829ABD79000
Command --> 8482030010BA266EA9661D13493D3DC8FED7F45961
Wrapped command --> 8482030010BA266EA9661D13493D3DC8FED7F45961
Response <-- 9000
command time: 260 ms
put_dm_keys -keyver 0 -newkeyver 2 -file pub.pem -pass [The_key_is_8_characters_in_length] -key [The_key_is_64_characters_in_length]
Command --> 80D80001A002A1803BAC9523A55469AF1035251FBFF034BB324CE3720808430AE6D8C2473D548CA86A6E1C4BF94EEB899C67D6EAD11A995D77F914654473BB7E088CB930CE953893BA01372CE4D128D980AB5B5657764E26AB1F6B01B954CF77554DD191309F1BFBD356ABAC8ADE1BCD87B83C6FC868F6FFE08A9C6DE02A1FFA9285E184EFAE7ACE00A00301000100801085272E4D9EF376D285272E4D9EF376D2038CA64D00
Wrapped command --> 84D80001B0ACA2E440664B9437FF05EAC64B0119C732BCCE420A5D3AD8DD96CB3C6C23CA46BE0E4ACC85F76D06FC5AB6A98B85726729320253F53D4079A331A4A1EA66F0FE64B83F18FB544B9E81B2A72BA5CD653ABE3E4C5783231DA1ED4F726C0D2A34C2FD5A75532A6A21690E4C0292125617D68D140E93EB815700507B940265B2E7A4E871095B9B4AC70067348132BF4E3650CA23B0B0D130738F6C6248337344F36C753A3BA4ABD3B54A9C3AB047A0807F0800
Response <-- 6A86
put_delegated_management_keys() returns 0x80206A86 (6A86: Incorrect parameters (P1, P2).)
Gives out the error parameters P1, P2, but I can not understand what the problem is and what I'm doing wrong. It is possible that the length of the password or the key, or their appearance, does not. Is it possible to somehow load keys with the help of Global Platform Pro or is it possible only with the help of GPShell?
UPDATE:
Since the use of third-party programs did not really help me, I decided to try to compose the APDU command manually, but got confused in the DATE parameter from the Global Platform 11.8.2 specification. There are two formats for the transfer of keys, but I can not understand which one to use and in what form the RSA key is to be passed.
Below is my algorithm of actions, which, unfortunately, did not lead to a positive result:
I set :
CLA: 80
INS: D8
P1: 00 - because key not exist (I think)
P2: 01 - key identifier
LC: Total data length
DATA: Format 1 or Format 2 ??? (11.8.2.3 Data Field Sent in the Command Message)
But I did not understand a bit of which formats I should choose for the key data field.
I trying Format 1:
Key type: A0 (RSA Public Key - public exponent e component (clear text) from paragraph 11.1.8 Key Type Coding)
Length of key or key component data: Key Length
Key or key component data value: If i load RSA public key generated by openssl Unix tool I need to translate the generated key into the HEX format. For example I generate public RSA key:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOeq7vhOGFkvofKuBtnIrg//Zo
yG88uIfNG96KrKtW0/sbnzCR0U1Vd89UuQFrH6smTnZXVlurgNko0eQsNwG6kziV
zjC5jAh+u3NEZRT5d12ZGtHq1mecietO+UscbmqojFQ9R8LY5gpDCAhy40wyuzTw
vx8lNRCvaVSlI5WsOwIDAQAB
Translate it In HEX format:
4d4947664d413047435371475349623344514542415155414134474e4144434269514b426751444f65713776684f47466b766f664b7542746e4972672f2f5a6f794738387549664e4739364b724b7457302f73626e7a43523055315664383955755146724836736d546e5a58566c7572674e6b6f306551734e7747366b7a69567a6a43356a41682b75334e455a5254356431325a47744871316d65636965744f2b557363626d716f6a46513952384c59356770444341687934307779757a54777678386c4e5243766156536c493557734f77494441514142
Length of key check value: 00 (I don't set check value because it is not mandatory, but i think I must calculate it...)
Key check value: -
Total Data key part:
A0 D7 4d4947664d413047435371475349623344514542415155414134474e4144434269514b426751444f65713776684f47466b766f664b7542746e4972672f2f5a6f794738387549664e4739364b4b7457302f73626e7a43523055315664383955755146724836736d546e5a58566c7572674e6b6f306551734e7747366b7a69567a6a43356a41682b75334e455a5254356431325a47744871316d65636965744f2b557363626d716f6a46513952384c59356770444341687934307779757a54777678386c4e5243766156536c493557734f77494441514142
00
As a result, I received an APDU command of the following form:
80D80001DAAOD74d4947664d413047435371475349623344514542415155414134474e4144434269514b426751444f65713776684f47466b766f664b7542746e4972672f2f5a6f794738387549664e4739364b4b7457302f73626e7a43523055315664383955755146724836736d546e5a58566c7572674e6b6f306551734e7747366b7a69567a6a43356a41682b75334e455a5254356431325a47744871316d65636965744f2b557363626d716f6a46513952384c59356770444341687934307779757a54777678386c4e5243766156536c493557734f7749444151414200
But in return I get error "6A80 - The parameters in the data field are incorrect."
Please tell me where I could make a mistake or I used an inappropriate format.
