Installing applet to newly created SSD fails with 0x6985 (Conditions of use not satisfied) #306

Open
asdfjkl opened this issue Feb 3, 2023 · 0 comments

I am trying to create a supplemental security domain (SSD) and install a hello world application to it. The card is an NXP J3H145.
Using

# gp --version
# GlobalPlatformPro 325fe84

the creation of the SSD and key installation works, but installing the applet fails with

0x6985 (Conditions of use not satisfied)

Briefly:

java -jar gp.jar --domain A000000151000001 --allow-to --allow-from
Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
Notice: 0x81 already in parameters or no parameters

java -jar gp.jar --connect A000000151000001 --lock 404142434445464748494A4B4C4D4E4F
Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
Looking at key version
A000000151000001 locked with: 404142434445464748494A4B4C4D4E4F
Write this down, DO NOT FORGET/LOSE IT!

java -jar gp.jar --install ../JCHelloWorld/cap/hw.cap --to A000000151000001
Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
Applet loading not allowed. Are you sure the domain can accept it?
Error: INSTALL [for load] failed: 0x6985 (Conditions of use not satisfied)

If I replace (only) in the first step (the creation of the security domain) gp.jar with an old version, namely:

GlobalPlatformPro 18.09.14-0-gb439b52

everything installs fine.

Log for creating SSD with latest version (# GlobalPlatformPro 325fe84, Release v20.01.23) of gp.jar:

user@kallisto:~/MyFiles/workspace/gp$ java -jar gp.jar -dvi --domain A000000151000001 --allow-to --allow-from
# 
# gp -dvi --domain A000000151000001 --allow-to --allow-from
SCardConnect("SCM Microsystems Inc. SCL010 Contactless Reader [SCL010 Contactless Reader] (00000741000005) 00 00", T=*) -> T=1, 3B80800101
# GlobalPlatformPro 325fe84
# Running on Linux 5.15.0-58-generic amd64, Java 17.0.5 by Private Build
A>> T=1 (4+0000) 00A40400 00 
A<< (0018+2) (24ms) 6F108408A000000151000000A5049F6501FF 9000
[DEBUG] GPSession - Auto-detected ISD: A000000151000000
A>> T=1 (4+0000) 80CA9F7F 00 
A<< (0045+2) (14ms) 9F7F2A4790050382116351030280480093540734694E3050383037474D32313030393335341300011EFD121047 9000
[WARN] GPData - Invalid CPLC date: 474D
[WARN] GPData - Invalid CPLC date: 011E
CPLC: ICFabricator=4790
      ICType=0503
      OperatingSystemID=8211
      OperatingSystemReleaseDate=6351 (2016-12-16)
      OperatingSystemReleaseLevel=0302
      ICFabricationDate=8048 (2018-02-17)
      ICSerialNumber=00935407
      ICBatchIdentifier=3469
      ICModuleFabricator=4E30
      ICModulePackagingDate=5038 (2015-02-07)
      ICCManufacturer=3037
      ICEmbeddingDate=474D (invalid date format)
      ICPrePersonalizer=3231
      ICPrePersonalizationEquipmentDate=3030 (2013-01-30)
      ICPrePersonalizationEquipmentID=39333534
      ICPersonalizer=1300
      ICPersonalizationDate=011E (invalid date format)
      ICPersonalizationEquipmentID=FD121047

A>> T=1 (4+0000) 80CA0042 00 
A<< (0003+2) (12ms) 420100 9000
IIN: 420100
A>> T=1 (4+0000) 80CA0045 00 
A<< (0010+2) (13ms) 45080000000000000000 9000
CIN: 45080000000000000000
Card Data: 
A>> T=1 (4+0000) 80CA0066 00 
A<< (0065+2) (15ms) 663F733D06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040300660C060A2B060104012A026E0102 9000
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.1.1
-> GP Version: 2.1.1
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.3.0
-> GP SCP03 i=00
Tag 66: 1.3.6.1.4.1.42.2.110.1.2
-> JavaCard v2
Card Capabilities: 
A>> T=1 (4+0000) 80CA0067 00 
A<< (0060+2) (14ms) 673A6738A006800102810155A00A8001038102001082010781039EFE8082031E03008301028504010208408602040887040102084088050102030405 9000
[WARN] GPData - Bogus data detected, fixing double tag
Supports SCP02 i=55
Supports SCP03 i=00 i=10 with AES-128 AES-196 AES-256
Supported DOM privileges: SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration
Supported APP privileges: CardLock, CardTerminate, CardReset, CVMManagement, FinalApplication, GlobalService
Supported LFDB hash: SHA-256
Supported Token Verification ciphers: RSA1024_SHA1, ECCP521_SHA512
Supported Receipt Generation ciphers: DES_MAC
Supported DAP Verification ciphers: RSA1024_SHA1, ECCP521_SHA512
Supported ECC Key Parameters: 0102030405
A>> T=1 (4+0000) 80CA00E0 00 
A<< (0020+2) (18ms) E012C00401018810C00402018810C00403018810 9000
Version:   1 (0x01) ID:   1 (0x01) type: AES          length:  16 (AES-128)
Version:   1 (0x01) ID:   2 (0x02) type: AES          length:  16 (AES-128)
Version:   1 (0x01) ID:   3 (0x03) type: AES          length:  16 (AES-128)

Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
[INFO] GPSession - Using card master keys with version 0 for setting up session [MAC] 
A>> T=1 (4+0008) 80500000 08 39CC4BB182ED4137 00
A<< (0029+2) (99ms) 000080480093540734690103004CCBC99C893977D7AD5CF3670800EBF5 9000
[DEBUG] GPSession - SSC: null
[DEBUG] GPSession - Host challenge: 39CC4BB182ED4137
[DEBUG] GPSession - Card challenge: 4CCBC99C893977D7
[DEBUG] GPSession - Card reports SCP03 with key version 1 (0x01)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 504A77) MAC=404142434445464748494A4B4C4D4E4F (KCV: 504A77) DEK=404142434445464748494A4B4C4D4E4F (KCV: 504A77) for SCP03
[INFO] GPSession - Session keys: ENC=833FBDEFA83956FA04B792E60C0553D4 MAC=C829CCFEE8234598154CD6CB7367C473 RMAC=71D8CB54B5444EE0540AC1359838002D
[DEBUG] GPSession - Verified card cryptogram: AD5CF3670800EBF5
[DEBUG] GPSession - Calculated host cryptogram: 4FD115BB0A2F3AA8
A>> T=1 (4+0016) 84820100 10 4FD115BB0A2F3AA865EA344281B09E40
A<< (0000+2) (153ms) 9000
A>> T=1 (4+0010) 84F28002 0A 4F003BE13DF6D7854E66 00
A<< (0044+2) (112ms) E32A4F08A0000001510000009F700107C5039EFE80C407A0000000620001CE020100CC08A000000151000000 9000
A>> T=1 (4+0010) 84F24002 0A 4F00D489B4B0D6449D29 00
A<< (0042+2) (102ms) E3284F08A0000006472F00019F700107C503000000C405A000000647CE020000CC08A000000151000000 9000
A>> T=1 (4+0010) 84F21002 0A 4F00962D908C66E479D8 00
A<< (0048+2) (103ms) E3174F07A00000015153509F7001018408A000000151535041E3154F05A0000006479F7001018408A0000006472F0001 9000
A>> T=1 (4+0010) 84F22002 0A 4F007646D5E00614BFE2 00
A<< (0028+2) (102ms) E30D4F07A00000015153509F700101E30B4F05A0000006479F700101 9000
# Note: using detected default AID-s for SSD instantiation: A000000151535041 from A0000001515350
Notice: 0x81 already in parameters or no parameters
# Final parameters: 
A>> T=1 (4+0040) 84E60C00 28 07A000000151535008A00000015153504108A000000151000001018002C9000084390249FF369091
A<< (0001+2) (2s932ms) 00 9000
SCardDisconnect("SCM Microsystems Inc. SCL010 Contactless Reader [SCL010 Contactless Reader] (00000741000005) 00 00", true) tx:179/rx:441

Log with version GlobalPlatformPro 18.09.14-0-gb439b52 (Release 18.09.14):

user@kallisto:~/MyFiles/workspace/gp$ java -jar gp_tmp.jar -dvi --domain A000000151000001 --allow-to --allow-from
GlobalPlatformPro 18.09.14-0-gb439b52
Running on Linux 5.15.0-58-generic amd64, Java 17.0.5 by Private Build
# Detected readers from JNA2PCSC
[*] SCM Microsystems Inc. SCL010 Contactless Reader [SCL010 Contactless Reader] (00000741000005) 00 00
SCardConnect("SCM Microsystems Inc. SCL010 Contactless Reader [SCL010 Contactless Reader] (00000741000005) 00 00", T=*) -> T=1, 3B80800101
SCardBeginTransaction("SCM Microsystems Inc. SCL010 Contactless Reader [SCL010 Contactless Reader] (00000741000005) 00 00")
Reader: SCM Microsystems Inc. SCL010 Contactless Reader [SCL010 Contactless Reader] (00000741000005) 00 00
ATR: 3B80800101
More information about your card:
    http://smartcard-atr.appspot.com/parse?ATR=3B80800101

A>> T=1 (4+0000) 00A40400 00 
A<< (0018+2) (24ms) 6F108408A000000151000000A5049F6501FF 9000
[DEBUG] GlobalPlatform - Auto-detected ISD: A000000151000000
A>> T=1 (4+0000) 80CA9F7F 00 
A<< (0045+2) (14ms) 9F7F2A4790050382116351030280480093540734694E3050383037474D32313030393335341300011EFD121047 9000
[WARN] GPData - Invalid CPLC date: 474D
[WARN] GPData - Invalid CPLC date: 011E
CPLC: ICFabricator=4790
      ICType=0503
      OperatingSystemID=8211
      OperatingSystemReleaseDate=6351 (2016-12-16)
      OperatingSystemReleaseLevel=0302
      ICFabricationDate=8048 (2018-02-17)
      ICSerialNumber=00935407
      ICBatchIdentifier=3469
      ICModuleFabricator=4E30
      ICModulePackagingDate=5038 (2015-02-07)
      ICCManufacturer=3037
      ICEmbeddingDate=474D (invalid date format)
      ICPrePersonalizer=3231
      ICPrePersonalizationEquipmentDate=3030 (2013-01-30)
      ICPrePersonalizationEquipmentID=39333534
      ICPersonalizer=1300
      ICPersonalizationDate=011E (invalid date format)
      ICPersonalizationEquipmentID=FD121047

A>> T=1 (4+0000) 80CA0042 00 
A<< (0003+2) (13ms) 420100 9000
IIN: 420100
A>> T=1 (4+0000) 80CA0045 00 
A<< (0010+2) (13ms) 45080000000000000000 9000
CIN: 45080000000000000000
Card Data: 
A>> T=1 (4+0000) 80CA0066 00 
A<< (0065+2) (15ms) 663F733D06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040300660C060A2B060104012A026E0102 9000
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.1.1
-> GP Version: 2.1.1
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.3.0
-> GP SCP03 i=00
Tag 66: 1.3.6.1.4.1.42.2.110.1.2
-> JavaCard v2
Card Capabilities: 
A>> T=1 (4+0000) 80CA0067 00 
A<< (0060+2) (14ms) 673A6738A006800102810155A00A8001038102001082010781039EFE8082031E03008301028504010208408602040887040102084088050102030405 9000
[WARN] GPData - Bogus data detected, fixing double tag
Supports: SCP02 i=55
Supports: SCP03 i=00 i=10 with AES-128 AES-196 AES-256
Supported DOM privileges: SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration
Supported APP privileges: CardLock, CardTerminate, CardReset, CVMManagement, FinalApplication, GlobalService
Supported LFDB hash: 02
Supported Token Verification ciphers: 01020840
Supported Receipt Generation ciphers: 0408
Supported DAP Verification ciphers: 01020840
Supported ECC Key Parameters: 0102030405
A>> T=1 (4+0000) 80CA00E0 00 
A<< (0020+2) (18ms) E012C00401018810C00402018810C00403018810 9000
Version:   1 (0x01) ID:   1 (0x01) type: AES  length:  16 (AES-128)
Version:   1 (0x01) ID:   2 (0x02) type: AES  length:  16 (AES-128)
Version:   1 (0x01) ID:   3 (0x03) type: AES  length:  16 (AES-128)
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
A>> T=1 (4+0008) 80500000 08 246BE6A559F5BC46 00
A<< (0029+2) (99ms) 00008048009354073469010300182AE4BBA0CBE9CE0884D8C139029F77 9000
[DEBUG] GlobalPlatform - Host challenge: 246BE6A559F5BC46
[DEBUG] GlobalPlatform - Card challenge: 182AE4BBA0CBE9CE
[DEBUG] GlobalPlatform - Card reports SCP03 i=00 with key version 1 (0x01)
[DEBUG] GlobalPlatform - Will do SCP03 (3)
[DEBUG] PlaintextKeys - Card keys: {ENC=type=RAW bytes=404142434445464748494A4B4C4D4E4F, DEK=type=RAW bytes=404142434445464748494A4B4C4D4E4F, MAC=type=RAW bytes=404142434445464748494A4B4C4D4E4F}
[DEBUG] GlobalPlatform - Verified card cryptogram: 0884D8C139029F77
[DEBUG] GlobalPlatform - Calculated host cryptogram: A40EB7C046431C14
A>> T=1 (4+0016) 84820100 10 A40EB7C046431C14EA7AEF0D8C88CC6E
A<< (0000+2) (153ms) 9000
Note: using default AID-s for SSD instantiation: A000000151535041 from A0000001515350
A>> T=1 (4+0010) 84F28002 0A 4F00BD03D9C62760C0B9 00
A<< (0044+2) (112ms) E32A4F08A0000001510000009F700107C5039EFE80C407A0000000620001CE020100CC08A000000151000000 9000
A>> T=1 (4+0010) 84F24002 0A 4F009F95779B757B8580 00
A<< (0042+2) (102ms) E3284F08A0000006472F00019F700107C503000000C405A000000647CE020000CC08A000000151000000 9000
A>> T=1 (4+0010) 84F22002 0A 4F0046EB4623179150FC 00
A<< (0028+2) (102ms) E30D4F07A00000015153509F700101E30B4F05A0000006479F700101 9000
A>> T=1 (4+0010) 84F21002 0A 4F005289772109EB432C 00
A<< (0048+2) (104ms) E3174F07A00000015153509F7001018408A000000151535041E3154F05A0000006479F7001018408A0000006472F0001 9000
A>> T=1 (4+0046) 84E60C00 2E 07A000000151535008A00000015153504108A000000151000001018008C90682012087012000AE28BB6AFD8B9EFF
A<< (0001+2) (2s965ms) 00 9000
SCardEndTransaction(SCM Microsystems Inc. SCL010 Contactless Reader [SCL010 Contactless Reader] (00000741000005) 00 00)
SCardDisconnect("SCM Microsystems Inc. SCL010 Contactless Reader [SCL010 Contactless Reader] (00000741000005) 00 00", true)

PS: Sorry for the frequent edits of this issue. Took some time to pinpoint the problem.

@asdfjkl asdfjkl changed the title Installing applet to newly created SSD fails with 0x6985 Installing applet to newly created SSD fails with Invalid argument: Should be string Feb 3, 2023
@asdfjkl asdfjkl changed the title Installing applet to newly created SSD fails with Invalid argument: Should be string Installing applet to newly created SSD fails with "Invalid argument: Should be string" Feb 3, 2023
@asdfjkl asdfjkl changed the title Installing applet to newly created SSD fails with "Invalid argument: Should be string" Installing applet to newly created SSD fails with 0x6985 (Conditions of use not satisfied) Feb 4, 2023
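
Added example (not part of the original issue and not GlobalPlatformPro code): a parser for the data fields of the two `84E60C00` INSTALL commands copied from the logs above, reporting which fields differ between the two tool versions. The field names and the trailing 8-byte C-MAC are assumptions based on the GlobalPlatform INSTALL [for install] layout.

```python
# Added example, not GlobalPlatformPro code. The data fields of the two
# 84E60C00 commands are copied from the logs; field names are assumptions.
NEW_DATA = ("07A0000001515350" "08A000000151535041" "08A000000151000001"
            "0180" "02C900" "00" "84390249FF369091")              # gp 325fe84
OLD_DATA = ("07A0000001515350" "08A000000151535041" "08A000000151000001"
            "0180" "08C906820120870120" "00" "AE28BB6AFD8B9EFF")  # gp 18.09.14
MAC_LEN = 8  # assumption: CLA 0x84 means the data ends with an 8-byte C-MAC
FIELDS = ("load_file_aid", "module_aid", "instance_aid",
          "privileges", "install_params", "install_token")


def read_lv(buf, pos):
    """Read one length-prefixed value; return (value, offset after it)."""
    if pos >= len(buf):
        raise ValueError(f"missing length byte at offset {pos}")
    end = pos + 1 + buf[pos]
    if end > len(buf):
        raise ValueError(f"field at offset {pos} runs past the data")
    return buf[pos + 1:end], end


def read_tlvs(buf):
    """Split a run of TLVs with one-byte tags and one-byte lengths."""
    out, pos = [], 0
    while pos < len(buf):
        tag = buf[pos]
        value, pos = read_lv(buf, pos + 1)
        out.append((tag, value))
    return out


def parse_install(hex_data):
    """Parse an INSTALL data field (C-MAC stripped) into named fields."""
    body = bytes.fromhex(hex_data)[:-MAC_LEN]
    fields, pos = {}, 0
    for name in FIELDS:
        fields[name], pos = read_lv(body, pos)
    if pos != len(body):
        raise ValueError("unexpected bytes after the install token")
    # Nested TLVs carried inside tag C9 of the install parameters.
    outer = dict(read_tlvs(fields["install_params"]))
    fields["c9_tlvs"] = read_tlvs(outer.get(0xC9, b""))
    return fields


def differing_fields(a, b):
    """Names of the parsed fields whose values are not equal."""
    return sorted(name for name in a if a[name] != b[name])


if __name__ == "__main__":
    new, old = parse_install(NEW_DATA), parse_install(OLD_DATA)
    for name in differing_fields(new, old):
        print(name, "new:", new[name], "old:", old[name])
```

On these two captures only the install parameters differ: the 18.09.14 build sends tags 82 and 87 (value 20 each) inside C9, while the 325fe84 build sends an empty C9.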