vletoux / gidsapplet
Generic Identity Device Specification Applet
License: GNU General Public License v3.0
Run into problems while testing EIDAuthenticate
The applet can be successfully downloaded, installed, and initialized.
However, when I open EIDAuthenticate and try to install a cert on it, I get the following message.
Environment:
win10 1803 x64 enterprise (no AD)
EIDAuthenticate 1.2.5.0
Card:
NXP J3H081 EMV JC3.0.4 GP 2.2.2 (may be a JCOP31 card)
got from here http://www.javacardsdk.com/product/j3h081/
Error message:
Page03CreateOrImportACertificate.cpp(249)
0x80100022 - This smart card does not support the requested feature (win10 1709, 1803)
0x8010001F - An unexpected card error has occurred (win7 sp1)
Hi Vletoux, I wonder if you could give me some details about how to run the unit tests, do they use a proprietary card emulator or the reference implementation from Oracle? If you could describe a bit the setup that would be great, or start a wiki page for that and I'm happy to contribute to it.
I poked at Ant some more to get the tests running using the jcardsim library: see https://github.com/rpavlik/GidsApplet/tree/junit . All the tests pass (on both variants), except for one: CryptoTest.
It fails on line 53, with the error message: expected: 9000 but was: 618c. Line 53 has the comment "generate asymmetric key" and is using instruction 0x47.
I can't find where it's actually returning 618c in the first place, so I'm not sure if this is an issue with the jcardsim or something else.
Here's the log file:
TEST-com.mysmartlogon.gidsAppletTests.CryptoTest.txt
I checked out the 1.3 source without touching the build system, and it looks like it too has the same issue, though 1.2 does not.
Not sure what version of jcardsim you used originally, maybe I can revert to that version?
I'm running the tests with jcardsim 3.0.5 under jdk17, though I build the applet with jdk8.
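Status word 618c is the ISO 7816-4 "process completed, 0x8c (140) more response bytes available" case, which a transport handles by issuing GET RESPONSE rather than treating it as an error; a harness that compares only the first status word with 9000 reports exactly the failure quoted above. The following is an added example (not GidsApplet or jcardsim code) of a 61xx-aware transmit loop, run against a constructed in-memory card; the INS 0x47 handling and payload sizes are assumptions for the demo.

```python
# Added example (not GidsApplet or jcardsim code): drain an ISO 7816-4
# "61 xx" response chain with GET RESPONSE. The card below is a constructed
# in-memory stand-in; it answers INS 0x47 (GENERATE ASYMMETRIC KEY PAIR)
# with SW 61 xx and hands the pending bytes out via GET RESPONSE (INS 0xC0).
from typing import Tuple

SW_OK = 0x9000
SW_INS_NOT_SUPPORTED = 0x6D00
GET_RESPONSE_HEADER = bytes([0x00, 0xC0, 0x00, 0x00])


def sw_more_data(pending: int) -> int:
    """Status word 61 xx: xx bytes still available (capped at 0xFF here)."""
    return 0x6100 | min(pending, 0xFF)


class FakeCard:
    """Constructed channel, not a real card: chains one large response."""

    def __init__(self, generated_key: bytes) -> None:
        self._generated_key = generated_key  # what INS 0x47 will return
        self._pending = b""

    def transmit(self, apdu: bytes) -> Tuple[bytes, int]:
        if apdu[:4] == GET_RESPONSE_HEADER:
            le = apdu[4] if len(apdu) > 4 else 0
            le = le or 256                        # Le=00 means 256 (short APDU)
            chunk, self._pending = self._pending[:le], self._pending[le:]
            sw = SW_OK if not self._pending else sw_more_data(len(self._pending))
            return chunk, sw
        if apdu[1] == 0x47:                       # GENERATE ASYMMETRIC KEY PAIR
            self._pending = self._generated_key
            return b"", sw_more_data(len(self._pending))
        return b"", SW_INS_NOT_SUPPORTED


def transmit_chained(card, apdu: bytes) -> Tuple[bytes, int]:
    """Send an APDU and follow 61 xx with GET RESPONSE until a final SW."""
    data, sw = card.transmit(apdu)
    out = bytearray(data)
    while (sw & 0xFF00) == 0x6100:                # parenthesised: & binds weaker than ==
        le = sw & 0xFF                            # ask for exactly the announced bytes
        data, sw = card.transmit(GET_RESPONSE_HEADER + bytes([le]))
        out += data
    return bytes(out), sw
```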
Well, this is not an issue and this may not be the most appropriate place to ask.
Is it possible using available tools (Microsoft Minidriver or OpenSC PKCS*- suite tools) to create data objects on a GIDS card? It seems I can create a file under mscp/ folder using Gemalto Minidriver tool, but I can't read or write these files using OpenSC tools.
Thank you in advance.
So I've done the naive thing and bought 3 "Giesecke and Devrient Sm@rtCafé Expert 3.2 72K", AKA SmartCafe Expert 3.2 Java card 72k, specifically because the keying was called out and made to look easy here and in GPP's readmes. And also because US DOE is thinking about G+D cards, but that's my own work trauma that started this adventure and I don't want to go into it too much.
I'm going to keep the GlobalPlatformPros discussion prompts as structure to avoid restating a lot of things. Also lol, you can tell I'm considering filing this against GPP.
If you are sure that this is a bug or missing feature (with available documentation/specification), do open an issue. If you do not know the exact keying information, please ask your card vendor.
-- I thought I would know this as it is called out explicitly here in Gids and there in GlobalPlatformPro. But the feedback when I actually run the commands is weird and hard to understand, which I'll get to below. The weird feedback between two different versions of GPP is probably a bug in GPP, not Gids. HOWEVER:
Using two different versions of GPP I get two different confusing command prompts back. (Lack of feedback really, like maybe it worked, but then I can't list things so I'm pretty sure it didn't.)
GlobalplatformPro Version: I've gotten both the 2018 release (which supports the proper short opts as documented) and the 2020 release, which I was having some troubles translating its long options into what is written both here and in GPP's README. :/ If this is where my troubles start I'll move this over to GPP's discussion forum instead.
Card Platform Version: These Smartcafe Expert 3.2s are Javacard 2.2.1 and GlobalPlatform 2.1.1. That means they were last state of the art in ~2006!! (Eesh)
Reader model/name: SCR3310 by Identive. The UFO puck. I also have a HID 3121 if that helps.
After running
gp -unlock -emv
as described both in the readme and the Testedcards bit
and
gp -install GidsApplet.cap -default
❯ globalplatformpro -install Downloads/GidsApplet.cap -default -d -v -i
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
I expected it to just work, as the -unlock is supposed to remove the key diversification. But I only get the below message when I try to list my card. And nothing else!! I'm just following the directions. I'm left with a headscratcher.
(this is using the older 2018 release of gpp as it doesn't just fail with the help syntax)
❯ globalplatformpro -l -d -v -i
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
I think I'm getting the keying correct, because before I did the proper key stuff I used to get errors like the ones described in these posts, like this
"Error: At position 1 the len is more then 3 [32]" from GlobalPlatformPro.
https://stackoverflow.com/questions/68087131/cannot-list-or-install-cap-files-in-javacard-after-unlocking-why-and-how-to-so
https://muscle.musclecard.narkive.com/AWWgaYSL/get-error-while-loading-applet-on-smartcafe-expert-3-2-72k-smart-card
kaoh/globalplatform#48
According to this: https://www.javacardos.com/javacardforum/viewtopic.php?t=1974
it should work, but all I get is:
Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
CAP loaded
Error: INSTALL [for install and make selectable] failed: 0x6A80 (Wrong data/incorrect values in data)
and not as expected SELECTABLE: https://confluence.certgate.com/pages/viewpage.action?pageId=70254684
(by the way, it is impossible to download the .cap from the above link, as a login is required & there is nowhere to register for such a login!)
Please describe how data is formatted in the GIDS applet; by this I mean...
if there is any documentation, let me know.
Thanks for this great work! (And sorry for breaking your issue-free streak, hopefully it's just user error 😉 ) I've managed to get it going with an on-card generated 4096-bit RSA key and OpenSC as follows:
gp --install GidsApplet.cap --default
gids-tool --initialize
pkcs15-init -v -v --verify-pin --generate-key rsa/4096 --auth-id 80 --key-usage sign --label test
However, if I replace that last step with pkcs15-init -v -v --verify-pin --store-private-key pyprivate_ca.pem --auth-id 80 --key-usage sign --label test
where pyprivate_ca.pem is a 4096-bit private key (dumped from py crypto), I eventually get this from OpenSC:
P:2735428; T:0x140230475139136 11:02:20.472 [pkcs15-init] card-gids.c:1537:gids_import_key: unable to put the private key - key greater than 2048 bits ?: -1217 (Not enough memory on card)
Failed to store private key: Not enough memory on card
I'm using a 180K J3R180 card https://www.amazon.com/dp/B0CFFCJ9W1 so I would think the actual card space is OK, though perhaps the applet doesn't allocate enough.
Strangely, after I do this, pkcs15-tool --dump seems to suggest the key is there anyway:
PKCS#15 Card [GIDS card]:
Version : 2
Serial number : f5e011e64b2b0dd153d85205f3f1fd86
Manufacturer ID: www.mysmartlogon.com
Flags :
PIN [UserPIN]
Object Flags : [0x03], private, modifiable
ID : 80
Flags : [0x12], local, initialized
Length : min_len:4, max_len:15, stored_len:0
Pad char : 0x00
Reference : 128 (0x80)
Type : ascii-numeric
Tries left : 3
Private RSA Key [test]
Object Flags : [0x01], private
Usage : [0x04], sign
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
ModLength : 4096
Key ref : 129 (0x81)
Native : yes
Auth ID : 80
ID : 00
MD:guid : 4bd0fb77-a08c-5848-733e-98a23e7df51c
Public RSA Key [test]
Object Flags : [0x00]
Usage : [0x40], verify
Access Flags : [0x02], extract
ModLength : 4096
Key ref : 129 (0x81)
Native : yes
Path : 3fffb081
ID : 00
I did not try actually using it yet. I did find I could not delete it with pkcs15-init without gp --uninstall GidsApplet.cap.
Updates:
pkcs15-init -v -v --verify-pin --store-private-key merged.p12 --format pkcs12 --auth-id 80 --key-usage sign --label testimportopenssl
so there may be two issues here.
FLASH_BUF_SIZE = 3072
- 2047 was not enough. No idea if this will work on a cheaper/older card, but it appears to work on this (jc 3.0.4) card.
I've successfully used GidsApplet on a SmartCafe Expert 6.0 80K card. However, I'm having trouble using GidsApplet on a JavaCOS A22 card - GidsApplet on this card seems to generate invalid RSA signatures. I'm not sure how to go about debugging this, so I'm wondering if you can point me in the right direction?
I purchased this card from here: http://www.smartcardfocus.com/shop/ilp/id~712/javacos-a22-dual-interface-java-card-150k/p/index.shtml
ATR is 3b:fc:18:00:00:81:31:80:45:90:67:46:4a:00:68:08:04:00:00:00:00:0e
I installed the Applet:
gp -install GidsApplet.cap
Then I tried to initialize it with gids-tool, but libopensc detected it as an entersafe card instead of a gids card - Apparently the entersafe driver in libopensc matches this card based on ATR rather than Applet/Package ID. I commented out the ATR in src/libopensc/card-entersafe.c in opensc, then recompiled opensc to get past this issue.
Then I initialized it:
openssl rand -rand /dev/urandom -hex 24 > admin_key
openssl rand -rand /dev/urandom 128 | tr -dc '[:alnum:]' | head -c 6 > pin ; echo >> pin
gids-tool --initialize --serial-number '' --admin-key "$(cat admin_key)" --pin "$(cat pin)"
And generated a key:
pkcs15-init --verify-pin --auth-id 80 --pin "$(cat pin)" --generate-key rsa/2048 --id 0 --label 'testKey'
Everything seemed to be working fine up until this point.
Then I tried to generate a cert request, but openssl failed when validating the request's signature:
$ openssl
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/ssl/engines/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
OpenSSL> req -new -engine pkcs11 -keyform engine -key 0 -subj '/CN=request' -out request -verify
engine "pkcs11" set.
PKCS#11 token PIN:
verify failure
139997861942936:error:04070066:rsa routines:RSA_padding_check_PKCS1_type_1:bad fixed header decrypt:rsa_pk1.c:116:
139997861942936:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:773:
139997861942936:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:218:
OpenSSL>
Generating a private key using openssl and loading it on the card (rather than generating the key on the card) does not change the behavior:
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
pkcs11-tool --login --pin "$(cat pin)" --write-object private_key.pem --type privkey
Any pointers you can give me to help troubleshoot this would be appreciated. Thanks!
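OpenSSL's "bad fixed header decrypt" means that after applying the public key to the signature, the recovered block does not start with the PKCS#1 v1.5 bytes 00 01, so the padding the card produced (or the key pair in use) is wrong before the hash is ever compared. The following is an added example, not GidsApplet or OpenSC code, that recovers that block and reports which check fails; the key is built from two well-known primes purely so the run is reproducible, and the raw-hash "broken signer" case is a constructed illustration, not a claim about what the A22 does.

```python
# Added example (not GidsApplet or OpenSC code): apply the RSA public key to a
# signature and report where the recovered PKCS#1 v1.5 block breaks, which is
# the condition behind OpenSSL's "bad fixed header decrypt" error.
import hashlib

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def demo_key():
    """Reproducible demo RSA key from two well-known primes; NOT for real use."""
    p, q = (1 << 521) - 1, (1 << 255) - 19       # Mersenne prime M521 and 2^255-19
    n, e = p * q, 65537
    return n, e, pow(e, -1, (p - 1) * (q - 1))


def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 with SHA-256: 00 01 FF..FF 00 DigestInfo || hash."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(msg: bytes, n: int, d: int, padded: bool = True) -> bytes:
    """Sign correctly, or (padded=False) the way a broken signer might: raw hash."""
    k = (n.bit_length() + 7) // 8
    m = emsa_pkcs1_v15(msg, k) if padded else hashlib.sha256(msg).digest()
    return pow(int.from_bytes(m, "big"), d, n).to_bytes(k, "big")


def diagnose(sig: bytes, msg: bytes, n: int, e: int) -> str:
    """Recover EM = sig^e mod n and say which PKCS#1 v1.5 check fails first."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return f"bad fixed header {em[:2].hex()} (no type 1 padding)"
    sep = em.find(b"\x00", 2)                    # end of the FF padding string
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):
        return "bad padding string"              # fewer than 8 FF bytes or non-FF
    if em[sep + 1:] != SHA256_DIGESTINFO + hashlib.sha256(msg).digest():
        return "padding ok, DigestInfo or hash mismatch"
    return "valid"
```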
Deleting keys does not work / leaves the card in a crippled state.
This is the log where I create a keypair on an empty device and try to delete it afterwards:
$ pkcs11-tool -O
Using slot 0 with a present token (0x0)
$ pkcs11-tool --login --keypairgen --key-type rsa:2048
Using slot 0 with a present token (0x0)
Logging in to "GIDS card (UserPIN)".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
label: Private Key 00
ID: 75f9a87240334fdd08c43e54bd034539421cbd9f
Usage: decrypt, sign, unwrap
Access: none
Public Key Object; RSA 2048 bits
label: Private Key 00
ID: 75f9a87240334fdd08c43e54bd034539421cbd9f
Usage: encrypt, verify, wrap
Access: none
$ pkcs11-tool -O
Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
label: Private Key 00
ID: 00
Usage: encrypt, verify
Access: none
$ pkcs11-tool --login --delete-object --type pubkey --id 00
Using slot 0 with a present token (0x0)
Logging in to "GIDS card (UserPIN)".
Please enter User PIN:
$ pkcs11-tool -O
Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
label: Private Key 00
ID: 00
Usage: encrypt, verify
Access: none
$ pkcs11-tool --login --delete-object --type privkey --id 00
Using slot 0 with a present token (0x0)
Logging in to "GIDS card (UserPIN)".
Please enter User PIN:
$ pkcs11-tool -O
Using slot 0 with a present token (0x0)
warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_GENERAL_ERROR (0x5)
Public Key Object; RSA 0 bits
label:
ID: 00
Usage: none
Access: none
The InitializeGids.exe is working fine in Windows 7 but fails in Windows 10 Anniversary Update (at least when they are both running in a VMware Fusion virtual machine). Would you like to share the source code for that tool and I can have a look and send a pull request so it also works in Windows 10?