ย ย ย ย from JavaCardPro
Load and manage applets on compatible JavaCards from command line or from your Java project with a Do What I Mean approach (testimonials).
Provides an easy to use and high level interface that most of the time JustWorks(TM), is flexible and 100% open source!
Building JavaCard applets is equally pleasing with ant-javacard
Like it? Become a sponsor!
- Download latest pre-built .JAR or .EXE from release area
- Requires JDK-11
brew install martinapaljak/brew/gppro --HEAD # installs the master branchBuild it yourself, it is really easy:
git clone https://github.com/martinpaljak/GlobalPlatformPro
cd GlobalPlatformPro
./mvnw package- GlobalPlatformPro received a small recognition from Google Open Source as a Peer Bonus. (Thanks, @konstantint!)
- JavaCard Buyer's Guide
Beware: both command line and Java API are subject to change without notice. Check back often.
Command line samples assume default test keys of 40..4F. If you need a custom key, specify it with -key (you can give separate keyset components with -key-mac, -key-enc and -key-kek. You need to know the details or ask your card provider. Some cards require key diversification with -emv or -visa2 (ask your vendor if unsure). A Key Check Value can be given with -kcv option.
-
Show some basic information about a card (failsafe):
java -jar gp.jar -info-
On Windows just replace
java -jar gp.jarwithgp.exelike this:gp.exe -info -
On Linux it is easier to add an alias to the shell like this:
alias gp="java -jar $PWD/gp.jar" # Now you can avoid typing `java -jar` and `gp` works from any folder gp -h
-
Please consult the help output for options that are not described here
-
List applets (this and following commands open the secure channel and thus can brick your card with wrong keys!):
gp -list # or gp -lHow to interpret the output:
- All AID-s of on-card objects are listed, starting with Issuer Security Domain (
ISD) - Object's type, lifecycle state and privileges are listed below the
AIDline - Applications have type
Appand a state (likeSELECTABLE) and privileges (likeDefault selected) - Executable Modules (type
ExM, representing Java packages) are listed together with applets in them (which can be initiated with--create) - Security Domains have type
SeD
- All AID-s of on-card objects are listed, starting with Issuer Security Domain (
-
Delete current default applet's package and all instances:
gp -delete -default -
Delete package
D27600012401and all applets from it:gp -delete D27600012401 -
Install
applet.capas default applet (with AID information from the CAP):gp -install applet.cap -default -
Install
applet.cap(with AID information from the CAP):gp -install applet.cap -
Unistall
applet.cap(with AID information from the CAP):gp -uninstall applet.cap -
Force installation of
applet.cap, deleting anything that's necessary, with AID information from the CAP:gp -f -install applet.cap -
Create new instance of applet
D2760001240102000000000000000000from packageD27600012401with AIDD2760001240102000000000272950000:gp -package D27600012401 -applet D2760001240102000000000000000000 -create D2760001240102000000000272950000 -
Same as previous, but takes the package/applet AID-s from CAP file and makes the new instance default selected:
gp -cap OpenPGPApplet.cap -create D2760001240102000000000272950000 -default
-default- makes the applet default selected-terminate- gives card lock and card terminate privileges to the applet-params <hex>- installation parameters for applet
-
Set
010B0371D78377B801F2D62AFC671D95key to a card with default40..4Fkeys:gp -lock 010B0371D78377B801F2D62AFC671D95 -
Set default
40..4Fkeys to card that was previously locked with key010B0371D78377B801F2D62AFC671D95:gp -key 010B0371D78377B801F2D62AFC671D95 -unlock -
Set the default
40..4Fkeys to a card that uses EMV diversification (like G&D):gp -emv -unlock* note that you will have to use
--relaxoption after this operation to get rid of the warning about probably needed diversification, which is not true any more. -
Set the default
40..4Fkeys to a card that uses VISA2 diversification with the well-known mother key on a Gemalto card:gp -visa2 -key 47454D5850524553534F53414D504C45 -unlock -mode clr
-
Show APDU-s sent to the card:
add
-debugor-dto your command -
Be more verbose about decisions and conditions:
add
-verboseor-vto your command -
Don't use MAC on commands (plain GlobalPlatform syntax):
add
-mode clrto your command (not supported on all cards) -
Show all options recognized by
gputility:add
-helpor-hor--helpto yourgpcommand
Include the dependency:
<!-- https://mvnrepository.com/artifact/com.github.martinpaljak/globalplatformpro -->
<dependency>
<groupId>com.github.martinpaljak</groupId>
<artifactId>globalplatformpro</artifactId>
<version>0.3.10-rc6</version>
</dependency>- For now consult the command line utility source code
- Rudimentary Javadoc
- General rules:
- Expect
RuntimeException-s when things go unexpectedly wrong CardException-s when link layer failsGPException-s when protocol layer fails
- Expect
- NEW! JavaCard Buyer's Guide of 2018
- See TestedCards
- Generally speaking any modern JavaCard that speaks GlobalPlatform 2.1.1+
- Available cards from all major vendors have been tested for basic compatibility: Athena, Gemalto, Giesecke & Devrient, Infineon, NXP (JCOP), Morpho, Oberthur
- If you are a smart card vendor please do get in touch for clarification and better support!
The ancestor of this code is GPJ (Global Platform for SmartCardIO) which is (still) available from http://gpj.sourceforge.net. I started the project because I felt that messing with cryptic script files was not nice and I wanted to have a simple, open source, usable and native-to-the-rest-of-development-environment (Java) toolchain.
- Wojciech Mostowski [email protected],
- Francois Kooman [email protected]
- Martijn Oostdijk [email protected]
- Martin Paljak [email protected]
- Hendrik Tews
- Dusan Kovacevic
- gpj (the grandparent) - http://gpj.sf.net (LGPL)
- written in Java
- continued as GlobalPlatformPro
- harder to use from the command line
- no new features or standards
- GPShell + globalplatform library - http://sourceforge.net/projects/globalplatform/ (LGPL)
- written in C
- often referred to as the de facto open source GlobalPlatform implementation
- several components need to be compiled and installed before usage
- requires more complex "script files" and does not provide a direct command line utility
- jcManager - http://www.brokenmill.com/2010/03/java-secure-card-manager/ (LGPL)
- written in Java
- has a basic GUI
- old and not maintained
- gpjNG - https://github.com/SimplyTapp/gpjNG (LGPL)
- fork of gpj with minor additions, mostly a "script mode" that makes it similar to GPShell
- Ruby smartcard module - http://smartcard.rubyforge.org/classes/Smartcard/Gp/GpCardMixin.html (MIT)
- written in Ruby
- does not seem to expose all functionality (key diversification, key change etc)
- no command line utility
- JGPShell - https://sourceforge.net/projects/jgpshell/ (GPL2)
- written in Java
- GPShell-style scripting goal
- not really usable and also abandoned
- OPAL - https://bitbucket.org/ssd/opal (CeCILL, GPLv2 compatible)
- written in Java
- claims to have SCP03 support (but no tested cards)
- looks "heavy" and over-engineered
- smoke tests give exceptions and doesn't work on OSX nor Debian.
- gpcomm - https://code.google.com/p/gpcomm/
- written in Java
- incomplete and abandoned
- globalplatform.net - https://github.com/sepulo/globalplatform.net
- written in c#
- unclear license (missing)
- only supports SCP01 and SCP02
- GlobalPlatform.NET - https://github.com/jamesharling/GlobalPlatform.NET (GPLv3)
- wirtten in c#
- only supports SCP02
- fluent interface
- asterix - https://github.com/suma12/asterix (LGPL 2.1)
- written in Python
- SCP02, SCP03
- LuaGP - https://github.com/bondhan/LuaGP
- written in Lua
- unclear license (missing)
- JCOP tools, RADIII, JCardManager4, JLoad, PyApduTool etc
- not publicly available cross-platform open source projects and thus not suitable for this comparision
- focus on real life and practical daily use cases
- KISS, YAGNI, DWIM, no-NIH
- APDU-chat over anything that extends
CardChannelto (most probably real) tokens - thin and self-contained, re-usable, easy to integrate
- easily readable, auditable and secure codebase (less is more)
The promise of GlobalPlatformPro is similar to OpenSSL:
Why buy a smart card software kit as a black box when you can get an open one for free?
In regard to GlobalPlatform, the goal is to make simple operations like installing and removing applets and locking the card with new keys as easy as next-next-done - you don't have to know the whole Global Platform specification by heart for that or buy a piece of proprietary software for a few hundred euros! For all those features that are not described in the GlobalPlatform specification that actually make your card work... you still have to use those proprietary commands, but OpenKMS GlobalPlatformPro toolkit's flexibility (and its license) should allow you to do that as well.
- LGPL-3.0 for derived code and MIT/LGPL3 for original code.
- BouncyCastle for OID parsing and NIST SP 800-108/NIST SP 800-38B (MIT)
- JOpt Simple for parsing command line (MIT)
- Launch4j for generating the .exe (BSD/MIT)
- apdu4j for APDU level PC/SC access/logging/replaying (MIT)
- ber-tlv for tag parsing (Apache)
- For technical support:
- Re-run your failing command with
-d -v -iswitches and send the output, information about your card and applet/CAP - Only plaintext logs. NO screenshots, pictures, word documents. NO generic questions about java/linux/windows/globalplatform. Questions about jcshell/gpshell/gpj/something else shall be ignored.
- If unsure, first read about asking questions
- For "How do I ... ?" questions start a thread in discussions
- Re-run your failing command with
- Generic enquiries
- E-mail [email protected]
- For reporting bugs and issues (ask for help and questions in discussions)
- File an issue
- Better yet - open a pull request!
- Security issues - see SECURITY.md)
- Please donate!
- See sponsors page or e-mail [email protected] directly
The casual: trademarks to their owners, copyrights to authors, software patents to hell, legal letters to /dev/null PGP key 0x1d86f74c7b9dd593. Everything is provided AS-IS AND THERE IS A CONSTANT RISK OF DEATH FROM SUDDEN LIGHTNING. Writing in all caps made it look like serious, didn't it?
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent