gidsapplet's People

Contributors

fishsoupisgood, frankmorgner, gentilkiwi, martinpaljak, rpavlik, trijetscud, vletoux

gidsapplet's Issues

How do the tests work

Hi Vletoux, I wonder if you could give me some details about how to run the unit tests. Do they use a proprietary card emulator or the reference implementation from Oracle? If you could describe the setup a bit that would be great, or start a wiki page for it, and I'm happy to contribute to it.

G&D SmartCafe (Sm@rtCafé) Expert 3.2 72K is a trick master

So I've done the naive thing and bought 3 "Giesecke and Devrient Sm@rtCafé Expert 3.2 72K", AKA SmartCafe Expert 3.2 Java Card 72K, specifically because the keying was called out and made to look easy here and in GPP's README. And also because US DOE is thinking about G+D cards, but that's my own work trauma that started this adventure and I don't want to go into it too much.

I'm going to keep GlobalPlatformPro's discussion prompts as structure to avoid restating a lot of things. Also lol, you can tell I'm considering filing this against GPP.

If you can't authenticate to the card, first read this

If you are sure that this is a bug or missing feature (with available documentation/specification), do open an issue. If you do not know the exact keying information, please ask your card vendor.
-- I thought I would know this, as it is called out explicitly here in GIDS and there in GlobalPlatformPro. But the feedback when I actually run the commands is weird and hard to understand, which I'll get to below. The weird feedback between two different versions of GPP is probably a bug in GPP, not GIDS. HOWEVER:

https://www.mysmartlogon.com/generic-identity-device-specification-gids-smart-card/tested-cards/ says that this "Needs and unpublished version of the applet" <- Is that out of date or still real?!

Describe the bug

Using two different versions of GPP I get two different confusing responses back (a lack of feedback really; maybe it worked, but then I can't list things, so I'm pretty sure it didn't).

Information about your card and used reader

GlobalPlatformPro Version: I've got both the 2018 release (which supports the proper short opts as documented) and the 2020 release, which I was having some trouble translating its long options into what is written both here and in GPP's README. :/ If this is where my troubles start, I'll move this over to GPP's discussion forum instead.
Card Platform Version: These SmartCafe Expert 3.2s are Java Card 2.2.1 and GlobalPlatform 2.1.1. That means they were last state of the art in ~2006!! (Eesh)
Reader model/name: SCR3310 by Identive. The UFO puck. I also have a HID 3121 if that helps.

Expected behavior / what you expected to happen.

After running
gp -unlock -emv
as described both in the README and in the tested-cards page, and
gp -install GidsApplet.cap -default

❯ globalplatformpro -install Downloads/GidsApplet.cap   -default -d -v -i
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F

I expected it to just work, as the -unlock is supposed to remove the key diversification. But I only get the message below when I try to list my card, and nothing else!! I'm just following the directions. I'm left with a headscratcher.

(this is using the older 2018 release of gpp as it doesn't just fail with the help syntax)

❯ globalplatformpro -l -d -v -i
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F

I think I'm getting the keying correct, because before I did the proper key stuff I used to get errors like the ones described in these posts, e.g.
"Error: At position 1 the len is more then 3 [32]" from GlobalPlatformPro.
https://stackoverflow.com/questions/68087131/cannot-list-or-install-cap-files-in-javacard-after-unlocking-why-and-how-to-so
https://muscle.musclecard.narkive.com/AWWgaYSL/get-error-while-loading-applet-on-smartcafe-expert-3-2-72k-smart-card
kaoh/globalplatform#48

Please provide data format document

Please describe how data is formatted in the GIDS applet; by this I mean...

  1. Which compression technique is used for the certificate
  2. What the different tags are
  3. Why OpenSC chooses file IDs A000, A010, ... and how we decide what the value should be

If there is any documentation, let me know.

Test failure in CryptoTest line 53

I poked at Ant some more to get the tests running using the jcardsim library: see https://github.com/rpavlik/GidsApplet/tree/junit . All the tests pass (on both variants), except for one: CryptoTest.

It fails on line 53, with the error message: expected: 9000 but was: 618c. Line 53 has the comment "generate asymmetric key" and is using instruction 0x47.

I can't find where it's actually returning 618c in the first place, so I'm not sure if this is an issue with the jcardsim or something else.

Here's the log file:
TEST-com.mysmartlogon.gidsAppletTests.CryptoTest.txt

I checked out the 1.3 source without touching the build system, and it looks like it has the same issue too, though 1.2 does not.

Not sure what version of jcardsim you used originally, maybe I can revert to that version?

I'm running the tests with jcardsim 3.0.5 under jdk17, though I build the applet with jdk8.

Ability to import an RSA/4096 key?

Thanks for this great work! (And sorry for breaking your issue-free streak, hopefully it's just user error 😉 ) I've managed to get it going with an on-card generated 4096-bit RSA key and OpenSC as follows:

  • gp --install GidsApplet.cap --default
  • Cycle the card
  • gids-tool --initialize
  • pkcs15-init -v -v --verify-pin --generate-key rsa/4096 --auth-id 80 --key-usage sign --label test

However, if I replace that last step with pkcs15-init -v -v --verify-pin --store-private-key pyprivate_ca.pem --auth-id 80 --key-usage sign --label test where pyprivate_ca.pem is a 4096-bit private key (dumped from py crypto), I eventually get this from OpenSC:

P:2735428; T:0x140230475139136 11:02:20.472 [pkcs15-init] card-gids.c:1537:gids_import_key: unable to put the private key - key greater than 2048 bits ?: -1217 (Not enough memory on card)
Failed to store private key: Not enough memory on card

I'm using a 180K J3R180 card https://www.amazon.com/dp/B0CFFCJ9W1 so I would think the actual card space is OK, though perhaps the applet doesn't allocate enough.

Strangely, after I do this, pkcs15-tool --dump seems to suggest the key is there anyway:

PKCS#15 Card [GIDS card]:
	Version        : 2
	Serial number  : f5e011e64b2b0dd153d85205f3f1fd86
	Manufacturer ID: www.mysmartlogon.com
	Flags          : 


PIN [UserPIN]
	Object Flags   : [0x03], private, modifiable
	ID             : 80
	Flags          : [0x12], local, initialized
	Length         : min_len:4, max_len:15, stored_len:0
	Pad char       : 0x00
	Reference      : 128 (0x80)
	Type           : ascii-numeric
	Tries left     : 3

Private RSA Key [test]
	Object Flags   : [0x01], private
	Usage          : [0x04], sign
	Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
	Algo_refs      : 0
	ModLength      : 4096
	Key ref        : 129 (0x81)
	Native         : yes
	Auth ID        : 80
	ID             : 00
	MD:guid        : 4bd0fb77-a08c-5848-733e-98a23e7df51c

Public RSA Key [test]
	Object Flags   : [0x00]
	Usage          : [0x40], verify
	Access Flags   : [0x02], extract
	ModLength      : 4096
	Key ref        : 129 (0x81)
	Native         : yes
	Path           : 3fffb081
	ID             : 00

I did not try actually using it yet. I did find I could not delete it with pkcs15-init without gp --uninstall GidsApplet.cap.

Updates:

  • Unfortunately it does not show up in Key Store Explorer (over PKCS#11), and trying to import the key using that also returns an error that looks like a memory/size error ("CKR_DEVICE_MEMORY").
  • Hmm, maybe not showing up in Key Store Explorer is not a big deal, the generated key doesn't either. That said, using the key via PKCS#11 in Java is my main use case, so if it doesn't do that, I probably need to pick a different applet.
  • OK, if I generate a 4096 in KSE, it shows up fine and appears to work fine.
  • Importing a RSA/2048 (from a combined p12 file with both the private key and the cert) also works fine and shows up in KSE: pkcs15-init -v -v --verify-pin --store-private-key merged.p12 --format pkcs12 --auth-id 80 --key-usage sign --label testimportopenssl so there may be two issues here.
    • a - Keys generated on-card with pkcs15-init do not show up using pkcs11. (Might be user error?)
    • b - Cannot import anything bigger than RSA/2048 (Seems unlikely to be user error but I can't see where in the code the limit is.)
  • OK, I think the limit is related to the FLASH_BUF_SIZE in TransmitManager.java
  • OK, got it working. Had to set FLASH_BUF_SIZE = 3072; 2047 was not enough. No idea if this will work on a cheaper/older card, but it appears to work on this (JC 3.0.4) card.

InitializeGids.exe fails in Windows 10

The InitializeGids.exe is working fine in Windows 7 but fails in Windows 10 Anniversary Update (at least when they are both running in a VMware Fusion virtual machine). Would you like to share the source code for that tool and I can have a look and send a pull request so it also works in Windows 10?

J2A040 NXP JCOP v2.4.x support?

According to this: https://www.javacardos.com/javacardforum/viewtopic.php?t=1974
it should work, but all I get is:

Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
CAP loaded
Error: INSTALL [for install and make selectable] failed: 0x6A80 (Wrong data/incorrect values in data)

and not as expected SELECTABLE: https://confluence.certgate.com/pages/viewpage.action?pageId=70254684

(by the way, impossible to download the .cap from above link, as login required & nowhere to register for such login!)

This applet does not work with a JCOP31 card

I ran into problems while testing EIDAuthenticate.

The applet can be successfully downloaded, installed, and initialized.
However, when I open EIDAuthenticate and try to install a cert on it, I get the following message.

Environment:

win10 1803 x64 enterprise (no AD)
EIDAuthenticate 1.2.5.0

Card:

NXP J3H081 EMV JC3.0.4 GP 2.2.2 (may be a JCOP31 card)
got it from here http://www.javacardsdk.com/product/j3h081/

Error message:

Page03CreateOrImportACertificate.cpp(249)
0x80100022 - This smart card does not support the requested feature (win10 1709, 1803)
0x8010001F - An unexpected card error has occurred (win7 sp1)

Bad RSA signatures generated by JavaCOS A22

I've successfully used GidsApplet on a SmartCafe Expert 6.0 80K card. However, I'm having trouble using GidsApplet on a JavaCOS A22 card - GidsApplet on this card seems to generate invalid RSA signatures. I'm not sure how to go about debugging this, so I'm wondering if you can point me in the right direction?

I purchased this card from here: http://www.smartcardfocus.com/shop/ilp/id~712/javacos-a22-dual-interface-java-card-150k/p/index.shtml
ATR is 3b:fc:18:00:00:81:31:80:45:90:67:46:4a:00:68:08:04:00:00:00:00:0e

I installed the Applet:
gp -install GidsApplet.cap
Then I tried to initialize it with gids-tool, but libopensc detected it as an entersafe card instead of a gids card - Apparently the entersafe driver in libopensc matches this card based on ATR rather than Applet/Package ID. I commented out the ATR in src/libopensc/card-entersafe.c in opensc, then recompiled opensc to get past this issue.
Then I initialized it:

openssl rand -rand /dev/urandom -hex 24 > admin_key
# the character class is quoted so the shell cannot glob-expand it
openssl rand -rand /dev/urandom 128 | tr -dc '[:alnum:]' | head -c 6 > pin ; echo >> pin
gids-tool --initialize --serial-number '' --admin-key "$(cat admin_key)" --pin "$(cat pin)"

And generated a key:
pkcs15-init --verify-pin --auth-id 80 --pin "$(cat pin)" --generate-key rsa/2048 --id 0 --label 'testKey'
Everything seemed to be working fine up until this point.

Then I tried to generate a cert request, but openssl failed when validating the request's signature:

$ openssl
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/ssl/engines/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
OpenSSL> req -new -engine pkcs11 -keyform engine -key 0  -subj '/CN=request' -out request -verify
engine "pkcs11" set.
PKCS#11 token PIN: 
verify failure
139997861942936:error:04070066:rsa routines:RSA_padding_check_PKCS1_type_1:bad fixed header decrypt:rsa_pk1.c:116:
139997861942936:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:773:
139997861942936:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:218:
OpenSSL> 

Generating a private key using openssl and loading it on the card (rather than generating the key on the card) does not change the behavior:

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
pkcs11-tool --login --pin "$(cat pin)" --write-object private_key.pem --type privkey

Any pointers you can give me to help troubleshoot this would be appreciated. Thanks!
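The OpenSSL errors in the post above (RSA_padding_check_PKCS1_type_1: bad fixed header decrypt, then padding check failed) come from the structural check OpenSSL runs on the block recovered by the public-key operation m = s^e mod n: it must look like 00 01 FF..FF 00 || DigestInfo. The Python below is an added example, not code from the GidsApplet project or from the poster, that reimplements that check together with a toy PKCS#1 v1.5 sign/verify so a practitioner can see which stage a token's signature fails at (wrong key, wrong modulus length, corrupted padding, or a digest mismatch). The key generation, function names and test messages are my own, and the key size is chosen for speed, not for production use.

```python
"""Added diagnostic for PKCS#1 v1.5 signature padding failures (not from GidsApplet)."""
import hashlib
import secrets

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def pkcs1_v15_encode(digest: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding: 00 01 || PS (>= 8 bytes of FF) || 00 || DigestInfo."""
    t = SHA256_PREFIX + digest
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this DigestInfo")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def check_pkcs1_type1(em: bytes):
    """Return (ok, reason, digest). The reasons mirror the stages OpenSSL reports:
    first the fixed header, then the FF run and its 00 separator, then DigestInfo."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False, "bad fixed header", None
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False, "no 0x00 separator after padding string", None
    if i - 2 < 8:
        return False, "padding string shorter than 8 bytes", None
    t = em[i + 1:]
    if not t.startswith(SHA256_PREFIX):
        return False, "unexpected DigestInfo prefix", None
    return True, "ok", t[len(SHA256_PREFIX):]


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with a little trial division in front (toy key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_rsa(bits: int = 1024):
    """Toy RSA key (n, e, d); deliberately small so the example runs in well under a second."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            return n, e, pow(e, -1, phi)


def sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    em = pkcs1_v15_encode(hashlib.sha256(msg).digest(), k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def verify(msg: bytes, sig: bytes, n: int, e: int):
    """(ok, reason): recover EM with the public key, check padding, then compare digests.
    A signature made with a different key fails at the padding stage, exactly as in the
    OpenSSL log above; a signature over different data fails at the digest stage."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False, "signature length != modulus length"
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    ok, reason, digest = check_pkcs1_type1(em)
    if not ok:
        return False, reason
    if digest != hashlib.sha256(msg).digest():
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    n, e, d = generate_rsa()
    sig = sign(b"constructed test message", n, d)
    print(verify(b"constructed test message", sig, n, e))
    n2, e2, _ = generate_rsa()  # a second key stands in for "card signed with the wrong key"
    print(verify(b"constructed test message", sig, n2, e2))
```

To use this against a real card, export the public key with pkcs15-tool or pkcs11-tool, take the raw signature bytes from the failing operation, and feed them to verify(); the reason string tells you whether the block structure is wrong (key or padding problem on the card) or only the hash differs (the host signed different data than you expected).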

deleting keys not working

Deleting keys does not work / leaves the card in a crippled state.

This is the log where I create a keypair on an empty device and try to delete it afterwards:

$ pkcs11-tool -O
Using slot 0 with a present token (0x0)

$ pkcs11-tool --login --keypairgen --key-type rsa:2048
Using slot 0 with a present token (0x0)
Logging in to "GIDS card (UserPIN)".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
label: Private Key 00
ID: 75f9a87240334fdd08c43e54bd034539421cbd9f
Usage: decrypt, sign, unwrap
Access: none
Public Key Object; RSA 2048 bits
label: Private Key 00
ID: 75f9a87240334fdd08c43e54bd034539421cbd9f
Usage: encrypt, verify, wrap
Access: none

$ pkcs11-tool -O
Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
label: Private Key 00
ID: 00
Usage: encrypt, verify
Access: none

$ pkcs11-tool --login --delete-object --type pubkey --id 00
Using slot 0 with a present token (0x0)
Logging in to "GIDS card (UserPIN)".
Please enter User PIN:

$ pkcs11-tool -O
Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
label: Private Key 00
ID: 00
Usage: encrypt, verify
Access: none

$ pkcs11-tool --login --delete-object --type privkey --id 00
Using slot 0 with a present token (0x0)
Logging in to "GIDS card (UserPIN)".
Please enter User PIN:

$ pkcs11-tool -O
Using slot 0 with a present token (0x0)
warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_GENERAL_ERROR (0x5)

Public Key Object; RSA 0 bits
label:
ID: 00
Usage: none
Access: none

Is it possible to create data objects in GIDS cards ?

Well, this is not an issue and this may not be the most appropriate place to ask.

Is it possible, using the available tools (Microsoft minidriver or the OpenSC PKCS* suite of tools), to create data objects on a GIDS card? It seems I can create a file under the mscp/ folder using the Gemalto minidriver tool, but I can't read or write these files using the OpenSC tools.

Thank you in advance.
