我一直在寻找一种最佳实践来安装和配置具有自己的安全通道密钥集和 DAP 验证的补充安全域 (SSD),以便没有人可以安装除卡上签名的小程序之外的任何小程序。 不幸的是,我找不到任何好的讨论来达成这个问题的结果。最好的讨论是 GlobalPlatformPro github 中的 this 和 GPShell 中的 this 的讨论。这些就是我正在做的事情:
首先,我使用
opensslgenrsa -out ./rsaPrivateKey.pem 1024
rsa -pubout -in ./rsaPrivateKey.pem -out rsaPublicKey.pem
并使用 rsa 私钥对小程序进行签名:
capfile -s ./rsaPrivateKey.pem applet.cap
然后我执行以下步骤来安装和个性化 SSD:
A0000001515350
包中安装SSD(如果卡支持)并为其授予
DAPVerification权限。我通过 GlobalPlatformPro 的
gp -domain A000000151535041 -privs DAPVerification --allow-to命令执行此操作,结果是:
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
Note: using default AID-s for SSD instantiation: A000000151535041 from A0000001515350
安装具有 DAP 验证权限的 SSD,如 gp -l
确认:
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
ISD: A000000151000000 (OP_READY)
Parent: A000000151000000
From: A0000001515350
Privs: SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration
DOM: A000000151535041 (SELECTABLE)
Parent: A000000151000000
From: A0000001515350
Privs: SecurityDomain, DAPVerification, TrustedPath
PKG: A0000001515350 (LOADED)
Parent: A000000151000000
Version: -1.-1
Applet: A000000151535041
PKG: A00000016443446F634C697465 (LOADED)
Parent: A000000151000000
Version: 1.0
Applet: A00000016443446F634C69746501
PKG: A0000000620204 (LOADED)
Parent: A000000151000000
Version: 1.0
PKG: A0000000620202 (LOADED)
Parent: A000000151000000
Version: 1.3
PUT KEY
命令设置(正确吗?选择SSD后只需执行PUT KEY?或者我需要在此之前进行身份验证吗?)或使用gp pro
gp -d -v -i -sdaid A000000151535041 --lock 404142434445464748494A4B4C4D4E4F进行设置使用默认键结果:
...
Card locked with: 404142434445464748494A4B4C4D4E4F
Write this down, DO NOT FORGET/LOSE IT!
SCardEndTransaction(ACS ACR1281 1S Dual Reader ICC 0)
SCardDisconnect("ACS ACR1281 1S Dual Reader ICC 0", true)
并通过 gp -d -v -i -sdaid A000000151535041 -new-keyver 0x73 -put-key rsaPublicKey.pem -key 404142434445464748494A4B4C4D4E4F
添加 DAP 密钥:
gp -d -v -i -sdaid A000000151535041 -new-keyver 0x73 -put-key rsaPublicKey.pem -key 404142434445464748494A4B4C4D4E4F
Reader: ACS ACR1281 1S Dual Reader ICC 0
ATR: 3BD518FF8191FE1FC38073C821100A
More information about your card:
http://smartcard-atr.appspot.com/parse?ATR=3BD518FF8191FE1FC38073C821100A
[DEBUG] GlobalPlatform - (I)SD AID: A000000151535041
A>> T=1 (4+0008) 00A40400 08 A000000151535041 00
A<< (0018+2) (22ms) 6F108408A000000151535041A5049F6501FF 9000
[DEBUG] GlobalPlatform - Auto-detected block size: 255
A>> T=1 (4+0000) 80CA9F7F 00
A<< (0045+2) (16ms) 9F7F2A4790D3214700000000002345406114204839000000000000000012594530363131340000000000000000 9000
[WARN] GPData - Invalid CPLC date: 4530
CPLC: ICFabricator=4790
ICType=D321
OperatingSystemID=4700
OperatingSystemReleaseDate=0000 (2010-01-01)
OperatingSystemReleaseLevel=0000
ICFabricationDate=2345 (2012-12-10)
ICSerialNumber=40611420
ICBatchIdentifier=4839
ICModuleFabricator=0000
ICModulePackagingDate=0000 (2010-01-01)
ICCManufacturer=0000
ICEmbeddingDate=0000 (2010-01-01)
ICPrePersonalizer=1259
ICPrePersonalizationEquipmentDate=4530 (invalid date format)
ICPrePersonalizationEquipmentID=36313134
ICPersonalizer=0000
ICPersonalizationDate=0000 (2010-01-01)
ICPersonalizationEquipmentID=00000000
A>> T=1 (4+0000) 80CA0042 00
A<< (0000+2) (13ms) 6A88
[DEBUG] GPData - GET DATA(IIN): N/A
A>> T=1 (4+0000) 80CA0045 00
A<< (0000+2) (12ms) 6A88
[DEBUG] GPData - GET DATA(CIN): N/A
Card Data:
A>> T=1 (4+0000) 80CA0066 00
A<< (0000+2) (12ms) 6A88
[DEBUG] GPData - GET DATA(Card Data): N/A
Card Capabilities:
A>> T=1 (4+0000) 80CA0067 00
A<< (0000+2) (10ms) 6A88
[DEBUG] GPData - GET DATA(Card Capabilities): N/A
A>> T=1 (4+0000) 80CA00E0 00
A<< (0020+2) (15ms) E012C00401018010C00402018010C00403018010 9000
Version: 1 (0x01) ID: 1 (0x01) type: DES3 length: 16
Version: 1 (0x01) ID: 2 (0x02) type: DES3 length: 16
Version: 1 (0x01) ID: 3 (0x03) type: DES3 length: 16
A>> T=1 (4+0008) 80500000 08 F84B1304E9CCCB89 00
A<< (0028+2) (44ms) 00002345406114204839010200008858A82BFF2ADFE98536447C2ABB 9000
[DEBUG] GlobalPlatform - Host challenge: F84B1304E9CCCB89
[DEBUG] GlobalPlatform - Card challenge: 00008858A82BFF2A
[DEBUG] GlobalPlatform - Card reports SCP02 with key version 1 (0x01)
[DEBUG] GlobalPlatform - Will do SCP02 (8)
[DEBUG] PlaintextKeys - Card keys: {ENC=type=RAW bytes=404142434445464748494A4B4C4D4E4F, DEK=type=RAW bytes=404142434445464748494A4B4C4D4E4F, MAC=type=RAW bytes=404142434445464748494A4B4C4D4E4F}
[DEBUG] GlobalPlatform - Verified card cryptogram: DFE98536447C2ABB
[DEBUG] GlobalPlatform - Calculated host cryptogram: 841DAA1B25EA1743
A>> T=1 (4+0016) 84820100 10 841DAA1B25EA17431205662BFF634819
A<< (0000+2) (25ms) 9000
SCardEndTransaction(ACS ACR1281 1S Dual Reader ICC 0)
SCardDisconnect("ACS ACR1281 1S Dual Reader ICC 0", true)
Exception in thread "main" java.lang.NumberFormatException: For input string: "[0x73]"
at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.base/java.lang.Integer.parseInt(Integer.java:652)
at java.base/java.lang.Integer.parseInt(Integer.java:770)
at pro.javacard.gp.GPCommands.intValue(GPCommands.java:1037)
at pro.javacard.gp.GPTool.main(GPTool.java:429)
当我尝试使用
gp -to A000000151535041 -key 404142434445464748494A4B4C4D4E4F -load applet.cap
加载已签名的小程序时,我得到:
Applet loading failed. Are you sure the CAP file target is compatible with your card?
INSTALL [for load] failed: 0x6985 (Conditions of use not satisfied)
看起来 DAP 密钥没有设置!我这里有库存,但我不知道 DAP 密钥是否已设置以及我在哪里丢失了!正确的步骤是什么?我在哪里犯了错误?
附录1:
gp -version
GlobalPlatformPro v20.01.23-0-g5ad373b
Running on Windows 11 10.0 amd64, Java 11.0.20 by Oracle Corporation
并运行以下命令:
gp -d -v -i -sdaid A000000151535041 -new-keyver 0x73 -put-key rsaPublicKey.pem -key 404142434445464748494A4B4C4D4E4F
GlobalPlatformPro v20.01.23-0-g5ad373b
Running on Windows 11 10.0 amd64, Java 11.0.20 by Oracle Corporation
# Detected readers from JNA2PCSC
[*] ACS ACR1281 1S Dual Reader ICC 0
[ ] ACS ACR1281 1S Dual Reader PICC 0
[ ] ACS ACR1281 1S Dual Reader SAM 0
[ ] JAVACOS Virtual Contact Reader 0
[ ] JAVACOS Virtual Contactless Reader 1
SCardConnect("ACS ACR1281 1S Dual Reader ICC 0", T=*) -> T=1, 3BD518FF8191FE1FC38073C821100A
SCardBeginTransaction("ACS ACR1281 1S Dual Reader ICC 0")
Reader: ACS ACR1281 1S Dual Reader ICC 0
ATR: 3BD518FF8191FE1FC38073C821100A
More information about your card:
http://smartcard-atr.appspot.com/parse?ATR=3BD518FF8191FE1FC38073C821100A
[DEBUG] GPSession - (I)SD AID: A000000151535041
A>> T=1 (4+0008) 00A40400 08 A000000151535041 00
A<< (0018+2) (63ms) 6F108408A000000151535041A5049F6501FF 9000
[TRACE] GPSession - [6F]
[TRACE] GPSession - [84] A000000151535041
[TRACE] GPSession - [A5]
[TRACE] GPSession - [9F65] FF
[DEBUG] GPSession - Auto-detected block size: 255
[TRACE] GPData - GET DATA(CPLC)
A>> T=1 (4+0000) 80CA9F7F 00
A<< (0045+2) (17ms) 9F7F2A4790D3214700000000002345406114204839000000000000000012594530363131340000000000000000 9000
[WARN] GPData - Invalid CPLC date: 4530
CPLC: ICFabricator=4790
ICType=D321
OperatingSystemID=4700
OperatingSystemReleaseDate=0000 (2010-01-01)
OperatingSystemReleaseLevel=0000
ICFabricationDate=2345 (2012-12-10)
ICSerialNumber=40611420
ICBatchIdentifier=4839
ICModuleFabricator=0000
ICModulePackagingDate=0000 (2010-01-01)
ICCManufacturer=0000
ICEmbeddingDate=0000 (2010-01-01)
ICPrePersonalizer=1259
ICPrePersonalizationEquipmentDate=4530 (invalid date format)
ICPrePersonalizationEquipmentID=36313134
ICPersonalizer=0000
ICPersonalizationDate=0000 (2010-01-01)
ICPersonalizationEquipmentID=00000000
[TRACE] GPData - GET DATA(IIN)
A>> T=1 (4+0000) 80CA0042 00
A<< (0000+2) (12ms) 6A88
[DEBUG] GPData - GET DATA(IIN): N/A
[TRACE] GPData - GET DATA(CIN)
A>> T=1 (4+0000) 80CA0045 00
A<< (0000+2) (12ms) 6A88
[DEBUG] GPData - GET DATA(CIN): N/A
Card Data:
[TRACE] GPData - GET DATA(Card Data)
A>> T=1 (4+0000) 80CA0066 00
A<< (0000+2) (13ms) 6A88
[DEBUG] GPData - GET DATA(Card Data): N/A
Card Capabilities:
[TRACE] GPData - GET DATA(Card Capabilities)
A>> T=1 (4+0000) 80CA0067 00
A<< (0000+2) (11ms) 6A88
[DEBUG] GPData - GET DATA(Card Capabilities): N/A
[TRACE] GPData - GET DATA(Key Info Template)
A>> T=1 (4+0000) 80CA00E0 00
A<< (0002+2) (9ms) E000 9000
[TRACE] GPKeyInfo - [E0]
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[INFO] GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
[TRACE] GPSession - Generated host challenge: CBF9FD30F7E7CC91
A>> T=1 (4+0008) 80500000 08 CBF9FD30F7E7CC91 00
A<< (0028+2) (48ms) 0000234540611420483901020040E44E27742BEE237DE8DBC26EEA8F 9000
[DEBUG] GPSession - Host challenge: CBF9FD30F7E7CC91
[DEBUG] GPSession - Card challenge: 0040E44E27742BEE
[DEBUG] GPSession - Card reports SCP02 with key version 1 (0x01)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[INFO] GPSession - Session keys: ENC=AB72716E9FD59960B411D3302BE52BA4 MAC=9AC631F205CADC0651DE5D5B59D57C2A RMAC=2B8D43219A94F5B243BCF1EDD20EFAF5, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[DEBUG] GPSession - Verified card cryptogram: 237DE8DBC26EEA8F
[DEBUG] GPSession - Calculated host cryptogram: B529E033BCDB174E
[TRACE] SCP02Wrapper - MAC input: 8482010010B529E033BCDB174E
A>> T=1 (4+0016) 84820100 10 B529E033BCDB174E55AB271149BAD1D1
A<< (0000+2) (25ms) 9000
[TRACE] SCP02Wrapper - MAC input: 84D800019173A180E29DE024AA485070A1CD8A028901096BADFFE68B510DF933938CDB13AC7BFAD6C51A43094E841EEC140046664F537E7F9C3D0A552016C1350B6ABA4648826125243145C4DBC9045A968FE05E7B7AACE3315CEF54AB7555FAD5520F7DADC4C4CB39A22BF9092A620B992B5B273C00FA3C46D6E3C7AB0197BBF69D88F9CFFF641BA00301000100
A>> T=1 (4+0145) 84D80001 91 73A180E29DE024AA485070A1CD8A028901096BADFFE68B510DF933938CDB13AC7BFAD6C51A43094E841EEC140046664F537E7F9C3D0A552016C1350B6ABA4648826125243145C4DBC9045A968FE05E7B7AACE3315CEF54AB7555FAD5520F7DADC4C4CB39A22BF9092A620B992B5B273C00FA3C46D6E3C7AB0197BBF69D88F9CFFF641BA003010001007D8AC84F6F39BA77
A<< (0000+2) (30ms) 6985
PUT KEY failed: 0x6985 (Conditions of use not satisfied)
https://github.com/martinpaljak/GlobalPlatformPro/issues/118中找到。此问题首次在预发布版本 19.05.16 中修复
我建议使用已修复问题的最新版本20.01.23。
对于输入字符串:“[0x73]”
来自密钥版本
-new-keyver 0x73
gp