
Support for JC2.2.1

Open dylangerdaly opened this issue 6 years ago • 31 comments

Hello,

Great work on these projects! I'm getting into JavaCard Development and would like to start playing around with this applet; however, I seem to be hitting an error when trying to load the cap onto my card.

# user@javacard-dev: ~/PivApplet <master ✔ > (0:32:09)
→ ant [736e1bb]
Buildfile: /home/user/PivApplet/build.xml

dist:

jcpro:
    [mkdir] Created dir: /tmp/jcpro1300806508
    [javac] Compiling 1 source file to /tmp/jcpro1300806508
    [javac] warning: [options] bootstrap class path not set in conjunction with -source 1.7
    [javac] 1 warning

dist:
      [jar] Building jar: /home/user/PivApplet/ext/ant/ant-javacard.jar
      [cap] INFO: using JavaCard v2.2.2 SDK in /home/user/oracle_javacard_sdks/jc222_kit
      [cap] Setting package name to net.cooperi.pivapplet
      [cap] Building CAP with 1 applet from package net.cooperi.pivapplet
      [cap] net.cooperi.pivapplet.PivApplet A000000308000010000100
  [compile] Compiling 4 source files to /home/user/PivApplet/bin
      [cap] CAP saved to /home/user/PivApplet/bin/PivApplet.cap
   [verify] Copyright 2005 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.
   [verify] Verifying CAP file /home/user/PivApplet/bin/PivApplet.cap
   [verify] Verification completed with 0 warnings and 0 errors.

BUILD SUCCESSFUL
Total time: 3 seconds
# user@javacard-dev: ~/PivApplet <master ✔ > (0:32:15)
→ java -jar ~/gp.jar --key-dek XXXX --key-enc XXXX --key-mac XXXX --op201 --install /home/user/PivApplet/bin/PivApplet.cap
LOAD failed: 0x6438

I think I'm missing a dependency perhaps?

0x6438 == Imported package not found.

Any help with this would be appreciated, cheers!

dylangerdaly avatar May 08 '18 22:05 dylangerdaly

Without knowing which card you are using it is impossible to help

martinpaljak avatar May 09 '18 04:05 martinpaljak

Does this help at all?

→ java -jar ~/gp.jar --key-dek XXXX --key-enc XXXX --key-mac XXXX --op201 --info
GlobalPlatformPro v0.3.10rc8-0-gf1dcf34
Reader: Alcor Micro AU9560 00 00
ATR: 3B9F96803FC7A08031E073FE2113635530AA8307900087
More information about your card:
    http://smartcard-atr.appspot.com/parse?ATR=3B9F96803FC7A08031E073FE2113635530AA8307900087

CPLC: ICFabricator=5354
      ICType=4731
      OperatingSystemID=5542
      OperatingSystemReleaseDate=7103 (2017-04-13)
      OperatingSystemReleaseLevel=0300
      ICFabricationDate=0000 (2010-01-01)
      ICSerialNumber=00000000
      ICBatchIdentifier=0000
      ICModuleFabricator=1022
      ICModulePackagingDate=0000 (2010-01-01)
      ICCManufacturer=0000
      ICEmbeddingDate=0000 (2010-01-01)
      ICPrePersonalizer=0000
      ICPrePersonalizationEquipmentDate=0000 (2010-01-01)
      ICPrePersonalizationEquipmentID=00000000
      ICPersonalizer=0000
      ICPersonalizationDate=0000 (2010-01-01)
      ICPersonalizationEquipmentID=00000000

***** GET DATA:
GET DATA(IIN): not supported: 0x6A88 (Referenced data not found)
GET DATA(CIN): not supported: 0x6A88 (Referenced data not found)
GET DATA(SSC): 0029
***** CARD DATA
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.2
-> GP Version: 2.2
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.0
-> GP SCP80 i=00
Tag 64: 1.2.840.114283.4.2.85
-> GP SCP02 i=55
Tag 65: 1.2.840.114283.5.4
Tag 66: 1.3.6.1.4.1.42.2.110.1.3
-> JavaCard v3?
***** KEY INFO
Version:  32 (0x20) ID:   1 (0x01) type: DES3 length:  16 
Version:  32 (0x20) ID:   2 (0x02) type: DES3 length:  16 
Version:  32 (0x20) ID:   3 (0x03) type: DES3 length:  16 
Version:   2 (0x02) ID:   1 (0x01) type: DES3 length:  16 
Version:   2 (0x02) ID:   2 (0x02) type: DES3 length:  16 
Version:   2 (0x02) ID:   3 (0x03) type: DES3 length:  16 
Version:   3 (0x03) ID:   1 (0x01) type: DES3 length:  16 
Version:   3 (0x03) ID:   2 (0x02) type: DES3 length:  16 
Version:   3 (0x03) ID:   3 (0x03) type: DES3 length:  16 

dylangerdaly avatar May 09 '18 08:05 dylangerdaly

I'm experiencing that same error code on a card that only supports JavaCard 2.2.1.

I'm working on a fork of PivApplet that supports 2.2.1 and very low memory cards. It loses extended APDU support, but I think I can keep the applet mostly the same.

The errors seem to come from things like JC2.2.1 not having the classes for Extended length APDUs, or the convenience methods that parse the APDUs.

If you'd like to test if this is the problem, I'd suggest trying JCAlgTest:

https://github.com/crocs-muni/JCAlgTest/releases/tag/v1.7.1.1

If AlgTest_v1.7.1_jc221.cap will install, but AlgTest_v1.7.6_jc222.cap won't, this is probably your issue.

kategray avatar Feb 05 '19 00:02 kategray

@kategray Is your fork with 2.2.1 support around anywhere? Also, I'm curious -- do you know anywhere to buy 2.2.1 only cards online? I'd be tempted to fix it up for you if I had one. The build properties system in master and 0.8.0 lets you turn off the extended APDU bits now.

arekinath avatar May 13 '20 09:05 arekinath

I ended up not finishing my 2.2.1 fork. I ended up using GIDSapplet, though I much prefer PIVApplet, obviously.

This is the card.

https://www.cardlogix.com/product/cardlogix-credentsys-lite-java-card-72k/

I’ve got a pile of sim cut ones, if you would like me to ship you a dozen or so.

kategray avatar May 28 '20 07:05 kategray

If 2.2.1 were supported, I’d be really tempted to do a proper programming utility.

kategray avatar May 28 '20 07:05 kategray

@kategray If you could send one or two cards for testing purposes, would be cool.

martinpaljak avatar May 28 '20 07:05 martinpaljak

@kategray I'd love to get a few to test with. In the meantime, I did make two .cap files for JC221 in the latest release -- you can get the smallest of the two at https://github.com/arekinath/PivApplet/releases/download/v0.8.1/PivApplet-0.8.1-jc221-RESL.cap

I tested it on a JC222 card and it works there at least, so it might be worth a shot if you have any time.

arekinath avatar May 28 '20 10:05 arekinath

@arekinath @martinpaljak Let me know where to send them, and I'll get them out.

kategray avatar May 28 '20 20:05 kategray

@arekinath I'll test it as soon as I can get access to a reader.

kategray avatar May 28 '20 20:05 kategray

It kinda worked, but then it borked.


C:\Kate\JavaCard>gp --info
GlobalPlatformPro v20.04.14-0-geaee04c
Running on Windows 10 10.0 amd64, Java 1.8.0_251 by Oracle Corporation
[main] WARN pro.javacard.gp.GPData - Invalid CPLC date: 0850
CPLC: ICFabricator=4180
      ICType=0107
      OperatingSystemID=8211
      OperatingSystemReleaseDate=6250 (2016-09-05)
      OperatingSystemReleaseLevel=0714
      ICFabricationDate=0850 (invalid date format)
      ICSerialNumber=0012062B
      ICBatchIdentifier=0645
      ICModuleFabricator=0000
      ICModulePackagingDate=0000 (2009-12-31)
      ICCManufacturer=0000
      ICEmbeddingDate=0000 (2009-12-31)
      ICPrePersonalizer=0000
      ICPrePersonalizationEquipmentDate=0000 (2009-12-31)
      ICPrePersonalizationEquipmentID=00000000
      ICPersonalizer=0000
      ICPersonalizationDate=0000 (2009-12-31)
      ICPersonalizationEquipmentID=00000000

IIN: 420100
CIN: 45080000000000000000
Card Data:
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.1.1
-> GP Version: 2.1.1
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.1.5
-> GP SCP01 i=05
Tag 66: 1.3.6.1.4.1.42.2.110.1.2
-> JavaCard v2
Card Capabilities:
Version: 255 (0xFF) ID:   1 (0x01) type: DES3 length:  16
Version: 255 (0xFF) ID:   2 (0x02) type: DES3 length:  16
Version: 255 (0xFF) ID:   3 (0x03) type: DES3 length:  16
Key version suggests factory keys

C:\Kate\JavaCard>gp --install PivApplet-0.8.1-jc221-RESL.cap
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
[main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
[main] INFO pro.javacard.gp.GPSession - Session keys: ENC=B7AB71604A0D1E06AD40FBB050321B26 MAC=B7AB71604A0D1E06AD40FBB050321B26 RMAC=, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
CAP loaded

C:\Kate\JavaCard>"c:\Program Files (x86)\Yubico\YubiKey PIV Manager\yubico-piv-tool.exe" --reader="Identiv SCR3500 A Contact Reader 0" --action=generate --slot=9e --algorithm=RSA2048 --hash=SHA256
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0X07FSQdhVgUGovORyG/
AkgoMLM76G/WKHQVh94x73TihfYWZtpgBn+dBi3ckVBkfr85y/wtSPXcvthOEf1j
b7t31QWBGBw/ZdGZ8tOSol7uTbQ5CeW9KA/lfsXGVVA5xtEC7VgUKyrrBb8iGhcA
/cSOjpQlta+ysLtbiPQdv9nbutW56Y5OnGSULJ2ZxiKk/231woRo+UoQV8bK9LSt
FDp0kjN0jYhxzQcvdXFNwBS+MiPNXbKShIwqtlUqF2xJbl9gCH64dh/RI89X1kuu
LW5MOk3AME6Ff48VqJicjLU8JIvgDEqBhBvSfQgsItzX7FCf1lSeTCsn8DdtypXh
0wIDAQAB
-----END PUBLIC KEY-----
Successfully generated a new private key.

C:\Kate\JavaCard>gp --uninstall PivApplet-0.8.1-jc221-RESL.cap
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
[main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
[main] INFO pro.javacard.gp.GPSession - Session keys: ENC=E9E9CD968D1F62F08A06B2576547BAA4 MAC=E9E9CD968D1F62F08A06B2576547BAA4 RMAC=, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
A000000308000010 deleted.

C:\Kate\JavaCard>gp --install PivApplet-0.8.1-jc221-RESL.cap -v
GlobalPlatformPro v20.04.14-0-geaee04c
Running on Windows 10 10.0 amd64, Java 1.8.0_251 by Oracle Corporation
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
[main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
[main] INFO pro.javacard.gp.GPSession - Session keys: ENC=83A620FCDE54224E86B2750DEF4CF2A8 MAC=83A620FCDE54224E86B2750DEF4CF2A8 RMAC=, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
CAP file (v2.1), contains: applets for JavaCard 2.2.1
Package: net.cooperi.pivapplet A000000308000010 v1.0
Applet:  A000000308000010000100
Import:  A0000000620001                   v1.0 java.lang
Import:  A0000000620101                   v1.2 javacard.framework
Import:  A0000000620102                   v1.2 javacard.security
Import:  A0000000620201                   v1.2 javacardx.crypto
Generated by Sun Microsystems Inc. converter 1.3
On Thu May 28 20:35:39 AEST 2020 with JDK 1.8.0_242 (Oracle Corporation)
Code size 20465 bytes (24506 with debug)
SHA-256 ec719d2d53f0ec4a1d957453882fccc59ef24de213e9bed938d24f0cafad9bf5
SHA-1   d85982c6f880a1cf2c382a652dcc81deb66092bd
CAP loaded
Error: INSTALL [for install and make selectable] failed: 0x6985 (Conditions of use not satisfied)

kategray avatar May 29 '20 04:05 kategray

I have no clue why uninstalling and reinstalling the applet doesn't work.

kategray avatar May 29 '20 04:05 kategray

Fresh card - can generate but not sign.

C:\Kate\JavaCard>gp --info -v
GlobalPlatformPro v20.04.14-0-geaee04c
Running on Windows 10 10.0 amd64, Java 1.8.0_251 by Oracle Corporation
[main] WARN pro.javacard.gp.GPData - Invalid CPLC date: 0850
CPLC: ICFabricator=4180
      ICType=0107
      OperatingSystemID=8211
      OperatingSystemReleaseDate=6250 (2016-09-05)
      OperatingSystemReleaseLevel=0714
      ICFabricationDate=0850 (invalid date format)
      ICSerialNumber=0012042A
      ICBatchIdentifier=0645
      ICModuleFabricator=0000
      ICModulePackagingDate=0000 (2009-12-31)
      ICCManufacturer=0000
      ICEmbeddingDate=0000 (2009-12-31)
      ICPrePersonalizer=0000
      ICPrePersonalizationEquipmentDate=0000 (2009-12-31)
      ICPrePersonalizationEquipmentID=00000000
      ICPersonalizer=0000
      ICPersonalizationDate=0000 (2009-12-31)
      ICPersonalizationEquipmentID=00000000

IIN: 420100
CIN: 45080000000000000000
Card Data:
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.1.1
-> GP Version: 2.1.1
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.1.5
-> GP SCP01 i=05
Tag 66: 1.3.6.1.4.1.42.2.110.1.2
-> JavaCard v2
Card Capabilities:
Version: 255 (0xFF) ID:   1 (0x01) type: DES3 length:  16
Version: 255 (0xFF) ID:   2 (0x02) type: DES3 length:  16
Version: 255 (0xFF) ID:   3 (0x03) type: DES3 length:  16
Key version suggests factory keys

C:\Kate\JavaCard>gp --install PivApplet-0.8.1-jc221-RESL.cap -v
GlobalPlatformPro v20.04.14-0-geaee04c
Running on Windows 10 10.0 amd64, Java 1.8.0_251 by Oracle Corporation
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
[main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
[main] INFO pro.javacard.gp.GPSession - Session keys: ENC=23F764E67DAFED5322DB72B5AB212B09 MAC=23F764E67DAFED5322DB72B5AB212B09 RMAC=, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
CAP file (v2.1), contains: applets for JavaCard 2.2.1
Package: net.cooperi.pivapplet A000000308000010 v1.0
Applet:  A000000308000010000100
Import:  A0000000620001                   v1.0 java.lang
Import:  A0000000620101                   v1.2 javacard.framework
Import:  A0000000620102                   v1.2 javacard.security
Import:  A0000000620201                   v1.2 javacardx.crypto
Generated by Sun Microsystems Inc. converter 1.3
On Thu May 28 20:35:39 AEST 2020 with JDK 1.8.0_242 (Oracle Corporation)
Code size 20465 bytes (24506 with debug)
SHA-256 ec719d2d53f0ec4a1d957453882fccc59ef24de213e9bed938d24f0cafad9bf5
SHA-1   d85982c6f880a1cf2c382a652dcc81deb66092bd
CAP loaded

C:\Kate\JavaCard>"c:\Program Files (x86)\Yubico\YubiKey PIV Manager\yubico-piv-tool.exe" -r "Identiv SCR3500 A Contact Reader 0" --action=generate --slot=9a --algorithm=RSA1024 --hash=SHA1
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCo4NqXmWghObwmxQ61QjuAW0rP
a0EixGjXWOe/grEi/CztcjIqfKSjWCNzBrrN9sCYZ2yAHSpxM9/MDvFSCVakZbcl
3yUAZ4l/tFDzf9myoWG57EbeYJgKgM+SIhN8upCiDKrRzKcDwIVfMoR0yIIUp2bg
beL4A//RAPD7X8JFLwIDAQAB
-----END PUBLIC KEY-----
Successfully generated a new private key.

C:\Kate\JavaCard>"c:\Program Files (x86)\Yubico\YubiKey PIV Manager\yubico-piv-tool.exe" --reader="Identiv SCR3500 A Contact Reader 0" --action=verify-pin --action=selfsign --slot=9a --subject="/CN=Kate Gray/OU=test/O=github.com/"
Enter PIN:
Successfully verified PIN.
Please paste the public key...
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCo4NqXmWghObwmxQ61QjuAW0rP
a0EixGjXWOe/grEi/CztcjIqfKSjWCNzBrrN9sCYZ2yAHSpxM9/MDvFSCVakZbcl
3yUAZ4l/tFDzf9myoWG57EbeYJgKgM+SIhN8upCiDKrRzKcDwIVfMoR0yIIUp2bg
beL4A//RAPD7X8JFLwIDAQAB
-----END PUBLIC KEY-----
Failed signing certificate.

kategray avatar May 29 '20 04:05 kategray

Importing a cert fails, too.

C:\Kate\JavaCard>"c:\Program Files (x86)\Yubico\YubiKey PIV Manager\yubico-piv-tool.exe" --reader="Identiv SCR3500 A Contact Reader 0" --action=import-key --action=import-certificate -KPKCS12 --input=comodo.p12 --slot=9a
Enter Password:
Successfully imported a new private key.
Successfully imported a new certificate.

PuTTY-CAC:

Using username "kate".
Authenticating with public key "CAPI:de609b0da693f233cd80b06b5f60930460898ad4                                                  " from agent
Server refused public-key signature despite accepting key!

kategray avatar May 29 '20 04:05 kategray

@kategray Can you run yubico-piv-tool with -v2 so it shows the APDUs that it's sending to the card and which one fails?

arekinath avatar May 29 '20 05:05 arekinath

C:\Kate\JavaCard>"c:\Program Files (x86)\Yubico\YubiKey PIV Manager\yubico-piv-tool.exe" -v2 --reader="Identiv SCR3500 A Contact Reader 0" --action=generate --action=verify-pin --action=selfsign --action=import-certificate --slot=9c --algorithm=RSA1024  --subject="/CN=Kate Gray/OU=test/O=github.com/"
trying to connect to reader 'Identiv SCR3500 A Contact Reader 0'.
> 00 a4 04 00 08 a0 00 00 05 27 20 01 01
< 6a 82
Failed selecting yk application: 6a82
> 00 a4 04 00 05 a0 00 00 03 08
< 61 69 4f 0b a0 00 00 03 08 00 00 10 00 01 00 79 0d 4f 0b a0 00 00 03 08 00 00 10 00 01 00 50 15 50 69 76 41 70 70 6c 65 74 20 76 30 2e 38 2e 31 2f 52 45 53 4c 5f 50 26 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 61 72 65 6b 69 6e 61 74 68 2f 50 69 76 41 70 70 6c 65 74 ac 0b 80 01 03 80 01 06 80 01 07 06 00 90 00
> 00 fd 00 00 00
< 05 03 00 90 00
Authenticating since action 'generate' needs that.
> 00 87 03 9b 04 7c 02 80 00
< 7c 0a 80 08 a9 b3 ce 28 33 d6 00 d2 90 00
> 00 87 03 9b 16 7c 14 80 08 e2 b7 3a 44 4e 6a 72 a6 81 08 a7 f3 ba cf fc aa ec 9d
< 7c 0a 82 08 a1 f6 5d 9b 83 a2 0f c7 90 00
Successful application authentication.
Action 'verify-pin' does not need authentication.
Action 'selfsign-certificate' does not need authentication.
Skipping authentication for 'import-certificate' since it's already done.
Now processing for action 'generate'.
Going to send 5 bytes in this go.
> 00 47 00 9c 05 ac 03 80 01 06
< 7f 49 81 88 81 81 80 ef ff 1e 80 d0 14 4c 73 f0 b2 57 d9 31 9d 6c 03 ba 82 98 78 e9 31 d1 bf 6f 25 ea 4a fe 5d 6e 57 74 19 50 b6 fd d7 df 93 17 4e 44 6c e5 5e b7 6d 54 c9 5a 17 98 ec 11 f6 91 46 15 48 4a fb 29 45 05 a7 89 ef 6e b0 09 c1 c5 7b 80 35 a5 bf e2 b9 ee 4d 0c ee 58 8a c9 a2 f9 93 bf ef fc 6d e6 39 2c 0f d7 7f 19 55 91 61 06 c2 62 3c 89 10 fb 01 67 4f e2 0e 9a 2c 2b c7 f7 a0 49 33 a6 91 3c 45 82 03 01 00 01 90 00
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDv/x6A0BRMc/CyV9kxnWwDuoKY
eOkx0b9vJepK/l1uV3QZULb919+TF05EbOVet21UyVoXmOwR9pFGFUhK+ylFBaeJ
726wCcHFe4A1pb/iue5NDO5Yismi+ZO/7/xt5jksD9d/GVWRYQbCYjyJEPsBZ0/i
DposK8f3oEkzppE8RQIDAQAB
-----END PUBLIC KEY-----
Successfully generated a new private key.
Now processing for action 'verify-pin'.
Enter PIN:
> 00 20 00 80 08 31 32 33 34 35 36 ff ff
< 90 00
Successfully verified PIN.
Now processing for action 'selfsign-certificate'.
Please paste the public key...
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDv/x6A0BRMc/CyV9kxnWwDuoKY
eOkx0b9vJepK/l1uV3QZULb919+TF05EbOVet21UyVoXmOwR9pFGFUhK+ylFBaeJ
726wCcHFe4A1pb/iue5NDO5Yismi+ZO/7/xt5jksD9d/GVWRYQbCYjyJEPsBZ0/i
DposK8f3oEkzppE8RQIDAQAB
-----END PUBLIC KEY-----
Going to send 136 bytes in this go.
> 00 87 06 9c 88 7c 81 85 82 00 81 81 80 00 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 74 2c a8 70 0b 49 34 04 70 a1 b3 70 88 8d 35 37 95 b1 3f 7a 62 81 70 ae 8a dc 38 fc 8e dc a8 c2
< 67 00
Failed sign command with code 6700.
Failed signing certificate.

kategray avatar May 29 '20 06:05 kategray
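
The `-v2` trace in the post above can be decoded mechanically to see which exchange failed and whether the command itself was well-formed. The following is an added example, not code from this thread, PivApplet or yubico-piv-tool; the function names are hypothetical, and the sample lines are taken from the trace above with the PKCS#1 v1.5 padding run rebuilt programmatically (assuming a well-formed 128-byte block, as the trace's Lc implies).

```python
import re

# Status words that appear in this thread. Meanings follow ISO/IEC 7816-4,
# except 0x6438, whose meaning is the one given in the issue text.
STATUS_WORDS = {
    0x9000: "success",
    0x6700: "wrong length",
    0x6985: "conditions of use not satisfied",
    0x6A82: "file or application not found",
    0x6A88: "referenced data not found",
    0x6438: "imported package not found (per the issue text)",
}
# Instruction bytes seen in the trace.
PIV_INS = {0xA4: "SELECT", 0x20: "VERIFY", 0x47: "GENERATE ASYMMETRIC KEY PAIR",
           0x87: "GENERAL AUTHENTICATE"}

def read_tlv(buf):
    """Parse single-byte-tag BER-TLVs (enough for tags 7C/80/81/82)."""
    items, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                       # long form: 81 nn or 82 nn nn
            n = length & 0x7F
            if n == 0 or pos + n > len(buf):
                raise ValueError("bad long-form length")
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if pos + length > len(buf):
            raise ValueError("TLV length runs past the end of the data field")
        items.append((tag, buf[pos:pos + length]))
        pos += length
    return items

def dynamic_auth_fields(data):
    """Return {tag: value length} for the items inside a 7C template."""
    outer = read_tlv(data)
    if len(outer) != 1 or outer[0][0] != 0x7C:
        raise ValueError("expected a single 7C template")
    return {tag: len(value) for tag, value in read_tlv(outer[0][1])}

def parse_command(raw):
    """Split a short command APDU and check Lc against the bytes present."""
    if len(raw) < 4:
        raise ValueError("command shorter than the 4-byte header")
    cmd = {"ins": raw[1], "p1": raw[2], "p2": raw[3],
           "lc": 0, "data": b"", "well_formed": True}
    if len(raw) > 5:
        cmd["lc"] = raw[4]
        cmd["data"] = raw[5:5 + raw[4]]
        # Lc = 0 here would mean extended length, which this sketch does not
        # handle; after the data field at most one Le byte may follow.
        cmd["well_formed"] = raw[4] != 0 and len(raw) - 5 - raw[4] in (0, 1)
    return cmd

def analyze(trace):
    """Pair '>' command lines with '<' response lines; skip everything else."""
    exchanges, pending = [], None
    for line in trace.splitlines():
        m = re.match(r"^([<>])((?:\s+[0-9a-fA-F]{2})+)$", line.strip())
        if not m:
            continue
        raw = bytes.fromhex(m.group(2))
        if m.group(1) == ">":
            pending = parse_command(raw)
        elif pending is not None and len(raw) >= 2:
            sw = int.from_bytes(raw[-2:], "big")
            pending["sw"] = sw
            pending["ok"] = sw == 0x9000 or sw >> 8 == 0x61  # 61xx: more data
            pending["sw_text"] = STATUS_WORDS.get(sw, "unknown status word")
            pending["template"] = None
            if pending["ins"] == 0x87:
                try:
                    pending["template"] = dynamic_auth_fields(pending["data"])
                except ValueError:
                    pending["well_formed"] = False
            exchanges.append(pending)
            pending = None
    return exchanges

def summarize(trace):
    """One line per exchange, with failures marked."""
    return ["%s %s P1=%02x P2=%02x Lc=%d -> %04X %s" % (
                "ok  " if ex["ok"] else "FAIL",
                PIV_INS.get(ex["ins"], "INS %02x" % ex["ins"]),
                ex["p1"], ex["p2"], ex["lc"], ex["sw"], ex["sw_text"])
            for ex in analyze(trace)]

# Sample input: lines from the trace above. The 128-byte signing input is
# rebuilt as 00 01 | FF x 74 | 00 | SHA-256 DigestInfo | 32-byte hash.
_BLOCK = ("00 01 " + "ff " * 74 + "00 "
          "30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 "
          "74 2c a8 70 0b 49 34 04 70 a1 b3 70 88 8d 35 37 "
          "95 b1 3f 7a 62 81 70 ae 8a dc 38 fc 8e dc a8 c2")
SAMPLE_TRACE = "\n".join([
    "> 00 a4 04 00 08 a0 00 00 05 27 20 01 01",
    "< 6a 82",
    "Failed selecting yk application: 6a82",
    "> 00 87 03 9b 04 7c 02 80 00",
    "< 7c 0a 80 08 a9 b3 ce 28 33 d6 00 d2 90 00",
    "Going to send 136 bytes in this go.",
    "> 00 87 06 9c 88 7c 81 85 82 00 81 81 80 " + _BLOCK,
    "< 67 00",
])

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_TRACE)))
```

On the sample, the signing command parses cleanly (Lc and both TLV lengths agree), so the `67 00` is not explained by a malformed command from the host side.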

And "gp -ldvi" after an install and uninstall would also be of interest (to understand why the install-loading issue might happen)

martinpaljak avatar May 29 '20 07:05 martinpaljak

C:\Kate\JavaCard>gp --uninstall PivApplet-0.8.1-jc221-RESL.cap
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
[main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
[main] INFO pro.javacard.gp.GPSession - Session keys: ENC=1D8076C4CC2F25D0EA6E4D2737DA1944 MAC=1D8076C4CC2F25D0EA6E4D2737DA1944 RMAC=, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
A000000308000010 deleted.
C:\Kate\JavaCard>gp -lvdi
SCardConnect("Identiv SCR3500 A Contact Reader 0", T=*) -> T=1, 3BDF95FF8091FE1FC38025A0000000685319000173C8211329
GlobalPlatformPro v20.04.14-0-geaee04c
Running on Windows 10 10.0 amd64, Java 1.8.0_251 by Oracle Corporation
A>> T=1 (4+0000) 00A40400 00
A<< (0017+2) (394ms) 6F0F8407A0000001510000A5049F6501FF 9000
A>> T=1 (4+0000) 80CA9F7F 00
A<< (0045+2) (40ms) 9F7F2A4180010782116250071408500012062B0645000000000000000000000000000000000000000000000000 9000
[main] WARN pro.javacard.gp.GPData - Invalid CPLC date: 0850
CPLC: ICFabricator=4180
      ICType=0107
      OperatingSystemID=8211
      OperatingSystemReleaseDate=6250 (2016-09-06)
      OperatingSystemReleaseLevel=0714
      ICFabricationDate=0850 (invalid date format)
      ICSerialNumber=0012062B
      ICBatchIdentifier=0645
      ICModuleFabricator=0000
      ICModulePackagingDate=0000 (2010-01-01)
      ICCManufacturer=0000
      ICEmbeddingDate=0000 (2010-01-01)
      ICPrePersonalizer=0000
      ICPrePersonalizationEquipmentDate=0000 (2010-01-01)
      ICPrePersonalizationEquipmentID=00000000
      ICPersonalizer=0000
      ICPersonalizationDate=0000 (2010-01-01)
      ICPersonalizationEquipmentID=00000000

A>> T=1 (4+0000) 80CA0042 00
A<< (0003+2) (36ms) 420100 9000
IIN: 420100
A>> T=1 (4+0000) 80CA0045 00
A<< (0010+2) (37ms) 45080000000000000000 9000
CIN: 45080000000000000000
Card Data:
A>> T=1 (4+0000) 80CA0066 00
A<< (0065+2) (42ms) 663F733D06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040105660C060A2B060104012A026E0102 9000
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.1.1
-> GP Version: 2.1.1
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.1.5
-> GP SCP01 i=05
Tag 66: 1.3.6.1.4.1.42.2.110.1.2
-> JavaCard v2
Card Capabilities:
A>> T=1 (4+0000) 80CA0067 00
A<< (0000+2) (36ms) 6A88
A>> T=1 (4+0000) 80CA00E0 00
A<< (0020+2) (36ms) E012C00401FF8010C00402FF8010C00403FF8010 9000
Version: 255 (0xFF) ID:   1 (0x01) type: DES3 length:  16
Version: 255 (0xFF) ID:   2 (0x02) type: DES3 length:  16
Version: 255 (0xFF) ID:   3 (0x03) type: DES3 length:  16
Key version suggests factory keys
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
A>> T=1 (4+0008) 80500000 08 2ABEA198C210F63A 00
A<< (0028+2) (125ms) 000008500012062B0645FF013AECA92123644686F38DF5B5B12A0465 9000
[main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
[main] INFO pro.javacard.gp.GPSession - Session keys: ENC=109E80036AF7DFF0347F96148FAFB5AF MAC=109E80036AF7DFF0347F96148FAFB5AF RMAC=, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
A>> T=1 (4+0016) 84820100 10 68AF5F7D24219E85FBAD3D7B7C729280
A<< (0000+2) (72ms) 9000
A>> T=1 (4+0010) 84F28002 0A 4F00DB5FB36A785F1C53 00
A<< (0018+2) (68ms) E3104F07A00000015100009F700101C5019E 9000
A>> T=1 (4+0010) 84F24002 0A 4F008A35409A9AAAE3A1 00
A<< (0000+2) (64ms) 6A88
A>> T=1 (4+0010) 84F21002 0A 4F000FAADD7D8A064A87 00
A<< (0000+2) (65ms) 6A88
A>> T=1 (4+0010) 84F22002 0A 4F00207CC858706B6C4B 00
A<< (0000+2) (65ms) 6A88
ISD: A0000001510000 (OP_READY)
     Privs:   SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement
C:\Kate\JavaCard>gp --install PivApplet-0.8.1-jc221-RESL.cap
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
[main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
[main] INFO pro.javacard.gp.GPSession - Session keys: ENC=305D7836E5FABE5BC83EB72C08D42725 MAC=305D7836E5FABE5BC83EB72C08D42725 RMAC=, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
CAP loaded
Error: INSTALL [for install and make selectable] failed: 0x6985 (Conditions of use not satisfied)
C:\Kate\JavaCard>gp -lvdi
SCardConnect("Identiv SCR3500 A Contact Reader 0", T=*) -> T=1, 3BDF95FF8091FE1FC38025A0000000685319000173C8211329
GlobalPlatformPro v20.04.14-0-geaee04c
Running on Windows 10 10.0 amd64, Java 1.8.0_251 by Oracle Corporation
A>> T=1 (4+0000) 00A40400 00
A<< (0017+2) (430ms) 6F0F8407A0000001510000A5049F6501FF 9000
A>> T=1 (4+0000) 80CA9F7F 00
A<< (0045+2) (40ms) 9F7F2A4180010782116250071408500012062B0645000000000000000000000000000000000000000000000000 9000
[main] WARN pro.javacard.gp.GPData - Invalid CPLC date: 0850
CPLC: ICFabricator=4180
      ICType=0107
      OperatingSystemID=8211
      OperatingSystemReleaseDate=6250 (2016-09-06)
      OperatingSystemReleaseLevel=0714
      ICFabricationDate=0850 (invalid date format)
      ICSerialNumber=0012062B
      ICBatchIdentifier=0645
      ICModuleFabricator=0000
      ICModulePackagingDate=0000 (2010-01-01)
      ICCManufacturer=0000
      ICEmbeddingDate=0000 (2010-01-01)
      ICPrePersonalizer=0000
      ICPrePersonalizationEquipmentDate=0000 (2010-01-01)
      ICPrePersonalizationEquipmentID=00000000
      ICPersonalizer=0000
      ICPersonalizationDate=0000 (2010-01-01)
      ICPersonalizationEquipmentID=00000000

A>> T=1 (4+0000) 80CA0042 00
A<< (0003+2) (32ms) 420100 9000
IIN: 420100
A>> T=1 (4+0000) 80CA0045 00
A<< (0010+2) (40ms) 45080000000000000000 9000
CIN: 45080000000000000000
Card Data:
A>> T=1 (4+0000) 80CA0066 00
A<< (0065+2) (41ms) 663F733D06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040105660C060A2B060104012A026E0102 9000
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.1.1
-> GP Version: 2.1.1
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.1.5
-> GP SCP01 i=05
Tag 66: 1.3.6.1.4.1.42.2.110.1.2
-> JavaCard v2
Card Capabilities:
A>> T=1 (4+0000) 80CA0067 00
A<< (0000+2) (36ms) 6A88
A>> T=1 (4+0000) 80CA00E0 00
A<< (0020+2) (40ms) E012C00401FF8010C00402FF8010C00403FF8010 9000
Version: 255 (0xFF) ID:   1 (0x01) type: DES3 length:  16
Version: 255 (0xFF) ID:   2 (0x02) type: DES3 length:  16
Version: 255 (0xFF) ID:   3 (0x03) type: DES3 length:  16
Key version suggests factory keys
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
A>> T=1 (4+0008) 80500000 08 A20EE5833E2AA11D 00
A<< (0028+2) (124ms) 000008500012062B0645FF01EA1B81F6A363BE57D7E51FDF0D85AE6F 9000
[main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
[main] INFO pro.javacard.gp.GPSession - Session keys: ENC=0808C0A8E5CC4D60500E6963306E02DA MAC=0808C0A8E5CC4D60500E6963306E02DA RMAC=, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
A>> T=1 (4+0016) 84820100 10 869D921D45E4EA6D8E00B638C8091670
A<< (0000+2) (72ms) 9000
A>> T=1 (4+0010) 84F28002 0A 4F00311D5ED979D46FB6 00
A<< (0018+2) (66ms) E3104F07A00000015100009F700101C5019E 9000
A>> T=1 (4+0010) 84F24002 0A 4F004C620EC974AA9AB1 00
A<< (0000+2) (65ms) 6A88
A>> T=1 (4+0010) 84F21002 0A 4F009A95C85A4D0086CE 00
A<< (0029+2) (67ms) E31B4F08A0000003080000109F700101840BA000000308000010000100 9000
A>> T=1 (4+0010) 84F22002 0A 4F0056C3AAFCA253B24D 00
A<< (0016+2) (64ms) E30E4F08A0000003080000109F700101 9000
ISD: A0000001510000 (OP_READY)
     Privs:   SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement

PKG: A000000308000010 (LOADED) (|........|)
     Applet:  A000000308000010000100 (|...........|)

kategray avatar May 29 '20 07:05 kategray

Ok, well, I can see at least one problem here with an easy-ish solution. Would you mind trying https://lax.manta.blenco.net.au/alex/public/PivApplet-git339e473-jc221-RESL.cap for me? Hopefully that will fix up the issue with signing.

~~I'm not sure why SELECT is failing though -- I wonder if these cards don't support selection by the shortened AID without the version on the end?~~ EDIT: I see, the selection is for the yubico applet, so it failing is expected, sorry.

arekinath avatar May 29 '20 07:05 arekinath

As far as the install failure, once I uninstall the applet, they don't want to install anymore. They work on first install, though.

Whatever you just did helped. I'm going to test signing with SSH, but it didn't error out this time.

C:\Kate\JavaCard>gp -v --install PivApplet-git339e473-jc221-RESL.cap
GlobalPlatformPro v20.04.14-0-geaee04c
Running on Windows 10 10.0 amd64, Java 1.8.0_251 by Oracle Corporation
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
[main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
[main] INFO pro.javacard.gp.GPSession - Session keys: ENC=9E87D04D05B6626844877B25126E93EE MAC=9E87D04D05B6626844877B25126E93EE RMAC=, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP01
CAP file (v2.1), contains: applets for JavaCard 2.2.1
Package: net.cooperi.pivapplet A000000308000010 v1.0
Applet:  A000000308000010000100
Import:  A0000000620001                   v1.0 java.lang
Import:  A0000000620101                   v1.2 javacard.framework
Import:  A0000000620102                   v1.2 javacard.security
Import:  A0000000620201                   v1.2 javacardx.crypto
Generated by Sun Microsystems Inc. converter 1.3
On Fri May 29 17:49:59 AEST 2020 with JDK 1.8.0_242 (Oracle Corporation)
Code size 20506 bytes (24565 with debug)
SHA-256 b6e083edae6280f5245ee0b95363028ef78fdfe253abd7967d1136eb096356df
SHA-1   5e39101f9fee565d8619fdb06e16b67f48bdd600
CAP loaded

C:\Kate\JavaCard>"c:\Program Files (x86)\Yubico\YubiKey PIV Manager\yubico-piv-tool.exe" -v2 --reader="Identiv SCR3500 A Contact Reader 0" --action=generate --action=verify-pin --action=selfsign --action=import-certificate --slot=9c --algorithm=RSA1024  --subject="/CN=Kate Gray/OU=test/O=github.com/"
trying to connect to reader 'Identiv SCR3500 A Contact Reader 0'.
> 00 a4 04 00 08 a0 00 00 05 27 20 01 01
< 6a 82
Failed selecting yk application: 6a82
> 00 a4 04 00 05 a0 00 00 03 08
< 61 69 4f 0b a0 00 00 03 08 00 00 10 00 01 00 79 0d 4f 0b a0 00 00 03 08 00 00 10 00 01 00 50 15 50 69 76 41 70 70 6c 65 74 20 76 30 2e 38 2e 31 2f 52 45 53 4c 5f 50 26 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 61 72 65 6b 69 6e 61 74 68 2f 50 69 76 41 70 70 6c 65 74 ac 0b 80 01 03 80 01 06 80 01 07 06 00 90 00
> 00 fd 00 00 00
< 05 03 00 90 00
Authenticating since action 'generate' needs that.
> 00 87 03 9b 04 7c 02 80 00
< 7c 0a 80 08 fa 7f 05 7b d9 86 4d 42 90 00
> 00 87 03 9b 16 7c 14 80 08 29 1d ea 1d 67 35 5f 89 81 08 53 91 eb 40 b9 0d 7f 7b
< 7c 0a 82 08 8e 97 e7 a4 7c 65 d6 c2 90 00
Successful application authentication.
Action 'verify-pin' does not need authentication.
Action 'selfsign-certificate' does not need authentication.
Skipping authentication for 'import-certificate' since it's already done.
Now processing for action 'generate'.
Going to send 5 bytes in this go.
> 00 47 00 9c 05 ac 03 80 01 06
< 7f 49 81 88 81 81 80 ec c7 e6 3d f3 95 8a 80 f3 6e fa c3 f2 66 d6 06 e4 67 c0 85 2a d3 9d 0e 80 3a 6b b4 99 34 98 d5 e8 67 b8 c6 09 cc d9 31 26 58 c3 30 7a 68 1c b9 17 30 84 c8 7b 18 1b 35 88 1f d2 a9 4b 3d 5e d5 ca 97 19 4a da fc a0 d5 d5 cd e9 48 6c 94 7a 6e 1d 76 40 c1 bb 12 7e 02 5d a4 33 2e 88 dd 69 dc 40 21 4b e6 68 23 ac 5a 51 d8 47 13 03 e3 ec 98 48 ec c9 a0 04 3b 28 3e 76 42 1a 6e a4 e5 89 e9 82 03 01 00 01 90 00
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsx+Y985WKgPNu+sPyZtYG5GfA
hSrTnQ6AOmu0mTSY1ehnuMYJzNkxJljDMHpoHLkXMITIexgbNYgf0qlLPV7VypcZ
Str8oNXVzelIbJR6bh12QMG7En4CXaQzLojdadxAIUvmaCOsWlHYRxMD4+yYSOzJ
oAQ7KD52QhpupOWJ6QIDAQAB
-----END PUBLIC KEY-----
Successfully generated a new private key.
Now processing for action 'verify-pin'.
Enter PIN:
> 00 20 00 80 08 31 32 33 34 35 36 ff ff
< 90 00
Successfully verified PIN.
Now processing for action 'selfsign-certificate'.
Please paste the public key...
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsx+Y985WKgPNu+sPyZtYG5GfA
hSrTnQ6AOmu0mTSY1ehnuMYJzNkxJljDMHpoHLkXMITIexgbNYgf0qlLPV7VypcZ
Str8oNXVzelIbJR6bh12QMG7En4CXaQzLojdadxAIUvmaCOsWlHYRxMD4+yYSOzJ
oAQ7KD52QhpupOWJ6QIDAQAB
-----END PUBLIC KEY-----
Going to send 136 bytes in this go.
> 00 87 06 9c 88 7c 81 85 82 00 81 81 80 00 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 6e 7c ee 10 6c d0 4b c6 03 7a 3a 20 36 70 3d 47 fe ac 42 56 60 62 15 a3 23 c8 e2 da 67 0f 3f 2c
< 7c 81 83 82 81 80 a8 19 6b 23 50 f4 13 a7 f9 e5 1d 01 d4 e7 c3 12 5e ef bc c4 b9 64 0a 18 c1 bc 6c 70 4d 3f 5b 83 76 34 be ca 3e 97 93 f9 11 18 a7 6b ac e7 4a 40 b0 34 0e 38 3a b7 95 16 b1 16 ee a7 19 a0 ef bf 02 1e 99 94 3b 54 cf 8b d7 e8 09 5f 77 07 8e fd 68 a5 3c 67 ba 55 8e c9 29 d4 0f a1 88 84 ee 0b 72 ff 53 f3 e6 82 57 22 3e 34 83 7d 7c 4a 8b d2 b9 45 15 db b8 5a f4 7d 77 ac 6b 4c cf b0 48 d2 90 00
Successfully generated a new self signed certificate.
Now processing for action 'import-certificate'.
Please paste the certificate...
Going to send 255 bytes in this go.
> 10 db 3f ff ff 5c 03 5f c1 0a 53 82 01 f9 70 82 01 f0 30 82 01 ec 30 82 01 55 a0 03 02 01 02 02 09 00 fb c6 c0 ad 9a b9 32 00 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 38 31 12 30 10 06 03 55 04 03 0c 09 4b 61 74 65 20 47 72 61 79 31 0d 30 0b 06 03 55 04 0b 0c 04 74 65 73 74 31 13 30 11 06 03 55 04 0a 0c 0a 67 69 74 68 75 62 2e 63 6f 6d 30 1e 17 0d 32 30 30 35 32 39 30 38 30 30 32 33 5a 17 0d 32 31 30 35 32 39 30 38 30 30 32 33 5a 30 38 31 12 30 10 06 03 55 04 03 0c 09 4b 61 74 65 20 47 72 61 79 31 0d 30 0b 06 03 55 04 0b 0c 04 74 65 73 74 31 13 30 11 06 03 55 04 0a 0c 0a 67 69 74 68 75 62 2e 63 6f 6d 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 ec c7 e6 3d f3 95 8a 80 f3 6e fa c3 f2 66 d6 06 e4 67 c0 85 2a d3 9d 0e 80 3a
< 90 00
Going to send 255 bytes in this go.
> 10 db 3f ff ff 6b b4 99 34 98 d5 e8 67 b8 c6 09 cc d9 31 26 58 c3 30 7a 68 1c b9 17 30 84 c8 7b 18 1b 35 88 1f d2 a9 4b 3d 5e d5 ca 97 19 4a da fc a0 d5 d5 cd e9 48 6c 94 7a 6e 1d 76 40 c1 bb 12 7e 02 5d a4 33 2e 88 dd 69 dc 40 21 4b e6 68 23 ac 5a 51 d8 47 13 03 e3 ec 98 48 ec c9 a0 04 3b 28 3e 76 42 1a 6e a4 e5 89 e9 02 03 01 00 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 a8 19 6b 23 50 f4 13 a7 f9 e5 1d 01 d4 e7 c3 12 5e ef bc c4 b9 64 0a 18 c1 bc 6c 70 4d 3f 5b 83 76 34 be ca 3e 97 93 f9 11 18 a7 6b ac e7 4a 40 b0 34 0e 38 3a b7 95 16 b1 16 ee a7 19 a0 ef bf 02 1e 99 94 3b 54 cf 8b d7 e8 09 5f 77 07 8e fd 68 a5 3c 67 ba 55 8e c9 29 d4 0f a1 88 84 ee 0b 72 ff 53 f3 e6 82 57 22 3e 34 83 7d 7c 4a 8b d2 b9 45 15 db b8 5a f4 7d 77 ac 6b 4c cf b0 48 d2 71
< 90 00
Going to send 4 bytes in this go.
> 00 db 3f ff 04 01 00 fe 00
< 90 00
Successfully imported a new certificate.

kategray avatar May 29 '20 08:05 kategray

That works!

These were some very cost-competitive cards, and available in large quantities, so I'm absolutely stoked that PIVApplet works. Now to work on a nice automatic PIV configuration app :)

Using username "root".
Authenticating with public key "CAPI:c261dac29d20cd4fa5896df269d1785d0a46f8de                                                   " from agent
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

kategray avatar May 29 '20 08:05 kategray

Maybe manually running garbage collection after uninstall would help? https://www.win.tue.nl/pinpasjc/docs/apis/jc221/javacard/framework/JCSystem.html#requestObjectDeletion()

martinpaljak avatar May 29 '20 08:05 martinpaljak

> Maybe manually running garbage collection after uninstall would help? https://www.win.tue.nl/pinpasjc/docs/apis/jc221/javacard/framework/JCSystem.html#requestObjectDeletion()

Is that something that has to be done on the uninstalling applet side, or is that something that can be done by the newly-installed applet?

kategray avatar May 29 '20 08:05 kategray

> Ok, well, I can see at least one problem here with an easy-ish solution. Would you mind trying https://lax.manta.blenco.net.au/alex/public/PivApplet-git339e473-jc221-RESL.cap for me? Hopefully that will fix up the issue with signing.

Out of curiosity, what was the problem?

kategray avatar May 29 '20 08:05 kategray

See 339e4730f8e7c5d6a97e0e21cd5e9a4606b49293 -- just me forgetting how sign-extension works.

arekinath avatar May 29 '20 08:05 arekinath
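
The commit referenced above is not shown on this page, so the following is an added illustration of the general pitfall, not the fix itself and not PivApplet code: Java bytes are signed, so BER-TLV length octets of 0x80 and above, such as the `81 85` and `82 01 f9` lengths in the command APDUs logged earlier in this thread, turn negative when widened without masking. The class and method names are hypothetical, and it is plain desktop Java rather than Java Card.

```java
// Added illustration, not PivApplet source: BER-TLV length decoding with signed Java bytes.
public class TlvLengthDemo {
    // Tag and length octets copied from two command APDUs in the log above.
    static final byte[] SIGN_TLV = {(byte) 0x7c, (byte) 0x81, (byte) 0x85};
    static final byte[] CERT_TLV = {(byte) 0x53, (byte) 0x82, (byte) 0x01, (byte) 0xf9};

    /** Pitfall: each byte is promoted with sign extension before the OR. */
    static short lengthSignExtended(byte[] buf, int off) {
        byte first = buf[off];
        if (first >= 0) {
            return first;                       // short form, 0x00..0x7f
        }
        int count = first & 0x7f;               // long form: number of length octets
        short len = 0;
        for (int i = 1; i <= count; i++) {
            len = (short) ((len << 8) | buf[off + i]);   // 0x85 ORs in as 0xFFFFFF85
        }
        return len;
    }

    /** Corrected: mask every octet to 0..255 and reject what a short cannot hold. */
    static short lengthMasked(byte[] buf, int off) {
        int first = buf[off] & 0xff;
        if (first < 0x80) {
            return (short) first;
        }
        int count = first & 0x7f;
        if (count < 1 || count > 2 || off + count >= buf.length) {
            throw new IllegalArgumentException("unsupported or truncated length");
        }
        int len = 0;
        for (int i = 1; i <= count; i++) {
            len = (len << 8) | (buf[off + i] & 0xff);
        }
        if (len > Short.MAX_VALUE) {
            throw new IllegalArgumentException("length does not fit in a short");
        }
        return (short) len;
    }

    public static void main(String[] args) {
        for (byte[] tlv : new byte[][] {SIGN_TLV, CERT_TLV}) {
            System.out.printf("tag %02x: sign-extended=%d masked=%d%n",
                    tlv[0] & 0xff, lengthSignExtended(tlv, 1), lengthMasked(tlv, 1));
        }
    }
}
```

A negative length that later feeds an array offset or copy count is the security-relevant part: on a card it typically surfaces as an exception and a failed command, so length parsers are worth testing with inputs of 0x80 and above.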

That might have been what broke my fork, actually. I fixed the compilation errors, but was running into issues actually using the card.

kategray avatar May 29 '20 08:05 kategray

It may be off topic for the JC 2.2.1 fork, as it's for yet another version, but if there is interest, I have written mods for the project to support the NXP proprietary EC functionality in the J2D081/J3D081 (and could support a few other older versions as well) to do the full precomputed hash signatures using the NXP function on those cards, even though they are only JC 3.0.1.

I can certainly distribute my code, though I doubt I could distribute the NXP library .exp (export) files necessary to compile. Is there any interest in this or would it just be pollution in the project?

mhardeman avatar Jun 01 '20 20:06 mhardeman

@mhardeman moving that to its own issue

arekinath avatar Jun 02 '20 00:06 arekinath

Would it be possible to get this on a release? The applet from this issue works well, but I have accidentally tried to use the release .cap a couple times.

kategray avatar Aug 17 '20 01:08 kategray

@kategray Sorry for the delay. 0.8.2 is on the releases now.

arekinath avatar Aug 28 '20 03:08 arekinath