Cannot open secure channel to Sm@rt Caffe

[bob-613]

I have tried to list and install apps using GP Pro, but it didn't work (https://stackoverflow.com/questions/68087131/cannot-list-or-install-cap-files-in-javacard-after-unlocking-why-and-how-to-so) so I tried GP, but it also not working

I tried the sample. but not working

C:\gpshell>gpshell
enable_trace
enable_trace
establish_context
establish_context
card_connect
card_connect
* reader name Identiv uTrust 4701 F CL Reader 0
* reader name Identiv uTrust 4701 F Contact Reader 0
select -AID a0000000030000
select -AID a0000000030000
Command --> 00A4040007A0000000030000
Wrapped command --> 00A4040007A0000000030000
Response <-- 6F108408A000000003000000A5049F6501FF9000
Unwrapped response <-- 6F108408A000000003000000A5049F6501FF9000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
Command --> 8050000008D067FF312745EBE500
Wrapped command --> 8050000008D067FF312745EBE500
Response <-- 000021619600596445050102000E2E07A5F0A58F617901CC45908A6D9000
Unwrapped response <-- 000021619600596445050102000E2E07A5F0A58F617901CC45908A6D9000
mutual_authentication() returns 0x80302000 (The verification of the card cryptogram failed.)

Also this not working:

enable_trace
establish_context
card_connect


get_status -element e0
open_sc -security 1 -keyind 0 -keyver 0 -key 404142434445464748494a4b4c4d4e4f -keyDerivation emvcps11

Some more info that may help:

:\gpshell>gp -i
# GlobalPlatformPro 325fe84
# Running on Windows 10 10.0 amd64, Java 11.0.11 by Oracle Corporation
CPLC: ICFabricator=4790
      ICType=5022
      OperatingSystemID=1671
      OperatingSystemReleaseDate=7354 (2017-12-20)
      OperatingSystemReleaseLevel=4325
      ICFabricationDate=2161 (2012-06-09)
      ICSerialNumber=96005964
      ICBatchIdentifier=4505
      ICModuleFabricator=4792
      ICModulePackagingDate=2257 (2012-09-13)
      ICCManufacturer=1673
      ICEmbeddingDate=7354 (2017-12-20)
      ICPrePersonalizer=1674
      ICPrePersonalizationEquipmentDate=2257 (2012-09-13)
      ICPrePersonalizationEquipmentID=00000052
      ICPersonalizer=0000
      ICPersonalizationDate=0000 (2010-01-01)
      ICPersonalizationEquipmentID=00000000

Card Data:
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.1.1
-> GP Version: 2.1.1
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.2.21
-> GP SCP02 i=15
Tag 65: 1.3.656.840.100.2.1.3
Tag 66: 1.3.6.1.4.1.42.2.110.1.2
-> JavaCard v2
Card Capabilities:
Version:   1 (0x01) ID:   1 (0x01) type: DES3         length:  16
Version:   1 (0x01) ID:   2 (0x02) type: DES3         length:  16
Version:   1 (0x01) ID:   3 (0x03) type: DES3         length:  16

Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F

emv_cps11_key_derivation
Unknown command emv_cps11_key_derivation

get_data -identifier 00cf
get_data -identifier 00cf
Command --> 80CA00CF00
Wrapped command --> 80CA00CF00
Response <-- CF0A000021619600596445059000
Unwrapped response <-- CF0A000021619600596445059000
CF0A00002161960059644505

I'm trying to understand. (I didn't found a spec to it ( emvco.com/specifications.aspx?id=20 ))

Also I'm trying to understand:

1. When I did gp -emv -unlock what is it doing? No I only need keys and it is not emv any more?
2. What don't I need to specify -emv later (when doing gp -l -emv it's falied)

What are the keys here (https://community.oracle.com/tech/developers/discussion/2258766/gpshell-command-for-smart-cafe-expert-3-2) Do I need to specify it somewhere?

(key data: 00009154910006b87350 (used for diversification)
ENC: 4f02a08926fe1af412136d2f9d207dc4
MAC: fc7170883874160e6298e67e04818a00
DEK: 7e22e16075c4734c622040cf0eca473a)

4. What can I do to open secure channel with the card by using gpshell?

[kaoh]

1. I'm not familiar with gp, but I would assume that in the mode a master key is used and the 3 keys are derived from it for the secure channel. It should be possible to specify the master key, otherwise maybe also 4041... is used. The derivation is useful because then just the public key diversification data is needed for calculating the keys and it is not necessary to store for all cards the keys anymore.
2. I'm not familiar with gp, but this looks strange, it should then also use the emv mode.
3. No, these keys will be calculated based on the master key and the key derivation mode.
4. The default keys seem to be correct. gp can authenticate.

You cannot call get_status -element e0 before the authentication.

But actually I do not see that gp is using derivation. Use:

mode_211
enable_trace
enable_timer
establish_context
card_connect
select -AID a0000000030000
open_sc -security 1 -scp 2 -keyind 0 -keyver 1 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f
card_disconnect
release_context

Give this a try with key derivation:

mode_211
enable_trace
establish_context
card_connect
select -AID a000000003000000
open_sc -security 1 -keyind 0 -keyver 0 -key 404142434445464748494a4b4c4d4e4f -keyDerivation emvcps11
card_disconnect
release_context

The options for the key derivation are here: https://github.com/kaoh/globalplatform/blob/master/gpshell/src/gpshell.1.md#key-derivation.

BTW. You can also use a script file, instead of typing it in like referenced in the description in https://github.com/kaoh/globalplatform/blob/master/gpshell/src/gpshell.1.md, e.g. https://github.com/kaoh/globalplatform/blob/master/gpshell/helloInstallGP211.txt

[bob-613]

Wow! thanks you VERY much! What solve the issue is just using mode_211 (I dont need -scp 2) But I'm still not able to list apps, or install apps. Very strange.

Install applet:

install -file helloworld.cap
install_for_load() returns 0x80206A88 (6A88: Referenced data not found.)

List applets:

get_status -element e0
get_status() returns 0x80206A86 (6A86: Incorrect parameters (P1, P2).)

[kaoh]

Can you please provide the full APDU log again for both scripts (list applets + install applet)? The enable_trace does this. Then I can dissemble the sent data.

[kaoh]

Do you have any updates regarding this?

[kaoh]

@bob-613 : Can you please provide the full APDU log again for both scripts (list applets + install applet)? The enable_trace does this. Then I can dissemble the sent data.