
OKC installs broken PGP Applet on Smartcard. OKC crashes if smart card is read by OKC.

Open randomisresistance opened this issue 3 years ago • 1 comments

Expected Behavior

OpenKeychain should try to install a working version on the Fidesmo or Fidesmo wearable device. Uninstalling the applet should also be possible. OKC should not crash.

Current Behavior

The installation partially crashes. After successful installation, PGP can no longer be uninstalled on some devices.

Also, it seems to be possible to install applets with batchIDs that are not allowed. Afterwards it is not possible to delete the applet again.

$ java -jar fdsm.jar --trace-api --run 0cdc651e/OKC-install
[...]
GET:
https://api.fidesmo.com/apps/0cdc651e/services/OKC-install?cin=000108FE10FFB9
RECV: 200 OK
{
  "app" : {
    "appId" : "0cdc651e",
    "currency" : "EUR",
    "description" : "[...]",
    "Feature" : "Https://S3-Eu-West-1.Amazonaws.Com/Logos.Fidesmo.Com/0cdc651e.Feature",
    "installServices" : [
      "install"
[...]
RECV: 200 OK
{
  "cin" : "000108FE10XXXX",
  "description" : {
    "batch" : {
      "batchId" : 264,
      "issuer" : 4,
      "persoBureauId" : "000015"
[...]
  "forbiddenBatchId" : [
        100,
[...]
        264,
        265,
        266,
        267,
        275,
        276,
        278
      ]
    },

The batchId is on the forbidden list. However, for the OKC of the PGP applet you get a:

RECV: 200 OK
{
  "completed" : true,
  "encrypted" : false,
  "status" : {
    "message" : {
      "en" : "The Fidesmo PGP was successfully installed on the card.",
      "es" : "La aplicación Fidesmo PGP se ha instalado en la tarjeta con éxito",
      "sv" : "Fidesmos PGP app installerades framgångsrikt på kortet"
    },
    "success" : true
  }
}

So you can install the OKC version of PGP even though the batchId is forbidden. With the normal app

0cdc651e/install

this does not work.

But you can no longer delete the app either:

[...]
GET:
https://api.fidesmo.com/apps/0cdc651e/services/OKC-delete?cin=000108FE10FFB9

FDSM: status code: 404, reason phrase: HTTP/1.1 404 Not Found
Service description is not found

Furthermore, OKC crashes when the ring is brought next to the NFC reader in the mobile phone. This may be related to the issue with the applet, but I'm not sure about this.

Possible Solution

The service seems to be defective. An uninstallation should be possible in any case to be able to install other PGP apps.

The installation of PGP should work and install a functional version of the PGP applet on the smart card chip.

Steps to Reproduce (for bugs)

  1. Download latest fdsm.jar or .exe from https://github.com/fidesmo/fdsm/releases
  2. $ java -jar fdsm.jar --trace-api --run 0cdc651e/OKC-install
  3. $ java -jar fdsm.jar --trace-api --run 0cdc651e/OKC-uninstall

Context

Trying to use this with a Pagopace Ring with an NXP P71

Your Environment

  • Android Version: GrapheneOS latest Version (2021112404)
  • Device Model: Pixel 3a
  • OpenKeychain Version: latest (5.7.5 [57500])
  • From Google Play or F-Droid?: F-Droid

randomisresistance avatar Dec 05 '21 19:12 randomisresistance

Gave Fidesmo a ping about this.

ckahlo avatar Dec 09 '21 22:12 ckahlo
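
A client-side consistency check for the mismatch reported in this issue, as an added example (not code from OpenKeychain, fdsm or Fidesmo): it looks up `batchId` and `forbiddenBatchId` wherever they sit in the JSON, because the trace elides the nesting, and flags an install reported as successful on a forbidden batch. The sample documents are constructed and abridged from the fields quoted in the issue; the `serviceDescription`/`requirements` wrapper and all function names are assumptions.

```python
import json

# Constructed sample responses, trimmed to the fields quoted in the issue.
# The nesting around "forbiddenBatchId" is elided on the page, so the
# "serviceDescription"/"requirements" wrapper is an assumption, and the
# forbidden list is abridged.
DEVICE = json.loads('{"cin": "000108FE10XXXX", "description":'
                    ' {"batch": {"batchId": 264, "issuer": 4}}}')
SERVICE = json.loads('{"serviceDescription": {"requirements": {"forbiddenBatchId":'
                     ' [100, 264, 265, 266, 267, 275, 276, 278]}}}')
RESULT = json.loads('{"completed": true, "status": {"success": true}}')


def find_key(node, key):
    """Depth-first search for `key` at any nesting level; returns all values."""
    found = []
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                found.append(v)
            found.extend(find_key(v, key))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_key(item, key))
    return found


def preflight(device, service):
    """Return (allowed, reason); fails closed if the batch is undetermined."""
    batch_ids = find_key(device, "batchId")
    if len(batch_ids) != 1 or type(batch_ids[0]) is not int:
        return False, "device batchId missing or ambiguous"
    forbidden = {b for lst in find_key(service, "forbiddenBatchId")
                 if isinstance(lst, list) for b in lst}
    if batch_ids[0] in forbidden:
        return False, f"batchId {batch_ids[0]} is on the forbidden list"
    return True, "ok"


def audit(device, service, result):
    """Flag a delivery reported as successful despite a failed preflight."""
    allowed, reason = preflight(device, service)
    succeeded = find_key(result, "success") == [True]
    if succeeded and not allowed:
        return f"POLICY VIOLATION: install succeeded although {reason}"
    return "consistent"


if __name__ == "__main__":
    print(preflight(DEVICE, SERVICE))
    print(audit(DEVICE, SERVICE, RESULT))
```

Running `preflight` before a service delivery would stop an install onto a forbidden batch on the client side; `audit` applies the same rule to a saved `--trace-api` log after the fact.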