[Question title]: Trouble with GlobalPlatform Secure Connection
[Posted]: 2019-08-09 12:59:33
[Question description]:

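I'm trying to work with a Gemalto SIM card (JavaCard 3.0, GlobalPlatform 2.2.1). I want to read the applet list and the card life cycle state, then set the OP_SECURED state and communicate with a custom applet on the card.

I tried to run a simple script in GPShell-1.4.4: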

```
establish_context
enable_trace
enable_timer
card_connect
select -AID A000000151000000
open_sc -scp 1 -scpimpl 0x15 -security 3 -keyind 0 -keyver 0 -key 404142434445464748494a4b4c4d4e4f
get_status -element e0
card_disconnect
release_context
```

But I receive "6985: Command not allowed - Conditions of use not satisfied":

```
select -AID A000000151000000
Command --> 00A4040008A000000151000000
Wrapped command --> 00A4040008A000000151000000
Response <-- 6F7E8408A000000151000000A572736306072A864886FC6B01600B06092A864886FC6B020202630906072A864886FC6B03640B06092A864886FC6B048000640B06092A864886FC6B040255650E060C2A864886FC6B0506010000016616060A2B060104012A026E0103060847544F303034011C9F6E0600773136011C9F6501FF9000
command time: 47 ms
open_sc -scp 1 -scpimpl 0x15 -security 3 -keyind 0 -keyver 0 -key 404142434445464748494a4b4c4d4e4f
Command --> 805000000808FC675C589A284D00
Wrapped command --> 805000000808FC675C589A284D00
Response <-- 6985
mutual_authentication() returns 0x80206985 (6985: Command not allowed - Conditions of use not satisfied.)
```

I also tried GlobalPlatformPro, but got the same result. Card info from GPP:

```
[WARN] GPData - Invalid CPLC date: 2A23
[WARN] GPData - Invalid CPLC date: FFFF
[WARN] GPData - Invalid CPLC date: FFFF
[WARN] GPData - Invalid CPLC date: FFFF
[WARN] GPData - Invalid CPLC date: FFFF
CPLC: ICFabricator=1290
      ICType=00D2
      OperatingSystemID=0077
      OperatingSystemReleaseDate=3136 (2013-05-16)
      OperatingSystemReleaseLevel=011C
      ICFabricationDate=2A23 (invalid date format)
      ICSerialNumber=FF300050
      ICBatchIdentifier=0002
      ICModuleFabricator=FFFF
      ICModulePackagingDate=FFFF (invalid date format)
      ICCManufacturer=FFFF
      ICEmbeddingDate=FFFF (invalid date format)
      ICPrePersonalizer=FFFF
      ICPrePersonalizationEquipmentDate=FFFF (invalid date format)
      ICPrePersonalizationEquipmentID=FFFFFFFF
      ICPersonalizer=FFFF
      ICPersonalizationDate=FFFF (invalid date format)
      ICPersonalizationEquipmentID=FFFFFFFF

IIN: 42048938003F
CIN: 450A8938003990338914650F
Card Data:
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.2
-> GP Version: 2.2
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.0
-> GP SCP80 i=00
Tag 64: 1.2.840.114283.4.2.85
-> GP SCP02 i=55
Tag 65: 1.2.840.114283.5.6.1.0.0.1
Tag 66: 1.3.6.1.4.1.42.2.110.1.3
-> JavaCard v3
Card Capabilities:
Supports: SCP02 i=05 i=15 i=55
Supports: SCP03 i=00 i=10 i=20 i=30 i=60 i=70 with AES-128 AES-196 AES-256
Supports: SCP80 i=00
Supported DOM privileges: SecurityDomain, DelegatedManagement, CardLock, CardTer
minate, CardReset, CVMManagement, MandatedDAPVerification, TrustedPath, Authoriz
edManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, Final
Application, GlobalService, ReceiptGeneration, CipheredLoadFileDataBlock, Contac
tlessActivation, ContactlessSelfActivation
Supported APP privileges: CardLock, CardTerminate, CardReset, CVMManagement, Tru
stedPath, GlobalRegistry, FinalApplication, GlobalService, ContactlessActivation
, ContactlessSelfActivation
Supported LFDB hash: 01020304
Supported Token Verification ciphers: FF03
Supported Receipt Generation ciphers: FF03
Supported DAP Verification ciphers: FF03
Version:   2 (0x02) ID:   1 (0x01) type: DES3 length:  24
Version:   2 (0x02) ID:   2 (0x02) type: DES3 length:  24
Version:   2 (0x02) ID:   3 (0x03) type: DES3 length:  24
Version:  32 (0x20) ID:   1 (0x01) type: DES3 length:  16
Version:  32 (0x20) ID:   2 (0x02) type: DES3 length:  16
Version:  32 (0x20) ID:   3 (0x03) type: DES3 length:  16
```

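I don't understand how to solve this problem.

[Question comments]:

  • Try SCP02, since SCP01 is deprecated in GP 2.2
  • I realized what was wrong. The correct command is: open_sc -scp 2 -scpimpl 0x55 -security 3 -keyind 0 -keyver 32 -key 404142434445464748494a4b4c4d4e4f
  • @CharlesLee I think you could answer this question; it might be useful to more people who don't know this, and it seems to be a major error in the command given. I have voted to close, but if you answer I'll happily remove that close vote - please comment below.
  • I posted the answer. Thanks.

Tags: smartcard javacard apdu globalplatform gemalto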


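[Solution 1]:

It's better to switch to SCP03, since SCP02 has been flagged as insecure and deprecated. According to the second thread, this card also supports SCP03.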


[Solution 2]:

Try SCP02, since SCP01 is deprecated in GP 2.2.

Reference: http://www.unsads.com/specs/GlobalPlatform/2.2/GPCardSpec_22_ReleaseNotes_20060325.pdf

Section 6, Secure Channel Protocols.
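
An added example (not code from the question, GPShell or GlobalPlatformPro): it parses the SELECT response from the trace in the question and lists the (scp, i) pairs the card advertises in tag 64 of its Card Recognition Data, so `-scp`/`-scpimpl` can be checked before INITIALIZE UPDATE is sent. The function names are hypothetical, and reading the two bytes after the OID prefix as raw scp and i values is an assumption that matches the GlobalPlatformPro output shown in the question.

```python
GP_SCP_OID = bytes.fromhex("2A864886FC6B04")  # 1.2.840.114283.4, then scp and i
# SELECT response copied from the GPShell trace in the question (ends with SW 9000).
SELECT_RESPONSE = bytes.fromhex(
    "6F7E 8408A000000151000000 A572 7363 06072A864886FC6B01"
    "600B06092A864886FC6B020202 630906072A864886FC6B03 640B06092A864886FC6B048000"
    "640B06092A864886FC6B040255 650E060C2A864886FC6B050601000001"
    "6616060A2B060104012A026E0103060847544F303034011C 9F6E0600773136011C 9F6501FF 9000")

def tlv(data):
    """Yield (tag, value) for each BER-TLV object in data."""
    i = 0
    while i < len(data):
        tag, i = data[i], i + 1
        if tag & 0x1F == 0x1F:            # two-byte tag such as 9F6E
            tag, i = (tag << 8) | data[i], i + 1
        length, i = data[i], i + 1
        if length & 0x80:                 # long-form length (81 xx, 82 xx xx)
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated TLV")
        yield tag, data[i:i + length]
        i += length

def child(data, wanted):
    # Value of the first TLV object in data whose tag equals `wanted`.
    for tag, value in tlv(data):
        if tag == wanted:
            return value
    raise ValueError(f"tag {wanted:02X} not found")

def advertised_scps(select_response):
    """List (scp, i) pairs from the tag 64 entries of the Card Recognition Data."""
    crd = child(child(child(select_response[:-2], 0x6F), 0xA5), 0x73)
    found = []
    for tag, value in tlv(crd):
        if tag == 0x64:
            oid = child(value, 0x06)
            if oid.startswith(GP_SCP_OID) and len(oid) == len(GP_SCP_OID) + 2:
                found.append((oid[-2], oid[-1]))   # raw bytes (assumed encoding)
    return found

def open_sc_is_advertised(scp, scpimpl, select_response=SELECT_RESPONSE):
    """True if the -scp/-scpimpl pair is one the card lists in tag 64."""
    return (scp, scpimpl) in advertised_scps(select_response)

if __name__ == "__main__":
    print([f"SCP{s:02X} i={i:02X}" for s, i in advertised_scps(SELECT_RESPONSE)])
    for scp, impl in ((1, 0x15), (2, 0x55)):   # the question's attempt, then the fix
        print(f"-scp {scp} -scpimpl {impl:#x}:", open_sc_is_advertised(scp, impl))
```

The check covers only `-scp` and `-scpimpl`; the key version is a separate choice, and the key list in the question reports versions 2 and 32.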
