This discussion is archived
9 Replies Latest reply: Jul 18, 2012 10:07 AM by safarmer

Problem with select APDU

932074 Newbie
Hi all

I have a problem when trying to test an applet created by me like Sebastian Lorquet proposed in this post:

Re: Ask Global Platform SecureChannel

I managed to install my applet on the card, and when I check the applets it contains I can see that the AID of mine appears.

But when I use it and send APDUs through it, the SELECT command fails me.

The SELECT APDU instruction is:

Command -> 00A404000B0102030405060708090000

where 01 02 03 04 05 06 07 08 09 00 00 is the AID of my applet

The response is as follows:

Response <- 6D00 (Invalid instruction byte / Command not supported or invalid)

I do not understand why I get that answer.

I am using gpshell, and the command used is:

select -AID 0102030405060708090000

Thanks in advance

Edited by: bra_racing on 05-jul-2012 15:28
  • 1. Re: Problem with select APDU
    Umer Journeyer
    Include the following code as the first line of code in the process method:
    if (selectingApplet()) {
        return;
    }
  • 2. Re: Problem with select APDU
    932074 Newbie
    OK, the SELECT command now works (thanks Umer).

    Now my problem is in establishing the secure channel. The next command that is sent to the card is a GET_DATA, to obtain in this way the CRD (Card Recognition Data).

    But I do not see this command used in any post; they only work with INITIALIZE_UPDATE and EXTERNAL_AUTHENTICATE. What should I do with this?

    Thanks
  • 3. Re: Problem with select APDU
    Umer Journeyer
    bra_racing wrote:
    OK, the SELECT command now works (thanks Umer).
    welcome

    Actually I could not understand your question. Are you trying to authenticate your card? Or do you want to implement a Secure Channel?

    Edited by: Umer on Jul 10, 2012 3:38 PM
  • 4. Re: Problem with select APDU
    932074 Newbie
    In my GPShell script, after select -AID xxxx I use the command open_sc ... to establish a secure channel. Internally, the execution of this command generates the GET_DATA command, and then INITIALIZE_UPDATE and EXTERNAL_AUTHENTICATE. In the examples I found (and quoted above, on which I have drawn), I see that the commands INITIALIZE_UPDATE and EXTERNAL_AUTHENTICATE are handled but not the GET_DATA command.

    So when I run the applet on my card, the open_sc command generates the following command:

    Command -> 80CA006600
    Wrapped command -> 80CA006600

    and get the answer:

    Response <- 6D00
    GP211_get_secure_channel_protocol_details () returns 0x80206D00 (6D00: Invalid instruction byte / Command not supported or invalid.)

    I hope my intentions are made clear.

    Thank you very much.
  • 5. Re: Problem with select APDU
    Umer Journeyer
    Ah, OK. Just answer me one thing: are you using the code below?
    /**
     * 
     */
    package test;
     
    import javacard.framework.APDU;
    import javacard.framework.Applet;
    import javacard.framework.ISO7816;
    import javacard.framework.ISOException;
     
    import org.globalplatform.GPSystem;
    import org.globalplatform.SecureChannel;
     
    /**
     * @author shane
     * 
     */
    public class TestSecureChannel extends Applet {
        private final static byte INS_INIT_UPDATE = 0x50;
        private final static byte INS_EXT_AUTH = (byte) 0x82;
     
        private TestSecureChannel() {
            // empty
        }
     
        public static void install(byte bArray[], short bOffset, byte bLength) throws ISOException {
            new TestSecureChannel().register();
        }
     
        public void process(APDU apdu) throws ISOException {
            if (selectingApplet()) {
                return;
            }
     
            byte[] buffer = apdu.getBuffer();
     
            byte cla = buffer[ISO7816.OFFSET_CLA];
            byte ins = buffer[ISO7816.OFFSET_INS];
            SecureChannel sc = GPSystem.getSecureChannel();
     
            // Compare as bytes: (byte) 0x80 is -128, which never equals the int literal 0x80 (128).
            if ((byte) (cla & 0x80) == (byte) 0x80) {
                switch (ins) {
                    case INS_INIT_UPDATE:
                    case INS_EXT_AUTH:
                        apdu.setOutgoingAndSend(ISO7816.OFFSET_CDATA, sc.processSecurity(apdu));
                        return;
     
                    default:
                        // fall through
                }
            }
     
            switch (ins) {
                case (byte) 0x01:
                    buffer[0] = sc.getSecurityLevel();
                    apdu.setOutgoingAndSend((short) 0, (short) 1);
                    break;
                default:
                    ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
            }
     
        }
    }
    If not the one above, then copy and paste your code here. For the time being, what I understand is that to send the GET DATA command your currently selected application should be the card manager.


    Edited by: Umer on Jul 10, 2012 4:34 PM
  • 6. Re: Problem with select APDU
    932074 Newbie
    Exactly, my code looks like the one you describe.

    Then, is it not possible to open a secure channel with a selected applet that is different from the card manager?

    Is there no other possibility?

    Thank you very much, Umer
  • 7. Re: Problem with select APDU
    Umer Journeyer
    bra_racing wrote:
    Exactly, my code looks like the one you describe.

    Then, is it not possible to open a secure channel with a selected applet that is different from the card manager?
    Yes, it should be possible, but in that case your applet should behave like a card manager; if you look, you will realize that a card manager is just an applet which does the necessary tasks like authentication, applet loading, installation, etc.
    Is there no other possibility?
    Can you tell us why you want to use your own applet rather than the card manager for the secure channel? After knowing the reason, experts here can help you (I am not including myself in the experts :-) )

    Regards
    Umer
  • 8. Re: Problem with select APDU
    932074 Newbie
    I am researching this topic as part of my final year project, and I want to initially implement a Javacard applet that communicates using a Secure Channel (I don't want to create a new JCManager).

    In fact I have a program developed in Java that implements the whole cryptography part and establishes the secure channel, quite similar to GPShell. Now I'm on the Javacard part.

    This is more or less what I want to achieve right now:

    PCClient                              MyJCApplet
       <---- Establish secure channel --->
       Send APDUs and responses over this secure channel

    Then, is the applet code above the right one to do so? How do I establish the secure channel? Does my PC client have to communicate directly with myJCapplet or do I have to create a secure channel with the JC manager and then use this secure channel to communicate with myJCapplet? Which of these options is the good one:
    A)
    - Select JC manager
    - Open Secure Channel
    - Select Myapplet
    - Send APDU "encrypted"

    B)
    - Select Myapplet
    - Open Secure Channel
    - Send APDU "encrypted"

    The other issue I don't know is how to deal with the keys that are used (especially in case B).

    If you have a very simple example, I would really appreciate as I'm stuck with that. I will continue trying things.

    Thanks a lot for your help.

    Post edited by bra_racing
  • 9. Re: Problem with select APDU
    safarmer Expert
    GPShell is issuing a GET DATA command to get the data required to derive card keys etc. This is something that the card manager handles. I believe that GPShell is designed to authenticate to the card manager and not a particular applet. I do not know of a way that GPShell can just send the INITIALIZE UPDATE and EXT_AUTH commands.

    Shane
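
The APDUs quoted in this thread, decoded field by field and checked against a Python model of the posted applet's instruction dispatch. This is an added example, not part of the original posts or of GPShell; the function names and the simplified SELECT check are assumptions made for illustration.

```python
# Added example: decodes the short-form APDUs quoted in the thread and models
# which instructions the TestSecureChannel applet's process() method names.
INS_NAMES = {0xA4: "SELECT", 0xCA: "GET DATA",
             0x50: "INITIALIZE UPDATE", 0x82: "EXTERNAL AUTHENTICATE"}

# INS values that appear in the switch statements of the posted applet.
APPLET_INS = {0x50, 0x82, 0x01}
SW_INS_NOT_SUPPORTED = 0x6D00  # value of ISO7816.SW_INS_NOT_SUPPORTED


def parse_apdu(hex_str):
    """Split a short-form command APDU into header, data and Le."""
    raw = bytes.fromhex(hex_str)
    if len(raw) < 4:
        raise ValueError("APDU header needs 4 bytes")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    data, le = b"", None
    if len(body) == 1:                      # case 2: Le only
        le = body[0]
    elif len(body) > 1:                     # case 3 or 4: Lc + data [+ Le]
        lc = body[0]
        data = body[1:1 + lc]
        rest = body[1 + lc:]
        if len(data) != lc or len(rest) > 1:
            raise ValueError("Lc does not match the data length")
        le = rest[0] if rest else None
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data,
            "le": le, "name": INS_NAMES.get(ins, "unknown")}


def dispatch_status(apdu, checks_selecting_applet=True):
    """0x9000 if the modelled applet has a handler for the command, else 6D00.

    Simplification (assumption): any SELECT by name counts as selecting this
    applet, and reaching a handler is reported as 0x9000 even though the real
    handler may still throw.
    """
    is_select = (apdu["cla"], apdu["ins"], apdu["p1"]) == (0x00, 0xA4, 0x04)
    if is_select and checks_selecting_applet:
        return 0x9000                       # process() returns early
    return 0x9000 if apdu["ins"] in APPLET_INS else SW_INS_NOT_SUPPORTED


if __name__ == "__main__":
    for cmd in ("00A404000B0102030405060708090000", "80CA006600"):
        a = parse_apdu(cmd)
        print(cmd, a["name"], a["data"].hex(), hex(dispatch_status(a)))
```

Passing `checks_selecting_applet=False` reproduces the first 6D00 in the thread; the GET DATA command (tag 0066) yields 6D00 in either case because 0xCA is not among the instructions the applet handles.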
