8 Replies. Latest reply: Jan 30, 2013 6:51 AM by 955319

Install Applet in new Secure Domain

955319 Newbie
I would like to install an applet in a newly created secure domain; I don't care whether by direct install or by extraditing.

Current situation: I installed a secure domain within the preloaded SD package, then I put keys to the new secure domain, therefore it is personalized now. I am able to select the new SD with the new keys.

card info:

Card Manager AID : A000000003000000
Card Manager state : OP_READY

Application: SELECTABLE (--------) FFFFFFFFFFFFFFFFFFAABBCCDD
Sec. Domain:PERSONALIZED (S-------) AABBCCDDEE000000
Load File : LOADED (--------) A0000000035350 (Security Domain)
Module : A000000003535041
Load File : LOADED (--------) FFFFFFFFFFFFFFFFFF
Module : FFFFFFFFFFFFFFFFFFAABBCCDD

BUT, if I open a SCP to the new SD I am not able to upload a package in it with JCShell Command upload.

Try to upload to my SD:

cm> upload -b 250 -s "4B41444F55000000" "C:/applet.cap"
=> 80 E6 02 00 16 09 FF FF FF FF FF FF FF FF FF 08
AA BB CC DD EE 00 00 00 00 00 00 00
(27695 usec)
<= 69 85 i.
Status: Conditions of use not satisfied
jcshell: Error code: 6985 (Conditions of use not satisfied)
jcshell: Wrong response APDU: 6985

Also, I am not able to extradite an existing applet instance from the ISD to my SD.

Try to extradite:
cm> /send 80E610001B08AABBCCDDEE000000000DFFFFFFFFFFFFFFFFFFAABBCCDD
=> 80 E6 10 00 1B 08 AA BB CC DD EE 00 00 00 00 0D
FF FF FF FF FF FF FF FF FF AA BB CC DD 00 00 00
(23873 usec)
<= 69 85
Status: Conditions of use not satisfied

If I connect directly to my SD with SCP02 and try to install, then I get INS Value not supported!!

Please, can anybody help me?

br
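
The two failing commands traced in the post above, split into their length-prefixed fields. This is an added example, not part of the original post; the field names are descriptive labels chosen here, following the GlobalPlatform INSTALL [for load] and INSTALL [for extradition] data layouts, and only P1 = 02 and P1 = 10 are handled.

```python
# Added example: decode the INSTALL (80 E6) APDUs quoted in the post.
# Field names are labels chosen for this example, not JCShell output.
P1_FIELDS = {
    0x02: ("for load", ["load_file_aid", "security_domain_aid",
                        "load_file_hash", "load_parameters", "load_token"]),
    0x10: ("for extradition", ["security_domain_aid", "reserved_1",
                               "application_aid", "reserved_2",
                               "install_parameters", "extradition_token"]),
}


def parse_install(apdu_hex: str) -> dict:
    raw = bytes.fromhex(apdu_hex.replace(" ", ""))
    if len(raw) < 5:
        raise ValueError("APDU shorter than a 5-byte header")
    cla, ins, p1, _p2, lc = raw[:5]
    if (cla, ins) != (0x80, 0xE6):
        raise ValueError("not a GlobalPlatform INSTALL command (80 E6)")
    if p1 not in P1_FIELDS:
        raise ValueError(f"P1={p1:02X} not handled by this example")
    body = raw[5:]
    # One trailing Le byte is tolerated, as in the first trace.
    if len(body) not in (lc, lc + 1):
        raise ValueError(f"Lc={lc} does not match {len(body)} body bytes")
    data, pos = body[:lc], 0
    role, names = P1_FIELDS[p1]
    out = {"role": role}
    for name in names:
        if pos >= len(data):
            raise ValueError(f"data ends before field {name}")
        length = data[pos]
        value = data[pos + 1:pos + 1 + length]
        if len(value) != length:
            raise ValueError(f"field {name} is truncated")
        out[name] = value.hex().upper()
        pos += 1 + length
    if pos != len(data):
        raise ValueError("unexpected bytes after the last field")
    return out


# The two commands exactly as traced in the post (AIDs are the poster's).
LOAD = ("80 E6 02 00 16 09 FF FF FF FF FF FF FF FF FF 08 "
        "AA BB CC DD EE 00 00 00 00 00 00 00")
EXTRADITE = ("80 E6 10 00 1B 08 AA BB CC DD EE 00 00 00 00 0D "
             "FF FF FF FF FF FF FF FF FF AA BB CC DD 00 00 00")

if __name__ == "__main__":
    for apdu in (LOAD, EXTRADITE):
        print(parse_install(apdu))
```

Both commands decode cleanly and both carry an empty token field, so the 6985 is not a malformed-length problem in the APDU itself.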
  • 1. Re: Install Applet in new Secure Domain
    safarmer Expert
    I think the problem is with how you install your SSD. Do you pass any install parameters through? Looking at the JCOP Tools help files they use an install param to make it work. I see that without it extradite fails but with it extradite works.
    install -i |ssd.01 -q c9#(45) -s A0000000035350 A000000003535041
    Here is my complete script that seems to work on the emulator:
    /card
    
    set-key 255/1/DES-ECB/404142434445464748494a4b4c4d4e4f 255/2/DES-ECB/404142434445464748494a4b4c4d4e4f 255/3/DES-ECB/404142434445464748494a4b4c4d4e4f
    set-key 1/1/DES-ECB/404142434445464748494a4b4c4d4e4f 1/2/DES-ECB/404142434445464748494a4b4c4d4e4f 1/3/DES-ECB/404142434445464748494a4b4c4d4e4f
    
    auth
    -delete |instance
    -delete |testpkg
    -delete |ssd.01
    
    install -i |ssd.01 -q c9#(45) -s A0000000035350 A000000003535041
    
    /select |ssd.01
    auth mac
    put-keyset 1
    
    select
    auth
    ls
    
    /mode trace=off
    upload -c "test.cap"
    /mode trace=on
    
    install -i |instance -q c9#() |testpkg |testapp
    
    extradite |ssd.01 |instance
    ls
    - Shane
  • 2. Re: Install Applet in new Secure Domain
    950748 Newbie
    Dear Shane,

    I have installed the SSD as you wrote.
    Then I extradited 1 application from the ISD to the SSD.

    After that I selected the SSD, authenticated with the keys from the ISD (the same keys), and when I wanted to delete the application, I got an error:

    SW1/SW2=6D00 (Checking error: Invalid instruction (0)) Lr=0

    And now
    1. I can't delete the SSD because it has a link to the application.
    2. I can't Get Status from the SSD, and I can't install new applications to the SSD.

    I think when I installed the SSD I didn't set some privileges. Which privileges must I set?
    If you can, write me an INSTALL APDU with such privileges.
  • 3. Re: Install Applet in new Secure Domain
    safarmer Expert
    Hi,

    You can't install to an SSD; you have to extradite to it. This also means you cannot delete when authenticating to the SSD; you delete the application when authenticated to the ISD. You need to have Authorised Management privileges to be able to load, install and delete. These are not given to an SSD. You can think of the SSD as a security partition where you can have the chip divided into partitions for authentication. That way you can have an applet in SSD1 that uses keys from SSD1 to open a secure channel and another in SSD2, and each of these has separate keys so that the owners of SSD1 and SSD2 can have unique keys.

    - Shane
  • 4. Re: Install Applet in new Secure Domain
    950748 Newbie
    Shane, thank you very much for your answer.

    I have authenticated to the ISD but for some reason I can't delete the applet from the SSD. I got error 6985.

    Yes, I know that an applet can use the Global Platform API to use the secure channel with the keys of its security domain.

    Is it possible to make an SSD with such privileges -- Authorized Management or Delegated Management (I have not encountered such management, but I think that you must have a token in the Install command. The token is made with the ISD keys) -- to have the opportunity of installing applets only if I know the keys of the SSD?

    I read in the documentation that if I have the keys of the SSD I can install my applets there,

    Edited by: Tigran on Aug 23, 2012 12:22 PM
  • 5. Re: Install Applet in new Secure Domain
    957464 Newbie
    How did you create the new SD? I have a GP 2.1.1 compatible smartcard and I want to create my own SD but don't know how.

    Could you please tell me the hardware you use?

    TA
  • 6. Re: Install Applet in new Secure Domain
    safarmer Expert
    > I have authenticated to the ISD but for some reason I can't delete the applet from the SSD. I got error 6985.

    Try deleting the package with related objects (delete -r pkgAid in JCOP tools).

    > Is it possible to make an SSD with such privileges -- Authorized Management or Delegated Management (I have not encountered such management, but I think that you must have a token in the Install command. The token is made with the ISD keys) -- to have the opportunity of installing applets only if I know the keys of the SSD?

    You can install an SSD with delegated management but you do need LOAD and INSTALL tokens to be able to use it. The tokens are generated based on a key and details of the object to be loaded/installed so it is a little restrictive (by design).

    > I read in the documentation that if I have the keys of the SSD I can install my applets there,

    That is essentially how the install and extradite mentioned above works. You install in the ISD and then extradite to the SSD so it is in a different security zone with different keys for secure channel.

    - Shane
  • 7. Re: Install Applet in new Secure Domain
    safarmer Expert
    > How did you create the new SD? I have a GP 2.1.1 compatible smartcard and I want to create my own SD but don't know how.

    In GP 2.1.1 you can create an SSD. Is this what you mean? If you want a separate security domain with Authorised Management that behaves just like the ISD does, you can't in GP2.1.1 (to the best of my knowledge).

    - Shane
  • 8. Re: Install Applet in new Secure Domain
    955319 Newbie
    > install -i |ssd.01 -q c9#(45) -s A0000000035350 A000000003535041

    Is there a specification anywhere of which C9 application parameters are possible?

    br Markus

    Edited by: deadpoint on 30.01.2013 06:51
