12 Replies Latest reply: Jul 30, 2014 11:21 PM by 2657670

    how can i change my JAVA card life cycle state to secured?

    2657670

      When I install an applet, the Card Manager state is OP_READY.

      I want to lock the card. Now I need to go to the SECURED status, but what GP command should I send to transfer the state from OP_READY to SECURED?

        • 1. Re: how can i change my JAVA card life cycle state to secured?
          dimatteo

          Hi,

          In my opinion you need to send two APDU commands "SET STATUS":

          1) Change status from OP_READY to INITIALIZED (i.e. 80F04007 | Lc | AID)

          2) Change status from INITIALIZED to SECURED (i.e. 80F0400F | Lc | AID)

          Regards

          • 2. Re: how can i change my JAVA card life cycle state to secured?
            2657670

            Thanks, but I also want to know the difference between (80F04007 | Lc | AID) and (80F08007 | Lc | AID).

            I think 40 is for applet and 80 is for card? Is that right?

            And I find there are two AIDs. One is the Card Manager AID, the other is the applet AID. Which one should I use?

            Thanks for your help!

            • 3. Re: how can i change my JAVA card life cycle state to secured?
              2657670

              I want to change the Card Manager state from OP_READY to SECURED to lock the card, but there is an error! Please help!

              Card Manager AID   :  A000000003000000

              Card Manager state :  OP_READY

               

               

                  Application:  SELECTABLE (---L--P-) A0000000000101 

                  Load File  :      LOADED (--------) A0000000035350   (Security Domain)

                   Module    :                        A000000003535041

                  Load File  :      LOADED (--------) A000000000     

                   Module    :                        A0000000000101

               

              cm>  /send 80f0400707A0000000000101

              => 80 F0 40 07 07 A0 00 00 00 00 01 01           

              (2808 usec)

              <= 69 85                                        

              Status: Conditions of use not satisfied

              cm>  /send 80f0400707A0000000035350

              => 80 F0 40 07 07 A0 00 00 00 03 53 50          

              (1701 usec)

              <= 6A 88                                           

              Status: Reference data not found

              cm>  /send 80f0400708A000000003000000

              => 80 F0 40 07 08 A0 00 00 00 03 00 00 00          

              (690226 nsec)

              <= 6A 88     

              • 4. Re: how can i change my JAVA card life cycle state to secured?
                dimatteo

                Hi,

                 

                Please see below the P2 byte possible values:

                 

                80h: ISD

                40h: Applications (including SSDs)

                • 5. Re: how can i change my JAVA card life cycle state to secured?
                  2657670

                  Hi, I also don't understand why I send the command but get an error response. /send 80f04007

                  Should I send 80f08007?

                  • 6. Re: how can i change my JAVA card life cycle state to secured?
                    dimatteo

                    Hi again,

                    Before you switch the CardManager into SECURED state, please note that the final ISD keys should be loaded and applets intended for card issuance should be personalized.

                    Please see below my script with the procedure for switching the ISD from state OP_READY to SECURED:

                    mode_211

                    enable_trace

                    establish_context

                    card_connect

                    select -AID a00000

                    Command --> 00A4040003A00000

                    Wrapped command --> 00A4040003A00000

                    Response <-- 6F658408A000000003000000A5599F6501FF9F6E06479100783300734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040215650B06092B8510864864020103660C060A2B060104012A026E01029000

                    open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Put secure channel keys

                    Command --> 80CA006600

                    Wrapped command --> 80CA006600

                    Response <-- 664C734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040215650B06092B8510864864020103660C060A2B060104012A026E01029000

                    Command --> 80500000085A7A6CF0AEBADFCB00

                    Wrapped command --> 80500000085A7A6CF0AEBADFCB00

                    Response <-- 00000273000586915788020200212E6BEC9E332B0FDEA566575A5C409000

                    Command --> 8482010010B097EC4DFB5DABCD412C7C0BCCA75CCE

                    Wrapped command --> 8482010010B097EC4DFB5DABCD412C7C0BCCA75CCE

                    Response <-- 9000

                    send_apdu -sc 1 -APDU 80F0800708A000000003000000

                    Command --> 80F0800708A000000003000000

                    Wrapped command --> 84F0800710A0000000030000004ED9673E665BF560

                    Response <-- 9000

                    send_APDU() returns 0x80209000 (9000: Success. No error.)

                    send_apdu -sc 1 -APDU 80F0800F08A000000003000000

                    Command --> 80F0800F08A000000003000000

                    Wrapped command --> 84F0800F10A0000000030000000E05219330A6CD64

                    Response <-- 9000

                    send_APDU() returns 0x80209000 (9000: Success. No error.)

                    get_status -element 10

                    Command --> 80F21000024F0000

                    Wrapped command --> 84F210000A4F0007B58A8B9C43D0AC00

                    Response <-- 07A000000003535001000108A00000000353504106A000000063020100010CA000000063504B43532D31359000

                     

                    List of Ex. Load File (AID state Ex. Module AIDs)

                    a0000000035350  1

                            a000000003535041

                    a00000006302    1

                            a000000063504b43532d3135

                    get_status -element 20

                    Command --> 80F22000024F0000

                    Wrapped command --> 84F220000A4F00FBD1AF5251304E8E00

                    Response <-- 07A0000000035350010006A0000000630201009000

                     

                    List of elements (AID state privileges)

                    a0000000035350  1       0

                    a00000006302    1       0

                    get_status -element 40

                    Command --> 80F24000024F0000

                    Wrapped command --> 84F240000A4F000BA0A963B3624C3200

                    Response <-- 0CA000000063504B43532D313507069000

                     

                    List of elements (AID state privileges)

                    a000000063504b43532d3135        7       6

                    get_status -element 80

                    Command --> 80F28000024F0000

                    Wrapped command --> 84F280000A4F00D361AD2803DA752A00

                    Response <-- 08A0000000030000000F9A9000

                     

                    List of elements (AID state privileges)

                    a000000003000000        f       9a

                     

                    Regards
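
Added example (not part of any post in this thread, and not GPShell's own code): a Python decoder for the SET STATUS commands and GET STATUS responses that appear in the trace above. The status-type and card life cycle codes follow the GlobalPlatform Card Specification; the function names are hypothetical, and `plan_isd_transition` only models the OP_READY, INITIALIZED, SECURED sequence described in this thread.

```python
# Added example: decode GlobalPlatform SET STATUS / GET STATUS bytes.
# Function names are hypothetical; the codes are from the GlobalPlatform
# Card Specification.

STATUS_TYPE = {0x80: "Issuer Security Domain", 0x40: "Application/SSD"}  # P1
CARD_STATE = {0x01: "OP_READY", 0x07: "INITIALIZED", 0x0F: "SECURED",
              0x7F: "CARD_LOCKED", 0xFF: "TERMINATED"}  # P2 when P1 = 0x80
ISD_SEQUENCE = [0x01, 0x07, 0x0F]  # forward path discussed in the thread

def decode_set_status(apdu_hex):
    b = bytes.fromhex(apdu_hex)
    cla, ins, p1, p2, lc = b[:5]
    if cla not in (0x80, 0x84) or ins != 0xF0 or len(b) != 5 + lc:
        raise ValueError("not a well-formed SET STATUS command")
    data, mac = b[5:], b""
    if cla == 0x84:  # secure messaging: Lc also covers an 8-byte C-MAC
        data, mac = data[:-8], data[-8:]
    # Applications use a different state coding in P2, so keep it raw there.
    state = CARD_STATE.get(p2, hex(p2)) if p1 == 0x80 else hex(p2)
    return {"target": STATUS_TYPE.get(p1, hex(p1)), "state": state,
            "aid": data.hex().upper(), "c_mac": mac.hex().upper()}

def plan_isd_transition(current, goal, isd_aid_hex):
    """Unwrapped SET STATUS commands that step the ISD from current to goal."""
    i, j = ISD_SEQUENCE.index(current), ISD_SEQUENCE.index(goal)
    if j <= i:
        raise ValueError("goal must be a later state than current")
    aid = bytes.fromhex(isd_aid_hex)
    return [(bytes([0x80, 0xF0, 0x80, p2, len(aid)]) + aid).hex().upper()
            for p2 in ISD_SEQUENCE[i + 1:j + 1]]

def parse_get_status(resp_hex):
    """Parse a GET STATUS response (ISD or applications):
    repeated [AID length, AID, life cycle state, privileges]."""
    b = bytes.fromhex(resp_hex)
    body, sw = b[:-2], b[-2:]
    if sw != b"\x90\x00":
        raise ValueError("GET STATUS failed: " + sw.hex().upper())
    entries, i = [], 0
    while i < len(body):
        n = body[i]
        aid, state, priv = body[i + 1:i + 1 + n], body[i + 1 + n], body[i + 2 + n]
        entries.append((aid.hex().upper(), state, priv))
        i += n + 3
    return entries
```

Run on the final `get_status -element 80` response from the trace, `parse_get_status` reports state 0x0F, which `CARD_STATE` maps to SECURED.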

                    • 7. Re: how can i change my JAVA card life cycle state to secured?
                      2657670

                      Thank you for your reply, but you say I must ensure that the applet is personalized. I also have another question and would like your help.

                      When I have already installed the applet as follows:

                      //////////////////////////////////////////////////////////////////////

                      Card Manager AID   :  A000000003000000

                      Card Manager state :  OP_READY

                       

                          Application:  SELECTABLE (---L--P-) A0000000000101

                          Load File  :      LOADED (--------) A0000000035350   (Security Domain)

                           Module    :                        A000000003535041

                          Load File  :      LOADED (--------) A000000000   

                           Module    :                        A0000000000101

                      ///////////////////////////////////////////////////////////////////////

                      In order to personalize, I select the applet (send 00a4040007A0000000000101), then send the personalize commands. Now the applet is personalized.

                      The next step is to change the Card Manager to SECURED.

                      But after I send 00A4040008A00000000300000000 to select the Card Manager AID, the SET STATUS command (/send 80f0800708A000000003000000) returns "6985".

                      What is wrong?

                      If I don't select the Card Manager AID, the SET STATUS command is also wrong because the applet AID was selected just before.

                      ///////////////////////////////////////////////////////////

                      cm>  send 00A4040008A00000000300000000

                      => 00 A4 04 00 08 A0 00 00 00 03 00 00 00 00          ..............

                      (700998 nsec)

                      <= 6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65    oe...........Y.e

                          01 FF 9F 6E 06 47 91 81 07 31 00 73 4A 06 07 2A    ...n.G...1.sJ..*

                          86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B    .H..k.`...*.H..k

                          02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64    ....c...*.H..k.d

                          0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09    ...*.H..k...e...

                          2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01    +...Hd...f...+..

                          04 01 2A 02 6E 01 02 90 00                         ..*.n....

                      Status: No Error

                      cm>  /send 80f0800708A000000003000000

                      => 80 F0 80 07 08 A0 00 00 00 03 00 00 00             .............

                      (696032 nsec)

                      <= 69 85          

                      ////////////////////////////////////////////////////////

                      Thanks.

                      • 8. Re: how can i change my JAVA card life cycle state to secured?
                        dimatteo

                        Hi,

                        You need to authenticate to Card Manager first (2 APDU commands: initialize update + external authenticate).

                         

                        Command --> 80500000085A7A6CF0AEBADFCB00 (Initialize Update)

                        Wrapped command --> 80500000085A7A6CF0AEBADFCB00

                        Response <-- 00000273000586915788020200212E6BEC9E332B0FDEA566575A5C409000

                        Command --> 8482010010B097EC4DFB5DABCD412C7C0BCCA75CCE (External Authenticate)

                        Wrapped command --> 8482010010B097EC4DFB5DABCD412C7C0BCCA75CCE

                        Response <-- 9000

                         

                        I recommend that you download the GPShell tool and run the following script file:

                         

                        mode_211

                        enable_trace

                        establish_context

                        card_connect

                         

                        select -AID a00000

                        open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f

                        send_apdu -sc 1 -APDU 80F0800708A000000003000000

                        send_apdu -sc 1 -APDU 80F0800F08A000000003000000

                        card_disconnect

                        release_context

                         

                        Regards
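
Added example (not part of any post in this thread, and not GPShell's own code): a Python check that walks an APDU transcript and flags SET STATUS commands sent without a preceding INITIALIZE UPDATE and EXTERNAL AUTHENTICATE, the situation behind the 6985 responses above. The transcripts are rebuilt from the thread with SELECT responses trimmed to the status word; the function names are hypothetical, and `parse_init_update` assumes the SCP02 response layout that the second key-information byte (02) in the trace indicates.

```python
# Added example: audit an APDU transcript for SET STATUS sent outside an
# authenticated GlobalPlatform secure channel. Function names are hypothetical.

def parse_init_update(resp_hex):
    """Split an SCP02 INITIALIZE UPDATE response into its fields."""
    b = bytes.fromhex(resp_hex)
    if len(b) != 30 or b[-2:] != b"\x90\x00" or b[11] != 0x02:
        raise ValueError("not a successful SCP02 INITIALIZE UPDATE response")
    return {"key_diversification": b[:10].hex().upper(), "key_version": b[10],
            "scp": b[11], "sequence_counter": b[12:14].hex().upper(),
            "card_challenge": b[14:20].hex().upper(),
            "card_cryptogram": b[20:28].hex().upper()}

def audit(transcript):
    """transcript: [(command_hex, response_hex)]; returns [(index, status_word)]
    for every SET STATUS issued while no secure channel is open."""
    session, findings = "none", []
    for n, (cmd, resp) in enumerate(transcript, 1):
        cla, ins = bytes.fromhex(cmd)[:2]
        ok = resp.upper().endswith("9000")
        if (cla, ins) == (0x00, 0xA4):      # SELECT closes any open secure channel
            session = "none"
        elif (cla, ins) == (0x80, 0x50):    # INITIALIZE UPDATE
            session = "challenged" if ok else "none"
        elif (cla, ins) == (0x84, 0x82):    # EXTERNAL AUTHENTICATE
            session = "open" if ok and session == "challenged" else "none"
        elif ins == 0xF0 and cla in (0x80, 0x84) and session != "open":
            findings.append((n, resp[-4:].upper()))
    return findings

# Transcripts rebuilt from the thread (SELECT responses trimmed to "9000").
INIT_UPDATE_RESP = "00000273000586915788020200212E6BEC9E332B0FDEA566575A5C409000"
FAILING = [("00A4040008A00000000300000000", "9000"),
           ("80F0800708A000000003000000", "6985")]
WORKING = [("00A4040003A00000", "9000"),
           ("80500000085A7A6CF0AEBADFCB00", INIT_UPDATE_RESP),
           ("8482010010B097EC4DFB5DABCD412C7C0BCCA75CCE", "9000"),
           ("84F0800710A0000000030000004ED9673E665BF560", "9000"),
           ("84F0800F10A0000000030000000E05219330A6CD64", "9000")]
```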

                        • 9. Re: how can i change my JAVA card life cycle state to secured?
                          2657670

                          Thank you very much! Now I can change to the SECURED state successfully!

                          • 10. Re: how can i change my JAVA card life cycle state to secured?
                            2657670

                            Hi, can I ask another JCOP CARD question?

                            I can download my .cap file to a Java Card emulator successfully. Now I have bought a real JCOP V2.4.1 card; the Card Manager state is INITIALIZED.

                            But when I send the load command to the real card, it responds with 6A80. What is wrong?

                            First I send initialize update + external authenticate, then I send the install for load command, and it succeeds.

                            The next load .cap command fails (84E80000E6C4822A....)

                            What is the difference between the emulator and the real card?

                            • 11. Re: how can i change my JAVA card life cycle state to secured?
                              Sebastien_Lorquet

                              There is probably a world of differences.

                               

                              The first error causes could be:

                              - the wrong Java Card API version (you may be compiling for a JC version that is too recent for your card)

                              - the absence of a required package on the card.

                              • 12. Re: how can i change my JAVA card life cycle state to secured?
                                2657670

                                Hi, thanks for your reply.

                                But the package of my cap file is

                                cap_data  = header.cap+directory.cap+import.cap+applet.cap+class.cap+method.cap+staticfield.cap+constantPool.cap+reflocation.cap

                                With this cap file, I can successfully download to the emulator, but cannot download to the JCOP card, with a 6A80 error.