I think the problem is with how you install your SSD. Do you pass any install parameters through? Looking at the JCOP Tools help files they use an install param to make it work. I see that without it extradite fails but with it extradite works.
Here is my complete script that seems to work on the emulator:
install -i |ssd.01 -q c9#(45) -s A0000000035350 A000000003535041
/card
set-key 255/1/DES-ECB/404142434445464748494a4b4c4d4e4f 255/2/DES-ECB/404142434445464748494a4b4c4d4e4f 255/3/DES-ECB/404142434445464748494a4b4c4d4e4f
set-key 1/1/DES-ECB/404142434445464748494a4b4c4d4e4f 1/2/DES-ECB/404142434445464748494a4b4c4d4e4f 1/3/DES-ECB/404142434445464748494a4b4c4d4e4f
auth
-delete |instance
-delete |testpkg
-delete |ssd.01
install -i |ssd.01 -q c9#(45) -s A0000000035350 A000000003535041
/select |ssd.01
auth mac
put-keyset 1
select
auth
ls
/mode trace=off
upload -c "test.cap"
/mode trace=on
install -i |instance -q c9#() |testpkg |testapp
extradite |ssd.01 |instance
ls
I have installed the SSD as you wrote.
Then I extradited 1 application from the ISD to the SSD.
After that I select the SSD, auth with the keys from the ISD (the same keys), and when I wanted to delete the application, I got an error:
SW1/SW2=6D00 (Checking error: Invalid instruction (0)) Lr=0
1. I can't delete the SSD because it has a link to the Application.
2. I can't Get Status from the SSD, I can't install new applications to the SSD.
I think when I installed the SSD I didn't set some privileges. Which privileges must I set?
If you can, write me an INSTALL APDU with such privileges.
You can't install to an SSD you have to extradite to it. This also means you cannot delete when authenticating to the SSD, you delete the application when authenticated to the ISD. You need to have Authorised Management privileges to be able to load, install and delete. These are not given to an SSD. You can think of the SSD as a security partition where you can have the chip divided into partitions for authentication. That way you can have an applet in SSD1 that uses keys from SSD1 to open a secure channel and another in SSD2 and each of these have separate keys so that the owner of SSD1 and SSD2 can have unique keys.
Shane, thank you very much for your answer.
I have auth to the ISD but for some reason I can't delete the applet from the SSD. I got error 6985.
Yes, I know that an applet can use the Global Platform API for using the Security Channel of its security domain keys.
Is it possible to make an SSD with such privileges -- Authorized Management or Delegated Management (I did not encounter such management, but I think that you must have a token in the Install command. The token is made with ISD keys) to have the opportunity of installing applets only if I know the keys of the SSD?
I read in the documentation that if I have the keys of the SSD I can install my applets there.
Edited by: Tigran on Aug 23, 2012 12:22 PM
> I have auth to the ISD but for some reason I can't delete the applet from the SSD. I got error 6985.
Try deleting the package with related objects (delete -r pkgAid in JCOP tools).
> Is it possible to make an SSD with such privileges -- Authorized Management or Delegated Management (I did not encounter such management, but I think that you must have a token in the Install command. The token is made with ISD keys) to have the opportunity of installing applets only if I know the keys of the SSD?
You can install an SSD with delegated management but you do need LOAD and INSTALL tokens to be able to use it. The tokens are generated based on a key and details of the object to be loaded/installed so it is a little restrictive (by design).
> I read in the documentation that if I have the keys of the SSD I can install my applets there.
That is essentially how the install and extradite mentioned above works. You install in the ISD and then extradite to the SSD so it is in a different security zone with different keys for secure channel.
> How have you created the new SD? I have a GP 2.1.1 compatible smartcard and I want to create my own SD but don't know how.
In GP 2.1.1 you can create an SSD. Is this what you mean? If you want a separate security domain with Authorised Management that behaves just like the ISD does, you can't in GP2.1.1 (to the best of my knowledge).
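An added example, not from anyone in this thread, that builds the INSTALL [for install and make selectable] APDU for a Security Domain from the AIDs in the script above and decodes the GP 2.1.1 privileges byte, showing that the one-byte field has a Security Domain and a Delegated Management bit but no Authorized Management bit (that privilege only exists from GP 2.2 onwards). The bit layout is taken from the GP Card Specification 2.1.1 as I recall it, the `|ssd.01` instance AID is a constructed placeholder, and reading `c9#(45)` as the TLV `C9 01 45` is my assumption about the JCOP shell syntax.

```python
# GP 2.1.1 privileges byte (layout assumed from the GP 2.1.1 spec; GP 2.2 uses three bytes)
PRIVILEGES_GP211 = {
    0x80: "Security Domain",
    0x40: "DAP Verification",
    0x20: "Delegated Management",
    0x10: "Card Lock",
    0x08: "Card Terminate",
    0x04: "Default Selected",
    0x02: "CVM Management",
    0x01: "Mandated DAP Verification",
}

def decode_privileges(priv: int) -> list[str]:
    """Names of the GP 2.1.1 privileges set in a one-byte privileges field."""
    return [name for bit, name in PRIVILEGES_GP211.items() if priv & bit]

def lv(value: bytes) -> bytes:
    """One-byte length prefix followed by the value (GP LV encoding)."""
    return bytes([len(value)]) + value

def install_for_install(load_file_aid: bytes, module_aid: bytes, instance_aid: bytes,
                        privileges: bytes, install_params: bytes = b"",
                        make_selectable: bool = True) -> bytes:
    """INSTALL [for install] APDU, GP 2.1.1 data layout, without a Delegated Management token:
    LV(load file AID) LV(module AID) LV(instance AID) LV(privileges) LV(params) LV(token)."""
    data = (lv(load_file_aid) + lv(module_aid) + lv(instance_aid)
            + lv(privileges) + lv(install_params) + lv(b""))   # empty token field
    p1 = 0x0C if make_selectable else 0x04        # 0x0C = install and make selectable
    return bytes([0x80, 0xE6, p1, 0x00, len(data)]) + data

# AIDs taken from the script in the thread (GP SD package and module)
SD_PACKAGE_AID = bytes.fromhex("A0000000035350")
SD_MODULE_AID = bytes.fromhex("A000000003535041")
SSD_INSTANCE_AID = SD_MODULE_AID + b"\x01"        # constructed placeholder for |ssd.01
C9_PARAMS = bytes.fromhex("C90145")               # assumed TLV form of the script's c9#(45)

def ssd_install_apdu() -> bytes:
    """INSTALL APDU for an SSD instance with only the Security Domain privilege (0x80) set."""
    return install_for_install(SD_PACKAGE_AID, SD_MODULE_AID, SSD_INSTANCE_AID,
                               b"\x80", C9_PARAMS)

if __name__ == "__main__":
    print(ssd_install_apdu().hex().upper())
    print(decode_privileges(0x80))                # ['Security Domain']
    print(decode_privileges(0xA0))                # adds 'Delegated Management'
    # Nothing in the GP 2.1.1 byte can express Authorized Management for an SSD
    print("Authorized Management" in PRIVILEGES_GP211.values())   # False
```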