Monday, 24 August 2009

More on GPShell commands

It can be hard to know the AID of the applet instance to select with the GPShell select command, and the accompanying readme really doesn't enlighten the novice developer.

I find that the best way to get the necessary info is to open a secure channel to the Card Manager, and then do a get_status instruction. For example:
select -AID a000000003000000
mode_211
enable_trace
establish_context
card_connect
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f
get_status -element 40
This returns all selectable applet instances on the card.

Note that the select command requires hex values: ASCII characters don't seem to be supported (with or without single or double quotation marks), and an error is not thrown; instead some default domain or package on the card is selected (APDU 00A4040000). This can lead to extreme frustration on the part of the developer when all subsequent test APDU's return the status word 6D00 (unknown INS value).

Card Recognition Data

To get the GPShell open_sc command to work with an applet instance (not the Security Domain), we must ensure that the correct Secure Channel Protocol implementation number is specified.

This number can be retrieved from the Card Recognition Data TLV fields via the OpenPlatform get-data command on tag 0x66 (send APDU 80CA0066) after selecting the Card Manager. For example, with the Nokia 6131 NFC phone, the command returns:
66 4C
--73 4A
----06 07 2A864886FC6B 01
--60 0C
----06 0A 2A864886FC6B 02 02 01 01
--63 09
----06 07 2A864886FC6B 03
--64 0B
----06 09 2A864886FC6B 04 02 55
--65 0B
----06 09 2B8510864864020103
--66 0C
--06 0A 2B060104012A026E0102
9000
The response is formatted into TLV fields according to GP 2.1.1 Section F.2 or GP 2.2 Section H.2, "Structure of Card Recognition Data".

The field at tag 64 (offset 50 in the unformatted string) aka "application tag - GP OID 04" has scp=0x2 (SCP02), i=0x55=85 (scpimpl). Note that this is different from the default i=0x15!

The field at tag 60 aka "application tag - GP OID 02" specifies the GlobalPlatform version, namely GP2v2.1.1 (compare with value in given by ATR and OpenPlatform get-cplc command). This gives a clue as to the Java Card version that can be expected (2.2.1).

The GPShell command to open a secure channel (MAC and ENC) to an applet in the Secure Domain would then be (after selecting the applet):
open_sc -security 3 -keyind FF -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -scpimpl 85 -scp 2
where "-scpimpl 85" specifies the decimal value of the SCP number.

Note: according to the GP spec. H.3, the GP select command on the Security Domain may return TLV values which - if present - override the Card Recognition Data described previously. What exactly this implies I still have to figure out ...


****
Update: I discovered that the COS on the IC in the Nokia is G&D SmartCafe Expert 3.1 which is indeed Java Card 2.2.1 compliant. See this post.

Thursday, 20 August 2009

JCOP version and feature info

On my desk I have two of NXP JCOP smart cards (contact and dual interface), and I'm wondering how to get details about the OS, features and which version of GlobalPlatform they are compatible with.

Using JCOP Tools v3.1.2, start with /atr on the single interface card:
ATR=3B F9 18 00 00 81 31 FE 45 4A 43 4F 50 32 31 56 ;.....1.EJCOP21V
32 32 A9 22.
ATR: T=1, FI=1/DI=8 (31clk/etu), N=0, IFSC=254, BWI=4/CWI=5, Hist="JCOP21V22"
IBM has a load of old information including briefs about JCOP. Useful to know: IBM calls JCOP the "WebSphere Everyplace Chip Operating System" (WECOS).

It seems JCOP21 is GlobalPlatform2.1.1 compliant (and I take the "V22" in the ATR to mean JavaCard2.2.1, since I obtained this card in 2007 before GlobalPlatform v2.2 was released). [EDIT: No, it refers to v2.2 of JCOP21]. Older versions of JCOP (1.0, 2.0 and 3.0) are usually OpenPlatform 2.0.1' compliant. A way to test this is to see if the card supports SCP02 - if it does, it is GP2.1.1 or later, otherwise OP2.0.1'.

To confirm this, we try OpenPlatform command get-data 0066:
Global Platform version : 2.1.1
Global Platform Secure Channel Protocol: 02 option 15
Java Card version : 2.2
Of course, you could also write an applet containing the JavaCard command JCSystem.getVersion()...

The get-cplc command (send APDU 80CA9F7F) returns a load of cryptic information, as below (card has NXP packaging serial P521G072V0/T0PB108):
IC Fabricator : 4790
IC Type : 5016
Operating System ID : 4051
Operating System release date : 5158 (7.6.2005)
Operating System release level : 2400
IC Fabrication Date : 6165 (14.6.2006)
IC Serial Number : 00818890
IC Batch Identifier : 9886
IC Module Fabricator : 4810
IC Module Packaging Date : 6172 (21.6.2006)
ICC Manufacturer : 0000
IC Embedding Date : 0000
IC Pre-Personalizer : 0B12
IC Pre-Perso. Equipment Date : 3A30
IC Pre-Perso. Equipment ID : 38313838
IC Personalizer : 0000
IC Personalization Date : 0000
IC Perso. Equipment ID : 00000000
Apparently, Operating System ID 4051 is IBM. Since this card was obtained from NXP, I would guess that corresponds to IC Fabricator 4790. Apparently the list of ID-to-vendor mappings is proprietary info of VISA, and not readily disseminated (although it used to be included in OpenPlatform specs).

More obscure data about the chip type and mask can be obtained via JCOP Tools command /identify.

To personalise the card we would use the OpenPlatform command store-data (CLA 0x80, INS 0xE2, P1 0x80) with the payload data being the IC Personalizer field followed by the length and then the custom data.

As for JCOP features, lexdabear was kind enough to assemble and publish the following summary (Dec 2006) on JavaCard forum:
ProX family, JCOP v2
JCOP-10: DES, no SSD, contact interface
JCOP-20: DES, no SSD, dual interface
JCOP-30: DES and RSA, no SSD, dual interface
JCOP-31: DES and RSA, SSD, dual interface

SmartMX family, JCOP v2.2
JCOP-10: DES, no SSD, contact interface
JCOP-S-10: DES, no SSD, static, contact interface
JCOP-S-20: DES, RSA, no SSD, static, contact interface
JCOP-S-30: DES and RSA, no SSD, static, dual interface
JCOP-21: DES, AES*, RSA and ECC, SSD, contact interface
JCOP-31: DES, RSA and ECC, SSD, dual interface
JCOP-41: DES, AES*, RSA and ECC, SSD, dual interface

* According to the update thread below, JCOP v2.2.1 does not support AES.

And an update from Dec 2008:
SmartMX family, JCOP v2.3.1 (HW: CC EAL5 and OS: CC EAL4+ certified, USB compliance for JCOP 41)
JCOP-10: DES, no SSD, contact interface, 18kb EEPROM
JCOP-S-10: DES, no SSD, static, contact interface, 10kB EEPROM
JCOP-S-20: DES, RSA, no SSD, static, contact interface, 10kB EEPROM
JCOP-S-30: DES and RSA, no SSD, static, dual interface, 12kB EERPOM
JCOP-21: DES, AES, RSA and ECC, SSD, contact interface, 18kB, 36kB and 72kB EEPROM
JCOP-31: DES, RSA and ECC, SSD, dual interface (AES can be enabled via an encrypted APDU for 72kB version), 36kB and 72kB EEPROM
JCOP-41: DES, AES, RSA and ECC, SSD, tripple interface (T=0/1/15, power class A/B/C, T=CL up to 424kB, USB according to ISO7816-12), 72kB EEPROM

SmartMX family, JCOP v2.3.2, Visa edition (HW: CC EAL5 and OS: CC EAL4+ certified)
JCOP-10: DES, no SSD, contact interface, 18kb EEPROM
JCOP-S-10: DES, no SSD, static, contact interface, 10kB EEPROM
JCOP-S-20: DES, RSA, no SSD, static, contact interface, 10kB EEPROM
JCOP-S-30: DES and RSA, no SSD, static, dual interface, 12kB EERPOM
JCOP-21: DES, AES, RSA and ECC, SSD, contact interface, 18kB and 36kB EEPROM
JCOP-31: DES, RSA and ECC, SSD, dual interface (AES can be enabled via an encrypted APDU for 72kB version), 36kB and 72kB EEPROM

SmartMX family, JCOP v2.4, eGov edition, CMOS14 technology (CMOS18 previously)
JCOP-31: DES, AES, RSA and ECC (GFp up to 320 bit and F2M), SSD, dual interface, 80kB EEPROM

SmartMX family, JCOP v2.4.1, eGov edition, CMOS14 technology, Java Card 2.2.2, (HW: CC EAL5; OS certification ongoing targeting EAL5)
JCOP-31: DES, AES, RSA and ECC (GFp up to 320 bit), SSD, dual interface, 80kB EEPROM
new features: Java Card 2.2.2, extended length, Mifare API according to JC 2.2.2 (IBM's JZsystem previously), SHA-2, ..
Much more info on JCOP features (as well as card IC detail) can be found at the NXP homepage in document 75016165.

Getting the info from the dual-interface card (NXP P521G072V0/T0PB108) delivers JCOP31v22, GP2.1.1, GP SCP 02 option 15, JavaCard v2.2, and same OS ID and IC fabricator as single interface card.

In closing, it must be mentioned that this is a lazy way of going about obtaining the information, but a developer in a hurry will find it useful. The right way is of course to read the GlobalPlatform card specifications, familiarising yourself with TLV encoding, and then playing around with the get-data command on all conceivable tag values.