Problems with downloading a public RSA key to a SSD with Delegate Management

[grv333]

I encountered problems when I tried to put the public RSA key on the Supplementary Security Domain (SSD) with the Delegate Management(DM) privs to smart card using the GPShell utility. What I do:

1. I generate a private key using the options:

openssl genrsa -out ./pr.pem -des -passout pass:12345678 1024

2. Based on it, I generate a public key:

openssl rsa -in ./pr.pem -pubout -out pub.pem

3. I create on the smart card a domain with Delegated Management privs with the help of Global Platform Pro:

gp keys --domain A000000004000001 --privs DelegatedManagement

Reuslt:

DOM: A000000004000001 (SELECTABLE) Privs: SecurityDomain, DelegatedManagement

4. I install the keys MAC, ENC and DEK (By Global Platform Pro):

gp --sdaid A000000004000001 -lock [key]

Domain became PERSONALIZED:

DOM: A000000004000001 (PERSONALIZED) Privs: SecurityDomain, DelegatedManagement

5. With the help of GPShell I try to put the public RSA key to the domain:

mode_211
enable_trace
enable_timer
establish_context
command time: 4 ms
card_connect
command time: 61 ms
select -AID A000000004000001
Command --> 00A4040008A000000004000001
Wrapped command --> 00A4040008A000000004000001
Response <-- 6F108408A000000004000001A5049F6501FF9000
command time: 59 ms
open_sc -scp 2 -security 3 -scpimpl 0x15 -keyver 0 -mac_key [key_mac] -enc_key [key_enc] -kek_key [key_kek]
Command --> 8050000008275D44D56FE9B1C300
Wrapped command --> 8050000008275D44D56FE9B1C300
Response <-- 000172850008B6DE043C01020000CA5C85B8CA6F97B71320C829ABD79000
Command --> 8482030010BA266EA9661D13493D3DC8FED7F45961
Wrapped command --> 8482030010BA266EA9661D13493D3DC8FED7F45961
Response <-- 9000
command time: 260 ms
put_dm_keys -keyver 0 -newkeyver 2 -file pub.pem -pass [The_key_is_8_characters_in_length] -key [The_key_is_64_characters_in_length]
Command --> 80D80001A002A1803BAC9523A55469AF1035251FBFF034BB324CE3720808430AE6D8C2473D548CA86A6E1C4BF94EEB899C67D6EAD11A995D77F914654473BB7E088CB930CE953893BA01372CE4D128D980AB5B5657764E26AB1F6B01B954CF77554DD191309F1BFBD356ABAC8ADE1BCD87B83C6FC868F6FFE08A9C6DE02A1FFA9285E184EFAE7ACE00A00301000100801085272E4D9EF376D285272E4D9EF376D2038CA64D00
Wrapped command --> 84D80001B0ACA2E440664B9437FF05EAC64B0119C732BCCE420A5D3AD8DD96CB3C6C23CA46BE0E4ACC85F76D06FC5AB6A98B85726729320253F53D4079A331A4A1EA66F0FE64B83F18FB544B9E81B2A72BA5CD653ABE3E4C5783231DA1ED4F726C0D2A34C2FD5A75532A6A21690E4C0292125617D68D140E93EB815700507B940265B2E7A4E871095B9B4AC70067348132BF4E3650CA23B0B0D130738F6C6248337344F36C753A3BA4ABD3B54A9C3AB047A0807F0800
Response <-- 6A86
put_delegated_management_keys() returns 0x80206A86 (6A86: Incorrect parameters (P1, P2).)

Gives out the error parameters P1, P2, but I can not understand what the problem is and what I'm doing wrong. It is possible that the length of the password or the key, or their appearance, does not. Is it possible to somehow load keys with the help of Global Platform Pro or is it possible only with the help of GPShell?

[grv333]

I understand that in the GlobalPlatformPro, the public RSA key must be loaded using the
"--put-key Put a new key "
parameter, but nowhere are there any examples of its use. What parameters should be specified in conjunction with "--put-key"? And in what form do you give the keys? In the form of an ordinary line or something special? There is very little normal instruction with a detailed description of all the commands and examples.
I generally have a feeling that in the current version the command simply does not work, because judging by the logs, nothing happens.
Debug output:
gp --put-key MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOeq7vhOGFkvofKuBtnIrg//ZoyG88uIfNG96KrKtW0/sbnzCR0U1Vd89UuQFrH6smTnZXVlurgNko0eQsNwG6kziVzjC5jAh+u3NEZRT5d12ZGtHq1mecietO+UscbmqojFQ9R8LY5gpDCAhy40wyuzTwvx8lNRCvaVSlI5WsOwIDAQAB --key-id 01 --sdaid A000000004000001 -d
GlobalPlatformPro v0.3.10rc8-0-gf1dcf34
Running on Linux 4.4.0-124-generic amd64, Java 1.8.0_151 by Oracle Corporation
Unlimited crypto policy is NOT installed!
# Detected readers from JNA2PCSC
[*] OMNIKEY CardMan 5321 (OKCM0021304100114184447278959568) 00 00
[ ] ACS ACR 38U-CCID - CP 01 00
SCardConnect("OMNIKEY CardMan 5321 (OKCM0021304100114184447278959568) 00 00", T=*) -> T=0, 3B6800000073C84011009000
SCardBeginTransaction("OMNIKEY CardMan 5321 (OKCM0021304100114184447278959568) 00 00")
[DEBUG] GlobalPlatform - (I)SD AID: A000000004000001
A>> T=0 (4+0008) 00A40400 08 A000000004000001 00
A<< (0018+2) (51ms) 6F108408A000000004000001A5049F6501FF 9000
[TRACE] GPData - [6F]
[TRACE] GPData - [84] A000000004000001
[TRACE] GPData - [A5]
[TRACE] GPData - [9F65] FF
[DEBUG] GlobalPlatform - Auto-detected block size: 255
SCardEndTransaction(OMNIKEY CardMan 5321 (OKCM0021304100114184447278959568) 00 00)
SCardDisconnect("OMNIKEY CardMan 5321 (OKCM0021304100114184447278959568) 00 00", true)

[martinpaljak]

Loading of RSA keys is not implemented in the released version, yet. But Having requests for it probably speeds up the release.

If it will actually work for your card, is a different question.

[grv333]

Thanks for the answer, Martin!
I apologize for blaming the program for being inoperable. I just thought that if the parameter already exists in the "gp -h" output, then it already works. Then I will try to solve this problem on my own. If I find a solution, I will unsubscribe here.

[martinpaljak]

There is code for this that is not published, but current availability of time does not permit working more on it before a week or even two.

[grv333]

It will be very cool if in the future Global Platform Pro will support this feature. Thanks again for the answer!)

[martinpaljak]

You can use the latest master and use --put-key pubkey.pem with the right --new-keyver to load the key. CLI interface due to change and docs coming later.

[martinpaljak]

I assume it works for RSA. Be sure to set the right key version number.

[grv333]

Good afternoon, Martin!

Thank you for adding the RSA key loading feature!
I decided to try it today and found that for some reason the parameter --new-keyver takes the version as a numeric value instead of a string.
From Global Platform Spec. RSA key:
RSA_KEY_ID = A1
and
KEY_VERSION = 70 (112 in dec)
(Fix me if I Wrong =) )

gp -key 404142434445464748494a4b4c4d4e4f -emv --put-key ./priv.pem --key-id A1  --new-keyver 112 -d 
GlobalPlatformPro 18.09.14-0-gb439b52
Running on Linux 4.15.0-42-generic amd64, Java 1.8.0_151 by Oracle Corporation
Unlimited crypto policy is NOT installed!
# Detected readers from JNA2PCSC
[*] OMNIKEY CardMan 5321 (OKCM0021304100114184447278959568) 00 00
SCardConnect("OMNIKEY CardMan 5321 (OKCM0021304100114184447278959568) 00 00", T=*) -> T=0, 3B6A00FF0031C173C84000009000
SCardBeginTransaction("OMNIKEY CardMan 5321 (OKCM0021304100114184447278959568) 00 00")
A>> T=0 (4+0000) 00A40400 00 
A<< (0018+2) (85ms) 6F108408A000000151000000A5049F6501FF 9000
[TRACE] GPData -      [6F]
[TRACE] GPData -          [84] A000000151000000
[TRACE] GPData -          [A5]
[TRACE] GPData -              [9F65] FF
[DEBUG] GlobalPlatform - Auto-detected ISD: A000000151000000
[TRACE] GlobalPlatform - Generated host challenge: B16E08E366A9D620
A>> T=0 (4+0008) 80500000 08 B16E08E366A9D620 00
A<< (0028+2) (160ms) 000072090096510184640102003203BD8F4AB63543BC200E390B4CA5 9000
[DEBUG] GlobalPlatform - Host challenge: B16E08E366A9D620
[DEBUG] GlobalPlatform - Card challenge: 003203BD8F4AB635
[DEBUG] GlobalPlatform - Card reports SCP02 with key version 1 (0x01)
[DEBUG] GlobalPlatform - Will do SCP02 (8)
[DEBUG] PlaintextKeys - Card keys: {MAC=type=RAW bytes=404142434445464748494A4B4C4D4E4F, ENC=type=RAW bytes=404142434445464748494A4B4C4D4E4F, DEK=type=RAW bytes=404142434445464748494A4B4C4D4E4F}
[TRACE] PlaintextKeys - Derived per-card keys: {MAC=type=RAW bytes=128D52B709BE5222754C2A60AF537464, ENC=type=RAW bytes=315F47C16C036632E45F08062DC26F72, DEK=type=RAW bytes=2ACB644C47CAA52644BFF013A5B7366A}
[TRACE] PlaintextKeys - Session keys: {MAC=type=DES3 bytes=78C5E17E5796EA96EB153A5740C47A73 kcv=3D682A, ENC=type=DES3 bytes=2FBBEA6CF19989D7C340B7D78A69E220 kcv=FF9E42, DEK=type=DES3 bytes=2AE0D9AE36DC742C5D38AB56A1BC5028 kcv=7D2F39}
[DEBUG] GlobalPlatform - Verified card cryptogram: 43BC200E390B4CA5
[DEBUG] GlobalPlatform - Calculated host cryptogram: 7A088B802ACDBDA6
A>> T=0 (4+0016) 84820100 10 7A088B802ACDBDA6734A4BA88F6A0C6D
A<< (0000+2) (111ms) 9000
SCardEndTransaction(OMNIKEY CardMan 5321 (OKCM0021304100114184447278959568) 00 00)
SCardDisconnect("OMNIKEY CardMan 5321 (OKCM0021304100114184447278959568) 00 00", true)
Exception in thread "main" java.lang.NumberFormatException: For input string: "[112]"
	at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
	at java.lang.Integer.parseInt(Integer.java:580)
	at java.lang.Integer.parseInt(Integer.java:615)
	at pro.javacard.gp.GPCommands.intValue(GPCommands.java:1037)
	at pro.javacard.gp.GPTool.main(GPTool.java:429)

Maybe I somehow enter the wrong version, although I tried it in the form of HEX (70 or 0x70) values and in the form of a prime number (112).

If i use HEX value 70 :

gp -key 404142434445464748494a4b4c4d4e4f -emv --put-key ./priv.pem --key-id A1  --new-keyver 70 -d 
GlobalPlatformPro 18.09.14-0-gb439b52
Running on Linux 4.15.0-42-generic amd64, Java 1.8.0_151 by Oracle Corporation
Unlimited crypto policy is NOT installed!
# Detected readers from JNA2PCSC
[*] OMNIKEY CardMan 5321 (OKCM0021304100114184447278959568) 00 00
SCardConnect("OMNIKEY CardMan 5321 (OKCM0021304100114184447278959568) 00 00", T=*) -> T=0, 3B6A00FF0031C173C84000009000
SCardBeginTransaction("OMNIKEY CardMan 5321 (OKCM0021304100114184447278959568) 00 00")
A>> T=0 (4+0000) 00A40400 00 
A<< (0018+2) (88ms) 6F108408A000000151000000A5049F6501FF 9000
[TRACE] GPData -      [6F]
[TRACE] GPData -          [84] A000000151000000
[TRACE] GPData -          [A5]
[TRACE] GPData -              [9F65] FF
[DEBUG] GlobalPlatform - Auto-detected ISD: A000000151000000
[TRACE] GlobalPlatform - Generated host challenge: F7E6BBE3D52EC2D4
A>> T=0 (4+0008) 80500000 08 F7E6BBE3D52EC2D4 00
A<< (0028+2) (160ms) 0000720900965101846401020033FEA404E5E91816C6E70F4AF46684 9000
[DEBUG] GlobalPlatform - Host challenge: F7E6BBE3D52EC2D4
[DEBUG] GlobalPlatform - Card challenge: 0033FEA404E5E918
[DEBUG] GlobalPlatform - Card reports SCP02 with key version 1 (0x01)
[DEBUG] GlobalPlatform - Will do SCP02 (8)
[DEBUG] PlaintextKeys - Card keys: {MAC=type=RAW bytes=404142434445464748494A4B4C4D4E4F, ENC=type=RAW bytes=404142434445464748494A4B4C4D4E4F, DEK=type=RAW bytes=404142434445464748494A4B4C4D4E4F}
[TRACE] PlaintextKeys - Derived per-card keys: {MAC=type=RAW bytes=128D52B709BE5222754C2A60AF537464, ENC=type=RAW bytes=315F47C16C036632E45F08062DC26F72, DEK=type=RAW bytes=2ACB644C47CAA52644BFF013A5B7366A}
[TRACE] PlaintextKeys - Session keys: {MAC=type=DES3 bytes=626934EEBF545B096DD67FA77ED637A3 kcv=794E01, ENC=type=DES3 bytes=51F2428C8AA05D693E51B8110A01C3F8 kcv=3BB6A2, DEK=type=DES3 bytes=5F356A6300197A27492F8B2FA7E8FDED kcv=EF7FAE}
[DEBUG] GlobalPlatform - Verified card cryptogram: 16C6E70F4AF46684
[DEBUG] GlobalPlatform - Calculated host cryptogram: 9F9D8757423DB05A
A>> T=0 (4+0016) 84820100 10 9F9D8757423DB05A68DABBDCB7003F6B
A<< (0000+2) (111ms) 9000
SCardEndTransaction(OMNIKEY CardMan 5321 (OKCM0021304100114184447278959568) 00 00)
SCardDisconnect("OMNIKEY CardMan 5321 (OKCM0021304100114184447278959568) 00 00", true)
Exception in thread "main" java.lang.NumberFormatException: For input string: "[70]"
	at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
	at java.lang.Integer.parseInt(Integer.java:580)
	at java.lang.Integer.parseInt(Integer.java:615)
	at pro.javacard.gp.GPCommands.intValue(GPCommands.java:1037)
	at pro.javacard.gp.GPTool.main(GPTool.java:429)

Maybe I use the parameters in the wrong sequence or do not specify something else?

[martinpaljak]

Thanks for the update. I'll update the CLI to accommodate your use case before Christmas.

[grv333]

Thanks for the reply, Martin!
I would be very happy for your help.