为什么 Javacard 阻止在单个 javacard 程序的 AID .cap 文件中上传不同的文件?

Why Javacard prevent uploading different in AID .cap files of a single javacard program?

这是一个简单的 javacard 程序(它什么都不做!):

package testAID;

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISOException;

public class TestAID extends Applet {

    private TestAID() {
    }

    public static void install(byte bArray[], short bOffset, byte bLength)
            throws ISOException {
        new TestAID().register();
    }

    public void process(APDU arg0) throws ISOException {
        // TODO Auto-generated method stub
    }

}

我把它转换成三个不同AID的.cap文件如下:

  1. 文件 A:PkgAID=0000000000 & AppAID=000000000011
  2. 文件 B:PkgAID=0000000000 & AppAID=000000000022
  3. 文件 C:PkgAID=000000000011 & AppAID=00000000001111

正如您在上面看到的,文件 A文件 B 仅在 AppAID 中不同. PkgAID of File C 等于 AppAID of File A[=131] =].

现在我想将此文件上传到我的 NXP JCOP v2.4.2 r3 智能卡上。先来看看内容:

GP: gp -list
AID: A000000151000000 (|....Q...|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
 CVM (PIN) management

AID: A0000001515350 (|....QSP|)
     ExM LOADED: (none)
     A000000151535041 (|....QSPA|)  

GP: 

OK,只有标清

第 1 步:安装 文件 A :

GP: gp -install e:\TestAID\FileA.cap

GP: gp -list
AID: A000000151000000 (|....Q...|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
 CVM (PIN) management

AID: 000000000011 (|......|)
     App SELECTABLE: (none)

AID: A0000001515350 (|....QSP|)
     ExM LOADED: (none)
     A000000151535041 (|....QSPA|)

AID: 0000000000 (|.....|)
     ExM LOADED: (none)
     000000000011 (|......|)

成功完成。

步骤 2:安装 文件 B

GP: gp -install e:\TestAID\FileB.cap
openkms.gp.GPException: STRICT WARNING: Package with AID 0000000000 is already p
resent on card
        at openkms.gp.GlobalPlatform.printStrictWarning(GlobalPlatform.java:159)

        at openkms.gp.GlobalPlatform.loadCapFile(GlobalPlatform.java:572)
        at openkms.gp.GlobalPlatform.loadCapFile(GlobalPlatform.java:565)
        at openkms.gp.GPTool.main(GPTool.java:330)

GP: gp -list
AID: A000000151000000 (|....Q...|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
 CVM (PIN) management

AID: 000000000011 (|......|)
     App SELECTABLE: (none)

AID: A0000001515350 (|....QSP|)
     ExM LOADED: (none)
     A000000151535041 (|....QSPA|)

AID: 0000000000 (|.....|)
     ExM LOADED: (none)
     000000000011 (|......|)

安装失败。 gp -list 命令 returns 与之前相同的结果。

步骤 3:安装 文件 C:

GP: gp -install e:\TestAID\FileC.cap
openkms.gp.GPException: STRICT WARNING: Package with AID 000000000011 is already
 present on card
        at openkms.gp.GlobalPlatform.printStrictWarning(GlobalPlatform.java:159)

        at openkms.gp.GlobalPlatform.loadCapFile(GlobalPlatform.java:572)
        at openkms.gp.GlobalPlatform.loadCapFile(GlobalPlatform.java:565)
        at openkms.gp.GPTool.main(GPTool.java:330)

GP: gp -list
AID: A000000151000000 (|....Q...|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
 CVM (PIN) management

AID: 000000000011 (|......|)
     App SELECTABLE: (none)

AID: A0000001515350 (|....QSP|)
     ExM LOADED: (none)
     A000000151535041 (|....QSPA|)

AID: 0000000000 (|.....|)
     ExM LOADED: (none)
     000000000011 (|......|)

再次安装失败,gp -list 命令 returns 与之前的结果相同。

问题:

1-第一个错误的来源是什么?分两步上传两个 AID 不同且 PkgAID 相同的 .cap 文件是否违法?

2-第二个错误的来源是什么? returns

Package with AID 000000000011 is already present on card

但是没有!是applet AID,不是Package AID。

3-gp 是否阻止安装此小程序或错误的来源是 JCRE?


因为我认为是 GP 工具限制了我的安装,所以我也尝试了 JCManager。结果不一样!

首先我删除了除SD之外的所有内容:

GP: gp -list
AID: A000000151000000 (|....Q...|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
 CVM (PIN) management

AID: A0000001515350 (|....QSP|)
     ExM LOADED: (none)
     A000000151535041 (|....QSPA|)

GP:

我使用 JCManager 重复相同的步骤:

步骤 1:安装 文件 A:

....[Authenitication Procedure]...

Authenticated
************
UplaodCAP
*************
Get AID from header.cap file
FOR LOAD DATA: EF 04 C6 02 F4
AID:00 00 00 00 00
Applet AID:00 00 00 00 00 11
Try to delete if existing...
-> 84 E4 00 00 18 6D C3 FF 8F 54 97 BD 96 CC 57 91 5E 9F 2A 67 B9 8E 98 BA 6B 99 27 27 FB
<- 6A 88
-> 84 E4 00 00 10 43 CC 7D DB 96 C3 29 FD 31 A1 96 7E DE D8 4F 29
<- 6A 88
Loading cap file. Please wait...
Install for Load
-> 84 E6 02 00 18 52 4F 5C 69 37 7A 85 E4 57 D8 86 C8 EC 44 28 51 06 38 6C 14 BA 52 1B 1B
<- 00 90 00
Load CAP
-> 84 E8 00 00 D8 9A 2C 89 B4 2D F8 81 15 A9 CD 27 A0 61 9B ED 5A 4C B5 77 F6 EF 3C 54 9F ED BB E0 BC 9E 2D 41 A8 7E DA DA 64 7F 72 97 BF D6 55 3B E0 7C 50 86 90 42 BC 16 06 B3 5C 89 26 BF 3E 79 75 F8 A4 2D 5E 60 39 D2 B3 9C 69 C8 E7 06 02 AA 24 09 70 F6 52 7A 9E 1E F9 A7 2E 3E AD AF A0 41 EE 39 92 0D 7A 4B AA CC 2F 69 E7 2A A5 85 45 A1 80 DA 35 C7 5B A6 D5 CC 22 B5 32 D7 D2 91 1E C6 ED 9C 67 D9 33 18 B9 DA 00 06 DE 89 DC 24 A6 6D 32 9A BC 93 E4 4D 4A 73 E5 2E D0 A5 4B EF 22 21 C3 B5 61 47 7A FC 8A 55 E0 70 39 C9 8D AD D1 A7 E1 B3 7F 7E F3 E6 3A 13 EC 7B 3B 20 85 7C 3D B1 A1 4B FA EE B9 02 7D 94 BE 7C 3D 88 E1 9A 4A 32 55 23 6E 83 2B 2E 9C A8 1E A5 6B E6 C1
<- 00 90 00
-> 84 E8 80 01 38 BE 83 33 E7 A7 7E 99 59 B7 C9 A2 05 2E A3 35 0E 92 A4 47 CB C4 C5 73 F0 AD A1 1B 23 04 EC EE D1 A6 83 B4 B5 85 91 C4 C5 9C 3F 3A D9 A8 8B 0F 32 F2 1C 48 A7 FC C0 4E 28
<- 00 90 00
-> 84 E6 0C 00 28 0B 9A 13 70 1F 55 53 72 F9 B0 C4 20 62 B3 43 6D 11 C2 7D 68 8B 68 54 51 BC 0D 31 CB 13 42 CC DD D4 02 02 D2 7A 46 56 7A
<- 00 90 00
Applet loaded & registered

结果:

GP: gp -list
AID: A000000151000000 (|....Q...|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
 CVM (PIN) management

AID: 000000000011 (|......|)
     App SELECTABLE: (none)

AID: A0000001515350 (|....QSP|)
     ExM LOADED: (none)
     A000000151535041 (|....QSPA|)

AID: 0000000000 (|.....|)
     ExM LOADED: (none)
     000000000011 (|......|)

GP:

正如你在上面看到的,它像 GP

一样成功完成

步骤 2:安装 文件 B

....[Authenitication Procedure]...
Authenticated
************
UplaodCAP
*************
Get AID from header.cap file
FOR LOAD DATA: EF 04 C6 02 F4
AID:00 00 00 00 00
Applet AID:00 00 00 00 00 22
Try to delete if existing...
-> 84 E4 00 00 18 29 1D 33 74 43 25 B0 AE 43 BE C4 9F 57 6A 43 3F 12 9B 23 09 F2 61 D1 95
<- 6A 88
-> 84 E4 00 00 10 6F 88 E7 64 AB 0F 04 0E EA F6 D4 80 C0 40 9D 00
<- 69 85
Loading cap file. Please wait...
Install for Load
-> 84 E6 02 00 18 1C CF 09 73 5D 1F FC 06 8F 3A DA 4D 3F 9E 1E 64 72 14 56 1D 25 44 A3 10
<- 69 85
Load CAP
-> 84 E8 00 00 D8 7A 2B 5B 1B 05 C3 D4 E3 DF 4D 1A DE 47 DD FA F9 3A A4 91 28 9F 3D 8D A4 D1 89 87 24 95 65 5A 60 C4 CD ED 41 81 99 D3 71 20 C5 CC 65 7E DB 79 21 FB 56 0D 93 2B 4F 12 28 A3 26 D0 88 16 14 26 96 AA CE C3 97 0A FE 1E 81 8C 84 AE 56 9E 68 01 26 78 AE 8E 88 99 11 67 C0 E7 CA A2 44 72 7A 77 1F 08 7C 74 07 45 5B 38 E4 9B 45 58 6F 61 7A 79 BC AD 58 71 4F D6 D6 0E 15 B8 16 CA 7F 37 5F B0 5C A4 AB 1F 0D 3C 25 81 E4 E0 21 6F B7 E5 AA 17 97 C3 4E 2A 82 87 DB A8 5E 84 C7 70 20 FF C9 CB 21 BA 36 73 15 3F 48 50 D7 C4 16 A4 BA A1 D6 7A 67 3A 9A 15 8C 63 7A 3A 22 97 D4 71 05 3B 3C 2D 3D 60 61 48 1F 3F 40 0C 04 4A 25 E7 FB 2F E6 CB 6E 0E 2A 5E 9A D0 64 7E 98
<- 69 85
-> 84 E6 0C 00 28 D7 ED 13 DB 14 E1 7B 46 1E 25 77 27 BB 12 D5 B5 3A 2D 53 C3 7C 81 9D 50 6F 96 45 DD 12 B8 FB 8B 48 1C 39 5F 53 4B 1E 88
<- 6A 88
Could not load applet. See debug for more info

结果:

GP: gp -list
AID: A000000151000000 (|....Q...|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
 CVM (PIN) management

AID: 000000000011 (|......|)
     App SELECTABLE: (none)

AID: A0000001515350 (|....QSP|)
     ExM LOADED: (none)
     A000000151535041 (|....QSPA|)

AID: 0000000000 (|.....|)
     ExM LOADED: (none)
     000000000011 (|......|)

GP:

也和GP的第2步一样。

但是看看第 3 步:

步骤 3:安装 文件 C:

Authenticated
************
UplaodCAP
*************
Get AID from header.cap file
FOR LOAD DATA: EF 04 C6 02 F6
AID:00 00 00 00 00 11
Applet AID:00 00 00 00 00 11 11
Try to delete if existing...
-> 84 E4 00 00 18 21 3A 7F DF 3A D3 00 31 B9 42 AD 6C 9A D0 0E EF D7 7F CD 16 54 E2 B8 9E
<- 6A 88
-> 84 E4 00 00 18 F6 B6 22 BB 64 BE B7 1D CF 71 E2 15 6E 18 E3 A7 20 51 B1 6A 29 1E BF 6C
<- 00 90 00
Loading cap file. Please wait...
Install for Load
-> 84 E6 02 00 18 C0 68 EE 33 BE E0 34 72 2C 8A 36 51 44 39 A1 A7 AC DF E2 11 BE B6 D4 3F
<- 69 85
Load CAP
-> 84 E8 00 00 D8 5B 5F 71 2E C2 B6 9A 11 90 33 F8 58 8D 5E 88 02 98 55 55 F0 B2 42 74 BA 40 ED 61 31 35 33 1D 5A 07 37 F5 D0 AF 5C A8 45 39 EE 4B B6 FF 32 D8 68 EC 81 24 6B 91 CE 12 34 0F FF B3 B0 C2 F3 E8 24 5B 2C 3D B4 91 8F 3F 06 15 DF C8 F3 4D 04 FD 09 D4 EA 67 4C 0C E7 70 11 24 28 0F 74 46 C8 A4 85 8F 5A 36 8E 03 26 FC 60 7C AE 28 2F 28 4F 9F 58 C1 59 29 A8 CF 9D 9F B8 AA 75 9D B2 B6 65 C1 63 1E 31 80 F8 38 1B FF 82 6D B9 78 44 B9 C7 35 67 03 6D 08 67 D4 B3 B5 48 3E 6C AD 41 C0 07 E6 54 CD DF 93 BC 1E 76 52 E1 4B 60 14 55 81 63 FD CA E4 6D 4F 5E ED 02 FA 67 0E 78 F0 57 B9 51 78 8D 1B BD 7D 8D DC EF 9C E0 93 F2 77 9F 80 0D 1E FD 4F 84 72 36 8D 76 2A B1
<- 69 85
-> 84 E6 0C 00 28 4B 38 10 41 D2 77 D3 B5 25 BD EB BD 55 A9 F0 1D 18 CD 76 CD 68 19 FC E2 52 3B 5B 38 11 1D 71 6F DF 53 7C 26 24 CF 48 08
<- 6A 88
Could not load applet. See debug for more info

结果:

GP: gp -list
AID: A000000151000000 (|....Q...|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
 CVM (PIN) management

AID: A0000001515350 (|....QSP|)
     ExM LOADED: (none)
     A000000151535041 (|....QSPA|)

AID: 0000000000 (|.....|)
     ExM LOADED: (none)
     000000000011 (|......|)

GP:

你看到了吗? JCManager删除了一个已安装的小程序,但无法上传文件C!

在这种情况下,我尝试用 GP 安装 File C,但我收到一个新错误,不是重复的 PkgAID 或 ...:[=​​33=]

GP: gp -install e:\TestAID\FileC.cap
openkms.gp.GPException: Install for Load failed SW: 6985
        at openkms.gp.GlobalPlatform.check(GlobalPlatform.java:924)
        at openkms.gp.GlobalPlatform.loadCapFile(GlobalPlatform.java:600)
        at openkms.gp.GlobalPlatform.loadCapFile(GlobalPlatform.java:565)
        at openkms.gp.GPTool.main(GPTool.java:330)

GP:

任何人都可以阐明这个问题吗?

JCManager returns 在出现错误时状态字的含义是什么?

再说一次,我问了不止一个问题post,但我觉得这些问题是环环相扣的,我不能把它们分解成三四个post !

1-第一个错误的来源是什么?分两步上传两个AID不同但PkgAID相同的.cap文件是否违法?

是的。你已经上传了那个包。因此,禁止再次上传相同的包。在这里,您有两个选择:

  1. 直接实例化AppAID=000000000022
  2. 删除软件包,然后重新安装(假设您要安装更新的软件包)

2-第二个错误的来源是什么? returns 卡上已经存在带有 AID 000000000011 的包。但是没有!是applet AID,不是Package AID。

引自 JavaCard222VMspec.pdf 第 4.2 节。并以粗体突出显示答案

Each applet installed on a Java Card technology enabled device must also have a unique AID. This AID is constructed similarly to a package AID. It is a concatenation of the applet provider’s RID and PIX for that applet. An applet AID must not have the same value as the AID of any package or the AID of any other applet. The RID of each applet in a package must be the same as the RID of the package.

3-gp 是否阻止安装此小程序或错误的来源是 JCRE?

这不是错误。相反,必须以这种方式实现 JCRE。请参阅 JavaCard222JCREspec.pdf 部分 11.1.5 安装程序行为。引用自:

The Java Card RE shall guarantee that an applet will not be deemed successfully installed in the following cases:

  • The applet package as identified by the package AID is already resident on the card.
  • The applet package contains an applet with the same Java Card platform name as that of another applet already resident on the card. The Java Card platform name of an applet identified by the AID item is described in Section 6.5 of the Virtual Machine Specification, Java Card Platform, Version 2.2.2.
  • ...etc

根据全球平台规范,有两个阶段:卡片内容加载和卡片内容安装。

正在加载 - 此阶段处理包。本阶段检查新加载包的AID:

On receipt of a load request (data contained in the INSTALL [for load] command), the OPEN shall:

  • Check that the AID of the Load File is not already present in the GlobalPlatform Registry as an Executable Load File or Application

  • ...

安装 - 此阶段处理小程序实例(这是调用小程序的 install() 方法的时刻)。在此阶段检查您的小程序实例的 AID:

On receipt of the install request (data contained within the INSTALL [for install] command), the OPEN shall:

  • Check that the Executable Module AID is present in the GlobalPlatform Registry,

  • Check that the Instance AID (for future selection of the Application) is not already present in the GlobalPlatform Registry as an Application or Executable Load File,

  • ...

我认为您的 gp -install 命令试图一步完成两个阶段。这就是为什么在安装文件 B 时出现错误 "Package with AID 0000000000 is already present on card",您的工具在尝试加载已经存在的包时在加载阶段失败的原因。

安装文件 C 时,由于文件 A 程序包 AID 和文件 C 小程序实例 AID 的冲突而出错。

我不知道你的 JCManager 工具,但它显然会尝试在再次加载小程序和程序包之前删除它们。状态字6A88的意思是"referenced data not found"(包不存在),状态字6985的意思是"conditions not satisfied"(有一个包依赖于你要删除的包,你必须先删除依赖包。)。这就是 JCManager 的行为不同的原因。