How to change applet's privilege and the card Historical Bytes?

问题

I already thought that changing Historical bytes is limited to Pre-Personalization step. But, I found a method named setATRHistBytes in the GlobalPlatform APIs today.

This is its description(GlobalPlatform 2.2 Page 172) :

setATRHistBytes

public static boolean setATRHistBytes(byte[] baBuffer, short sOffset, bytebLength)

For contact cards according to ISO/IEC 7816-4 and Type A contactless cards according to ISO/IEC 14443-3, this method sets the historical bytes. The sequence of bytes will be visible on a subsequent power-up or reset.

Notes:

• The OPEN locates the entry of the current applet context in the GlobalPlatform Registry and verifies that the Application has the Card Reset privilege for the current card I/O interface;

• The OPEN is responsible for synchronizing the length of historical bytes in Format Character T0 of the ATR.

Parameters:

baBuffer - the source byte array containing the historical bytes. Must be a global array.

sOffset - offset of the historical bytes within the source byte array.

bLength - the number of historical bytes.

Returns:

true if historical bytes set, false if the Application does not have the required privilege

Now I want to change the Historical Bytes of my card. So I wrote the below program and convert it to its cap file successfully :

... /imports

public class HistoricalBytesChanger extends Applet {
    public static byte[] state = { (byte) 0, (byte) 0 };
    public static byte[] HistByteArray = { (byte) 0x01, (byte) 0x02,
            (byte) 0x03, (byte) 0x04, (byte) 0x05, (byte) 0x06, (byte) 0x07,
            (byte) 0x08, (byte) 0x09, (byte) 0x0a };

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new HistoricalBytesChanger().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
    }

    public void process(APDU apdu) {
        if (selectingApplet()) {
            return;
        }

        byte[] buf = apdu.getBuffer();
        switch (buf[ISO7816.OFFSET_INS]) {
        case (byte) 0x00:
            GPSystem.setATRHistBytes(HistByteArray, (short) 0, (byte) 10);
            HistByteArray[0] = (byte) (HistByteArray[0] + 1);
            break;

        default:
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }

}

As you see above it is written in way that assign 0102030405060708090A to Historical Bytes on reception of any APDU command with INS=0X00.

The problem is I don't have any idea how to set Card Reset privilege to this applet. I know that I must specify the privilege in the installation step, but I don't know how! Normally I upload my applets using GlobalPlatformPro tool. In the parameters that it support I couldn't see any related parameter :

E:\GP> gp -h
Option                            Description
------                            -----------
-V, --version                     Show information about the program
-a, --apdu                        Send raw APDU (hex)
--all                             Work with multiple readers
--applet <AID>                    Applet AID
--cap <File>                      Use a CAP file as source
--create <AID>                    Create new instance of an applet
-d, --debug                       Show PC/SC and APDU trace
--default                         Indicate Default Selected privilege
--delete [AID]                    Delete something
--deletedeps                      Also delete dependencies
--dump <File>                     Dump APDU communication to <File>
--emv                             Use EMV diversification
--enc <GPKeySet$GPKey>            Specify ENC key
-h, --help                        Shows this help string
-i, --info                        Show information
--install [File]                  Install applet(s) from CAP
--instance <AID>                  Instance AID
--kek <GPKeySet$GPKey>            Specify KEK key
--key <GPKeySet$GPKey>            Specify master key
--keyid <Integer>                 Specify key ID
--keyver <Integer>                Specify key version
-l, --list                        List the contents of the card
--load <File>                     Load a CAP file
--lock <GPKeySet>                 Set new key
--lock-applet <AID>               Lock specified applet
--mac <GPKeySet$GPKey>            Specify MAC key
--make-default <AID>              Make AID the default
--mode <GlobalPlatform$APDUMode>  APDU mode to use (mac/enc/clr)
--new-keyver <Integer>            key version for the new key
--nofix                           Do not try to fix PCSC/Java/OS issues
--package <AID>                   Package AID
--params                          Installation parameters
-r, --reader                      Use specific reader
--reinstall                       Remove card content during installation
--relax                           Relaxed error checking
--replay <File>                   Replay APDU responses from <File>
-s, --secure-apdu                 Send raw APDU (hex) via SCP
--scp <Integer>                   Force the use of SCP0X
--sdaid <AID>                     ISD AID
--sdomain                         Indicate Security Domain privilege
--terminate                       Indicate Card Lock+Terminate privilege
--uninstall <File>                Uninstall applet/package
--unlock                          Set default key
--unlock-applet <AID>             Lock specified applet
-v, --verbose                     Be verbose about operations
--virgin                          Card has virgin keys
--visa2                           Use VISA2 diversification

E:\GP>

Note that I installed the applet normally, but while it return 0x9000 in reception of that command, it can't change Historical Bytes and I need to set the Card Reset privilege to my applet :

OpenSC: osc -a
Using reader with a card: ACS CCID USB Reader 0
3b:68:00:00:00:73:c8:40:12:00:90:00

OpenSC: osc -s 00A4040006010203040101 -s 00000000
Using reader with a card: ACS CCID USB Reader 0
Sending: 00 A4 04 00 06 01 02 03 04 01 01
Received (SW1=0x90, SW2=0x00)
Sending: 00 00 00 00
Received (SW1=0x90, SW2=0x00)

OpenSC: osc -a
Using reader with a card: ACS CCID USB Reader 0
3b:68:00:00:00:73:c8:40:12:00:90:00

OpenSC:

Questions:

1- How can I change/set the privilege of my applet?

2- Why the card return 0x9000 on reception of 0x00 0x00 x00 0x00? (I expect it to return an exception, because it is mentioned in description of setATRHistBytes that this method returns false in cases that applet privilege is not Card Reset)

回答1:

The reset privilege was known before as the default selected privilege. This means you can just use the --default switch for your card - the same bit it flipped in the INSTALL for INSTALL privilege bytes if you do that.

Sometimes a card expects a cold reset (i.e. removing the card from the field or terminal) before the change in ATR bytes is communicated. This can also be a reader problem - not all readers perform a reset when reconnected, or they may cache the ATR bytes.

回答2:

To set card reset privilege to an applet you need to set bit3 of first privilege byte in Install and make selectable command of the applet. If the applet is only being installed and not made selectable with the same INSTALL command the Card Reset privilege cannot be set

Actually if the card is GP201/GP211 compliance then we refer Card Reset privilege as Default Selected privilege.

If Default Selected privilege is set in GP201/GP211 compliance card then it provides two functionalities to the applet as:

1. The applet can modify the historical bytes
2. The applet will be default selected applet on basic logical channel after cold reset.

If Card Reset privilege is set in GP22 or above version of compliance card then it provides following functionalities to the applet as:

1. The applet can modify the historical bytes
2. The applet can be implicit selectability on basic logical channel if it has not been awarded to another Application by setting implicit selectable parameters to tat applet.

来源：https://stackoverflow.com/questions/29457642/how-to-change-applets-privilege-and-the-card-historical-bytes