Delete APDU command with SSD AID in its data field, returns 6985

左心房为你撑大大i 提交于 2021-02-18 12:11:54

问题


I have a Javacard which contains a SSD (Supplementary Security Domain) and I want to delete it. Normally when I want to delete an applet or a package from my card, I send the following DELETE APDU command after a successful Mutual Authentication process (No MAC or data field encryption is required and Security Level == 0 is enough for DELETE APDU command):

--> 80 E4 00 00 LC 4F <AID Len> <AID>
<-- 90 00

The command above works fine for normal applets. But when I put the AID of my SSD in it, then the card responds with 69 85 status words, which means "Conditions of use not satisfied.".

Since Delegated Management feature is enabled in my card and a Public Token key and a Receipt key are loaded in the ISD, I thought maybe the mentioned error is due to not using the Delete Token in the DELETE APDU command. So I calculated the Delete Token as below:

Global Platform Card Specification 2.2.0.7 : Figure C-8: Delete Token Calculation

DeleteToken = RSA_Sign("00 00 LC 4F <SSD AID Len> <SSD AID>", TokenPrivateKey)

And then I tried to delete the SSD using the follwing command:

--> 80 E4 00 00 <LC+Len(DeleteToken)> 4F <SSD AID Len> <SSD AID> 9E <Len(DeleteToken> <DeleteToken>
<-- 69 85

But I got the 6985 status words again. Does anyone have any idea where the problem is and how I can solve it?

Update:

I even tried the DELETE APDU command with P2 = 0x80 to delete the SSD with all the related objects. But it failed too:

-->  80 E4 00 80 09 4F <SSD AID Len> <SSD AID>
<--  6A 86 (= Incorrect P1 or P2 parameter)

Update2:

I even tried to send the DELETE APDU command in a secure channel (SecLevel = 03). But again, I received 6985 status words. Which hash algorithm am I need to use to generate the Delete Token? As far as I know, The GP Specification doesn't specify the hash algorithm.

Update3:

The mentioned SSD is instanciated from the card's ISD package with 0E privilege, which means:

Security Domain + Delegated Management + DAP verification

Update4:

I think I found the issue!

Quouted from 2.1.1_Mapping_guidelines_v1.0.1-Final.pdf:

6.1. DELETE

6.1.2. Recommendation

Data Field Sent in the Command Message

(blah blah)

On an implementation supporting Supplementary Security Domains, if an attempt is being made to delete an instance of a Supplementary Security Domain and the Supplementary Security Domain has the DAP Verification privilege (bit 7 of the privileges byte set), the Security Domain is not deleted and a response of '6985' is returned.

Question1: Any idea why it is implemented/recommended like this? What is the purpose of making this type of SSD (SSD with DAP Verification privilege) non-removable?

Update5:

I've tried to change the priveleges of my SSD to remove DAP Verification privelege from it using INSTALL For REGISTRY UPDATE and then delete the SSD. But it failed with 6A 80 status words (Which means "The parameters in the data field are incorrect").

-->  00 A4 04 00 08 A0 00 00 00 03 00 00 00
<--  6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 01 FF 90 00

-->  80 50 00 00 08 DF 4B 4B B7 15 35 5A 93
<--  00 00 41 89 00 24 94 97 41 21 01 02 00 77 5C 2B 50 27 5A F4 8A 18 C0 8B 2D C2 20 50 90 00

-->  84 82 00 00 10 30 AD 04 C4 60 A2 80 8B 5A 61 7E 49 3A 39 B6 C6
<--  90 00

-->  80 E6 40 00 16 08 A0 00 00 00 03 00 00 00 00 07 <SSD AID> 01 80 00 00
<--  6A 80

Question2: What's wrong with the INSTALL For Registry Update command?


回答1:


The delegated management token when using RSA should use SHA-1 as hashing mechanism with the PKCS#1 scheme. I have some untested signing code and for assembling the token data. Maybe this is helpful as a start.

Regarding Question2:

I have not done this before, but you are passing the SSD AID and as application AID again the . The application AID is only needed if you want to modify privileges of an application, e.g. the default selected privilege.

Instead:

80 E6 40 00 16 08 A0 00 00 00 03 00 00 00 00 07 <SSD AID> 01 80 00 00

I would give this one a try:

80 E6 40 00 16 <Length SSD AID> <SSD AID> 00 01 80 00 00


来源:https://stackoverflow.com/questions/64848060/delete-apdu-command-with-ssd-aid-in-its-data-field-returns-6985

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!