无法通过GPShell将RSA公钥放在智能卡上

时间:2018-05-15 06:43:06

标签: key smartcard javacard globalplatform dm

当我尝试使用GPShell实用程序将公共RSA密钥放在具有智能卡的代理管理(DM)权限的补充安全域(SSD)上时,我遇到了问题。 我做了什么:

1)我使用选项生成私钥:

openssl genrsa -out ./pr.pem -des -passout pass:12345678 1024

2)基于它,我生成一个公钥:

openssl rsa -in ./pr.pem -pubout -out pub.pem

3)我在智能卡上创建了一个具有Delegated Management privs的域,在Global Platform Pro的帮助下:

gp keys --domain A000000004000001 --privs DelegatedManagement

Reuslt:

DOM: A000000004000001 (SELECTABLE)
 Privs:   SecurityDomain, DelegatedManagement

4)我安装了MAC,ENC和DEK键(由Global Platform Pro提供):

gp --sdaid A000000004000001 -lock [key]

域名变为个性化:

DOM: A000000004000001 (PERSONALIZED)
 Privs:   SecurityDomain, DelegatedManagement

5)在GPShell的帮助下,我尝试将公共RSA密钥放到域中:

mode_211
enable_trace
enable_timer
establish_context
command time: 4 ms
card_connect
command time: 61 ms
select -AID A000000004000001
Command --> 00A4040008A000000004000001
Wrapped command --> 00A4040008A000000004000001
Response <-- 6F108408A000000004000001A5049F6501FF9000
command time: 59 ms
open_sc -scp 2 -security 3 -scpimpl 0x15 -keyver 0 -mac_key [key_mac] -enc_key [key_enc] -kek_key [key_kek]
Command --> 8050000008275D44D56FE9B1C300
Wrapped command --> 8050000008275D44D56FE9B1C300
Response <-- 000172850008B6DE043C01020000CA5C85B8CA6F97B71320C829ABD79000
Command --> 8482030010BA266EA9661D13493D3DC8FED7F45961
Wrapped command --> 8482030010BA266EA9661D13493D3DC8FED7F45961
Response <-- 9000
command time: 260 ms
put_dm_keys -keyver 0 -newkeyver 2 -file pub.pem -pass [The_key_is_8_characters_in_length] -key [The_key_is_64_characters_in_length]
Command -->  80D80001A002A1803BAC9523A55469AF1035251FBFF034BB324CE3720808430AE6D8C2473D548CA86A6E1C4BF94EEB899C67D6EAD11A995D77F914654473BB7E088CB930CE953893BA01372CE4D128D980AB5B5657764E26AB1F6B01B954CF77554DD191309F1BFBD356ABAC8ADE1BCD87B83C6FC868F6FFE08A9C6DE02A1FFA9285E184EFAE7ACE00A00301000100801085272E4D9EF376D285272E4D9EF376D2038CA64D00
Wrapped command --> 84D80001B0ACA2E440664B9437FF05EAC64B0119C732BCCE420A5D3AD8DD96CB3C6C23CA46BE0E4ACC85F76D06FC5AB6A98B85726729320253F53D4079A331A4A1EA66F0FE64B83F18FB544B9E81B2A72BA5CD653ABE3E4C5783231DA1ED4F726C0D2A34C2FD5A75532A6A21690E4C0292125617D68D140E93EB815700507B940265B2E7A4E871095B9B4AC70067348132BF4E3650CA23B0B0D130738F6C6248337344F36C753A3BA4ABD3B54A9C3AB047A0807F0800
Response <-- 6A86
put_delegated_management_keys() returns 0x80206A86 (6A86: Incorrect     parameters (P1, P2).)

给出错误参数P1,P2,但我无法理解问题是什么以及我做错了什么。密码或密钥的长度或其外观可能不会。 是否可以在Global Platform Pro的帮助下以某种方式加载密钥,或者仅在GPShell的帮助下才可以加载密钥?

更新:

由于使用第三方程序并没有真正帮助我,我决定尝试手动编写APDU命令,但在全局平台11.8.2规范的DATE参数中感到困惑。密钥传输有两种格式,但我无法理解使用哪种格式以及传递RSA密钥的形式。 Chapter 11.8.2 Global Platform Spec 2.2.1 下面是我的行动算法,遗憾的是,这并没有带来积极的结果: 我设置:

CLA: 80
INS: D8
P1: 00 - because key not exist (I think)
P2: 01 - key identifier 
LC: Total data length 
DATA: Format 1 or Format 2 ??? (11.8.2.3 Data Field Sent in the Command Message)

但我不明白我应该为关键数据字段选择哪种格式。

我尝试格式1:

Key type: A0 (RSA Public Key - public exponent e component (clear text) from paragraph 11.1.8 Key Type Coding)
Length of key or key component data: Key Length

密钥或密钥组件数据值:如果我加载由openssl Unix工具生成的RSA公钥,我需要将生成的密钥转换为HEX格式。 例如,我生成公共RSA密钥:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOeq7vhOGFkvofKuBtnIrg//Zo
yG88uIfNG96KrKtW0/sbnzCR0U1Vd89UuQFrH6smTnZXVlurgNko0eQsNwG6kziV
zjC5jAh+u3NEZRT5d12ZGtHq1mecietO+UscbmqojFQ9R8LY5gpDCAhy40wyuzTw
vx8lNRCvaVSlI5WsOwIDAQAB

以十六进制格式翻译:

4d4947664d413047435371475349623344514542415155414134474e4144434269514b426751444f65713776684f47466b766f664b7542746e4972672f2f5a6f794738387549664e4739364b724b7457302f73626e7a43523055315664383955755146724836736d546e5a58566c7572674e6b6f306551734e7747366b7a69567a6a43356a41682b75334e455a5254356431325a47744871316d65636965744f2b557363626d716f6a46513952384c59356770444341687934307779757a54777678386c4e5243766156536c493557734f77494441514142

Length of key check value:  00 (I don't set check value because it is not mandatory, but i think I must calculate it...)
Key check value: -

总数据关键部分:

A0 D7 4d4947664d413047435371475349623344514542415155414134474e4144434269514b426751444f65713776684f47466b766f664b7542746e4972672f2f5a6f794738387549664e4739364b4b7457302f73626e7a43523055315664383955755146724836736d546e5a58566c7572674e6b6f306551734e7747366b7a69567a6a43356a41682b75334e455a5254356431325a47744871316d65636965744f2b557363626d716f6a46513952384c59356770444341687934307779757a54777678386c4e5243766156536c493557734f77494441514142
00

结果,我收到了以下形式的APDU命令:

80D80001DAAOD74d4947664d413047435371475349623344514542415155414134474e4144434269514b426751444f65713776684f47466b766f664b7542746e4972672f2f5a6f794738387549664e4739364b4b7457302f73626e7a43523055315664383955755146724836736d546e5a58566c7572674e6b6f306551734e7747366b7a69567a6a43356a41682b75334e455a5254356431325a47744871316d65636965744f2b557363626d716f6a46513952384c59356770444341687934307779757a54777678386c4e5243766156536c493557734f7749444151414200

但作为回报我收到错误“6A80 - 数据字段中的参数不正确。”

请告诉我哪里可能出错或使用了不合适的格式。

0 个答案:

没有答案