当我尝试使用GPShell实用程序将公共RSA密钥放在具有智能卡的代理管理(DM)权限的补充安全域(SSD)上时,我遇到了问题。 我做了什么:
1)我使用选项生成私钥:
openssl genrsa -out ./pr.pem -des -passout pass:12345678 1024
2)基于它,我生成一个公钥:
openssl rsa -in ./pr.pem -pubout -out pub.pem
3)我在智能卡上创建了一个具有Delegated Management privs的域,在Global Platform Pro的帮助下:
gp keys --domain A000000004000001 --privs DelegatedManagement
Reuslt:
DOM: A000000004000001 (SELECTABLE)
Privs: SecurityDomain, DelegatedManagement
4)我安装了MAC,ENC和DEK键(由Global Platform Pro提供):
gp --sdaid A000000004000001 -lock [key]
域名变为个性化:
DOM: A000000004000001 (PERSONALIZED)
Privs: SecurityDomain, DelegatedManagement
5)在GPShell的帮助下,我尝试将公共RSA密钥放到域中:
mode_211
enable_trace
enable_timer
establish_context
command time: 4 ms
card_connect
command time: 61 ms
select -AID A000000004000001
Command --> 00A4040008A000000004000001
Wrapped command --> 00A4040008A000000004000001
Response <-- 6F108408A000000004000001A5049F6501FF9000
command time: 59 ms
open_sc -scp 2 -security 3 -scpimpl 0x15 -keyver 0 -mac_key [key_mac] -enc_key [key_enc] -kek_key [key_kek]
Command --> 8050000008275D44D56FE9B1C300
Wrapped command --> 8050000008275D44D56FE9B1C300
Response <-- 000172850008B6DE043C01020000CA5C85B8CA6F97B71320C829ABD79000
Command --> 8482030010BA266EA9661D13493D3DC8FED7F45961
Wrapped command --> 8482030010BA266EA9661D13493D3DC8FED7F45961
Response <-- 9000
command time: 260 ms
put_dm_keys -keyver 0 -newkeyver 2 -file pub.pem -pass [The_key_is_8_characters_in_length] -key [The_key_is_64_characters_in_length]
Command --> 80D80001A002A1803BAC9523A55469AF1035251FBFF034BB324CE3720808430AE6D8C2473D548CA86A6E1C4BF94EEB899C67D6EAD11A995D77F914654473BB7E088CB930CE953893BA01372CE4D128D980AB5B5657764E26AB1F6B01B954CF77554DD191309F1BFBD356ABAC8ADE1BCD87B83C6FC868F6FFE08A9C6DE02A1FFA9285E184EFAE7ACE00A00301000100801085272E4D9EF376D285272E4D9EF376D2038CA64D00
Wrapped command --> 84D80001B0ACA2E440664B9437FF05EAC64B0119C732BCCE420A5D3AD8DD96CB3C6C23CA46BE0E4ACC85F76D06FC5AB6A98B85726729320253F53D4079A331A4A1EA66F0FE64B83F18FB544B9E81B2A72BA5CD653ABE3E4C5783231DA1ED4F726C0D2A34C2FD5A75532A6A21690E4C0292125617D68D140E93EB815700507B940265B2E7A4E871095B9B4AC70067348132BF4E3650CA23B0B0D130738F6C6248337344F36C753A3BA4ABD3B54A9C3AB047A0807F0800
Response <-- 6A86
put_delegated_management_keys() returns 0x80206A86 (6A86: Incorrect parameters (P1, P2).)
给出错误参数P1,P2,但我无法理解问题是什么以及我做错了什么。密码或密钥的长度或其外观可能不会。 是否可以在Global Platform Pro的帮助下以某种方式加载密钥,或者仅在GPShell的帮助下才可以加载密钥?
更新:
由于使用第三方程序并没有真正帮助我,我决定尝试手动编写APDU命令,但在全局平台11.8.2规范的DATE参数中感到困惑。密钥传输有两种格式,但我无法理解使用哪种格式以及传递RSA密钥的形式。 下面是我的行动算法,遗憾的是,这并没有带来积极的结果: 我设置:
CLA: 80
INS: D8
P1: 00 - because key not exist (I think)
P2: 01 - key identifier
LC: Total data length
DATA: Format 1 or Format 2 ??? (11.8.2.3 Data Field Sent in the Command Message)
但我不明白我应该为关键数据字段选择哪种格式。
我尝试格式1:
Key type: A0 (RSA Public Key - public exponent e component (clear text) from paragraph 11.1.8 Key Type Coding)
Length of key or key component data: Key Length
密钥或密钥组件数据值:如果我加载由openssl Unix工具生成的RSA公钥,我需要将生成的密钥转换为HEX格式。 例如,我生成公共RSA密钥:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOeq7vhOGFkvofKuBtnIrg//Zo
yG88uIfNG96KrKtW0/sbnzCR0U1Vd89UuQFrH6smTnZXVlurgNko0eQsNwG6kziV
zjC5jAh+u3NEZRT5d12ZGtHq1mecietO+UscbmqojFQ9R8LY5gpDCAhy40wyuzTw
vx8lNRCvaVSlI5WsOwIDAQAB
以十六进制格式翻译:
4d4947664d413047435371475349623344514542415155414134474e4144434269514b426751444f65713776684f47466b766f664b7542746e4972672f2f5a6f794738387549664e4739364b724b7457302f73626e7a43523055315664383955755146724836736d546e5a58566c7572674e6b6f306551734e7747366b7a69567a6a43356a41682b75334e455a5254356431325a47744871316d65636965744f2b557363626d716f6a46513952384c59356770444341687934307779757a54777678386c4e5243766156536c493557734f77494441514142
Length of key check value: 00 (I don't set check value because it is not mandatory, but i think I must calculate it...)
Key check value: -
总数据关键部分:
A0 D7 4d4947664d413047435371475349623344514542415155414134474e4144434269514b426751444f65713776684f47466b766f664b7542746e4972672f2f5a6f794738387549664e4739364b4b7457302f73626e7a43523055315664383955755146724836736d546e5a58566c7572674e6b6f306551734e7747366b7a69567a6a43356a41682b75334e455a5254356431325a47744871316d65636965744f2b557363626d716f6a46513952384c59356770444341687934307779757a54777678386c4e5243766156536c493557734f77494441514142
00
结果,我收到了以下形式的APDU命令:
80D80001DAAOD74d4947664d413047435371475349623344514542415155414134474e4144434269514b426751444f65713776684f47466b766f664b7542746e4972672f2f5a6f794738387549664e4739364b4b7457302f73626e7a43523055315664383955755146724836736d546e5a58566c7572674e6b6f306551734e7747366b7a69567a6a43356a41682b75334e455a5254356431325a47744871316d65636965744f2b557363626d716f6a46513952384c59356770444341687934307779757a54777678386c4e5243766156536c493557734f7749444151414200
但作为回报我收到错误“6A80 - 数据字段中的参数不正确。”
请告诉我哪里可能出错或使用了不合适的格式。