Fix DM with 2kRSA; add receipt verification (AES only)

Author: martinpaljak

library/src/main/java/pro/javacard/gp/DMTokenizer.java

@@ -111,8 +111,7 @@ protected boolean canTokenize(CommandAPDU apdu) {
         protected byte[] getToken(CommandAPDU apdu) {
             int keylen = (privateKey.getModulus().bitLength() + 7) / 8;
             byte[] dtbs = dtbs(apdu);
-            log.info("Signing DM with {} RSA", privateKey.getModulus().bitLength());
-            log.debug("DM token contents: {}", HexUtils.bin2hex(dtbs));
+
             try {
                 final byte[] token;
                 if (keylen == 128) {
@@ -131,7 +130,7 @@ protected byte[] getToken(CommandAPDU apdu) {
                     signer.update(dtbs);
                     token = signer.sign();
                 }
-                log.debug("DM token: {}", HexUtils.bin2hex(token));
+                log.trace("DM token: {}", HexUtils.bin2hex(token));
                 return token;
             } catch (GeneralSecurityException e) {
                 throw new GPException("Can not calculate DM token: " + e.getMessage(), e);

library/src/main/java/pro/javacard/gp/GPSession.java

@@ -105,6 +105,8 @@ public class GPSession {
     private APDUBIBO channel;
     private GPRegistry registry = null;
     private DMTokenizer tokenizer = DMTokenizer.none();
+    private ReceiptVerifier verifier = new ReceiptVerifier.NullVerifier();
+
     private boolean dirty = true; // True if registry is dirty.
 
     /*
@@ -220,6 +222,10 @@ public void setTokenizer(DMTokenizer tokenizer) {
         this.tokenizer = tokenizer;
     }
 
+    public void setVerifier(ReceiptVerifier verifier) {
+        this.verifier = verifier;
+    }
+
     public DMTokenizer getTokenizer() {
         return tokenizer;
     }
@@ -433,24 +439,12 @@ public void openSecureChannel(GPCardKeys keys, GPSecureChannelVersion scp, byte[
         } else if (this.scpVersion.scp == SCP03 && update_response.length == 32) {
             seq = Arrays.copyOfRange(update_response, offset, 32);
             offset += seq.length;
-
-            if ((scpVersion.i & 0x10) == 0x10) {
-                byte[] ctx = GPUtils.concatenate(seq, this.sdAID.getBytes());
-                logger.trace("Challenge calculation context: {}", HexUtils.bin2hex(ctx));
-                byte[] my_card_challenge = keys.scp3_kdf(KeyPurpose.ENC, GPCrypto.scp03_kdf_blocka((byte) 0x02, 64), ctx, 8);
-                if (!Arrays.equals(my_card_challenge, card_challenge)) {
-                    logger.warn("Pseudorandom card challenge does not match expected: {} vs {}", HexUtils.bin2hex(my_card_challenge), HexUtils.bin2hex(card_challenge));
-                } else {
-                    logger.debug("Pseudorandom card challenge matches expected value: {}", HexUtils.bin2hex(my_card_challenge));
-                }
-            }
         } else {
             seq = null;
         }
 
         if (offset != update_response.length) {
             logger.error("Unhandled data in INITIALIZE UPDATE response: {}", HexUtils.bin2hex(Arrays.copyOfRange(update_response, offset, update_response.length)));
-            //throw new GPDataException("Unhandled data in INITIALIZE UPDATE response", Arrays.copyOfRange(update_response, offset, update_response.length));
         }
 
         logger.debug("KDD: {}", HexUtils.bin2hex(diversification_data));
@@ -477,6 +471,19 @@ public void openSecureChannel(GPCardKeys keys, GPSecureChannelVersion scp, byte[
 
         logger.info("Diversified card keys: {}", cardKeys);
 
+        // Check pseudorandom card challenge. This must happen _after_ key diversification.
+        if (scpVersion.scp == SCP03 && (scpVersion.i & 0x10) == 0x10) {
+            byte[] ctx = GPUtils.concatenate(seq, this.sdAID.getBytes());
+            logger.trace("Challenge calculation context: {}", HexUtils.bin2hex(ctx));
+            byte[] my_card_challenge = keys.scp3_kdf(KeyPurpose.ENC, GPCrypto.scp03_kdf_blocka((byte) 0x02, 64), ctx, 8);
+            if (!Arrays.equals(my_card_challenge, card_challenge)) {
+                logger.warn("Pseudorandom card challenge does not match expected: {} vs {}", HexUtils.bin2hex(my_card_challenge), HexUtils.bin2hex(card_challenge));
+            } else {
+                logger.debug("Pseudorandom card challenge matches expected value: {}", HexUtils.bin2hex(my_card_challenge));
+            }
+        }
+
+
         // Derive session keys
         if (this.scpVersion.scp == GPSecureChannelVersion.SCP.SCP02) {
             sessionContext = seq.clone();
@@ -540,11 +547,23 @@ public void openSecureChannel(GPCardKeys keys, GPSecureChannelVersion scp, byte[
     // Pipe through secure channel
     public ResponseAPDU transmit(CommandAPDU command) throws IOException {
         try {
-            // TODO: BIBO pretty printer
-            //logger.trace("PT> {}", HexUtils.bin2hex(command.getBytes()));
-            ResponseAPDU unwrapped = wrapper.unwrap(channel.transmit(wrapper.wrap(command)));
-            //logger.trace("PT < {}", HexUtils.bin2hex(unwrapped.getBytes()));
-            return unwrapped;
+            CommandAPDU wrapped = wrapper.wrap(command);
+            ResponseAPDU resp = null;
+
+            // GPC 2.3.1 11.1.5.1
+            List<byte[]> chunks = GPUtils.splitArray(wrapped.getData(), blockSize);
+            if (chunks.size() > 1)
+                logger.debug("Chaining in {} chunks", chunks.size());
+
+            for (int i = 0; i < chunks.size(); i++) {
+                boolean last = i == chunks.size() - 1;
+                int p1 = last ? command.getP1() : command.getP1() | 0x80; // XXX: should check if instruction is eligible for this treatment
+                resp = channel.transmit(new CommandAPDU(wrapped.getCLA(), wrapped.getINS(), p1, wrapped.getP2(), chunks.get(i), 256));
+                if (!last) {
+                    GPException.check(resp);
+                }
+            }
+            return wrapper.unwrap(resp);
         } catch (GPException e) {
             throw new IOException("Secure channel failure: " + e.getMessage(), e);
         }
@@ -584,13 +603,13 @@ public void loadCapFile(CAPFile cap, AID targetDomain, AID dapDomain, byte[] dap
         byte[] hash = hashFunction == null ? new byte[0] : cap.getLoadFileDataHash(hashFunction.algo);
         byte[] code = cap.getCode();
         byte[] loadParams = new byte[0]; // FIXME
-
+        AID pkg = cap.getPackageAID();
 
         ByteArrayOutputStream bo = new ByteArrayOutputStream();
 
         try {
-            bo.write(cap.getPackageAID().getLength());
-            bo.write(cap.getPackageAID().getBytes());
+            bo.write(pkg.getLength());
+            bo.write(pkg.getBytes());
 
             bo.write(targetDomain.getLength());
             bo.write(targetDomain.getBytes());
@@ -609,6 +628,7 @@ public void loadCapFile(CAPFile cap, AID targetDomain, AID dapDomain, byte[] dap
         command = tokenizer.tokenize(command);
         ResponseAPDU response = transmitLV(command);
         GPException.check(response, "INSTALL [for load] failed");
+        verifier.check(response, ReceiptVerifier.load(pkg, targetDomain));
 
         // Construct load block
         ByteArrayOutputStream loadBlock = new ByteArrayOutputStream();
@@ -637,7 +657,7 @@ public void loadCapFile(CAPFile cap, AID targetDomain, AID dapDomain, byte[] dap
 
         for (int i = 0; i < blocks.size(); i++) {
             byte p1 = (i == (blocks.size() - 1)) ? P1_LAST_BLOCK : P1_MORE_BLOCKS;
-            CommandAPDU load = new CommandAPDU(CLA_GP, INS_LOAD, p1, (byte) i, blocks.get(i));
+            CommandAPDU load = new CommandAPDU(CLA_GP, INS_LOAD, p1, (byte) i, blocks.get(i), 256);
             response = transmit(load);
             GPException.check(response, "LOAD failed");
         }
@@ -654,6 +674,8 @@ public void installAndMakeSelectable(AID packageAID, AID appletAID, AID instance
         command = tokenizer.tokenize(command);
         ResponseAPDU response = transmitLV(command);
         GPException.check(response, "INSTALL [for install and make selectable] failed");
+
+        verifier.check(response, ReceiptVerifier.install_make_selectable(packageAID, instanceAID));
         dirty = true;
     }
 
@@ -664,6 +686,7 @@ private byte[] buildInstallData(AID packageAID, AID appletAID, AID instanceAID,
         if (installParams == null || installParams.length == 0) {
             installParams = new byte[]{(byte) 0xC9, 0x00};
         }
+        // FIXME: if the parameters parse as tlv, check for presence of 0xC9 before prepending
         // Simple use: only application parameters without tag, prepend 0xC9
         if (installParams[0] != (byte) 0xC9) {
             byte[] newparams = new byte[installParams.length + 2];
@@ -719,6 +742,8 @@ public void extradite(AID what, AID to) throws GPException, IOException {
         command = tokenizer.tokenize(command);
         ResponseAPDU response = transmitLV(command);
         GPException.check(response, "INSTALL [for extradition] failed");
+
+        verifier.check(response, ReceiptVerifier.extradite(sdAID, what, to));
         dirty = true;
     }
 
@@ -848,6 +873,7 @@ public void deleteAID(AID aid, boolean deleteDeps) throws GPException, IOExcepti
         command = tokenizer.tokenize(command);
         ResponseAPDU response = transmitTLV(command);
         GPException.check(response, "DELETE failed");
+        verifier.check(response, ReceiptVerifier.delete(aid));
         dirty = true;
     }
 
@@ -858,7 +884,7 @@ public void deleteKey(Integer keyver, Integer keyid) throws GPException, IOExcep
             throw new IllegalArgumentException("Must specify either key version or key ID");
 
         ByteArrayOutputStream bo = new ByteArrayOutputStream();
-        if (keyid != null ) {
+        if (keyid != null) {
             bo.write(0xd0); // Key Identifier
             bo.write(1);
             bo.write(0x01);
@@ -981,10 +1007,10 @@ byte[] encodeRSAKey(RSAPublicKey key) {
             byte[] exponent = GPUtils.positive(key.getPublicExponent());
 
             bo.write(0xA1); // Modulus
-            bo.write(modulus.length);
+            bo.write(GPUtils.encodeLength(modulus.length));
             bo.write(modulus);
             bo.write(0xA0);
-            bo.write(exponent.length);
+            bo.write(GPUtils.encodeLength(exponent.length));
             bo.write(exponent);
             bo.write(0x00); // No KCV
         } catch (IOException e) {

library/src/main/java/pro/javacard/gp/ReceiptVerifier.java

@@ -0,0 +1,147 @@
+/*
+ * GlobalPlatformPro - GlobalPlatform tool
+ *
+ * Copyright (C) 2024-present Martin Paljak, [email protected]
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3.0 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+package pro.javacard.gp;
+
+import apdu4j.core.HexUtils;
+import apdu4j.core.ResponseAPDU;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import pro.javacard.capfile.AID;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.util.Arrays;
+
+public abstract class ReceiptVerifier {
+
+    private static final Logger log = LoggerFactory.getLogger(ReceiptVerifier.class);
+
+    static byte[] get_receipt(byte[] response) {
+        return Arrays.copyOfRange(response, 2, 2 + response[1]);
+    }
+
+    static byte[] get_confirmation_data(byte[] response) {
+        return Arrays.copyOfRange(response, 2 + response[1], response[0] + 1);
+    }
+
+    abstract boolean check(ResponseAPDU response, byte[] context);
+
+    static public class AESReceiptVerifier extends ReceiptVerifier {
+        private final byte[] aes_key;
+
+        public AESReceiptVerifier(byte[] aesKey) {
+            aes_key = aesKey.clone();
+        }
+
+        @Override
+        boolean check(ResponseAPDU response, byte[] context) {
+            byte[] data = response.getData();
+            if (data[0] == 0x00) {
+                log.debug("No receipt");
+                return true;
+            }
+            try {
+                GPUtils.trace_lv(Arrays.copyOfRange(data, 1, data[0]), log);
+            } catch (Exception e) {
+                log.error("Invalid LV in response: {}", HexUtils.bin2hex(data));
+            }
+            byte[] card = get_receipt(data);
+            byte[] confdata = get_confirmation_data(data);
+
+            byte[] my = GPCrypto.scp03_mac(aes_key, GPUtils.concatenate(confdata, context), 128);
+            boolean verified = Arrays.equals(my, card);
+            if (!verified) {
+                log.error("Receipt verification: {}", verified);
+            } else {
+                log.info("Receipt verification: {}", verified);
+            }
+
+            return verified;
+        }
+    }
+
+    static public class NullVerifier extends ReceiptVerifier {
+
+        public NullVerifier() {
+        }
+
+        @Override
+        boolean check(ResponseAPDU response, byte[] context) {
+            return true;
+        }
+    }
+
+    public static byte[] load(AID pkg, AID sd) {
+        try {
+            ByteArrayOutputStream baos = new ByteArrayOutputStream();
+            baos.write(pkg.getLength());
+            baos.write(pkg.getBytes());
+            baos.write(sd.getLength());
+            baos.write(sd.getBytes());
+            return baos.toByteArray();
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
+    }
+
+    public static byte[] install_make_selectable(AID pkg, AID instance) {
+        try {
+            ByteArrayOutputStream baos = new ByteArrayOutputStream();
+            baos.write(pkg.getLength());
+            baos.write(pkg.getBytes());
+            baos.write(instance.getLength());
+            baos.write(instance.getBytes());
+            return baos.toByteArray();
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
+    }
+
+
+    public static byte[] extradite(AID from, AID what, AID to) {
+        try {
+            ByteArrayOutputStream baos = new ByteArrayOutputStream();
+            baos.write(from.getLength());
+            baos.write(from.getBytes());
+            baos.write(what.getLength());
+            baos.write(what.getBytes());
+            baos.write(to.getLength());
+            baos.write(to.getBytes());
+            return baos.toByteArray();
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
+    }
+
+    public static byte[] delete(AID what) {
+        try {
+            ByteArrayOutputStream baos = new ByteArrayOutputStream();
+            baos.write(what.getLength());
+            baos.write(what.getBytes());
+            return baos.toByteArray();
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
+    }
+
+    // TODO: registry update
+    // TODO: Combined Load, Install and Make Selectable
+}

library/src/main/java/pro/javacard/gp/SCP03Wrapper.java

@@ -99,7 +99,7 @@ protected CommandAPDU wrap(CommandAPDU command) throws GPException {
                 // 8 bytes for actual mac
                 cmd_mac = Arrays.copyOf(cmac, 8);
             }
-            // Constructing new a new command APDU ensures that the coding of LC and NE is correct; especially for Extend Length APDUs
+            // Constructing a new command APDU ensures that the coding of LC and NE is correct; especially for Extend Length APDUs
             CommandAPDU newAPDU = null;
 
             ByteArrayOutputStream newData = new ByteArrayOutputStream();

tool/src/main/java/pro/javacard/gptool/GPCommandLineInterface.java

@@ -108,6 +108,7 @@ abstract class GPCommandLineInterface {
     // Delegated management
     protected static OptionSpec<Key> OPT_DM_KEY = parser.accepts("dm-key", "Delegated Management key").withRequiredArg().ofType(Key.class).describedAs("PEM or hex");
     protected static OptionSpec<HexBytes> OPT_DM_TOKEN = parser.accepts("dm-token", "Delegated Management token").availableUnless(OPT_DM_KEY).withRequiredArg().ofType(HexBytes.class).describedAs("token");
+    protected static OptionSpec<HexBytes> OPT_RECEIPT_KEY = parser.accepts("receipt-key", "Receipt verification key (AES)").withRequiredArg().ofType(HexBytes.class).describedAs("key");
 
     // SSD-s
     protected static OptionSpec<AID> OPT_MOVE = parser.accepts("move", "Move something").withRequiredArg().ofType(AID.class);
@@ -117,11 +118,11 @@ abstract class GPCommandLineInterface {
 
     // DAP
     protected static OptionSpec<AID> OPT_DAP_DOMAIN = parser.accepts("dap-domain", "Domain to use for DAP verification").withRequiredArg().ofType(AID.class);
-    protected static OptionSpec<Void> OPT_SHA256 = parser.accepts("sha256", "Use SHA-256 for LFDB hash, not SHA-1");
+    protected static OptionSpec<Void> OPT_SHA256 = parser.accepts("sha256", "Use SHA-256 for LFDB hash");
+    protected static OptionSpec<Void> OPT_SHA1 = parser.accepts("sha1", "Use SHA-1 for LFDB hash");
 
     protected static OptionSpec<Key> OPT_DAP_KEY = parser.accepts("dap-key", "DAP key").withRequiredArg().ofType(Key.class).describedAs("PEM or hex");
     protected static OptionSpec<HexBytes> OPT_DAP_SIGNATURE = parser.accepts("dap-signature", "DAP signature").availableUnless(OPT_DAP_KEY).withRequiredArg().ofType(HexBytes.class).describedAs("signature");
-    protected static OptionSpec<File> OPT_DAP_SIGN = parser.accepts("dap-sign", "Create DAP signature").availableIf(OPT_DAP_KEY).withRequiredArg().ofType(File.class).describedAs("CAP file");
 
     // Personalization and store data
     protected static OptionSpec<HexBytes> OPT_STORE_DATA = parser.accepts("store-data", "STORE DATA blob").withRequiredArg().ofType(HexBytes.class).describedAs("data");