Closed
Description
Describe the bug
I am trying to create an SSD that will be able to install signed cap files. Using gp and capfile for that.
Information about your card
NXP J3H145 (JCOP3) bought from smartcardfocus
Expected behavior
I would expect to be able to install a signed cap file to the SSD with DAP privileges.
Full log
Initial state of the card:
Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
ISD: A000000151000000 (INITIALIZED)
Parent: A000000151000000
From: A0000000620001
Privs: SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration
PKG: A0000001515350 (LOADED)
Applet: A000000151535041
Cap file is built with AID 112233445500
Steps to reproduce:
- Generate 1024-bit RSA key:
openssl genrsa 1024 > rsa.pem
- Sign applet:
capfile -s rsa.pem applet.cap
CAP file (v2.1), contains: exports, applets for JavaCard 3.0.4
Package: secret 1122334455 v0.0
Applet: secret.SecretApplet 112233445500
Import: A0000000620001 v1.0 java.lang
Import: A0000000620101 v1.5 javacard.framework
Generated by Oracle Corporation converter [v3.0.4]
On Sat Nov 14 11:31:12 CET 2020 with JDK 11.0.9.1 (Ubuntu)
Code size 285 bytes (461 with debug)
SHA-256 d6cc2848bf2ac2240f20cc63b9a11d01526f4866d9cc32d1883879532d07dbed
SHA-1 927dd9f441a0a975a5bb2fcd9edfffdc5d02fb9e
Signed applet.cap
- create SSD
gp -d -v -i -domain A000000151535041 -privs DAPVerification,DelegatedManagement --allow-to --allow-from
# gp -d -v -i -domain A000000151535041 -privs DAPVerification,DelegatedManagement --allow-to --allow-from
[DEBUG] TerminalManager - Selected the only reader with a card
SCardConnect("HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00", T=*) -> T=1, 3BDC18FF8191FE1FC38073C821136605036351000250
# GlobalPlatformPro 325fe84
# Running on Linux 5.4.0-52-generic amd64, Java 11.0.9.1 by Ubuntu
A>> T=1 (4+0000) 00A40400 00
A<< (0018+2) (31ms) 6F108408A000000151000000A5049F6501FF 9000
[DEBUG] GPSession - Auto-detected ISD: A000000151000000
A>> T=1 (4+0000) 80CA9F7F 00
A<< (0045+2) (16ms) 9F7F2A4790050382116351030280480047530734694E3050383037474D32313030343735331300011EFDE4C003 9000
[WARN] GPData - Invalid CPLC date: 474D
[WARN] GPData - Invalid CPLC date: 011E
CPLC: ICFabricator=4790
ICType=0503
OperatingSystemID=8211
OperatingSystemReleaseDate=6351 (2016-12-16)
OperatingSystemReleaseLevel=0302
ICFabricationDate=8048 (2018-02-17)
ICSerialNumber=00475307
ICBatchIdentifier=3469
ICModuleFabricator=4E30
ICModulePackagingDate=5038 (2015-02-07)
ICCManufacturer=3037
ICEmbeddingDate=474D (invalid date format)
ICPrePersonalizer=3231
ICPrePersonalizationEquipmentDate=3030 (2013-01-30)
ICPrePersonalizationEquipmentID=34373533
ICPersonalizer=1300
ICPersonalizationDate=011E (invalid date format)
ICPersonalizationEquipmentID=FDE4C003
A>> T=1 (4+0000) 80CA0042 00
A<< (0003+2) (13ms) 420100 9000
IIN: 420100
A>> T=1 (4+0000) 80CA0045 00
A<< (0010+2) (13ms) 45080000000000000000 9000
CIN: 45080000000000000000
Card Data:
A>> T=1 (4+0000) 80CA0066 00
A<< (0065+2) (18ms) 663F733D06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040300660C060A2B060104012A026E0102 9000
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.1.1
-> GP Version: 2.1.1
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.3.0
-> GP SCP03 i=00
Tag 66: 1.3.6.1.4.1.42.2.110.1.2
-> JavaCard v2
Card Capabilities:
A>> T=1 (4+0000) 80CA0067 00
A<< (0060+2) (37ms) 673A6738A006800102810155A00A8001038102001082010781039EFE8082031E03008301028504010208408602040887040102084088050102030405 9000
[WARN] GPData - Bogus data detected, fixing double tag
Supports SCP02 i=55
Supports SCP03 i=00 i=10 with AES-128 AES-196 AES-256
Supported DOM privileges: SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration
Supported APP privileges: CardLock, CardTerminate, CardReset, CVMManagement, FinalApplication, GlobalService
Supported LFDB hash: SHA-256
Supported Token Verification ciphers: RSA1024_SHA1, ECCP521_SHA512
Supported Receipt Generation ciphers: DES_MAC
Supported DAP Verification ciphers: RSA1024_SHA1, ECCP521_SHA512
Supported ECC Key Parameters: 0102030405
A>> T=1 (4+0000) 80CA00E0 00
A<< (0020+2) (19ms) E012C00401FF8810C00402FF8810C00403FF8810 9000
Version: 255 (0xFF) ID: 1 (0x01) type: AES length: 16 (AES-128, factory key)
Version: 255 (0xFF) ID: 2 (0x02) type: AES length: 16 (AES-128, factory key)
Version: 255 (0xFF) ID: 3 (0x03) type: AES length: 16 (AES-128, factory key)
Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
[INFO] GPSession - Using card master keys with version 0 for setting up session [MAC]
A>> T=1 (4+0008) 80500000 08 781C808DC96E6B10 00
A<< (0029+2) (96ms) 00008048004753073469FF0300B03734C50D5155569A3FAE3106BCC2F1 9000
[DEBUG] GPSession - SSC: null
[DEBUG] GPSession - Host challenge: 781C808DC96E6B10
[DEBUG] GPSession - Card challenge: B03734C50D515556
[DEBUG] GPSession - Card reports SCP03 with key version 255 (0xFF)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 504A77) MAC=404142434445464748494A4B4C4D4E4F (KCV: 504A77) DEK=404142434445464748494A4B4C4D4E4F (KCV: 504A77) for SCP03
[INFO] GPSession - Session keys: ENC=4FD3ED379299F3F34DEB4BB20100A880 MAC=7069BC235F4FFD12D65D8A56BDAAF02B RMAC=AAE483DE9849B2F9048A02805C36A251
[DEBUG] GPSession - Verified card cryptogram: 9A3FAE3106BCC2F1
[DEBUG] GPSession - Calculated host cryptogram: 4FED32A401912615
A>> T=1 (4+0016) 84820100 10 4FED32A4019126157059490EBB32A8B6
A<< (0000+2) (145ms) 9000
A>> T=1 (4+0010) 84F28002 0A 4F008DB8375643E9A775 00
A<< (0044+2) (109ms) E32A4F08A0000001510000009F700107C5039EFE80C407A0000000620001CE020100CC08A000000151000000 9000
A>> T=1 (4+0010) 84F24002 0A 4F0042E3216FDCC56BF2 00
A<< (0000+2) (113ms) 6A88
A>> T=1 (4+0010) 84F21002 0A 4F001E3C2FDD87FD86A0 00
A<< (0025+2) (99ms) E3174F07A00000015153509F7001018408A000000151535041 9000
A>> T=1 (4+0010) 84F22002 0A 4F00A8336E700AC032F5 00
A<< (0015+2) (118ms) E30D4F07A00000015153509F700101 9000
# Note: using detected default AID-s for SSD instantiation: A000000151535041 from A0000001515350
Notice: 0x81 already in parameters or no parameters
# Final parameters:
A>> T=1 (4+0040) 84E60C00 28 07A000000151535008A00000015153504108A00000015153504101E002C90000681DC890273B57CB
A<< (0001+2) (2s687ms) 00 9000
SCardDisconnect("HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00", true) tx:179/rx:363
- check SSD was created:
gp -l
Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
ISD: A000000151000000 (INITIALIZED)
Parent: A000000151000000
From: A0000000620001
Privs: SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration
DOM: A000000151535041 (SELECTABLE)
Parent: A000000151000000
From: A0000001515350
Privs: SecurityDomain, DAPVerification, DelegatedManagement, TrustedPath
PKG: A0000001515350 (LOADED)
Applet: A000000151535041
- Set personalization keys for the SSD
gp -d -v -i -sdaid A000000151535041 --lock 404142434445464748494A4B4C4D4E4E
# GP_READER=HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00
# gp -d -v -i -sdaid A000000151535041 --lock 404142434445464748494A4B4C4D4E4E
[DEBUG] TerminalManager - Matched JnaCardTerminal{scardHandle=SCardContext{62e32d4e}, name=HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00}
SCardConnect("HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00", T=*) -> T=1, 3BDC18FF8191FE1FC38073C821136605036351000250
# GlobalPlatformPro 325fe84
# Running on Linux 5.4.0-52-generic amd64, Java 11.0.9.1 by Ubuntu
# -sdaid is deprecated, use -c/--connect <AID>
[DEBUG] GPSession - (I)SD AID: A000000151535041
A>> T=1 (4+0008) 00A40400 08 A000000151535041 00
A<< (0018+2) (33ms) 6F108408A000000151535041A5049F6501FF 9000
[DEBUG] GPSession - Auto-detected block size: 255
A>> T=1 (4+0000) 80CA9F7F 00
A<< (0000+2) (14ms) 6A88
A>> T=1 (4+0000) 00CA9F7F 00
A<< (0000+2) (14ms) 6A88
[DEBUG] GPData - GET DATA(CPLC): N/A
A>> T=1 (4+0000) 80CA0042 00
A<< (0000+2) (13ms) 6A88
[DEBUG] GPData - GET DATA(IIN): N/A
A>> T=1 (4+0000) 80CA0045 00
A<< (0000+2) (14ms) 6A88
[DEBUG] GPData - GET DATA(CIN): N/A
Card Data:
A>> T=1 (4+0000) 80CA0066 00
A<< (0000+2) (14ms) 6A88
[DEBUG] GPData - GET DATA(Card Data): N/A
Card Capabilities:
A>> T=1 (4+0000) 80CA0067 00
A<< (0000+2) (14ms) 6A88
[DEBUG] GPData - GET DATA(Card Capabilities): N/A
A>> T=1 (4+0000) 80CA00E0 00
A<< (0004+2) (15ms) E002C000 9000
[INFO] GPKeyInfo - Key template has zero length (empty). Skipping.
Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
[INFO] GPSession - Using card master keys with version 0 for setting up session [MAC]
A>> T=1 (4+0008) 80500000 08 1F30E2EA904F758C 00
A<< (0029+2) (145ms) 50418048004753073469FF0300DD43707D24B3930CE59582C1EEB02F49 9000
[DEBUG] GPSession - SSC: null
[DEBUG] GPSession - Host challenge: 1F30E2EA904F758C
[DEBUG] GPSession - Card challenge: DD43707D24B3930C
[DEBUG] GPSession - Card reports SCP03 with key version 255 (0xFF)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 504A77) MAC=404142434445464748494A4B4C4D4E4F (KCV: 504A77) DEK=404142434445464748494A4B4C4D4E4F (KCV: 504A77) for SCP03
[INFO] GPSession - Session keys: ENC=241CF755EF87D852CCF9F48A1B85428F MAC=083299347DD67A29EDA5F7E3F0D310BF RMAC=6C9F66C80B8AE5F4E2028E89497FE3BC
[DEBUG] GPSession - Verified card cryptogram: E59582C1EEB02F49
[DEBUG] GPSession - Calculated host cryptogram: B76ADFFF96CC83B7
A>> T=1 (4+0016) 84820100 10 B76ADFFF96CC83B736BDD5A9D0DE8460
A<< (0000+2) (164ms) 9000
A>> T=1 (4+0008) 84CA00E0 08 A54FFFCA85E6F950 00
A<< (0004+2) (118ms) E002C000 9000
[INFO] GPKeyInfo - Key template has zero length (empty). Skipping.
# Keyset version: 1
Looking at key version
[DEBUG] GPSession - PUT KEY version 1 replace=false ENC=404142434445464748494A4B4C4D4E4E (KCV: 943B35) MAC=404142434445464748494A4B4C4D4E4E (KCV: 943B35) DEK=404142434445464748494A4B4C4D4E4E (KCV: 943B35) for SCP03
[DEBUG] PlaintextKeys - Encrypting ENC value (KCV=943B35) with DEK (KCV=504A77)
[DEBUG] PlaintextKeys - Encrypting MAC value (KCV=943B35) with DEK (KCV=504A77)
[DEBUG] PlaintextKeys - Encrypting DEK value (KCV=943B35) with DEK (KCV=504A77)
A>> T=1 (4+0078) 84D80081 4E 018811108C7C9BF1CAF7920A814CD8686E47B21E03943B358811108C7C9BF1CAF7920A814CD8686E47B21E03943B358811108C7C9BF1CAF7920A814CD8686E47B21E03943B35B1730E8F04BCE40D
A<< (0010+2) (1s349ms) 01943B35943B35943B35 9000
A000000151535041 locked with: 404142434445464748494A4B4C4D4E4E
Write this down, DO NOT FORGET/LOSE IT!
SCardDisconnect("HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00", true) tx:181/rx:89
- Upload the key to the domain with key version 0x73 (DAP):
gp -d -v -i -sdaid A000000151535041 -new-keyver 0x73 -put-key rsa.pem -key 404142434445464748494A4B4C4D4E4E
# GP_READER=HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00
# gp -d -v -i -sdaid A000000151535041 -new-keyver 0x73 -put-key rsa.pem -key 404142434445464748494A4B4C4D4E4E
[DEBUG] TerminalManager - Matched JnaCardTerminal{scardHandle=SCardContext{3491082f}, name=HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00}
SCardConnect("HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00", T=*) -> T=1, 3BDC18FF8191FE1FC38073C821136605036351000250
# GlobalPlatformPro 325fe84
# Running on Linux 5.4.0-52-generic amd64, Java 11.0.9.1 by Ubuntu
# -sdaid is deprecated, use -c/--connect <AID>
[DEBUG] GPSession - (I)SD AID: A000000151535041
A>> T=1 (4+0008) 00A40400 08 A000000151535041 00
A<< (0018+2) (33ms) 6F108408A000000151535041A5049F6501FF 9000
[DEBUG] GPSession - Auto-detected block size: 255
A>> T=1 (4+0000) 80CA9F7F 00
A<< (0000+2) (13ms) 6A88
A>> T=1 (4+0000) 00CA9F7F 00
A<< (0000+2) (13ms) 6A88
[DEBUG] GPData - GET DATA(CPLC): N/A
A>> T=1 (4+0000) 80CA0042 00
A<< (0000+2) (14ms) 6A88
[DEBUG] GPData - GET DATA(IIN): N/A
A>> T=1 (4+0000) 80CA0045 00
A<< (0000+2) (15ms) 6A88
[DEBUG] GPData - GET DATA(CIN): N/A
Card Data:
A>> T=1 (4+0000) 80CA0066 00
A<< (0000+2) (14ms) 6A88
[DEBUG] GPData - GET DATA(Card Data): N/A
Card Capabilities:
A>> T=1 (4+0000) 80CA0067 00
A<< (0000+2) (15ms) 6A88
[DEBUG] GPData - GET DATA(Card Capabilities): N/A
A>> T=1 (4+0000) 80CA00E0 00
A<< (0020+2) (21ms) E012C00401018810C00402018810C00403018810 9000
Version: 1 (0x01) ID: 1 (0x01) type: AES length: 16 (AES-128)
Version: 1 (0x01) ID: 2 (0x02) type: AES length: 16 (AES-128)
Version: 1 (0x01) ID: 3 (0x03) type: AES length: 16 (AES-128)
[INFO] GPSession - Using card master keys with version 0 for setting up session [MAC]
A>> T=1 (4+0008) 80500000 08 9A3E270F5541B709 00
A<< (0029+2) (104ms) 5041804800475307346901030008A0ED414CDC7A670FBEF258D95F48FC 9000
[DEBUG] GPSession - SSC: null
[DEBUG] GPSession - Host challenge: 9A3E270F5541B709
[DEBUG] GPSession - Card challenge: 08A0ED414CDC7A67
[DEBUG] GPSession - Card reports SCP03 with key version 1 (0x01)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4E (KCV: 943B35) MAC=404142434445464748494A4B4C4D4E4E (KCV: 943B35) DEK=404142434445464748494A4B4C4D4E4E (KCV: 943B35) for SCP03
[INFO] GPSession - Session keys: ENC=700A8DB2F44203BDA14B3F0184C0CCB9 MAC=2B811AB67DC46ED12EFFA6A58A62F8E5 RMAC=2F83761D89D70A6B32F332AD3C599F32
[DEBUG] GPSession - Verified card cryptogram: 0FBEF258D95F48FC
[DEBUG] GPSession - Calculated host cryptogram: 7B771C775A769526
A>> T=1 (4+0016) 84820100 10 7B771C775A7695268F02D39801552F69
A<< (0000+2) (147ms) 9000
A>> T=1 (4+0145) 84D80001 91 73A180C9A49BAAF9B7044565FE1A2CF2431EAA8E7F2D19E8A00100315D84742D53AF6AD95E4414FA05E7FB1154A335F9D9B178DBB2E868CC557EC08B62DD5AB7718F49DE9CA42CDF97ACB9866021C5A690037F06FB33A24883482EC8C5C8DB4394E3F235213C9F919491207F39249700849CD1EE41EE6411FCFB6EAC58EB35DF059351A003010001002659FCF91C62BC8D 00
A<< (0001+2) (842ms) 73 9000
SCardDisconnect("HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00", true) tx:235/rx:90
- check that domain becomes personalized
gp -l
Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
ISD: A000000151000000 (INITIALIZED)
Parent: A000000151000000
From: A0000000620001
Privs: SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration
DOM: A000000151535041 (PERSONALIZED)
Parent: A000000151000000
From: A0000001515350
Privs: SecurityDomain, DAPVerification, DelegatedManagement, TrustedPath
PKG: A0000001515350 (LOADED)
Applet: A000000151535041
- try uploading signed applet to the domain - returns error 6985:
gp -d -i -v -load applet.cap -to A000000151535041
# GP_READER=HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00
# gp -d -i -v -load applet.cap -to A000000151535041
[DEBUG] TerminalManager - Matched JnaCardTerminal{scardHandle=SCardContext{154d3d2}, name=HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00}
SCardConnect("HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00", T=*) -> T=1, 3BDC18FF8191FE1FC38073C821136605036351000250
# GlobalPlatformPro 325fe84
# Running on Linux 5.4.0-52-generic amd64, Java 11.0.9.1 by Ubuntu
A>> T=1 (4+0000) 00A40400 00
A<< (0018+2) (31ms) 6F108408A000000151000000A5049F6501FF 9000
[DEBUG] GPSession - Auto-detected ISD: A000000151000000
A>> T=1 (4+0000) 80CA9F7F 00
A<< (0045+2) (16ms) 9F7F2A4790050382116351030280480047530734694E3050383037474D32313030343735331300011EFDE4C003 9000
[WARN] GPData - Invalid CPLC date: 474D
[WARN] GPData - Invalid CPLC date: 011E
CPLC: ICFabricator=4790
ICType=0503
OperatingSystemID=8211
OperatingSystemReleaseDate=6351 (2016-12-16)
OperatingSystemReleaseLevel=0302
ICFabricationDate=8048 (2018-02-17)
ICSerialNumber=00475307
ICBatchIdentifier=3469
ICModuleFabricator=4E30
ICModulePackagingDate=5038 (2015-02-07)
ICCManufacturer=3037
ICEmbeddingDate=474D (invalid date format)
ICPrePersonalizer=3231
ICPrePersonalizationEquipmentDate=3030 (2013-01-30)
ICPrePersonalizationEquipmentID=34373533
ICPersonalizer=1300
ICPersonalizationDate=011E (invalid date format)
ICPersonalizationEquipmentID=FDE4C003
A>> T=1 (4+0000) 80CA0042 00
A<< (0003+2) (12ms) 420100 9000
IIN: 420100
A>> T=1 (4+0000) 80CA0045 00
A<< (0010+2) (14ms) 45080000000000000000 9000
CIN: 45080000000000000000
Card Data:
A>> T=1 (4+0000) 80CA0066 00
A<< (0065+2) (96ms) 663F733D06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040300660C060A2B060104012A026E0102 9000
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.1.1
-> GP Version: 2.1.1
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.3.0
-> GP SCP03 i=00
Tag 66: 1.3.6.1.4.1.42.2.110.1.2
-> JavaCard v2
Card Capabilities:
A>> T=1 (4+0000) 80CA0067 00
A<< (0060+2) (18ms) 673A6738A006800102810155A00A8001038102001082010781039EFE8082031E03008301028504010208408602040887040102084088050102030405 9000
[WARN] GPData - Bogus data detected, fixing double tag
Supports SCP02 i=55
Supports SCP03 i=00 i=10 with AES-128 AES-196 AES-256
Supported DOM privileges: SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration
Supported APP privileges: CardLock, CardTerminate, CardReset, CVMManagement, FinalApplication, GlobalService
Supported LFDB hash: SHA-256
Supported Token Verification ciphers: RSA1024_SHA1, ECCP521_SHA512
Supported Receipt Generation ciphers: DES_MAC
Supported DAP Verification ciphers: RSA1024_SHA1, ECCP521_SHA512
Supported ECC Key Parameters: 0102030405
A>> T=1 (4+0000) 80CA00E0 00
A<< (0020+2) (20ms) E012C00401FF8810C00402FF8810C00403FF8810 9000
Version: 255 (0xFF) ID: 1 (0x01) type: AES length: 16 (AES-128, factory key)
Version: 255 (0xFF) ID: 2 (0x02) type: AES length: 16 (AES-128, factory key)
Version: 255 (0xFF) ID: 3 (0x03) type: AES length: 16 (AES-128, factory key)
Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
[INFO] GPSession - Using card master keys with version 0 for setting up session [MAC]
A>> T=1 (4+0008) 80500000 08 97ADB6BB81F0B0ED 00
A<< (0029+2) (95ms) 00008048004753073469FF030051ABA6305B606E7531149DA9A70614D4 9000
[DEBUG] GPSession - SSC: null
[DEBUG] GPSession - Host challenge: 97ADB6BB81F0B0ED
[DEBUG] GPSession - Card challenge: 51ABA6305B606E75
[DEBUG] GPSession - Card reports SCP03 with key version 255 (0xFF)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 504A77) MAC=404142434445464748494A4B4C4D4E4F (KCV: 504A77) DEK=404142434445464748494A4B4C4D4E4F (KCV: 504A77) for SCP03
[INFO] GPSession - Session keys: ENC=55CF6EEA780505D77269685C28D2FBA2 MAC=AE5D5A8B664BE89BBA95D8545F540C11 RMAC=CCA97E422FC46EC9753754F3DB7B915D
[DEBUG] GPSession - Verified card cryptogram: 31149DA9A70614D4
[DEBUG] GPSession - Calculated host cryptogram: 533FBA65C2ABBB8C
A>> T=1 (4+0016) 84820100 10 533FBA65C2ABBB8C8C30561BCA69A433
A<< (0000+2) (145ms) 9000
CAP file (v2.1), contains: exports, applets for JavaCard 3.0.4
Package: secret 1122334455 v0.0
Applet: secret.SecretApplet 112233445500
Import: A0000000620001 v1.0 java.lang
Import: A0000000620101 v1.5 javacard.framework
Generated by Oracle Corporation converter [v3.0.4]
On Sat Nov 14 11:31:12 CET 2020 with JDK 11.0.9.1 (Ubuntu)
Code size 285 bytes (461 with debug)
SHA-256 d6cc2848bf2ac2240f20cc63b9a11d01526f4866d9cc32d1883879532d07dbed
SHA-1 927dd9f441a0a975a5bb2fcd9edfffdc5d02fb9e
A>> T=1 (4+0010) 84F28002 0A 4F001C484ED39D4DDC2B 00
A<< (0044+2) (115ms) E32A4F08A0000001510000009F700107C5039EFE80C407A0000000620001CE020100CC08A000000151000000 9000
A>> T=1 (4+0010) 84F24002 0A 4F0089805CC478C25074 00
A<< (0044+2) (100ms) E32A4F08A0000001515350419F70010FC503E08000C407A0000001515350CE020100CC08A000000151000000 9000
A>> T=1 (4+0010) 84F21002 0A 4F00A04385A140D9D04C 00
A<< (0025+2) (100ms) E3174F07A00000015153509F7001018408A000000151535041 9000
A>> T=1 (4+0010) 84F22002 0A 4F00A7E4957369A1A06B 00
A<< (0015+2) (117ms) E30D4F07A00000015153509F700101 9000
A>> T=1 (4+0046) 84E60200 2E 05112233445508A00000015153504114927DD9F441A0A975A5BB2FCD9EDFFFDC5D02FB9E00000C1CF1261D6F446F
A<< (0000+2) (116ms) 6985
Applet loading not allowed. Are you sure the domain can accept it?
Error: INSTALL [for load] failed: 0x6985 (Conditions of use not satisfied)
pro.javacard.gp.GPException: INSTALL [for load] failed: 0x6985 (Conditions of use not satisfied)
at pro.javacard.gp.GPException.check(GPException.java:64)
at pro.javacard.gp.GPSession.loadCapFile(GPSession.java:579)
at pro.javacard.gp.GPCommands.load(GPCommands.java:155)
at pro.javacard.gp.GPTool.loadCAP(GPTool.java:824)
at pro.javacard.gp.GPTool.run(GPTool.java:375)
at pro.javacard.gp.GPTool.main(GPTool.java:107)
SCardDisconnect("HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00", true) tx:185/rx:406
- Trying the same using --connect flag - returns error 0x6A80 (Wrong data/incorrect values in data):
gp -d -i -v -c A000000151535041 -load applet.cap -key 404142434445464748494A4B4C4D4E4E
# GP_READER=HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00
# gp -d -i -v -c A000000151535041 -load applet.cap -key 404142434445464748494A4B4C4D4E4E
[DEBUG] TerminalManager - Matched JnaCardTerminal{scardHandle=SCardContext{5a05bc30}, name=HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00}
SCardConnect("HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00", T=*) -> T=1, 3BDC18FF8191FE1FC38073C821136605036351000250
# GlobalPlatformPro 325fe84
# Running on Linux 5.4.0-52-generic amd64, Java 11.0.9.1 by Ubuntu
[DEBUG] GPSession - (I)SD AID: A000000151535041
A>> T=1 (4+0008) 00A40400 08 A000000151535041 00
A<< (0018+2) (80ms) 6F108408A000000151535041A5049F6501FF 9000
[DEBUG] GPSession - Auto-detected block size: 255
A>> T=1 (4+0000) 80CA9F7F 00
A<< (0000+2) (14ms) 6A88
A>> T=1 (4+0000) 00CA9F7F 00
A<< (0000+2) (15ms) 6A88
[DEBUG] GPData - GET DATA(CPLC): N/A
A>> T=1 (4+0000) 80CA0042 00
A<< (0000+2) (15ms) 6A88
[DEBUG] GPData - GET DATA(IIN): N/A
A>> T=1 (4+0000) 80CA0045 00
A<< (0000+2) (15ms) 6A88
[DEBUG] GPData - GET DATA(CIN): N/A
Card Data:
A>> T=1 (4+0000) 80CA0066 00
A<< (0000+2) (14ms) 6A88
[DEBUG] GPData - GET DATA(Card Data): N/A
Card Capabilities:
A>> T=1 (4+0000) 80CA0067 00
A<< (0000+2) (14ms) 6A88
[DEBUG] GPData - GET DATA(Card Capabilities): N/A
A>> T=1 (4+0000) 80CA00E0 00
A<< (0028+2) (24ms) E01AC00401018810C00402018810C00403018810C0060173A180A003 9000
Version: 1 (0x01) ID: 1 (0x01) type: AES length: 16 (AES-128)
Version: 1 (0x01) ID: 2 (0x02) type: AES length: 16 (AES-128)
Version: 1 (0x01) ID: 3 (0x03) type: AES length: 16 (AES-128)
Version: 115 (0x73) ID: 1 (0x01) type: RSA_PUB_N length: 128 (RSA-1024 public, DAP Verification)
[INFO] GPSession - Using card master keys with version 0 for setting up session [MAC]
A>> T=1 (4+0008) 80500000 08 29C1DA87638D7F7B 00
A<< (0029+2) (104ms) 50418048004753073469010300B8C878774EDAB0178D39E03D978E7DC7 9000
[DEBUG] GPSession - SSC: null
[DEBUG] GPSession - Host challenge: 29C1DA87638D7F7B
[DEBUG] GPSession - Card challenge: B8C878774EDAB017
[DEBUG] GPSession - Card reports SCP03 with key version 1 (0x01)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4E (KCV: 943B35) MAC=404142434445464748494A4B4C4D4E4E (KCV: 943B35) DEK=404142434445464748494A4B4C4D4E4E (KCV: 943B35) for SCP03
[INFO] GPSession - Session keys: ENC=A61FED3B33EDD47DAEF29F99BAD93C2A MAC=ACCB8F90182FF1556A58B0ED5D3CFC07 RMAC=D123F445A5D5DCF60195A9D30027C298
[DEBUG] GPSession - Verified card cryptogram: 8D39E03D978E7DC7
[DEBUG] GPSession - Calculated host cryptogram: 2F7E5D0F4360694B
A>> T=1 (4+0016) 84820100 10 2F7E5D0F4360694BE5616054F4FD3554
A<< (0000+2) (148ms) 9000
CAP file (v2.1), contains: exports, applets for JavaCard 3.0.4
Package: secret 1122334455 v0.0
Applet: secret.SecretApplet 112233445500
Import: A0000000620001 v1.0 java.lang
Import: A0000000620101 v1.5 javacard.framework
Generated by Oracle Corporation converter [v3.0.4]
On Sat Nov 14 11:31:12 CET 2020 with JDK 11.0.9.1 (Ubuntu)
Code size 285 bytes (461 with debug)
SHA-256 d6cc2848bf2ac2240f20cc63b9a11d01526f4866d9cc32d1883879532d07dbed
SHA-1 927dd9f441a0a975a5bb2fcd9edfffdc5d02fb9e
A>> T=1 (4+0010) 84F28002 0A 4F000C591A7A6F6D3C5B 00
A<< (0044+2) (110ms) E32A4F08A0000001510000009F700107C5039EFE80C407A0000000620001CE020100CC08A000000151000000 9000
A>> T=1 (4+0010) 84F24002 0A 4F00590C7625FE31CC5F 00
A<< (0044+2) (102ms) E32A4F08A0000001515350419F70010FC503E08000C407A0000001515350CE020100CC08A000000151000000 9000
A>> T=1 (4+0010) 84F21002 0A 4F006EF7050F8A60382B 00
A<< (0000+2) (119ms) 6A88
A>> T=1 (4+0010) 84F22002 0A 4F008E905ED25ED324CD 00
A<< (0000+2) (100ms) 6A88
A>> T=1 (4+0046) 84E60200 2E 05112233445508A00000015153504114927DD9F441A0A975A5BB2FCD9EDFFFDC5D02FB9E0000F21D908B8CF2A45C
A<< (0000+2) (122ms) 6A80
Applet loading failed. Are you sure the card can handle it?
Error: INSTALL [for load] failed: 0x6A80 (Wrong data/incorrect values in data)
pro.javacard.gp.GPException: INSTALL [for load] failed: 0x6A80 (Wrong data/incorrect values in data)
at pro.javacard.gp.GPException.check(GPException.java:64)
at pro.javacard.gp.GPSession.loadCapFile(GPSession.java:579)
at pro.javacard.gp.GPCommands.load(GPCommands.java:155)
at pro.javacard.gp.GPTool.loadCAP(GPTool.java:824)
at pro.javacard.gp.GPTool.run(GPTool.java:375)
at pro.javacard.gp.GPTool.main(GPTool.java:107)
SCardDisconnect("HID Global OMNIKEY 5422 Smartcard Reader [OMNIKEY 5422 Smartcard Reader] (KJ0I2A00EY10673763) 01 00", true) tx:199/rx:193
What am I missing?
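
As an aid to reading the two failing INSTALL [for load] APDUs above, the following added example (not part of the original report and not GlobalPlatformPro code) pairs each command with its status word and splits the data field into the length-value fields defined by the GlobalPlatform Card Specification: Load File AID, Security Domain AID, Load File Data Block Hash, load parameters and load token. The function and class names, the single-byte length fields and the 8-byte C-MAC are assumptions of this example; the log lines and digests are copied from the report.

```python
import re
from dataclasses import dataclass

# The two INSTALL [for load] exchanges, copied from the debug logs above.
LOG = """\
A>> T=1 (4+0046) 84E60200 2E 05112233445508A00000015153504114927DD9F441A0A975A5BB2FCD9EDFFFDC5D02FB9E00000C1CF1261D6F446F
A<< (0000+2) (116ms) 6985
A>> T=1 (4+0046) 84E60200 2E 05112233445508A00000015153504114927DD9F441A0A975A5BB2FCD9EDFFFDC5D02FB9E0000F21D908B8CF2A45C
A<< (0000+2) (122ms) 6A80
"""
# Digests printed by capfile for applet.cap in the report.
CAP_DIGESTS = {
    "SHA-1": "927dd9f441a0a975a5bb2fcd9edfffdc5d02fb9e",
    "SHA-256": "d6cc2848bf2ac2240f20cc63b9a11d01526f4866d9cc32d1883879532d07dbed",
}
CMAC_LEN = 8  # assumption: 8-byte C-MAC, as in the SCP03 sessions logged above

CMD = re.compile(r"^A>> T=\d \(\d+\+\d+\) ([0-9A-F]{8}) ([0-9A-F]{2}) ([0-9A-F]+)")
RSP = re.compile(r"^A<< \(\d+\+\d\) \([^)]*\) (?:[0-9A-F]+ )?([0-9A-F]{4})$")


@dataclass
class InstallForLoad:
    load_file_aid: str
    sd_aid: str
    lfdb_hash: str
    load_params: str
    load_token: str
    cmac: str
    sw: str

    def digest_name(self, digests):
        """Name of the CAP digest carried in the hash field, or None."""
        for name, value in digests.items():
            if value.upper() == self.lfdb_hash:
                return name
        return None


def _lv_fields(body, count):
    """Split `count` consecutive length-value fields (single-byte lengths assumed)."""
    out, pos = [], 0
    for _ in range(count):
        if pos >= len(body):
            raise ValueError("truncated: missing length byte")
        n = body[pos]
        if pos + 1 + n > len(body):
            raise ValueError("truncated: field overruns data")
        out.append(body[pos + 1:pos + 1 + n])
        pos += 1 + n
    if pos != len(body):
        raise ValueError(f"{len(body) - pos} unexpected trailing byte(s)")
    return out


def decode_install_for_load(header, lc, data, sw):
    hdr, raw = bytes.fromhex(header), bytes.fromhex(data)
    if hdr[1:3] != b"\xE6\x02":
        raise ValueError("not INSTALL [for load] (INS=E6, P1=02)")
    if int(lc, 16) != len(raw):
        raise ValueError("Lc does not match data length")
    cmac = b""
    if hdr[0] & 0x04:  # secure-messaging bit in CLA: a C-MAC trails the data
        raw, cmac = raw[:-CMAC_LEN], raw[-CMAC_LEN:]
    fields = [f.hex().upper() for f in _lv_fields(raw, 5)]
    return InstallForLoad(*fields, cmac.hex().upper(), sw)


def install_attempts(log_text):
    """Return one decoded record per INSTALL [for load] command/response pair."""
    attempts, pending = [], None
    for line in log_text.splitlines():
        line = line.strip()
        cmd, rsp = CMD.match(line), RSP.match(line)
        if cmd:
            pending = cmd.groups()
        elif rsp and pending:
            if pending[0][2:6] == "E602":
                attempts.append(decode_install_for_load(*pending, rsp.group(1)))
            pending = None
    return attempts


if __name__ == "__main__":
    for a in install_attempts(LOG):
        print(a, "hash field =", a.digest_name(CAP_DIGESTS))
```

Run on the lines above, both attempts decode to the same fields and differ only in the C-MAC and the status word: the hash field carries the 20-byte SHA-1 of applet.cap, and the load parameters and load token fields are both empty.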