[Muscle] load file DAP

Karsten Ohme widerstand at t-online.de
Thu Apr 17 17:05:36 PDT 2008


Peter Williams schrieb:
> Guess I get to do it myself! If I recall the GP model, this is what I 
> need to do with GPShell
> 
> 1. use openssl lib to create PEM-era private/public key files (wow, it 
> was 1985, I think, when I first hit PEM, learning it along with 
> RSA/DES/CBC/countermode from the person drafting PEM in IRTF (even 
> before it hit IETF!). It's been around a while!)
> 
> 2) use GPShell to load the DM key of the openssl RSA keyfile into the app 
> domain applet, version=1 index=1
> 
> 3) create the muscle applet load file from the cap, affixing the 
> appropriate RSA 1024bit signature. Can gpshell do this, on the fly or 
> statically?

Not GPShell, the Global Platform library should be able to do this. But 
I never got a card working with a security domain. Either the 
specification is not clear enough, the cards are buggy or I do something 
wrong over and over again.

Regards,
Karsten

> 
> 4) load and install the signed applet, where its security domain is the 
> APP security domain AID (not the more usual card issuer)
> 
> Doing all this, I think the load flow is: Upon detection of 1 or more 
> signature blocks in the load file, the card issuer is supposed to invoke 
> the app SD denoted in the load for load APDU to verify the crypto - where 
> the AppSD knows the crypto is RSA and the key is RSA, the key index 1, 
> and the signature block has endian format X.
> 
> 
> --------------------------------------------------
> From: "Peter Williams" <home_pw at msn.com>
> Sent: Monday, April 14, 2008 11:04 AM
> To: "MUSCLE" <muscle at lists.musclecard.com>
> Subject: Re: [Muscle] load file DAP
> 
>> I've managed to locate (somewhat incredibly) 5 virgin USB tokens that 
>> - presumably as they are in their original static-proof bags - still 
>> have the manufacturer's app security domain applet on the card - in 
>> addition to the card issuer's SD. (Typically, during post-manufacturing 
>> we removed the app SD, to free up space to load and init the muscle 
>> applet.)
>>
>> What I do not have is any technical documentation and all my 
>> people contacts have long since left the javacard startup company for 
>> greener pastures.
>>
>> Anyone want to play with some of them, to test GPShell and ensure its 
>> 2.01 era delegated loading (via RSA) is solid?
>>
>> --------------------------------------------------
>> From: "Karsten Ohme" <widerstand at t-online.de>
>> Sent: Saturday, April 05, 2008 4:43 AM
>> To: "MUSCLE" <muscle at lists.musclecard.com>
>> Subject: Re: [Muscle] load file DAP
>>
>>> Peter Williams schrieb:
>>>> 1. Has anyone used GPShell to load an RSA public key into an 
>>>> _issuer's_ security domain of a 201 card, so one can use the GPShell 
>>>> to send a DAP hash and signature for the load file?
>>>
>>> I think this does not work. I have tried a lot with different cards, 
>>> but I had no success. So, there might be compatibility problems, the 
>>> cards do not support it after all or the specification is not clear 
>>> enough. You can play with the code base; it would be very interesting to 
>>> me if you get it working.
>>>
>>> Karsten
>>>>  2. has anyone tested the use of SHA1 by itself for a LOAD DAP?
>>>>  3. If I half remember right, only a security domain OTHER than the 
>>>> card manager SD can verify either a DESCBC or an RSA DAP (given it 
>>>> knows the verification key, and knowledge that the signature is 
>>>> either RSA or DESCBC).
>>>> _______________________________________________
>>>> Muscle mailing list
>>>> Muscle at lists.musclecard.com
>>>> http://lists.drizzle.com/mailman/listinfo/muscle
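As an added illustration of steps 1 and 3 above and of the check the application provider's SD performs (example code written for this page, not GPShell's or the GlobalPlatform library's own code): it produces and verifies a Load File Data Block Signature and wraps it in a DAP Block. It assumes the GlobalPlatform 2.1.1 RSA DAP scheme (SHA-1 digest, PKCS#1 v1.5 padding, 1024-bit key) and the 'E2' { '4F' SD AID, 'C3' signature } DAP Block layout; the in-script key generation is a toy stand-in for the openssl step, and any AID or load-file bytes fed to it are constructed samples.

```python
import hashlib, math, random, secrets

# DigestInfo prefix for SHA-1 under PKCS#1 v1.5 (RFC 3447, section 9.2, note 1)
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def is_probable_prime(n, rounds=32):
    """Miller-Rabin, fine for a demo key; real keys come from openssl as in the thread."""
    if n < 3 or n % 2 == 0: return n == 2
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def gen_rsa_key(bits=1024, e=65537):
    """Toy RSA key generation (assumption: stands in for the openssl step); returns (e, d, n)."""
    def prime(half):  # top two bits set so p*q fills `bits`, low bit set so odd
        while True:
            c = secrets.randbits(half) | (3 << (half - 2)) | 1
            if math.gcd(c - 1, e) == 1 and is_probable_prime(c): return c
    p, q = prime(bits // 2), prime(bits // 2)
    return e, pow(e, -1, (p - 1) * (q - 1)), p * q

def emsa_pkcs1_v15_sha1(data: bytes, k: int) -> bytes:
    t = SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_load_file_data_block(data: bytes, d: int, n: int) -> bytes:
    """Load File Data Block Signature: RSA over SHA-1, PKCS#1 v1.5 padding (GP RSA DAP)."""
    k = (n.bit_length() + 7) // 8  # 128 bytes for a 1024-bit key
    return pow(int.from_bytes(emsa_pkcs1_v15_sha1(data, k), "big"), d, n).to_bytes(k, "big")

def verify_load_file_data_block(data: bytes, sig: bytes, e: int, n: int) -> bool:
    """The check the application provider's Security Domain makes with its DAP verification key."""
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    return len(sig) == k and s < n and pow(s, e, n).to_bytes(k, "big") == emsa_pkcs1_v15_sha1(data, k)

def tlv(tag: bytes, value: bytes) -> bytes:
    """BER-TLV with a one- or two-byte length, enough for a DAP block (value < 256 bytes)."""
    return tag + (bytes([len(value)]) if len(value) < 128 else b"\x81" + bytes([len(value)])) + value

def dap_block(sd_aid: bytes, sig: bytes) -> bytes:
    """DAP Block sent ahead of the Load File Data Block in LOAD: 'E2' { '4F' SD AID, 'C3' signature }."""
    return tlv(b"\xe2", tlv(b"\x4f", sd_aid) + tlv(b"\xc3", sig))
```

Off-card, sign_load_file_data_block(cap_bytes, d, n) followed by dap_block(app_sd_aid, sig) gives the block that precedes the 'C4' Load File Data Block in LOAD; verify_load_file_data_block is the operation the application provider's SD performs with the key loaded in step 2.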