[Muscle] Cyberflex e-gate 32k install error 6A80

Thu May 28 15:37:57 PDT 2009

On Thu, May 28, 2009 at 11:32:39PM +0200, s.ferey wrote:
> Jakob Bohm a écrit :
> >>
> >>if the "-nvCodeLimit" parameter is supposed to build the
> >>load parameter field it is quite strange that it chooses
> >>to change 8500d to 8512d.
> >
> >In GlobalPlatform.c, get_load_data() adds the size of the padding
> >for DES CBC MAC (1..8 bytes 80 00... to make size multiple of 8)
> >and the size of the CBC MAC itself (8 more bytes).  The size
> >calculation is not commented, so I am guessing at the purpose... .
> 
> if you're right, it doesn't make sense! the MACs (one per LOAD APDU)
> are not stored by the JCRE as part of the CAP file, and that parameter
> defines the size of requested EEPROM used to store that CAP file
> (some - most of - components of that CAP file).

Ok, so maybe some GP cards want the extra space needed the MAC or
its calculation to be included in the EEPROM space allocation.

> 
> >But how do I determine if a card (any card) is supporting 2.1.0,
> >2.1.1 or 2.1.2, the JCSystem.getVersion() call only return the two
> >first parts of the version.
> 
> for "any" card it isn't possible, since GP and JVC does not define
> a mean to do so (both are welling to ... for a while, but...).
> some cards propose a proprietary GET DATA tag to list all available
> runtime packages.
> 

Bad move VISA/Sun...

> >Is CosmopolIC a 2.1.x card?
> 
> CosmopolIC is a familly brand name, so yes 'old' cosmo (v.3 & 4)
> were 2.1.x card, current ones cosmo v.7 (80 or 128k) are 2.2.2
> 
And the one you tested my CAP file on is which of those?

> >Does CosmopolIC have the on-card byte code verifier?
> 
> no; a very few number of cards include an on-card verifier,
> I would say it is definitively useless, my opinion ...

IF the on-card verifier actually prevents the execution of
dangerous non-standard byte code it actually closes a big
potential security hole in the JC architecture:  SOMETHING needs
to ensure that no applet can escape its sandbox.

> 
> >Well Cyberflex 32K is the easiest card to buy
> 
> you're definitively right, it is something I never understood,
> all other card suppliers seem to refuse to sell their cards.
> 
> >the highly certified Oberthur card has a dead US website
> 
> oberthurusa.com is closed, oberthur.com provides very generic
> info, oberthurcs.com / Identity Product Line / Corporate
> gives a "page under construction", they don't want to sell,
> or I'm missing something ?!
> 

My observation too...

> >Besides, Cyberflex e-gate 32K has been supported card #1 for the
> >CardEdge applet for years, so just dropping support when something
> >fails would be very bad for users who (like me) have already spent
> >money based on past recommendations.
> 
> (for commercial availabillity more than technical reasons).
> I agree with your point, my point was simply that I can't help
> you on for a Cyberflex specific issue (I don't know this card
> very well) so I just confirmed that your CAP file is OK.
> 

Well at least when used on a functionally different card, which is
why I ask about the detailed card differences to get a clue to the
cause.

-- 
This message is hastily written, please ignore any unpleasant wordings,
do not consider it a binding commitment, even if its phrasing may
indicate so. Its contents may be deliberately or accidentally untrue.
Trademarks and other things belong to their owners, if any.