--set-pre-perso and -set-perso not working because of wrong P1 in storeDGI in Infineon card.

[jo-bitsch]

First: Thanks for this really excellent tool! I really appreciate your work!

Describe the bug

Storing the PrePersonalization and Personalization Information running --set-pre-perso fails with 6A80 (Wrong data/incorrect values in data)

Checking with the GlobalPlatform Specification(https://globalplatform.org/wp-content/uploads/2018/05/GPC_CardSpecification_v2.3.1_PublicRelease_CC.pdf page 197, Table 11-89), the APDU for setting the information should be
84E288000b9F67081111111111111111, instead of 84E280000b9F67081111111111111111
the difference being P1=0x88 vs. P1=0x80, which is set in saveDGI(

GlobalPlatformPro/library/src/main/java/pro/javacard/gp/GPCommands.java

Line 42 in c03e879

CommandAPDU cmd = new CommandAPDU(GPSession.CLA_GP, GPSession.INS_STORE_DATA, 0x80, 0x00, payload);

)
P1 = 0x80 /*last block*/ | 0x08 /*DGI format of the command data field*/; // --> 0x88

Sending the corrected APDU by hand results in the expected behavior of the card setting the prepersonalization data.

Unfortunately, I don't have other cards available to check if this works on other cards as well.

Information about your card

As much information as you have:

1. Vendor
   Infineon

2. Product
   Secora ID S / SLJ 52GxxyyyzS

3. Version
   1.00

Expected behavior

The card should save the prepersonalization data and return 9000 instead of 6A80, like so

$ gp.jar --key $KEY -d -v -s 84E288000b9F67081111111111111111
[... excluding authentication and card information ..]
A>> T=1 (4+0019) 84E28800 13 9F670811111111111111119750E38E33A10AC7
A<< (0000+2) (41ms) 9000

and store the prepersonalization data accordingly, which it does with the corrected P1.

Full log of erroneous behavior

$ gp.jar --key $KEY -d -v -i  --set-pre-perso 1111111111111111
GlobalPlatformPro v20.01.23-0-g5ad373b
Running on Linux 5.19.0-35-generic amd64, Java 18.0.2-ea by Private Build
# Detected readers from JNA2PCSC
[*] Microchip SEC1110 [CCID Interface] (CDEA0414) 00 00
SCardConnect("Microchip SEC1110 [CCID Interface] (CDEA0414) 00 00", T=*) -> T=1, 3BB89600C00831FE45FFFF14423050230079
SCardBeginTransaction("Microchip SEC1110 [CCID Interface] (CDEA0414) 00 00")
Reader: Microchip SEC1110 [CCID Interface] (CDEA0414) 00 00
ATR: 3BB89600C00831FE45FFFF14423050230079
More information about your card:
    http://smartcard-atr.appspot.com/parse?ATR=3BB89600C00831FE45FFFF14423050230079

A>> T=1 (4+0000) 00A40400 00 
A<< (0096+2) (26ms) 6F5E8408A000000151000000A552734806072A864886FC6B01600B06092A864886FC6B020202630906072A864886FC6B03640B06092A864886FC6B040310650A06082A864886FC6B0505660C060A2B060104012A026E01039F6E010F9F6501FF 9000
[TRACE] GPSession -  [6F]
[TRACE] GPSession -      [84] A000000151000000
[TRACE] GPSession -      [A5]
[TRACE] GPSession -          [73]
[TRACE] GPSession -              [06] 2A864886FC6B01
[TRACE] GPSession -              [60]
[TRACE] GPSession -                  [06] 2A864886FC6B020202
[TRACE] GPSession -              [63]
[TRACE] GPSession -                  [06] 2A864886FC6B03
[TRACE] GPSession -              [64]
[TRACE] GPSession -                  [06] 2A864886FC6B040310
[TRACE] GPSession -              [65]
[TRACE] GPSession -                  [06] 2A864886FC6B0505
[TRACE] GPSession -              [66]
[TRACE] GPSession -                  [06] 2B060104012A026E0103
[TRACE] GPSession -          [9F6E] 0F
[TRACE] GPSession -          [9F65] FF
[DEBUG] GPSession - Auto-detected ISD: A000000151000000
[TRACE] GPData - GET DATA(CPLC)
A>> T=1 (4+0000) 80CA9F7F 00 
A<< (0045+2) (7ms) 9F7F2A409019154090032301009308A918583AAC10000000000000000000000000000000000000000000000000 9000
CPLC: ICFabricator=4090
      ICType=1915
      OperatingSystemID=4090
      OperatingSystemReleaseDate=0323 (2010-11-19)
      OperatingSystemReleaseLevel=0100
      ICFabricationDate=9308 (2019-11-04)
      ICSerialNumber=A918583A
      ICBatchIdentifier=AC10
      ICModuleFabricator=0000
      ICModulePackagingDate=0000 (2010-01-01)
      ICCManufacturer=0000
      ICEmbeddingDate=0000 (2010-01-01)
      ICPrePersonalizer=0000
      ICPrePersonalizationEquipmentDate=0000 (2010-01-01)
      ICPrePersonalizationEquipmentID=00000000
      ICPersonalizer=0000
      ICPersonalizationDate=0000 (2010-01-01)
      ICPersonalizationEquipmentID=00000000

[TRACE] GPData - GET DATA(IIN)
A>> T=1 (4+0000) 80CA0042 00 
A<< (0008+2) (5ms) 4206000000000000 9000
IIN: 4206000000000000
[TRACE] GPData - GET DATA(CIN)
A>> T=1 (4+0000) 80CA0045 00 
A<< (0010+2) (5ms) 45080000000000000000 9000
CIN: 45080000000000000000
Card Data: 
[TRACE] GPData - GET DATA(Card Data)
A>> T=1 (4+0000) 80CA0066 00 
A<< (0076+2) (9ms) 664A734806072A864886FC6B01600B06092A864886FC6B020202630906072A864886FC6B03640B06092A864886FC6B040310650A06082A864886FC6B0505660C060A2B060104012A026E0103 9000
[TRACE] GPData -  [66]
[TRACE] GPData -      [73]
[TRACE] GPData -          [06] 2A864886FC6B01
[TRACE] GPData -          [60]
[TRACE] GPData -              [06] 2A864886FC6B020202
[TRACE] GPData -          [63]
[TRACE] GPData -              [06] 2A864886FC6B03
[TRACE] GPData -          [64]
[TRACE] GPData -              [06] 2A864886FC6B040310
[TRACE] GPData -          [65]
[TRACE] GPData -              [06] 2A864886FC6B0505
[TRACE] GPData -          [66]
[TRACE] GPData -              [06] 2B060104012A026E0103
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.2
-> GP Version: 2.2
Tag 63: 1.2.840.114283.3
Tag 64: 1.2.840.114283.4.3.16
-> GP SCP03 i=10
Tag 65: 1.2.840.114283.5.5
Tag 66: 1.3.6.1.4.1.42.2.110.1.3
-> JavaCard v3
Card Capabilities: 
[TRACE] GPData - GET DATA(Card Capabilities)
A>> T=1 (4+0000) 80CA0067 00 
A<< (0045+2) (10ms) 672BA00A80010381020010820107A007800102810215558103FF8E0082031E860083010285010386013C870103 9000
[TRACE] GPData -  [67]
[TRACE] GPData -      [A0]
[TRACE] GPData -          [80] 03
[TRACE] GPData -          [81] 0010
[TRACE] GPData -          [82] 07
[TRACE] GPData -      [A0]
[TRACE] GPData -          [80] 02
[TRACE] GPData -          [81] 1555
[TRACE] GPData -      [81] FF8E00
[TRACE] GPData -      [82] 1E8600
[TRACE] GPData -      [83] 02
[TRACE] GPData -      [85] 03
[TRACE] GPData -      [86] 3C
[TRACE] GPData -      [87] 03
Supports: SCP03 i=00 i=10 with AES-128 AES-196 AES-256
Supports: SCP02 i=15 i=55
Supported DOM privileges: SecurityDomain, DelegatedManagement, CardLock, CardTerminate, CardReset, CVMManagement, MandatedDAPVerification, TrustedPath, GlobalLock, GlobalRegistry, FinalApplication
Supported APP privileges: CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, GlobalRegistry, FinalApplication
Supported LFDB hash: 02
Supported Token Verification ciphers: 03
Supported Receipt Generation ciphers: 3C
Supported DAP Verification ciphers: 03
[TRACE] GPData - GET DATA(Key Info Template)
A>> T=1 (4+0000) 80CA00E0 00 
A<< (0020+2) (10ms) E012C00401028820C00402028820C00403028820 9000
[TRACE] GPKeyInfo -  [E0]
[TRACE] GPKeyInfo -      [C0] 01028820
[TRACE] GPKeyInfo -      [C0] 02028820
[TRACE] GPKeyInfo -      [C0] 03028820
Version:   2 (0x02) ID:   1 (0x01) type: AES  length:  32 (AES-256)
Version:   2 (0x02) ID:   2 (0x02) type: AES  length:  32 (AES-256)
Version:   2 (0x02) ID:   3 (0x03) type: AES  length:  32 (AES-256)
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP03
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP03
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP03
[... excluding authentication ...]
[DEBUG] GPSession - Verified card cryptogram: 6A7A9FEFFEFD5009
[DEBUG] GPSession - Calculated host cryptogram: 2AF5AD957B59A1C0
A>> T=1 (4+0016) 84820100 10 2AF5AD957B59A1C0065A430F7A7E67EE
A<< (0000+2) (21ms) 9000
A>> T=1 (4+0019) 84E28000 13 9F67081111111111111111F80CFC96FF8E8FE2
A<< (0000+2) (21ms) 6A80
STORE DATA failed: 0x6A80 (Wrong data/incorrect values in data)

[jo-bitsch]

This seems to also be related to #308

[jo-bitsch]

technically saveDGI should always have the 0x08 bit set (at least according to the spec), as it always saves DGI data (hence the name), but with the --store-p1 patch (#308) we could as a work around also save the prepersonalization data using --store-p1 0x88 --store-data 9F67081111111111111111 which I guess is ever so slightly better than sending the raw APDU via SCP using -s though that could be open to discussion.

What's completely open to me, is, if other cards might misbehave if you are using P1=0x88 (which is at least to the current spec) vs if you are using P1=0x80 (which is the current behavior of gp.jar and presumably extensively tested with other cards)

[martinpaljak]

Ideally I'd like to keep command line options reusable (#308). I doubt the command was heavily tested with many cards, so diffing specs and testing with a wider variety of cards is needed for this specific issue.

[martinpaljak]

The naming of the function is not correct, in fact the data is tlv-s no dgi-s.

Also, as there are no public definitions of this behaviour that I know of (if you have any I can link to, please let me know!).

Thus there is not a canonical reference for the "right thing" to do.

If you have any Secora S cards to send for testing, I could do some more experiments with it.