Unsupported framework produces unhelpful error message

[elipsion]

Describe the bug

When trying to load an applet built with a too recent version of GlobalPlatform, gp produces a less-than-stellar error message.

Information about your card

https://www.cardlogix.com/product/nxp-jcop3-j2h145-java-card-145k/

Expected behavior

Unsupported Framework

Full log

Using GPv1.7

PS C:\source\repos\IsoApplet> java -jar gp.jar -r "ACS APG8201-B2 0" --install .\IsoApplet.cap -v
GlobalPlatformPro v20.01.23-0-g5ad373b
Running on Windows 10 10.0 amd64, Java 11.0.8 by AdoptOpenJDK
Reader: ACS APG8201-B2 0
ATR: 3BDC18FF8191FE1FC38073C821136605036351000250
More information about your card:
    http://smartcard-atr.appspot.com/parse?ATR=3BDC18FF8191FE1FC38073C821136605036351000250

[DEBUG] GPSession - Auto-detected ISD: A000000151000000
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[INFO] GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
[DEBUG] GPSession - Host challenge: 3CA14CAD6E40FEA1
[DEBUG] GPSession - Card challenge: 0004C7693B4FBA61
[DEBUG] GPSession - Card reports SCP02 with key version 255 (0xFF)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[INFO] GPSession - Session keys: ENC=A9875ADFB0F8402FB6F7DBF7F75FFAFA MAC=C8F6243ECF0DF436AF901514F65C7EF9 RMAC=D4DE6363159EBD4F89F99EF9ED7D5EF6, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[DEBUG] GPSession - Verified card cryptogram: A705CAA7028F7416
[DEBUG] GPSession - Calculated host cryptogram: 047AFEB30986A3AE
CAP file (v2.1), contains: applets for JavaCard 3.0.4/GlobalPlatform unknown: 1.7
Package: net.pwendland.javacard.pki.isoapplet F276A288BCFBA69D34F310 v1.0
Applet:  net.pwendland.javacard.pki.isoapplet.IsoApplet F276A288BCFBA69D34F31001
Import:  A0000000620001                   v1.0 java.lang
Import:  A0000000620101                   v1.5 javacard.framework
Import:  A0000000620209                   v1.0 javacardx.apdu
Import:  A0000000620102                   v1.5 javacard.security
Import:  A0000000620201                   v1.5 javacardx.crypto
Import:  A00000015100                     v1.7 org.globalplatform
Generated by Oracle Corporation converter  [v3.0.5]
On Thu Aug 06 10:02:06 CEST 2020 with JDK 11.0.8 (AdoptOpenJDK)
Code size 19452 bytes (22171 with debug)
SHA-256 bb45e6eb25a69eb300af496421dac3ffdcba904d57c0eb0c384077f0ee8c6bc7
SHA-1   b240496a8f9746446f74cbe5f9872769e9105ffa
[DEBUG] GPRegistry - Registry already contains PKG: A0000001515350, 1
LOAD failed: 0x6438
PS C:\source\repos\IsoApplet>

Using GPv1.5 (aka 2.2.1)

PS C:\source\repos\IsoApplet> java -jar gp.jar -r "ACS APG8201-B2 0" --install .\IsoApplet.cap -v
GlobalPlatformPro v20.01.23-0-g5ad373b
Running on Windows 10 10.0 amd64, Java 11.0.8 by AdoptOpenJDK
Reader: ACS APG8201-B2 0
ATR: 3BDC18FF8191FE1FC38073C821136605036351000250
More information about your card:
    http://smartcard-atr.appspot.com/parse?ATR=3BDC18FF8191FE1FC38073C821136605036351000250

[DEBUG] GPSession - Auto-detected ISD: A000000151000000
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[INFO] GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
[DEBUG] GPSession - Host challenge: 44DEF1DA12141A2C
[DEBUG] GPSession - Card challenge: 0005CE8E67158589
[DEBUG] GPSession - Card reports SCP02 with key version 255 (0xFF)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[INFO] GPSession - Session keys: ENC=114E70DD9FDAB543CE3BFCFD4C8531B8 MAC=9BC7F172011D9C5D5758BBA497E7B9E6 RMAC=F71D1EDB05931C7C007AA23F7E44F4DE, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[DEBUG] GPSession - Verified card cryptogram: 923CAB8A25119DBE
[DEBUG] GPSession - Calculated host cryptogram: 9D2C297F1DF1C365
CAP file (v2.1), contains: applets for JavaCard 3.0.4/GlobalPlatform 2.2.1
Package: net.pwendland.javacard.pki.isoapplet F276A288BCFBA69D34F310 v1.0
Applet:  net.pwendland.javacard.pki.isoapplet.IsoApplet F276A288BCFBA69D34F31001
Import:  A0000000620001                   v1.0 java.lang
Import:  A0000000620101                   v1.5 javacard.framework
Import:  A0000000620209                   v1.0 javacardx.apdu
Import:  A0000000620102                   v1.5 javacard.security
Import:  A0000000620201                   v1.5 javacardx.crypto
Import:  A00000015100                     v1.5 org.globalplatform
Generated by Oracle Corporation converter  [v3.0.5]
On Thu Aug 06 10:47:59 CEST 2020 with JDK 11.0.8 (AdoptOpenJDK)
Code size 19452 bytes (22171 with debug)
SHA-256 4ca60f25b44e8d9583e2c1c83b66934088d9ebb55d5d2daebc8f626cf7f74d52
SHA-1   8482c2e8bfa1fb48d2af6cc7e7c9ac3d0b057ed1
[DEBUG] GPRegistry - Registry already contains PKG: A0000001515350, 1
CAP loaded
[DEBUG] GPRegistry - Registry already contains PKG: A0000001515350, 1
[DEBUG] GPRegistry - Registry already contains PKG: F276A288BCFBA69D34F310, 1
PS C:\source\repos\IsoApplet>

Additional context

Full APDU-dump available upon request :)

[martinpaljak]

1. The only message here is the rightful CAP file (v2.1), contains: applets for JavaCard 3.0.4/GlobalPlatform unknown: 1.7 Where do you get the export files of GlobalPlatform with such version?
2. The error from the card (0x6438) is unknown to me. Yet the half-baked feature of card profiles could accommodate custom SW-message mappings, but those will by no means be "definitive", just might assist.

Please explain which error message would you like to get changed (and if possible, run sample logs "next" branch)

[elipsion]

Ah, look at that. It's only visible in the verbose output, and not indicative of whether the card will accept the software or not.
I just downloaded the most recent version from their webpage, since I hadn't found your repository yet.

I wonder if the supported frameworks can be gleaned from the package list on the card:

PS C:\source\repos\IsoApplet> java -jar gp.jar -r "ACS APG8201-B2 0" -l -v
GlobalPlatformPro v20.01.23-0-g5ad373b
Running on Windows 10 10.0 amd64, Java 11.0.8 by AdoptOpenJDK
Reader: ACS APG8201-B2 0
ATR: 3BDC18FF8191FE1FC38073C821136605036351000250
More information about your card:
    http://smartcard-atr.appspot.com/parse?ATR=3BDC18FF8191FE1FC38073C821136605036351000250

[DEBUG] GPSession - Auto-detected ISD: A000000151000000
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[WARN] PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[INFO] GPSession - Using card master keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for null
[DEBUG] GPSession - Host challenge: E7950C0AC481846A
[DEBUG] GPSession - Card challenge: 0016817262FE5F90
[DEBUG] GPSession - Card reports SCP02 with key version 255 (0xFF)
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[INFO] GPSession - Session keys: ENC=77A3C15AB440E2651B32577DB6C27505 MAC=303BB82519C6D717D86F391C506F852F RMAC=736B318928C93BEFAA58DCC4411D6142, card keys=ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
[DEBUG] GPSession - Verified card cryptogram: 63C239DCD28DCAE6
[DEBUG] GPSession - Calculated host cryptogram: 541D0829CF0EE947
[DEBUG] GPRegistry - Registry already contains PKG: A0000001515350, 1
ISD: A000000151000000 (SECURED)
     Parent:  A000000151000000
     From:    A0000000620001
     Privs:   SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration

PKG: A0000001515350 (LOADED) (|....QSP|)
     Applet:  A000000151535041 (|....QSPA|)

PS C:\source\repos\IsoApplet>

In this case the error (probably) was the card rejecting a too recent library, but I don't know how specific the error code is and therefore not sure about how specific the associated message should be (Unsupported plattform version vs. Card no like package). But something about the software being actively rejected is probably a good start.

[martinpaljak]

• Did not know there's a new version of GP export files. Will add it (so that it would not be "unknown") in next release of capfile (and thus gppro). I doubt cards which support it would be publicly available any time this year. Building a sane javacard applet is not directly related to gppro, which just tries to load what you provide.
• The status from the card for this failing load command is proprietary (not described in GP specs, probably proprietary to the vendor/chip/version) so I can't really associate it with any message, unless you refer to some (public) documentation.
• There could be a myriad of other reasons why a command fails. While GPPro tries to give some (definitely not all) helpful hints on what could be wrong, there is no separate goal of trying to do the analysis for the user (with access to specific card documentation and best knowledge of the configuration settings of the card and its platform)
• Therefore, could you be more specific in what should be changed? As this is a UX issue, if possible, please run the command with either the latest pre-release (known to be buggy at this point) or if possible, the next branch, and indicate the output you'd like to be changed, given the constraints.

[elipsion]

I don't have any strong feelings in the matter; and since the error is proprietary I can totally agree that it's outside of the scope for this project to have a pretty textual waring for it.

From a UI/UX perspective; the error message could be clearer about that the error (in this case 0x6438) is something that was given to gp from the card/underlying driver stack, rather than something emitted from within gp itself.

[martinpaljak]

That sw-s come from the device should be prior knowledge of anyone working with gp. But working on the ux to make such messages clearer and better positioned would probably not hurt. Suggestions as CLI mockups would help!

[martinpaljak]

I consider this specific issue fixed by 338e53b