Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SCP02: extended length APDUs cause an IllegalArgumentException #318

Open
max-lb opened this issue Jun 14, 2023 · 4 comments
Open

SCP02: extended length APDUs cause an IllegalArgumentException #318

max-lb opened this issue Jun 14, 2023 · 4 comments

Comments

@max-lb
Copy link

max-lb commented Jun 14, 2023

With SCP02, trying to send an extended length APDU (> 255 bytes) with GPSession.transmit() always results in IllegalArgumentException:

java.lang.IllegalArgumentException: Invalid APDU: length=261, b1=0, b2||b3=55810
        at apdu4j.CommandAPDU.parse(CommandAPDU.java:337)
        at apdu4j.CommandAPDU.<init>(CommandAPDU.java:92)
        at pro.javacard.gp.SCP02Wrapper.wrap(SCP02Wrapper.java:163)
        at pro.javacard.gp.GPSession.transmit(GPSession.java:514)

With SCP03 everything works fine.

It appears, that the SCP02Wrapper doesn't know how to deal with 3-byte lenghts (Nc) in APDUs. Both when composing a partial APDU for the MAC calculation, and when composing the final APDU, it does this:

            // Construct new APDU
            t.write(newCLA);
            t.write(origINS);
            t.write(origP1);
            t.write(origP2);
            if (newLc > 0) {
                t.write(newLc);            // <-- this works only with single-byte lengths
                t.write(newData);
            }

The code in SCP03Wrapper is aware of extended lengths:

                bo.write(command.getINS());
                bo.write(command.getP1());
                bo.write(command.getP2());
                bo.write(GPUtils.encodeLcLength(lc, command.getNe()));    // <-- encodes Lc properly
                bo.write(data);

Is there a reason to not support extended length APDUs with SCP02?
@martinpaljak
Copy link
Owner

Not really, other than GP explicitly declaring that all commands being not extended and SCP02 being obsolete as well. As this is supposedly not going to a card manager (which, as said, explicitly requires short apdu-s as per 11.1.5 APDU Message and Data Length) it would require support from on-card SecureChannel.unwrap().

Which card are you using, to be able to test it?

@max-lb
Copy link
Author

max-lb commented Jun 20, 2023

You are right - it's not with the card manager. We are communicating with one particular applet, which requires using extended APDUs.

The cards are NXP P71 with JCOP4. Do you need some specific details?

@martinpaljak
Copy link
Owner

That's a card that does SCP03 just fine - why on earth are you using SCP02 these days? :)

@max-lb
Copy link
Author

max-lb commented Jun 20, 2023

Most of them do work with SCP03 just fine... Unfortunately we've got some cards that come pre-personalized and "locked" to SCP02 (and we can't change this :( ).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@martinpaljak @max-lb