-
-
Notifications
You must be signed in to change notification settings - Fork 212
Lifecycle management
GlobalPlatformPro focuses on application management during development stage, but it is also a Swiss army knife for card lifecycle management.
Most of the preparations should be done in OP_READY state. The exact difference between OP_READY
and INITIALIZED
is not precisely defined and depends on specific cards and vendors. Features of the card, management keys and supplementary security domains should be fixed in this stage.
Use $ gp -i
(failsafe) and $ gp -lv
(requires keys) to get an overview of the card, before continuing.
NB! Some of these operations are only available ONCE and are irreversible!
Please note that not all features are available with all cards and actual usage restrictions vary depending on the card.
$ gp -i
shows CPLC information, if present on the card (only missing on older and some Chinese cards).
...
ICPrePersonalizer=0000
ICPrePersonalizationEquipmentDate=0000 (2010-01-01)
ICPrePersonalizationEquipmentID=00000000
ICPersonalizer=0000
ICPersonalizationDate=0000 (2010-01-01)
ICPersonalizationEquipmentID=00000000
The date format is not universally and reliably defined. To set the Pre-Personalization information, use $ gp -set-pre-perso XXXXXXXXXXXXXXXX
. To set Peronalization information, use $ gp -set-perso XXXXXXXXXXXXXXXX
. To automagically set the date portion (bytes on position 3 and 4) to current date, specify -today
.
$ gp -set-pre-perso 1111111111111111 -set-perso 2222222222222222 -today
would give as a result:
...
ICPrePersonalizer=1111
ICPrePersonalizationEquipmentDate=8075 (2018-03-16)
ICPrePersonalizationEquipmentID=11111111
ICPersonalizer=2222
ICPersonalizationDate=8075 (2018-03-16)
ICPersonalizationEquipmentID=22222222
NB! On some cards this can only be done ONCE!
The standard AID for Issuer Security Domain is A000000151000000
(or A000000003000000
on older cards). Actual AID can be checked with $ gp -l
:
ISD: A000000003000000 (OP_READY)
Privs: SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement
...
This can be changed with $ gp -rename-isd XXXXXXXXXXXX
:
$ gp -l
ISD: A000000151000000 (INITIALIZED)
Privs: SecurityDomain, CardLock, CardTerminate, CardReset, ...
...
$ gp -rename-isd 112233445566
$ gp -l
ISD: 112233445566 (INITIALIZED)
Privs: SecurityDomain, CardLock, CardTerminate, CardReset, ...
...
Tip: do not change the ISD AID unless you know what and why.
Once preparations are done and before the card is put into use, it should be set to SECURED
state. The transition is OP_READY
-> INITIALIZED
-> SECURED
. This transition path is irreversible. To transition the card to INITIALIZED
state, use $ gp -initialize-card
. To transition the card to SECURED
state, use $ gp -secure-card
. You can automatically transition to SECURED
from whatever previous state by using force with -f
.
Note: some cards or card applications have restrictions based on current card state. For example, allowing certain initialization or personalization steps only in
INITIALIZED
state or refusing to execute certain functions normally unless the card is inSECURED
state.
This is the normal state of the card, once the card has been issued.
Administrator, the card itself or an application (with the CardLock
privilege) on the card can transition the card to CARD_LOCKED
state. To do this manually, use $ gp -lock-card
. If this has happened and the card should be unlocked, use $ gp -unlock-card
to transition the card back to the SECURED
state.
Similarly, an application can become LOCKED
if the administrator or card or the application itself decides so. To do this manually, use $ gp -lock-applet XXXXXXXXXXXX
. Use $ gp -unlock-applet XXXXXXXXXXXX
to transition the application back to whatever state it was before coming LOCKED
javacard.pro - custom JavaCard applet development services · Editing locked due to malicious SPAM, sorry :(
Basic usage
- Getting Started
- Support GlobalPlatformPro development
- Glossary
- Environment variables
- Keys
- Secure Channel Establishment
- Application management
- Frequently Asked Questions
- Support & Questions
Advanced topics
- Lifecycle management
- Supplementary security domains
- DAP Verification
- Delegated management & receipts
- PACE
Development
JavaCard ecosystem