GPSHELL(1) 2.0.0 | GPShell Documentation

NAME

gpshell - command line tool for the management of GlobalPlatform compliant smart cards

SYNOPSIS

gpshell scriptfile

DESCRIPTION

gpshell can manage applications on smart cards supporting the GlobalPlatform. This comprises the installation and deletion of applications, getting the applications status and card data. These applications are practical always Java Card applets. Additional key management commands are provided.

The most common way to use gpshell is a script file. But it is also possible to read the commands from stdin if no script file is provided.

Reading the commands from stdin allows to feed in the commands dynamically and use conditionals when using the Expect pattern. Tools are available for a variety of script languages, shells and programming languages. Example are to support environment variables and handle results and output conditionally.

There are several txt example scripts provided which gets installed into usr/local/share/docs or /home/linuxbrew/.linuxbrew/opt/globalplatform/share/doc/gpshell1/ or can be found online.

COMMANDS

mode_201: Set protocol mode to OpenPlatform 2.0.1. This is the default.
mode_211: Set protocol mode to GlobalPlatform 2.1.1 and later
visa_key_derivation: For cards which use the VISA key derivation scheme for the key calculation, like GemXpresso Pro, Palmera Protect or some JCOP cards this must be set.
emv_cps11_key_derivation: For cards which uses the EMV CPS 1.1 key derivation scheme for the key calculation, like a Sm@rtCafe Expert 3.0 this must be set.
enable_trace: Enable APDU trace

You will see the sent APDUs in clear text. The last two bytes of the response are the response code. A response code of 9000 means success, otherwise the response code indicates an error. This may be OK when deleting a non existing applet or package.

enable_timer: Enable the logging of the execution times of commands.
establish_context: Establish context. This must always be executed before connecting to a card.
card_connect -reader readerName -protocol protocol: Connect to card in the reader with readerName. By default protocol is 0 = T0.
card_connect -readerNumber x -protocol protocol: Connect to card in the x th reader in the system. By default protocol is 0 = T0.
open_sc -keyind x -keyver x -key key -mac_key mac-key -enc_key enc-key -kek_key kek-key -security securityLevel -scp protocol -scpimpl impl -keyDerivation derivation: Open a secure channel

For OpenPlatform 2.0.1’ cards only -keyind -keyver -mac_key and -enc_key are necessary.

For GlobalPlatform 2.1.1 and later cards -scp and -scpimpl should not be necessary to supply. You must also specify -kek_key.

If the card supports a Secure Channel Protocol Implementation with only one base key, specify this key with -key and omit the others.

If the card uses a key derivation mechanism you must enable the derivation mode with the -keyDerivation option and you must specify with -key the master (mother) key. -kek_key, -mac_key and -enc_key are not relevant is this case. See the section Options and Key Derivation. NOTE: If the secure channel is going to be opened when no security domain is selected then the command get_secure_channel_protocol_details must be executed before to be able to get the Secure Channel Protocol Implementation.

select -AID AID: Select AID instance
install -file appletFile -priv privilege -sdAID sdAID -AID AIDInPkg -pkgAID packageAID -instAID instanceAID -nvCodeLimit x -nvDataLimit y: Load and installs an applet in one step

The parameters -AID -instAID -pkgAID -nvCodeLimit can be detected automatically and the -AID and -instAID is set to the first applet in appletfile.

For the sdAID the AID selected with the select command is chosen if not given. Otherwise the default Card Manager / Security Issuer Domain AID is chosen. Usually you do not have to pass it.

install_for_load -pkgAID packageAID -sdAID sdAID -nvCodeLimit y: Applet load preparation

For the sdAID the AID selected with the select command is chosen if not given. Otherwise the default Card Manager / Security Issuer Domain AID is chosen. Usually you do not have to pass it.

This command may be needed if the combined install command does not work.

load -file appletFile: Load applet

This command may be needed if the combined install command does not work.

install_for_install -priv privilege -AID AIDInPkg -pkgAID pkgAID -instAID instanceAID -nvDataLimit x: Instantiate applet

This command may be needed if the combined install command does not work. Or you want to install a pre-installed Security Domain.

card_disconnect: Disconnect card
get_status -element e0: List applets and packages and security domains
get_status -element 20: List packages
get_status -element 40: List applets or security domains
get_status -element 80: List Card Manager / Security Issuer Domain
release_context: Release context
put_sc_key -keyver keyver -newkeyver newkeyver -mac_key new_MAC_key -enc_key new_ENC_key -kek_key new_KEK_key: Add or replace a key set version

If a new key set version is to be added keyver must be set to 0. If keyver equals newkeyver an existing key version is replaced. An existing key set version cannot be replaced with a key set version using a different key size.

put_sc_key -keyver keyver -newkeyver newkeyver -key key -keyDerivation “derivation”: Replace key set version keyver using key derivation derivation using the master (mother) key y
put_dm_keys -keyver keyver -newkeyver newkeyver -file public_rsa_key_file -pass password -key new_receipt_generation_key: Add a RSA delegated management key in version newkeyver
send_apdu -sc 0 -APDU apdu: Send APDU apdu without secure channel

The APDU is given as hex without spaces and without leading 0x.

get_data -identifier identifier: A GET DATA command returning the data for the given identifier. See the identifier options for details.
get_key_information_templates -keyTemplate index: A GET DATA command returning the key information templates in the selected security domain. NOTE: The security domain must be selected and this only works outside of a secure channel.
get_extended_card_resources_information: A GET DATA command returning the extended card resources information in the issuer security domain. NOTE: The security domain must be selected and this only works outside of a secure channel.
get_secure_channel_protocol_details: A GET DATA command returning the secure channel protocol details and remembering them for a later open_sc. NOTE: The security domain must be selected and this only works outside of a secure channel.
install_for_personalization -aid AID: Prepare a security domain for the personalization of an applet with following store_data commands. NOTE: The security domain must be selected and this only works outside of a secure channel.
store_data -dataFormat format -dataEncryption encryption -data data: Executes a STORE DATA command passing the data to the selected applet.
get_card_recognition_data: A GET DATA command returning the card recognition data. NOTE: The security domain must be selected.
delete_key -keyver keyver -keyind keyind: Deletes a key set version with a DELETE command. If only the keyver is passed the complete key set version is deleted. By default keyind is 0xFF to delete the complete key set version. If keyver is 0 all key set with the passed keyind are deleted.

OPTIONS

-keyind x: Key index x

-keyver x Key set version x

-newkeyver x: New key set version x
-key key: Key value in hex
-mac_key key: MAC key value in hex
-enc_key key: ENC key value in hex
-kek_key key: KEK key value in hex
-security x: 0: clear, 1: MAC, 3: MAC+ENC, 51: MAC+ENC+R-MAC+E-ENC (SCP03 only), 19: MAC+ENC-R-MAC (SCP02+SCP03 only), 17: MAC+R-MAC (SCP02+SCP03 only)
-reader readerName: Smart card reader name
-readerNumber x: Number of the reader in the system to connect to. If -reader is given this is ignored.
-protocol x: Protocol, 0:T=0, 1:T=1 Should not be necessary to be stated explicitly.
-AID aid: Applet ID
-sdAID aid: Security Domain AID
-pkgAID aid: Package AID
-instAID aid: Instance AID
-nvCodeLimit x: Non-volatile code size limit
-nvDataLimit x: Non-volatile data size limit
-vDataLimit x: Volatile data size limit
-file name: File name
-instParam param: Installation parameter
-element x: Element type to be listed in hex

80 - Card Manager / Card Issuer Security Domain only.
40 - Applications (and Security Domains only in GP211 and later).
20 - Executable Load Files only.
10 - Executable Load Files and their Executable Modules only (Only GP211 and later)

-format x: Sets the format of the response of the get_status command. This is only used for GlobalPlatform cards and required and only needed if the default is not supported by the smart card.
-dataFormat x: Sets the data format flag for store_data command. Default 0.

0 - No general encryption information or non - encrypted data
0x20 - Application dependent encryption of the data
0x40 - RFU(encryption indicator)
0x60 - Encrypted data. Must be encrypted with data encryption key.

-dataEncryption x: Sets the encryption format flag for store_data command. Note that this is just a flag and the data must be passed already in the correct encryption. Default 0.

0 - No general data structure information
0x08 - DGI format of the command data field
0x10 - BER-TLV format of the command data field
0x18 - RFU (data structure information)

-responseDataExpected x: Sets if response data is expected for store_data command. 1 for expecting response data. Default 0.
-keyTemplate x: Sets the key template index to return for the get_key_templates command. Default 0.

0 - Deprecated format
2 - New format (default)

-sc x: Secure Channel mode (0 off, 1 on)
-APDU apdu: APDU to be sent. Must be in hex format, e.g. 80CA00CF00.
-priv x: Privilege. E.g. 0x04 Default Selected
-scp x: Secure Channel Protocol (1 SCP01, 2 SCP02, 3 SCP03, default no set). Should not be necessary to be stated explicitly.
-scpimpl x: Secure Channel Implementation (default not set) Should not be necessary to be stated explicitly. See the get_secure_channel_protocol_details command to detect the Secure Channel Protocol Implementation.
-pass password: Password for key decryption
-identifier identifier: Identifier for the tag for the get_data command. Must be in hex format, e.g. 9F7F.

There are several identifiers available but in general not all cards are supporting them. The GlobalPlatform specification v2.3.1 lists a few in section 11.3.3.1. It is useful to use some ASN.1 parser to interpret these data, like asn1js

Some useful identifier are:

9F7F - CPLC (Card Production Life Cycle) Data
00E0 - Key Information Templates. Instead of the first byte 00 also 01, … can be used to get more key information templates if available. There is a dedicated command for getting this: get_key_information_templates
2F00 - List of applications
FF21 - Extended card resources. There is a dedicated command for getting this: get_extended_card_resources_information
0066 - Card Recogniti0on Data. There is a dedicated command for getting this: get_card_recognition_data

-data data: Data in hex format for the store_data command.
-noStop: Does not stop in case of an error

Format of CPLC data

You see the command trace of a GET DATA command and the interpreted result.

=> 80 CA 9F 7F 00 .....
(12102 usec)
<= 9F 7F 2A 47 90 50 40 47 91 81 02 31 00 83 58 00 ..*G.P@G...1..X.
11 68 91 45 81 48 12 83 65 00 00 00 00 01 2F 31 .h.E.H..e...../1
30 31 31 36 38 00 00 00 00 00 00 00 00 90 00 01168..........
Status: No Error
IC Fabricator : 4790
IC Type : 5040
Operating System ID : 4791
Operating System release date : 8102 (11.4.2008)
Operating System release level : 3100
IC Fabrication Date : 8358 (23.12.2008)
IC Serial Number : 00116891
IC Batch Identifier : 4581
IC Module Fabricator : 4812
IC Module Packaging Date : 8365 (30.12.2008)
ICC Manufacturer : 0000
IC Embedding Date : 0000
IC Pre-Personalizer : 012F
IC Pre-Perso. Equipment Date : 3130 (10.5.2003)
IC Pre-Perso. Equipment ID : 31313638
IC Personalizer : 0000
IC Personalization Date : 0000
IC Perso. Equipment ID : 00000000

Dates are stored as 2 bytes, the first specifying the year in the decade and the last 3 bytes the day within the year.

-keyDerivation derivation method: Possible values are none, visa2 or emvcps11

Choose visa2 if you have a card which uses the VISA key derivation scheme for the key calculation, like GemXpresso Pro or some JCOP cards you must set this.

Choose emvcps11 If you have a card which uses the EMV CPS 1.1 key derivation scheme for the key calculation, like a Sm@rtCafe Expert 3.0 and later you must set this. Also for put_sc_key this is necessary for Sm@rtcafe 5.0 (and earlier(?)) cards

ENVIRONMENT

GLOBALPLATFORM_DEBUG: Enables debugging output from the underlying GlobalPlatform library.
GLOBALPLATFORM_LOGFILE: Sets the log file name for the debugging output.

Key Derivation

visa2: For the VISA2 key derivation scheme, like used in a GemXpresso Pro or some JCOP cards.
emvcps11: For the key derivation according to EMV CPS 1.1 (CDK (CPG 2.04)), like Sm@rtCafe Expert 3.0 and later.

Known unsupported key derivation schemes are:

CDK (CPG 2.02)
ISK(D)

Tested Cards

Gemalto IDCore 3010
Oberthur CosmopoliC 32K (OP201)
CosmopoliC 64K V5.2 (GP211, SCP01, Impl05)
Axalto Cyberflex e-gate 32k (OP201)
GemXpresso R3.2 E64
IBM JCOP v2.2 41 (GP211)
IBM JCOP 31 (36k)
Palmera Protect V5
JTopV15
Nokia 6131 NFC Phone (GP211)
Axalto Cyberflex Access 64k
Gemalto Generations Flexible
Sm@rtCafe Expert 3.0
Tongfang420

Misc

About install_for_load and install

For CosmopoliC 64K (tested on V5.2), you need to specify the Security Domain AID. For example,

install -file helloworld.cap -sdAID A000000003000000 -nvCodeLimit 4000

For GemXpresso R3.2 E64, you need to specify the Security Domain AID (Card Manager AID). For example,

install -file helloworld.cap -sdAID A000000018434D00 -nvCodeLimit 4000

JCOP cards

If you cannot authenticate to your card it might be not fused. In this case you need the transport key from the vendor. Execute the JCOP IDENTIFY command.

select -aid A000000167413000FF Offset 14 (decimal) of the response has the pre-personalized state. 00h is not fused (not personalized), 01h is fused.

CyberFlex cards

For the Cyberflex you also need the CAP transformer (I believe this is a kind of obfuscator) which you must apply to the CAP file. Download it from http://www.trusted-logic.fr/down.php and use it.

BUGS

JCOP 10: install_for_load fails for unknown reason, so nothing can be installed.

Some cards are not supporting the GET DATA command. This command is used by GPShell for retrieving the secure channel parameters. So you have to pass -scp 2 -scpimpl 0x15 to open_sc command.

AUTHOR

Karsten Ohme k_o_@users.sourceforge.net Snit Mo snitmo@gmail.com

See the file AUTHORS for a complete list.