
Why does Javacard prevent uploading .cap files of a single javacard program that differ in AID?

This is a simple javacard program (it does nothing!):

package testAID;

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISOException;

public class TestAID extends Applet {

    private TestAID() {
    }

    public static void install(byte bArray[], short bOffset, byte bLength)
            throws ISOException {
        new TestAID().register();
    }

    public void process(APDU arg0) throws ISOException {
        // TODO Auto-generated method stub
    }

}

I converted it to three .cap files with different AIDs, as follows:

  1. File A: PkgAID= 0000000000 & AppAID= 000000000011
  2. File B: PkgAID= 0000000000 & AppAID= 000000000022
  3. File C: PkgAID= 000000000011 & AppAID= 00000000001111

As you see above, File A and File B are different only in AppAID, and the AppAID of File C is equal to the AppAID of File A.

Now I want to upload these files to my NXP JCOP v2.4.2 r3 smart card. First of all, let's see the contents:

GP: gp -list
AID: A000000151000000 (|....Q...|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
 CVM (PIN) management

AID: A0000001515350 (|....QSP|)
     ExM LOADED: (none)
     A000000151535041 (|....QSPA|)  

GP: 

OK, there is only the SD.

Step 1: Installing File A:

GP: gp -install e:\TestAID\FileA.cap

GP: gp -list
AID: A000000151000000 (|....Q...|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
 CVM (PIN) management

AID: 000000000011 (|......|)
     App SELECTABLE: (none)

AID: A0000001515350 (|....QSP|)
     ExM LOADED: (none)
     A000000151535041 (|....QSPA|)

AID: 0000000000 (|.....|)
     ExM LOADED: (none)
     000000000011 (|......|)

Successfully completed.

Step 2: Installing File B:

GP: gp -install e:\TestAID\FileB.cap
openkms.gp.GPException: STRICT WARNING: Package with AID 0000000000 is already p
resent on card
        at openkms.gp.GlobalPlatform.printStrictWarning(GlobalPlatform.java:159)

        at openkms.gp.GlobalPlatform.loadCapFile(GlobalPlatform.java:572)
        at openkms.gp.GlobalPlatform.loadCapFile(GlobalPlatform.java:565)
        at openkms.gp.GPTool.main(GPTool.java:330)

GP: gp -list
AID: A000000151000000 (|....Q...|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
 CVM (PIN) management

AID: 000000000011 (|......|)
     App SELECTABLE: (none)

AID: A0000001515350 (|....QSP|)
     ExM LOADED: (none)
     A000000151535041 (|....QSPA|)

AID: 0000000000 (|.....|)
     ExM LOADED: (none)
     000000000011 (|......|)

Installation failed. The gp -list command returns the same results as before.

Step 3: Installing File C:

GP: gp -install e:\TestAID\FileC.cap
openkms.gp.GPException: STRICT WARNING: Package with AID 000000000011 is already
 present on card
        at openkms.gp.GlobalPlatform.printStrictWarning(GlobalPlatform.java:159)

        at openkms.gp.GlobalPlatform.loadCapFile(GlobalPlatform.java:572)
        at openkms.gp.GlobalPlatform.loadCapFile(GlobalPlatform.java:565)
        at openkms.gp.GPTool.main(GPTool.java:330)

GP: gp -list
AID: A000000151000000 (|....Q...|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
 CVM (PIN) management

AID: 000000000011 (|......|)
     App SELECTABLE: (none)

AID: A0000001515350 (|....QSP|)
     ExM LOADED: (none)
     A000000151535041 (|....QSPA|)

AID: 0000000000 (|.....|)
     ExM LOADED: (none)
     000000000011 (|......|)

Installation failed again, and the gp -list command returns the same results as before.

Questions:

1- What is the origin of the first error? Is it illegal to upload two .cap files that differ in AID and have an equal PkgAID in two steps?

2- What is the origin of the second error? It returns that

Package with AID 000000000011 is already present on card

But there is not! It is an applet AID, not a Package AID.

3- Is it gp that prevents installing these applets, or is the origin of the error the JCRE?


As I thought it was the GP tool that limited me in installing, I also tried JCManager. The results are different!

First of all I deleted everything except the SD:

GP: gp -list
AID: A000000151000000 (|....Q...|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
 CVM (PIN) management

AID: A0000001515350 (|....QSP|)
     ExM LOADED: (none)
     A000000151535041 (|....QSPA|)

GP:

Then I repeated the same steps using JCManager:

Step 1: Installing File A:

....[Authenitication Procedure]...

Authenticated
************
UplaodCAP
*************
Get AID from header.cap file
FOR LOAD DATA: EF 04 C6 02 F4
AID:00 00 00 00 00
Applet AID:00 00 00 00 00 11
Try to delete if existing...
-> 84 E4 00 00 18 6D C3 FF 8F 54 97 BD 96 CC 57 91 5E 9F 2A 67 B9 8E 98 BA 6B 99 27 27 FB
<- 6A 88
-> 84 E4 00 00 10 43 CC 7D DB 96 C3 29 FD 31 A1 96 7E DE D8 4F 29
<- 6A 88
Loading cap file. Please wait...
Install for Load
-> 84 E6 02 00 18 52 4F 5C 69 37 7A 85 E4 57 D8 86 C8 EC 44 28 51 06 38 6C 14 BA 52 1B 1B
<- 00 90 00
Load CAP
-> 84 E8 00 00 D8 9A 2C 89 B4 2D F8 81 15 A9 CD 27 A0 61 9B ED 5A 4C B5 77 F6 EF 3C 54 9F ED BB E0 BC 9E 2D 41 A8 7E DA DA 64 7F 72 97 BF D6 55 3B E0 7C 50 86 90 42 BC 16 06 B3 5C 89 26 BF 3E 79 75 F8 A4 2D 5E 60 39 D2 B3 9C 69 C8 E7 06 02 AA 24 09 70 F6 52 7A 9E 1E F9 A7 2E 3E AD AF A0 41 EE 39 92 0D 7A 4B AA CC 2F 69 E7 2A A5 85 45 A1 80 DA 35 C7 5B A6 D5 CC 22 B5 32 D7 D2 91 1E C6 ED 9C 67 D9 33 18 B9 DA 00 06 DE 89 DC 24 A6 6D 32 9A BC 93 E4 4D 4A 73 E5 2E D0 A5 4B EF 22 21 C3 B5 61 47 7A FC 8A 55 E0 70 39 C9 8D AD D1 A7 E1 B3 7F 7E F3 E6 3A 13 EC 7B 3B 20 85 7C 3D B1 A1 4B FA EE B9 02 7D 94 BE 7C 3D 88 E1 9A 4A 32 55 23 6E 83 2B 2E 9C A8 1E A5 6B E6 C1
<- 00 90 00
-> 84 E8 80 01 38 BE 83 33 E7 A7 7E 99 59 B7 C9 A2 05 2E A3 35 0E 92 A4 47 CB C4 C5 73 F0 AD A1 1B 23 04 EC EE D1 A6 83 B4 B5 85 91 C4 C5 9C 3F 3A D9 A8 8B 0F 32 F2 1C 48 A7 FC C0 4E 28
<- 00 90 00
-> 84 E6 0C 00 28 0B 9A 13 70 1F 55 53 72 F9 B0 C4 20 62 B3 43 6D 11 C2 7D 68 8B 68 54 51 BC 0D 31 CB 13 42 CC DD D4 02 02 D2 7A 46 56 7A
<- 00 90 00
Applet loaded & registered

Result:

GP: gp -list
AID: A000000151000000 (|....Q...|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
 CVM (PIN) management

AID: 000000000011 (|......|)
     App SELECTABLE: (none)

AID: A0000001515350 (|....QSP|)
     ExM LOADED: (none)
     A000000151535041 (|....QSPA|)

AID: 0000000000 (|.....|)
     ExM LOADED: (none)
     000000000011 (|......|)

GP:

As you see above, it completed successfully, like with GP.

Step 2: Installing File B:

....[Authenitication Procedure]...
Authenticated
************
UplaodCAP
*************
Get AID from header.cap file
FOR LOAD DATA: EF 04 C6 02 F4
AID:00 00 00 00 00
Applet AID:00 00 00 00 00 22
Try to delete if existing...
-> 84 E4 00 00 18 29 1D 33 74 43 25 B0 AE 43 BE C4 9F 57 6A 43 3F 12 9B 23 09 F2 61 D1 95
<- 6A 88
-> 84 E4 00 00 10 6F 88 E7 64 AB 0F 04 0E EA F6 D4 80 C0 40 9D 00
<- 69 85
Loading cap file. Please wait...
Install for Load
-> 84 E6 02 00 18 1C CF 09 73 5D 1F FC 06 8F 3A DA 4D 3F 9E 1E 64 72 14 56 1D 25 44 A3 10
<- 69 85
Load CAP
-> 84 E8 00 00 D8 7A 2B 5B 1B 05 C3 D4 E3 DF 4D 1A DE 47 DD FA F9 3A A4 91 28 9F 3D 8D A4 D1 89 87 24 95 65 5A 60 C4 CD ED 41 81 99 D3 71 20 C5 CC 65 7E DB 79 21 FB 56 0D 93 2B 4F 12 28 A3 26 D0 88 16 14 26 96 AA CE C3 97 0A FE 1E 81 8C 84 AE 56 9E 68 01 26 78 AE 8E 88 99 11 67 C0 E7 CA A2 44 72 7A 77 1F 08 7C 74 07 45 5B 38 E4 9B 45 58 6F 61 7A 79 BC AD 58 71 4F D6 D6 0E 15 B8 16 CA 7F 37 5F B0 5C A4 AB 1F 0D 3C 25 81 E4 E0 21 6F B7 E5 AA 17 97 C3 4E 2A 82 87 DB A8 5E 84 C7 70 20 FF C9 CB 21 BA 36 73 15 3F 48 50 D7 C4 16 A4 BA A1 D6 7A 67 3A 9A 15 8C 63 7A 3A 22 97 D4 71 05 3B 3C 2D 3D 60 61 48 1F 3F 40 0C 04 4A 25 E7 FB 2F E6 CB 6E 0E 2A 5E 9A D0 64 7E 98
<- 69 85
-> 84 E6 0C 00 28 D7 ED 13 DB 14 E1 7B 46 1E 25 77 27 BB 12 D5 B5 3A 2D 53 C3 7C 81 9D 50 6F 96 45 DD 12 B8 FB 8B 48 1C 39 5F 53 4B 1E 88
<- 6A 88
Could not load applet. See debug for more info

Result:

GP: gp -list
AID: A000000151000000 (|....Q...|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
 CVM (PIN) management

AID: 000000000011 (|......|)
     App SELECTABLE: (none)

AID: A0000001515350 (|....QSP|)
     ExM LOADED: (none)
     A000000151535041 (|....QSPA|)

AID: 0000000000 (|.....|)
     ExM LOADED: (none)
     000000000011 (|......|)

GP:

It is also just like step 2 of GP.

But take a look at step 3:

Step 3: Installing File C:

Authenticated
************
UplaodCAP
*************
Get AID from header.cap file
FOR LOAD DATA: EF 04 C6 02 F6
AID:00 00 00 00 00 11
Applet AID:00 00 00 00 00 11 11
Try to delete if existing...
-> 84 E4 00 00 18 21 3A 7F DF 3A D3 00 31 B9 42 AD 6C 9A D0 0E EF D7 7F CD 16 54 E2 B8 9E
<- 6A 88
-> 84 E4 00 00 18 F6 B6 22 BB 64 BE B7 1D CF 71 E2 15 6E 18 E3 A7 20 51 B1 6A 29 1E BF 6C
<- 00 90 00
Loading cap file. Please wait...
Install for Load
-> 84 E6 02 00 18 C0 68 EE 33 BE E0 34 72 2C 8A 36 51 44 39 A1 A7 AC DF E2 11 BE B6 D4 3F
<- 69 85
Load CAP
-> 84 E8 00 00 D8 5B 5F 71 2E C2 B6 9A 11 90 33 F8 58 8D 5E 88 02 98 55 55 F0 B2 42 74 BA 40 ED 61 31 35 33 1D 5A 07 37 F5 D0 AF 5C A8 45 39 EE 4B B6 FF 32 D8 68 EC 81 24 6B 91 CE 12 34 0F FF B3 B0 C2 F3 E8 24 5B 2C 3D B4 91 8F 3F 06 15 DF C8 F3 4D 04 FD 09 D4 EA 67 4C 0C E7 70 11 24 28 0F 74 46 C8 A4 85 8F 5A 36 8E 03 26 FC 60 7C AE 28 2F 28 4F 9F 58 C1 59 29 A8 CF 9D 9F B8 AA 75 9D B2 B6 65 C1 63 1E 31 80 F8 38 1B FF 82 6D B9 78 44 B9 C7 35 67 03 6D 08 67 D4 B3 B5 48 3E 6C AD 41 C0 07 E6 54 CD DF 93 BC 1E 76 52 E1 4B 60 14 55 81 63 FD CA E4 6D 4F 5E ED 02 FA 67 0E 78 F0 57 B9 51 78 8D 1B BD 7D 8D DC EF 9C E0 93 F2 77 9F 80 0D 1E FD 4F 84 72 36 8D 76 2A B1
<- 69 85
-> 84 E6 0C 00 28 4B 38 10 41 D2 77 D3 B5 25 BD EB BD 55 A9 F0 1D 18 CD 76 CD 68 19 FC E2 52 3B 5B 38 11 1D 71 6F DF 53 7C 26 24 CF 48 08
<- 6A 88
Could not load applet. See debug for more info

Result:

GP: gp -list
AID: A000000151000000 (|....Q...|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
 CVM (PIN) management

AID: A0000001515350 (|....QSP|)
     ExM LOADED: (none)
     A000000151535041 (|....QSPA|)

AID: 0000000000 (|.....|)
     ExM LOADED: (none)
     000000000011 (|......|)

GP:

Did you see? JCManager deleted one of the installed applets, but it can't upload File C!

In this case, I tried to install File C with GP, but I received a new error, not a repeated PkgAID or ...:

GP: gp -install e:\TestAID\FileC.cap
openkms.gp.GPException: Install for Load failed SW: 6985
        at openkms.gp.GlobalPlatform.check(GlobalPlatform.java:924)
        at openkms.gp.GlobalPlatform.loadCapFile(GlobalPlatform.java:600)
        at openkms.gp.GlobalPlatform.loadCapFile(GlobalPlatform.java:565)
        at openkms.gp.GPTool.main(GPTool.java:330)

GP:

Can anyone shed any light on this issue?

What is the meaning of the status words that JCManager returns in case of errors?

Again, I asked more than one question in a single post, but I think these questions are chained to each other, and I couldn't break them into three or four posts!

1- What is the origin of the first error? Is it illegal to upload two .cap files that differ in AID and have an equal PkgAID in two steps?

Yes. You have uploaded that package. Therefore, it is forbidden to upload the same package again. Here, you have two options:

  1. Directly instantiate the AppAID=000000000022
  2. Delete the package, then install it again (assuming you want to install an updated package)

2- What is the origin of the second error? It returns that Package with AID 000000000011 is already present on card. But there is not! It is an applet AID, not a Package AID.

Quoting from JavaCard222VMspec.pdf section 4.2, with the answer highlighted in bold:

Each applet installed on a Java Card technology enabled device must also have a unique AID. This AID is constructed similarly to a package AID. It is a concatenation of the applet provider's RID and PIX for that applet. An applet AID must not have the same value as the AID of any package or the AID of any other applet. The RID of each applet in a package must be the same as the RID of the package.

3- Is it gp that prevents installing these applets, or is the origin of the error the JCRE?

It is not an error. Instead, the JCRE must be implemented that way. Please refer to JavaCard222JCREspec.pdf section 11.1.5, Installer Behavior. Quoting from it:

The Java Card RE shall guarantee that an applet will not be deemed successfully installed in the following cases:

  • The applet package as identified by the package AID is already resident on the card.
  • The applet package contains an applet with the same Java Card platform name as that of another applet already resident on the card. The Java Card platform name of an applet identified by the AID item is described in Section 6.5 of the Virtual Machine Specification, Java Card Platform, Version 2.2.2.
  • ...etc

According to the Global Platform specification, there are two phases: Card Content Loading and Card Content Installing.

Loading - this phase handles packages. The AID of a newly loaded package is checked in this phase:

On receipt of a load request (data contained in the INSTALL [for load] command), the OPEN shall:

  • Check that the AID of the Load File is not already present in the GlobalPlatform Registry as an Executable Load File or Application

  • ...

Installing - this phase handles applet instances (this is the moment your applet's install() method is called). The AID of your applet instance is checked in this phase:

On receipt of the install request (data contained within the INSTALL [for install] command), the OPEN shall:

  • Check that the Executable Module AID is present in the GlobalPlatform Registry,

  • Check that the Instance AID (for future selection of the Application) is not already present in the GlobalPlatform Registry as an Application or Executable Load File,

  • ...

I think your gp -install command tries to do both phases in one step. This is why you get the error "Package with AID 0000000000 is already present on card" when installing File B: your tool fails in the loading phase when trying to load a package which is already there.

When installing File C, you get an error because of a collision between the File A package AID and the File C applet instance AID.

I do not know your JCManager tool, but it obviously tries to delete applets and packages before loading them again. Status word 6A88 means "referenced data not found" (the package is not there); status word 6985 means "conditions not satisfied" (there is a package depending on the package you want to delete. You have to delete the depending package first.). This is why JCManager's behaviour differs.
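The registry checks quoted in the answers can be replayed against the question's three files with a small model. This is an added example, not part of the original posts and not code from gp or JCManager; the `Registry` class and its method names are hypothetical, and treating a live applet instance as the dependency that blocks a package delete is an assumption of the model.

```python
SW_OK, SW_NOT_FOUND, SW_CONDITIONS = 0x9000, 0x6A88, 0x6985

class Registry:
    """Hypothetical toy model of the GlobalPlatform Registry AID checks."""
    def __init__(self):
        self.packages = {}   # package (load file) AID -> applet AIDs inside it
        self.instances = {}  # applet instance AID -> package AID it came from

    def _taken(self, aid):
        # Packages and applet instances share a single AID namespace.
        return aid in self.packages or aid in self.instances

    def load(self, pkg_aid, applet_aids):
        """Loading phase (INSTALL [for load]): checks the package AID."""
        if self._taken(pkg_aid):
            return "rejected: AID %s already in registry" % pkg_aid
        self.packages[pkg_aid] = set(applet_aids)
        return "loaded"

    def install(self, pkg_aid, applet_aid):
        """Installing phase (INSTALL [for install]): checks the instance AID."""
        if applet_aid not in self.packages.get(pkg_aid, ()):
            return "rejected: applet %s not loaded" % applet_aid
        if self._taken(applet_aid):
            return "rejected: AID %s already in registry" % applet_aid
        self.instances[applet_aid] = pkg_aid
        return "installed"

    def delete(self, aid):
        """DELETE, returning the status words explained in the answer."""
        if aid in self.instances:
            del self.instances[aid]
            return SW_OK
        if aid not in self.packages:
            return SW_NOT_FOUND      # 6A88: nothing registered under that AID
        if aid in self.instances.values():
            return SW_CONDITIONS     # 6985: assumed cause, a live instance
        del self.packages[aid]
        return SW_OK

def replay_question():
    """Replay File A, B and C using the AIDs given in the question."""
    reg = Registry()
    return reg, [
        reg.load("0000000000", ["000000000011"]),      # File A, load
        reg.install("0000000000", "000000000011"),     # File A, install
        reg.load("0000000000", ["000000000022"]),      # File B: same PkgAID
        reg.load("000000000011", ["00000000001111"]),  # File C: PkgAID = A's AppAID
    ]
```

Calling `delete` on the resulting registry with `000000000022` and then `0000000000` gives 6A88 followed by 6985, the same pair JCManager logged before its File B load attempt.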
