I have a .CAP file (applet) and I want to install it to my Java Card. I know that I can use tools like GPShell or apdutool (from JCDK) to do that, but I want to replicate the installation process by myself.

The confusing thing is that in the GP standard the installation process is: APDU command INSTALL[for load] followed by multiple LOAD commands followed by INSTALL[for install] command.

While the Oracle documentation proposes a different sequence of APDU commands for installing the .CAP file: Select (Issuer Security Domain?), CAP begin, Component ## Begin+Data+End (for each component), CAP End, Create Applet.

Are both methods of installing an applet equivalent?

What does the LOAD command DATA field contain? The GP standard does not specify that, and I know that sending the raw bytes from the .CAP file is wrong. I used the GPShell to successfully install the applet but the DATA field of the LOAD command made no sense to me. [GPShell output]

For the Oracle method I used scriptgen from Java Card Development Kit to generate the APDU commands, but the INS byte from those commands (B0, B2, B4, BC, BA) have no GP reference. [scriptgen output]

Maarten Bodewes
Sebastian
  • Could you point out the Oracle documentation? There are different ways of loading .cap files; officially GP doesn't have to be used. However, GP is used 99% of the time; it's more likely that this is a different way of describing the same process. – Maarten Bodewes Sep 19 '17 at 12:07
  • I've removed the [tag:applet] tag for the simple reason that Web applets are presumed when you use the tag. Just [tag:javacard] should suffice. – Maarten Bodewes Sep 19 '17 at 12:10
  • The link to the Oracle doc: https://docs.oracle.com/cd/E59935_01/guide/downloading_cap_files_and_creating_applets.htm#GUID-E07D5102-4DC0-4E25-B124-7FB474396C01. Most likely the GP standard doesn't cover this area of commands (INS byte B0, B2, B4, BC, BA). I will however try to use the APDU command sequence from the Oracle platform and see if it works. – Sebastian Sep 19 '17 at 19:47

1 Answer


> While the Oracle documentation proposes a different sequence of APDU commands for installing the .CAP file: Select (Issuer Security Domain?), CAP begin, Component ## Begin+Data+End (for each component), CAP End, Create Applet.

Selection of the card manager (Issuer Security Domain - Root) is required before installing the applet because it is the component responsible for loading and installing an applet on the card. Also note, you will need to authenticate with the card manager by establishing the secure channel (SCP02 preferably).

Perform the following sequence of APDUs to install the applet:

  1. Select Issuer Security Domain (ISD). 00 a4 04 00 Lc AID_ISD

  2. Authenticate with ISD.

    Set up an SCP02 (refer to the commands initialization update, external authenticate). Here, you will require the 3DES keys of the card. Refer to the documentation provided with the card.

  3. Send apdu, Install[for Load].

> The confusing thing is that in the GP standard the installation process is: APDU command INSTALL[for load] followed by multiple LOAD commands followed by INSTALL[for install] command.

  4. Send apdu, Load Blocks.

    The .cap file of the applet which you will have is a zip of its constituent CAP files (http://pfa12.free.fr/doc_java/javacard_specifications/specs/jcvm/html/JCVM06cap.html). So you need to send each CAP file one-by-one to the card.

    Load (Header.cap), Load(Directory.cap)... etc.

  5. Send apdu, Install[for Install]. Installation complete.

hsg
  • The OP might want to have a look into [GlobalPlatformPro source](https://github.com/martinpaljak/GlobalPlatformPro/blob/67ee76e7f189fada318053b6daf2d55d92a1c89c/src/pro/javacard/gp/CapFile.java#L215) where the blocks for LOAD are prepared. – vlp Sep 20 '17 at 11:35
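
How the DATA field of the LOAD commands is built from a .cap file, as an added example that is not part of the original posts and is not GlobalPlatformPro's code: the components inside the zip are concatenated in the order the Java Card VM specification gives for installation, wrapped in the GlobalPlatform C4 (Load File Data Block) TLV, and cut into numbered LOAD blocks. The function names, the 239-byte block size and the sample CAP are assumptions, and the APDUs are shown before any secure-channel wrapping (no C-MAC).

```python
import io
import zipfile

# Load order from the Java Card VM spec; Debug.cap is never sent to the card.
LOAD_ORDER = ["Header", "Directory", "Import", "Applet", "Class", "Method",
              "StaticField", "Export", "ConstantPool", "RefLocation", "Descriptor"]

def ber_length(n):
    """BER length: one byte below 0x80, otherwise 0x81/0x82/... plus the value."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def load_file_data_block(cap_bytes):
    """Concatenate the zip's components in load order and wrap them in tag C4."""
    with zipfile.ZipFile(io.BytesIO(cap_bytes)) as zf:
        by_name = {n.rsplit("/", 1)[-1]: n for n in zf.namelist()}
        code = b"".join(zf.read(by_name[c + ".cap"])
                        for c in LOAD_ORDER if c + ".cap" in by_name)
    return b"\xC4" + ber_length(len(code)) + code

def load_apdus(data, block_size=0xEF):
    """Cut the load file into LOAD commands: 80 E8 P1 P2 Lc <block>.
    P1 is 0x80 on the last block and 0x00 before it; P2 is the block number."""
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    if len(blocks) > 256:
        raise ValueError("P2 is a single byte, so at most 256 blocks")
    last = len(blocks) - 1
    return [bytes([0x80, 0xE8, 0x80 if i == last else 0x00, i, len(b)]) + b
            for i, b in enumerate(blocks)]

def make_sample_cap():
    """Constructed stand-in for a .cap: dummy component bodies, stored out of order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        pkg = "com/example/javacard/"   # hypothetical package path
        zf.writestr(pkg + "Directory.cap", bytes.fromhex("020001AA"))
        zf.writestr(pkg + "Debug.cap", bytes.fromhex("0C0001CC"))
        zf.writestr(pkg + "Method.cap", bytes.fromhex("07012C") + bytes(300))
        zf.writestr(pkg + "Header.cap", bytes.fromhex("010001BB"))
    return buf.getvalue()

if __name__ == "__main__":
    for apdu in load_apdus(load_file_data_block(make_sample_cap())):
        print(apdu[:5].hex(" "), "...", len(apdu) - 5, "data bytes")
```

The first block therefore starts with `C4`, a BER length and the Header component rather than with the zip's own bytes, and a component may straddle two LOAD blocks.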