Sourcing 3.04 Javacards #17

ffries opened this issue Jul 2, 2019 · 32 comments
@ffries

ffries commented Jul 2, 2019

Please don't close this message, it is a real issue from users. We all have difficulties sourcing 3.04 smartcards, so we cannot participate in the development and testing of SmartPGP.

At the moment the only 3.04 smartcards available online are Chinese.

Therefore could someone (not from the ANSSI) explain to us how to buy a 3.04 Javacard online and have it delivered in Europe (France). I understand developers from the ANSSI cannot reply to this question.

Please leave this thread open until a solution comes.

Kind regards,
French Fries

@breard-r
Contributor

breard-r commented Jul 2, 2019

The ACOS-J does support Java Card 3.0.4 and you can order some from smartcardfocus, they are based in the UK and deliver in France for a reasonable fee. The only thing to keep in mind is to use smartpgp-cli instead of gpg --card-edit if you wish to change the type of keys (see #15 for more details).

By the way, I highly recommend you to buy at least 3 of them (just to be sure I bought 4). I killed one while messing with it a little bit too much and you should always have a back-up, so 3 is a reasonable number.

I agree this is not the best card, but it's the only working one I have been able to buy from France without a prohibitive delivery fee.

@ffries
Author

ffries commented Jul 2, 2019

Thank you very much.
ACS is Chinese, right?

I want to work on OpenSC support and interoperability.
I am surprised, is 40k enough for the SmartPGP card?

@breard-r
Contributor

breard-r commented Jul 2, 2019

> I am surprised, is 40k enough for the SmartPGP card?

Yes it is. The README is quite explicit about it.

@dschuermann
Contributor

You can also try NXP J3H145, works pretty okayish with SmartPGP (https://www.javacardos.com/store/products/10029).

@ffries
Author

ffries commented Jul 6, 2019

Thanks a lot. I could also find the J3H145 here in Europe:
https://www.motechno.com/buy/j3h145-jcop3/
but too expensive

Finally, I bought 3 ACOS-J for testing.

I also found this information useful:

Supported algorithms:
https://www.fi.muni.cz/~xsvenda/jcalgtest/table.html

Martin Paljak buyer guide
https://github.com/martinpaljak/GlobalPlatformPro/tree/master/docs/JavaCardBuyersGuide#javacard-buyers-guide-of-2015

@bmunger

bmunger commented Dec 21, 2019

Looks like the ACOS-J cards don't support RSA above 2048 which is disappointing. Would be nice to find something that could support 4096 at the same price point.

https://github.com/crocs-muni/JCAlgTest/blob/master/Profiles/results/ACS_ACOSJ_(Combi)_ALGSUPPORT__3b_69_00_02_41_43_4f_53_4a_76_31_30_31_(provided_by_Alexandre_Bouvier).csv

@breard-r
Contributor

breard-r commented Jan 6, 2020

I just had some serious issues with the ACOS-J cards. At some point (after 12 and 3 months of use in my case), after a successful decryption, the card suddenly stops working. GnuPG can see all details on the card but cannot have it do any cryptographic operation. Uploading new keys and factory-resetting the card does not work. Trying to delete the applet does not work either and may make the card non-responsive. Since this is the second card that has this issue, I think it is safe to say this model is defunct and I will stop recommending it.

Since SmartPGP has a JavaCard 3.0.1 version, I think that, when my current and last ACOS-J card dies, I will test the J3D081.

@bmunger

bmunger commented Jan 6, 2020

Good to know. Also will be testing J3H145. It can be SIM cut and also found in a few different places. Currently also having an issue with ACOS-J, unusable from factory.

@rileyg98

rileyg98 commented Jan 9, 2020

The J3H145 is good - but exercise care with install/uninstall.

@bmunger

bmunger commented Jan 15, 2020

I have not been able to get RSA4096 working on the J3H145 card. It advertises support and I requested that support be enabled.

On gpg keytocard, I get this error:
gpg: KEYTOCARD failed: Hardware problem

On suspicion, I loaded JCAlgTest v1.7.1 (last one with GP 2.2.1 support) and ran the test. From the output I have this:

TYPE_RSA_PUBLIC LENGTH_RSA_4096;yes;0.042000
TYPE_RSA_PRIVATE LENGTH_RSA_4096;yes;0.051000
TYPE_RSA_CRT_PRIVATE LENGTH_RSA_4096;yes;0.103000
ALG_RSA LENGTH_RSA_4096;no;
ALG_RSA_CRT LENGTH_RSA_4096;no;

I don't know what to make of that. It looks like it's not fully supported. Can anyone with this card confirm if RSA4096 actually works?
Thanks.
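
JCAlgTest result rows like the ones in the comment above can be read mechanically. This is an added example, not part of the original thread or of JCAlgTest: it assumes the `name LENGTH_RSA_n;yes|no;seconds` row format shown in this thread, treats `TYPE_RSA_*` rows as key-object allocation results and `ALG_RSA`/`ALG_RSA_CRT` rows as `javacard.security.KeyPair` on-card generation results, and only reports what the result file says. The function names are hypothetical.

```python
import re

# Constructed sample: result rows copied from the two JCAlgTest excerpts in
# this thread and merged into one input for the demo.
SAMPLE = """\
TYPE_RSA_PUBLIC LENGTH_RSA_4096;yes;0.042000
TYPE_RSA_PRIVATE LENGTH_RSA_4096;yes;0.051000
TYPE_RSA_CRT_PRIVATE LENGTH_RSA_4096;yes;0.103000
ALG_RSA LENGTH_RSA_4096;no;
ALG_RSA_CRT LENGTH_RSA_4096;no;
ALG_RSA LENGTH_RSA_2048;yes;15.381000
ALG_RSA LENGTH_RSA_3072;yes;100.964000
"""

# name, key length in bits, yes/no, optional timing in seconds
ROW = re.compile(
    r"^(TYPE_RSA_\w+|ALG_RSA(?:_CRT)?) LENGTH_RSA_(\d+);(yes|no);([\d.]*)$"
)

def parse_rows(text):
    """Return one dict per RSA result row; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue  # section headings, EC rows, blank lines
        name, bits, answer, secs = m.groups()
        rows.append({
            "name": name,
            # Assumption: TYPE_* = key object allocation, ALG_* = KeyPair generation
            "kind": "keyobject" if name.startswith("TYPE_") else "keygen",
            "bits": int(bits),
            "supported": answer == "yes",
            "seconds": float(secs) if secs else None,
        })
    return rows

def summarize(rows):
    """Map key length -> {'keyobject': bool|None, 'keygen': bool|None}."""
    summary = {}
    for r in rows:
        entry = summary.setdefault(r["bits"], {"keyobject": None, "keygen": None})
        # A length counts as supported if any row of that kind says yes.
        entry[r["kind"]] = bool(entry[r["kind"]]) or r["supported"]
    return summary

def alloc_only_lengths(summary):
    """Lengths where key objects are reported but on-card generation is not."""
    return sorted(b for b, e in summary.items()
                  if e["keyobject"] is True and e["keygen"] is False)

def max_keygen_bits(summary):
    """Largest length with a 'yes' on-card generation row, or None."""
    ok = [b for b, e in summary.items() if e["keygen"]]
    return max(ok) if ok else None

if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE))
    for bits in sorted(s):
        print(bits, s[bits])
    print("alloc-only:", alloc_only_lengths(s), "max keygen:", max_keygen_bits(s))
```
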

@rileyg98

Should be ok to load the latest JCAlgTest on a J3H145 - it runs JC3.0.4.

I believe RSA4096 support needs to be either ordered from NXP for the J3H145 or enabled during the initialisation (it's not by default - possibly due to ram usage?).

@bmunger

bmunger commented Jan 15, 2020

I did attempt to load the GP 2.2.2 cap file and it did not load, but I know for a fact the card only supports GP 2.2.1 so JCAlgTest last supported it in v1.7.1 which loaded just fine.

When I ordered the card, I asked it to be initialized with RSA4096 support. I don't know if it was completely done. I need to know if it's a problem with this card in general, or an initialization issue.

@rileyg98

rileyg98 commented Jan 15, 2020

From what I can tell you, it's an initialization issue. NXP must give you the commands to upgrade that to 4096 from 2048 default, and it's done during init. If you have the cards and didn't have to initialize them yourself, it's too late to do so.

@bmunger

bmunger commented Jan 15, 2020

I had to order them initialized since they don't give the documentation without an NDA with NXP for the proprietary commands to set these things.

@rileyg98

Unfortunately, yes. It's why I have to be so vague. NXP NDAs are very strict - it took me months to get basic user manuals for their recent chips.

@martinbeier

@bmunger may I ask where you bought J3H145 RSA4096 initialised? I'm searching for a shop/distributor in Europe :) (MoTechno is quite expensive)

@bmunger

bmunger commented Jan 24, 2020

@martinbeier No problem. I got mine from JavaCardOS web store, they had a promotion last month and I got a few for the cost of shipping (https://www.javacardos.com/store/products/10029). It's pretty expensive individually, but I can say the seller is quite responsive and helpful. They can be found cheaper as samples from Alibaba stores (around $5), and much cheaper than that in bulk, with configuration and sim cut services as well. Keep in mind they are direct from factory so they are not like ordering from another store. It's likely where the suppliers in Europe and US get their cards for sale.

Also, forgot to add, the issue I had was resolved following the documentation changes made in commit f78db3e so as far as I know, I don't see any issues with J3H145, just be sure to use the 304 SDK, it will not work with 305.

@dogtopus

dogtopus commented May 15, 2020

> I just had some serious issues with the ACOS-J cards. At some point (after 12 and 3 months of use in my case), after a successful decryption, the card suddenly stops working. GnuPG can see all details on the card but cannot have it do any cryptographic operation. Uploading new keys and factory-resetting the card does not work. Trying to delete the applet does not work either and may make the card non-responsive. Since this is the second card that has this issue, I think it is safe to say this model is defunct and I will stop recommending it.
>
> Since SmartPGP has a JavaCard 3.0.1 version, I think that, when my current and last ACOS-J card dies, I will test the J3D081.

I can confirm this personally. Mine just died the same way a few hours ago. Managed to brick it completely in the end when I tried to delete the applet and reinstantiate a new one. It won't respond to both NFC and contacted card reader. That card lasted about 9 months.

EDIT: LOL just bricked my second card. RIP in Pieces.

@vuori

vuori commented Jul 27, 2020

FWIW I just ordered J3H145 from Smartcardfocus for ~€11/ea + €7 EU shipping + VAT before encountering this thread. I'll run jcalgtest on it when it arrives and report the result (if I remember).

@vuori

vuori commented Aug 5, 2020

Smartcardfocus J3H145 arrived in a bit over a week with standard shipping and was initialized. Selected jcalgtest results:

javacard.security.KeyPair ALG_RSA on-card generation
ALG_RSA LENGTH_RSA_512;yes;1.281000
ALG_RSA LENGTH_RSA_736;yes;1.525000
ALG_RSA LENGTH_RSA_768;yes;1.274000
ALG_RSA LENGTH_RSA_896;yes;1.445000
ALG_RSA LENGTH_RSA_1024;yes;2.514000
ALG_RSA LENGTH_RSA_1280;yes;3.795000
ALG_RSA LENGTH_RSA_1536;yes;2.787000
ALG_RSA LENGTH_RSA_1984;yes;5.497000
ALG_RSA LENGTH_RSA_2048;yes;15.381000
ALG_RSA LENGTH_RSA_3072;yes;100.964000
ALG_RSA LENGTH_RSA_4096;no;

and

javacard.security.KeyPair ALG_EC_FP on-card generation
ALG_EC_FP LENGTH_EC_FP_112;no;
ALG_EC_FP LENGTH_EC_FP_128;no;
ALG_EC_FP LENGTH_EC_FP_160;yes;1.700000
ALG_EC_FP LENGTH_EC_FP_192;yes;1.904000
ALG_EC_FP LENGTH_EC_FP_224;yes;2.047000
ALG_EC_FP LENGTH_EC_FP_256;yes;2.175000
ALG_EC_FP LENGTH_EC_FP_384;yes;2.890000
ALG_EC_FP LENGTH_EC_FP_521;yes;3.915000

@NewRedsquare

NewRedsquare commented Mar 23, 2021

> Smartcardfocus J3H145 arrived in a bit over a week with standard shipping and was initialized. Selected jcalgtest results:
>
> javacard.security.KeyPair ALG_RSA on-card generation
> ALG_RSA LENGTH_RSA_512;yes;1.281000
> ALG_RSA LENGTH_RSA_736;yes;1.525000
> ALG_RSA LENGTH_RSA_768;yes;1.274000
> ALG_RSA LENGTH_RSA_896;yes;1.445000
> ALG_RSA LENGTH_RSA_1024;yes;2.514000
> ALG_RSA LENGTH_RSA_1280;yes;3.795000
> ALG_RSA LENGTH_RSA_1536;yes;2.787000
> ALG_RSA LENGTH_RSA_1984;yes;5.497000
> ALG_RSA LENGTH_RSA_2048;yes;15.381000
> ALG_RSA LENGTH_RSA_3072;yes;100.964000
> ALG_RSA LENGTH_RSA_4096;no;
>
> and
>
> javacard.security.KeyPair ALG_EC_FP on-card generation
> ALG_EC_FP LENGTH_EC_FP_112;no;
> ALG_EC_FP LENGTH_EC_FP_128;no;
> ALG_EC_FP LENGTH_EC_FP_160;yes;1.700000
> ALG_EC_FP LENGTH_EC_FP_192;yes;1.904000
> ALG_EC_FP LENGTH_EC_FP_224;yes;2.047000
> ALG_EC_FP LENGTH_EC_FP_256;yes;2.175000
> ALG_EC_FP LENGTH_EC_FP_384;yes;2.890000
> ALG_EC_FP LENGTH_EC_FP_521;yes;3.915000

This one? It means that 4096-bit support isn't available on this card?

@bmunger

bmunger commented Mar 23, 2021

J3H145 will support RSA 4096 just fine. I have tested it and it works. I think the test doesn't show correctly though. You have to make sure they configure it for 4096 since it's not a default enabled option it seems.

@NewRedsquare

NewRedsquare commented Mar 23, 2021 via email

@af-anssi af-anssi pinned this issue Jun 9, 2021
@0xDRRB

0xDRRB commented Nov 9, 2023

Additional information and confirmation.

Yes, the J3H145 from Smartcardfocus have RSA 4096 activated. I asked the question by e-mail and they replied that they had included this information in the product description to clarify this point.

The price of the cards is three times that of the ACOSJ Dual and UPS delivery to France increases the cost drastically (+24€), but I spent as much on very unreliable ACOSJs (4 bricked out of 6).

Note that Hitools Access in France sells ACOSJ that are supposedly 95k EEPROM (v2.04), but are actually 40k (v1.02). To be avoided.

@0xDRRB

0xDRRB commented Nov 10, 2023

I found these J3R150 cards on AliExpress, cheap and apparently original : https://fr.aliexpress.com/item/1005005364667733.html

The keys installed are those of the seller. On receipt, we can list the installed packages as follows:

$ gp --key-enc 90379A3E7116D455E55F9398736A01CA --key-mac 473F36161A7F7F60CC3A766EA4BE5247 --key-dek D3749ED4FF42FD58B39EEB562B017CD9 -l
ISD: A000000151000000 (OP_READY)
     Parent:   A000000151000000
     From:     A0000001515350
     Privs:    SecurityDomain, CardLock, CardTerminate, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration

APP: D276000085304A434F900001 (SELECTABLE)
     Parent:   A000000151000000
     From:     D276000085304A434F9000
     Privs:    CardReset

PKG: A0000001515350 (LOADED)
     Parent:   A000000151000000
     Version:  255.255
     Applet:   A000000151535041

PKG: D276000085304A434F9000 (LOADED)
     Parent:   A000000151000000
     Version:  1.0
     Applet:   D276000085304A434F900001

PKG: A000000396545300000001000D0100 (LOADED)
     Parent:   A000000151000000
     Version:  1.0
     Applet:   A000000396545300000001000D000000

PKG: A00000039654530000000100040600 (LOADED)
     Parent:   A000000151000000
     Version:  1.0
     Applet:   A0000003965453000000010004000000

PKG: A00000039654530000000100060900 (LOADED)
     Parent:   A000000151000000
     Version:  1.0
     Applet:   A0000003965453000000010006000000
     Applet:   A0000003965453000000010006000010

PKG: A00000000310 (LOADED)
     Parent:   A000000151000000
     Version:  1.0
     Applet:   A0000000031056
     Applet:   A000000003104D

PKG: A00000000316 (LOADED)
     Parent:   A000000151000000
     Version:  1.0
     Applet:   A0000000031650

I deleted all the Visa and MIFARE applets (Proxmark3 initially detects the card as "MIFARE Plus SL0/SL3 or MIFARE DESFire"), keeping only A0000001515350 because I don't know what it is and I've had problems with a J2A081 deleting A0000000035350, and now have ~150k of EEPROM at my disposal.

I don't know where these cards came from or what they were used for. The AliExpress page shows 235 units currently in stock. The card is already listed by jcalgtest.

@dogtopus

@0xDRRB I knew these cards existed on the Chinese marketplace for quite some time now. A bit surprised that they are actually pre-personalized. I might order some and give them a try.

Just curious: is Mifare emulation available through the standard javacard Memory API or do you need the proprietary applet installed on the card?

@0xDRRB

0xDRRB commented Nov 11, 2023

@dogtopus I quickly tried a getMemoryAccessInstance(Memory.MEMORY_TYPE_MIFARE, null, (short)0) and got an ExternalException.NO_SUCH_SUBSYSTEM exception. I think that answers the question.

@dotfrankruan

I live in mainland China and it seems that there are merchants online who sell J3R180 cards for cheap (¥38, roughly 6 USD). If you feel comfortable with that, I could buy some and mail them to you (just saying)

@farfalleflickan

> I found these J3R150 cards on AliExpress, cheap and apparently original : https://fr.aliexpress.com/item/1005005364667733.html
>
> The keys installed are those of the seller. On receipt, we can list the installed packages as follows:
>
> $ gp --key-enc 90379A3E7116D455E55F9398736A01CA --key-mac 473F36161A7F7F60CC3A766EA4BE5247 --key-dek D3749ED4FF42FD58B39EEB562B017CD9 -l
> ISD: A000000151000000 (OP_READY)
>      Parent:   A000000151000000
>      From:     A0000001515350
>      Privs:    SecurityDomain, CardLock, CardTerminate, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration
>
> APP: D276000085304A434F900001 (SELECTABLE)
>      Parent:   A000000151000000
>      From:     D276000085304A434F9000
>      Privs:    CardReset
>
> PKG: A0000001515350 (LOADED)
>      Parent:   A000000151000000
>      Version:  255.255
>      Applet:   A000000151535041
>
> PKG: D276000085304A434F9000 (LOADED)
>      Parent:   A000000151000000
>      Version:  1.0
>      Applet:   D276000085304A434F900001
>
> PKG: A000000396545300000001000D0100 (LOADED)
>      Parent:   A000000151000000
>      Version:  1.0
>      Applet:   A000000396545300000001000D000000
>
> PKG: A00000039654530000000100040600 (LOADED)
>      Parent:   A000000151000000
>      Version:  1.0
>      Applet:   A0000003965453000000010004000000
>
> PKG: A00000039654530000000100060900 (LOADED)
>      Parent:   A000000151000000
>      Version:  1.0
>      Applet:   A0000003965453000000010006000000
>      Applet:   A0000003965453000000010006000010
>
> PKG: A00000000310 (LOADED)
>      Parent:   A000000151000000
>      Version:  1.0
>      Applet:   A0000000031056
>      Applet:   A000000003104D
>
> PKG: A00000000316 (LOADED)
>      Parent:   A000000151000000
>      Version:  1.0
>      Applet:   A0000000031650
>
> I deleted all the Visa and MIFARE applets (Proxmark3 initially detects the card as "MIFARE Plus SL0/SL3 or MIFARE DESFire"), keeping only A0000001515350 because I don't know what it is and I've had problems with a J2A081 deleting A0000000035350, and now have ~150k of EEPROM at my disposal.
>
> I don't know where these cards came from or what they were used for. The AliExpress page shows 235 units currently in stock. The card is already listed by jcalgtest.

Have you managed to make it work with SmartPGP/GPG?

@kenkit

kenkit commented Aug 13, 2024

I bought an uninitialized j3180 here, with default keys provided; all applets I've tested worked.
https://www.aliexpress.com/item/1005006610737323.html?spm=a2g0o.order_list.order_list_main.5.2d79180268xZIj

@kenkit

kenkit commented Aug 13, 2024

> I found these J3R150 cards on AliExpress, cheap and apparently original : https://fr.aliexpress.com/item/1005005364667733.html
>
> The keys installed are those of the seller. On receipt, we can list the installed packages as follows:
>
> $ gp --key-enc 90379A3E7116D455E55F9398736A01CA --key-mac 473F36161A7F7F60CC3A766EA4BE5247 --key-dek D3749ED4FF42FD58B39EEB562B017CD9 -l
> ISD: A000000151000000 (OP_READY)
>      Parent:   A000000151000000
>      From:     A0000001515350
>      Privs:    SecurityDomain, CardLock, CardTerminate, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration
>
> APP: D276000085304A434F900001 (SELECTABLE)
>      Parent:   A000000151000000
>      From:     D276000085304A434F9000
>      Privs:    CardReset
>
> PKG: A0000001515350 (LOADED)
>      Parent:   A000000151000000
>      Version:  255.255
>      Applet:   A000000151535041
>
> PKG: D276000085304A434F9000 (LOADED)
>      Parent:   A000000151000000
>      Version:  1.0
>      Applet:   D276000085304A434F900001
>
> PKG: A000000396545300000001000D0100 (LOADED)
>      Parent:   A000000151000000
>      Version:  1.0
>      Applet:   A000000396545300000001000D000000
>
> PKG: A00000039654530000000100040600 (LOADED)
>      Parent:   A000000151000000
>      Version:  1.0
>      Applet:   A0000003965453000000010004000000
>
> PKG: A00000039654530000000100060900 (LOADED)
>      Parent:   A000000151000000
>      Version:  1.0
>      Applet:   A0000003965453000000010006000000
>      Applet:   A0000003965453000000010006000010
>
> PKG: A00000000310 (LOADED)
>      Parent:   A000000151000000
>      Version:  1.0
>      Applet:   A0000000031056
>      Applet:   A000000003104D
>
> PKG: A00000000316 (LOADED)
>      Parent:   A000000151000000
>      Version:  1.0
>      Applet:   A0000000031650
>
> I deleted all the Visa and MIFARE applets (Proxmark3 initially detects the card as "MIFARE Plus SL0/SL3 or MIFARE DESFire"), keeping only A0000001515350 because I don't know what it is and I've had problems with a J2A081 deleting A0000000035350, and now have ~150k of EEPROM at my disposal.
>
> I don't know where these cards came from or what they were used for. The AliExpress page shows 235 units currently in stock. The card is already listed by jcalgtest.

Your card has not been initialized, it's in OP_READY state. I also had issues deleting applets from J3R180 in OP_READY; I had to initialize it with gp to be able to fully uninstall applets. You might have to try gpj with the deletedeps option.

@martinpaljak
Contributor

"gp -f -delete" (the -f) is equivalent to deletedeps, when applied to a package.
