GlobalPlatformPro, Gemalto IDPrime PIV 2.0 card, Gemalto IDBridge CL3000 Dual Interface Smart Card Reader, Ubuntu 14.4

Information on how to load your own applets onto a Gemalto PIV card are hard to come by, so below is a quick write up of how to do it. This also gets you GlobalPlatform access to the card, which is difficult to figure out due to little documentation available on the key diversification used. The spec sheet for the Gemalto IDPrime PIV 2.0 card can be found here.

Make sure your smart card reader is attached. If it isn't you may have to restart pcscd to get it to show up:

[email protected]:~$ opensc-tool -l
No smart card readers found.

[email protected]:~$ sudo service pcscd restart
[sudo] password for rchapman:
 * Restarting PCSC Lite resource manager pcscd                                                                                                 [ OK ]

[email protected]:~$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    No              Gemalto Prox-DU [Prox-DU HID_15100775] 00 00
1    Yes             Gemalto Prox-DU [Prox-DU HID_15100775] 00 01

Download GlobalPlatformPro

[email protected]:~$ wget https://github.com/martinpaljak/GlobalPlatformPro/releases/download/v0.3.6/gp.jar
--2016-02-10 06:06:51--  https://github.com/martinpaljak/GlobalPlatformPro/releases/download/v0.3.6/gp.jar
Resolving github.com (github.com)... 192.30.252.131
Connecting to github.com (github.com)|192.30.252.131|:443... connected.
[...]
HTTP request sent, awaiting response... 200 OK
Length: 995937 (973K) [application/octet-stream]
Saving to: ‘gp.jar’

100%[============================================================================================================>] 995,937      915KB/s   in 1.1s

2016-02-10 06:06:53 (915 KB/s) - ‘gp.jar’ saved [995937/995937]

Make sure you can list the applets on the card. Be careful, some cards will lock you out if you fail to authenticate to the card a certain number of times. From my experience with the Gemalto card I bought from the Gemalto WEB store, it didn't lock me out even though it took me over a hundred attempts to get the auth working. The key below works with the Gemalto IDPrime PIV 2.0 cards I purchased from the Gemalto WEB store as well as smartcardfocus.us.

[email protected]:~$ java -jar ~/gp.jar -visa2 -key 47454D5850524553534F53414D504C45 -mode clr --list
AID: A000000003000000 (|........|)
     ISD INITIALIZED: Security Domain, Card lock, Card terminate, CVM (PIN) management

AID: A000000308000010000100 (|...........|)
     App SELECTABLE: Default selected, CVM (PIN) management

AID: A000000308000010000200 (|...........|)
     App SELECTABLE: CVM (PIN) management

AID: A0000000620001 (|....b..|)
     ExM LOADED: (none)

AID: A0000000620002 (|....b..|)
     ExM LOADED: (none)

AID: A0000000620003 (|....b..|)
     ExM LOADED: (none)

AID: A0000000620101 (|....b..|)
     ExM LOADED: (none)

AID: A000000062010101 (|....b...|)
     ExM LOADED: (none)

AID: A0000000620102 (|....b..|)
     ExM LOADED: (none)

AID: A0000000620201 (|....b..|)
     ExM LOADED: (none)

AID: A0000000030000 (|.......|)
     ExM LOADED: (none)

AID: A0000000620202 (|....b..|)
     ExM LOADED: (none)

AID: A000000018100106 (|........|)
     ExM LOADED: (none)

AID: A000000018100201 (|........|)
     ExM LOADED: (none)

AID: A000000018100101 (|........|)
     ExM LOADED: (none)
     A000000018534441 (|.....SDA|)

AID: A00000015100 (|....Q.|)
     ExM LOADED: (none)

AID: A000000018100108 (|........|)
     ExM LOADED: (none)

AID: A000000018100109 (|........|)
     ExM LOADED: (none)

AID: A000000018100401 (|........|)
     ExM LOADED: (none)

AID: A000000018100402 (|........|)
     ExM LOADED: (none)

AID: A00000030800001000 (|.........|)
     ExM LOADED: (none)
     A000000308000010000100 (|...........|)
     A000000308000010000200 (|...........|)

[email protected]:~$

Download gpshell to obtain the hello world applet, already compiled into a cap file:

[email protected]:~$ curl -Lo gpshell.tar.gz 'http://downloads.sourceforge.net/project/globalplatform/GPShell/GPShell-1.4.4/gpshell-1.4.4.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fglobalplatform%2Ffiles%2FGPShell%2FGPShell-1.4.4%2F&ts=1455092038&use_mirror=superb-dca2'
[...]

[email protected]:~$ tar zxvf gpshell.tar.gz
[...]
gpshell-1.4.4/helloworld.cap
[...]

Install the hello world applet:

[email protected]:~$ java -jar ~/gp.jar -visa2 -key 47454D5850524553534F53414D504C45 -mode clr --install gpshell-1.4.4/helloworld.cap
CAP loaded

List applets again to find AID (applet ID) of hello world. It should be D0D1D2D3D4D501.

[email protected]:~$ java -jar ~/gp.jar -visa2 -key 47454D5850524553534F53414D504C45 -mode clr --list | grep -A 4 'AID: D0D1D2D3D4D501 '
AID: D0D1D2D3D4D501 (|.......|)
     ExM LOADED: (none)
     D0D1D2D3D4D50101 (|........|)

Run the applet on the card by selecting the AID D0D1D2D3D4D501, then send any valid APDU (doesn't matter what it is, the app will always return "Hello World!")

[email protected]:~$ opensc-tool -s "00 A4 04 00 07 D0 D1 D2 D3 D4 D5 01" -s "00:CB:3F:FF:05:5C:03:5F:C1:02:00"
Using reader with a card: Gemalto Prox-DU [Prox-DU HID_15100775] 00 01
Sending: 00 A4 04 00 07 D0 D1 D2 D3 D4 D5 01
Received (SW1=0x90, SW2=0x00)
Sending: 00 CB 3F FF 05 5C 03 5F C1 02 00
Received (SW1=0x90, SW2=0x00):
48 65 6C 6C 6F 20 57 6F 72 6C 64 21 Hello World!

If you want to uninstall the applet from the card, run:

[email protected]:~$ java -jar ~/gp.jar -visa2 -key 47454D5850524553534F53414D504C45 -mode clr --delete D0D1D2D3D4D501 --deletedeps
[email protected]:~$