Fix #384, #386: PlaintextKeys are exported from gptool and live in a separate package

martinpaljak · martinpaljak · commit eab24add9b6b · 2025-05-11T12:17:44.000+03:00
diff --git a/tool/src/main/java/module-info.java b/tool/src/main/java/module-info.java
@@ -1,7 +1,7 @@
 // https://stackoverflow.com/a/67895919/44289
 @SuppressWarnings({"requires-automatic"})
 module gptool {
-    requires pro.javacard.globalplatform;
+    requires transitive pro.javacard.globalplatform;
     requires pro.javacard.pace;
     requires java.smartcardio;
     requires jopt.simple;
@@ -14,4 +14,6 @@
     requires org.bouncycastle.provider;
     requires org.bouncycastle.pkix;
     requires org.slf4j;
+
+    exports pro.javacard.gptool.keys;
 }
diff --git a/tool/src/main/java/pro/javacard/gptool/GPTool.java b/tool/src/main/java/pro/javacard/gptool/GPTool.java
@@ -36,6 +36,7 @@
 import pro.javacard.gp.*;
 import pro.javacard.gp.GPRegistryEntry.Privilege;
 import pro.javacard.gp.GPSession.APDUMode;
+import pro.javacard.gptool.keys.PlaintextKeys;
 import pro.javacard.pace.AESSecureChannel;
 import pro.javacard.pace.PACE;
 import pro.javacard.pace.PACEException;
@@ -340,7 +341,7 @@ public int run(BIBO bibo, String[] argv) {
                         System.err.println("Error: no keys given");
                         return 1;
                     } else
-                        System.err.println("# Warning: no keys given, defaulting to " + HexUtils.bin2hex(PlaintextKeys.defaultKeyBytes));
+                        System.err.println("# Warning: no keys given, defaulting to " + HexUtils.bin2hex(PlaintextKeys.DEFAULT_KEY()));
                 }
                 keys = cliKeys.or(() -> envKeys).orElse(PlaintextKeys.defaultKey());
             }
@@ -847,8 +848,8 @@ else if (keyver >= 0x30 && keyver <= 0x3F)
                         PlaintextKeys pk = (PlaintextKeys) newKeys;
                         if (pk.getMasterKey().isPresent())
                             System.out.println(gp.getAID() + " locked with: " + HexUtils.bin2hex(pk.getMasterKey().get()));
-                        if (pk.kdf_template != null)
-                            System.out.println("Keys were diversified with " + pk.kdf_template + " and " + HexUtils.bin2hex(kdd));
+                        if (pk.getTemplate() != null)
+                            System.out.println("Keys were diversified with " + pk.getTemplate() + " and " + HexUtils.bin2hex(kdd));
                         System.out.println("Write this down, DO NOT FORGET/LOSE IT!");
                     } else {
                         System.out.println("Card locked with new keys.");
diff --git a/tool/src/main/java/pro/javacard/gptool/PlaintextKeysProvider.java b/tool/src/main/java/pro/javacard/gptool/PlaintextKeysProvider.java
@@ -24,6 +24,7 @@
 import com.google.auto.service.AutoService;
 import pro.javacard.gp.CardKeysProvider;
 import pro.javacard.gp.GPCardKeys;
+import pro.javacard.gptool.keys.PlaintextKeys;
 
 import java.util.Map;
 import java.util.Optional;
@@ -59,7 +60,7 @@ public Optional<GPCardKeys> getCardKeys(String spec) {
 
     static byte[] hexOrDefault(String v) {
         if ("default".startsWith(v.toLowerCase()))
-            return PlaintextKeys.defaultKeyBytes;
+            return PlaintextKeys.DEFAULT_KEY();
         return HexUtils.stringToBin(v);
     }
 }
diff --git a/tool/src/main/java/pro/javacard/gptool/keys/PlaintextKeys.java b/tool/src/main/java/pro/javacard/gptool/keys/PlaintextKeys.java
@@ -17,7 +17,7 @@
  * License along with this library; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
-package pro.javacard.gptool;
+package pro.javacard.gptool.keys;
 
 import apdu4j.core.HexUtils;
 import org.slf4j.Logger;
@@ -33,11 +33,15 @@
 
 // Handles plaintext card keys.
 // Supports diversification of card keys with a few known algorithms.
-class PlaintextKeys extends GPCardKeys {
+public class PlaintextKeys extends GPCardKeys {
     private static final Logger logger = LoggerFactory.getLogger(PlaintextKeys.class);
 
     // After diversify() we know for which protocol we have keys for, unless known before
-    static final byte[] defaultKeyBytes = HexUtils.hex2bin("404142434445464748494A4B4C4D4E4F");
+    private static final byte[] defaultKeyBytes = HexUtils.hex2bin("404142434445464748494A4B4C4D4E4F");
+
+    public static byte[] DEFAULT_KEY() {
+        return defaultKeyBytes.clone();
+    }
 
     // Derivation constants for session keys
     public static final Map<KeyPurpose, byte[]> SCP02_CONSTANTS;
@@ -70,7 +74,11 @@ class PlaintextKeys extends GPCardKeys {
     }
 
     // If diverisification is to be used
-    String kdf_template;
+    private String kdf_template;
+
+    public String getTemplate() {
+        return kdf_template;
+    }
 
     // Keyset version
     private int version = 0x00;
@@ -202,8 +210,9 @@ public static Optional<PlaintextKeys> fromEnvironment(Map<String, String> env, S
         String kdd = env.get(prefix + "_KDD");
         String ver = env.get(prefix + "_VER");
         Optional<PlaintextKeys> r = fromStrings(enc, mac, dek, mk, div, kdd, ver);
-        if (r.isPresent())
+        if (r.isPresent()) {
             logger.debug("Got keys from environment, prefix=" + prefix);
+        }
         return r;
     }
 
diff --git a/tool/src/test/java/pro/javacard/gptool/TestPlaintextKeysProvider.java b/tool/src/test/java/pro/javacard/gptool/TestPlaintextKeysProvider.java
@@ -7,6 +7,7 @@
 import pro.javacard.gp.GPCardKeys;
 import pro.javacard.gp.GPCrypto;
 import pro.javacard.gp.GPSecureChannelVersion;
+import pro.javacard.gptool.keys.PlaintextKeys;
 
 import java.util.Optional;
 

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@`
`24`	`24`	`import com.google.auto.service.AutoService;`
`25`	`25`	`import pro.javacard.gp.CardKeysProvider;`
`26`	`26`	`import pro.javacard.gp.GPCardKeys;`
	`27`	`+import pro.javacard.gptool.keys.PlaintextKeys;`
`27`	`28`
`28`	`29`	`import java.util.Map;`
`29`	`30`	`import java.util.Optional;`
`@@ -59,7 +60,7 @@ public Optional<GPCardKeys> getCardKeys(String spec) {`
`59`	`60`
`60`	`61`	`static byte[] hexOrDefault(String v) {`
`61`	`62`	`if ("default".startsWith(v.toLowerCase()))`
`62`		`- return PlaintextKeys.defaultKeyBytes;`
	`63`	`+ return PlaintextKeys.DEFAULT_KEY();`
`63`	`64`	`return HexUtils.stringToBin(v);`
`64`	`65`	`}`
`65`	`66`	`}`