
Locking SecDoms: Invalid argument: Can not lock without keys #402

@butteronarchbtw


Describe the bug

Trying to lock a security domain (to bring it into PERSONALIZED) in v25.12.01 does not do the same thing as the latest release v25.10.20.
When issuing -lock default or -lock <somekey>, it complains about keys missing as an input (Invalid argument: Can not lock without keys :)), when the same command in v25.10.20 worked fine.

Information about your card and used reader

Oracle Java Card Simulator

Expected behavior

After creating a domain $DOM, calling gp -c $DOM -lock $SOMEKEY should transition the security domain to PERSONALIZED if the keys are valid.
If $SOMEKEY is "default", this should work too.

The simplest output should look like:

0101010101 locked with: 404142434445464748494A4B4C4D4E4F
Write this down, DO NOT FORGET/LOSE IT!

Full log

# gp -domain 0101010101 -dvi
# GlobalPlatformPro unsupported
# Running on Linux 6.12.57 amd64, Java 21.0.9 by N/A
# SCardConnect("Oracle Simulator 00 00", T=*) -> T=1, 3B9F968131FE454F52434C2D4A43332E324750322E3323
# SCardBeginTransaction("Oracle Simulator 00 00")
A>> T=1 (4+0000) 00A40400 00 
A<< (0099+2) (2ms) 6F618408A000000151000000A555734B06072A864886FC6B01600B06092A864886FC6B020202630906072A864886FC6B03640B06092A864886FC6B040370650D060B2A864886FC6B0507020100660C060A2B060104012A026E01039F6E01019F6501FE 9000
A>> T=1 (4+0000) 80CA9F7F 00 
A<< (0045+2) (1ms) 9F7F2A000000000000000000000000000000000000000000000000000000000000000000000000000000000000 9000
CPLC: ICFabricator=0000
      ICType=0000
      OperatingSystemID=0000
      OperatingSystemReleaseDate=0000 (invalid date format)
      OperatingSystemReleaseLevel=0000
      ICFabricationDate=0000 (invalid date format)
      ICSerialNumber=00000000
      ICBatchIdentifier=0000
      ICModuleFabricator=0000
      ICModulePackagingDate=0000 (invalid date format)
      ICCManufacturer=0000
      ICEmbeddingDate=0000 (invalid date format)
      ICPrePersonalizer=0000
      ICPrePersonalizationEquipmentDate=0000 (invalid date format)
      ICPrePersonalizationEquipmentID=00000000
      ICPersonalizer=0000
      ICPersonalizationDate=0000 (invalid date format)
      ICPersonalizationEquipmentID=00000000

A>> T=1 (4+0000) 80CA0042 00 
A<< (0009+2) (0ms) 42074953445F49494E 9000
IIN: 42074953445F49494E
A>> T=1 (4+0000) 80CA0045 00 
A<< (0009+2) (0ms) 45074953445F43494E 9000
CIN: 45074953445F43494E
A>> T=1 (4+0000) 80CA00CF 00 
A<< (0012+2) (1ms) CF0A56020000000000000000 9000
KDD: CF0A56020000000000000000
A>> T=1 (4+0000) 80CA00C1 00 
A<< (0005+2) (1ms) C103000000 9000
SSC: C103000000
Card Data: 
A>> T=1 (4+0000) 80CA0066 00 
A<< (0079+2) (0ms) 664D734B06072A864886FC6B01600B06092A864886FC6B020202630906072A864886FC6B03640B06092A864886FC6B040370650D060B2A864886FC6B0507020100660C060A2B060104012A026E0103 9000
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.2
-> GP Version: 2.2
Tag 63: 1.2.840.114283.3
-> GP card is uniquely identified by the Issuer Identification Number (IIN) and Card Image Number (CIN)
Tag 6: 1.2.840.114283.4.3.112
-> GP SCP03 (i=70)
Tag 66: 1.3.6.1.4.1.42.2.110.1.3
-> JavaCard v3
Card Capabilities: 
A>> T=1 (4+0000) 80CA0067 00 
A<< (0055+2) (0ms) 6735A00C8001038104102060708201078103FFFFC082031E8E008302010284018E8501388602FB03870DFB038800000102030405060708 9000
Supports SCP03 i=10 i=20 i=60 i=70 with AES-128 AES-196 AES-256
Supported DOM privileges: SecurityDomain, DAPVerification, DelegatedManagement, CardLock, CardTerminate, CardReset, CVMManagement, MandatedDAPVerification, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, GlobalService, ReceiptGeneration, CipheredLoadFileDataBlock
Supported APP privileges: CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, GlobalLock, GlobalRegistry, FinalApplication
Supported LFDB hash: SHA-1, SHA-256
Supported Token Verification ciphers: CMAC_AES128, CMAC_AES192, CMAC_AES256
Supported Receipt Generation ciphers: RSA1024_SHA1, RSAPSS_SHA256, CMAC_AES128, CMAC_AES192, CMAC_AES256, ECCP256_SHA256, ECCP384_SHA384, ECCP512_SHA512, ECCP521_SHA512
Supported DAP Verification ciphers: RSA1024_SHA1, RSAPSS_SHA256, CMAC_AES128, CMAC_AES192, CMAC_AES256, ECCP256_SHA256, ECCP384_SHA384, ECCP512_SHA512, ECCP521_SHA512
A>> T=1 (4+0000) 80CA00E0 00 
A<< (0020+2) (1ms) E012C00401018810C00402018810C00403018810 9000
Version:   1 (0x01) ID:   1 (0x01) type: AES          length:  16 (AES-128)
Version:   1 (0x01) ID:   2 (0x02) type: AES          length:  16 (AES-128)
Version:   1 (0x01) ID:   3 (0x03) type: AES          length:  16 (AES-128)

A>> T=1 (4+0008) 80500000 08 95D9D7C014C16DB0 00
A<< (0032+2) (0ms) 5602000000000000000001037086C8BD65FA1044EE1A44C69507CD9EDE000001 9000
A>> T=1 (4+0016) 84820100 10 5246DAD81A421BA63E01A0A62B28908E 00
A<< (0000+2) (1ms) 9000
A>> T=1 (4+0010) 84F28002 0A 4F00C5787BEDA8DB00CF 00
A<< (0021+2) (1ms) E3134F08A0000001510000009F700101C5039EFE80 9000
A>> T=1 (4+0010) 84F24002 0A 4F0048C9669C34FB649B 00
A<< (0000+2) (0ms) 6A88
A>> T=1 (4+0010) 84F21002 0A 4F00034FEA997F89D94C 00
A<< (0250+2) (0ms) E30D4F07A00000006200019F700101E30D4F07A00000006200029F700101E30D4F07A00000006201019F700101E30D4F07A00000006201029F700101E30D4F07A00000006202099F700101E30E4F08A0000000620209019F700101E30D4F07A00000006202019F700101E30E4F08A0000000620208029F700101E30E4F08A0000000620208049F700101E30E4F08A0000000620208059F700101E30E4F08A0000000620208069F700101E30E4F08A0000000620208079F700101E30E4F08A0000000620208039F700101E30E4F08A0000000620208019F700101E30F4F09A000000062020801019F700101E30D4F07A00000006202059F700101 6310
A>> T=1 (4+0010) 84F21003 0A 4F003D65D1BBB431D2FE 00
A<< (0104+2) (0ms) E30E4F08A0000000620205019F700101E30E4F08A0000000620205029F700101E30E4F08A0000000620205039F700101E30F4F09A00000006203010F019F700101E30C4F06A000000151009F700101E3174F07A00000015153509F7001018408A000000151535041 9000
A>> T=1 (4+0010) 84F22002 0A 4F00A93DC37FA4361C59 00
A<< (0250+2) (1ms) ...
A>> T=1 (4+0010) 84F22003 0A 4F0078F1520051EA7C71 00
A<< (0094+2) (0ms) E30E4F08A0000000620205019F700101E30E4F08A0000000620205029F700101E30E4F08A0000000620205039F700101E30F4F09A00000006203010F019F700101E30C4F06A000000151009F700101E30D4F07A00000015153509F700101 9000
# Note: using detected default AID-s for SSD instantiation: A000000151535041 from A0000001515350
# Final parameters: 81020370
A>> T=1 (4+0043) 84E60C00 2B 07A000000151535008A0000001515350410501010101010380000006C9048102037000D3D46B94C5B9E541 00
A<< (0001+2) (1ms) 00 9000
# SCardEndTransaction("Oracle Simulator 00 00") in 78ms
# SCardDisconnect("Oracle Simulator 00 00", false) tx:226/rx:1121 in 86ms
# gp -c 0101010101 -lock default -dvi
# GlobalPlatformPro unsupported
# Running on Linux 6.12.57 amd64, Java 21.0.9 by N/A
# SCardConnect("Oracle Simulator 00 00", T=*) -> T=1, 3B9F968131FE454F52434C2D4A43332E324750322E3323
# SCardBeginTransaction("Oracle Simulator 00 00")
A>> T=1 (4+0005) 00A40400 05 0101010101 00
A<< (0096+2) (1ms) 6F5E84050101010101A555734B06072A864886FC6B01600B06092A864886FC6B020202630906072A864886FC6B03640B06092A864886FC6B040370650D060B2A864886FC6B0507020100660C060A2B060104012A026E01039F6E01079F6501FE 9000
A>> T=1 (4+0000) 80CA9F7F 00 
A<< (0045+2) (1ms) 9F7F2A000000000000000000000000000000000000000000000000000000000000000000000000000000000000 9000
CPLC: ICFabricator=0000
      ICType=0000
      OperatingSystemID=0000
      OperatingSystemReleaseDate=0000 (invalid date format)
      OperatingSystemReleaseLevel=0000
      ICFabricationDate=0000 (invalid date format)
      ICSerialNumber=00000000
      ICBatchIdentifier=0000
      ICModuleFabricator=0000
      ICModulePackagingDate=0000 (invalid date format)
      ICCManufacturer=0000
      ICEmbeddingDate=0000 (invalid date format)
      ICPrePersonalizer=0000
      ICPrePersonalizationEquipmentDate=0000 (invalid date format)
      ICPrePersonalizationEquipmentID=00000000
      ICPersonalizer=0000
      ICPersonalizationDate=0000 (invalid date format)
      ICPersonalizationEquipmentID=00000000

A>> T=1 (4+0000) 80CA0042 00 
A<< (0000+2) (1ms) 6A88
A>> T=1 (4+0000) 80CA0045 00 
A<< (0000+2) (1ms) 6A88
A>> T=1 (4+0000) 80CA00CF 00 
A<< (0012+2) (1ms) CF0A56320000000000000000 9000
KDD: CF0A56320000000000000000
A>> T=1 (4+0000) 80CA00C1 00 
A<< (0005+2) (0ms) C103000001 9000
SSC: C103000001
Card Data: 
A>> T=1 (4+0000) 80CA0066 00 
A<< (0079+2) (0ms) 664D734B06072A864886FC6B01600B06092A864886FC6B020202630906072A864886FC6B03640B06092A864886FC6B040370650D060B2A864886FC6B0507020100660C060A2B060104012A026E0103 9000
Tag 6: 1.2.840.114283.1
-> Global Platform card
Tag 60: 1.2.840.114283.2.2.2
-> GP Version: 2.2
Tag 63: 1.2.840.114283.3
-> GP card is uniquely identified by the Issuer Identification Number (IIN) and Card Image Number (CIN)
Tag 6: 1.2.840.114283.4.3.112
-> GP SCP03 (i=70)
Tag 66: 1.3.6.1.4.1.42.2.110.1.3
-> JavaCard v3
Card Capabilities: 
A>> T=1 (4+0000) 80CA0067 00 
A<< (0055+2) (0ms) 6735A00C8001038104102060708201078103FFFFC082031E8E008302010284018E8501388602FB03870DFB038800000102030405060708 9000
Supports SCP03 i=10 i=20 i=60 i=70 with AES-128 AES-196 AES-256
Supported DOM privileges: SecurityDomain, DAPVerification, DelegatedManagement, CardLock, CardTerminate, CardReset, CVMManagement, MandatedDAPVerification, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, GlobalService, ReceiptGeneration, CipheredLoadFileDataBlock
Supported APP privileges: CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, GlobalLock, GlobalRegistry, FinalApplication
Supported LFDB hash: SHA-1, SHA-256
Supported Token Verification ciphers: CMAC_AES128, CMAC_AES192, CMAC_AES256
Supported Receipt Generation ciphers: RSA1024_SHA1, RSAPSS_SHA256, CMAC_AES128, CMAC_AES192, CMAC_AES256, ECCP256_SHA256, ECCP384_SHA384, ECCP512_SHA512, ECCP521_SHA512
Supported DAP Verification ciphers: RSA1024_SHA1, RSAPSS_SHA256, CMAC_AES128, CMAC_AES192, CMAC_AES256, ECCP256_SHA256, ECCP384_SHA384, ECCP512_SHA512, ECCP521_SHA512
A>> T=1 (4+0000) 80CA00E0 00 
A<< (0002+2) (1ms) E000 9000

A>> T=1 (4+0008) 80500000 08 58E5B465F23436F0 00
A<< (0032+2) (1ms) 01010000000000000000010370C9F1AD7C5D6D18E10FAB0173644109CC000002 9000
A>> T=1 (4+0016) 84820100 10 5380A0E93500AB9400461B786A318D14 00
A<< (0000+2) (1ms) 9000
# SCardEndTransaction("Oracle Simulator 00 00") in 69ms
# SCardDisconnect("Oracle Simulator 00 00", false) tx:87/rx:348 in 76ms

Additional context

This was also tested with gp version v25.10.20 and below, which worked fine.
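
Added example (not part of the original issue and not GlobalPlatformPro code): a small Python triage script for `gp -d` traces like the one in the full log. It names each command APDU by its INS byte and reports whether a session ever sent PUT KEY (INS D8). Treating PUT KEY as the command that would carry the new keys is an assumption, `parse_sessions`, `sent_put_key` and `failures` are hypothetical helper names, and the sample is an excerpt of the `-lock` session copied from the log.

```python
import re

# ISO 7816 / GlobalPlatform instruction bytes that appear in gp -d traces.
INS = {0xA4: "SELECT", 0xCA: "GET DATA", 0x50: "INITIALIZE UPDATE",
       0x82: "EXTERNAL AUTHENTICATE", 0xF2: "GET STATUS",
       0xE6: "INSTALL", 0xD8: "PUT KEY", 0xF0: "SET STATUS"}

CMD = re.compile(r"^A>> \S+ \(\d+\+\d+\) ([0-9A-F]{8})")
RSP = re.compile(r"^A<< \(\d+\+\d+\) \(\d+ms\)(?: [0-9A-F]+)? ([0-9A-F]{4})$")

def parse_sessions(trace):
    """Split a trace into sessions (one per '# gp ...' line) of (name, SW) pairs."""
    sessions, pending = [], None
    for line in trace.splitlines():
        line = line.strip()
        if line.startswith("# gp "):
            sessions.append({"cmd": line[2:], "apdus": []})
        elif (m := CMD.match(line)) and sessions:
            ins = int(m.group(1)[2:4], 16)      # header is CLA INS P1 P2
            pending = INS.get(ins, f"INS {ins:02X}")
        elif (m := RSP.match(line)) and pending:
            sessions[-1]["apdus"].append((pending, m.group(1)))
            pending = None
    return sessions

def sent_put_key(session):
    """True if the session issued PUT KEY (assumed to be how new keys are loaded)."""
    return any(name == "PUT KEY" for name, _ in session["apdus"])

def failures(session):
    """Commands whose status word was not 9000 (success)."""
    return [(n, sw) for n, sw in session["apdus"] if sw != "9000"]

# Excerpt of the -lock session from the log (SELECT and most GET DATA omitted).
SAMPLE = """\
# gp -c 0101010101 -lock default -dvi
A>> T=1 (4+0000) 80CA0042 00
A<< (0000+2) (1ms) 6A88
A>> T=1 (4+0000) 80CA00E0 00
A<< (0002+2) (1ms) E000 9000
A>> T=1 (4+0008) 80500000 08 58E5B465F23436F0 00
A<< (0032+2) (1ms) 01010000000000000000010370C9F1AD7C5D6D18E10FAB0173644109CC000002 9000
A>> T=1 (4+0016) 84820100 10 5380A0E93500AB9400461B786A318D14 00
A<< (0000+2) (1ms) 9000
"""

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["cmd"], [n for n, _ in s["apdus"]], "PUT KEY sent:", sent_put_key(s))
```

On the excerpt the session authenticates (INITIALIZE UPDATE, EXTERNAL AUTHENTICATE, both 9000) and then ends without any PUT KEY, which matches the reported error being raised on the host side before a key-loading command reaches the card.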
