I have a Javacard which contains a SSD (Supplementary Security Domain) and I want to delete it. Normally when I want to delete an applet or a package from my card, I send the following DELETE APDU command after a successful Mutual Authentication process (No MAC or data field encryption is required and Security Level == 0
is enough for DELETE APDU command):
--> 80 E4 00 00 LC 4F <AID Len> <AID>
<-- 90 00
The command above works fine for normal applets. But when I put the AID of my SSD in it, then the card responds with 69 85 status words, which means "Conditions of use not satisfied.".
Since Delegated Management feature is enabled in my card and a Public Token key and a Receipt key are loaded in the ISD, I thought maybe the mentioned error is due to not using the Delete Token in the DELETE APDU command. So I calculated the Delete Token as below:
Global Platform Card Specification 2.2.0.7 : Figure C-8: Delete Token Calculation
DeleteToken = RSA_Sign("00 00 LC 4F <SSD AID Len> <SSD AID>", TokenPrivateKey)
And then I tried to delete the SSD using the follwing command:
--> 80 E4 00 00 <LC+Len(DeleteToken)> 4F <SSD AID Len> <SSD AID> 9E <Len(DeleteToken> <DeleteToken>
<-- 69 85
But I got the 6985 status words again. Does anyone have any idea where the problem is and how I can solve it?
Update:
I even tried the DELETE APDU command with P2 = 0x80
to delete the SSD with all the related objects. But it failed too:
--> 80 E4 00 80 09 4F <SSD AID Len> <SSD AID>
<-- 6A 86 (= Incorrect P1 or P2 parameter)
Update2:
I even tried to send the DELETE APDU command in a secure channel (SecLevel = 03). But again, I received 6985 status words. Which hash algorithm am I need to use to generate the Delete Token? As far as I know, The GP Specification doesn't specify the hash algorithm.
Update3:
The mentioned SSD is instanciated from the card's ISD package with 0E
privilege, which means:
Security Domain + Delegated Management + DAP verification
Update4:
I think I found the issue!
Quouted from 2.1.1_Mapping_guidelines_v1.0.1-Final.pdf:
6.1. DELETE
6.1.2. Recommendation
Data Field Sent in the Command Message
(blah blah)
On an implementation supporting Supplementary Security Domains, if an attempt is being made to delete an instance of a Supplementary Security Domain and the Supplementary Security Domain has the DAP Verification privilege (bit 7 of the privileges byte set), the Security Domain is not deleted and a response of '6985' is returned.
Question1: Any idea why it is implemented/recommended like this? What is the purpose of making this type of SSD (SSD with DAP Verification privilege) non-removable?
Update5:
I've tried to change the priveleges of my SSD to remove DAP Verification privelege from it using INSTALL For REGISTRY UPDATE and then delete the SSD. But it failed with 6A 80
status words (Which means "The parameters in the data field are incorrect").
--> 00 A4 04 00 08 A0 00 00 00 03 00 00 00
<-- 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 01 FF 90 00
--> 80 50 00 00 08 DF 4B 4B B7 15 35 5A 93
<-- 00 00 41 89 00 24 94 97 41 21 01 02 00 77 5C 2B 50 27 5A F4 8A 18 C0 8B 2D C2 20 50 90 00
--> 84 82 00 00 10 30 AD 04 C4 60 A2 80 8B 5A 61 7E 49 3A 39 B6 C6
<-- 90 00
--> 80 E6 40 00 16 08 A0 00 00 00 03 00 00 00 00 07 <SSD AID> 01 80 00 00
<-- 6A 80
Question2: What's wrong with the INSTALL For Registry Update command?