Delegated Management

Martin Paljak edited this page Oct 3, 2024 · 4 revisions

Note

Currently only RSA delegated management tokens are supported.

Delegated Management permission for a security domain means that a controlling authority (the one holding the delegated management key) needs to authorize card management operations (loading, installing, deleting, extradition) executed by the SSD.

GlobalPlatformPro can generate delegated management tokens on the fly, or use a token provided by a 3rd party.

When issuing a command to a security domain with DelegatedManagement privilege, the security domain with the TokenVerification privilege will verify the signature given over the command parameters.

For this, the verifying security domain (by default the ISD) needs to have the TokenVerification (public) key provisioned, with the key version number 0x70.

$ gp -connect 112233445566 -put-key path/to/private-or-public.pem -new-keyver 0x70

To authorize a command (like -load/-install/-domain/-create/-delete) with a delegated management token, either specify the path to the private key with -dm-key or the exact token with -dm-token. As a token only applies to a single operation, only one GlobalPlatform operation can be executed with a static token. Having access to the delegated management (private) key allows running more than one operation in one GPPro execution.

Receipt verification

Note

Currently only AES-CMAC receipts are supported.

To enable receipt verification when using delegated management authorized operations, specify the receipt key with --receipt-key. If the receipt verification fails, gp will exit with a non-zero exit code. To ignore receipt verification (while still providing the receipt key as an argument), use --force.
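
An added example, not part of GlobalPlatformPro or this wiki: shell wrappers that enforce one operation per static token and treat a non-zero gp exit as a failed operation or receipt check (they never pass --force). The function names and the GP and RECEIPT_KEY variables are assumptions, as is counting each option listed above as one operation.

```shell
#!/bin/sh
# Added example: wrappers for delegated-management (DM) operations with gp.
# GP, RECEIPT_KEY and the function names are assumptions of this example;
# every gp option used here is one named on this page.
GP="${GP:-gp}"

# Count card-management operations in an argument list.
# Assumption: each option the page lists starts exactly one operation.
count_ops() {
    n=0
    for a in "$@"; do
        case "$a" in
            -load|-install|-domain|-create|-delete) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Run gp with receipt verification. --force is never added, so a failed
# receipt check surfaces as a non-zero exit code and stops the caller.
run_verified() {
    [ -n "${RECEIPT_KEY:-}" ] || { echo "RECEIPT_KEY is not set" >&2; return 2; }
    rc=0
    "$GP" --receipt-key "$RECEIPT_KEY" "$@" || rc=$?
    [ "$rc" -eq 0 ] && return 0
    echo "gp exited with $rc: operation failed or receipt did not verify" >&2
    return 1
}

# Static token: it applies to a single operation, so reject anything else
# before the card is contacted.
dm_with_token() {
    token=$1; shift
    if [ "$(count_ops "$@")" -ne 1 ]; then
        echo "a static token authorizes exactly one operation" >&2
        return 2
    fi
    run_verified -dm-token "$token" "$@"
}

# DM private key: gp generates tokens on the fly, so several operations
# may share one invocation.
dm_with_key() {
    key=$1; shift
    [ -r "$key" ] || { echo "cannot read DM key: $key" >&2; return 2; }
    run_verified -dm-key "$key" "$@"
}
```

Call it as, for example, `dm_with_key path/to/private.pem -connect 112233445566 -install applet.cap`, where the file names are placeholders.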

Configuring Receipt Generation

A security domain with the ReceiptGeneration privilege is responsible for generating the receipts for executed operations. By default it is the Issuer Security Domain (ISD). To create a different domain, use:

$ gp -domain 112233445566 -privs ReceiptGeneration

To enable ReceiptGeneration, a key with version number 0x71 must be loaded into the security domain with the ReceiptGeneration privilege.

$ gp -connect 112233445566 -put-key aes:404142434445464748494a4b4c4d4e4f -new-keyver 0x71