New Contributor
DE_GSMA_seeker
Posts: 3
Registered: ‎06-07-2013
My Device: BB Z10

OS10: Signing an application (BAR-file) to access applet on secure element SIM fails

Hello,

 

I want to sign an application which should have access to an applet on secure element SIM (UICC). On SIM GPAC compliant access control rule files (PKCS#15) are installed, allowing access for certain hash values to certain applets (AIDs).

 

If I try to sign a BAR file (for secure element access) as it is described in the documentation here

http://developer.blackberry.com/native/documentation/bb10/com.qnx.doc.nfc/topic/manual/t_nfcdevguide...

 

"blackberry-signer -keystore selfsign.p12 -sigfile GPACACF -sigalg SHA512withRSA –storepass YOUR_PASSWORD -verbose YOUR_BAR_FILE.bar REAL_ALIAS"

(I replaced p12-filename, YOUR_PASSWORD, YOUR_BAR_FILE.bar and REAL_ALIAS by the correct values)

 

But I always get the error:
Error: -sigfile cannot be used when signing with more than one key at a time

 

Any idea what I am doing wrong?

 

 

Even if I try the same without using -sigfile GPACACF, the following error occurs:

Error: Failed to decrypt keystore, invalid store password or store password not supplied.
Exception in thread "main" java.lang.RuntimeException: Failed to decrypt keystore, invalid store password or store password not supplied.
        at net.rim.device.codesigning.barsigner.BarSigner.for(Unknown Source)
        at net.rim.device.codesigning.barsigner.BarSigner.if(Unknown Source)
        at net.rim.device.codesigning.barsigner.BarSigner.main(Unknown Source)

 

COD signing for accessing SIM cards for BB OS 7.1 worked fine.

 

Retired
robbieDubya
Posts: 418
Registered: ‎07-18-2012
My Device: Q10

Re: OS10: Signing an application (BAR-file) to access applet on secure element SIM fails

Hi,

 

A magical non-ASCII minus has snuck back into that page - please try your command again with a "-" (45) before storepass instead of a "–" (8211).

 

I will chase up with the docs team.

 

The argument ordering from above works with 10.1.0.1020 and 10.1.0.2345.

 

Thank you.

 

 

--
Rob is no longer associated with BlackBerry.
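
The check described in the reply above, as an added example (not part of the original thread and not BlackBerry tooling): it scans a pasted command for characters that look like "-" (45) but are not, such as "–" (8211), and repairs them where they lead an argument. The sample command is constructed from the one quoted in the question, with its placeholder values.

```python
import shlex
import unicodedata

# U+2212 MINUS SIGN is category Sm, so it is listed explicitly; the other
# look-alikes are caught through Unicode category Pd (dash punctuation).
EXTRA_LOOKALIKES = {"\u2212"}


def is_dash_lookalike(ch):
    """True for any dash-like character other than ASCII '-' (45)."""
    return ch != "-" and (unicodedata.category(ch) == "Pd" or ch in EXTRA_LOOKALIKES)


def suspicious_tokens(command):
    """Return (token, code point, Unicode name) for every dash look-alike."""
    findings = []
    for token in shlex.split(command):
        for ch in token:
            if is_dash_lookalike(ch):
                findings.append((token, ord(ch), unicodedata.name(ch)))
    return findings


def repair(command):
    """Replace a look-alike only where it leads a token, where an option prefix belongs."""
    fixed = []
    for token in shlex.split(command):
        if token and is_dash_lookalike(token[0]):
            token = "-" + token[1:]
        fixed.append(token)
    return fixed


# Constructed sample: the command shape from the thread, placeholder values kept.
PASTED = ("blackberry-signer -keystore selfsign.p12 -sigfile GPACACF "
          "-sigalg SHA512withRSA \u2013storepass YOUR_PASSWORD -verbose "
          "YOUR_BAR_FILE.bar REAL_ALIAS")

if __name__ == "__main__":
    for token, cp, name in suspicious_tokens(PASTED):
        print(f"{token!r}: U+{cp:04X} ({cp}) {name}")
    print(" ".join(repair(PASTED)))
```
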
New Contributor
DE_GSMA_seeker
Posts: 3
Registered: ‎06-07-2013
My Device: BB Z10

Re: OS10: Signing an application (BAR-file) to access applet on secure element SIM fails

Thanks for your help.

Now I know why copy and paste is not always a good thing.

 

I still have problems signing the application with the existing certificate, as its SHA1 hash is already provisioned on customer's SIM cards.

 

Here I tried to use a Java Keystore (only p12 seems to be supported):

Error: Keystore load: Unexpected tag found: [Private 30]  != Sequence  [Decoding class: com.trustpoint.pkcs.pkcs12.PFX]
Exception in thread "main" java.lang.RuntimeException: Keystore load: Unexpected tag found: [Private 30]  != Sequence  [Decoding class: com.trustpoint.pkcs.pkcs12.PFX]
        at net.rim.device.codesigning.barsigner.BarSigner.for(Unknown Source)
        at net.rim.device.codesigning.barsigner.BarSigner.if(Unknown Source)
        at net.rim.device.codesigning.barsigner.BarSigner.main(Unknown Source)

 

With equivalent P12 file, the following error appears:

Error: Keystore load: Unexpected tag found: [Private 30]  != Sequence  [Decoding class: com.trustpoint.pkcs.pkcs12.PFX]
Exception in thread "main" java.lang.RuntimeException: Keystore load: Unexpected tag found: [Private 30]  != Sequence  [Decoding class: com.trustpoint.pkcs.pkcs12.PFX]
        at net.rim.device.codesigning.barsigner.BarSigner.for(Unknown Source)
        at net.rim.device.codesigning.barsigner.BarSigner.if(Unknown Source)
        at net.rim.device.codesigning.barsigner.BarSigner.main(Unknown Source)

 

The issue seems to be related to the new mandatory signature algorithm (sha512withRSA) as previously for BB OS7 sha1withRSA was used.

 

Well, it works with a new signature created as described in the document, so I think the access conditions file in PKCS#15 file system on UICC has to be updated with the new SHA1 hash.

 

Kind regards and thanks,

DE_GSMA_seeker

Retired
robbieDubya
Posts: 418
Registered: ‎07-18-2012
My Device: Q10

Re: OS10: Signing an application (BAR-file) to access applet on secure element SIM fails

Hi,

 

You shouldn't need to use a different certificate. That would be a deployment pain for multiple platforms...

 

P12 is the preferred input type - can you try a fresh conversion from JKS to P12 please?

 

keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12

Does your existing p12 work with 3rd party tools like openssl?

 

The trustpoint exception message happens when unexpected ASN.1 structures are in the file. If you're reading a non P12 or if you're reading a base64 (PEM) encoding (my tests indicate it expects binary encoded only) you should see slightly different variations of these errors.

 

The SHA is used by blackberry-signer itself - the alg used in the certificate doesn't matter - it just takes your RSA key and performs a SHA512withRSA on the .bar contents. (If you had a very small RSA key - the SHA512 would not be possible - but there's no sign of that here)

 

Thanks.

--
Rob is no longer associated with BlackBerry.
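
A way to check which container a keystore file really is before passing it to the signer, as an added example (not from the thread and not BlackBerry or Trustpoint code). It decodes the first byte as an ASN.1 identifier octet: 0xFE, the first byte of the JKS magic number 0xFEEDFEED, decodes to class Private, tag number 30, which is the tag named in the errors quoted earlier in the thread, while a binary PKCS#12 file opens with 0x30 (SEQUENCE) followed by the INTEGER version 3. The sample byte strings and file names are constructed headers with no key material.

```python
ASN1_CLASSES = ("Universal", "Application", "Context", "Private")


def first_tag(data):
    """Decode the first identifier octet: (class, constructed, tag number).
    Low-tag-number form only (tag numbers 0-30), enough for a file's first byte."""
    octet = data[0]
    return ASN1_CLASSES[octet >> 6], bool(octet & 0x20), octet & 0x1F


def pfx_version(data):
    """Skip the outer SEQUENCE header and return the INTEGER that opens a PFX."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    pos = 2
    if data[1] & 0x80:  # long-form length (0x80 alone is BER indefinite length)
        pos += data[1] & 0x7F
    field = data[pos:pos + 3]
    if len(field) == 3 and field[:2] == b"\x02\x01":
        return field[2]
    return None


def sniff_keystore(data):
    """Classify a keystore by its leading bytes, whatever its file extension says."""
    if data[:4] == b"\xfe\xed\xfe\xed":
        return "JKS"
    if data[:4] == b"\xce\xce\xce\xce":
        return "JCEKS"
    text = data.lstrip()
    if text.startswith(b"-----BEGIN") or text.startswith(b"MII"):
        return "base64/PEM text"
    if pfx_version(data) == 3:
        return "binary PKCS#12"
    return "unknown"


# Constructed samples: headers only, hypothetical file names.
SAMPLES = {
    "keystore.jks": b"\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x01",
    "renamed-jks.p12": b"\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x01",
    "keystore.p12": b"\x30\x82\x09\xa1\x02\x01\x03\x30\x82\x09\x67",
    "keystore.pem": b"-----BEGIN PRIVATE KEY-----\nMIIEvQ",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name}: {sniff_keystore(head)}, first tag {first_tag(head)}")
```

For a real file, reading the first 16 bytes in binary mode is enough input for `sniff_keystore`.
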
New Contributor
DE_GSMA_seeker
Posts: 3
Registered: ‎06-07-2013
My Device: BB Z10

Re: OS10: Signing an application (BAR-file) to access applet on secure element SIM fails

Thanks for your help. I made another conversion and now it works. No changes to SIM cards necessary.

Retired
robbieDubya
Posts: 418
Registered: ‎07-18-2012
My Device: Q10

Re: OS10: Signing an application (BAR-file) to access applet on secure element SIM fails

Great! Glad to hear that it's working!

--
Rob is no longer associated with BlackBerry.
Developer
alishaik786
Posts: 285
Registered: ‎08-26-2011
My Device: 9900

Re: OS10: Signing an application (BAR-file) to access applet on secure element SIM fails

Hi,

 

Can you please let me know which changes you applied? I am getting the same error with my Mac.

I would be glad. I am stuck only on this process.

--
Regards,

ALI SHAIK.