PIN still verified after reset / select?

[josecastillo]

I think I've run across a bug in jCardSim. Working on a test case, I discovered that if I verified a PIN, then reset the simulator with simulator.reset(), the PIN remained verified once the applet was re-selected. I made a simple applet and test case to demonstrate the issue. This test applet has two commands: VERIFY and GET DATA:

• The VERIFY command verifies the submitted PIN against a hard-coded value of 123456, using the standard OwnerPIN.check() method.
• The GET DATA command requires a verified PIN. It returns a test data object when presented with its identifier in P1P2.

The test case implements three tests:

1. GET DATA should fail before the PIN is submitted.
2. GET DATA should succeed after the PIN is submitted.
3. GET DATA should fail after the card is reset, but before the PIN has been resubmitted.

On a real Java Card, the following (abbreviated) transcript shows each case succeeding:

/select A00000FFFE0102030405
/send 00CA010000
 => 00 CA 01 00 00                                     .....
 <= 69 82                                              i.
/send 0020000006313233343536
 => 00 20 00 00 06 31 32 33 34 35 36                   . ...123456
 <= 90 00                                              ..
/send 00CA010000
 => 00 CA 01 00 00                                     .....
 <= 74 65 73 74 64 61 74 61 90 00                      testdata..
/atr
/select A00000FFFE0102030405
/send 00CA010000
 => 00 CA 01 00 00                                     .....
 <= 69 82                                              i.

The same test, executed on the jcardsim simulator, succeeds in cases 1 and 2, but in case 3, it fails:

[junit] ------------- Standard Output ---------------
[junit] Test 1: GET DATA should fail before PIN is presented.
[junit]  => 00 ca 01 00 
[junit]  <= 69 82 
[junit] 
[junit] Test 2: After successful presentation of PIN, GET DATA should succeed.
[junit]  => 00 20 00 00 06 31 32 33 34 35 36 
[junit]  <= 90 00 
[junit]  => 00 ca 01 00 
[junit]  <= 74 65 73 74 64 61 74 61 90 00 
[junit] 
[junit] Test 3: After a reset, but before PIN is presented, GET DATA command should fail.
[junit]  => 00 ca 01 00 
[junit]  <= 74 65 73 74 64 61 74 61 90 00 
[junit] ------------- ---------------- ---------------

The data object is returned despite the fact that the PIN has not been submitted. Is this a bug in jCardSim, or am I doing something wrong?

[licel]

Hi Joey,
Thank you very much for your report. You are right, jCardSim does not clean transient memory in OwnerPin. We will try to fix the problem asap.

[robertbachmann]

Hi @josecastillo,

The bug is present in jcardsim 2.2.2.
It was fixed in master. I've uploaded a SNAPSHOT of master to bintray.
See https://github.com/robertbachmann/PinDemo

[josecastillo]

Great! Two things though: one, I don't see the commit in master that fixed the issue. And two, do you know if this will be incorporated into an official release at some point?

[robertbachmann]

I don't see the commit in master that fixed the issue.

See commit 132be8d.

And two, do you know if this will be incorporated into an official release at some point?

The commit is on master, and should also be part of https://github.com/licel/jcardsim/blob/master/jcardsim-3.0.4-SNAPSHOT.jar

I don't know when 3.0.4 will be released.

[robertbachmann]

@licel, please close this issue.

[jonathancross]

Was there ever an official release for 3.0.4?