How to install applets on SSD?

Question

I am trying to install a simple Javacard applet on a SSD in my card. But I receive 6985 (Condition of use not satisfied).

D:\CardTools> python install_on_ssd.py

Connected to Card. ATR: <Censored>

***** STEP 01: Mutual Auth with ISD
---> 00 A4 04 00 08 A0 00 00 01 51 00 00 00
<--- 90 00
---> 80 50 00 00 08 07 95 E3 6B 7C 2B 96 0B
<--- 00 00 12 81 18 38 33 20 19 73 01 02 00 37 59 40 AE F9 C1 36 A6 0D 5B 09 E0 8D 2E D1 90 00
---> 84 82 00 00 10 C2 BA 4C 00 80 78 96 5B 54 C1 2B A7 F4 C1 71 84
<--- 90 00

***** STEP 02 : Install SSD
---> 80 E6 0C 00 1E 07 A0 00 00 01 51 53 50 08 A0 00 00 01 51 53 50 41 06 11 22 33 44 55 66 01 84 02 C9 00 00
<--- 00 90 00

**** STEP 03 : Mutual Auth with SSD
---> 00 A4 04 00 06 11 22 33 44 55 66
<--- 90 00
---> 80 50 00 00 08 A3 AC D2 73 A3 98 1E A5
<--- 00 00 12 81 18 38 33 20 19 73 01 02 00 38 A1 10 A3 9D 71 D0 67 E2 0D 85 2F 7B 0B 5E 90 00
---> 84 82 03 00 10 96 F3 83 9A B6 E4 46 DA 5A 04 CA 54 CD EE 22 B2
<--- 90 00

**** STEP 04 : Update SSD GP Keys
---> 84 D8 00 81 50 D2 F8 63 2B CF 26 4C 32 65 B0 BD EF 67 B8 4B 5F 62 CA BD 63 8E 77 EE FB EB BC 88 54 15 4A 85 C8 9A CA CA C0 9F 9D 0C B8 77 41 0C A3 8A 00 41 5A CC E9 47 FA D8 46 9B EB FC C8 5A FE 4C 5A 78 C2 2D 97 CC B6 6A DC 18 04 BC DA 60 4C 94 23 9A 34
<--- 01 A4 B7 D6 A4 B7 D6 A4 B7 D6 90 00

***** STEP 05 : Mutual Auth with SSD
---> 00 A4 04 00 06 11 22 33 44 55 66
<--- 90 00
---> 80 50 00 00 08 AB ED 75 BE EE 42 24 DF
<--- 55 66 12 81 18 38 33 20 19 73 01 02 00 00 89 FF 49 11 CD A8 AA 11 09 4D 7D 1E 86 C1 90 00
---> 84 82 03 00 10 12 AA 56 F4 26 87 F6 43 A0 F1 9C A2 AD C4 CB AC
<--- 90 00

***** STEP 06 : Install Applet.
---> 84 E6 02 00 20 55 3D 9B F7 00 AC 2F 21 C7 0D 81 28 55 3D 83 F0 7C 1E CF 51 0F F0 78 57 BF 98 1C F5 9A 58 EF 0B
<--- **Fail** 69 85
Failed to install applet. INSTALL for LOAD returns 6985

Note that

1. I have tried different installation parameters and privileges in the STEP 02 (SSD installation), but in all cases I received the same SW in the applet installation step.
2. The sample applet which I want to install, does not import any special package. It only returns 9000 to all APDUs.

Answer 1

Please check if your SSD is able to manage its own contents. The privilege Authorized Management should be set for this. Also Delegated Management can be used for this. GP specification v2.3.1, sect. 9.3.2 defines these requirements.

Authorized Management can manage the whole card, Delegated Management needs a signed token. This token permits the installation of a single application. This signed token could be provided by the card issuer giving away part of the control to a different SSD to install an applet.

If none of these permissions is given, the SSD is a security container isolating the data from other SDs, but the SSD is not able to manage the contents. The SSD is still useful without this feature, e.g. to be able to isolate data so that the SSD cannot access shared data from the ISD or vice versa. Or to fulfill other GlobalPlatform tasks like DAP verification, Token Verification, ...