id: a513d136d3bf4f2dba8529b58f84057c
parent_id: e1b86b15c63643eeae519a63b65d7e4f
item_type: 1
item_id: 445891dba8674cae8b865a6fd2a3faf1
item_updated_time: 1781538236961
title_diff: "[]"
body_diff: "[{\"diffs\":[[0,\"15, rev \"],[-1,\"2\"],[1,\"3 — committed\"],[0,\")\\\n\\\nA 7-c\"]],\"start1\":601,\"start2\":601,\"length1\":17,\"length2\":29},{\"diffs\":[[0,\"let. **6\"],[-1,\"3\"],[1,\"4\"],[0,\" unit te\"]],\"start1\":733,\"start2\":733,\"length1\":17,\"length2\":17},{\"diffs\":[[0,\"ipeline \"],[-1,\"now \"],[0,\"mirrors \"]],\"start1\":808,\"start2\":808,\"length1\":20,\"length2\":16},{\"diffs\":[[0,\"nsition)\"],[1,\" and the container parser handles both available fixture packages\"],[0,\".\\\n\\\n### W\"]],\"start1\":903,\"start2\":903,\"length1\":16,\"length2\":81},{\"diffs\":[[0,\"ource`**\"],[1,\" + **`StaticCertificates`**\"],[0,\" | ✅ Don\"]],\"start1\":1659,\"start2\":1659,\"length1\":16,\"length2\":43},{\"diffs\":[[0,\"Input`.\\\n\"],[1,\"- **Static factory certificates** (`StaticCertificates`): ICA cert (DGI A004, `CN=FMC-NFC-ICA`) and CMS/Root cert (DGI A005, Ford Motor Company KeyFob CA) are loaded from shared files and verified identical across both fixture containers.\\\n\"],[0,\"- Simula\"]],\"start1\":2602,\"start2\":2602,\"length1\":16,\"length2\":255},{\"diffs\":[[0,\" data (6\"],[-1,\"3\"],[1,\"4\"],[0,\" tests, \"]],\"start1\":3032,\"start2\":3032,\"length1\":17,\"length2\":17},{\"diffs\":[[0,\"ard-fail\"],[1,\", **TX audit entries redacted** (no secrets in audit record), **empty personalization_items rejected**, **DGI tag length validated before indexing**.\\\n\\\n### Code Review Status\\\nTwo review passes completed. All CRITICAL findings fixed (panic on short DGI, silent empty-success, audit secret leak). All WARNING findings fixed (applet auth bypass on empty-data STORE DATA, SPID parser fragility, dead `max_block_data` config). Remaining SUGGESTION-level items: orphaned `handle_set_status`/`ins::SET_STATUS`, unused `lifecycle()`/`is_factory()` accessors\"],[0,\".\\\n\\\n### S\"]],\"start1\":3169,\"start2\":3169,\"length1\":16,\"length2\":564},{\"diffs\":[[0,\"are.\"],[-1,\"\\\n- **ICA/Root certificates (DGI A004/A005)** — not in per-fob container; need source (fixed config or DLL/SO).\"],[0,\"\\\n\\\n##\"]],\"start1\":4038,\"start2\":4038,\"length1\":118,\"length2\":8},{\"diffs\":[[0,\"\\\"** for \"],[-1,\"the \"],[0,\"findings\"]],\"start1\":4269,\"start2\":4269,\"length1\":20,\"length2\":16},{\"diffs\":[[0,\"ngs \"],[-1,\"from the code analysis and the items deferred to the real-card / JCShell step\"],[1,\"and open questions\"],[0,\".\\\n\\\n#\"]],\"start1\":4282,\"start2\":4282,\"length1\":85,\"length2\":26},{\"diffs\":[[0,\".\\\n2.\"],[-1,\" **ICA/Root cert source** — determine where DGI A004/A005 certificates come from (factory-wide constants, DLL/SO, or KLMS).\\\n3.\"],[0,\" **D\"]],\"start1\":4452,\"start2\":4452,\"length1\":134,\"length2\":8},{\"diffs\":[[0,\"ilable.\\\n\"],[-1,\"4\"],[1,\"3\"],[0,\". **KLMS\"]],\"start1\":4527,\"start2\":4527,\"length1\":17,\"length2\":17},{\"diffs\":[[0,\"nalized.\"],[1,\"\\\n4. **Key Version strategy** — confirm KVN=255 vs production value with KLMS.\"],[0,\"\\\n\\\n---\\\n\\\n#\"]],\"start1\":4598,\"start2\":4598,\"length1\":16,\"length2\":93},{\"diffs\":[[0,\"rypted |\"],[-1,\"\\\n\"],[1,\" Per-fob? |\\\n|---\"],[0,\"|---|---\"]],\"start1\":5146,\"start2\":5146,\"length1\":17,\"length2\":32},{\"diffs\":[[0,\"S-DEK) |\"],[1,\" Yes |\"],[0,\"\\\n| `A001\"]],\"start1\":5280,\"start2\":5280,\"length1\":16,\"length2\":22},{\"diffs\":[[0,\"text) | No |\"],[1,\" Yes |\"],[0,\"\\\n| `A002` | \"]],\"start1\":5358,\"start2\":5358,\"length1\":24,\"length2\":30},{\"diffs\":[[0,\"icate | DER (424\"],[1,\"/422\"],[0,\" bytes) | No |\\\n|\"]],\"start1\":5401,\"start2\":5401,\"length1\":32,\"length2\":36},{\"diffs\":[[0,\"ytes) | No |\"],[1,\" Yes |\"],[0,\"\\\n| `A004` | \"]],\"start1\":5423,\"start2\":5423,\"length1\":24,\"length2\":30},{\"diffs\":[[0,\" | DER (\"],[-1,\"~\"],[0,\"435 byte\"]],\"start1\":5468,\"start2\":5468,\"length1\":17,\"length2\":16},{\"diffs\":[[0,\"ytes) | No |\"],[1,\" **No** (static) |\"],[0,\"\\\n| `A005` | \"]],\"start1\":5481,\"start2\":5481,\"length1\":24,\"length2\":42},{\"diffs\":[[0,\" | DER (\"],[-1,\"~\"],[0,\"722 byte\"]],\"start1\":5543,\"start2\":5543,\"length1\":17,\"length2\":16},{\"diffs\":[[0,\") | No |\"],[1,\" **No** (static) |\"],[0,\"\\\n| `A006\"]],\"start1\":5560,\"start2\":5560,\"length1\":16,\"length2\":34},{\"diffs\":[[0,\"s | No |\"],[1,\" Yes |\"],[0,\"\\\n\\\n### DG\"]],\"start1\":5615,\"start2\":5615,\"length1\":16,\"length2\":22},{\"diffs\":[[0,\" | DER (\"],[1,\"422-\"],[0,\"424 byte\"]],\"start1\":7206,\"start2\":7206,\"length1\":16,\"length2\":20},{\"diffs\":[[0,\"\\\n\\\n**\"],[-1,\"Private key scalar extraction**: In PKCS#8 DER, the 32-byte scalar appears as `OCTET STRING(04) || length(20) || 32 bytes`. We scan for the `04 20` byte pair, unique in this encoding.\\\n\\\n**IRK decoding**: Base64 standard alphabet → 16 raw bytes.\"],[1,\"Static factory certificates** (shared across all fobs):\\\n\\\n| File | Content | DGI |\\\n|---|---|---|\\\n| `ica_cert.der` | ICA intermediate CA cert (`CN=FMC-NFC-ICA`, issuer `CN=FMC-NFC-ROOT`, 435 bytes) | `A004` |\\\n| `cms_root_cert.der` | CMS/Root CA cert (Ford Motor Company KeyFob Pair ECC Issuing CA, 722 bytes) | `A005` |\\\n\\\nThese are loaded via `StaticCertificates::from_dir()` and are **byte-for-byte identical** across both fixture containers (verified).\\\n\\\n**Private key scalar extraction**: In PKCS#8 DER, the 32-byte scalar appears as `OCTET STRING(04) || length(20) || 32 bytes`. We scan for the `04 20` byte pair, which appears in the private key OCTET STRING before the public key BIT STRING in DER ordering.\\\n\\\n**IRK decoding**: Base64 standard alphabet → 16 raw bytes.\\\n\\\n### Fixture Packages Available\\\n\\\n| FESN | SPID Hash | Device Cert CN | Cert Size |\\\n|---|---|---|---|\\\n| `1KM0001E` | `59918C0096F859EC8BF6DA454E2E554A14DD4BD1` | `CN=1KM0001E` | 424 bytes |\\\n| `1KM0001F` | `95F12CA4718013F85A5F7C1F02C1382E2F03C7AB` | `CN=1KM0001F` | 422 bytes |\"],[0,\"\\\n\\\n--\"]],\"start1\":7423,\"start2\":7423,\"length1\":251,\"length2\":1054},{\"diffs\":[[0,\"--\\\n\\\n\"],[-1,\"## KLMS API Contract\\\n\\\n### Request (EoL → Clypeum)\\\n```json\\\n{\\\n  \\\"fob_uid\\\": \\\"112233445566778899AA\\\",\\\n  \\\"reader_id\\\": \\\"LINE_04_READER_01\\\"\\\n}\\\n```\\\n\\\n### Response (Clypeum → EoL)\\\n```json\\\n{\\\n  \\\"transaction_id\\\": \\\"trx_889900\\\",\\\n  \\\"key_version\\\": 3,\\\n  \\\"scp03_static_keys\\\": {\\\n    \\\"enc\\\": \\\"A1B2C3D4E5F600A1B2C3D4E5F60011\\\",\\\n    \\\"mac\\\": \\\"A1B2C3D4E5F600A1B2C3D4E5F60022\\\",\\\n    \\\"dek\\\": \\\"A1B2C3D4E5F600A1B2C3D4E5F60033\\\"\\\n  },\\\n  \\\"personalization_items\\\": [\\\n    {\\\"dgi\\\": \\\"a003\\\", \\\"data\\\": \\\"EE0783A0...\\\", \\\"encrypt_with_dek\\\": true},\\\n    {\\\"dgi\\\": \\\"a001\\\", \\\"data\\\": \\\"3539393138...\\\", \\\"encrypt_with_dek\\\": false}\\\n  ],\\\n  \\\"post_perso_commands\\\": [\\\n    {\\\"cla\\\": 0, \\\"ins\\\": 219, \\\"p1\\\": 0, \\\"p2\\\": 0, \\\"data\\\": \\\"0A0101\\\"}\\\n  ]\\\n}\\\n```\\\n\\\n### Audit Response (EoL → Clypeum)\\\n```json\\\n{\\\n  \\\"transaction_id\\\": \\\"trx_889900\\\",\\\n  \\\"fob_uid\\\": \\\"11223344556677\\\",\\\n  \\\"timestamp_iso8601\\\": \\\"2026-06-15T14:32:01Z\\\",\\\n  \\\"overall_result\\\": \\\"SUCCESS\\\",\\\n  \\\"stage_reached\\\": \\\"POST_PERSONALIZATION\\\",\\\n  \\\"apdu_trace\\\": [\\\n    {\\\"direction\\\": \\\"TX\\\", \\\"apdu_hex\\\": \\\"8050000008000300000000\\\"},\\\n    {\\\"direction\\\": \\\"RX\\\", \\\"apdu_hex\\\": \\\"0000314A2B3C...9000\\\", \\\"sw1\\\": \\\"90\\\", \\\"sw2\\\": \\\"00\\\"}\\\n  ],\\\n  \\\"eol_station_id\\\": \\\"LINE-04-PC-12\\\"\\\n}\\\n```\\\n\\\n---\\\n\\\n\"],[0,\"## P\"]],\"start1\":10864,\"start2\":10864,\"length1\":1131,\"length2\":8},{\"diffs\":[[0,\"nnel\"],[-1,\"\\\n- Use these samples for:\\\n  - Validating INITIALIZE UPDATE / EXTERNAL AUTHENTICATE flow\\\n  - Testing secure messaging wrap/unwrap\\\n  - Verifying APDU construction before production key infrastructure is ready\"],[0,\"\\\n\\\n--\"]],\"start1\":11976,\"start2\":11976,\"length1\":214,\"length2\":8},{\"diffs\":[[0,\" |\\\n\\\n\"],[-1,\"Ford has **no involvement** in card management keys.\\\n\\\n\"],[0,\"---\\\n\"]],\"start1\":12404,\"start2\":12404,\"length1\":62,\"length2\":8},{\"diffs\":[[0,\"``\\\n\\\n\"],[-1,\"The 10-byte UID from JCOP is only part of the diversification data. Remaining bytes are **issuer-defined** (Ford/security policy) and can include random nonces, batch IDs, or system constants. Must be consistent between KLMS and card.\\\n\\\n\"],[0,\"---\\\n\"]],\"start1\":12817,\"start2\":12817,\"length1\":244,\"length2\":8},{\"diffs\":[[0,\"/A005) —\"],[1,\" resolved:\"],[0,\" factory\"]],\"start1\":14658,\"start2\":14658,\"length1\":16,\"length2\":26},{\"diffs\":[[0,\"ide \"],[-1,\"or per-fob?\"],[1,\"static, loaded from shared dir\\\n- [ ] SPID derivation — verified: NOT SHA-1 of FESN; comes from external source (directory name)\"],[0,\"\\\n\\\n--\"]],\"start1\":14686,\"start2\":14686,\"length1\":19,\"length2\":135},{\"diffs\":[[0,\"-15 rev \"],[-1,\"2\"],[1,\"3\"],[0,\" with JC\"]],\"start1\":14880,\"start2\":14880,\"length1\":17,\"length2\":17},{\"diffs\":[[0,\"r parser\"],[1,\" + static certs + dual-fixture validation + code review fixes\"],[0,\".*\"]],\"start1\":14949,\"start2\":14949,\"length1\":10,\"length2\":71}]"
metadata_diff: {"new":{},"deleted":[]}
encryption_cipher_text: 
encryption_applied: 0
updated_time: 2026-06-15T15:46:56.912Z
created_time: 2026-06-15T15:46:56.912Z
type_: 13