tem_ruby 0.9.2 → 0.10.0

data/CHANGELOG

@@ -1,3 +1,5 @@
+v0.10.0. New transport code, allowing for multiple readers and TEM proxying.
+
 v0.9.2. Changed exec-SECpack calling sequence for fw 1.9.1(fire, the released version).
 
 v0.9.1. Cleaner names for the pstore data types and opcode arguments. "Bound" instead of "sealed" SECpack. 

data/Manifest

@@ -1,45 +1,56 @@
-bin/tem_stat
+bin/tem_bench
 bin/tem_ca
 bin/tem_irb
-bin/tem_bench
-Manifest
-LICENSE
-test/test_driver.rb
-test/test_tem.rb
-test/test_exceptions.rb
-test/_test_cert.rb
-timings/vm_perf.rb
-timings/devchip_decrypt.rb
-timings/simple_apdu.rb
-timings/post_buffer.rb
-timings/blank_bound_secpack.rb
-timings/vm_perf_bound.rb
-timings/timings.rb
-timings/blank_sec.rb
-lib/scard/java_card.rb
-lib/scard/jcop_remote_terminal.rb
-lib/scard/pcsc_terminal.rb
-lib/tem_ruby.rb
-lib/tem/tag.rb
-lib/tem/keys.rb
-lib/tem/sec_opcodes.rb
+bin/tem_proxy
+bin/tem_stat
+CHANGELOG
+dev_ca/ca_cert.cer
+dev_ca/ca_cert.pem
+dev_ca/ca_key.pem
+dev_ca/config.yml
 lib/tem/_cert.rb
-lib/tem/buffers.rb
-lib/tem/toolkit.rb
-lib/tem/tem.rb
 lib/tem/abi.rb
-lib/tem/crypto_abi.rb
+lib/tem/auto_conf.rb
+lib/tem/buffers.rb
 lib/tem/ca.rb
-lib/tem/secpack.rb
-lib/tem/sec_exec_error.rb
-lib/tem/sec_assembler.rb
-lib/tem/lifecycle.rb
+lib/tem/crypto_abi.rb
 lib/tem/ecert.rb
 lib/tem/hive.rb
+lib/tem/keys.rb
+lib/tem/lifecycle.rb
+lib/tem/sec_assembler.rb
+lib/tem/sec_exec_error.rb
+lib/tem/sec_opcodes.rb
 lib/tem/seclosures.rb
+lib/tem/secpack.rb
+lib/tem/tag.rb
+lib/tem/tem.rb
+lib/tem/toolkit.rb
+lib/tem/transport/auto_configurator.rb
+lib/tem/transport/java_card_mixin.rb
+lib/tem/transport/jcop_remote_protocol.rb
+lib/tem/transport/jcop_remote_server.rb
+lib/tem/transport/jcop_remote_transport.rb
+lib/tem/transport/pcsc_transport.rb
+lib/tem/transport/transport.rb
+lib/tem_ruby.rb
+LICENSE
+Manifest
+Rakefile
 README
-CHANGELOG
-dev_ca/ca_cert.cer
-dev_ca/ca_cert.pem
-dev_ca/ca_key.pem
-dev_ca/config.yml
+test/_test_cert.rb
+test/tem_test_case.rb
+test/test_driver.rb
+test/test_exceptions.rb
+test/test_tem.rb
+test/transport/test_auto_configurator.rb
+test/transport/test_java_card_mixin.rb
+test/transport/test_jcop_remote.rb
+timings/blank_bound_secpack.rb
+timings/blank_sec.rb
+timings/devchip_decrypt.rb
+timings/post_buffer.rb
+timings/simple_apdu.rb
+timings/timings.rb
+timings/vm_perf.rb
+timings/vm_perf_bound.rb

data/Rakefile

@@ -0,0 +1,23 @@
+require 'rubygems'
+gem 'echoe'
+require 'echoe'
+
+Echoe.new('tem_ruby') do |p|
+  p.project = 'tem' # rubyforge project
+  p.docs_host = "costan@rubyforge.org:/var/www/gforge-projects/tem/rdoc/"
+  
+  p.author = 'Victor Costan'
+  p.email = 'victor@costan.us'
+  p.summary = 'TEM (Trusted Execution Module) driver, written in and for ruby.'
+  p.url = 'http://tem.rubyforge.org'
+  p.dependencies = ['smartcard >=0.3.0']
+  
+  p.need_tar_gz = !Platform.windows?
+  p.need_zip = !Platform.windows?
+  p.rdoc_pattern = /^(lib|bin|tasks|ext)|^BUILD|^README|^CHANGELOG|^TODO|^LICENSE|^COPYING$/  
+end
+
+if $0 == __FILE__
+  Rake.application = Rake::Application.new
+  Rake.application.run
+end

data/bin/tem_irb

@@ -6,13 +6,6 @@ require 'tem_ruby'
 
 require 'irb'
 
-$terminal = Tem::SCard::JCOPRemoteTerminal.new
-unless $terminal.connect
-  $terminal.disconnect
-  $terminal = Tem::SCard::PCSCTerminal.new
-  $terminal.connect
-end
-$javacard = Tem::SCard::JavaCard.new($terminal)
-$tem = Tem::Session.new($javacard)
+Tem.auto_conf
 
 IRB.start __FILE__

data/bin/tem_proxy

@@ -0,0 +1,65 @@
+#!/usr/bin/env ruby
+
+# TEM transport-level proxy.
+# Serves a TCP connection
+
+require 'logger'
+
+require 'rubygems'
+require 'tem_ruby'
+
+# JCOP remote serving logic implementing a proxy to another transport. 
+class ServingLogic
+  include Tem::Transport::JcopRemoteServingStubs
+  def initialize(serving_transport, logging = false)
+    @serving = serving_transport
+    @logger = Logger.new STDERR
+    @logger.level = logging ? Logger::DEBUG : Logger::FATAL
+    @connected = true
+  end
+  def connection_start
+    @logger.info "Connection start"
+    unless @connected
+    	@serving.connect 
+    	@connected = true
+    end
+  end
+  def connection_end
+    @logger.info "Connection end"
+    @serving.disconnect if @connected
+    @connected = false
+  end
+  def exchange_apdu(apdu)
+    @logger.info "APDU request: #{apdu.map { |n| '%02x' % n }.join(' ')}"
+    response = @serving.exchange_apdu apdu
+    @logger.info "APDU response: #{response.map { |n| '%02x' % n }.join(' ')}"
+    response
+  end
+end
+
+# Indefinitely runs a JCOP remove serving loop that proxies to another TEM
+# transport.
+#
+# The TEM transport is automatically configured based on environment information
+# and defaults. 
+#
+def serve(options)
+  @logger = Logger.new STDERR
+  @logger.level = options[:logging] ? Logger::DEBUG : Logger::FATAL
+
+  serving_transport = Tem::Transport.auto_transport
+  @logger.info "Proxying to #{serving_transport.inspect}\n"
+  @logger.info "Serving with #{options.inspect}\n"
+  serving_logic = ServingLogic.new serving_transport, options[:logging]
+  Tem::Transport::JcopRemoteServer.new(options, serving_logic).run
+end
+
+# Parses the commmand-line arguments into an options hash suitable for #serve.
+def parse_args
+  { :ip => ARGV[1] || '0.0.0.0', :port => (ARGV[0] || '9000').to_i,
+    :logging => !(ENV['DEBUG'] &&
+                  ['0', 'no', 'false'].include?(ENV['DEBUG'].downcase)) }
+end
+
+options = parse_args
+serve options

data/bin/tem_stat

@@ -5,35 +5,31 @@ require 'rubygems'
 require 'tem_ruby'
 require 'pp'
 
-$terminal = Tem::SCard::JCOPRemoteTerminal.new
-unless $terminal.connect
-  $terminal.disconnect
-  $terminal = Tem::SCard::PCSCTerminal.new
-  $terminal.connect
-end
-$javacard = Tem::SCard::JavaCard.new($terminal)
-$tem = Tem::Session.new($javacard)
+Tem.auto_conf
 
-print "Connected to TEM using #{$terminal.to_s}\n"
+print "Connected to TEM using #{$tem.transport.inspect}\n"
 begin
 	fw_ver = $tem.tk_firmware_ver
 	print "TEM firmware version: #{fw_ver[:major]}.#{fw_ver[:minor]}\n"
-rescue
+rescue Exception => e
 	print "Could not read TEM firmware version. Is the TEM emitted?\n"
+	print "#{e.class.name}: #{e}\n#{e.backtrace.join("\n")}\n"
 end
 
 begin
 	b_stat = $tem.stat_buffers
 	print "TEM memory stat:\n"
 	pp b_stat
-rescue
+rescue Exception => e
 	print "Could not retrieve TEM memory stat. Is the TEM activated?\n"
+	print "#{e.class.name}: #{e}\n#{e.backtrace.join("\n")}\n"
 end
 
 begin
 	k_stat = $tem.stat_keys
 	print "TEM crypto stat:\n"
 	pp k_stat
-rescue
+rescue Exception => e
 	print "Could not retrieve TEM crypto stat. Is the TEM activated?\n"
+	print "#{e.class.name}: #{e}\n#{e.backtrace.join("\n")}\n"
 end

data/dev_ca/config.yml

@@ -1,4 +1,5 @@
 --- 
+# the development CA is valid for 10 years
 :ca_validity_days: 3652
 :issuer: 
   CN: Trusted Execution Module Development CA
@@ -7,6 +8,7 @@
   C: US
   O: Massachusetts Insitute of Technology
   OU: Computer Science and Artificial Intelligence Laboratory
+# a TEM is valid for two days
 :ecert_validity_days: 730
 :subject: 
   CN: Trusted Execution Module DevChip

data/lib/tem/auto_conf.rb

@@ -0,0 +1,25 @@
+module Tem
+  # Automatically configures a TEM.
+  #
+  # In case of success, the $tem global variable is set to a Tem::Session that
+  # can be used to talk to some TEM. An exception will be raised if the session
+  # creation fails.
+  #
+  # It is safe to call auto_conf multiple times. A single session will be open.
+  def self.auto_conf
+    return $tem if $tem
+    $tem = auto_tem
+  end
+
+  # Creates a new session to a TEM, using an automatically-configured transport.
+  # :call-seq:
+  #   Tem.auto_tem -> Tem::Session
+  #
+  # In case of success, returns a Tem::Session that can be used to talk to some
+  # TEM. An exception will be raised if the session creation fails. 
+  def self.auto_tem
+    transport = Tem::Transport.auto_transport
+    raise 'No suitable TEM was found' unless transport
+    Tem::Session.new transport
+  end
+end

data/lib/tem/buffers.rb

@@ -1,77 +1,64 @@
 module Tem::Buffers
   def alloc_buffer(length)
-    apdu = [0x00, 0x20, to_tem_short(length), 0x00].flatten
-    response = issue_apdu apdu
-    tem_error(response) if failure_code(response)
+    response = @transport.applet_apdu! :ins => 0x20,
+                                       :p12 => to_tem_short(length)
     return read_tem_byte(response, 0)
   end
   
   def release_buffer(buffer_id)
-    apdu = [0x00, 0x21, to_tem_byte(buffer_id), 0x00, 0x00].flatten
-    response = issue_apdu apdu
-    tem_error(response) if failure_code(response)
-    return true
+    @transport.applet_apdu! :ins => 0x21, :p1 => buffer_id
   end
 
   def flush_buffers
-    apdu = [0x00, 0x26, 0x00, 0x00, 0x00].flatten
-    response = issue_apdu apdu
-    tem_error(response) if failure_code(response)
-    return true
+    @transport.applet_apdu! :ins => 0x26
   end
   
   def get_buffer_length(buffer_id)
-    apdu = [0x00, 0x22, to_tem_byte(buffer_id), 0x00, 0x00].flatten
-    response = issue_apdu apdu
-    tem_error(response) if failure_code(response)
+    response = @transport.applet_apdu! :ins => 0x22, :p1 => buffer_id
     return read_tem_short(response, 0)
   end
   
   def read_buffer(buffer_id)
-    @buffer_chunk_size = guess_buffer_chunk_size unless defined? @buffer_chunk_size
+    guess_buffer_chunk_size
     
     buffer = []
     chunk_id = 0
     while true do
-      apdu = [0x00, 0x23, to_tem_byte(buffer_id), to_tem_byte(chunk_id), 0x00].flatten
-      response = issue_apdu apdu
-      tem_error(response) if failure_code(response)
-      buffer += response[0...(response.length - 2)]
-      break if response.length != @buffer_chunk_size + 2
+      response = @transport.applet_apdu! :ins => 0x23, :p1 => buffer_id,
+                                        :p2 => chunk_id
+      buffer += response
+      break if response.length != @buffer_chunk_size
       chunk_id += 1
     end
     return buffer
   end
   
   def write_buffer(buffer_id, data)
-    @buffer_chunk_size = guess_buffer_chunk_size unless defined? @buffer_chunk_size
+    guess_buffer_chunk_size
     
     chunk_id, offset = 0, 0
     while offset < data.length do
       write_size = (data.length - offset < @buffer_chunk_size) ?
           data.length - offset : @buffer_chunk_size
-      apdu = [0x00, 0x24, to_tem_byte(buffer_id), to_tem_byte(chunk_id), to_tem_ubyte(write_size),
-              data.values_at(offset...(offset+write_size))].flatten
-      response = issue_apdu apdu
-      tem_error(response) if failure_code(response)
-
+      @transport.applet_apdu! :ins => 0x24, :p1 => buffer_id, :p2 => chunk_id,
+                              :data => data[offset, write_size]
       chunk_id += 1
       offset += write_size
     end
   end
   
   def guess_buffer_chunk_size
-    apdu = [0x00, 0x25, 0x00, 0x00, 0x00].flatten
-    response = issue_apdu apdu
-    tem_error(response) if failure_code(response)
+    @buffer_chunk_size ||= guess_buffer_chunk_size!
+  end
+  
+  def guess_buffer_chunk_size!
+    response = @transport.applet_apdu! :ins => 0x25
     return read_tem_short(response, 0)
   end
   
   def stat_buffers
-    apdu = [0x00, 0x27, 0x00, 0x00, 0x00].flatten
-    response = issue_apdu apdu
-    tem_error(response) if failure_code(response)
-    response = reply_data(response)
+    response = @transport.applet_apdu! :ins => 0x27
+    
     memory_types = [:persistent, :clear_on_reset, :clear_on_deselect]
     stat = {:free => {}, :buffers => []}
     memory_types.each_with_index { |mt, i| stat[:free][mt] = read_tem_short(response, i * 2) }
@@ -91,7 +78,7 @@ module Tem::Buffers
   end
   
   def post_buffer(data)
-    buffer_id = alloc_buffer(data.length)
+    buffer_id = alloc_buffer data.length
     write_buffer buffer_id, data
     return buffer_id
   end

data/lib/tem/crypto_abi.rb

@@ -5,12 +5,16 @@ require 'yaml'
 module Tem::CryptoAbi
   include Tem::Abi
   
-  # contains the methods  
+  # The methods that will be mixed into the TEM module
   module MixedMethods
+    # Reads a TEM-encoded big number.
     def read_tem_bignum(buffer, offset, length)
-      return buffer[offset...(offset+length)].inject(0) { |num, digit| num = (num << 8) | digit }
+      return buffer[offset...(offset+length)].inject(0) do |num, digit|
+        num = (num << 8) | digit
+      end
     end
-    
+
+    # Returns the TEM encoding for a big number.
     def to_tem_bignum(n)
       if n.kind_of? OpenSSL::BN
         len = n.num_bytes
@@ -33,19 +37,30 @@ module Tem::CryptoAbi
         return q.reverse
       end
     end
-    
+
     def load_tem_key_material(key, syms, buffer, offset)
-      lengths = (0...syms.length).map { |i| read_tem_short(buffer, offset + i * 2)}
+      lengths = (0...syms.length).map do |i|
+        read_tem_short buffer, offset + i * 2
+      end
       offsets = [offset + syms.length * 2]
-      1.upto(syms.length - 1) { |i| offsets[i] = offsets[i - 1] + lengths[i - 1] }
-      0.upto(syms.length - 1) do |i|
-        key.send((syms[i].to_s + '=').to_sym, read_tem_bignum(buffer, offsets[i], lengths[i]))
-      end    
+      syms.each_index { |i| offsets[i + 1] = offsets[i] + lengths[i] }
+      syms.each_index do |i|
+        key.send((syms[i].to_s + '=').to_sym,
+                 read_tem_bignum(buffer, offsets[i], lengths[i]))
+      end
     end
-        
+    
+    # The length of a TEM symmetric key.
+    def tem_symmetric_key_length
+      16 # 128 bits
+    end
+            
     def read_tem_key(buffer, offset)
       key_type = read_tem_ubyte buffer, offset
-      if key_type == 0xAA || key_type == 0x55
+      case key_type
+      when 0x99
+        key = buffer[offset, tem_symmetric_key_length]                
+      when 0xAA, 0x55
         key = OpenSSL::PKey::RSA.new
         syms = (key_type == 0xAA) ? [:e, :n] : [:p, :q, :dmp1, :dmq1, :iqmp]
         load_tem_key_material key, syms, buffer, offset + 1
@@ -61,10 +76,10 @@ module Tem::CryptoAbi
           key.e = (emp1 < emq1) ? emp1 : emq1
           key.d = key.e.mod_inverse(p1q1)
         end
-        return new_key_from_ssl(key, (key_type == 0xAA)) 
       else
         raise "Invalid key type #{'%02x' % key_type}"
       end
+      return new_key_from_ssl(key, (key_type == 0xAA)) 
     end
     
     def to_tem_key(ssl_key, type)
@@ -78,18 +93,19 @@ module Tem::CryptoAbi
       end
     end
     
+    # Creates a new TEM key wrapper from a SSL key
     def new_key_from_ssl(ssl_key, is_public)
-      AsymmetricKey.new(ssl_key, is_public, :pkcs1)
+      if ssl_key.kind_of? OpenSSL::PKey::RSA
+        AsymmetricKey.new ssl_key, is_public, :pkcs1
+      else
+        SymmetricKey.new ssl_key
+      end
     end
     
+    # Compute a cryptographic hash in the same way that the TEM does.
     def hash_for_tem(data)
-      if data.kind_of? String
-        data_string = data
-      else
-        data_string = data.pack('C*')
-      end
-      digest_string = Digest::SHA1.digest(data_string)
-      return digest_string.unpack('C*')
+      data = data.pack 'C*' unless data.kind_of? String
+      Digest::SHA1.digest(data).unpack 'C*'
     end
   end
   
@@ -104,13 +120,19 @@ module Tem::CryptoAbi
   end
 
   def self.load_ssl(ssl_key)
-    return {:pubkey => AsymmetricKey.new(ssl_key, true, :pkcs1), :privkey => AsymmetricKey.new(ssl_key, false, :pkcs1) }      
+    return { :pubkey => AsymmetricKey.new(ssl_key, true, :pkcs1),
+             :privkey => AsymmetricKey.new(ssl_key, false, :pkcs1) }
   end
   
   def self.generate_ssl_kp
     return Tem::CryptoAbi::AsymmetricKey.generate_ssl_kp
   end
   
+  def self.generate_ssl_sk
+    return Tem::CryptoAbi::SymmetricKey.generate_ssl_sk
+  end
+
+  # Wraps a TEM asymmetric key.
   class AsymmetricKey
     attr_reader :ssl_key
     
@@ -131,9 +153,11 @@ module Tem::CryptoAbi
       self.to_array.to_yaml.to_s
     end       
     
+    # Generate an asymmetric OpenSSL key pair
     def self.generate_ssl_kp
       return OpenSSL::PKey::RSA.generate(2048, 65537)
     end
+        
     def initialize(ssl_key, is_public, padding_type)
       @ssl_key = ssl_key
       @is_public = is_public ? true : false
@@ -188,29 +212,53 @@ module Tem::CryptoAbi
     end
       
     def encrypt(data)
-      encrypt_decrypt(data, @size - @padding_bytes, @is_public ? :public_encrypt : :private_encrypt)      
+      encrypt_decrypt data, @size - @padding_bytes,
+                      @is_public ? :public_encrypt : :private_encrypt      
     end
     
     def decrypt(data)
-      encrypt_decrypt(data, @size, @is_public ? :public_decrypt : :private_decrypt)      
+      encrypt_decrypt data, @size,
+                      @is_public ? :public_decrypt : :private_decrypt      
     end
     
     def sign(data)
-      in_data = if data.kind_of? String then data else data.pack('C*') end
+      data = data.pack 'C*' if data.respond_to? :pack
       # PKCS1-padding is forced in by openssl... sigh!
-      out_data = @ssl_key.sign OpenSSL::Digest::SHA1.new, in_data
-      if data.kind_of? String then out_data else out_data.unpack('C*') end
+      out_data = @ssl_key.sign OpenSSL::Digest::SHA1.new, data
+      data.respond_to?(:pack) ? out_data : out_data.unpack('C*')
     end
     
     def verify(data, signature)
-      in_data = if data.kind_of? String then data else data.pack('C*') end
-      in_signature = if signature.kind_of? String then signature else signature.pack('C*') end
+      data = data.pack 'C*' if data.respond_to? :pack
+      signature = signature.pack 'C*' if signature.respond_to? :pack
       # PKCS1-padding is forced in by openssl... sigh!
-      @ssl_key.verify OpenSSL::Digest::SHA1.new, in_signature, in_data
+      @ssl_key.verify OpenSSL::Digest::SHA1.new, signature, data
     end
     
     def is_public?
       @is_public
     end
-  end  
+  end
+  
+  # Wraps a TEM symmetric key
+  def SymmetricKey
+    def initialize(ssl_key)
+      @key = ssl_key
+      @cipher = OpenSSL::Cipher::Cipher.new 'aes-128-ecb'
+      @cipher.key = @key
+      @cipher.iv = "\0" * 16
+    end
+    
+    def encrypt(data)
+    end
+  
+    def decrypt(data)
+    end
+  
+    def sign(data)
+    end
+  
+    def verify(data)
+    end
+  end
 end

data/lib/tem/keys.rb

@@ -1,21 +1,19 @@
 module Tem::Keys
   def devchip_generate_key_pair
-    response = issue_apdu [0x00, 0x40, 0x00, 0x00, 0x00].flatten
-    tem_error(response) if failure_code(response)
-    return { :privkey_id => read_tem_byte(response, 0), :pubkey_id => read_tem_byte(response, 1) }    
+    response = @transport.applet_apdu! :ins => 0x40
+    return { :privkey_id => read_tem_byte(response, 0),
+             :pubkey_id => read_tem_byte(response, 1) }    
   end
   
   def devchip_release_key(key_id)
-    response = issue_apdu [0x00, 0x41, to_tem_byte(key_id), 0x00, 0x00].flatten
-    tem_error(response) if failure_code(response)
+    @transport.applet_apdu! :ins => 0x41, :p1 => key_id
     return true
   end
   
   def devchip_save_key(key_id)
-    response = issue_apdu [0x00, 0x43, to_tem_byte(key_id), 0x00, 0x00].flatten
-    tem_error(response) if failure_code(response)
-    
-    buffer_id, buffer_length = read_tem_byte(response, 0), read_tem_short(response, 1)
+    response = @transport.applet_apdu! :ins => 0x43, :p1 => key_id    
+    buffer_id = read_tem_byte response, 0 
+    buffer_length = read_tem_short response, 1
     key_buffer = read_buffer buffer_id
     release_buffer buffer_id
     
@@ -24,35 +22,36 @@ module Tem::Keys
   
   def devchip_encrypt_decrypt(data, key_id, opcode)
     buffer_id = post_buffer data
-    response = issue_apdu [0x00, opcode, to_tem_byte(key_id), to_tem_byte(buffer_id), 0x00].flatten
-    release_buffer buffer_id
-    tem_error(response) if failure_code(response)
+    begin
+      response = @transport.applet_apdu! :ins => opcode, :p1 => key_id,
+                                         :p2 => buffer_id
+    ensure
+      release_buffer buffer_id
+    end
 
-    buffer_id, buffer_length = read_tem_byte(response, 0), read_tem_short(response, 1)
+    buffer_id = read_tem_byte response, 0
+    buffer_length = read_tem_short response, 1
     data_buffer = read_buffer buffer_id
     release_buffer buffer_id
     
     return data_buffer[0...buffer_length]
   end
   def devchip_encrypt(data, key_id)
-    devchip_encrypt_decrypt(data, key_id, 0x44)
+    devchip_encrypt_decrypt data, key_id, 0x44
   end
   def devchip_decrypt(data, key_id)
-    devchip_encrypt_decrypt(data, key_id, 0x45)
+    devchip_encrypt_decrypt data, key_id, 0x45
   end
   
   def stat_keys
-    apdu = [0x00, 0x27, 0x01, 0x00, 0x00].flatten
-    response = issue_apdu apdu
-    tem_error(response) if failure_code(response)
-    response = reply_data(response)
-    key_types = {0x99 => :symmetric, 0x55 => :private, 0xAA => :public}
+    response = @transport.applet_apdu! :ins => 0x27, :p1 => 0x01
+    key_types = { 0x99 => :symmetric, 0x55 => :private, 0xAA => :public }
     stat = {:keys => {}}
     offset = 0
     while offset < response.length do
       stat[:keys][read_tem_ubyte(response, offset)] =
-        {:type => key_types[read_tem_ubyte(response, offset + 1)],
-        :bits => read_tem_ushort(response, offset + 2)}
+        { :type => key_types[read_tem_ubyte(response, offset + 1)],
+          :bits => read_tem_ushort(response, offset + 2) }
       offset += 4
     end
     return stat