Mohammad Shakiba

Reputation: 75

Why I fail to delete or replace inserted Receipt Key with KeyVersion=0x70 in the Javacard?

I have a clean Kona112 Javacard and I'm going to put a Receipt key into it and then I want to delete it from the card or replace its value.

Step 1: I tried to create a new key on the card with Key Version == 0x71 (Quoted from GP UICC Configuration v1.0.1: "Key Version number '71' with Key Identifier '01' is reserved for the Receipt Key, which is a DES key"):

[Select ISD]

[Successful Mutual Authentication]

-->  84 D8 00 01 1F 71 80 10 B5 75 C3 8D 89 DC F9 B1 74 CC 1E 93 C4 45 C8 2C 03 CD 80 0F EC EA 8D 6F 8F BF 7D D0 // PUT KEY
<--  6A 80 

==> Quoted from GP UICC Configuration v1.0.1: "6A80 = ISO compliant standard status word for Algorithm not supported"

Step 2: As I received "Algorithm not supported" error, I enabled Delegated Management on my card and retried step #1:

[Select ISD]

[Successful Mutual Authentication]

[Proprietary APDU command to enable Delegated Management]

-->  84 D8 00 01 1F 71 80 10 1A F6 96 45 2A ED 66 86 75 DF FC 8B 59 55 6D 0B 03 CD 80 0F 87 03 E4 1A 8D AB 90 EC
<--  71 CD 80 0F 90 00

Good! I successfully put the Receipt key in the card.

Step 3: Now, I want to delete it:

[Select ISD]

[Successful Mutual Authentication]

-->  80 E4 00 00 06 D0 01 01 D2 01 71 // Delete APDU Command to delete a key with Key ID = 01 and Key Version = 71
<--  6A 80

As you see above, I received 6A 80 error status words. It is mentioned in the answer of my other question (and also in GP UICC Configuration v1.0.1) that the Key Deletion feature is optional.

So in step #4 I tried to replace the key with another value.

Step 4: I changed P1 in PUT Key APDU command from 0x00 (create key) to 0x71 (overwrite):

[Select ISD]

[Successful Mutual Authentication]

-->  84 D8 71 01 1F 71 80 10 E9 06 6B 8E D8 05 50 34 D5 A7 71 3B 81 CB BE 7A 03 CD 80 0F 91 0D BC E9 96 25 7E 89
<--  6A 88
==> Quoted from GP UICC Configuration v1.0.1: "6A88 = Referenced data not found"

Well, that's weird, I received "Referenced data not found". So I tried the PUT Key command with P1 = 0X00 (Create Key) again:

[Select ISD]

[Successful Mutual Authentication]

-->  84 D8 00 01 1F 71 80 10 31 35 5C 0C E3 27 FD D5 8B 6B AE 37 56 CA 0D F2 03 CD 80 0F 0B EB 16 CF FF CE 4C 09
<--  69 85 // Conditions of use not satisfied.

Well, I tried both cases of step #3 (P1 = 0x00 and P1 = 0x71) with disabled Delegated Management too, but nothing changed and I respectively received 0x6A80 and 0x6A88.

What's wrong? How can I delete or modify this key?

Note that I tried all the steps in secure channel with SecurityLevel = 0x03 too. Nothing changed.

Update:

I tried to list the available keys in the card using the GET DATA APDU command with the Key Info Template tag, but I can only see the ISD ENC, MAC and KEK keys in the APDU response (for both DM enabled and DM disabled).

--> 80 CA 00 E0 00
<-- E0 12 C0 04 01 01 80 10 C0 04 02 01 80 10 C0 04 03 01 80 10 90 00

Upvotes: 2

Views: 317
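Decoding the two structures traced in the question makes the observation in the update easier to check by hand: the PUT KEY data field (key version, then per key: type, component length, component, check-value length, check value, followed by the C-MAC when the CLA byte indicates secure messaging) and the Key Information Template (tag E0 holding C0 entries of key identifier, key version, key type, key length). This is an added example, not code from the question or from any GlobalPlatform tool; the APDU bytes are copied from the traces above, and the single-byte component length and the four-byte basic C0 entry format are assumptions that hold for the traces shown.

```python
"""Decoders for a GlobalPlatform PUT KEY C-APDU and a Key Information Template.

Added example, not from the original post.  The sample bytes are the APDUs
traced in the question; the field layout follows the GlobalPlatform Card
Specification (assumed: one-byte component length, four-byte C0 entries).
"""
from dataclasses import dataclass
from typing import List


def _hx(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


# Copied from the question's traces (step 1 and step 4 PUT KEY, and the GET DATA response).
PUT_KEY_STEP1 = _hx("84 D8 00 01 1F 71 80 10 B5 75 C3 8D 89 DC F9 B1 74 CC 1E 93 C4 45 C8 2C "
                    "03 CD 80 0F EC EA 8D 6F 8F BF 7D D0")
PUT_KEY_STEP4 = _hx("84 D8 71 01 1F 71 80 10 E9 06 6B 8E D8 05 50 34 D5 A7 71 3B 81 CB BE 7A "
                    "03 CD 80 0F 91 0D BC E9 96 25 7E 89")
KEY_INFO_RESPONSE = _hx("E0 12 C0 04 01 01 80 10 C0 04 02 01 80 10 C0 04 03 01 80 10 90 00")


@dataclass
class KeyComponent:
    key_type: int      # 0x80 = DES in GlobalPlatform key type coding
    data: bytes        # key component, encrypted under the KEK inside a secure channel
    check_value: bytes


@dataclass
class PutKey:
    cla: int
    p1: int            # 0x00 = create a new key version; otherwise the key version to replace
    p2: int            # key identifier of the first key in the data field
    new_version: int   # key version number assigned to the keys being loaded
    components: List[KeyComponent]
    mac: bytes         # trailing C-MAC when the CLA secure-messaging bit (0x04) is set


def parse_put_key(apdu: bytes) -> PutKey:
    cla, ins, p1, p2, lc = apdu[:5]
    if ins != 0xD8:
        raise ValueError("not a PUT KEY APDU (INS must be D8)")
    data = apdu[5:5 + lc]
    if len(data) != lc:
        raise ValueError("Lc does not match the data field length")
    mac = b""
    if cla & 0x04:                      # secure messaging: last 8 bytes are the C-MAC
        data, mac = data[:-8], data[-8:]
    version = data[0]
    comps, i = [], 1
    while i < len(data):
        ktype, klen = data[i], data[i + 1]
        kdata = data[i + 2:i + 2 + klen]
        i += 2 + klen
        cvlen = data[i]
        cv = data[i + 1:i + 1 + cvlen]
        i += 1 + cvlen
        comps.append(KeyComponent(ktype, kdata, cv))
    return PutKey(cla, p1, p2, version, comps, mac)


@dataclass
class KeyInfo:
    key_id: int
    version: int
    key_type: int
    length: int


def parse_key_info_template(response: bytes) -> List[KeyInfo]:
    """Parse a GET DATA (tag E0) response including its trailing status word."""
    if response[-2:] != b"\x90\x00":
        raise ValueError(f"GET DATA failed, SW={response[-2:].hex().upper()}")
    body = response[:-2]
    if body[0] != 0xE0:
        raise ValueError("expected Key Information Template tag E0")
    inner = body[2:2 + body[1]]
    if len(inner) != body[1]:
        raise ValueError("template length mismatch")
    entries, i = [], 0
    while i < len(inner):
        tag, ln = inner[i], inner[i + 1]
        if tag != 0xC0:
            raise ValueError(f"unexpected tag {tag:02X} inside E0")
        v = inner[i + 2:i + 2 + ln]
        # Basic C0 format (assumed): key identifier, key version, key type, key length
        entries.append(KeyInfo(v[0], v[1], v[2], v[3]))
        i += 2 + ln
    return entries


def has_key(entries: List[KeyInfo], key_id: int, version: int) -> bool:
    """True if the selected security domain reports a key with this id and version."""
    return any(e.key_id == key_id and e.version == version for e in entries)


if __name__ == "__main__":
    pk = parse_put_key(PUT_KEY_STEP1)
    print(f"PUT KEY: P1={pk.p1:02X} P2={pk.p2:02X} new version={pk.new_version:02X} "
          f"type={pk.components[0].key_type:02X} KCV={pk.components[0].check_value.hex().upper()}")
    for e in parse_key_info_template(KEY_INFO_RESPONSE):
        print(f"key id={e.key_id:02X} version={e.version:02X} type={e.key_type:02X} len={e.length}")
    print("receipt key 71/01 listed:", has_key(parse_key_info_template(KEY_INFO_RESPONSE), 0x01, 0x71))
```

Running it against the traces shows that the step 1 and step 4 commands are structurally identical apart from P1 (00 versus 71) and that the template returned by the selected ISD lists only key version 01 for identifiers 01, 02 and 03, which is consistent with the receipt key not being held by the ISD that was selected.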

Answers (1)

k_o_

Reputation: 6298

One idea: The receipt key (and you also have to store a token key) might be linked to an application security domain. Select the Security Domain with Token Verification privilege and the Security Domain with Receipt Generation privilege; maybe they are different from the ISD. I assume also that during [Proprietary APDU command to enable Delegated Management] a new application security domain (ASP) was created. Try to select these new security domains, list all the keys there using the key template flag, and then execute your PUT KEY operations against one of these security domains. GET STATUS is the command to be used for listing the SDs. All the existing OS tools like GPShell and GlobalPlatformPro can do this.

Upvotes: 0
