Re: [Opensc-devel] Initializing a Oberthur ID-One PIV (Type A)

[Charlie B. <cha...@gm...>]

After some discussion with Douglas I was able to find a workable solution.
 The piece of information I was missing when trying to set all of this up
was the Card Management key.  Once I had it, it was a simple matter to
actually unlock the card and get identities loaded onto it.

The first step I had to take was to patch the gpshell program to not crash
and burn when a card comes back as locked.  The patch applied is:
    Index: gpshell.c


    ===================================================================


    diff --git a/trunk/gpshell/src/gpshell.c b/trunk/gpshell/src/gpshell.c


    --- a/trunk/gpshell/src/gpshell.c   (revision 419)


    +++ b/trunk/gpshell/src/gpshell.c   (working copy)


    @@ -935,8 +935,13 @@


                     {


                         _tprintf (_T("select_application() returns 0x%08lX
(%s)\n"),

                                   status.errorCode, status.errorMessage);


    -                    rv = EXIT_FAILURE;


    -                    goto end;


    +


    +                    /* 6283 is warning  we want to continue  and
unlock */

    +                    if (status.errorCode !=
OPGP_ISO7816_WARNING_CM_LOCKED)


    +                    {


    +                        rv = EXIT_FAILURE;


    +                        goto end;


    +                    }


    +                    status.errorStatus =  OPGP_ERROR_STATUS_SUCCESS;


                     }


                     memcpy(selectedAID, optionStr.AID, optionStr.AIDLen);


                     selectedAIDLength = optionStr.AIDLen;

Once that was compiled and working, the following gpshell script was used
to unlock the card:
    mode_211


    enable_trace


    establish_context


    card_connect


    select -AID A0000001510000
    #Replace the key with your vendors Card Management key.




    open_sc -security 1 -keyind 0 -keyver 0 -keyDerivation emvcps11
-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    get_status -element 80


    send_apdu -sc 1 -APDU 80F0800F07A0000001510000


    card_disconnect


    release_context

After running the script, the card is unlocked and you are free to use the
normal OpenSC tools to load data onto the card.

I just wanted to say thanks again to Douglas for all his help.  The script
and the patch were contributed by him, with some slight modifications to
make things work for my particular card.


Charles Bancroft
Software Engineer
Raytheon BBN Technologies


On Thu, Apr 11, 2013 at 2:25 PM, Douglas E. Engert <dee...@an...> wrote:

>
>
> On 4/11/2013 12:15 PM, Charlie Bancroft wrote:
> > Hello,
> > I was wondering if there was a way to initialize/personalize an Oberthur
> ID-One PIV (Type A) using opensc?
>
> The intent of the OpenSC modifications was to implement NIST 800-73-3 for
> the client.
> The PIV card is not designed to be updated by a user, and card vendors
> can implement their own card management commands.
>
> The piv-tool was created to allow for testing of cards using what was
> defined
> in NIST 800-73-3. It was not intended to be used as a card management
> system.
> Additional commands may be needed that are vendor specific to finalize
> the card. For example NIST 800-73-3 only defines how to generate a key on
> the
> card. It does not define how to write a key to the.
>
> That said the piv-tool has the -A and -s options that can be used to
> authenticate to the card. The put_cert.sh uses this.
>
> If you have the Oberthur documentation you should have the 9B keys, any
> GlobaPlatform
> keys and additional commands needed to initialize/personalize the cards.
>
> > I have blank (just the PIV applet) cards that I have been fighting with
> trying to initialize
> > to no avail.  I have seen that some people have been able to initialize
> the card with piv-tool but I have not seen any detailed instruction as to
> how it was done.
>
> If I recall those Obether ID-ONE cards are based on Globlaplatform 2.1.1.
> NIST insists that the cards be sent with ISD status SECURED and locked.
> Two mods were made to gpshell to not stop on a select with return of
> card locked, and to globalplatform.c to use the different bytes
> of the ISD and keyDerivationData returned from the card. The vendor
> document would indicate the changes needed.
>
> I can send you these mods, but you have to get the keys and documentation
> from
> the vendor.
>
> >
> > Thanks,
> > Charles Bancroft
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> > Precog is a next-generation analytics platform capable of advanced
> > analytics on semi-structured data. The platform includes APIs for
> building
> > apps and a phenomenal toolset for data science. Developers can use
> > our toolset for easy data analysis & visualization. Get a free account!
> > http://www2.precog.com/precogplatform/slashdotnewsletter
> >
> >
> >
> > _______________________________________________
> > Opensc-devel mailing list
> > Ope...@li...
> > https://lists.sourceforge.net/lists/listinfo/opensc-devel
> >
>
> --
>
>   Douglas E. Engert  <DEE...@an...>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444
>
>
> ------------------------------------------------------------------------------
> Precog is a next-generation analytics platform capable of advanced
> analytics on semi-structured data. The platform includes APIs for building
> apps and a phenomenal toolset for data science. Developers can use
> our toolset for easy data analysis & visualization. Get a free account!
> http://www2.precog.com/precogplatform/slashdotnewsletter
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>