From: Douglas E. E. <dee...@an...> - 2013-08-26 15:56:08
On 8/26/2013 10:38 AM, Charlie Bancroft wrote:
> Ok, I finally tracked down the source of the issue. Markus, you were dead on. Thank you!
> It turns out that the APDU on the wiki to erase the previous certificate was being rejected by the card when I provisioned it. The response was swallowed by my provisioning script and never reported to me. Because I reprovisioned the card without deleting the old cert, the public key was never updated for the new private key, which caused all of these signing issues to pop up.
>
> My solution was to change the PUT DATA APDU for the 9A key to the following:
> piv-tool -A A:9B:03 -s 00:DB:3F:FF:07:5C:03:5F:C1:05:53:00
>
> It seemed to like the 1 byte NULL instead of the 3 byte. I am not sure if that happens to be a quirk of the card I am using or if that is something that is seen everywhere and the documentation needs to be updated.

NIST 800-73 does not specify how to delete an object on the card. It only specifies there is a PUT DATA command. Each vendor may have a different way to do it, and each vendor may require different authentication before allowing a PUT DATA command. That is why the piv-tool -A [A|M]:key:ref -s is used to do it.

Some cards I have worked with required
-s 00:DB:3F:FF:09:5C:03:5F:C1:05:53:00:00:00

Consult the card vendor's documentation as to how to delete an object or replace the contents of an object.

> Thanks again for helping out with this Markus and Douglas

-- 
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
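The PUT DATA exchange discussed above, as an added example that is not code from the thread, OpenSC or piv-tool: it assembles both APDU variants shown (the 53:00 and the 53:00:00:00 form) and checks the card's status word, which is the step the original provisioning script skipped. Status-word meanings are the standard ISO 7816-4 ones; no card is simulated, and the helper names are this example's own.

```python
"""Added example, not piv-tool's code: build the PIV PUT DATA APDUs from the
thread and check the card's status word instead of silently dropping it."""

# ISO 7816-4 / NIST SP 800-73 constants for PUT DATA
CLA, INS_PUT_DATA, P1, P2 = 0x00, 0xDB, 0x3F, 0xFF
TAG_LIST, TAG_DATA = 0x5C, 0x53
# BER-TLV tag of the X.509 Certificate for PIV Authentication (cert of the 9A key)
CERT_PIV_AUTH = bytes.fromhex("5FC105")


def from_piv_tool(s: str) -> bytes:
    """Decode piv-tool's colon-separated hex, e.g. '00:DB:3F:FF'."""
    return bytes.fromhex(s.replace(":", ""))

def tlv(tag: int, value: bytes) -> bytes:
    """BER-TLV with short length below 0x80, long form 81 xx / 82 xx xx."""
    n = len(value)
    if n < 0x80:
        ln = bytes([n])
    elif n <= 0xFF:
        ln = bytes([0x81, n])
    elif n <= 0xFFFF:
        ln = bytes([0x82, n >> 8, n & 0xFF])
    else:
        raise ValueError("value too large")
    return bytes([tag]) + ln + value

def put_data_apdu(obj_tag: bytes, data: bytes = b"", raw_data_field: bytes = b"") -> bytes:
    """00 DB 3F FF Lc | 5C <object tag> | 53 <data>.
    raw_data_field, when given, replaces the '53 ...' field verbatim, for vendor
    quirks such as the 53:00:00:00 form in the thread. Short Lc only (<= 255);
    a full certificate needs command chaining, which an erase does not."""
    body = tlv(TAG_LIST, obj_tag) + (raw_data_field or tlv(TAG_DATA, data))
    if len(body) > 255:
        raise ValueError("use command chaining for this size")
    return bytes([CLA, INS_PUT_DATA, P1, P2, len(body)]) + body

def check_sw(response: bytes) -> bytes:
    """Return the response data, or raise unless SW1 SW2 is 90 00."""
    if len(response) < 2:
        raise ValueError("response shorter than a status word")
    data, code = response[:-2], (response[-2] << 8) | response[-1]
    if code == 0x9000:
        return data
    reasons = {  # ISO 7816-4 status words a provisioning script must surface
        0x6982: "security status not satisfied (authenticate with the admin key, 9B above, first)",
        0x6A80: "incorrect parameters in data field (vendor-specific object format?)",
    }
    raise RuntimeError(f"PUT DATA failed: SW={code:04X} {reasons.get(code, '')}".rstrip())
```

Feed the bytes from `put_data_apdu` to your reader library's transmit call and pass the full response, status word included, through `check_sw` so a rejected erase stops the script rather than leaving the old public key on the card.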