From: William R. <bil...@gm...> - 2014-07-29 15:43:58

Thanks Doug, no the part I was missing was that the card signs the CSR. I now notice that general AUTH can also be used to encrypt data.

On Jul 29, 2014 7:01 AM, "Douglas E Engert" <dee...@gm...> wrote:
>
> On 7/28/2014 1:59 PM, William Roberts wrote:
> > Suppose you had a blank card in this state:
> > 1. Most of the private keys are empty (9A, 9C, 9D, 9E)
> > 2. The Card Management Key (9B) is set
> > 3. The containers (5FC105, 5FC10A, 5FC10B, 5FC101) are empty
> >
> > What commands would run using piv-tool to take the card into an
> > initialized state?
> >
> > My best guess is some combination of GENERATE ASYMMETRIC KEY PAIR and
> > PUT DATA commands. I'm not quite clear what the GENERATE KEY PAIR
> > command should do on the card side; does it actually update the
> > corresponding x509?
>
> No. It's a multi-step process defined in:
>
> https://github.com/OpenSC/OpenSC/wiki/PivTool
>
> to generate a key pair, save the pubkey, get the card to sign a
> certificate request containing the pubkey, have the CA sign the request
> creating the certificate, then load the certificate onto the card.
>
> https://github.com/OpenSC/OpenSC/wiki/PivTool#generate-a-key-pair
>
> The piv-tool -o option says where to write out the public key, to a file.
> This is the only time the public key can be retrieved from the card.
>
> https://github.com/OpenSC/OpenSC/wiki/PivTool#clear-a-certificate-on-the-card
>
> Make sure there is no old certificate on the card that has a public key
> from a previous run of this multi-step process. See why in the last
> paragraph in this section.
>
> https://github.com/OpenSC/OpenSC/wiki/PivTool#generate-a-certificate-request
>
> If no certificate is on the card, card-piv.c will use the env PIV_*_KEY
> to find the matching public key saved by piv-tool -o.
>
> https://github.com/OpenSC/OpenSC/wiki/PivTool#signing-the-request
>
> Have your CA sign the request to create a certificate. Before I retired,
> we would use the Microsoft Enterprise CA, making the card usable for
> Windows smart card login (which is also Kerberos PKINIT for unix logins).
> We used AD as the Kerberos KDC.
>
> NIST only defines some of the commands that would be used in a true card
> management system, leaving it up to the card vendor to provide any
> additional commands, such as: writing a private key to the card, reading
> a private key (both could be used for key escrow), changing the 9B key,
> locking the card, Global Platform operations, etc.
>
> NIST defined just enough commands to create test cards.
>
> The OpenSC code was designed to support the user client using only the
> NIST defined commands, and be able to create test cards to test the client
> code.
>
> The piv-tool -s option was added to allow one to write scripts to implement
> in a simple way any additional commands needed to personalize the card
> using the vendor's private commands.
>
> If you need to add additional non-NIST defined commands in the OpenSC code,
> let's talk first.
>
> > I.e. does a generate request on '9A' update the x509
> > in 5FC105?
>
> No, but in the examples, PIV_9A_KEY, ID=1 and 5FC105 all refer to the key
> and tag of the matching certificate. Change as needed to refer to other
> key references, IDs and tags.
>
> --
> Douglas E. Engert <DEE...@gm...>
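The enrollment sequence Douglas outlines (generate the key pair, keep the public key that piv-tool -o writes, have the card sign a CSR for it, get the CA to issue the certificate, then load it), as an added shell example that is not part of the thread or of OpenSC's own tooling. The -A, -G, -C and -i flags, the PIV_EXT_AUTH_KEY variable naming the 9B key file, the slot-to-PKCS#11-id table and the openssl pkcs11 engine invocation are assumptions taken from piv-tool's usage text and should be checked against piv-tool --help for the build in use; -o and PIV_<slot>_KEY are as described above.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenSC project: Douglas's
# multi-step enrollment for one PIV key slot as shell functions.
# With PIV_DRY_RUN=1 (the default) every command is printed instead
# of run, so the sequence can be reviewed offline before it touches
# a card. Assumed, not stated in the thread: the -A, -G, -C and -i
# flags and the PIV_EXT_AUTH_KEY variable (file holding the 9B key)
# come from piv-tool's usage text; openssl has the pkcs11 engine.
set -eu

run() {
    if [ "${PIV_DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# PKCS#11 object id the OpenSC PIV driver gives each key slot
# (the thread's "PIV_9A_KEY, ID=1 and 5FC105" triple is the 9A row).
pkcs11_id() {
    case "$1" in
        9A) echo 01 ;; 9C) echo 02 ;; 9D) echo 03 ;; 9E) echo 04 ;;
        *) echo "unknown PIV key slot: $1" >&2; return 1 ;;
    esac
}

# Steps 1-3: generate the key, keep the only copy of the public key
# (-o), and have the card sign a CSR for it. The slot's certificate
# container must already be empty; otherwise card-piv.c takes the
# public key from the stale certificate instead of PIV_<slot>_KEY.
request_cert() {
    slot=$1; subject=$2; id=$(pkcs11_id "$slot")
    [ "${PIV_DRY_RUN:-1}" = 1 ] || : "${PIV_EXT_AUTH_KEY:?set to the 9B key file}"
    run piv-tool -A A:9B:03 -G "$slot:07" -o "$slot.pub"   # 07 = RSA 2048
    export "PIV_${slot}_KEY=$slot.pub"   # read by card-piv.c when no cert is on the card
    run openssl req -engine pkcs11 -keyform engine -new -key "$id" \
        -subj "$subject" -out "$slot.csr"
    echo "$slot.csr"
}

# Step 5, once the CA has issued a DER certificate for the CSR.
load_cert() {
    slot=$1; cert=$2
    run piv-tool -A A:9B:03 -C "$slot" -i "$cert"
}

# Dry run of the 9A enrollment: prints the commands, writes nothing.
request_cert 9A "/CN=test card"
```

Set PIV_DRY_RUN=0 and PIV_EXT_AUTH_KEY only once the printed sequence is what you expect for the slot, and clear any old certificate from that slot's container first, as the wiki section above requires.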