From: Ryan C. <ry...@rc...> - 2015-12-07 08:07:24

Hi, I'm trying to get an asymmetric CHUID signature on a PIV card, in this case a Yubikey NEO. The FIPS 201 standard requires it, but yubikey-piv-tool only supports writing a random CHUID to the card.

The basic question is... does someone have an example program that, given a signing certificate and associated private key, can write the asymmetric key to a PIV card? I'm close, but am stuck on long CHUIDs. I can write a short length one successfully, but the longer one required for the asymmetric key is failing.

Now a little more detail on what I've got so far, if anyone cares... I've been using the piv-tool program to write a short CHUID like so:

# Check current CHUID
$ piv-tool -A A:9B:03 -s "00:CB:3F:FF:05:5C:03:5F:C1:02:00"
Using reader with a card: Yubico Yubikey NEO CCID
Sending: 00 CB 3F FF 05 5C 03 5F C1 02 00
Received (SW1=0x90, SW2=0x00):
53 3B 30 19 D4 E7 39 DA 73 9C ED 39 CE 73 9D 83 S;0...9.s..9.s..
68 58 21 08 42 10 84 21 38 42 10 C3 F5 34 10 78 hX!.B..!8B...4.x
E1 97 B4 5A CA C0 1A 82 64 63 A9 92 3B 56 26 35 ...Z....dc..;V&5
08 32 30 33 30 30 31 30 31 3E 00 FE 00 .20300101>...

# Write desired CHUID to file 'chuid'
$ X="53:3B:30:19:D4:E7:39:DA:73:9C:ED:39:CE:73:9D:83:68:58:21:08:42:10:84:21:38:42:10:C3:F5:34:10:37:6F:92:E6:EA:92:65:85:0B:AB:D6:9D:73:8B:15:F0:35:08:32:30:33:30:30:31:30:31:3E:00:FE:00"
$ (OLDIFS=$IFS; IFS=:; for x in $X; do echo 0x$x | awk '{printf "%c", $1}'; done; IFS=$OLDIFS ) > chuid

# Write chuid file to the Yubikey
$ piv-tool -A A:9B:03 -O 3000 -i chuid
Using reader with a card: Yubico Yubikey NEO CCID

# Verify it worked... appears to have worked
$ piv-tool -A A:9B:03 -s "00:CB:3F:FF:05:5C:03:5F:C1:02:00"
Using reader with a card: Yubico Yubikey NEO CCID
Sending: 00 CB 3F FF 05 5C 03 5F C1 02 00
Received (SW1=0x90, SW2=0x00):
53 3B 30 19 D4 E7 39 DA 73 9C ED 39 CE 73 9D 83 S;0...9.s..9.s..
68 58 21 08 42 10 84 21 38 42 10 C3 F5 34 10 37 hX!.B..!8B...4.7
6F 92 E6 EA 92 65 85 0B AB D6 9D 73 8B 15 F0 35 o....e.....s...5
08 32 30 33 30 30 31 30 31 3E 00 FE 00 .20300101>...

TLV '3E' is where the asymmetric signature goes. Above, look at the last four bytes '3E 00 FE 00'; the '3E 00' signifies a null asymmetric signature.

I loaded my cert authority's pub/private keypair in the java keystore, then used the library at https://code.google.com/p/keysupport-java-api/ to generate the CHUID signature, which ends up being 2077 (0x81D) bytes, a little strange, but ok. I then try the same thing as before, but encode the '3E' TLV as such:

3E 82 08 1D .. .. <total of 2077 bytes for CHUID asymmetric signature payload> .. ..

82 08 1D is BER-TLV to indicate 2077 bytes

What ended up in the 'chuid' file:

53 3b 30 19 d4 e7 39 da 73 9c ed 39 ce 73 9d 83
68 58 21 08 42 10 84 21 38 42 10 c3 f5 34 10 05
9b 23 97 21 6e ee b0 2d b8 d6 01 0a 69 99 3c 35
08 32 30 33 30 30 31 30 31 3e 82 08 1d .. .. <2077 bytes for asymm signature> .. .. fe 00

When I attempt to write the 'chuid' file using piv-tools, I get this error:

$ piv-tool -A A:9B:03 -O 3000 -i chuid
Using reader with a card: Yubico Yubikey NEO CCID
object tag or length not valid

I'm hoping I missed something elementary. Any ideas?

Thanks
Ryan
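The following is an added example, not code from the post above and not part of piv-tool or the keysupport-java-api library. It builds the CHUID data object (outer tag 0x53 with the 0x30 FASC-N, 0x34 GUID, 0x35 expiry, 0x3E signature and 0xFE elements shown in the post) with every BER-TLV length recomputed from the actual value, including the outer 0x53 length, which must move to the long form once the body exceeds 127 bytes: with a 2077-byte signature the body is 2138 bytes and the wrapper becomes 53 82 08 5A. It also includes check_chuid(), which parses an object and reports any declared length that disagrees with the data that follows it, the kind of mismatch a tool rejecting an object as "object tag or length not valid" is checking for. The 61-byte short CHUID is taken from the post's read-back; the 2077-byte signature used in the demonstration is a constructed zero-filled placeholder, not a real signature.

```python
# Added example (not from the original post): build and sanity-check a PIV CHUID
# data object with correct BER-TLV lengths, including the outer 0x53 wrapper,
# before handing the raw bytes to piv-tool's -i option.
from typing import List, Tuple

# Short CHUID exactly as read back from the card in the post above (61 bytes).
SAMPLE_CHUID = bytes.fromhex(
    "533b"                                                      # outer tag, length 59
    "3019" "d4e739da739ced39ce739d836858210842108421384210c3f5"  # FASC-N (25 bytes)
    "3410" "376f92e6ea9265850babd69d738b15f0"                    # GUID (16 bytes)
    "3508" "3230333030313031"                                    # expiry "20300101"
    "3e00"                                                       # empty signature
    "fe00"                                                       # error detection code
)

def ber_len(n: int) -> bytes:
    """Encode a BER-TLV length: one byte below 0x80, otherwise 81 xx or 82 xx xx."""
    if n < 0x80:
        return bytes([n])
    if n <= 0xFF:
        return bytes([0x81, n])
    if n <= 0xFFFF:
        return bytes([0x82, n >> 8, n & 0xFF])
    raise ValueError("value too long for a PIV data object")

def read_len(data: bytes, i: int) -> Tuple[int, int]:
    """Decode a BER-TLV length at offset i; return (length, offset of the value)."""
    if i >= len(data):
        raise ValueError("missing length byte")
    first = data[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 2 or i + 1 + n > len(data):
        raise ValueError(f"unsupported or truncated length encoding {first:02x}")
    return int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n

def tlv(tag: int, value: bytes) -> bytes:
    """Single-byte tag + BER length + value."""
    return bytes([tag]) + ber_len(len(value)) + value

def parse_tlvs(data: bytes) -> List[Tuple[int, bytes]]:
    """Parse consecutive single-byte-tag TLVs; raise if a declared length overruns."""
    items, i = [], 0
    while i < len(data):
        tag = data[i]
        length, i = read_len(data, i + 1)
        if i + length > len(data):
            raise ValueError(f"tag {tag:02x} declares {length} bytes but only {len(data) - i} remain")
        items.append((tag, data[i:i + length]))
        i += length
    return items

def build_chuid(fascn: bytes, guid: bytes, expiry: bytes, signature: bytes) -> bytes:
    """Assemble 53 { 30 FASC-N, 34 GUID, 35 expiry, 3E signature, FE } with every
    length recomputed, so a long signature also lengthens the outer wrapper."""
    body = (tlv(0x30, fascn) + tlv(0x34, guid) + tlv(0x35, expiry)
            + tlv(0x3E, signature) + tlv(0xFE, b""))
    return tlv(0x53, body)

def check_chuid(obj: bytes) -> List[int]:
    """Verify that the outer 0x53 length covers exactly the rest of the object and
    that every inner TLV fits; return the inner tags in order."""
    if not obj or obj[0] != 0x53:
        raise ValueError("object does not start with tag 0x53")
    length, i = read_len(obj, 1)
    if i + length != len(obj):
        raise ValueError(f"outer 0x53 declares {length} bytes but {len(obj) - i} follow")
    return [tag for tag, _ in parse_tlvs(obj[i:])]

def fields(obj: bytes) -> dict:
    """Map inner tag -> value for a CHUID that passes check_chuid()."""
    check_chuid(obj)
    _, i = read_len(obj, 1)
    return dict(parse_tlvs(obj[i:]))

if __name__ == "__main__":
    f = fields(SAMPLE_CHUID)
    # Re-encoding the sample with an empty signature reproduces it byte for byte.
    assert build_chuid(f[0x30], f[0x34], f[0x35], b"") == SAMPLE_CHUID
    # Constructed placeholder signature (zeros), same length as the one in the post.
    long_obj = build_chuid(f[0x30], f[0x34], f[0x35], bytes(2077))
    print(long_obj[:8].hex(" "))   # 53 82 08 5a 30 19 d4 e7
    with open("chuid.bin", "wb") as fh:  # then: piv-tool -A A:9B:03 -O 3000 -i chuid.bin
        fh.write(long_obj)
```

Running check_chuid() on the bytes of a 'chuid' file before writing it to the card gives a local diagnosis of any length that does not match its value, with no card access needed.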