From: Douglas E E. <dee...@gm...> - 2015-12-07 17:52:37
<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> Looking at keysupport/nist80073/datamodel/PIVCardHolderUniqueID.java <br> it looks like getEncoded() <br> does an encode(). <br> <br> But the encode() line 203 does:<br> this.chuid = baos.toByteArray();<br> <br> but this does not have the PIV_DATA TLV that piv-tool is expecting. <br> <br> ./nist80073/cardedge/PIVDataTempl.java encode will add this:<br> <br> 111 TLV _data = BERTLVFactory.encodeTLV(new Tag(Tag.PIV_DATA), this.data);<br> <br> <br> <br> <div class="moz-cite-prefix">On 12/7/2015 1:42 AM, Ryan Chapman wrote:<br> </div> <blockquote cite="mid:CAE...@ma..." type="cite"> <div dir="ltr">Hi, <div><br> </div> <div>I'm trying to get an asymmetric CHUID signature on a PIV card, in this case a Yubikey NEO. The FIPS 201 standard requires it, but yubkey-piv-tool only supports writing a random chuid to the card.</div> <div>The basic question is... does someone have an example program that, given a signing certificate and associated private key, can write the asymmetric key to a PIV card??</div> <div><br> </div> <div>I'm close, but am stuck on long CHUIDs. 
I can write a short length one successfully, but the longer one required for the asymmetric key is failing.</div> <div><br> </div> <div>Now a little more detail on what I've got so far, if anyone cares...</div> <div>I've been using the piv-tool program to write a short CHUID like so:</div> <div><br> </div> <div># Check current CHUID</div> <div> <div>$ piv-tool -A A:9B:03 -s "00:CB:3F:FF:05:5C:03:5F:C1:02:00"</div> <div>Using reader with a card: Yubico Yubikey NEO CCID</div> <div>Sending: 00 CB 3F FF 05 5C 03 5F C1 02 00</div> <div>Received (SW1=0x90, SW2=0x00):</div> <div>53 3B 30 19 D4 E7 39 DA 73 9C ED 39 CE 73 9D 83 S;0...9.s..9.s..</div> <div>68 58 21 08 42 10 84 21 38 42 10 C3 F5 34 10 78 hX!.B..!8B...4.x</div> <div>E1 97 B4 5A CA C0 1A 82 64 63 A9 92 3B 56 26 35 ...Z....dc..;V&5</div> <div>08 32 30 33 30 30 31 30 31 3E 00 FE 00 .20300101>...</div> <div><br> </div> <div># Write desired CHUID to file 'chuid'</div> <div>$ X="53:3B:30:19:D4:E7:39:DA:73:9C:ED:39:CE:73:9D:83:68:58:21:08:42:10:84:21:38:42:10:C3:F5:34:10:37:6F:92:E6:EA:92:65:85:0B:AB:D6:9D:73:8B:15:F0:35:08:32:30:33:30:30:31:30:31:3E:00:FE:00"</div> <div><br> </div> <div>$ (OLDIFS=$IFS; IFS=:; for x in $X; do echo 0x$x | awk '{printf "%c", $1}'; done; IFS=$OLDIFS ) > chuid<br> </div> <div><br> </div> <div># Write chuid file to the Yubikey</div> <div>$ piv-tool -A A:9B:03 -O 3000 -i chuid</div> <div>Using reader with a card: Yubico Yubikey NEO CCID</div> <div><br> </div> <div># Verify it worked... 
appears to have worked</div> <div>$ piv-tool -A A:9B:03 -s "00:CB:3F:FF:05:5C:03:5F:C1:02:00"</div> <div>Using reader with a card: Yubico Yubikey NEO CCID</div> <div>Sending: 00 CB 3F FF 05 5C 03 5F C1 02 00</div> <div>Received (SW1=0x90, SW2=0x00):</div> <div>53 3B 30 19 D4 E7 39 DA 73 9C ED 39 CE 73 9D 83 S;0...9.s..9.s..</div> <div>68 58 21 08 42 10 84 21 38 42 10 C3 F5 34 10 37 hX!.B..!8B...4.7</div> <div>6F 92 E6 EA 92 65 85 0B AB D6 9D 73 8B 15 F0 35 o....e.....s...5</div> <div>08 32 30 33 30 30 31 30 31 3E 00 FE 00 .20300101>...</div> </div> <div><br> </div> <div>TLV '3E' is where the asymmetric signature goes. Above, look at the last four bytes '3E 00 FE 00'; the '3E 00' signifies a null asymmetric signature.</div> <div><br> </div> <div>I loaded my cert authority's pub/private keypair in the Java keystore, then used the library at <a class="moz-txt-link-freetext" href="https://code.google.com/p/keysupport-java-api/">https://code.google.com/p/keysupport-java-api/</a> to generate the CHUID signature, which ends up being 2077 (0x81D) bytes, a little strange, but ok.</div> <div><br> </div> <div>I then try the same thing as before, but encode the '3E' TLV as such:</div> <div>3E 82 08 1D .. .. &lt;total of 2077 bytes for CHUID asymmetric signature payload&gt; .. ..</div> <div>82 08 1D is BER-TLV to indicate 2077 bytes</div> <div><br> </div> <div>What ended up in the 'chuid' file:</div> <div>53 3b 30 19 d4 e7 39 da 73 9c ed 39 ce 73 9d 83 68 58 21 08 42 10 84 21 38 42 10 c3 f5 34 10 05 9b 23 97 21 6e ee b0 2d b8 d6 01 0a 69 99 3c 35 08 32 30 33 30 30 31 30 31 3e 82 08 1d .. .. &lt;2077 bytes for asymm signature&gt; .. .. 
fe 00<br> </div> <div><br> </div> <div>When I attempt to write the 'chuid' file using piv-tools, I get this error:</div> <div><br> </div> <div> <div>$ piv-tool -A A:9B:03 -O 3000 -i chuid</div> <div>Using reader with a card: Yubico Yubikey NEO CCID</div> <div>object tag or length not valid</div> </div> <div><br> </div> <div>I'm hoping I missed something elementary. Any ideas?</div> <div><br> </div> <div>Thanks</div> <div><br> </div> <div>Ryan</div> <div><br> </div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Opensc-devel mailing list <a class="moz-txt-link-abbreviated" href="mailto:Ope...@li...">Ope...@li...</a> <a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/opensc-devel">https://lists.sourceforge.net/lists/listinfo/opensc-devel</a> </pre> </blockquote> <br> <pre class="moz-signature" cols="200">-- Douglas E. Engert <a class="moz-txt-link-rfc2396E" href="mailto:DEE...@gm..."><DEE...@gm...></a> </pre> </body> </html>
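Added example, not code from the thread, from piv-tool or from the keysupport library: a small BER-TLV encoder/decoder that rebuilds the short CHUID read back above from its child TLVs, then shows what the outer PIV_DATA (0x53) header must become once the 2077-byte asymmetric signature sits in tag 0x3E. The FASC-N, GUID and expiry bytes are copied from the second read-back in the thread; the signature is a constructed zero-filled placeholder.

```python
# Added example (not from the thread, piv-tool or keysupport): minimal BER-TLV
# encode/decode for the PIV CHUID object discussed in the thread.

def encode_length(n: int) -> bytes:
    """BER length octets: short form below 0x80, else 0x81/0x82 prefix."""
    if n < 0x80:
        return bytes([n])
    if n <= 0xFF:
        return bytes([0x81, n])
    if n <= 0xFFFF:
        return bytes([0x82]) + n.to_bytes(2, "big")
    raise ValueError("length too large for a PIV data object")

def encode_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value

def decode_tlvs(data: bytes) -> list:
    """Parse consecutive single-byte-tag TLVs; reject truncated or bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("object tag or length not valid")
        tag, first, i = data[i], data[i + 1], i + 2
        if first < 0x80:
            length = first
        else:
            n = first & 0x7F
            if n not in (1, 2) or i + n > len(data):
                raise ValueError("object tag or length not valid")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("object tag or length not valid")
        out.append((tag, data[i:i + length]))
        i += length
    return out

# CHUID children as read back in the thread: FASC-N (0x30), GUID (0x34),
# expiration date (0x35). Signature (0x3E) and error-detection code (0xFE)
# are appended by build_chuid; the signature value is a constructed placeholder.
FASC_N = bytes.fromhex("D4E739DA739CED39CE739D836858210842108421384210C3F5")
GUID = bytes.fromhex("376F92E6EA9265850BABD69D738B15F0")
EXPIRY = b"20300101"

def build_chuid(signature: bytes) -> bytes:
    """Wrap the children in the PIV_DATA (0x53) TLV that the Java encode() omits."""
    inner = (encode_tlv(0x30, FASC_N) + encode_tlv(0x34, GUID)
             + encode_tlv(0x35, EXPIRY) + encode_tlv(0x3E, signature)
             + encode_tlv(0xFE, b""))
    return encode_tlv(0x53, inner)
```

With an empty signature build_chuid reproduces the 61-byte object read back above byte for byte; with a 2077-byte signature the inner value grows to 2138 bytes, so the outer header has to be 53 82 08 5A rather than the 53 3B that still heads the 'chuid' file in the thread.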