From: Ryan C. <ry...@rc...> - 2015-12-12 07:52:14
Thanks for the pointers Douglas. You were right--the size of the CHUID object was incorrect (53 <length> xx xx xx). I was able to use the function you suggested in PIVDataTempl.java to encode the signed CHUID and then use piv-tool to load it successfully.

On Dec 7, 2015, at 10:44 AM, Douglas E Engert <dee...@gm...> wrote:

> looking at keysupport/nist80073/datamodel/PIVCardHolderUniqueID.java
> it looks like getEncoded()
> does an encode().
>
> But the encode() line 203 does:
> this.chuid = baos.toByteArray();
>
> but this does not have the PIV_DATA TLV that piv-tool is expecting.
>
> ./nist80073/cardedge/PIVDataTempl.java encode will add this:
>
> 111 TLV _data = BERTLVFactory.encodeTLV(new Tag(Tag.PIV_DATA), this.data);
>
>
> On 12/7/2015 1:42 AM, Ryan Chapman wrote:
>> Hi,
>>
>> I'm trying to get an asymmetric CHUID signature on a PIV card, in this case a Yubikey NEO. The FIPS 201 standard requires it, but yubikey-piv-tool only supports writing a random chuid to the card.
>> The basic question is... does someone have an example program that, given a signing certificate and associated private key, can write the asymmetric key to a PIV card?
>>
>> I'm close, but am stuck on long CHUIDs. I can write a short length one successfully, but the longer one required for the asymmetric key is failing.
>>
>> Now a little more detail on what I've got so far, if anyone cares...
>> I've been using the piv-tool program to write a short CHUID like so:
>>
>> # Check current CHUID
>> $ piv-tool -A A:9B:03 -s "00:CB:3F:FF:05:5C:03:5F:C1:02:00"
>> Using reader with a card: Yubico Yubikey NEO CCID
>> Sending: 00 CB 3F FF 05 5C 03 5F C1 02 00
>> Received (SW1=0x90, SW2=0x00):
>> 53 3B 30 19 D4 E7 39 DA 73 9C ED 39 CE 73 9D 83 S;0...9.s..9.s..
>> 68 58 21 08 42 10 84 21 38 42 10 C3 F5 34 10 78 hX!.B..!8B...4.x
>> E1 97 B4 5A CA C0 1A 82 64 63 A9 92 3B 56 26 35 ...Z....dc..;V&5
>> 08 32 30 33 30 30 31 30 31 3E 00 FE 00 .20300101>...
>>
>> # Write desired CHUID to file 'chuid'
>> $ X="53:3B:30:19:D4:E7:39:DA:73:9C:ED:39:CE:73:9D:83:68:58:21:08:42:10:84:21:38:42:10:C3:F5:34:10:37:6F:92:E6:EA:92:65:85:0B:AB:D6:9D:73:8B:15:F0:35:08:32:30:33:30:30:31:30:31:3E:00:FE:00"
>>
>> $ (OLDIFS=$IFS; IFS=:; for x in $X; do echo 0x$x | awk '{printf "%c", $1}'; done; IFS=$OLDIFS ) > chuid
>>
>> # Write chuid file to the Yubikey
>> $ piv-tool -A A:9B:03 -O 3000 -i chuid
>> Using reader with a card: Yubico Yubikey NEO CCID
>>
>> # Verify it worked... appears to have worked
>> $ piv-tool -A A:9B:03 -s "00:CB:3F:FF:05:5C:03:5F:C1:02:00"
>> Using reader with a card: Yubico Yubikey NEO CCID
>> Sending: 00 CB 3F FF 05 5C 03 5F C1 02 00
>> Received (SW1=0x90, SW2=0x00):
>> 53 3B 30 19 D4 E7 39 DA 73 9C ED 39 CE 73 9D 83 S;0...9.s..9.s..
>> 68 58 21 08 42 10 84 21 38 42 10 C3 F5 34 10 37 hX!.B..!8B...4.7
>> 6F 92 E6 EA 92 65 85 0B AB D6 9D 73 8B 15 F0 35 o....e.....s...5
>> 08 32 30 33 30 30 31 30 31 3E 00 FE 00 .20300101>...
>>
>> TLV '3E' is where the asymmetric signature goes. Above, look at the last four bytes '3E 00 FE 00'; the '3E 00' signifies a null asymmetric signature.
>>
>> I loaded my cert authority's pub/private keypair in the java keystore, then used the library at https://code.google.com/p/keysupport-java-api/ to generate the CHUID signature, which ends up being 2077 (0x81D) bytes, a little strange, but ok.
>>
>> I then try the same thing as before, but encode the '3E' TLV as such:
>> 3E 82 08 1D .. .. <total of 2077 bytes for CHUID asymmetric signature payload> .. ..
>> 82 08 1D is BER-TLV to indicate 2077 bytes
>>
>> What ended up in the 'chuid' file:
>> 53 3b 30 19 d4 e7 39 da 73 9c ed 39 ce 73 9d 83 68 58 21 08 42 10 84 21 38 42 10 c3 f5 34 10 05 9b 23 97 21 6e ee b0 2d b8 d6 01 0a 69 99 3c 35 08 32 30 33 30 30 31 30 31 3e 82 08 1d .. .. <2077 bytes for asymm signature> .. .. fe 00
>>
>> When I attempt to write the 'chuid' file using piv-tool, I get this error:
>>
>> $ piv-tool -A A:9B:03 -O 3000 -i chuid
>> Using reader with a card: Yubico Yubikey NEO CCID
>> object tag or length not valid
>>
>> I'm hoping I missed something elementary. Any ideas?
>>
>> Thanks
>>
>> Ryan
>>
>> _______________________________________________
>> Opensc-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
> --
>
> Douglas E. Engert <DEE...@gm...>
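The resolution of the thread is that the outer PIV_DATA (0x53) length must be re-encoded once a 2077-byte signature replaces the null 3E 00; the following is an added example (not the keysupport library's or OpenSC's code) that assembles a CHUID object with correct BER-TLV lengths and applies the tag/length consistency check that piv-tool's error message refers to. The FASC-N, GUID and signature bytes are constructed placeholders; the check is my reconstruction of the rule, not OpenSC's implementation.

```python
# Added example: BER-TLV length encoding for the PIV CHUID object (SP 800-73
# tags 30, 34, 35, 3E, FE inside PIV_DATA 53). Sample values are constructed.

def ber_len(n: int) -> bytes:
    """Encode a BER-TLV length: one byte below 0x80, else 0x80|N then N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def chuid_content(fascn: bytes, guid: bytes, expiry: bytes, signature: bytes) -> bytes:
    """Inner CHUID elements; an empty signature yields the '3E 00' seen on the card."""
    return (tlv(0x30, fascn) + tlv(0x34, guid) + tlv(0x35, expiry)
            + tlv(0x3E, signature) + tlv(0xFE, b""))

def build_chuid(fascn: bytes, guid: bytes, expiry: bytes, signature: bytes) -> bytes:
    """Wrap the content in PIV_DATA (0x53), re-encoding the outer length."""
    return tlv(0x53, chuid_content(fascn, guid, expiry, signature))

def parse_len(buf: bytes, pos: int):
    """Return (length, position after the length field); reject malformed forms."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(buf):
        raise ValueError("object tag or length not valid")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes

def check_piv_object(obj: bytes) -> bool:
    """Reconstructed check: tag must be 0x53 and declared length must equal the payload."""
    if not obj or obj[0] != 0x53:
        return False
    length, pos = parse_len(obj, 1)
    return length == len(obj) - pos

# Constructed sample inputs sized like the thread's dump: 25-byte FASC-N, 16-byte GUID,
# 8-byte expiry "20300101", and a 2077-byte dummy signature standing in for the real one.
FASCN = bytes(range(0xD4, 0xD4 + 25))
GUID = bytes(range(16))
EXPIRY = b"20300101"
DUMMY_SIG = b"\xAA" * 2077
```

With the null signature the object header comes out as 53 3B, matching the dump in the thread; with the 2077-byte signature it becomes 53 82 08 5A, and an object that keeps the old 3B header in front of the longer payload fails the check.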