From: Ryan C. <ry...@rc...> - 2015-12-07 08:07:24
Hi,
I'm trying to get an asymmetric CHUID signature on a PIV card, in this case
a Yubikey NEO. The FIPS 201 standard requires it, but yubikey-piv-tool only
supports writing a random chuid to the card.
The basic question is... does someone have an example program that, given a
signing certificate and associated private key, can write the asymmetric
key to a PIV card?
I'm close, but am stuck on long CHUIDs. I can write a short length one
successfully, but the longer one required for the asymmetric key is failing.
Now a little more detail on what I've got so far, if anyone cares...
I've been using the piv-tool program to write a short CHUID like so:
# Check current CHUID
$ piv-tool -A A:9B:03 -s "00:CB:3F:FF:05:5C:03:5F:C1:02:00"
Using reader with a card: Yubico Yubikey NEO CCID
Sending: 00 CB 3F FF 05 5C 03 5F C1 02 00
Received (SW1=0x90, SW2=0x00):
53 3B 30 19 D4 E7 39 DA 73 9C ED 39 CE 73 9D 83 S;0...9.s..9.s..
68 58 21 08 42 10 84 21 38 42 10 C3 F5 34 10 78 hX!.B..!8B...4.x
E1 97 B4 5A CA C0 1A 82 64 63 A9 92 3B 56 26 35 ...Z....dc..;V&5
08 32 30 33 30 30 31 30 31 3E 00 FE 00 .20300101>...
# Write desired CHUID to file 'chuid'
$ X="53:3B:30:19:D4:E7:39:DA:73:9C:ED:39:CE:73:9D:83:68:58:21:08:42:10:84:21:38:42:10:C3:F5:34:10:37:6F:92:E6:EA:92:65:85:0B:AB:D6:9D:73:8B:15:F0:35:08:32:30:33:30:30:31:30:31:3E:00:FE:00"
$ (OLDIFS=$IFS; IFS=:; for x in $X; do echo 0x$x | awk '{printf "%c", $1}'; done; IFS=$OLDIFS ) > chuid
# Write chuid file to the Yubikey
$ piv-tool -A A:9B:03 -O 3000 -i chuid
Using reader with a card: Yubico Yubikey NEO CCID
# Verify it worked... appears to have worked
$ piv-tool -A A:9B:03 -s "00:CB:3F:FF:05:5C:03:5F:C1:02:00"
Using reader with a card: Yubico Yubikey NEO CCID
Sending: 00 CB 3F FF 05 5C 03 5F C1 02 00
Received (SW1=0x90, SW2=0x00):
53 3B 30 19 D4 E7 39 DA 73 9C ED 39 CE 73 9D 83 S;0...9.s..9.s..
68 58 21 08 42 10 84 21 38 42 10 C3 F5 34 10 37 hX!.B..!8B...4.7
6F 92 E6 EA 92 65 85 0B AB D6 9D 73 8B 15 F0 35 o....e.....s...5
08 32 30 33 30 30 31 30 31 3E 00 FE 00 .20300101>...
TLV '3E' is where the asymmetric signature goes. Above, look at the last
four bytes '3E 00 FE 00'; the '3E 00' signifies a null asymmetric signature.
I loaded my cert authority's pub/private keypair in the java keystore, then
used the library at https://code.google.com/p/keysupport-java-api/ to
generate the CHUID signature, which ends up being 2077 (0x81D) bytes, a
little strange, but ok.
I then try the same thing as before, but encode the '3E' TLV as such:
3E 82 08 1D .. .. <total of 2077 bytes for CHUID asymmetric signature
payload> .. ..
82 08 1D is BER-TLV to indicate 2077 bytes
What ended up in the 'chuid' file:
53 3b 30 19 d4 e7 39 da 73 9c ed 39 ce 73 9d 83 68 58 21 08 42 10 84 21 38
42 10 c3 f5 34 10 05 9b 23 97 21 6e ee b0 2d b8 d6 01 0a 69 99 3c 35 08 32
30 33 30 30 31 30 31 3e 82 08 1d .. .. <2077 bytes for asymm signature> ..
.. fe 00
When I attempt to write the 'chuid' file using piv-tools, I get this error:
$ piv-tool -A A:9B:03 -O 3000 -i chuid
Using reader with a card: Yubico Yubikey NEO CCID
object tag or length not valid
I'm hoping I missed something elementary. Any ideas?
Thanks
Ryan
From: Douglas E E. <dee...@gm...> - 2015-12-07 13:29:07
The encoding does not look correct. The 53 tag should be followed by the
length of the rest of the object including the signature, and FE:00
on the end.
An example from the NIST demo card 1 where this is in the CHUID:
Expiration: 20301231
FASCN: ;3201=0295=759494=1=1=6464979587132011?8
FASCN-HEX: D6501858289D6DCACC9325A16859A46927C9D45C86501843E2
GUID: 00000000000000000000000000000000

The chuid is of length 2315 (0x090b)
The tag 53 has length 82 (two byte length following)
0907 is the length of the rest of the data
0907 + 4 (length of (tag and length bytes)) = 2315

$ od -t x1 < chuid
0000000 53 82 09 07 30 19 d6 50 18 58 28 9d 6d ca cc 93
0000020 25 a1 68 59 a4 69 27 c9 d4 5c 86 50 18 43 e2 34
0000040 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000060 00 35 08 32 30 33 30 31 32 33 31 3e 82 08 ca 30
0000100 82 08 c6 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82
0000120 08 b7 30 82 08 b3 02 01 03 31 0f 30 0d 06 09 60
0000140 86 48 01 65 03 04 02 01 05 00 30 0a 06 08 60 86
0000160 48 01 65 03 06 01 a0 82 06 09 30 82 06 05 30 82
0000200 04 ed a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86
0000220 48 86 f7 0d 01 01 0b 05 00 30 72 31 0b 30 09 06
0000240 03 55 04 06 13 02 55 53 31 1f 30 1d 06 03 55 04
0000260 0a 13 16 54 65 73 74 20 43 65 72 74 69 66 69 63
0000300 61 74 65 73 20 32 30 31 30 31 10 30 0e 06 03 55
0000320 04 0b 13 07 54 65 73 74 20 43 41 31 30 30 2e 06
0000340 03 55 04 03 13 27 54 65 73 74 20 52 53 41 20 32
0000360 30 34 38 2d 62 69 74 20 43 41 20 66 6f 72 20 54
...
0004340 55 8d af 92 94 3d 16 b3 b3 60 32 f5 12 16 53 db
0004360 39 68 b7 3c fd 45 1f aa 31 f0 4a 31 d5 47 a1 36
0004400 22 d5 53 dd 5a c2 6c a7 53 fe 00
0004413

Note NEO may have length restrictions on objects. At least the NEO
3 did.
The NEO 4 may not, I have not tried this yet.

--
Douglas E. Engert <DEE...@gm...>

_______________________________________________
Opensc-devel mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/opensc-devel
From: Douglas E E. <dee...@gm...> - 2015-12-07 17:52:37
Looking at keysupport/nist80073/datamodel/PIVCardHolderUniqueID.java
it looks like getEncoded()
does an encode().

But the encode() line 203 does:
this.chuid = baos.toByteArray();

but this does not have the PIV_DATA TLV that piv-tool is
expecting.

./nist80073/cardedge/PIVDataTempl.java encode will add this:

111 TLV _data = BERTLVFactory.encodeTLV(new Tag(Tag.PIV_DATA), this.data);

--
Douglas E. Engert <DEE...@gm...>
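The two points Douglas makes in this thread (the outer 53 tag must carry a BER length covering everything after it, signature and FE 00 included, and keysupport's CHUID encode() omits that PIV_DATA wrapper) can be checked offline. The following is an added example for this thread, not code from OpenSC, piv-tool or keysupport-java-api. It implements the BER-TLV length rules, rebuilds the CHUID data object, and validates any 53-wrapped object the way piv-tool's "object tag or length not valid" check implies. The sample input reuses the CHUID bytes Ryan posted; the 2077-byte signature is a constructed all-zero placeholder standing in for the real CMS signature, and the function and constant names are my own choice.

```python
# Added example (not from the thread, OpenSC, piv-tool or keysupport-java-api):
# BER-TLV length handling for the PIV CHUID data object, and a validator for
# the outer 0x53 (PIV data object) length that piv-tool -O expects.
from typing import Dict, List, Tuple

PIV_DATA_TAG = 0x53
# CHUID element tags (NIST SP 800-73 data model).
CHUID_TAG_NAMES = {
    0x30: "FASC-N",
    0x34: "GUID",
    0x35: "Expiration Date",
    0x3E: "Issuer Asymmetric Signature",
    0xFE: "Error Detection Code",
}


def encode_length(n: int) -> bytes:
    """BER definite length: one byte below 128, otherwise 0x80|k followed by k bytes."""
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")  # 2077 -> 08 1D, 2311 -> 09 07
    return bytes([0x80 | len(body)]) + body


def decode_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, offset of the first value byte) for the length field at pos."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or pos + 1 + nbytes > len(buf):
        raise ValueError("indefinite or truncated BER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def encode_tlv(tag: int, value: bytes) -> bytes:
    """Single-byte tag + BER length + value (enough for every CHUID element)."""
    return bytes([tag]) + encode_length(len(value)) + value


def build_chuid(fascn: bytes, guid: bytes, expiration: bytes, signature: bytes) -> bytes:
    """Assemble the CHUID elements and wrap them in the 0x53 PIV data object."""
    inner = (encode_tlv(0x30, fascn) + encode_tlv(0x34, guid)
             + encode_tlv(0x35, expiration) + encode_tlv(0x3E, signature)
             + encode_tlv(0xFE, b""))
    return encode_tlv(PIV_DATA_TAG, inner)


def parse_tlvs(buf: bytes) -> List[Tuple[int, bytes]]:
    """Walk a sequence of single-byte-tag TLVs, refusing any that overrun the buffer."""
    out, pos = [], 0
    while pos < len(buf):
        tag = buf[pos]
        length, pos = decode_length(buf, pos + 1)
        if pos + length > len(buf):
            raise ValueError(f"tag {tag:02X}: length {length} overruns the object")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def check_piv_object(obj: bytes) -> Dict[str, object]:
    """Compare the declared 0x53 length with the bytes actually present after it."""
    if not obj or obj[0] != PIV_DATA_TAG:
        raise ValueError("object does not start with the 0x53 PIV data tag")
    declared, start = decode_length(obj, 1)
    actual = len(obj) - start
    report: Dict[str, object] = {"declared": declared, "actual": actual,
                                 "ok": declared == actual, "elements": {}}
    if declared == actual:  # only then is the inner TLV sequence trustworthy
        for tag, val in parse_tlvs(obj[start:]):
            report["elements"][CHUID_TAG_NAMES.get(tag, f"{tag:02X}")] = len(val)
    return report


# Sample input: the short CHUID Ryan read back from the card (bytes from the thread).
RYAN_SHORT_CHUID = bytes.fromhex(
    "53 3B 30 19 D4 E7 39 DA 73 9C ED 39 CE 73 9D 83 "
    "68 58 21 08 42 10 84 21 38 42 10 C3 F5 34 10 37 "
    "6F 92 E6 EA 92 65 85 0B AB D6 9D 73 8B 15 F0 35 "
    "08 32 30 33 30 30 31 30 31 3E 00 FE 00")

# Constructed placeholder for the 2077-byte CMS signature (all zeros, not a real signature).
FAKE_SIGNATURE = bytes(2077)
FASCN = bytes.fromhex("D4 E7 39 DA 73 9C ED 39 CE 73 9D 83 68 58 21 08 42 10 84 21 38 42 10 C3 F5")
GUID = bytes.fromhex("05 9B 23 97 21 6E EE B0 2D B8 D6 01 0A 69 99 3C")

# Ryan's failing file: the inner TLVs are right, but the outer length is still 0x3B.
RYAN_LONG_FILE = (bytes.fromhex("53 3B ") + encode_tlv(0x30, FASCN) + encode_tlv(0x34, GUID)
                  + encode_tlv(0x35, b"20300101") + encode_tlv(0x3E, FAKE_SIGNATURE)
                  + bytes.fromhex("FE 00"))


def fixed_long_file() -> bytes:
    """Same elements, re-wrapped with a correct 0x53 length (53 82 08 5A ...)."""
    return build_chuid(FASCN, GUID, b"20300101", FAKE_SIGNATURE)


if __name__ == "__main__":
    for name, blob in (("short", RYAN_SHORT_CHUID), ("long-broken", RYAN_LONG_FILE),
                       ("long-fixed", fixed_long_file())):
        print(name, check_piv_object(blob))
```

Running it reports the short CHUID as consistent (declared 59, actual 59), Ryan's long file as inconsistent (declared 59, actual 2138), and the rebuilt object as consistent with a 2077-byte signature element; the rebuilt header is 53 82 08 5A, which is the same arithmetic Douglas shows for the NIST demo card (82 09 07 for 2311 inner bytes, 2315 in total). In the real flow the signature value is the CMS SignedData produced by keysupport, and whether the Yubikey accepts an object this large is the separate size question Douglas raises.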
From: Ryan C. <ry...@rc...> - 2015-12-12 07:52:14
Thanks for the pointers Douglas. You were right--the size of the CHUID object was incorrect (53 <length> xx xx xx). I was able to use the function you suggested in PIVDataTempl.java to encode the signed CHUID and then use piv-tool to load it successfully.
On Dec 7, 2015, at 10:44 AM, Douglas E Engert <dee...@gm...> wrote:
> looking at keysupport/nist80073/datamodel/PIVCardHolderUniqueID.java
> it looks like getEncoded()
> does an encode().
>
> But the encode() line 203 does:
> this.chuid = baos.toByteArray();
>
> but this does not have the PIV_DATA TLV that piv-tool is expecting.
>
> ./nist80073/cardedge/PIVDataTempl.java encode will add this:
>
> 111 TLV _data = BERTLVFactory.encodeTLV(new Tag(Tag.PIV_DATA), this.data);
>
>