On 4/22/2012 6:38 AM, Marc Boorshtein wrote:
All,

I'm trying to get my PIV card to work on a Fedora Core 15 box running opensc:

opensc 0.12.2 [gcc 4.6.0 20110530 (Red Hat 4.6.0-9)]
Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)

I can insert the card, and authenticate to it using my pin. I can add the device to firefox and "login" but no certs show up. When I run pkcs15-tool -D -v I get the following output:

Using reader with a card: Generic CCID Reader 00 00
Connecting to card in reader Generic CCID Reader 00 00...
Using card driver PIV-II for multiple cards.
Trying to find a PKCS#15 compatible card...
Found PIV_II!
PKCS#15 Card [PIV_II]:
        Version        : 0
        Serial number  : d42610d8210c2d5af08815836858210842108421842610d7e4
        Manufacturer ID: piv_II
        Flags          :

Card has 2 PIN code(s).

PIN [PIV Card Holder pin]
        Object Flags   : [0x1], private
        ID             : 01
        Flags          : [0x22], local, needs-padding
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 128
        Type           : ascii-numeric

PIN [PIV PUK]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0xE2], local, needs-padding, unblockingPin, soPin
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 129
        Type           : ascii-numeric

Card has 0 private key(s).
Card has 0 public key(s).
Card has 0 certificate(s).

Reading data object<0>
applicationName: Card Capability Container
Label: Card Capability Container
applicationOID: 2.16.840.1.101.3.7.1.219.0
Path: db00
Data Object (179 bytes): <Removed>

Reading data object<1>
applicationName: Card Holder Unique Identifier
Label: Card Holder Unique Identifier
applicationOID: 2.16.840.1.101.3.7.2.48.0
Path: 3000
Data Object (59 bytes): <removed>

Reading data object<2>
applicationName: Unsigned Card Holder Unique Identifier
Label: Unsigned Card Holder Unique Identifier
applicationOID: 2.16.840.1.101.3.7.2.48.2
Path: 3010
Data object read failed: File not found

Reading data object<3>
applicationName: X.509 Certificate for PIV Authentication
Label: X.509 Certificate for PIV Authentication
applicationOID: 2.16.840.1.101.3.7.2.1.1
Path: 0101
Data object read failed: File not found

Reading data object<4>
applicationName: Cardholder Fingerprints
Label: Cardholder Fingerprints
applicationOID: 2.16.840.1.101.3.7.2.96.16
Path: 6010
Auth ID: 01

Reading data object<5>
applicationName: Printed Information
Label: Printed Information
applicationOID: 2.16.840.1.101.3.7.2.48.1
Path: 3001
Auth ID: 01

Reading data object<6>
applicationName: Cardholder Facial Image
Label: Cardholder Facial Image
applicationOID: 2.16.840.1.101.3.7.2.96.48
Path: 6030
Auth ID: 01

Reading data object<7>
applicationName: X.509 Certificate for Digital Signature
Label: X.509 Certificate for Digital Signature
applicationOID: 2.16.840.1.101.3.7.2.1.0
Path: 0100
Data object read failed: File not found

Reading data object<8>
applicationName: X.509 Certificate for Key Management
Label: X.509 Certificate for Key Management
applicationOID: 2.16.840.1.101.3.7.2.1.2
Path: 0102
Data object read failed: File not found

Reading data object<9>
applicationName: X.509 Certificate for Card Authentication
Label: X.509 Certificate for Card Authentication
applicationOID: 2.16.840.1.101.3.7.2.5.0
Path: 0500
Data object read failed: File not found

Reading data object<10>
applicationName: Security Object
Label: Security Object
applicationOID: 2.16.840.1.101.3.7.2.144.0
Path: 9000
Data Object (12 bytes): <53 0A BA 06 05 30 01 01 DB 00 FE 00>

Reading data object<11>
applicationName: Discovery Object
Label: Discovery Object
applicationOID: 2.16.840.1.101.3.7.2.96.80
Path: 6050
Data Object (20 bytes): <7E 12 4F 0B A0 00 00 03 08 00 00 10 00 01 00 5F 2F 02 40 00>

Reading data object<12>
applicationName: Cardholder Iris Image
Label: Cardholder Iris Image
applicationOID: 2.16.840.1.101.3.7.2.16.21
Path: 1015
Data object read failed: File not found

Any thoughts as to why the certs aren't loading?
Where did you get the card? Has it been issued to you by some U.S. gov agency?

The chuid is only 59 bytes, which would indicate it has not been signed, as with a signature it would be more like 2310 bytes. It may not have certificates.

Based on what I see above, it could also be that the card reader may be CCID, but can't do more than 240 bytes at a time, and is failing to read any object over 240 bytes. See: http://fips201ep.cio.gov/apl.php

I see many "File not found" errors... The PIV card does not have a directory of what is present on the card. Normally it has 4 certificates, 4 keys, and other required objects. The assumption is made that they are present on the card, and only when an attempt is made to read the object will it not be found. This is a big performance improvement for the normal case.

I am attaching a pivdump.sh script that can be used to dump objects from the card to files, that can then be processed at a later time.

If you send me the CHUID, I can decode it.
Thanks
Marc

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
#!/bin/bash
# Dump the objects on a PIV card in the reader
# to the current directory.
# Although pkcs15-tool -C can do this, it dumps
# to the printer.
#
export LD_LIBRARY_PATH=/opt/smartcard/lib
export PATH=/opt/smartcard/bin:$PATH
export MODULE=/opt/smartcard/lib/opensc-pkcs11.so
SLOT=1
P11="pkcs11-tool --slot $SLOT --module $MODULE"
# read a PIV data object by its application OID
PDA="$P11 -r -y data --application-id"
# read a certificate by its PKCS#15 ID
PDC="pkcs15-tool -r"

echo "dumping ccc"
$PDA 2.16.840.1.101.3.7.1.219.0 > ccc
echo "dumping chuid"
$PDA 2.16.840.1.101.3.7.2.48.0 > chuid
#$PDA 2.16.840.1.101.3.7.2.48.2 > uchuid

echo "dumping cert objects"
# X.509 Certificate for PIV Authentication
$PDA 2.16.840.1.101.3.7.2.1.1 > cert.01.object
# X.509 Certificate for Digital Signature
$PDA 2.16.840.1.101.3.7.2.1.0 > cert.02.object
# X.509 Certificate for Key Management
$PDA 2.16.840.1.101.3.7.2.1.2 > cert.03.object
# X.509 Certificate for Card Authentication
$PDA 2.16.840.1.101.3.7.2.5.0 > cert.04.object

echo "dumping security, history, discovery"
$PDA 2.16.840.1.101.3.7.2.144.0 > security.object
$PDA 2.16.840.1.101.3.7.2.96.80 > discovery.object
$PDA 2.16.840.1.101.3.7.2.96.96 > history.object

# The key history object may carry a URL for the offline (retired) certs.
# piv-history is a helper expected on the PATH set above.
URL=`piv-history -u < history.object`
if [ "X$URL" != "X" ] ; then
  FN=`echo "$URL" | sed -e 's?^.*/??'`
  if [ -f "$FN" ] ; then
    echo "using existing $FN"
  else
    echo "retrieve $URL"
    wget "$URL"
  fi
  if [ -f "$FN" ] ; then
    # save in user's .eid/cache (OpenSC needs a better way.)
    mkdir -p "$HOME/.eid/cache"
    rm -f "$HOME/.eid/cache/$FN"
    ln -s "`pwd`/$FN" "$HOME/.eid/cache/$FN"
  fi
fi

# Now that we have retrieved offline certs to .eid/cache/$FN,
# get all the certs, including the history and offline ones.
for ID in `pkcs15-tool -c | grep "^[[:space:]]*ID.*:" | sed -e 's/^.*://'` ; do
  echo "dumping x509 cert $ID"
  $PDC $ID > cert.$ID.pem
done

# next 3 need PIN
echo "Will read PIN 3 times: fingerprints printedinfo and facialimage"
$PDA 2.16.840.1.101.3.7.2.96.16 --login -o fingerprints
$PDA 2.16.840.1.101.3.7.2.48.1 --login -o printedinfo
$PDA 2.16.840.1.101.3.7.2.96.48 --login -o facialimage
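Added example, not part of the thread and not OpenSC code: a small BER-TLV walker in Python for the raw objects pivdump.sh writes out. It parses the Security Object and Discovery Object bytes quoted in the question, checks a CHUID for the issuer signature element (tag 0x3E) whose absence Doug infers from the 59-byte size, and flags an object whose declared length exceeds what the reader actually returned, which is what a reader capped at about 240 bytes would produce. The sample CHUIDs are constructed with placeholder FASC-N, GUID and signature bytes; the tag names are taken from SP 800-73.

```python
"""Inspect raw PIV data objects (BER-TLV per SP 800-73) dumped from a card.

A PIV object is a container tag (0x53, or 0x7E for the Discovery Object)
wrapping a list of tagged elements.  Walking that structure shows whether a
CHUID carries an issuer signature and whether a read came back short.
"""

# Tag names for the elements this example looks at (SP 800-73 Part 1).
TAG_NAMES = {
    0x53: "data object container", 0x7E: "Discovery Object",
    0x4F: "PIV Card Application AID", 0x5F2F: "PIN usage policy",
    0xBA: "mapping of DG to ContainerID", 0xBB: "Security Object (CMS signature)",
    0xFE: "error detection code", 0x30: "FASC-N", 0x34: "GUID",
    0x35: "expiration date", 0x3E: "issuer asymmetric signature",
}

# The two objects exactly as printed in the original question.
DISCOVERY_OBJECT = bytes.fromhex("7E 12 4F 0B A0 00 00 03 08 00 00 10 00 01 00 5F 2F 02 40 00")
SECURITY_OBJECT = bytes.fromhex("53 0A BA 06 05 30 01 01 DB 00 FE 00")


def _read_header(buf, i):
    """Read one BER-TLV tag and length at buf[i]; return (tag, length, value_offset)."""
    tag = buf[i]
    i += 1
    if tag & 0x1F == 0x1F:              # multi-byte tag such as 5F 2F
        while True:
            tag = (tag << 8) | buf[i]
            i += 1
            if not buf[i - 1] & 0x80:
                break
    length = buf[i]
    i += 1
    if length & 0x80:                   # long form: 0x81 nn or 0x82 nn nn
        count = length & 0x7F
        length = int.from_bytes(buf[i:i + count], "big")
        i += count
    return tag, length, i


def parse_tlv(buf):
    """Parse a flat run of TLV elements into [(tag, value_bytes), ...]."""
    items, i = [], 0
    while i < len(buf):
        tag, length, i = _read_header(buf, i)
        if i + length > len(buf):
            raise ValueError("tag 0x%X declares %d bytes, only %d remain" % (tag, length, len(buf) - i))
        items.append((tag, bytes(buf[i:i + length])))
        i += length
    return items


def unwrap(buf, container_tag=0x53):
    """Return the elements inside a single container (0x53, or 0x7E for Discovery)."""
    outer = parse_tlv(buf)
    if len(outer) != 1 or outer[0][0] != container_tag:
        raise ValueError("expected exactly one 0x%X container" % container_tag)
    return parse_tlv(outer[0][1])


def describe(buf, container_tag=0x53):
    """One 'name (tag): N bytes' line per element, for eyeballing a dump."""
    return ["%s (0x%X): %d bytes" % (TAG_NAMES.get(t, "unknown"), t, len(v))
            for t, v in unwrap(buf, container_tag)]


def chuid_is_signed(chuid):
    """True if the CHUID carries a non-empty issuer signature (tag 0x3E)."""
    return any(t == 0x3E and len(v) > 0 for t, v in unwrap(chuid))


def security_object_is_signed(obj):
    """True if the Security Object carries its CMS signature element (tag 0xBB)."""
    return any(t == 0xBB and len(v) > 0 for t, v in unwrap(obj))


def is_truncated(buf):
    """True if the container declares more bytes than were read: the symptom of
    a reader/driver that returns only the first ~240 bytes of an object."""
    _, length, offset = _read_header(buf, 0)
    return offset + length > len(buf)


def _encode_length(n):
    if n < 0x80:
        return bytes([n])
    return bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])


def build_sample_chuid(signed):
    """Constructed CHUID with placeholder values (not from any real card).
    The unsigned form is exactly 59 bytes, the size reported in the thread."""
    fascn = b"\xD4" + bytes(24)                     # 25-byte placeholder FASC-N
    body = bytes([0x30, 25]) + fascn + bytes([0x34, 16]) + bytes(16)   # GUID placeholder
    body += b"\x35\x08" + b"20301231"               # expiration date, ASCII YYYYMMDD
    if signed:
        body += b"\x3E" + _encode_length(300) + bytes(300)   # placeholder for CMS SignedData
    body += b"\xFE\x00"                             # empty error detection code
    return b"\x53" + _encode_length(len(body)) + body


if __name__ == "__main__":
    print("Security Object:", describe(SECURITY_OBJECT), "signed:", security_object_is_signed(SECURITY_OBJECT))
    print("Discovery Object:", describe(DISCOVERY_OBJECT, 0x7E))
    for flag in (False, True):
        c = build_sample_chuid(flag)
        print("CHUID %d bytes, signed=%s, short read looks truncated=%s"
              % (len(c), chuid_is_signed(c), is_truncated(c[:240])))
```

Run it against the files the script above writes (for example `chuid_is_signed(open("chuid", "rb").read())`) to confirm what a 59-byte CHUID contains, and `is_truncated()` on any cert.NN.object that came back suspiciously small to distinguish a missing object from a reader that stops at 240 bytes.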