Yes, it's a US gov agency card. I can use it to get into the building using multi-factor, so I would be shocked if it didn't have a certificate. The reader is an Omnikey 3021.
I'll run the script tonight.

Thanks
Marc

Sent from my iPhone

On Apr 23, 2012, at 10:14 AM, "Douglas E. Engert" <deeng...@anl.gov> wrote:

> On 4/22/2012 6:38 AM, Marc Boorshtein wrote:
>> All,
>>
>> I'm trying to get my PIV card to work on a Fedora Core 15 box running opensc:
>>
>> opensc 0.12.2 [gcc 4.6.0 20110530 (Red Hat 4.6.0-9)]
>> Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)
>>
>> I can insert the card, and authenticate to it using my PIN. I can add
>> the device to Firefox and "login" but no certs show up. When I run
>> pkcs15-tool -D -v I get the following output:
>>
>> Using reader with a card: Generic CCID Reader 00 00
>> Connecting to card in reader Generic CCID Reader 00 00...
>> Using card driver PIV-II for multiple cards.
>> Trying to find a PKCS#15 compatible card...
>> Found PIV_II!
>> PKCS#15 Card [PIV_II]:
>> Version : 0
>> Serial number : d42610d8210c2d5af08815836858210842108421842610d7e4
>> Manufacturer ID: piv_II
>> Flags :
>>
>> Card has 2 PIN code(s).
>>
>> PIN [PIV Card Holder pin]
>> Object Flags : [0x1], private
>> ID : 01
>> Flags : [0x22], local, needs-padding
>> Length : min_len:4, max_len:8, stored_len:8
>> Pad char : 0xFF
>> Reference : 128
>> Type : ascii-numeric
>>
>> PIN [PIV PUK]
>> Object Flags : [0x1], private
>> ID : 02
>> Flags : [0xE2], local, needs-padding, unblockingPin, soPin
>> Length : min_len:4, max_len:8, stored_len:8
>> Pad char : 0xFF
>> Reference : 129
>> Type : ascii-numeric
>>
>> Card has 0 private key(s).
>>
>> Card has 0 public key(s).
>>
>> Card has 0 certificate(s).
>>
>> Reading data object<0>
>> applicationName: Card Capability Container
>> Label: Card Capability Container
>> applicationOID: 2.16.840.1.101.3.7.1.219.0
>> Path: db00
>> Data Object (179 bytes):<Removed>
>> Reading data object<1>
>> applicationName: Card Holder Unique Identifier
>> Label: Card Holder Unique Identifier
>> applicationOID: 2.16.840.1.101.3.7.2.48.0
>> Path: 3000
>> Data Object (59 bytes):< removed>
>> Reading data object<2>
>> applicationName: Unsigned Card Holder Unique Identifier
>> Label: Unsigned Card Holder Unique Identifier
>> applicationOID: 2.16.840.1.101.3.7.2.48.2
>> Path: 3010
>> Data object read failed: File not found
>> Reading data object<3>
>> applicationName: X.509 Certificate for PIV Authentication
>> Label: X.509 Certificate for PIV Authentication
>> applicationOID: 2.16.840.1.101.3.7.2.1.1
>> Path: 0101
>> Data object read failed: File not found
>> Reading data object<4>
>> applicationName: Cardholder Fingerprints
>> Label: Cardholder Fingerprints
>> applicationOID: 2.16.840.1.101.3.7.2.96.16
>> Path: 6010
>> Auth ID: 01
>> Reading data object<5>
>> applicationName: Printed Information
>> Label: Printed Information
>> applicationOID: 2.16.840.1.101.3.7.2.48.1
>> Path: 3001
>> Auth ID: 01
>> Reading data object<6>
>> applicationName: Cardholder Facial Image
>> Label: Cardholder Facial Image
>> applicationOID: 2.16.840.1.101.3.7.2.96.48
>> Path: 6030
>> Auth ID: 01
>> Reading data object<7>
>> applicationName: X.509 Certificate for Digital Signature
>> Label: X.509 Certificate for Digital Signature
>> applicationOID: 2.16.840.1.101.3.7.2.1.0
>> Path: 0100
>> Data object read failed: File not found
>> Reading data object<8>
>> applicationName: X.509 Certificate for Key Management
>> Label: X.509 Certificate for Key Management
>> applicationOID: 2.16.840.1.101.3.7.2.1.2
>> Path: 0102
>> Data object read failed: File not found
>> Reading data object<9>
>> applicationName: X.509 Certificate for Card Authentication
>> Label: X.509 Certificate for Card Authentication
>> applicationOID: 2.16.840.1.101.3.7.2.5.0
>> Path: 0500
>> Data object read failed: File not found
>> Reading data object<10>
>> applicationName: Security Object
>> Label: Security Object
>> applicationOID: 2.16.840.1.101.3.7.2.144.0
>> Path: 9000
>> Data Object (12 bytes):< 53 0A BA 06 05 30 01 01 DB 00 FE 00>
>> Reading data object<11>
>> applicationName: Discovery Object
>> Label: Discovery Object
>> applicationOID: 2.16.840.1.101.3.7.2.96.80
>> Path: 6050
>> Data Object (20 bytes):< 7E 12 4F 0B A0 00 00 03 08 00 00 10 00 01 00
>> 5F 2F 02 40 00>
>> Reading data object<12>
>> applicationName: Cardholder Iris Image
>> Label: Cardholder Iris Image
>> applicationOID: 2.16.840.1.101.3.7.2.16.21
>> Path: 1015
>> Data object read failed: File not found
>>
>> Any thoughts as to why the certs aren't loading?
>
> Where did you get the card? Has it been issued to you by some U.S. gov agency?
> The CHUID is only 59 bytes, which would indicate it has not been signed, as
> with a signature it would be more like 2310 bytes.
> It may not have certificates.
>
> Based on what I see above, it could also be that the card reader
> may be CCID, but can't do more than 240 bytes at a time, and is failing
> to read any object over 240 bytes. See:
> http://fips201ep.cio.gov/apl.php
>
> I see many "File not found" errors...
>
> The PIV card does not have a directory of what is present on the card.
> Normally it has 4 certificates, 4 keys, and other required objects. The
> assumption is made that they are present on the card, and only when an
> attempt is made to read the object will it not be found. This is a big
> performance improvement for the normal case.
>
> I am attaching a pivdump.sh script that can be used to dump objects from the
> card to files, that can then be processed at a later time.
>
> If you send me the CHUID, I can decode it.
>
>>
>> Thanks
>> Marc
>> _______________________________________________
>> opensc-devel mailing list
>> opensc-devel@lists.opensc-project.org
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
> --
>
> Douglas E. Engert <deeng...@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
> <pivdump.sh>
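The Security Object and Discovery Object bytes quoted in the pkcs15-tool output above can be decoded with a small BER-TLV walker, which also makes visible why Douglas suspects an unsigned card: the Security Object carries no BB (signed) element. This is an added example, not code from OpenSC or from the pivdump.sh script Douglas attached; it assumes the tag layout of NIST SP 800-73 and takes the two hex strings exactly as they appear in the thread.

```python
# Added example, not OpenSC code or Douglas's pivdump.sh: decode the two PIV data
# objects that pkcs15-tool printed in the thread. Tag meanings and PIN usage policy
# bits follow NIST SP 800-73; the hex strings are copied from the quoted output.
SECURITY_OBJECT_HEX = "53 0A BA 06 05 30 01 01 DB 00 FE 00"
DISCOVERY_OBJECT_HEX = "7E 12 4F 0B A0 00 00 03 08 00 00 10 00 01 00 5F 2F 02 40 00"

def parse_tlv(data: bytes) -> list:
    """Return [(tag_hex, value_bytes), ...] for one level of BER-TLV."""
    items, i = [], 0
    while i < len(data):
        # Two-byte tag when the low five bits of the first byte are set (e.g. 5F 2F).
        tag_len = 2 if data[i] & 0x1F == 0x1F else 1
        tag, i = data[i:i + tag_len].hex().upper(), i + tag_len
        first, i = data[i], i + 1
        if first < 0x80:                 # short-form length
            length = first
        elif first in (0x81, 0x82):      # long form: one or two length bytes
            n = first - 0x80
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        else:
            raise ValueError("unsupported length byte 0x%02X" % first)
        if i + length > len(data):       # a short read (e.g. a reader capped at 240 bytes) shows up here
            raise ValueError("truncated value for tag %s" % tag)
        items.append((tag, data[i:i + length]))
        i += length
    return items

def decode_piv_object(hexdump: str) -> dict:
    """Unwrap the outer 53 (or 7E for the Discovery Object) and map child tags to values.
    BA = DG-to-ContainerID mapping, BB = signed Security Object, FE = error detection
    code, 4F = PIV Card Application AID, 5F2F = PIN Usage Policy."""
    outer = parse_tlv(bytes.fromhex(hexdump))
    if len(outer) != 1 or outer[0][0] not in ("53", "7E"):
        raise ValueError("expected a single 53 or 7E wrapper, got %r" % outer)
    return dict(parse_tlv(outer[0][1]))

def security_object_is_signed(fields: dict) -> bool:
    """True only when the BB element (CMS signature over the data-group hashes) is present."""
    return len(fields.get("BB", b"")) > 0

def pin_usage_policy(fields: dict) -> str:
    """First byte of 5F2F: 0x40 = PIV Card Application PIN only, 0x60 = Global PIN as well."""
    return "Global and PIV Application PIN" if fields["5F2F"][0] & 0x20 else "PIV Card Application PIN only"

if __name__ == "__main__":
    so = decode_piv_object(SECURITY_OBJECT_HEX)
    print("Security Object:", {t: v.hex().upper() for t, v in so.items()}, "signed:", security_object_is_signed(so))
    do = decode_piv_object(DISCOVERY_OBJECT_HEX)
    print("PIV AID:", do["4F"].hex().upper(), "| PIN policy:", pin_usage_policy(do))
```

On the bytes from the thread the Security Object decodes to only a BA mapping and an empty FE, with no BB signature, and the Discovery Object reports the standard PIV AID with a "PIV Card Application PIN only" policy.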