Replies: 10 comments 31 replies
-
To kick this discussion off, here is a copy of the NIST bulk pre-perso script. Bulk commands don't yet have good examples on the wiki and these will eventually go there, but for now here they are.
PUT DATA - CONFIGURATION
PUT DATA - BULK ADD DATA OBJECTS
PUT DATA - BULK ADD DATA OBJECTS
PUT DATA - BULK ADD KEYS
PUT DATA - BULK ADD KEYS
PUT DATA - BULK ADD KEYS
PUT DATA - BULK ADD KEYS
|
Beta Was this translation helpful? Give feedback.
-
Can we have an example of generating a key pair using global platform. I end up just getting a 6A80 every time. |
Beta Was this translation helpful? Give feedback.
-
The NIST Standards for PIV, NIST 800-73-4 But they did leave two commands in: "Part 2: 3.3 PIV Card Application Card Commands for Credential Initialization and Administration" PUT_DATA and GENERATE ASYMMETRIC KEY PAIR. The also left "Appendix A—Examples of the Use of the GENERAL AUTHENTICATE Command" But some vendors implement this, but others may not. Note: NIST do not define how to load a private key on to card - only how to generate a key pair on the card. This made it possible in the early days to do some testing using PUT_DATA and GENERATE ASYMMETRIC KEY PAIR and GENERAL AUTHENTICATE. Yubico and others, like makinako can chose how to do card administration. |
Beta Was this translation helpful? Give feedback.
-
They don't give a example of key generation but do have: You can also look at OpenSC https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-piv.c#L2689-L2801 which is indirectly called from https://github.com/OpenSC/OpenSC/blob/master/src/tools/piv-tool.c#L284-L547 You will note that at one time RSA 1024 and RSA 3072 where in earlier 800-73 versions but not in 800-73-4. RSA 3072 might be back in the next version of 800-73. |
Beta Was this translation helpful? Give feedback.
-
NIST 800-73-4 defines the optional Secure Messaging "Part 1 - 5.4 Secure Messaging 800-73-4 "Part 2 - 4.1 The Key Establishment Protocol OpenSC 0.24.0 can be built with configuration option If you have such a card or makinako was to implement PIV SM, You could use "python pkcs11" with OpenSC PKCS11 with SM to the device. The use of Global Platform SM used by makinako (and some other vendors) is not part of the PIV standards and as noted above shall not be used for "non-card-management operations". @makinako are you interested in adding PIV SM? |
Beta Was this translation helpful? Give feedback.
-
What do you get if you run OpenSC I am not familiar with the card initialization process used above. But it looks like all that does is define the possible keys and objects that can be written to the card, it does not look like it generates any keys. NIST 800-73 -* does not actually store the public key on the card but rather if there is a certificate with the SubjectPublicKeyInfo any middleware can read the certificate, extract the SPKI and determine the key type RSA/EC and key size. If you used the Yubikey piv-tool when you generate a key, it also writes a dummy certificate with the pubkey in the SPKI to the card.
6A80 is SC_ERROR_INCORRECT_PARAMETERS The That APDU looks correct when done without GlobalPlatform, I don't know if it will work with GP. |
Beta Was this translation helpful? Give feedback.
-
How did you do it? The PIV middleware can only find a key if there is a certificate on the card with the matching public key. The OpenSC piv-tool will save the public key as a disk file as returned by the generate key. This is the only time the public key is returned from the card. As I said earlier Yubico " 800-73-4 - Part 1 - C.1 PIV Algorithm Identifier Discovery for Asymmetric Cryptographic Authentication" Both OpenSC and Yubico need to read the certificate to find the key type "and Step 1: Algorithm Type Discovery:" and key size or curve "Step 2: Key Size Discovery:" OpenSC pkcs15-piv.c |
Beta Was this translation helpful? Give feedback.
-
Lets take a step back. What are you really trying to do here? Are you doing this for yourself or are you trying to develop a card management system for your employer? I see you have forked https://github.com/scj643/yubikey-openssl-ca Have you got anywhere with it? You said you where interested in using python. You said you where trying to use Secure Messaging, is that a real requirement? Myself: I have not been interested in card management as we would be using gov issued cards. I only need to develop Since then there are multiple PIV card vendors, and multiple card vendors with "PIV-like" applets preinstalled on their cards designed to let an end user create certificates and keys. Yubico is one of these. Before I retired, we were required to use gov issued PIV cards which is also their ID badge and I did develop a simple CMS used to issue temporary PIV cards for new users waiting to receive their official gov issued cards, if their card broke or they left it at home! PIV can be used (or is required in some cases) for login to AD, Linux or Shibboleth https://www.shibboleth.net/ I am now retired, but still contribute to OpenSC. I added the 800-73-4 Secure Messaging to OpenSC as it is designed to be used over NFC connections. Idemia was kind enough to give me some demo cards that support PIV SM. I am not interested in python, writing card management systems or using GP or GP SM. OpenSC does have a test script that uses another PIV applet loaded into Java, and uaes Yubico piv-tool to generate keys to run tests on the OpenSC PIV card driver: https://github.com/OpenSC/OpenSC/blob/master/.github/test-piv.sh this might be helpful. |
Beta Was this translation helpful? Give feedback.
-
From my phone.
Can you print out the file in hex.
…On Tue, Feb 6, 2024, 9:34 AM Chloe Surett ***@***.***> wrote:
Yes I'm aware of that. The part that I'm stuck on is I have the key on the
card (using OpenFIPS201) in slot 9a and have the public key. I just can't
seem to get OpenSSL to find the private key on the card.
—
Reply to this email directly, view it on GitHub
<#52 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGTIMPFWZ4TKAI3Y4BRZUDYSJERBAVCNFSM6AAAAAAQFAXMI6VHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4DGOBUGIYDI>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
Can you send me a copy of the pen file
…On Tue, Feb 6, 2024, 10:29 AM Chloe Surett ***@***.***> wrote:
The file I have is the pen encoded public key that is secp256r1
—
Reply to this email directly, view it on GitHub
<#52 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGTIMN3JWXG6OHLEX7RENTYSJK5VAVCNFSM6AAAAAAQFAXMI6VHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4DGOBUHAZDK>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
This is the place to discuss all things administrative, including general issuance, pre-perso, perso, data population, key management, etc etc.
Beta Was this translation helpful? Give feedback.
All reactions