Getting Facial image and Biometrics off Piv Card

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Getting Facial image and Biometrics off Piv Card

Harry Anuszewski

Hello,

 

I am using openSC-java and want to pull data off a Fips 201 piv card. The things I’m interested in getting are the facial image and biometric information. Basically sending some adpu commands and getting byte arrays back. I know openSC is a very extensive library and have used the basic functions of openSC-java for a few programs. I was wondering if there was a way to use OpenSC to return the facial image and biometrics of a person? This information is saved to the card. If this is not yet possible I wouldn’t mind designing support for new features with a little help of course. Basically what files would I need to modify?

 

Thanks for any help

 

Harry


_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Getting Facial image and Biometrics off Piv Card

Jim Rees
Harry Anuszewski wrote:

  I am using openSC-java and want to pull data off a Fips 201 piv card.

Doug Engert helped me with this.  Once you have the app-id for the object
you want, you can fetch it like this:

pkcs11-tool -r -y data --login --application-id <app-id>

The app-id for the facial image is 2.16.840.1.101.3.7.2.96.48, fingerprint
is 2.16.840.1.101.3.7.2.96.16.  The others should be listed in NIST
800-73-2.
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Getting Facial image and Biometrics off Piv Card

Douglas E. Engert
In reply to this post by Harry Anuszewski


Harry Anuszewski wrote:

> Hello,
>
>  
>
> I am using openSC-java and want to pull data off a Fips 201 piv card.
> The things I’m interested in getting are the facial image and biometric
> information. Basically sending some adpu commands and getting byte
> arrays back. I know openSC is a very extensive library and have used the
> basic functions of openSC-java for a few programs. I was wondering if
> there was a way to use OpenSC to return the facial image and biometrics
> of a person?
Yes, you can use pkcs11-tool and pkcs15-tool to do this. Note to read the
fingerprints, printed info or facial image requires the user PIN.

Attached is a simple script to copy all the objects off the card
into to the current directory. The certificates are dumped in two forms,
as the object (so may also be gzipped), and in PEM  format as OpenSC can
extracting the certificate from the object.

The objects are in binary as defined in NIST 800-73-2 part 1.
which for the Facial Image just says there is a tag 0xBC length and data
of the "Image for Visual Verification" which is defined in other documents.
Decoding not cert objects is really out of scope of the OpenSC project.

I did write a test program to display the picture, and get some of the
other info from it. Send me some more e-mail on this.

> This information is saved to the card. If this is not yet
> possible I wouldn’t mind designing support for new features with a
> little help of course. Basically what files would I need to modify?

No modifications are needed...

>
>  
>
> Thanks for any help
>
>  
>
> Harry
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> opensc-devel mailing list
> [hidden email]
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

#!/bin/bash
# Dump the objects on a PIV card in the reader.
# to the current directory.
# Although pkcs15-tool -C can do this, it dumps
# to the printer.
#

export LD_LIBRARY_PATH=/opt/smartcard/lib
export PATH=/opt/smartcard/bin:$PATH
PDA="pkcs11-tool -r -y data --application-id"
PDC="pkcs15-tool -r"

$PDA 2.16.840.1.101.3.7.1.219.0 > ccc
$PDA 2.16.840.1.101.3.7.2.48.0 > chuid
$PDA 2.16.840.1.101.3.7.2.48.2 > uchuid

# X.509 Certificate for PIV Authentication
$PDA 2.16.840.1.101.3.7.2.1.1 > cert.1.object

#X.509 Certificate for Digital Signature
$PDA 2.16.840.1.101.3.7.2.1.0 > cert.2.object

#X.509 Certificate for Key Management
$PDA 2.16.840.1.101.3.7.2.1.2 > cert.3.object

#X.509 Certificate for Card Authentication
$PDA 2.16.840.1.101.3.7.2.5.0 > cert.4.object

$PDA 2.16.840.1.101.3.7.2.144.0 > security.object

$PDC 01 > cert.1.txt
$PDC 02 > cert.2.txt
$PDC 03 > cert.3.txt
$PDC 04 > cert.4.txt

# next 3 need PIN
echo Will read PIN 3 times: fingerprints printedinfo and facialimage
$PDA 2.16.840.1.101.3.7.2.96.16 --login > fingerprints
$PDA 2.16.840.1.101.3.7.2.48.1  --login > printedinfo
$PDA 2.16.840.1.101.3.7.2.96.48 --login > facialimage
 

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Getting Facial image and Biometrics off Piv Card

Harry Anuszewski
Hello,
Thanks for the information. I am glad that this has been done before. I am
working with Java in windows xp and newer.

The java program is just a standalone app. Users with a piv card will be
able to launch the app select a reader and type in the pin. From there a
window opens and it has the picture from the card and printed info then tabs
that contain the certs, and biometric information. For now I am able to get
the Certs with no problem since it is standard in OpenSC-java. I am working
on getting the fingerprints and facial image and printed info. I know I can
do this using the pkcs11-tool and a command line but is there a way to do it
inside of a java program using standard native functions?

Harry

-----Original Message-----
From: Douglas E. Engert [mailto:[hidden email]]
Sent: Monday, April 05, 2010 6:01 PM
To: Harry Anuszewski
Cc: [hidden email]
Subject: Re: [opensc-devel] Getting Facial image and Biometrics off Piv Card



Harry Anuszewski wrote:

> Hello,
>
>  
>
> I am using openSC-java and want to pull data off a Fips 201 piv card.
> The things I'm interested in getting are the facial image and biometric
> information. Basically sending some adpu commands and getting byte
> arrays back. I know openSC is a very extensive library and have used the
> basic functions of openSC-java for a few programs. I was wondering if
> there was a way to use OpenSC to return the facial image and biometrics
> of a person?

Yes, you can use pkcs11-tool and pkcs15-tool to do this. Note to read the
fingerprints, printed info or facial image requires the user PIN.

Attached is a simple script to copy all the objects off the card
into to the current directory. The certificates are dumped in two forms,
as the object (so may also be gzipped), and in PEM  format as OpenSC can
extracting the certificate from the object.

The objects are in binary as defined in NIST 800-73-2 part 1.
which for the Facial Image just says there is a tag 0xBC length and data
of the "Image for Visual Verification" which is defined in other documents.
Decoding not cert objects is really out of scope of the OpenSC project.

I did write a test program to display the picture, and get some of the
other info from it. Send me some more e-mail on this.

> This information is saved to the card. If this is not yet
> possible I wouldn't mind designing support for new features with a
> little help of course. Basically what files would I need to modify?

No modifications are needed...

>
>  
>
> Thanks for any help
>
>  
>
> Harry
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> opensc-devel mailing list
> [hidden email]
> http://www.opensc-project.org/mailman/listinfo/opensc-devel

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 9.0.800 / Virus Database: 271.1.1/2792 - Release Date: 04/05/10
14:32:00

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Getting Facial image and Biometrics off Piv Card

Douglas E. Engert


Harry Anuszewski wrote:
> Hello,
> Thanks for the information. I am glad that this has been done before. I am
> working with Java in windows xp and newer.
>
> The java program is just a standalone app. Users with a piv card will be
> able to launch the app select a reader and type in the pin. From there a
> window opens and it has the picture from the card and printed info then tabs
> that contain the certs, and biometric information. For now I am able to get
> the Certs with no problem since it is standard in OpenSC-java.

I am not much of a java programmer, and have not used the opensc-java,
but the pkcs11-tool uses the standard PKCS#11 commands to read objects.

But looking at the
opensc-java/trunk/pkcs11/java/src/org/opensc/pkcs11/wrap/PKCS11Object.java
defines CKO_CERTIFICATE, CKO_PUBLIC_KEY, CKO_PRIVATE_KEY and CKO_SECRET_KEY,
but does not define CKO_DATA. There are calls to enumRawObjects() for
CKO_CERTIFICATE, CKO_PUBLIC_KEY, CKO_PRIVATE_KEY but not for CKO_DATA.
It might not be hard to add support for data objects.

An alternative to the OpenSC-java might be:
http://java.sun.com/javase/7/docs/technotes/guides/security/p11guide.html
Does talk about how to use PKCS#11 shared library or dll, which could be the
opensc-pkcs11.dll.


> I am working
> on getting the fingerprints and facial image and printed info. I know I can
> do this using the pkcs11-tool and a command line but is there a way to do it
> inside of a java program using standard native functions?
>
> Harry
>
> -----Original Message-----
> From: Douglas E. Engert [mailto:[hidden email]]
> Sent: Monday, April 05, 2010 6:01 PM
> To: Harry Anuszewski
> Cc: [hidden email]
> Subject: Re: [opensc-devel] Getting Facial image and Biometrics off Piv Card
>
>
>
> Harry Anuszewski wrote:
>> Hello,
>>
>>  
>>
>> I am using openSC-java and want to pull data off a Fips 201 piv card.
>> The things I'm interested in getting are the facial image and biometric
>> information. Basically sending some adpu commands and getting byte
>> arrays back. I know openSC is a very extensive library and have used the
>> basic functions of openSC-java for a few programs. I was wondering if
>> there was a way to use OpenSC to return the facial image and biometrics
>> of a person?
>
> Yes, you can use pkcs11-tool and pkcs15-tool to do this. Note to read the
> fingerprints, printed info or facial image requires the user PIN.
>
> Attached is a simple script to copy all the objects off the card
> into to the current directory. The certificates are dumped in two forms,
> as the object (so may also be gzipped), and in PEM  format as OpenSC can
> extracting the certificate from the object.
>
> The objects are in binary as defined in NIST 800-73-2 part 1.
> which for the Facial Image just says there is a tag 0xBC length and data
> of the "Image for Visual Verification" which is defined in other documents.
> Decoding not cert objects is really out of scope of the OpenSC project.
>
> I did write a test program to display the picture, and get some of the
> other info from it. Send me some more e-mail on this.
>
>> This information is saved to the card. If this is not yet
>> possible I wouldn't mind designing support for new features with a
>> little help of course. Basically what files would I need to modify?
>
> No modifications are needed...
>
>>  
>>
>> Thanks for any help
>>
>>  
>>
>> Harry
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> opensc-devel mailing list
>> [hidden email]
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel