PIV Select APT issues


PIV Select APT issues

William Roberts
In the NIST PIV Spec
(http://csrc.nist.gov/publications/nistpubs/800-73-3/sp800-73-3_PART2_piv-card-applic-card-common-interface.pdf)

We see that on a select we should return the Application Property
Template. Looking at the reference implementation in files
PIV_Card_Application.h we see:

static Octet PIVCardApplicationProperties [ ] = {
    APT_TEMPLATE, 0x6C,
                  APT_AID, 0x0B, 0xA0, 0x00, 0x00, 0x03, 0x08, 0x00, 0x00, 0x10, 0x00, 0x01, 0x00,
                  APT_TAG_AUTHORITY, 0x07, APT_TAG_AID, 0x05, 0xA0, 0x00, 0x00, 0x03, 0x08,
                  APT_APPLICATION_LABEL, 0x14,
                                 'P','I','V',' ','C','a','r','d',' ','A','p','p','l','i','c','a','t','i','o','n',
                  APT_URL, 0x3D,
                                 'c','s','r','c','.','n','i','s','t','.','g','o','v','/',
                                 'p','u','b','l','i','c','a','t','i','o','n','s','/',
                                 'n','i','s','t','p','u','b','s','/','8','0','0','-','7','3','/',
                                 'S','P','8','0','0','-','7','3','-','F','i','n','a','l','.','p','d','f'};

And the defines for the relevant bits from tags.h
//
// Application Property Template
//
#define APT_TEMPLATE                0x61
#define APT_AID                     0x4F
#define APT_TAG_AUTHORITY           0x79
#define APT_APPLICATION_LABEL       0x50
#define APT_URL                     0x5F,0x50
#define APT_TAG_AID                 0x4F

I generated an APT off of this information that excludes the URL and I
am returning bytes:
616C4F0BA00000030800001000010079074F05A00000030850145049562043617264204170706C69636174696F6E9000

Windows handles this well, and I sniffed some PIV cards and some just
return 9000 (open sc seems to be ok with these as well)

However, when trying my card I get:
piv-tool -c piv -n
Using reader with a card: ACS ACR122U PICC Interface 00 00
Failed to connect to card: Card does not support the requested operation

Any ideas (I am getting the select and returning the bytes)?

Is this command tied to the attrs of the card?

--
Respectfully,

William C Roberts

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: PIV Select APT issues

William Roberts
On Mon, Jun 30, 2014 at 5:19 PM, William Roberts
<[hidden email]> wrote:

> In the NIST PIV Spec
> (http://csrc.nist.gov/publications/nistpubs/800-73-3/sp800-73-3_PART2_piv-card-applic-card-common-interface.pdf)
>
> We see that on a select we should return the Application Property
> Template. Looking at the reference implementation in files
> PIV_Card_Application.h we see:
>
> static Octet PIVCardApplicationProperties [ ] = {
>     APT_TEMPLATE, 0x6C,
>                   APT_AID, 0x0B, 0xA0, 0x00, 0x00, 0x03, 0x08, 0x00, 0x00, 0x10, 0x00, 0x01, 0x00,
>                   APT_TAG_AUTHORITY, 0x07, APT_TAG_AID, 0x05, 0xA0, 0x00, 0x00, 0x03, 0x08,
>                   APT_APPLICATION_LABEL, 0x14,
>                                  'P','I','V',' ','C','a','r','d',' ','A','p','p','l','i','c','a','t','i','o','n',
>                   APT_URL, 0x3D,
>                                  'c','s','r','c','.','n','i','s','t','.','g','o','v','/',
>                                  'p','u','b','l','i','c','a','t','i','o','n','s','/',
>                                  'n','i','s','t','p','u','b','s','/','8','0','0','-','7','3','/',
>                                  'S','P','8','0','0','-','7','3','-','F','i','n','a','l','.','p','d','f'};
>
> And the defines for the relevant bits from tags.h
> //
> // Application Property Template
> //
> #define APT_TEMPLATE                0x61
> #define APT_AID                     0x4F
> #define APT_TAG_AUTHORITY           0x79
> #define APT_APPLICATION_LABEL       0x50
> #define APT_URL                     0x5F,0x50
> #define APT_TAG_AID                 0x4F
>
> I generated an APT off of this information that excludes the URL and I
> am returning bytes:
> 616C4F0BA00000030800001000010079074F05A00000030850145049562043617264204170706C69636174696F6E9000
>
> Windows handles this well, and I sniffed some PIV cards and some just
> return 9000 (open sc seems to be ok with these as well)
>
> However, when trying my card I get:
> piv-tool -c piv -n
> Using reader with a card: ACS ACR122U PICC Interface 00 00
> Failed to connect to card: Card does not support the requested operation
>
> Any ideas (I am getting the select and returning the bytes)?
>
> Is this command tied to the attrs of the card?


Sorry for the noise, I finally found it, it was malformed APT... This
byte string works:
61274F0BA000000308000010000100790D4F0BA000000308000010000100500942696C6C204E6973749000



--
Respectfully,

William C Roberts
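
The difference between the two byte strings posted above can be checked with a strict BER-TLV walk: the first keeps the reference template's outer length 0x6C although the URL element was left out, while the second declares 0x27, which matches its content. This is an added example, not code from the thread or from OpenSC; the function names are made up for illustration and the two constants are the byte strings quoted in the posts.

```python
# Added example, not from the thread: strict BER-TLV check of a SELECT response.
MALFORMED = "616C4F0BA00000030800001000010079074F05A00000030850145049562043617264204170706C69636174696F6E9000"  # first post
WORKING = "61274F0BA000000308000010000100790D4F0BA000000308000010000100500942696C6C204E6973749000"  # follow-up post

class TLVError(ValueError):
    pass

def parse_tlv(buf, pos=0, end=None):
    """Return [(tag, value)] for buf[pos:end]; constructed values are lists."""
    end = len(buf) if end is None else end
    out = []
    while pos < end:
        first = tag = buf[pos]
        pos += 1
        if first & 0x1F == 0x1F:              # multi-byte tag such as 5F50
            while True:
                if pos >= end:
                    raise TLVError("truncated tag")
                tag = (tag << 8) | buf[pos]
                pos += 1
                if not tag & 0x80:            # last tag byte has bit 8 clear
                    break
        if pos >= end:
            raise TLVError(f"tag {tag:X}: missing length")
        length = buf[pos]
        pos += 1
        if length & 0x80:                     # long form: 81 nn, 82 nn nn
            n = length & 0x7F
            if n == 0 or pos + n > end:
                raise TLVError(f"tag {tag:X}: bad long-form length")
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if length > end - pos:                # declared length overruns the data
            raise TLVError(f"tag {tag:X}: length {length} exceeds {end - pos} bytes left")
        if first & 0x20:                      # constructed: recurse into the value
            out.append((tag, parse_tlv(buf, pos, pos + length)))
        else:
            out.append((tag, bytes(buf[pos:pos + length])))
        pos += length
    return out

def check_select_response(hex_str):
    """Split off SW1 SW2, require 9000, then parse the data field strictly."""
    raw = bytes.fromhex(hex_str)
    if raw[-2:] != b"\x90\x00":
        raise TLVError("status word is not 9000")
    return parse_tlv(raw[:-2])
```

A bare `9000` response, as returned by some of the sniffed cards, parses to an empty list.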


Re: PIV Select APT issues

Douglas E Engert
In reply to this post by William Roberts


On 6/30/2014 7:19 PM, William Roberts wrote:
> In the NIST PIV Spec
> (http://csrc.nist.gov/publications/nistpubs/800-73-3/sp800-73-3_PART2_piv-card-applic-card-common-interface.pdf)
>
> We see that on a select we should return the Application Property
> Template.

Where does it say that?

> Looking at the reference implementation in files
> PIV_Card_Application.h we see:


Section 3.1.1 from above says:
The PIV Card Application shall be selected by providing its application identifier (see Part 1, Section 2.2)

http://csrc.nist.gov/publications/nistpubs/800-73-3/sp800-73-3_PART1_piv-card-applic-namespace-date-model-rep.pdf

Section 2.2 says to return 'A0 00 00 03 08   00 00 10 00   01 00'

Only the APT_AID is actually read.

>
> static Octet PIVCardApplicationProperties [ ] = {
>      APT_TEMPLATE, 0x6C,
>                    APT_AID, 0x0B, 0xA0, 0x00, 0x00, 0x03, 0x08, 0x00, 0x00, 0x10, 0x00, 0x01, 0x00,
>                    APT_TAG_AUTHORITY, 0x07, APT_TAG_AID, 0x05, 0xA0, 0x00, 0x00, 0x03, 0x08,
>                    APT_APPLICATION_LABEL, 0x14,
>                                   'P','I','V',' ','C','a','r','d',' ','A','p','p','l','i','c','a','t','i','o','n',
>                    APT_URL, 0x3D,
>                                   'c','s','r','c','.','n','i','s','t','.','g','o','v','/',
>                                   'p','u','b','l','i','c','a','t','i','o','n','s','/',
>                                   'n','i','s','t','p','u','b','s','/','8','0','0','-','7','3','/',
>                                   'S','P','8','0','0','-','7','3','-','F','i','n','a','l','.','p','d','f'};
>
> And the defines for the relevant bits from tags.h
> //
> // Application Property Template
> //
> #define APT_TEMPLATE                0x61
> #define APT_AID                     0x4F
> #define APT_TAG_AUTHORITY           0x79
> #define APT_APPLICATION_LABEL       0x50
> #define APT_URL                     0x5F,0x50
> #define APT_TAG_AID                 0x4F
>
> I generated an APT off of this information that excludes the URL and I
> am returning bytes:
> 616C4F0BA00000030800001000010079074F05A00000030850145049562043617264204170706C69636174696F6E9000
>
> Windows handles this well, and I sniffed some PIV cards and some just
> return 9000 (open sc seems to be ok with these as well)
>
> However, when trying my card I get:
> piv-tool -c piv -n

You should not need to specify the -c piv

> Using reader with a card: ACS ACR122U PICC Interface 00 00
> Failed to connect to card: Card does not support the requested operation
>
> Any ideas (I am getting the select and returning the bytes)?

A debugging trace would verify helpful.
See the opensc.conf  something like:

  debug = 9; debug_file = /tmp/opensc.debug.txt;

>
> Is this command tied to the attrs of the card?
>


I saw your follow-up note. Good to see you got it to work.



--

  Douglas E. Engert  <[hidden email]>

