PIV card not loading certificates on Fedora 15


Marc Boorshtein-2
All,

I'm trying to get my PIV card to work on a Fedora Core 15 box running opensc:

opensc 0.12.2 [gcc  4.6.0 20110530 (Red Hat 4.6.0-9)]
Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)

I can insert the card, and authenticate to it using my pin.  I can add
the device to firefox and "login" but no certs show up.  When I run
pkcs15-tool -D -v I get the following output:

Using reader with a card: Generic CCID Reader 00 00
Connecting to card in reader Generic CCID Reader 00 00...
Using card driver PIV-II  for multiple cards.
Trying to find a PKCS#15 compatible card...
Found PIV_II!
PKCS#15 Card [PIV_II]:
        Version        : 0
        Serial number  : d42610d8210c2d5af08815836858210842108421842610d7e4
        Manufacturer ID: piv_II
        Flags          :

Card has 2 PIN code(s).

PIN [PIV Card Holder pin]
        Object Flags   : [0x1], private
        ID             : 01
        Flags          : [0x22], local, needs-padding
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 128
        Type           : ascii-numeric

PIN [PIV PUK]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0xE2], local, needs-padding, unblockingPin, soPin
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 129
        Type           : ascii-numeric

Card has 0 private key(s).

Card has 0 public key(s).

Card has 0 certificate(s).

Reading data object <0>
applicationName: Card Capability Container
Label:           Card Capability Container
applicationOID:  2.16.840.1.101.3.7.1.219.0
Path:            db00
Data Object (179 bytes): <Removed >
Reading data object <1>
applicationName: Card Holder Unique Identifier
Label:           Card Holder Unique Identifier
applicationOID:  2.16.840.1.101.3.7.2.48.0
Path:            3000
Data Object (59 bytes): < removed >
Reading data object <2>
applicationName: Unsigned Card Holder Unique Identifier
Label:           Unsigned Card Holder Unique Identifier
applicationOID:  2.16.840.1.101.3.7.2.48.2
Path:            3010
Data object read failed: File not found
Reading data object <3>
applicationName: X.509 Certificate for PIV Authentication
Label:           X.509 Certificate for PIV Authentication
applicationOID:  2.16.840.1.101.3.7.2.1.1
Path:            0101
Data object read failed: File not found
Reading data object <4>
applicationName: Cardholder Fingerprints
Label:           Cardholder Fingerprints
applicationOID:  2.16.840.1.101.3.7.2.96.16
Path:            6010
Auth ID:         01
Reading data object <5>
applicationName: Printed Information
Label:           Printed Information
applicationOID:  2.16.840.1.101.3.7.2.48.1
Path:            3001
Auth ID:         01
Reading data object <6>
applicationName: Cardholder Facial Image
Label:           Cardholder Facial Image
applicationOID:  2.16.840.1.101.3.7.2.96.48
Path:            6030
Auth ID:         01
Reading data object <7>
applicationName: X.509 Certificate for Digital Signature
Label:           X.509 Certificate for Digital Signature
applicationOID:  2.16.840.1.101.3.7.2.1.0
Path:            0100
Data object read failed: File not found
Reading data object <8>
applicationName: X.509 Certificate for Key Management
Label:           X.509 Certificate for Key Management
applicationOID:  2.16.840.1.101.3.7.2.1.2
Path:            0102
Data object read failed: File not found
Reading data object <9>
applicationName: X.509 Certificate for Card Authentication
Label:           X.509 Certificate for Card Authentication
applicationOID:  2.16.840.1.101.3.7.2.5.0
Path:            0500
Data object read failed: File not found
Reading data object <10>
applicationName: Security Object
Label:           Security Object
applicationOID:  2.16.840.1.101.3.7.2.144.0
Path:            9000
Data Object (12 bytes): < 53 0A BA 06 05 30 01 01 DB 00 FE 00 >
Reading data object <11>
applicationName: Discovery Object
Label:           Discovery Object
applicationOID:  2.16.840.1.101.3.7.2.96.80
Path:            6050
Data Object (20 bytes): < 7E 12 4F 0B A0 00 00 03 08 00 00 10 00 01 00
5F 2F 02 40 00 >
Reading data object <12>
applicationName: Cardholder Iris Image
Label:           Cardholder Iris Image
applicationOID:  2.16.840.1.101.3.7.2.16.21
Path:            1015
Data object read failed: File not found

Any thoughts as to why the certs aren't loading?  I see many "File not
found" errors...

Thanks
Marc
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: PIV card not loading certificates on Fedora 15

Douglas E. Engert


On 4/22/2012 6:38 AM, Marc Boorshtein wrote:

> Any thoughts as to why the certs aren't loading?
Where did you get the card? Has it been issued to you by some U.S. gov agency?
The CHUID is only 59 bytes, which would indicate it has not been signed, as
with a signature it would be more like 2310 bytes.
It may not have certificates.

Based on what I see above, it could also be that the card reader
may be CCID, but can't do more than 240 bytes at a time, and is failing
to read any object over 240 bytes. See:
   http://fips201ep.cio.gov/apl.php


> I see many "File not found" errors...

The PIV card does not have a directory of what is present on the card. Normally
it has 4 certificates, 4 keys, and other required objects. The assumption is
made that they are present on the card, and only when an attempt is made to
read the object will it not be found. This is a big performance improvement
for the normal case.

I am attaching a pivdump.sh script that can be used to dump objects from the card to files,
that can then be processed at a later time.

If you send me the CHUID, I can decode it.


--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


Attachment: pivdump.sh (2K)
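As an added example (not code from the thread, and not OpenSC's pivdump.sh), a small BER-TLV walker in Python that decodes the Security Object and Discovery Object bytes quoted in Marc's pkcs15-tool output and applies Douglas's CHUID test in code: a CHUID that was never signed carries no Issuer Asymmetric Signature element (tag 0x3E), which is why it comes out at tens of bytes rather than a couple of thousand. Tag names follow SP 800-73; the two CHUIDs are constructed stand-ins for the one Marc redacted.

```python
# Walk the BER-TLV layout of PIV data objects as printed by pkcs15-tool -D (tag names per SP 800-73).
TAG_NAMES = {0x53: "Data envelope", 0x7E: "Discovery Object", 0x4F: "PIV Card Application AID",
             0x5F2F: "PIN Usage Policy", 0xBA: "Mapping of DG to ContainerID", 0x30: "FASC-N",
             0x34: "GUID", 0x35: "Expiration Date", 0x3E: "Issuer Asymmetric Signature",
             0xFE: "Error Detection Code"}

def read_tag(buf, i):
    """Return (tag, next index); low 5 bits set in the first byte means more tag bytes follow."""
    tag, more, i = buf[i], buf[i] & 0x1F == 0x1F, i + 1
    while more:
        tag, more, i = (tag << 8) | buf[i], bool(buf[i] & 0x80), i + 1
    return tag, i

def read_length(buf, i):
    """BER definite length: one byte below 0x80, else 0x81/0x82 followed by 1 or 2 length bytes."""
    first, i = buf[i], i + 1
    if first < 0x80:
        return first, i
    return int.from_bytes(buf[i:i + (first & 0x7F)], "big"), i + (first & 0x7F)

def parse_tlv(buf):
    """Parse one nesting level into a list of (tag, value) pairs."""
    out, i = [], 0
    while i < len(buf):
        tag, i = read_tag(buf, i)
        length, i = read_length(buf, i)
        out.append((tag, bytes(buf[i:i + length])))
        i += length
    return out

def wrap(tag, body):
    """Encode a single-byte tag with BER length; used only to build the sample CHUIDs."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body

def describe(obj):
    """Flatten an object two levels deep into 'name = hex' lines."""
    lines = []
    for tag, body in parse_tlv(obj):
        lines.append(TAG_NAMES.get(tag, hex(tag)))
        lines += [f"  {TAG_NAMES.get(t, hex(t))} = {v.hex()}" for t, v in parse_tlv(body)]
    return lines

def chuid_is_signed(chuid):
    """Douglas's test in code: an unsigned CHUID carries no 0x3E issuer-signature element."""
    (_, body), = parse_tlv(chuid)  # strip the outer 0x53 envelope
    return any(t == 0x3E for t, _ in parse_tlv(body))

# Bytes quoted verbatim in Marc's pkcs15-tool output.
SECURITY_OBJECT = bytes.fromhex("530ABA0605300101DB00FE00")
DISCOVERY_OBJECT = bytes.fromhex("7E124F0BA0000003080000100001005F2F024000")
# Constructed CHUIDs (Marc's was redacted): an unsigned one of exactly 59 bytes, and a signed
# one whose 0x3E element is a 2000-byte zero placeholder standing in for the real CMS blob.
CHUID_FIELDS = wrap(0x30, bytes(25)) + wrap(0x34, bytes(16)) + wrap(0x35, b"20151231")
UNSIGNED_CHUID = wrap(0x53, CHUID_FIELDS + wrap(0xFE, b""))
SIGNED_CHUID = wrap(0x53, CHUID_FIELDS + wrap(0x3E, bytes(2000)) + wrap(0xFE, b""))
```

Running describe() over a real dump from pivdump.sh shows at a glance which elements each object carries, and chuid_is_signed() on the real CHUID answers Douglas's first question without sending the bytes anywhere.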

Re: PIV card not loading certificates on Fedora 15

Marc Boorshtein-2
Yes, it's a US gov agency card. I can use it to get into the building using multi-factor, so I would be shocked if it didn't have a certificate. The reader is an Omnikey 3021.

I'll run the script tonight.

Thanks
Marc

Sent from my iPhone

On Apr 23, 2012, at 10:14 AM, "Douglas E. Engert" <[hidden email]> wrote: