piv-tool CHUID

piv-tool CHUID

Florian Bruckner (3kraft)
Hi,

I am just starting to work with Gemalto PIV cards, and have made some good progress so far when it
comes to creating certificates and storing them on the card using piv-tool. I am going to use it for
a demo where I just need certificates stored on a smart card for use in client SSL with a browser
and PIV seemed to have the broadest support in the various OS.

One part where I am currently stuck and where I hope to find some helping hand on this list is
setting/generating the CHUID. I read that piv-tool can write CHUID objects, and there even is a
pointer in the man page of piv-tool to this ("Load an object on to the card. The ContainerID is as
defined in NIST 800-73-n without leading 0x. Example: CHUID object is 3000"). But it does not
elaborate further on what the input would be and in what format it would require it.

Can you point me to a sample script/code/documentation that shows how to write a CHUID using piv-tool?

Thanks and regards,

Florian

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: piv-tool CHUID

Douglas E Engert


On 12/1/2014 1:04 AM, Florian Bruckner (3kraft) wrote:

> Hi,
>
> I am just starting to work with Gemalto PIV cards, and have made some good progress so far when it
> comes to creating certificates and storing them on the card using piv-tool. I am going to use it for
> a demo where I just need certificates stored on a smart card for use in client SSL with a browser
> and PIV seemed to have the broadest support in the various OS.
>
> One part where I am currently stuck and where I hope to find some helping hand on this list is
> setting/generating the CHUID. I read that piv-tool can write CHUID objects, and there even is a
> pointer in the man page of piv-tool to this ("Load an object on to the card. The ContainerID is as
> defined in NIST 800-73-n without leading 0x. Example: CHUID object is 3000"). But it does not
> elaborate further on what the input would be and in what format it would require it.
>
> Can you point me to a sample script/code/documentation that shows how to write a CHUID using piv-tool?

See this thread:

http://opensc.1086184.n5.nabble.com/Reading-PIV-II-CHUID-amp-Printed-Information-td13916.html

I will send you by separate e-mail a program(s) to look at or create some of the objects on the card.


>
> Thanks and regards,
>
> Florian

--

  Douglas E. Engert  <[hidden email]>



Re: piv-tool CHUID

Douglas E Engert
In reply to this post by Florian Bruckner (3kraft)


On 12/1/2014 1:04 AM, Florian Bruckner (3kraft) wrote:

> Hi,
>
> I am just starting to work with Gemalto PIV cards, and have made some good progress so far when it
> comes to creating certificates and storing them on the card using piv-tool. I am going to use it for
> a demo where I just need certificates stored on a smart card for use in client SSL with a browser
> and PIV seemed to have the broadest support in the various OS.
>
> One part where I am currently stuck and where I hope to find some helping hand on this list is
> setting/generating the CHUID. I read that piv-tool can write CHUID objects, and there even is a
> pointer in the man page of piv-tool to this ("Load an object on to the card. The ContainerID is as
> defined in NIST 800-73-n without leading 0x. Example: CHUID object is 3000"). But it does not
> elaborate further on what the input would be and in what format it would require it.
>
> Can you point me to a sample script/code/documentation that shows how to write a CHUID using piv-tool?



P.S. and you would then need a command something like this, similar to the one used to write a certificate.

    piv-tool -A "$PIV_AUTH" -O 3000 -i cards/$1.chuid.der

The -O "Container ID" values are defined in NIST 800-73-3 part 1 table 1.

NIST 800-116 talks about the use of the CHUID.

https://www.idmanagement.gov/sites/default/files/documents/PACS.pdf

See section 2.1 and the use of 9999 for agency codes, i.e. non-federal issuer.

The Microsoft built-in PIV driver requires a CHUID to derive a serial number for the card,
as does OpenSC's minidriver. The CHUID does not need to be signed for this purpose.

The Yubico-piv-tool also can create a CHUID, and write it to the NEO PIV applet.

https://developers.yubico.com/yubico-piv-tool/
https://github.com/Yubico/yubico-piv-tool


>
> Thanks and regards,
>
> Florian

--

  Douglas E. Engert  <[hidden email]>
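
An added example (not part of the original posts and not OpenSC code) of building the kind of unsigned CHUID file the command above loads, using the 9999 non-federal agency code, and parsing it back as a check before writing to a card. It assumes the file given to `-i` is the complete data object, i.e. the SP 800-73 CHUID fields (FASC-N 0x30, GUID 0x34, expiration date 0x35, signature 0x3E, error detection code 0xFE) inside a 0x53 wrapper; the all-9 system and credential numbers, the expiry date and the file name are constructed values.

```python
import uuid
from functools import reduce

SS, FS, ES = 0xB, 0xD, 0xF  # FASC-N start sentinel, field separator, end sentinel

def encode_fascn(agency="9999"):
    """Pack the 40 FASC-N symbols into 25 bytes (4 data bits LSB-first + odd parity)."""
    if len(agency) != 4 or not agency.isdigit():
        raise ValueError("agency code must be 4 decimal digits")
    syms = ([SS] + [int(c) for c in agency] + [FS] + [9] * 4 + [FS] + [9] * 6
            + [FS, 0, FS, 1, FS] + [0] * 10   # constructed: series 0, issue 1, person id
            + [3] + [0] * 4 + [1, ES])        # constructed: org category, org id, POA
    lrc = reduce(lambda a, b: a ^ b, syms)    # longitudinal check over the 39 symbols
    bits = ""
    for s in syms + [lrc]:
        data = [(s >> i) & 1 for i in range(4)]
        bits += "".join(map(str, data)) + str(1 - sum(data) % 2)
    return int(bits, 2).to_bytes(25, "big")

def tlv(tag, value=b""):
    return bytes([tag, len(value)]) + value   # every length here is < 0x80 (short form)

def build_chuid(guid, expires="20300101", agency="9999"):
    """Unsigned CHUID: FASC-N, GUID, expiry, empty signature, empty error detection code."""
    if len(guid) != 16 or len(expires) != 8 or not expires.isdigit():
        raise ValueError("GUID must be 16 bytes and expiry YYYYMMDD")
    body = (tlv(0x30, encode_fascn(agency)) + tlv(0x34, guid)
            + tlv(0x35, expires.encode("ascii")) + tlv(0x3E) + tlv(0xFE))
    return tlv(0x53, body)

def parse_chuid(blob):
    """Return {tag: value} from inside the 0x53 wrapper; reject inconsistent lengths."""
    if len(blob) < 2 or blob[0] != 0x53 or blob[1] != len(blob) - 2:
        raise ValueError("not a 0x53 object with a matching length")
    fields, i = {}, 2
    while i < len(blob):
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated TLV")
        fields[blob[i]] = blob[i + 2:i + 2 + blob[i + 1]]
        i += 2 + blob[i + 1]
    return fields

def agency_code(fascn):
    bits = bin(int.from_bytes(fascn, "big"))[2:].zfill(200)  # 40 symbols x 5 bits
    return "".join(str(int(bits[i:i + 4][::-1], 2)) for i in range(5, 25, 5))

if __name__ == "__main__":
    with open("demo.chuid.der", "wb") as fh:  # hypothetical file name
        fh.write(build_chuid(uuid.uuid4().bytes))
```

The random GUID gives each demo card a distinct CHUID; the resulting file is what would be passed to `-i` in the `piv-tool -O 3000` command quoted above.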



Re: piv-tool CHUID

Florian Bruckner (3kraft)
Hi Douglas,

thanks a lot for your support - it worked very well.

regards,

Florian

On 01/12/14 14:57, Douglas E Engert wrote:

>
> On 12/1/2014 1:04 AM, Florian Bruckner (3kraft) wrote:
>> Hi,
>>
>> I am just starting to work with Gemalto PIV cards, and have made some good progress so far when it
>> comes to creating certificates and storing them on the card using piv-tool. I am going to use it for
>> a demo where I just need certificates stored on a smart card for use in client SSL with a browser
>> and PIV seemed to have the broadest support in the various OS.
>>
>> One part where I am currently stuck and where I hope to find some helping hand on this list is
>> setting/generating the CHUID. I read that piv-tool can write CHUID objects, and there even is a
>> pointer in the man page of piv-tool to this ("Load an object on to the card. The ContainerID is as
>> defined in NIST 800-73-n without leading 0x. Example: CHUID object is 3000"). But it does not
>> elaborate further on what the input would be and in what format it would require it.
>>
>> Can you point me to a sample script/code/documentation that shows how to write a CHUID using piv-tool?
>
>
> P.S. and you would then need a command something like this, similar to the one used to write a certificate.
>
>      piv-tool -A "$PIV_AUTH" -O 3000 -i cards/$1.chuid.der
>
> The -O "Container ID" values are defined in NIST 800-73-3 part 1 table 1.
>
> NIST 800-116 talks about the use of the CHUID.
>
> https://www.idmanagement.gov/sites/default/files/documents/PACS.pdf
>
> See section 2.1 and the use of 9999 for agency codes, i.e. non-federal issuer.
>
> The Microsoft built-in PIV driver requires a CHUID to derive a serial number for the card,
> as does OpenSC's minidriver. The CHUID does not need to be signed for this purpose.
>
> The Yubico-piv-tool also can create a CHUID, and write it to the NEO PIV applet.
>
> https://developers.yubico.com/yubico-piv-tool/
> https://github.com/Yubico/yubico-piv-tool
>
>
>> Thanks and regards,
>>
>> Florian

