Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SW 6984 and 6985 when attempting to use RSA key contactless #63

Open
mistial-dev opened this issue Aug 24, 2023 · 7 comments
Open

SW 6984 and 6985 when attempting to use RSA key contactless #63

mistial-dev opened this issue Aug 24, 2023 · 7 comments
Labels
duplicate

Comments

@mistial-dev
Copy link

mistial-dev commented Aug 24, 2023
edited

I'm attempting to provision the GSA ICAM golden PIV card to OpenFIPS201. I can successfully enroll to the PIVClass Workstation software (which is generally fairly picky), but the PIVClass reader/PAM is rejecting the use of my imported contactless card authentication (9e) key.

Sniffing the transaction, I get the following:

[usb] pm3 --> hf 14a list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 1139 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        576 | Tag |0f(3)                                                                    |     | 
     120092 |     121084 | Rdr |52(7)                                                                    |     | WUPA
     125520 |     126608 | Tag |fc!                                                                      |     | 
     159776 |     160480 | Tag |1f(4)                                                                    |     | 
   28600044 |   28601036 | Rdr |52(7)                                                                    |     | WUPA
   28602288 |   28604656 | Tag |48  00                                                                   |     | 
   28611372 |   28613836 | Rdr |93  20                                                                   |     | ANTICOLL
   28615024 |   28620912 | Tag |88  04  6f  22  c1                                                       |     | 
   28628716 |   28639180 | Rdr |93  70  88  04  6f  22  c1  89  f3                                       |  ok | SELECT_UID
   28640432 |   28643952 | Tag |24  d8  36                                                               |     | 
   28651148 |   28653612 | Rdr |95  20                                                                   |     | ANTICOLL-2
   28654816 |   28660704 | Tag |b2  97  14  90  a1                                                       |     | 
   28668524 |   28679052 | Rdr |95  70  b2  97  14  90  a1  99  3b                                       |  ok | SELECT_UID-2
   28680256 |   28683840 | Tag |20  fc  70                                                               |     | 
   28691260 |   28696028 | Rdr |e0  80  31  73                                                           |  ok | RATS
   28697472 |   28711360 | Tag |0a  78  77  91  02  80  73  c8  21  10  56  4d                           |  ok | 
   28727804 |   28733660 | Rdr |d0  11  00  52  a6                                                       |  ok | PPS
   28735552 |   28739072 | Tag |d0  73  87                                                               |     | 
   30053228 |   30075276 | Rdr |0a  00  00  a4  04  00  09  a0  00  00  03  08  00  00  10  00  00  a4    |     | 
            |            |     |c8                                                                                    |  ok | 
   31136336 |   31136336 | Tag |0a  00  61  81  8f  4f  0b  a0  00  00  03  08  00  00  10  00  01  00            |     | 
            |            |     |79  07  4f  05  a0  00  00  03  08  50  0b  4f  70  65  6e  46  49  50            |     | 
            |            |     |53  32  30  31  5f  50  49  68  74  74  70  3a  2f  2f  6e  76  6c  70            |     | 
            |            |     |75  62  73  2e  6e  69  73  74  2e  67  6f  76  2f  6e  69  73  74  70            |     | 
            |            |     |75  62  73  2f  53  70  65  63  69  61  6c  50  75  62  6c  69  63  61            |     | 
            |            |     |74  69  6f  6e  73  2f  4e  49  53  54  2e  53  50  2e  38  30  30  2d            |     | 
            |            |     |37  33  2d  34  2e  70  64  66  ac  1e  80  01  00  80  01  03  80  01            |     | 
            |            |     |08  80  01  0a  80  01  0c  80  01  06  80  01  07  80  01  11  80  01            |     | 
            |            |     |14  06  01  00  90  00  d2  72                                           |  ok | 
   32720348 |   32737788 | Rdr |0b  00  00  cb  3f  ff  05  5c  03  5f  c1  02  00  25  1a               |  ok | 
   33125040 |   33125232 | Tag |01(0)                                                                    |     | 
   33141232 |   33141232 | Tag |1b  00  53  82  08  63  30  19  d1  38  10  d8  28  ab  6c  10  c3  39            |     | 
            |            |     |e5  a1  68  5a  08  c9  2a  de  0a  61  84  e7  39  c3  e7  32  04  31            |     | 
            |            |     |32  33  34  34  10  7b  13  d0  e6  1f  6e  47  8e  a0  aa  be  0f  9a            |     | 
            |            |     |d6  4a  6c  35  08  32  30  33  32  31  32  30  32  36  10  db  17  53            |     | 
            |            |     |91  47  49  4a  32  97  7d  7a  38  43  77  5e  8a  3e  82  08  0e  30            |     | 
            |            |     |82  08  0a  06  09  2a  86  48  86  f7  0d  01  07  02  a0  82  07  fb            |     | 
            |            |     |30  82  07  f7  02  01  03  31  0f  30  0d  06  09  60  86  48  01  65            |     | 
            |            |     |03  04  02  01  05  00  30  0a  06  08  60  86  48  01  65  03  06  01            |     | 
            |            |     |a0  82  05  55  30  82  05  51  30  82  03  b9  a0  03  02  01  02  02            |     | 
            |            |     |0a  58  53  cc  e2  52  18  01  41  20  10  30  0d  06  09  2a  86  48            |     | 
            |            |     |86  f7  0d  01  01  0b  05  00  30  65  31  0b  30  09  06  03  55  04            |     | 
            |            |     |06  13  02  55  53  31  00                                               |  !! | 
   33468908 |   33473676 | Rdr |aa  00  2f  4c                                                           |  ok | 
   33569696 |   33581344 | Tag |0a  00  73  31  22  30  61  ff  7e  26                                   |  ok | 
   39627196 |   39627196 | Rdr |0b  00  10  87  07  9e  f0  7c  82  01  06  82  00  81  82  01  00  00                |     | 
            |            |     |7a  0e  53  fe  2b  04  c3  df  43  72  2d  8c  27  e1  71  53  e4  8f                |     | 
            |            |     |a8  a8  ba  2c  ce  ee  b7  8a  2c  e7  fb  e4  ab  02  86  9f  71  98                |     | 
            |            |     |db  c4  bd  08  a2  1f  7e  db  29  bc  4b  e1  fe  a7  e7  de  17  67                |     | 
            |            |     |ce  29  62  4f  0b  42  16  5c  ba  c7  fd  a7  b3  17  63  7c  db  d3                |     | 
            |            |     |ed  b5  04  4a  c4  ee  0d  db  48  00  84  b8  d6  83  e5  3f  76  93                |     | 
            |            |     |bd  0f  3f  0a  63  6e  b6  61  48  69  57  3b  e0  ca  fa  96  65  6f                |     | 
            |            |     |e0  bf  9a  ee  32  39  6a  ff  0b  28  7a  4d  d1  40  1d  92  1d  ea                |     | 
            |            |     |be  57  37  00  e7  28  0e  9f  21  4e  6d  95  a8  15  4a  9e  41  b7                |     | 
            |            |     |aa  5e  15  13  b2  dc  27  39  6b  a7  a6  09  c0  e9  99  87  3a  10                |     | 
            |            |     |d0  c5  c2  4e  b4  9c  2b  06  97  be  4b  25  2b  9e  51  c8  f5  cd                |     | 
            |            |     |98  bd  de  39  cb  12  dc  d5  c8  3b  97  01  83  8b  9c  a2  8f  aa                |     | 
            |            |     |07  35  11  73  14  5a  74  da  23  16  7f  55  33  3b  90  81  4a  30                |     | 
            |            |     |d4  01  70  d4  1c  2c  7c  65  aa  09  ed  95  26  00  eb  64           |  ok | 
   40053888 |   40054144 | Tag |00(1)                                                                    |     | 
   40182496 |   40189536 | Tag |0b  00  69  85  fd  f7                                                   |  ok | 
   40742652 |   40784284 | Rdr |0a  00  00  87  07  9e  1a  fc  4e  f4  0d  45  2e  29  0a  ed  e1  e4                |     | 
            |            |     |33  67  4d  15  e2  4a  3e  e5  63  4c  49  08  99  0c  80  00  6d  d5   |  ok | 
   41143200 |   41143392 | Tag |01(0)                                                                    |     | 
   41187472 |   41194448 | Tag |0a  00  69  84  cf  fa                                                   |  ok |

I am using the attached configuration script, card objects, and keys:

configure.txt
golden_piv.txt

The objects themselves can be found here: https://github.com/GSA/gsa-icam-card-builder/tree/master/cards/ICAM_Card_Objects/01_Golden_PIV

The configuration script and card provisioning seems to succeed just fine, and some PIV software I have seems to verify. 9E should work from what I see:

print CREATE KEY - 9E - Card Authentication Key (RSA2048)
send_apdu -sc 1 -APDU 00DB3F001466128B019E8C017F8D017F8E01078F0104900110
#                     00 DB 3F 00 14 
#                        66 12
#                           8B 01 9E -- slot 9E
#                           8C 01 7F -- Contact Always
#                           8D 01 7F -- Contactless Always
#                           8E 01 07 -- Key Mechanism (RSA-2048)
#                           8F 01 04 -- Key Role = Authenticate
#                           90 01 10 -- Key Attribute = importable

This should be the private key in use:

openssl pkcs12 -in "6 - ICAM_PIV_Card_Auth_SP_800-73-4.p12" -nodes -nocerts -passin pass: | openssl rsa -inform PEM -text -noout
RSA Private-Key: (2048 bit, 2 primes)
modulus:
    00:c1:82:9e:4e:ae:15:56:82:2c:8e:6a:97:e3:bb:
    10:25:5b:5e:f2:44:96:b4:e5:56:29:bb:42:6f:38:
    10:fb:d3:25:12:73:29:90:8d:98:26:8d:7f:9b:f9:
    61:81:9d:63:8a:8d:dc:9e:14:a2:35:5b:8e:85:f7:
    e1:78:a7:a5:2b:3e:fb:71:24:5b:6a:35:4c:21:da:
    0c:de:99:6d:a3:c9:8a:65:97:91:f3:4e:e9:1a:d2:
    24:f0:b7:a7:bb:f6:f5:3b:e8:b6:09:ab:8b:dc:4f:
    a0:b4:e1:42:2b:6f:a7:4d:b1:6c:e7:d5:53:cf:a2:
    7f:8b:53:d4:f1:e7:8b:9e:10:13:2d:5d:2d:ae:f8:
    0b:c6:4a:94:0c:4f:6b:92:cf:ec:60:94:c8:a0:bf:
    61:3c:7b:57:0c:50:d7:62:2e:9d:ab:ab:1b:c5:3d:
    b6:07:ba:d4:5c:b0:3b:d0:fb:85:19:ef:0d:fa:ea:
    6d:80:df:88:6e:a0:78:9b:b6:49:9f:29:51:ee:ad:
    63:d1:18:04:13:30:b7:85:80:37:71:ff:b3:02:b0:
    a1:cc:b1:8a:71:b7:4d:08:50:a7:17:cc:32:31:08:
    10:5c:2b:22:be:91:01:63:23:b2:e2:b5:a2:d3:4e:
    6d:a7:12:9c:88:a9:3c:13:09:a8:93:2e:96:c5:c0:
    79:87
publicExponent: 65537 (0x10001)
privateExponent:
    10:74:90:0b:b6:c7:ff:bc:40:17:b8:3e:c4:51:d2:
    f4:aa:49:6f:a6:9f:7e:30:86:5c:34:1d:59:21:d6:
    67:e3:b3:a2:57:02:b0:d5:29:9c:15:aa:45:54:36:
    93:74:13:d3:e3:6e:60:4e:f6:e0:3c:b1:e8:f8:84:
    46:e3:52:ab:53:c6:c3:ff:48:7a:c6:9f:7b:bd:74:
    1c:b5:c5:5a:09:38:68:9d:33:ff:11:b5:c6:df:19:
    df:12:6f:04:0f:e3:18:be:18:44:c8:3e:b3:74:5e:
    01:23:aa:a1:d0:f3:d4:2a:83:4d:4f:99:b9:ed:62:
    95:31:82:c9:33:5c:6f:0b:5f:0a:0f:79:25:a8:27:
    81:ff:74:13:87:8b:bb:41:3f:ab:d0:ce:83:cb:26:
    2d:0a:c6:36:58:20:c7:ad:06:4b:b3:3a:d3:fb:33:
    9b:3d:f3:55:b5:2a:49:49:db:59:e7:2d:8e:e9:c8:
    d4:7b:42:e2:c1:9d:cc:53:93:80:c6:17:a2:2f:5c:
    53:a0:67:49:15:75:a2:c0:30:f6:7e:06:fa:f5:02:
    b3:a4:f6:aa:db:3b:27:b8:1a:ba:97:6f:7d:99:1d:
    c0:79:d6:a2:ed:46:d8:9b:9f:06:15:2e:79:42:88:
    9f:d9:58:d6:df:40:d0:1b:5e:1e:ac:e8:dc:f5:b8:
    59
prime1:
    00:e2:71:1e:23:c3:cc:99:a1:94:c5:48:26:e8:ff:
    c2:66:54:fb:4c:fb:f9:01:57:bf:39:b8:91:4a:cc:
    83:9d:34:0e:ea:a7:f8:4d:b5:57:45:da:6e:f1:28:
    7a:2a:c6:82:44:e5:9e:49:78:30:d7:df:6f:ef:b9:
    f4:a7:fd:34:60:f9:bd:e2:31:e6:4b:bc:89:e7:9c:
    a2:e3:1e:2d:50:2d:e5:76:15:fd:38:87:97:ea:36:
    05:27:48:f2:6e:fa:c7:a1:b8:28:2b:10:5e:1b:fc:
    7a:b6:30:6e:04:6e:f8:ed:43:b2:e9:28:e2:32:1a:
    92:b7:97:2b:26:85:45:45:f3
prime2:
    00:da:c5:0a:d8:9f:a3:31:5d:f2:ab:4d:fb:9e:6b:
    af:d1:6c:45:ba:16:b6:05:d9:c2:2a:98:dd:ad:64:
    4b:c7:3e:71:20:33:45:e2:c4:25:6c:ce:c2:d4:ac:
    a2:07:9b:4a:44:3b:97:94:3e:25:bd:01:d2:7a:8d:
    72:72:2a:38:8a:3b:4f:36:84:78:d5:29:ec:01:18:
    e0:19:44:c1:5e:3d:05:b5:66:25:ff:25:85:af:37:
    05:26:a9:21:3c:1d:01:4c:e5:88:e9:38:b2:f9:b5:
    bd:72:07:aa:37:9d:04:b4:b1:01:af:3a:d7:44:cc:
    38:5d:cd:e4:7f:bc:fc:7f:1d
exponent1:
    00:a5:71:b6:6e:b5:21:28:e2:78:bb:07:73:7e:6b:
    57:92:c2:e6:75:21:e8:95:c5:91:ae:cf:9e:40:43:
    5a:aa:22:1d:ff:ee:c7:a9:a7:23:e3:a2:ab:ca:41:
    23:b9:5b:1e:54:ce:5b:af:1c:44:bb:84:c1:d9:2a:
    49:89:ef:a3:34:73:63:fb:ff:2f:5f:08:9a:cd:81:
    91:35:55:98:0f:eb:e8:aa:35:78:b4:b3:c5:17:d7:
    6e:3e:7c:ba:bc:c1:37:d8:7d:9f:c3:8f:0a:e3:71:
    be:0a:9d:29:d4:cd:6b:cc:96:d9:02:27:df:d4:71:
    bb:de:ad:71:56:8c:aa:c7:67
exponent2:
    00:b9:eb:5b:1c:5e:0e:c2:95:a4:f6:10:80:16:52:
    4e:49:1c:4a:e5:ab:07:66:51:79:c1:d9:c8:0a:e3:
    81:c3:02:3e:01:af:91:64:f6:6d:17:db:5f:98:7e:
    5d:f5:38:f4:14:a8:d0:59:1b:b7:d6:b9:05:b7:41:
    1e:52:07:af:a5:4a:62:37:62:bd:8d:ea:e2:b6:cb:
    fd:27:7c:57:19:4f:a2:da:56:c5:53:e0:ff:8b:b8:
    a6:98:04:84:4a:22:1c:48:cd:89:5d:2a:e2:6f:75:
    14:5b:24:48:74:9a:ec:b4:e2:f9:1b:82:56:10:11:
    be:95:79:b5:07:1a:05:3b:c1
coefficient:
    77:e8:39:4a:0a:b8:b4:65:03:ec:ee:fa:91:05:57:
    c4:eb:48:68:09:17:30:17:70:30:de:b0:39:c9:0d:
    82:3e:06:8c:4b:ec:81:06:48:d7:b4:46:28:48:a1:
    55:e0:c5:7c:c1:42:b3:98:e1:59:e5:13:50:1f:0b:
    07:ea:6a:d8:30:5e:a3:b5:e3:16:0a:ff:7d:6b:b9:
    88:1f:00:38:55:b7:05:7e:37:a3:af:d1:7b:97:a5:
    85:53:00:bb:e0:93:fb:e3:ec:d5:63:b4:b0:24:02:
    2b:45:a5:cb:fc:88:54:7f:f5:be:41:14:6a:b7:fb:
    4b:02:95:68:9a:8f:30:66

Pairing with MacOS works, so that should mean that the 9A and 9D RSA keys are working over contact.
@mistial-dev
Copy link
Author

When I generate the key on card and issue a certificate based around that key, it seems to work.

@dengert
Copy link

dengert commented Aug 24, 2023

Just looking at the logs, it looks like you are creating both an RSA and EC key for the 9A and 9E keys. Does this actually create two keys for each,
or do the RSA keys get replaced by the EC keys or are the creates for the EC keys ignored.

Then the last two "47" commands create the keys and return the public key. Are they RSA or EC?

NIST PIV specs say end user can determine the type and size of a key
from the certificate SPKI field. There can only be one certificate for 9A and one for 9E.

@mistial-dev
Copy link
Author

Just looking at the logs, it looks like you are creating both an RSA and EC key for the 9A and 9E keys.

I shouldn't be. I was previously doing EC keys, but that's commented out.

# print CREATE KEY - 9A - PIV Authentication Key (ECC256)
# send_apdu -sc 1 -APDU 00DB3F001466128B019A8C01018D01008E01118F0104900110

# print CREATE KEY - 9E - Card Authentication Key (ECC256)
# send_apdu -sc 1 -APDU 00DB3F001466128B019E8C017F8D017F8E01118F0104900110

# print GENERATE ASYMMETRIC KEYPAIR (9A)
# send_apdu -sc 1 -APDU 0047009A05AC0380011100

# print GENERATE ASYMMETRIC KEYPAIR (9E)
# send_apdu -sc 1 -APDU 0047009E05AC0380011100

Then the last two "47" commands create the keys and return the public key. Are they RSA or EC?

They were EC, but they are commented out. Remnants from my issuance work, but the applet has been completely uninstalled and reinstalled since then, so there aren't any lingering EC keys defined.

@mistial-dev
Copy link
Author

mistial-dev commented Aug 24, 2023
edited

It's HID, so I'd expect the length to be correct.

The operation that's failing seems to be chained 10 87 07 9e (0x6985) and 00 87 07 9e (0x6984). These aren't in the PIV manual, but should be SW_CONDITIONS_NOT_SATISFIED followed by SW_DATA_INVALID if I'm not mistaken.

The configuration APDU is taken from the wiki, and appears to be correct. I incorrectly labeled sign as authenticate, but the value appears to be correct to me.

The APDU itself is a GENERAL AUTHENTiCATE (as expected), called with algorithm reference 07 (RSA-2048) (as expected), and a 9e key reference (as expected for contactless). The actual data, with the framing removed, seems to be:

7c 82 01 06 
   82 00 
   81 82 01 00 
      00 7a 0e 53 fe 2b 04 c3 df 43 72 2d 8c 27 e1 71 53 e4 8f a8 a8 ba 2c ce ee 
      b7 8a 2c e7 fb e4 ab 02 86 9f 71 98 db c4 bd 08 a2 1f 7e db 29 bc 4b e1 fe
      a7 e7 de 17 67 ce 29 62 4f 0b 42 16 5c ba c7 fd a7 b3 17 63 7c db d3 ed b5 
      04 4a c4 ee 0d db 48 00 84 b8 d6 83 e5 3f 76 93 bd 0f 3f 0a 63 6e b6 61 48
      69 57 3b e0 ca fa 96 65 6f e0 bf 9a ee 32 39 6a ff 0b 28 7a 4d d1 40 1d 92 
      1d ea be 57 37 00 e7 28 0e 9f 21 4e 6d 95 a8 15 4a 9e 41 b7 aa 5e 15 13 b2 
      dc 27 39 6b a7 a6 09 c0 e9 99 87 3a 10 d0 c5 c2 4e b4 9c 2b 06 97 be 4b 25
      2b 9e 51 c8 f5 cd 98 bd de 39 cb 12 dc d5 c8 3b 97 01 83 8b 9c a2 8f aa 07
      35 11 73 14 5a 74 da 23 16 7f 55 33 3b 90 81 4a 30 d4 01 70 d4 1c 2c 7c 65 
      aa 09 ed 95 26 fc 4e f4 0d 45 2e 29 0a ed e1 e4 33 67 4d 15 e2 4a 3e e5 63 
      4c 49 08 99 0c 80

Valid ASN.1, and I'm not seeing anything wrong with the APDU being sent.

@mistial-dev
Copy link
Author

Sanity checking the 9e CHANGE REFERENCE DATA ADMIN APDUs:

print Change Reference Data 9E
send_apdu -sc 1 -APDU 1024079EC83082010481820100C1829E4EAE1556822C8E6A97E3BB10255B5EF24496B4E55629BB426F3810FBD325127329908D98268D7F9BF961819D638A8DDC9E14A2355B8E85F7E178A7A52B3EFB71245B6A354C21DA0CDE996DA3C98A659791F34EE91AD224F0B7A7BBF6F53BE8B609AB8BDC4FA0B4E1422B6FA74DB16CE7D553CFA27F8B53D4F1E78B9E10132D5D2DAEF80BC64A940C4F6B92CFEC6094C8A0BF613C7B570C50D7622E9DABAB1BC53DB607BAD45CB03BD0FB8519EF0DFAEA6D80DF886EA0789BB6499F2951
send_apdu -sc 1 -APDU 0024079E40EEAD63D118041330B785803771FFB302B0A1CCB18A71B74D0850A717CC323108105C2B22BE91016323B2E2B5A2D34E6DA7129C88A93C1309A8932E96C5C07987

send_apdu -sc 1 -APDU 0024079E0730058203010001

send_apdu -sc 1 -APDU 1024079EC830820104838201001074900BB6C7FFBC4017B83EC451D2F4AA496FA69F7E30865C341D5921D667E3B3A25702B0D5299C15AA455436937413D3E36E604EF6E03CB1E8F88446E352AB53C6C3FF487AC69F7BBD741CB5C55A0938689D33FF11B5C6DF19DF126F040FE318BE1844C83EB3745E0123AAA1D0F3D42A834D4F99B9ED62953182C9335C6F0B5F0A0F7925A82781FF7413878BBB413FABD0CE83CB262D0AC6365820C7AD064BB33AD3FB339B3DF355B52A4949DB59E72D8EE9C8D47B42E2C19DCC539380C617
send_apdu -sc 1 -APDU 0024079E40A22F5C53A067491575A2C030F67E06FAF502B3A4F6AADB3B27B81ABA976F7D991DC079D6A2ED46D89B9F06152E7942889FD958D6DF40D01B5E1EACE8DCF5B859

Unchaining the APDUs gets:

3082010481820100C1829E4EAE1556822C8E6A97E3BB10255B5EF24496B4E55629BB426F3810FBD325127329908D98268D7F9BF961819D638A8DDC9E14A2355B8E85F7E178A7A52B3EFB71245B6A354C21DA0CDE996DA3C98A659791F34EE91AD224F0B7A7BBF6F53BE8B609AB8BDC4FA0B4E1422B6FA74DB16CE7D553CFA27F8B53D4F1E78B9E10132D5D2DAEF80BC64A940C4F6B92CFEC6094C8A0BF613C7B570C50D7622E9DABAB1BC53DB607BAD45CB03BD0FB8519EF0DFAEA6D80DF886EA0789BB6499F2951EEAD63D118041330B785803771FFB302B0A1CCB18A71B74D0850A717CC323108105C2B22BE91016323B2E2B5A2D34E6DA7129C88A93C1309A8932E96C5C07987

Valid ASN.1, tag 81 (rsaN - public modulus). Identical to the OpenSSL output except for a missing leading 00.

30058203010001

Valid ASN.1, tag 82 (rsaE - public exponent). Value 010001, matching OpenSSL.

30820104838201001074900BB6C7FFBC4017B83EC451D2F4AA496FA69F7E30865C341D5921D667E3B3A25702B0D5299C15AA455436937413D3E36E604EF6E03CB1E8F88446E352AB53C6C3FF487AC69F7BBD741CB5C55A0938689D33FF11B5C6DF19DF126F040FE318BE1844C83EB3745E0123AAA1D0F3D42A834D4F99B9ED62953182C9335C6F0B5F0A0F7925A82781FF7413878BBB413FABD0CE83CB262D0AC6365820C7AD064BB33AD3FB339B3DF355B52A4949DB59E72D8EE9C8D47B42E2C19DCC539380C617A22F5C53A067491575A2C030F67E06FAF502B3A4F6AADB3B27B81ABA976F7D991DC079D6A2ED46D89B9F06152E7942889FD958D6DF40D01B5E1EACE8DCF5B859

Valid ASN.1, tag 83 (rsaD - private exponent). Identical to openSSL.

Just to see if it would help, I tried with a leading zero. It gives me a length error, so that shouldn't be the format OpenFIPS201 wants.

# Change Reference Data 9E

command time: 0 ms
send_apdu -sc 1 -APDU 1024079EC9308201058182010100C1829E4EAE1556822C8E6A97E3BB10255B5EF24496B4E55629BB426F3810FBD325127329908D98268D7F9BF961819D638A8DDC9E14A2355B8E85F7E178A7A52B3EFB71245B6A354C21DA0CDE996DA3C98A659791F34EE91AD224F0B7A7BBF6F53BE8B609AB8BDC4FA0B4E1422B6FA74DB16CE7D553CFA27F8B53D4F1E78B9E10132D5D2DAEF80BC64A940C4F6B92CFEC6094C8A0BF613C7B570C50D7622E9DABAB1BC53DB607BAD45CB03BD0FB8519EF0DFAEA6D80DF886EA0789BB6499F2951
...
Unwrapped response <-- 9000
command time: 36 ms
send_apdu -sc 1 -APDU 0024079E40EEAD63D118041330B785803771FFB302B0A1CCB18A71B74D0850A717CC323108105C2B22BE91016323B2E2B5A2D34E6DA7129C88A93C1309A8932E96C5C07987
Unwrapped response <-- 6700

@mistial-dev
Copy link
Author

The card works fine on a gallagher reader, over contactless. I think this may be a duplicate of #55 .

@makinako
Copy link
Owner

Hi @mistial-dev yes this is issue #55 appearing, with the CHUID read being interrupted half-way.
Even though this is already patched in the FIPS build, I think it's worthy of a patch version, so I've created a branch for it.

I'm happy to patch it in or you can make a pull request if you want the contributor cred :) It's basically just removing ChainBuffer.java:223 (leaving resetAbort() there).

@mistial-dev mistial-dev mentioned this issue Aug 28, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dengert @makinako @mistial-dev