New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SW 6984 and 6985 when attempting to use RSA key contactless #63
Comments
When I generate the key on card and issue a certificate based around that key, it seems to work. |
Just looking at the logs, it looks like you are creating both an RSA and EC key for the 9A and 9E keys. Does this actually create two keys for each, Then the last two "47" commands create the keys and return the public key. Are they RSA or EC? NIST PIV specs say end user can determine the type and size of a key |
I shouldn't be. I was previously doing EC keys, but that's commented out.
They were EC, but they are commented out. Remnants from my issuance work, but the applet has been completely uninstalled and reinstalled since then, so there aren't any lingering EC keys defined. |
It's HID, so I'd expect the length to be correct. The operation that's failing seems to be chained The configuration APDU is taken from the wiki, and appears to be correct. I incorrectly labeled sign as authenticate, but the value appears to be correct to me. The APDU itself is a GENERAL AUTHENTiCATE (as expected), called with algorithm reference 07 (RSA-2048) (as expected), and a 9e key reference (as expected for contactless). The actual data, with the framing removed, seems to be:
Valid ASN.1, and I'm not seeing anything wrong with the APDU being sent. |
Sanity checking the 9e CHANGE REFERENCE DATA ADMIN APDUs:
Unchaining the APDUs gets:
Valid ASN.1, tag 81 (rsaN - public modulus). Identical to the OpenSSL output except for a missing leading 00.
Valid ASN.1, tag 82 (rsaE - public exponent). Value
Valid ASN.1, tag 83 (rsaD - private exponent). Identical to openSSL. Just to see if it would help, I tried with a leading zero. It gives me a length error, so that shouldn't be the format OpenFIPS201 wants.
|
The card works fine on a gallagher reader, over contactless. I think this may be a duplicate of #55 . |
Hi @mistial-dev yes this is issue #55 appearing, with the CHUID read being interrupted half-way. I'm happy to patch it in or you can make a pull request if you want the contributor cred :) It's basically just removing ChainBuffer.java:223 (leaving resetAbort() there). |
I'm attempting to provision the GSA ICAM golden PIV card to OpenFIPS201. I can successfully enroll to the PIVClass Workstation software (which is generally fairly picky), but the PIVClass reader/PAM is rejecting the use of my imported contactless card authentication (9e) key.
Sniffing the transaction, I get the following:
I am using the attached configuration script, card objects, and keys:
configure.txt
golden_piv.txt
The objects themselves can be found here: https://github.com/GSA/gsa-icam-card-builder/tree/master/cards/ICAM_Card_Objects/01_Golden_PIV
The configuration script and card provisioning seems to succeed just fine, and some PIV software I have seems to verify. 9E should work from what I see:
This should be the private key in use:
Pairing with MacOS works, so that should mean that the 9A and 9D RSA keys are working over contact.
The text was updated successfully, but these errors were encountered: