Ryan Chapman | 25 Jan 06:26 2016

Unblock PUK on PIV card

Hi,

Does anyone know if there is a way to unblock a PUK on a PIV card or re-initialize the PIV applet?  

The card is a Gemalto IDPrime PIV Card v2.0 using SCP01
ATR: 3b:7d:96:00:00:80:31:80:65:b0:83:11:11:e5:83:00:90:00

I know the admin key for the card, but even when I authenticate to the card (which still works), I am unable to change the state of the PUK lockout. The PIN is also blocked, but I know how to unblock that if the PUK is unblocked (for anyone who wants to know, if your PUK is 12345 and you want to unblock the PIN and set the PIN to 1234, do: piv-tool -A M:9B:03 -s 00:2c:00:80:10:31:32:33:34:35:ff:ff:ff:31:32:33:34:ff:ff:ff:ff)

This command is used to change the PUK if the current one is known (it's 1234).  However, I'm told 0x6983, which according to ISO7816-4 means "Authentication method blocked"

$ piv-tool -A M:9B:03 -s 00:24:00:81:10:31:32:33:34:ff:ff:ff:ff:31:32:33:34:ff:ff:ff:ff
Using reader with a card: Gemalto Prox Dual USB PC Link Reader(2)
Sending: 00 24 00 81 10 31 32 33 34 FF FF FF FF 31 32 33 34 FF FF FF FF
Received (SW1=0x69, SW2=0x83)

According to the data sheet, the PUK is stored in the internal object tag 0xFF8101, but I am not sure if it is possible to write to that tag.

What got me here was that I was unable to generate a keypair on the card and thought I might be able to reset the PIV application like Yubikey NEO does it.  With their card, the PIN and PUK must be blocked, then you send "00 fb 00 00 00" and the PIV applet is reset with retry counters set at 3 again.  Not such much with Gemalto.  And I can't find anyone at Gemalto that will provide documentation, even if I am willing to pay for it.

Thought I would check here before I toss the card in the drawer and get a new one.

Thanks in advance

Ryan
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Opensc-devel mailing list
Opensc-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Douglas E Engert | 22 Jan 23:52 2016
Picon

Testing Libp11, engine and OpenSC with OpenSSL-1.1-pre2

If anyone wants to do any testing of opensc libp11 and engine with OpenSSL-1.1  the patches applied to libp11
for use with OpenSSL-1.1 are based on the tag-OpenSSL_1_1_0-pre2.
  OpenSSL developers are  continuing to update the github version which introduces new issues.  (I am trying
to follow them.)

There is still https://github.com/OpenSC/engine_pkcs11/pull/39
that adds the engine side of the patch.

$ /opt/smartcard/bin/openssl version
OpenSSL 1.1.0-pre2 (alpha) 14 Jan 2016

To test the engine with ECDH, I have been using PIV cards that have a key management cert and key.

To encrypt a message, $2 is the key management certificate of the recipient of the message.

No  card is need to send.  The sender's key is not used here because the method  cms uses only requires the
recipient's certificate.
echo "Hello World!" > /tmp/ml.txt
openssl cms -encrypt -out  /tmp/cms.encrypted.mail.msg -from deengert <at> gmail.com -to
DEEngert <at> gmail.com -aes256 -in /tmp/ml.txt $2

Then to use the recipient's card and key management key:

# write out the recipient's cert from the card.
pkcs15-tool -r 03 > /tmp/mycert.pem
myeckey="slot_01-id_03"

openssl cms -decrypt -out  /tmp/cms.decrypted.mail.msg -engine pkcs11 -inkey $myeckey -keyform e
-recip /tmp/mycert.pem -in /tmp/cms.encrypted.mail.msg

The above should work with OpenSSL-1.1.0-pre2.
Attached are two patches to tag-OpenSSL_1_1_0-pre2 to get openssl cms and openssl req to sign a message
using the engine.

https://github.com/OpenSC/engine_pkcs11/pull/39
src/engine_pkcs11.c has some code  to find the pkcs#11 module that needs to be looked at.-- Douglas E.
Engert <DEEngert <at> gmail.com>
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Opensc-devel mailing list
Opensc-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel
David Sills | 19 Jan 10:11 2016

FW: Question about OpenSC

I emailed this by mistake to the wrong address, I think.

 

From: David Sills
Sent: Monday, January 18, 2016 10:22 AM
To: 'Jaroslav Imrich'
Subject: RE: [Opensc-devel] Question about OpenSC

 

Jaroslav:

 

Thanks so much for your prompt reply. I pretty much started there. Of course, the Sun class is just a wrapper around a native provider (in my case, the OpenSC provider), so I was hoping to get some useful tips. However, perhaps there are not developers who have made this work.

 

We have a client who wants to “smart-card-enable” their application. Essentially, they want to identify the user from the smart card (not something I immediately see how to do, either from Sun or OpenSC) and find whether or not their certificate (and the question of “which certificate?” is a valid one) is valid, possibly checking whether their PIN is correctly entered. That would substitute for their logging on to the application with a username and password.

 

I know of no application that actually does this, so I am skeptical, but that is my charge for the moment.

 

Thanks for trying to help!

 

David

 

From: Jaroslav Imrich [mailto:jaroslav.imrich <at> gmail.com]
Sent: Monday, January 18, 2016 10:14 AM
To: David Sills
Cc: opensc-devel <at> lists.sourceforge.net
Subject: Re: [Opensc-devel] Question about OpenSC

 

Hello David,

seems like your primary problem is behaviour of SunPKCS11 provider so IMO you should take a look at "Java PKCS#11 Reference Guide" [0] which describes in detail how this provider operates. I remember that values of CKA_LABEL and CKA_ID attributes were very important and that SunPKCS11 provider didn't "show" private key which were not associated with the certificate.

[0] http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html


Kind Regards / S pozdravom

Jaroslav Imrich
http://www.jimrich.sk
jaroslav.imrich <at> gmail.com

 

On Mon, Jan 18, 2016 at 3:40 PM, David Sills <DSills <at> datasourceinc.com> wrote:

To whom it may concern:

 

This is apparently not a mailing list for users, but I am a (potential) user with many questions. Is there a mailing list for me?

 

I have successfully (more or less) got OpenSC working on my Windows 7 machine with a Dell Smart Card Reader Keyboard and pkcs11-tool seems to be able to detect keys (and thus certificates, I assume) on the card, but when I go through the Sun API (SunPKCS11) I get no aliases in the Keystore I generate, which makes it, of course, impossible to get at the data. (What I really want to know is, is the certificate expired?) Is this a common occurrence, and has anyone any kind of solution for it?

 

Please redirect me if I am in the wrong list. Many thanks for your work in creating OpenSC.

 

Thanks!

 

David

 


------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Opensc-devel mailing list
Opensc-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel

 

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Opensc-devel mailing list
Opensc-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Douglas E Engert | 19 Jan 03:05 2016
Picon

Status of OpenSC, libp11, engine using OpenSSL-1.1-pre2

I have OpenSC, libp11, engine-pkcs11, working with OpenSSL-1.1-pre2

This includes ECDH support in libp11, engine-pkcs11. There is still a lot of cleanup to be done to get the
ECDH  code in shape.
I was able to use the OpenSSL cms -encrypt  using the certificate for the  recipient. Then used the cms
-decrypt with the smart card of the
recipient to do a ECDH operation to get the AES key to decrypt the message.

OpenSSL is still not stable, but they have been fixing bugs.

One issue with OpenSC is that  src/common/simclist.h  does:
#   define inline           /* inline */

OpenSSL  e_os2.h does:
# if !defined(inline) && !defined(__cplusplus)

So depending on the order of header files, things work fine, or you get pages of errors
because  ossl_inline is not  not changed.

The line above should have been:
# if !defined(ossl_inline) && !defined(__cplusplus)
See: https://rt.openssl.org/Ticket/Display.html?id=4245

I hope to have the libp11 and engine changes cleaned up in the next few days.

--

-- 

  Douglas E. Engert  <DEEngert <at> gmail.com>

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
David Sills | 18 Jan 15:40 2016

Question about OpenSC

To whom it may concern:

 

This is apparently not a mailing list for users, but I am a (potential) user with many questions. Is there a mailing list for me?

 

I have successfully (more or less) got OpenSC working on my Windows 7 machine with a Dell Smart Card Reader Keyboard and pkcs11-tool seems to be able to detect keys (and thus certificates, I assume) on the card, but when I go through the Sun API (SunPKCS11) I get no aliases in the Keystore I generate, which makes it, of course, impossible to get at the data. (What I really want to know is, is the certificate expired?) Is this a common occurrence, and has anyone any kind of solution for it?

 

Please redirect me if I am in the wrong list. Many thanks for your work in creating OpenSC.

 

Thanks!

 

David

 

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Opensc-devel mailing list
Opensc-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Anders Rundgren | 14 Jan 10:41 2016
Picon

Signed JavaScript/JSON

The samples below should be comparable with respect to securing the integrity of the payload and the
signature parameters, but they obviously differ a lot in the way they get the work done.

JCS was developed to match information-rich, multi-signature schemes like
https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/SCAI#The_SCAI_line
and similar.  JCS has recently been upgraded to match ECMAScript revision 6.

JSON Cleartext Signature (JCS): https://cyberphone.github.io/openkeystore/resources/docs/jcs.html#ECMAScript_Compatibility_Mode

var signedObject = {
      // The data
      statement: "Hello signed world!",
      otherProperties: [2000, true],
      // The signature
      signature: {
          algorithm: "ES256",
          publicKey: {
              type: "EC",
              curve: "P-256",
              x: "vlYxD4dtFJOp1_8_QUcieWCW-4KrLMmFL2rpkY1bQDs",
              y: "fxEF70yJenP3SPHM9hv-EnvhG6nXr3_S-fDqoj-F6yM"
          },
          value: "2H__TkcV28QpGWPkyVbR1CW0I8L4xARrVGL0LjOeHJLOPozdzRqCTyYfmAippJXqdzgNAonnFPVCSI5A6novMQ"
      }
};

JSON Web Signature (JWS): https://tools.ietf.org/rfc/rfc7515.txt

var signedObject = {
      "payload": "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
      "protected": "eyJhbGciOiJFUzI1NiJ9",
      "signature": "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8IS lSApmWQxfKTUJqPP3-Kg6NU1Q"
};

Anders

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
Ryan Chapman | 12 Jan 23:15 2016

Oberthur PIV card

Hi,

Does anyone know of a source to obtain a Oberthur ID-One Piv on Cosmo card (preferably their newest, the Cosmo V8) or a Cosmo V8 eval kit?  Of course I'm willing to pay for it, but haven't been able to find a supplier.  My attempts to contact Oberthur directly have gone unanswered.

Best regards,
Ryan
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Opensc-devel mailing list
Opensc-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Daniel Pocock | 12 Jan 23:08 2016

Smartcard HSM built-in root CA?


Hi all,

I was looking at the specs for Smartcard HSM:

http://www.smartcard-hsm.com/features.html#devaut

and it suggests that a "Scheme Root CA maintained by CardContact issues
certificates for Device Issuer CAs, which in turn issue an unique device
certificate for each SmartCard-HSM produced."

Does this mean the card has some dependency on the manufacturer/vendor?
 Is this typical?

Regards,

Daniel

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
Daniel Pocock | 12 Jan 23:08 2016

cards that only do SHA-1


Hi,

I've got a few cards in my drawer that I'm trying to identify.

Spec sheets for some versions of these cards only mention SHA-1 while
I've come across other spec sheets that mention SHA-256, I'm not sure if
there are different versions of the same card, software updates or
something else.

The cards in question are Athena "ASECard Crypto" and the "CryptoFlex
for Windows 32k"

Can opensc tell me definitively if these cards have anything better than
SHA-1 capability?

With SHA-1 being considered insecure, is there any practical use for
cards that don't have SHA-256 built-in already?  Can they be upgraded
somehow to support newer hashes and/or adding ECC support?

Regards,

Daniel

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
Nikos Mavrogiannopoulos | 29 Dec 17:57 2015
Picon
Gravatar

libp11 and engine_pkcs11

Hi,
 I'm lately quite busy and cannot keep up with maintaining libp11 and
engine_pkcs11; for that I'd like to recommend to give the
maintainership of libp11 and engine_pkcs11 to Michal Trojnara (the
author of stunnel). He has already provided few merged (and unmerged)
patches [0], and most importantly he uses these projects and is
willing to plan and make the next releases.

regards,
Nikos

[0]. https://github.com/opensc/libp11/pulls

------------------------------------------------------------------------------
Evan Anderson | 14 Dec 13:00 2015

Nitrokey HSM - Details of DKEK/key-wrapping algorithm, or key import

I recently acquired a Nitrokey HSM for testing for one of my Customers. The 
feature-set of the SmartCard-HSM software appears to be quite good and a 
nearly perfect fit for my Customer's needs.

My Customer will be signing firmware for a series of embedded control 
devices w/ RSA keys. These devices have a planned 15-20 year lifetime in the 
field/market (embedded devices attached to very large, very expensive pieces 
of machinery with long service lifetimes). Losing access to the firmware 
signing key during the device's supported lifetime would be quite bad 
(physically recalling the devices and replacing secure SoC devices w/ public 
keys stored in on-chip fuse-protected bootloader flash).

While the built-in key backup/restore functionality in SmartCard-HSM looks 
quite good, I'm concerned that without details of the 
key-wrapping/unwrapping algorithm my Customer could find themselves, in the 
future, in a situation where SmartCard-HSM is no longer available for 
purchase. I am reticent to simply recommend assuming that the Customer 
purchase extra devices to hold in storage and hope that they will remain 
functional for 10+ years. My Customer is already accustomed to supporting 
devices in the field w/ 15+ year lifetimes, so this concern is a very real 
one to them.

Are there details of the DKEK key-wrapping/unwrapping algorithm available 
(under NDA and/or for a fee, if necessary) that would enable my Customer to 
have confidence that, even if the SmartCard-HSM product were discontinued 
and no longer available, they would be able to bring the DKEK shares and 
key-backup together to reconstruct their key to load into some new device?

As an alternative to understanding the DKEK key-wrapping/unwrapping 
algorithm, is there functionality to import an externally-generated key into 
the SmartCard-HSM product? I see a reference here 
<http://www.smartcard-hsm.com/features.html#keyimport> but I've reviewed all 
the materials I can find publicly, and on the CardContact Developer Network 
website, and I am not finding any examples or documentation showing how to 
perform this import. On this mailing list, as recently as October 2015 
(under the thread "Cannot delete imported private key from SmartCard-HSM") I 
am seeing statements that make me think that this import functionality may 
have difficulties.

Thank you,
Evan Anderson
Wellbury LLC
Troy, OH, US

------------------------------------------------------------------------------

Gmane