Yubico Forum

Re: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Set

2014-02-20T12:45:40+01:00

Right now we don't provide an upgrade path for the applet.

Most functions should work fine with that applet version, but you're limited to the RSA-2048 algorithm.

/klas

Statistics: Posted by Klas — Thu Feb 20, 2014 12:45 pm

Re: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Set

2014-02-20T11:26:05+01:00

Yes, I have the version 0.0.3. Is there a way to upgrade it or ?

BTW, the way to change PIN/PUK with yubico-piv-tool seems slightly buggy in this version.

But anyway thanks for the help.

Statistics: Posted by guyome — Thu Feb 20, 2014 11:26 am

Re: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Set

2014-02-17T08:36:12+01:00

Hello,

You've probably got a slightly older version of the PIV applet, not supporting ECC. I didn't give the tool any knowledge about versions (yet?) to keep it simple.

If you give the tool the flag -a version it will tell you what version of the applet is running, I'm guessing on 0.0.3 for you, ecc functionality was added in 0.1.0. RSA-2048 should work fine though.

The admin key (also called management key) is used to authenticate to the card for administrative functions like generating and importing keys.

/klas

Statistics: Posted by Klas — Mon Feb 17, 2014 8:36 am

Re: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Set

2014-02-15T17:46:44+01:00

Hello,

Thank a lot for the PIV-tool. I successed to import on the yubikey a certificate from CaCert and it works smoothly with opensc/pkcs11 on ubuntu a least.

But I can't generate any key on the last ubuntu with Yubico PPA.

Code:

yubico-piv-tool -s 9a -A ECCP256 -a generate --verbose=2
parsed key: 01 02 03 04 05 06 07 08 01 02 03 04 05 06 07 08 01 02 03 04 05 06 07 08 
using reader 'Yubico Yubikey NEO OTP+CCID 00 00' matching 'Yubikey'.
> 00 a4 04 00 05 a0 00 00 03 08 
< 61 11 4f 06 00 00 10 00 01 00 79 07 4f 05 a0 00 00 03 08 90 00 
> 00 87 03 9b 04 7c 02 80 00 
< 7c 0a 80 08 de 8c d3 49 4b d6 85 cc 90 00 
> 00 87 03 9b 0c 7c 0a 80 08 63 f4 87 37 d3 a2 75 58 
< 90 00 
Successful applet authentication.
Now processing for action 1.
Going to send 5 bytes in this go.
> 00 47 00 9a 05 ac 03 80 01 11 
< 6a 80 
Failed to generate new key.

Any idea how fix that ?

Besides, what is the meaning of admin key ?

Statistics: Posted by guyome — Sat Feb 15, 2014 5:46 pm

Re: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Set

2014-02-14T05:58:25+01:00

Thanks Klas, I have updated to fix the CHUID bug.

I still need to experiment, but it sounds like I won't need the CHUID signed, I just need Windows to use the Smart Card functionality.

Statistics: Posted by air — Fri Feb 14, 2014 5:58 am

Re: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Set

2014-02-13T08:54:14+01:00

Good. I just discovered (and fixed) a bug with how the chuid is generated in the yubico-piv-tool, you might want to run newer code there.

The chuid generated by the yubico-piv-tool isn't signed, but that doesn't seem to be an issue for any system I've run into. If you need a signed chuid we get into more complex issues..

/klas

Statistics: Posted by Klas — Thu Feb 13, 2014 8:54 am

Re: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Set

2014-02-13T03:13:54+01:00

Thank you for the update. I got the default admin key from Yubico earlier via email, with some rough instructions. I managed to create a key pair on the device, with the public key extracted, to create the CSR and sign it, and load the certificate onto the card/applet. The part I wasn't sure about was generating unique CHUIDs as it seemed that the was surrounding data, and I had read that it is meant to be signed.

I have compiled the yubico-piv-tool from GitHub sources. I will experiment, with it, but it looks like it will make the process flow much easier, and it supports generating a unique CHUID, which one of the last road-blocks for me. Thanks!

Statistics: Posted by air — Thu Feb 13, 2014 3:13 am

Re: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Set

2014-02-12T08:05:46+01:00

Hello,

Sorry for a late reply here.. You've noticed some of this but I'll go over it again:
default pin: 123456
default unblock pin: 12345678
default admin key (3des key): 010203040506070801020304050607080102030405060708

We've just published a little tool that can be used to do some of the administrative tasks with the piv applet: http://opensource.yubico.com/yubico-piv-tool/

If you're using ubuntu binaries of it is available in our PPA at: https://launchpad.net/~yubico/+archive/stable binaries for windows and osX is available at the opensource.yubico.com site.

/klas

Statistics: Posted by Klas — Wed Feb 12, 2014 8:05 am

[QUESTION] Yubikey NEO with PIV Applet - How to Init/Setup?

2014-01-14T05:10:04+01:00

Hi All,

I purchased several Yubikey NEOs with the PIV applet (beta). I am not sure how to set it up or initialise it though. I am using Linux and OpenSC, although later I will be supporting other operating systems such as Windows and Mac OS X.

Code:

$ ykneomgr -a
a0000000035350
a0000005272001
a000000308
a0000005272101
d27600012401

AID a000000308 is the PIV applet, which appears to be ID-ONE by Oberthur Technologies - "Personal Identity Verification (PIV) / ID-ONE PIV BIO".

I haven't found any good documentation available on the Internet yet from Oberthur regarding the setup and initialisation.

Using OpenSC tools, such as piv-tool, pkcs15-tool, and pkcs11-tool, I can see that the certificates etc. have not yet been initialised.

Code:

$ piv-tool -n
Using reader with a card: Yubico Yubikey NEO OTP+CCID 00 00
PIV-II card

Code:

$ pcsc_scan 
PC/SC device scanner
V 1.4.21 (c) 2001-2011, Ludovic Rousseau 
Compiled with PC/SC lite version: 1.8.8
Using reader plug'n play mechanism
Scanning present readers...
0: Yubico Yubikey NEO OTP+CCID 00 00

Tue Jan 14 14:48:31 2014
Reader 0: Yubico Yubikey NEO OTP+CCID 00 00
  Card state: Card inserted, 
  ATR: 3B FA 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F A6

ATR: 3B FA 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F A6
+ TS = 3B --> Direct Convention
+ T0 = FA, Y(1): 1111, K: 10 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
+ Historical bytes: 59 75 62 69 6B 65 79 4E 45 4F
  Category indicator byte: 59 (proprietary format)
+ TCK = A6 (correct checksum)

Possibly identified card (using /home/eh/.cache/smartcard_list.txt):
3B FA 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F A6
        Yubikey NEO

Code:

$ pkcs15-tool --list-data-objects
Using reader with a card: Yubico Yubikey NEO OTP+CCID 00 00
Reading data object <0>
applicationName: Card Capability Container
Label:           Card Capability Container
applicationOID:  2.16.840.1.101.3.7.1.219.0
Path:            db00
Data object read failed: File not found
Reading data object <1>
applicationName: Card Holder Unique Identifier
Label:           Card Holder Unique Identifier
applicationOID:  2.16.840.1.101.3.7.2.48.0
Path:            3000
Data object read failed: File not found
Reading data object <2>
applicationName: Unsigned Card Holder Unique Identifier
Label:           Unsigned Card Holder Unique Identifier
applicationOID:  2.16.840.1.101.3.7.2.48.2
Path:            3010
Data object read failed: File not found
Reading data object <3>
applicationName: X.509 Certificate for PIV Authentication
Label:           X.509 Certificate for PIV Authentication
applicationOID:  2.16.840.1.101.3.7.2.1.1
Path:            0101
Data object read failed: File not found
Reading data object <4>
applicationName: Cardholder Fingerprints
Label:           Cardholder Fingerprints
applicationOID:  2.16.840.1.101.3.7.2.96.16
Path:            6010
Auth ID:         01
Reading data object <5>
applicationName: Printed Information
Label:           Printed Information
applicationOID:  2.16.840.1.101.3.7.2.48.1
Path:            3001
Auth ID:         01
Reading data object <6>
applicationName: Cardholder Facial Image
Label:           Cardholder Facial Image
applicationOID:  2.16.840.1.101.3.7.2.96.48
Path:            6030
Auth ID:         01
Reading data object <7>
applicationName: X.509 Certificate for Digital Signature
Label:           X.509 Certificate for Digital Signature
applicationOID:  2.16.840.1.101.3.7.2.1.0
Path:            0100
Data object read failed: File not found
Reading data object <8>
applicationName: X.509 Certificate for Key Management
Label:           X.509 Certificate for Key Management
applicationOID:  2.16.840.1.101.3.7.2.1.2
Path:            0102
Data object read failed: File not found
Reading data object <9>
applicationName: X.509 Certificate for Card Authentication
Label:           X.509 Certificate for Card Authentication
applicationOID:  2.16.840.1.101.3.7.2.5.0
Path:            0500
Data object read failed: File not found
Reading data object <10>
applicationName: Security Object
Label:           Security Object
applicationOID:  2.16.840.1.101.3.7.2.144.0
Path:            9000
Data object read failed: File not found
Reading data object <11>
applicationName: Discovery Object
Label:           Discovery Object
applicationOID:  2.16.840.1.101.3.7.2.96.80
Path:            6050
Data Object (20 bytes): < 7E 12 4F 0B A0 00 00 03 08 00 00 10 00 01 00 5F 2F 02 40 00 >
Reading data object <12>
applicationName: Cardholder Iris Image
Label:           Cardholder Iris Image
applicationOID:  2.16.840.1.101.3.7.2.16.21
Path:            1015
Data object read failed: File not found

Code:

$ pkcs15-tool --list-pins
Using reader with a card: Yubico Yubikey NEO OTP+CCID 00 00
PIN [PIV Card Holder pin]
        Object Flags   : [0x1], private
        ID             : 01
        Flags          : [0x22], local, needs-padding
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 128
        Type           : ascii-numeric

PIN [PIV PUK]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0xE2], local, needs-padding, unblockingPin, soPin
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 129
        Type           : ascii-numeric

Code:

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --show-info
Cryptoki version 2.20
Manufacturer     OpenSC (www.opensc-project.org)
Library          Smart card PKCS#11 API (ver 0.0)
Using slot 1 with a present token (0x1)

Code:

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): Yubico Yubikey NEO OTP+CCID 00 00
  token label:   PIV_II (PIV Card Holder pin)
  token manuf:   piv_II
  token model:   PKCS#15 emulated
  token flags:   rng, readonly, login required, PIN initialized, token initialized
  serial num  :  00000000

Code:

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-mechanisms
Using slot 1 with a present token (0x1)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  ECDSA, keySize={256,384}, hw, sign, other flags=0x1800000
  ECDSA-SHA1, keySize={256,384}, hw, sign, other flags=0x1800000
  ECDSA-KEY-PAIR-GEN, keySize={256,384}, hw, generate_key_pair, other flags=0x1800000
  RSA-X-509, keySize={1024,3072}, hw, decrypt, sign, verify
  RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
  SHA256-RSA-PKCS, keySize={1024,3072}, sign, verify
  MD5-RSA-PKCS, keySize={1024,3072}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={1024,3072}, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,3072}, generate_key_pair

Code:

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-objects
Using slot 1 with a present token (0x1)
Data object 877800048
  label:          'Card Capability Container'
  application:    'Card Capability Container'
  app_id:         2.16.840.1.101.3.7.1.219.0
  flags:          
Data object 877806224
  label:          'Card Holder Unique Identifier'
  application:    'Card Holder Unique Identifier'
  app_id:         2.16.840.1.101.3.7.2.48.0
  flags:          
Data object 877806320
  label:          'Unsigned Card Holder Unique Identifier'
  application:    'Unsigned Card Holder Unique Identifier'
  app_id:         2.16.840.1.101.3.7.2.48.2
  flags:          
Data object 877806416
  label:          'X.509 Certificate for PIV Authentication'
  application:    'X.509 Certificate for PIV Authentication'
  app_id:         2.16.840.1.101.3.7.2.1.1
  flags:          
Data object 877806800
  label:          'X.509 Certificate for Digital Signature'
  application:    'X.509 Certificate for Digital Signature'
  app_id:         2.16.840.1.101.3.7.2.1.0
  flags:          
Data object 877806896
  label:          'X.509 Certificate for Key Management'
  application:    'X.509 Certificate for Key Management'
  app_id:         2.16.840.1.101.3.7.2.1.2
  flags:          
Data object 877806992
  label:          'X.509 Certificate for Card Authentication'
  application:    'X.509 Certificate for Card Authentication'
  app_id:         2.16.840.1.101.3.7.2.5.0
  flags:          
Data object 877807088
  label:          'Security Object'
  application:    'Security Object'
  app_id:         2.16.840.1.101.3.7.2.144.0
  flags:          
Data object 877807184
  label:          'Discovery Object'
  application:    'Discovery Object'
  app_id:         2.16.840.1.101.3.7.2.96.80
  flags:          

piv-tool cannot read the serial, even as root:

Code:

# piv-tool --serial
Using reader with a card: Yubico Yubikey NEO OTP+CCID 00 00
sc_card_ctl(*, SC_CARDCTL_GET_SERIALNR, *) failed -1201

But pkcs15-tool will print the serial when dumping:

Code:

$ pkcs15-tool --dump
Using reader with a card: Yubico Yubikey NEO OTP+CCID 00 00
PKCS#15 Card [PIV_II]:
        Version        : 0
        Serial number  : 00000000
        Manufacturer ID: piv_II 
        Flags          : 

PIN [PIV Card Holder pin]
        Object Flags   : [0x1], private
        ID             : 01
        Flags          : [0x22], local, needs-padding
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 128
        Type           : ascii-numeric

PIN [PIV PUK]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0xE2], local, needs-padding, unblockingPin, soPin
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 129
        Type           : ascii-numeric

Reading data object <0>
applicationName: Card Capability Container
Label:           Card Capability Container
applicationOID:  2.16.840.1.101.3.7.1.219.0
Path:            db00
Data object read failed: File not found
Reading data object <1>
applicationName: Card Holder Unique Identifier
Label:           Card Holder Unique Identifier
applicationOID:  2.16.840.1.101.3.7.2.48.0
Path:            3000
Data object read failed: File not found
Reading data object <2>
applicationName: Unsigned Card Holder Unique Identifier
Label:           Unsigned Card Holder Unique Identifier
applicationOID:  2.16.840.1.101.3.7.2.48.2
Path:            3010
Data object read failed: File not found
Reading data object <3>
applicationName: X.509 Certificate for PIV Authentication
Label:           X.509 Certificate for PIV Authentication
applicationOID:  2.16.840.1.101.3.7.2.1.1
Path:            0101
Data object read failed: File not found
Reading data object <4>
applicationName: Cardholder Fingerprints
Label:           Cardholder Fingerprints
applicationOID:  2.16.840.1.101.3.7.2.96.16
Path:            6010
Auth ID:         01
Reading data object <5>
applicationName: Printed Information
Label:           Printed Information
applicationOID:  2.16.840.1.101.3.7.2.48.1
Path:            3001
Auth ID:         01
Reading data object <6>
applicationName: Cardholder Facial Image
Label:           Cardholder Facial Image
applicationOID:  2.16.840.1.101.3.7.2.96.48
Path:            6030
Auth ID:         01
Reading data object <7>
applicationName: X.509 Certificate for Digital Signature
Label:           X.509 Certificate for Digital Signature
applicationOID:  2.16.840.1.101.3.7.2.1.0
Path:            0100
Data object read failed: File not found
Reading data object <8>
applicationName: X.509 Certificate for Key Management
Label:           X.509 Certificate for Key Management
applicationOID:  2.16.840.1.101.3.7.2.1.2
Path:            0102
Data object read failed: File not found
Reading data object <9>
applicationName: X.509 Certificate for Card Authentication
Label:           X.509 Certificate for Card Authentication
applicationOID:  2.16.840.1.101.3.7.2.5.0
Path:            0500
Data object read failed: File not found
Reading data object <10>
applicationName: Security Object
Label:           Security Object
applicationOID:  2.16.840.1.101.3.7.2.144.0
Path:            9000
Data object read failed: File not found
Reading data object <11>
applicationName: Discovery Object
Label:           Discovery Object
applicationOID:  2.16.840.1.101.3.7.2.96.80
Path:            6050
Data Object (20 bytes): < 7E 12 4F 0B A0 00 00 03 08 00 00 10 00 01 00 5F 2F 02 40 00 >
Reading data object <12>
applicationName: Cardholder Iris Image
Label:           Cardholder Iris Image
applicationOID:  2.16.840.1.101.3.7.2.16.21
Path:            1015
Data object read failed: File not found

piv-tool has a --admin parameter that uses a PIV_EXT_AUTH_KEY environment variable that points to a file that contains the key in hexadecimal format. However I was not supplied with they key nor documentation.

Searching the forum and the Internet I found a reference to https://github.com/berkmanmd/yubikey-neo-osx however it has since been removed from GitHub. Mike Berkman if you are reading this would you mind sharing the details again, please?

There is also pki-tool in easy-rsa.

I have not tried ./pki-tool --pkcs11-init, pkcs11-tool --init-token, nor pkcs15-init, yet as I do not want to delete/erase/wreck the applet by not supplying the correct key if it is needed.

Can anyone clarify if the key is needed, or is only the PIN needed?
Some commands have prompted for a PIN, I used 123456 which worked. Same default and the OpenPGP user PIN.

Any help will be appreciated.

Thanks,
air

Statistics: Posted by air — Tue Jan 14, 2014 5:10 am