Yubico Forum https://forum.yubico.com/

[QUESTION] Yubikey NEO with PIV Applet - How to Init/Setup? https://forum.yubico.com/viewtopic.php?f=26&t=1286
Page 1 of 1
Author: air [ Tue Jan 14, 2014 5:10 am ]
Post subject: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Setup?

Hi All,

I purchased several Yubikey NEOs with the PIV applet (beta). I am not sure how to set it up or initialise it though. I am using Linux and OpenSC, although later I will be supporting other operating systems such as Windows and Mac OS X.

Code:
    $ ykneomgr -a
    0: a0000000035350
    1: a0000005272001
    2: a000000308
    3: a0000005272101
    4: d27600012401

AID a000000308 is the PIV applet, which appears to be ID-ONE by Oberthur Technologies - "Personal Identity Verification (PIV) / ID-ONE PIV BIO". I haven't found any good documentation available on the Internet yet from Oberthur regarding the setup and initialisation.

Using OpenSC tools, such as piv-tool, pkcs15-tool, and pkcs11-tool, I can see that the certificates etc. have not yet been initialised.

Code:
    $ piv-tool -n
    Using reader with a card: Yubico Yubikey NEO OTP+CCID 00 00
    PIV-II card

Code:
    $ pcsc_scan
    PC/SC device scanner
    V 1.4.21 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
    Compiled with PC/SC lite version: 1.8.8
    Using reader plug'n play mechanism
    Scanning present readers...
    0: Yubico Yubikey NEO OTP+CCID 00 00

    Tue Jan 14 14:48:31 2014
    Reader 0: Yubico Yubikey NEO OTP+CCID 00 00
      Card state: Card inserted,
      ATR: 3B FA 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F A6

    ATR: 3B FA 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F A6
    + TS = 3B --> Direct Convention
    + T0 = FA, Y(1): 1111, K: 10 (historical bytes)
      TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
        43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
      TB(1) = 00 --> VPP is not electrically connected
      TC(1) = 00 --> Extra guard time: 0
      TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
    -----
      TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
    -----
      TA(3) = FE --> IFSC: 254
      TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
    + Historical bytes: 59 75 62 69 6B 65 79 4E 45 4F
      Category indicator byte: 59 (proprietary format)
    + TCK = A6 (correct checksum)

    Possibly identified card (using /home/eh/.cache/smartcard_list.txt):
    3B FA 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F A6
            Yubikey NEO

Code:
    $ pkcs15-tool --list-data-objects
    Using reader with a card: Yubico Yubikey NEO OTP+CCID 00 00
    Reading data object <0>
    applicationName: Card Capability Container
    Label:           Card Capability Container
    applicationOID:  2.16.840.1.101.3.7.1.219.0
    Path:            db00
    Data object read failed: File not found
    Reading data object <1>
    applicationName: Card Holder Unique Identifier
    Label:           Card Holder Unique Identifier
    applicationOID:  2.16.840.1.101.3.7.2.48.0
    Path:            3000
    Data object read failed: File not found
    Reading data object <2>
    applicationName: Unsigned Card Holder Unique Identifier
    Label:           Unsigned Card Holder Unique Identifier
    applicationOID:  2.16.840.1.101.3.7.2.48.2
    Path:            3010
    Data object read failed: File not found
    Reading data object <3>
    applicationName: X.509 Certificate for PIV Authentication
    Label:           X.509 Certificate for PIV Authentication
    applicationOID:  2.16.840.1.101.3.7.2.1.1
    Path:            0101
    Data object read failed: File not found
    Reading data object <4>
    applicationName: Cardholder Fingerprints
    Label:           Cardholder Fingerprints
    applicationOID:  2.16.840.1.101.3.7.2.96.16
    Path:            6010
    Auth ID:         01
    Reading data object <5>
    applicationName: Printed Information
    Label:           Printed Information
    applicationOID:  2.16.840.1.101.3.7.2.48.1
    Path:            3001
    Auth ID:         01
    Reading data object <6>
    applicationName: Cardholder Facial Image
    Label:           Cardholder Facial Image
    applicationOID:  2.16.840.1.101.3.7.2.96.48
    Path:            6030
    Auth ID:         01
    Reading data object <7>
    applicationName: X.509 Certificate for Digital Signature
    Label:           X.509 Certificate for Digital Signature
    applicationOID:  2.16.840.1.101.3.7.2.1.0
    Path:            0100
    Data object read failed: File not found
    Reading data object <8>
    applicationName: X.509 Certificate for Key Management
    Label:           X.509 Certificate for Key Management
    applicationOID:  2.16.840.1.101.3.7.2.1.2
    Path:            0102
    Data object read failed: File not found
    Reading data object <9>
    applicationName: X.509 Certificate for Card Authentication
    Label:           X.509 Certificate for Card Authentication
    applicationOID:  2.16.840.1.101.3.7.2.5.0
    Path:            0500
    Data object read failed: File not found
    Reading data object <10>
    applicationName: Security Object
    Label:           Security Object
    applicationOID:  2.16.840.1.101.3.7.2.144.0
    Path:            9000
    Data object read failed: File not found
    Reading data object <11>
    applicationName: Discovery Object
    Label:           Discovery Object
    applicationOID:  2.16.840.1.101.3.7.2.96.80
    Path:            6050
    Data Object (20 bytes): < 7E 12 4F 0B A0 00 00 03 08 00 00 10 00 01 00 5F 2F 02 40 00 >
    Reading data object <12>
    applicationName: Cardholder Iris Image
    Label:           Cardholder Iris Image
    applicationOID:  2.16.840.1.101.3.7.2.16.21
    Path:            1015
    Data object read failed: File not found

Code:
    $ pkcs15-tool --list-pins
    Using reader with a card: Yubico Yubikey NEO OTP+CCID 00 00
    PIN [PIV Card Holder pin]
        Object Flags   : [0x1], private
        ID             : 01
        Flags          : [0x22], local, needs-padding
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 128
        Type           : ascii-numeric
    PIN [PIV PUK]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0xE2], local, needs-padding, unblockingPin, soPin
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 129
        Type           : ascii-numeric

Code:
    $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --show-info
    Cryptoki version   2.20
    Manufacturer       OpenSC (www.opensc-project.org)
    Library            Smart card PKCS#11 API (ver 0.0)
    Using slot 1 with a present token (0x1)

Code:
    $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots
    Available slots:
    Slot 0 (0xffffffffffffffff): Virtual hotplug slot (empty)
    Slot 1 (0x1): Yubico Yubikey NEO OTP+CCID 00 00
      token label:   PIV_II (PIV Card Holder pin)
      token manuf:   piv_II
      token model:   PKCS#15 emulated
      token flags:   rng, readonly, login required, PIN initialized, token initialized
      serial num  :  00000000

Code:
    $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-mechanisms
    Using slot 1 with a present token (0x1)
    Supported mechanisms:
      SHA-1, digest
      SHA256, digest
      SHA384, digest
      SHA512, digest
      MD5, digest
      RIPEMD160, digest
      GOSTR3411, digest
      ECDSA, keySize={256,384}, hw, sign, other flags=0x1800000
      ECDSA-SHA1, keySize={256,384}, hw, sign, other flags=0x1800000
      ECDSA-KEY-PAIR-GEN, keySize={256,384}, hw, generate_key_pair, other flags=0x1800000
      RSA-X-509, keySize={1024,3072}, hw, decrypt, sign, verify
      RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
      SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
      SHA256-RSA-PKCS, keySize={1024,3072}, sign, verify
      MD5-RSA-PKCS, keySize={1024,3072}, sign, verify
      RIPEMD160-RSA-PKCS, keySize={1024,3072}, sign, verify
      RSA-PKCS-KEY-PAIR-GEN, keySize={1024,3072}, generate_key_pair

Code:
    $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-objects
    Using slot 1 with a present token (0x1)
    Data object 877800048
      label:          'Card Capability Container'
      application:    'Card Capability Container'
      app_id:         2.16.840.1.101.3.7.1.219.0
      flags:
    Data object 877806224
      label:          'Card Holder Unique Identifier'
      application:    'Card Holder Unique Identifier'
      app_id:         2.16.840.1.101.3.7.2.48.0
      flags:
    Data object 877806320
      label:          'Unsigned Card Holder Unique Identifier'
      application:    'Unsigned Card Holder Unique Identifier'
      app_id:         2.16.840.1.101.3.7.2.48.2
      flags:
    Data object 877806416
      label:          'X.509 Certificate for PIV Authentication'
      application:    'X.509 Certificate for PIV Authentication'
      app_id:         2.16.840.1.101.3.7.2.1.1
      flags:
    Data object 877806800
      label:          'X.509 Certificate for Digital Signature'
      application:    'X.509 Certificate for Digital Signature'
      app_id:         2.16.840.1.101.3.7.2.1.0
      flags:
    Data object 877806896
      label:          'X.509 Certificate for Key Management'
      application:    'X.509 Certificate for Key Management'
      app_id:         2.16.840.1.101.3.7.2.1.2
      flags:
    Data object 877806992
      label:          'X.509 Certificate for Card Authentication'
      application:    'X.509 Certificate for Card Authentication'
      app_id:         2.16.840.1.101.3.7.2.5.0
      flags:
    Data object 877807088
      label:          'Security Object'
      application:    'Security Object'
      app_id:         2.16.840.1.101.3.7.2.144.0
      flags:
    Data object 877807184
      label:          'Discovery Object'
      application:    'Discovery Object'
      app_id:         2.16.840.1.101.3.7.2.96.80
      flags:

piv-tool cannot read the serial, even as root:

Code:
    # piv-tool --serial
    Using reader with a card: Yubico Yubikey NEO OTP+CCID 00 00
    sc_card_ctl(*, SC_CARDCTL_GET_SERIALNR, *) failed -1201

But pkcs15-tool will print the serial when dumping:

Code:
    $ pkcs15-tool --dump
    Using reader with a card: Yubico Yubikey NEO OTP+CCID 00 00
    PKCS#15 Card [PIV_II]:
        Version        : 0
        Serial number  : 00000000
        Manufacturer ID: piv_II
        Flags          :

    PIN [PIV Card Holder pin]
        Object Flags   : [0x1], private
        ID             : 01
        Flags          : [0x22], local, needs-padding
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 128
        Type           : ascii-numeric
    PIN [PIV PUK]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0xE2], local, needs-padding, unblockingPin, soPin
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 129
        Type           : ascii-numeric
    Reading data object <0>
    applicationName: Card Capability Container
    Label:           Card Capability Container
    applicationOID:  2.16.840.1.101.3.7.1.219.0
    Path:            db00
    Data object read failed: File not found
    Reading data object <1>
    applicationName: Card Holder Unique Identifier
    Label:           Card Holder Unique Identifier
    applicationOID:  2.16.840.1.101.3.7.2.48.0
    Path:            3000
    Data object read failed: File not found
    Reading data object <2>
    applicationName: Unsigned Card Holder Unique Identifier
    Label:           Unsigned Card Holder Unique Identifier
    applicationOID:  2.16.840.1.101.3.7.2.48.2
    Path:            3010
    Data object read failed: File not found
    Reading data object <3>
    applicationName: X.509 Certificate for PIV Authentication
    Label:           X.509 Certificate for PIV Authentication
    applicationOID:  2.16.840.1.101.3.7.2.1.1
    Path:            0101
    Data object read failed: File not found
    Reading data object <4>
    applicationName: Cardholder Fingerprints
    Label:           Cardholder Fingerprints
    applicationOID:  2.16.840.1.101.3.7.2.96.16
    Path:            6010
    Auth ID:         01
    Reading data object <5>
    applicationName: Printed Information
    Label:           Printed Information
    applicationOID:  2.16.840.1.101.3.7.2.48.1
    Path:            3001
    Auth ID:         01
    Reading data object <6>
    applicationName: Cardholder Facial Image
    Label:           Cardholder Facial Image
    applicationOID:  2.16.840.1.101.3.7.2.96.48
    Path:            6030
    Auth ID:         01
    Reading data object <7>
    applicationName: X.509 Certificate for Digital Signature
    Label:           X.509 Certificate for Digital Signature
    applicationOID:  2.16.840.1.101.3.7.2.1.0
    Path:            0100
    Data object read failed: File not found
    Reading data object <8>
    applicationName: X.509 Certificate for Key Management
    Label:           X.509 Certificate for Key Management
    applicationOID:  2.16.840.1.101.3.7.2.1.2
    Path:            0102
    Data object read failed: File not found
    Reading data object <9>
    applicationName: X.509 Certificate for Card Authentication
    Label:           X.509 Certificate for Card Authentication
    applicationOID:  2.16.840.1.101.3.7.2.5.0
    Path:            0500
    Data object read failed: File not found
    Reading data object <10>
    applicationName: Security Object
    Label:           Security Object
    applicationOID:  2.16.840.1.101.3.7.2.144.0
    Path:            9000
    Data object read failed: File not found
    Reading data object <11>
    applicationName: Discovery Object
    Label:           Discovery Object
    applicationOID:  2.16.840.1.101.3.7.2.96.80
    Path:            6050
    Data Object (20 bytes): < 7E 12 4F 0B A0 00 00 03 08 00 00 10 00 01 00 5F 2F 02 40 00 >
    Reading data object <12>
    applicationName: Cardholder Iris Image
    Label:           Cardholder Iris Image
    applicationOID:  2.16.840.1.101.3.7.2.16.21
    Path:            1015
    Data object read failed: File not found

piv-tool has a --admin parameter that uses a PIV_EXT_AUTH_KEY environment variable that points to a file that contains the key in hexadecimal format. However, I was not supplied with the key nor documentation.

Searching the forum and the Internet I found a reference to https://github.com/berkmanmd/yubikey-neo-osx; however, it has since been removed from GitHub. Mike Berkman, if you are reading this, would you mind sharing the details again, please?

There is also pki-tool in easy-rsa. I have not tried ./pki-tool --pkcs11-init, pkcs11-tool --init-token, nor pkcs15-init yet, as I do not want to delete/erase/wreck the applet by not supplying the correct key if it is needed. Can anyone clarify if the key is needed, or is only the PIN needed? Some commands have prompted for a PIN; I used 123456, which worked. Same default as the OpenPGP user PIN.

Any help will be appreciated.

Thanks,
air
Author: Klas [ Wed Feb 12, 2014 8:05 am ]
Post subject: Re: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Set

Hello,

Sorry for a late reply here..

You've noticed some of this but I'll go over it again:

default pin: 123456
default unblock pin: 12345678
default admin key (3des key): 010203040506070801020304050607080102030405060708

We've just published a little tool that can be used to do some of the administrative tasks with the piv applet: http://opensource.yubico.com/yubico-piv-tool/

If you're using Ubuntu, binaries of it are available in our PPA at: https://launchpad.net/~yubico/+archive/stable

Binaries for Windows and OS X are available at the opensource.yubico.com site.

/klas
Author: air [ Thu Feb 13, 2014 3:13 am ]
Post subject: Re: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Set

Thank you for the update. I got the default admin key from Yubico earlier via email, with some rough instructions.

I managed to create a key pair on the device, with the public key extracted, to create the CSR and sign it, and load the certificate onto the card/applet. The part I wasn't sure about was generating unique CHUIDs, as it seemed that there was surrounding data, and I had read that it is meant to be signed.

I have compiled the yubico-piv-tool from GitHub sources. I will experiment with it, but it looks like it will make the process flow much easier, and it supports generating a unique CHUID, which was one of the last road-blocks for me.

Thanks!
Author: Klas [ Thu Feb 13, 2014 8:54 am ]
Post subject: Re: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Set

Good. I just discovered (and fixed) a bug with how the chuid is generated in the yubico-piv-tool, you might want to run newer code there.

The chuid generated by the yubico-piv-tool isn't signed, but that doesn't seem to be an issue for any system I've run into. If you need a signed chuid we get into more complex issues..

/klas
Author: air [ Fri Feb 14, 2014 5:58 am ]
Post subject: Re: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Set

Thanks Klas, I have updated to fix the CHUID bug. I still need to experiment, but it sounds like I won't need the CHUID signed, I just need Windows to use the Smart Card functionality.
Author: guyome [ Sat Feb 15, 2014 5:46 pm ]
Post subject: Re: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Set

Hello,

Thanks a lot for the PIV-tool. I succeeded in importing a certificate from CAcert onto the yubikey, and it works smoothly with opensc/pkcs11 on Ubuntu at least.

But I can't generate any key on the latest Ubuntu with the Yubico PPA.

Code:
    yubico-piv-tool -s 9a -A ECCP256 -a generate --verbose=2
    parsed key: 01 02 03 04 05 06 07 08 01 02 03 04 05 06 07 08 01 02 03 04 05 06 07 08
    using reader 'Yubico Yubikey NEO OTP+CCID 00 00' matching 'Yubikey'.
    > 00 a4 04 00 05 a0 00 00 03 08
    < 61 11 4f 06 00 00 10 00 01 00 79 07 4f 05 a0 00 00 03 08 90 00
    > 00 87 03 9b 04 7c 02 80 00
    < 7c 0a 80 08 de 8c d3 49 4b d6 85 cc 90 00
    > 00 87 03 9b 0c 7c 0a 80 08 63 f4 87 37 d3 a2 75 58
    < 90 00
    Successful applet authentication.
    Now processing for action 1.
    Going to send 5 bytes in this go.
    > 00 47 00 9a 05 ac 03 80 01 11
    < 6a 80
    Failed to generate new key.

Any idea how to fix that?

Besides, what is the meaning of the admin key?
Author: Klas [ Mon Feb 17, 2014 8:36 am ]
Post subject: Re: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Set

Hello,

You've probably got a slightly older version of the PIV applet, not supporting ECC. I didn't give the tool any knowledge about versions (yet?) to keep it simple. If you give the tool the flag -a version it will tell you what version of the applet is running; I'm guessing 0.0.3 for you. ECC functionality was added in 0.1.0. RSA-2048 should work fine though.

The admin key (also called management key) is used to authenticate to the card for administrative functions like generating and importing keys.

/klas
Author: guyome [ Thu Feb 20, 2014 11:26 am ]
Post subject: Re: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Set

Yes, I have version 0.0.3. Is there a way to upgrade it?

BTW, the way to change the PIN/PUK with yubico-piv-tool seems slightly buggy in this version. But anyway, thanks for the help.
Author: Klas [ Thu Feb 20, 2014 12:45 pm ]
Post subject: Re: [QUESTION] Yubikey NEO with PIV Applet - How to Init/Set

Right now we don't provide an upgrade path for the applet. Most functions should work fine with that applet version, but you're limited to the RSA-2048 algorithm.

/klas