Yubico Forum

All times are UTC + 1 hour

PostPosted: Tue Jan 14, 2014 5:10 am 

Joined: Tue Nov 05, 2013 3:08 am
Posts: 17
Hi All,

I purchased several Yubikey NEOs with the PIV applet (beta). I am not sure how to set it up or initialise it though. I am using Linux and OpenSC, although later I will be supporting other operating systems such as Windows and Mac OS X.

Code:
$ ykneomgr -a
0: a0000000035350
1: a0000005272001
2: a000000308
3: a0000005272101
4: d27600012401


AID a000000308 is the PIV applet, which appears to be ID-ONE by Oberthur Technologies - "Personal Identity Verification (PIV) / ID-ONE PIV BIO".

I haven't found any good documentation available on the Internet yet from Oberthur regarding the setup and initialisation.

Using OpenSC tools, such as piv-tool, pkcs15-tool, and pkcs11-tool, I can see that the certificates etc. have not yet been initialised.

Code:
$ piv-tool -n
Using reader with a card: Yubico Yubikey NEO OTP+CCID 00 00
PIV-II card


Code:
$ pcsc_scan
PC/SC device scanner
V 1.4.21 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.8
Using reader plug'n play mechanism
Scanning present readers...
0: Yubico Yubikey NEO OTP+CCID 00 00

Tue Jan 14 14:48:31 2014
Reader 0: Yubico Yubikey NEO OTP+CCID 00 00
  Card state: Card inserted,
  ATR: 3B FA 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F A6

ATR: 3B FA 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F A6
+ TS = 3B --> Direct Convention
+ T0 = FA, Y(1): 1111, K: 10 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
+ Historical bytes: 59 75 62 69 6B 65 79 4E 45 4F
  Category indicator byte: 59 (proprietary format)
+ TCK = A6 (correct checksum)

Possibly identified card (using /home/eh/.cache/smartcard_list.txt):
3B FA 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F A6
        Yubikey NEO


Code:
$ pkcs15-tool --list-data-objects
Using reader with a card: Yubico Yubikey NEO OTP+CCID 00 00
Reading data object <0>
applicationName: Card Capability Container
Label:           Card Capability Container
applicationOID:  2.16.840.1.101.3.7.1.219.0
Path:            db00
Data object read failed: File not found
Reading data object <1>
applicationName: Card Holder Unique Identifier
Label:           Card Holder Unique Identifier
applicationOID:  2.16.840.1.101.3.7.2.48.0
Path:            3000
Data object read failed: File not found
Reading data object <2>
applicationName: Unsigned Card Holder Unique Identifier
Label:           Unsigned Card Holder Unique Identifier
applicationOID:  2.16.840.1.101.3.7.2.48.2
Path:            3010
Data object read failed: File not found
Reading data object <3>
applicationName: X.509 Certificate for PIV Authentication
Label:           X.509 Certificate for PIV Authentication
applicationOID:  2.16.840.1.101.3.7.2.1.1
Path:            0101
Data object read failed: File not found
Reading data object <4>
applicationName: Cardholder Fingerprints
Label:           Cardholder Fingerprints
applicationOID:  2.16.840.1.101.3.7.2.96.16
Path:            6010
Auth ID:         01
Reading data object <5>
applicationName: Printed Information
Label:           Printed Information
applicationOID:  2.16.840.1.101.3.7.2.48.1
Path:            3001
Auth ID:         01
Reading data object <6>
applicationName: Cardholder Facial Image
Label:           Cardholder Facial Image
applicationOID:  2.16.840.1.101.3.7.2.96.48
Path:            6030
Auth ID:         01
Reading data object <7>
applicationName: X.509 Certificate for Digital Signature
Label:           X.509 Certificate for Digital Signature
applicationOID:  2.16.840.1.101.3.7.2.1.0
Path:            0100
Data object read failed: File not found
Reading data object <8>
applicationName: X.509 Certificate for Key Management
Label:           X.509 Certificate for Key Management
applicationOID:  2.16.840.1.101.3.7.2.1.2
Path:            0102
Data object read failed: File not found
Reading data object <9>
applicationName: X.509 Certificate for Card Authentication
Label:           X.509 Certificate for Card Authentication
applicationOID:  2.16.840.1.101.3.7.2.5.0
Path:            0500
Data object read failed: File not found
Reading data object <10>
applicationName: Security Object
Label:           Security Object
applicationOID:  2.16.840.1.101.3.7.2.144.0
Path:            9000
Data object read failed: File not found
Reading data object <11>
applicationName: Discovery Object
Label:           Discovery Object
applicationOID:  2.16.840.1.101.3.7.2.96.80
Path:            6050
Data Object (20 bytes): < 7E 12 4F 0B A0 00 00 03 08 00 00 10 00 01 00 5F 2F 02 40 00 >
Reading data object <12>
applicationName: Cardholder Iris Image
Label:           Cardholder Iris Image
applicationOID:  2.16.840.1.101.3.7.2.16.21
Path:            1015
Data object read failed: File not found


Code:
$ pkcs15-tool --list-pins
Using reader with a card: Yubico Yubikey NEO OTP+CCID 00 00
PIN [PIV Card Holder pin]
        Object Flags   : [0x1], private
        ID             : 01
        Flags          : [0x22], local, needs-padding
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 128
        Type           : ascii-numeric

PIN [PIV PUK]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0xE2], local, needs-padding, unblockingPin, soPin
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 129
        Type           : ascii-numeric


Code:
$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --show-info
Cryptoki version 2.20
Manufacturer     OpenSC (www.opensc-project.org)
Library          Smart card PKCS#11 API (ver 0.0)
Using slot 1 with a present token (0x1)


Code:
$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): Yubico Yubikey NEO OTP+CCID 00 00
  token label:   PIV_II (PIV Card Holder pin)
  token manuf:   piv_II
  token model:   PKCS#15 emulated
  token flags:   rng, readonly, login required, PIN initialized, token initialized
  serial num  :  00000000


Code:
$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-mechanisms
Using slot 1 with a present token (0x1)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  ECDSA, keySize={256,384}, hw, sign, other flags=0x1800000
  ECDSA-SHA1, keySize={256,384}, hw, sign, other flags=0x1800000
  ECDSA-KEY-PAIR-GEN, keySize={256,384}, hw, generate_key_pair, other flags=0x1800000
  RSA-X-509, keySize={1024,3072}, hw, decrypt, sign, verify
  RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
  SHA256-RSA-PKCS, keySize={1024,3072}, sign, verify
  MD5-RSA-PKCS, keySize={1024,3072}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={1024,3072}, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,3072}, generate_key_pair


Code:
$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-objects
Using slot 1 with a present token (0x1)
Data object 877800048
  label:          'Card Capability Container'
  application:    'Card Capability Container'
  app_id:         2.16.840.1.101.3.7.1.219.0
  flags:         
Data object 877806224
  label:          'Card Holder Unique Identifier'
  application:    'Card Holder Unique Identifier'
  app_id:         2.16.840.1.101.3.7.2.48.0
  flags:         
Data object 877806320
  label:          'Unsigned Card Holder Unique Identifier'
  application:    'Unsigned Card Holder Unique Identifier'
  app_id:         2.16.840.1.101.3.7.2.48.2
  flags:         
Data object 877806416
  label:          'X.509 Certificate for PIV Authentication'
  application:    'X.509 Certificate for PIV Authentication'
  app_id:         2.16.840.1.101.3.7.2.1.1
  flags:         
Data object 877806800
  label:          'X.509 Certificate for Digital Signature'
  application:    'X.509 Certificate for Digital Signature'
  app_id:         2.16.840.1.101.3.7.2.1.0
  flags:         
Data object 877806896
  label:          'X.509 Certificate for Key Management'
  application:    'X.509 Certificate for Key Management'
  app_id:         2.16.840.1.101.3.7.2.1.2
  flags:         
Data object 877806992
  label:          'X.509 Certificate for Card Authentication'
  application:    'X.509 Certificate for Card Authentication'
  app_id:         2.16.840.1.101.3.7.2.5.0
  flags:         
Data object 877807088
  label:          'Security Object'
  application:    'Security Object'
  app_id:         2.16.840.1.101.3.7.2.144.0
  flags:         
Data object 877807184
  label:          'Discovery Object'
  application:    'Discovery Object'
  app_id:         2.16.840.1.101.3.7.2.96.80
  flags:         


piv-tool cannot read the serial, even as root:
Code:
# piv-tool --serial
Using reader with a card: Yubico Yubikey NEO OTP+CCID 00 00
sc_card_ctl(*, SC_CARDCTL_GET_SERIALNR, *) failed -1201


But pkcs15-tool will print the serial when dumping:
Code:
$ pkcs15-tool --dump
Using reader with a card: Yubico Yubikey NEO OTP+CCID 00 00
PKCS#15 Card [PIV_II]:
        Version        : 0
        Serial number  : 00000000
        Manufacturer ID: piv_II
        Flags          :

PIN [PIV Card Holder pin]
        Object Flags   : [0x1], private
        ID             : 01
        Flags          : [0x22], local, needs-padding
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 128
        Type           : ascii-numeric

PIN [PIV PUK]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0xE2], local, needs-padding, unblockingPin, soPin
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0xFF
        Reference      : 129
        Type           : ascii-numeric

Reading data object <0>
applicationName: Card Capability Container
Label:           Card Capability Container
applicationOID:  2.16.840.1.101.3.7.1.219.0
Path:            db00
Data object read failed: File not found
Reading data object <1>
applicationName: Card Holder Unique Identifier
Label:           Card Holder Unique Identifier
applicationOID:  2.16.840.1.101.3.7.2.48.0
Path:            3000
Data object read failed: File not found
Reading data object <2>
applicationName: Unsigned Card Holder Unique Identifier
Label:           Unsigned Card Holder Unique Identifier
applicationOID:  2.16.840.1.101.3.7.2.48.2
Path:            3010
Data object read failed: File not found
Reading data object <3>
applicationName: X.509 Certificate for PIV Authentication
Label:           X.509 Certificate for PIV Authentication
applicationOID:  2.16.840.1.101.3.7.2.1.1
Path:            0101
Data object read failed: File not found
Reading data object <4>
applicationName: Cardholder Fingerprints
Label:           Cardholder Fingerprints
applicationOID:  2.16.840.1.101.3.7.2.96.16
Path:            6010
Auth ID:         01
Reading data object <5>
applicationName: Printed Information
Label:           Printed Information
applicationOID:  2.16.840.1.101.3.7.2.48.1
Path:            3001
Auth ID:         01
Reading data object <6>
applicationName: Cardholder Facial Image
Label:           Cardholder Facial Image
applicationOID:  2.16.840.1.101.3.7.2.96.48
Path:            6030
Auth ID:         01
Reading data object <7>
applicationName: X.509 Certificate for Digital Signature
Label:           X.509 Certificate for Digital Signature
applicationOID:  2.16.840.1.101.3.7.2.1.0
Path:            0100
Data object read failed: File not found
Reading data object <8>
applicationName: X.509 Certificate for Key Management
Label:           X.509 Certificate for Key Management
applicationOID:  2.16.840.1.101.3.7.2.1.2
Path:            0102
Data object read failed: File not found
Reading data object <9>
applicationName: X.509 Certificate for Card Authentication
Label:           X.509 Certificate for Card Authentication
applicationOID:  2.16.840.1.101.3.7.2.5.0
Path:            0500
Data object read failed: File not found
Reading data object <10>
applicationName: Security Object
Label:           Security Object
applicationOID:  2.16.840.1.101.3.7.2.144.0
Path:            9000
Data object read failed: File not found
Reading data object <11>
applicationName: Discovery Object
Label:           Discovery Object
applicationOID:  2.16.840.1.101.3.7.2.96.80
Path:            6050
Data Object (20 bytes): < 7E 12 4F 0B A0 00 00 03 08 00 00 10 00 01 00 5F 2F 02 40 00 >
Reading data object <12>
applicationName: Cardholder Iris Image
Label:           Cardholder Iris Image
applicationOID:  2.16.840.1.101.3.7.2.16.21
Path:            1015
Data object read failed: File not found


piv-tool has a --admin parameter that uses a PIV_EXT_AUTH_KEY environment variable that points to a file that contains the key in hexadecimal format. However, I was not supplied with the key nor documentation.

Searching the forum and the Internet I found a reference to https://github.com/berkmanmd/yubikey-neo-osx however it has since been removed from GitHub. Mike Berkman if you are reading this would you mind sharing the details again, please?

There is also pki-tool in easy-rsa.

I have not tried ./pki-tool --pkcs11-init, pkcs11-tool --init-token, nor pkcs15-init, yet as I do not want to delete/erase/wreck the applet by not supplying the correct key if it is needed.

Can anyone clarify if the key is needed, or is only the PIN needed?
Some commands have prompted for a PIN; I used 123456, which worked. Same default as the OpenPGP user PIN.

Any help will be appreciated.

Thanks,
air
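Two of the blobs in the post above can be decoded by hand to confirm what the tools reported: the ATR that pcsc_scan printed (interface bytes, protocol, historical bytes, TCK checksum) and the Discovery Object that pkcs15-tool read (the PIV AID and the PIN usage policy). The following is an added example by the editor, not code from the post, OpenSC or Yubico; the two hex strings are copied from the post, and the ATR layout follows ISO 7816-3 and the Discovery Object fields NIST SP 800-73, both as read by the example's author.

```python
"""Decode the ATR and the PIV Discovery Object shown in the forum post.
Editor's example; the hex strings below are copied from the post."""

# Copied from the pcsc_scan output in the post
ATR_HEX = "3B FA 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F A6"
# Copied from pkcs15-tool --list-data-objects, data object <11>
DISCOVERY_HEX = "7E 12 4F 0B A0 00 00 03 08 00 00 10 00 01 00 5F 2F 02 40 00"

NIST_RID = bytes.fromhex("A000000308")   # RID that starts every PIV AID

# Bits of the first PIN Usage Policy byte (tag 5F2F), per SP 800-73
PIN_POLICY_BITS = {
    0x40: "PIV Card Application PIN satisfies the PIV access control rules",
    0x20: "Global PIN satisfies the PIV access control rules",
    0x10: "On-card biometric comparison satisfies the PIV access control rules",
}


def parse_atr(atr_hex: str) -> dict:
    """Walk the interface-byte chain (TA/TB/TC/TD per round), then the
    historical bytes, and verify the TCK checksum when one is present."""
    atr = bytes.fromhex(atr_hex)
    ts, t0 = atr[0], atr[1]
    y, k = t0 >> 4, t0 & 0x0F            # presence bits for round 1, historical count
    interface, protocols, i, n, td = [], set(), 2, 1, 0
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                interface.append((f"{name}{n}", atr[i]))
                if name == "TD":
                    td = atr[i]
                i += 1
        if not y & 8:                     # no TD in this round: chain ends
            break
        protocols.add(td & 0x0F)          # low nibble of TD = protocol T
        y, n = td >> 4, n + 1
    historical = atr[i:i + k]
    i += k
    # TCK is present unless T=0 is the only protocol; it makes the XOR of
    # every byte after TS equal to zero
    tck_present = bool(protocols - {0})
    xor = 0
    for b in atr[1:]:
        xor ^= b
    return {
        "direct_convention": ts == 0x3B,
        "interface": interface,
        "protocols": sorted(protocols) or [0],
        "historical_ascii": historical.decode("ascii", errors="replace"),
        "tck_ok": tck_present and i == len(atr) - 1 and xor == 0,
    }


def parse_tlv(data: bytes) -> list:
    """Flat BER-TLV parser: one- or two-byte tags, short or long lengths."""
    out, i = [], 0
    while i < len(data):
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:            # two-byte tag such as 5F2F
            tag = (tag << 8) | data[i]
            i += 1
        length = data[i]
        i += 1
        if length & 0x80:                 # long form: next (length & 0x7F) bytes
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError(f"tag {tag:#x} length {length} overruns data")
        out.append((tag, data[i:i + length]))
        i += length
    return out


def decode_discovery_object(raw_hex: str) -> dict:
    """Pull the AID and the PIN usage policy out of a Discovery Object."""
    outer = parse_tlv(bytes.fromhex(raw_hex))
    if len(outer) != 1 or outer[0][0] != 0x7E:
        raise ValueError("expected a single 7E template")
    fields = dict(parse_tlv(outer[0][1]))
    aid, policy = fields[0x4F], fields[0x5F2F]
    return {
        "aid": aid.hex().upper(),
        "is_nist_piv": aid[:5] == NIST_RID,
        "app_portion": aid[5:9].hex().upper(),     # 00001000 = PIV card application
        "app_version": f"{aid[9]}.{aid[10]:02d}",  # bytes 01 00 -> "1.00"
        "pin_policy": [d for bit, d in PIN_POLICY_BITS.items() if policy[0] & bit],
        "primary_pin_byte": policy[1],
    }


if __name__ == "__main__":
    print(parse_atr(ATR_HEX))
    print(decode_discovery_object(DISCOVERY_HEX))
```

Running it reproduces what the tools already said: the historical bytes spell "YubikeyNEO", only T=1 is offered, the TCK checks out, the AID is the NIST PIV card application at version 1.00, and the policy byte 0x40 means the PIV Card Application PIN (the one that accepted 123456) is what gates object access. A mismatch between the AID the Discovery Object advertises and the applet the host selected is the kind of thing worth flagging when scripting enrolment.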


PostPosted: Wed Feb 12, 2014 8:05 am 
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello,

Sorry for a late reply here. You've noticed some of this but I'll go over it again:
default pin: 123456
default unblock pin: 12345678
default admin key (3des key): 010203040506070801020304050607080102030405060708

We've just published a little tool that can be used to do some of the administrative tasks with the piv applet: http://opensource.yubico.com/yubico-piv-tool/

If you're using Ubuntu, binaries of it are available in our PPA at: https://launchpad.net/~yubico/+archive/stable. Binaries for Windows and OS X are available at the opensource.yubico.com site.

/klas


PostPosted: Thu Feb 13, 2014 3:13 am 

Joined: Tue Nov 05, 2013 3:08 am
Posts: 17
Thank you for the update. I got the default admin key from Yubico earlier via email, with some rough instructions. I managed to create a key pair on the device, with the public key extracted, to create the CSR and sign it, and load the certificate onto the card/applet. The part I wasn't sure about was generating unique CHUIDs, as it seemed that there was surrounding data, and I had read that it is meant to be signed.

I have compiled the yubico-piv-tool from GitHub sources. I will experiment with it, but it looks like it will make the process flow much easier, and it supports generating a unique CHUID, which was one of the last road-blocks for me. Thanks!


PostPosted: Thu Feb 13, 2014 8:54 am 
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Good. I just discovered (and fixed) a bug with how the chuid is generated in the yubico-piv-tool, you might want to run newer code there.

The chuid generated by the yubico-piv-tool isn't signed, but that doesn't seem to be an issue for any system I've run into. If you need a signed chuid we get into more complex issues.

/klas


PostPosted: Fri Feb 14, 2014 5:58 am 

Joined: Tue Nov 05, 2013 3:08 am
Posts: 17
Thanks Klas, I have updated to fix the CHUID bug.

I still need to experiment, but it sounds like I won't need the CHUID signed, I just need Windows to use the Smart Card functionality.


PostPosted: Sat Feb 15, 2014 5:46 pm 

Joined: Fri Jan 10, 2014 10:44 pm
Posts: 7
Hello,

Thanks a lot for the PIV tool. I succeeded in importing a certificate from CAcert onto the YubiKey and it works smoothly with OpenSC/PKCS#11 on Ubuntu at least.

But I can't generate any key on the latest Ubuntu with the Yubico PPA.

Code:
yubico-piv-tool -s 9a -A ECCP256 -a generate --verbose=2
parsed key: 01 02 03 04 05 06 07 08 01 02 03 04 05 06 07 08 01 02 03 04 05 06 07 08
using reader 'Yubico Yubikey NEO OTP+CCID 00 00' matching 'Yubikey'.
> 00 a4 04 00 05 a0 00 00 03 08
< 61 11 4f 06 00 00 10 00 01 00 79 07 4f 05 a0 00 00 03 08 90 00
> 00 87 03 9b 04 7c 02 80 00
< 7c 0a 80 08 de 8c d3 49 4b d6 85 cc 90 00
> 00 87 03 9b 0c 7c 0a 80 08 63 f4 87 37 d3 a2 75 58
< 90 00
Successful applet authentication.
Now processing for action 1.
Going to send 5 bytes in this go.
> 00 47 00 9a 05 ac 03 80 01 11
< 6a 80
Failed to generate new key.


Any idea how to fix that?

Besides, what is the meaning of the admin key?


PostPosted: Mon Feb 17, 2014 8:36 am 
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello,

You've probably got a slightly older version of the PIV applet, not supporting ECC. I didn't give the tool any knowledge about versions (yet?) to keep it simple.

If you give the tool the flag -a version it will tell you what version of the applet is running; I'm guessing 0.0.3 for you. ECC functionality was added in 0.1.0. RSA-2048 should work fine though.

The admin key (also called management key) is used to authenticate to the card for administrative functions like generating and importing keys.

/klas
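The verbose trace in the earlier post and the explanation of the admin key above fit together once the APDUs are decoded: the tool first authenticates to key reference 9B (the management key) with GENERAL AUTHENTICATE using algorithm 03 (3DES), and only then sends GENERATE ASYMMETRIC KEY PAIR for slot 9A asking for algorithm 11 (ECC P-256), which the card answers with status 6A80, "incorrect parameters in the data field", the expected reply from an applet that has no such algorithm. The decoder below is an added example by the editor, not code from the post or from yubico-piv-tool; the trace lines are copied from the post, and the instruction names, key references, algorithm identifiers and status words come from ISO 7816-4 and NIST SP 800-73/800-78 as read by the example's author. It only decodes structure; it does not recompute the 3DES challenge/response bytes.

```python
"""Decode a yubico-piv-tool --verbose APDU trace and explain the first failure.
Editor's example; the trace below is copied from the forum post."""

TRACE = """\
> 00 a4 04 00 05 a0 00 00 03 08
< 61 11 4f 06 00 00 10 00 01 00 79 07 4f 05 a0 00 00 03 08 90 00
> 00 87 03 9b 04 7c 02 80 00
< 7c 0a 80 08 de 8c d3 49 4b d6 85 cc 90 00
> 00 87 03 9b 0c 7c 0a 80 08 63 f4 87 37 d3 a2 75 58
< 90 00
> 00 47 00 9a 05 ac 03 80 01 11
< 6a 80
"""

# ISO 7816-4 / SP 800-73 instruction bytes used by the PIV card application
INS_NAMES = {0xA4: "SELECT", 0x87: "GENERAL AUTHENTICATE",
             0x47: "GENERATE ASYMMETRIC KEY PAIR", 0x20: "VERIFY",
             0xCB: "GET DATA", 0xDB: "PUT DATA"}
# PIV key references (P2 of GENERAL AUTHENTICATE / GENERATE)
KEY_REFS = {0x9A: "PIV Authentication", 0x9B: "card management (admin) key",
            0x9C: "Digital Signature", 0x9D: "Key Management",
            0x9E: "Card Authentication", 0x80: "Card Application PIN", 0x81: "PUK"}
# PIV algorithm identifiers (SP 800-78)
ALGORITHMS = {0x03: "3DES", 0x06: "RSA 1024", 0x07: "RSA 2048",
              0x11: "ECC P-256", 0x14: "ECC P-384"}
STATUS_WORDS = {0x9000: "OK", 0x6A80: "incorrect parameters in the data field",
                0x6A86: "incorrect P1/P2", 0x6982: "security status not satisfied",
                0x6A82: "file or application not found",
                0x6D00: "instruction not supported"}


def parse_trace(trace: str) -> list:
    """Pair each '>' command APDU with the '<' response that follows it."""
    exchanges = []
    for line in trace.splitlines():
        direction, _, hexstr = line.partition(" ")
        data = bytes.fromhex(hexstr)
        if direction == ">":
            cla, ins, p1, p2 = data[:4]
            lc = data[4] if len(data) > 4 else 0
            exchanges.append({"cla": cla, "ins": ins, "p1": p1, "p2": p2,
                              "data": data[5:5 + lc]})
        elif direction == "<":
            sw = int.from_bytes(data[-2:], "big")   # last two bytes are SW1 SW2
            exchanges[-1].update({"response": data[:-2], "sw": sw})
    return exchanges


def explain(ex: dict) -> str:
    """Describe one exchange using the PIV meaning of P1, P2 and the data field."""
    name = INS_NAMES.get(ex["ins"], f"INS {ex['ins']:#04x}")
    if ex["ins"] == 0xA4:
        what = f"{name}: AID {ex['data'].hex()}"
    elif ex["ins"] == 0x87:     # P1 = algorithm, P2 = key reference
        what = (f"{name}: authenticate to the {KEY_REFS.get(ex['p2'], '?')} "
                f"with {ALGORITHMS.get(ex['p1'], '?')}")
    elif ex["ins"] == 0x47:     # P2 = slot; data = AC template holding 80 01 <alg>
        d = ex["data"]
        alg = d[4] if len(d) >= 5 and d[0] == 0xAC and d[2] == 0x80 else None
        what = f"{name}: slot {ex['p2']:02X}, algorithm {ALGORITHMS.get(alg, 'unknown')}"
    else:
        what = name
    status = STATUS_WORDS.get(ex["sw"], "unknown status")
    return f"{what} -> {ex['sw']:04X} ({status})"


def first_failure(trace: str):
    """Return (index, explanation) of the first exchange not answered 9000."""
    for idx, ex in enumerate(parse_trace(trace)):
        if ex["sw"] != 0x9000:
            return idx, explain(ex)
    return None


if __name__ == "__main__":
    for ex in parse_trace(TRACE):
        print(explain(ex))
```

The decoded trace also makes the admin key's role concrete: the two GENERAL AUTHENTICATE exchanges succeed with 9000, so the management key (here the published default) was accepted, and the failure is purely the applet rejecting the requested algorithm. Once the default key has done its job during enrolment, it is the value to rotate, since anyone holding it can run exactly this sequence to generate or import keys in the slots.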


PostPosted: Thu Feb 20, 2014 11:26 am 

Joined: Fri Jan 10, 2014 10:44 pm
Posts: 7
Yes, I have version 0.0.3. Is there a way to upgrade it or not?

BTW, the way to change PIN/PUK with yubico-piv-tool seems slightly buggy in this version.

But anyway thanks for the help.


PostPosted: Thu Feb 20, 2014 12:45 pm 
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Right now we don't provide an upgrade path for the applet.

Most functions should work fine with that applet version, but you're limited to the RSA-2048 algorithm.

/klas

