Sending raw apdu commands to generate private-public key pair RSA2048 #51

Open
ble0 opened this issue Apr 6, 2021 · 12 comments

Comments

@ble0 commented Apr 6, 2021

I tried to use the same commands as yubico-piv-tool to generate a private/public key pair:
//select applet
00a4040005a00000030800
00fd000000
00f8000000
//Request for encrypted challenge
0087039b047c028000
-->card provides encrypted challenge to tag 80
//Decrypt encrypted challenge from card in tag 80 while tag 81 is a random number
0087039b167c148008325F7E0D2323C75281080592bbb05e1a58d6
-->card provides encrypted challenge of tag 81

//send private public key pair
0047009a05ac0380010700
-->card responded: 7C 0A 82 08 90 02 37 FE A0 94 5C 60 90 00

I'm expecting, at the last APDU, the public certificate using 2 get responses, but the card does not output anything.
It just ended with SW 9000 and it should be 61XX.
I do not see any special commands that yubico-piv-tool is sending.

Is it because tag 81 has a calculation for how to generate a random number that's causing this? Or is there a timing involved in key generation that must be satisfied? Or is it because opensc-tool has a bug?

This is the full APDU trace:
C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool -v -s 00:a4:04:00:05:a0:00:00:03:08
Using reader with a card: Gemalto USB SmartCard Reader 0
Connecting to card in reader Gemalto USB SmartCard Reader 0...
Using card driver Personal Identity Verification Card.
Sending: 00 A4 04 00 05 A0 00 00 03 08
Received (SW1=0x90, SW2=0x00):
61 81 66 4F 0B A0 00 00 03 08 00 00 10 00 01 00 a.fO............
79 07 4F 05 A0 00 00 03 08 50 15 50 69 76 41 70 y.O......P.PivAp
70 6C 65 74 20 76 30 2E 39 2E 30 2F 52 53 61 44 plet v0.9.0/RSaD
5F 50 1E 67 69 74 68 75 62 2E 63 6F 6D 2F 61 72 _P.github.com/ar
65 6B 69 6E 61 74 68 2F 50 69 76 41 70 70 6C 65 ekinath/PivApple
74 AC 06 80 01 03 06 01 00 AC 06 80 01 0C 06 01 t...............
00 AC 06 80 01 07 06 01 00                      .........

C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool -v -s 00:20:00:80:00
Using reader with a card: Gemalto USB SmartCard Reader 0
Connecting to card in reader Gemalto USB SmartCard Reader 0...
Using card driver Personal Identity Verification Card.
Sending: 00 20 00 80 00
Received (SW1=0x63, SW2=0xC5)

C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool -v -s 00:fd:00:00:00
Using reader with a card: Gemalto USB SmartCard Reader 0
Connecting to card in reader Gemalto USB SmartCard Reader 0...
Using card driver Personal Identity Verification Card.
Sending: 00 FD 00 00 00
Received (SW1=0x90, SW2=0x00):
05 03 00 ...

C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool -v -s 00:f8:00:00:00
Using reader with a card: Gemalto USB SmartCard Reader 0
Connecting to card in reader Gemalto USB SmartCard Reader 0...
Using card driver Personal Identity Verification Card.
Sending: 00 F8 00 00 00
Received (SW1=0x90, SW2=0x00):
CF 45 CE 5D .E.]

C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool -v -s 00:87:03:9b:04:7c:02:80:00
Using reader with a card: Gemalto USB SmartCard Reader 0
Connecting to card in reader Gemalto USB SmartCard Reader 0...
Using card driver Personal Identity Verification Card.
Sending: 00 87 03 9B 04 7C 02 80 00
Received (SW1=0x90, SW2=0x00):
7C 0A 80 08 5E 7B 71 DA 12 E7 E4 D3 |...^{q.....

// i put some random value in tag 81 //
C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool -v -s 00:87:03:9b:16:7c:14:80:08:1C:01:46:18:18:72:A2:F7:81:08:a5:34:28:45:78:4c:5c:3f
Using reader with a card: Gemalto USB SmartCard Reader 0
Connecting to card in reader Gemalto USB SmartCard Reader 0...
Using card driver Personal Identity Verification Card.
Sending: 00 87 03 9B 16 7C 14 80 08 1C 01 46 18 18 72 A2 F7 81 08 A5 34 28 45 78 4C 5C 3F
Received (SW1=0x90, SW2=0x00):
7C 0A 82 08 B5 62 60 99 EE 1F C5 26 |....b`....&

C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool -v -s 00:47:00:9a:05:ac:03:80:01:07
Using reader with a card: Gemalto USB SmartCard Reader 0
Connecting to card in reader Gemalto USB SmartCard Reader 0...
Using card driver Personal Identity Verification Card.
Sending: 00 47 00 9A 05 AC 03 80 01 07
Received (SW1=0x90, SW2=0x00):
7F 49 82 01 09 81 82 01 00 .I.......
@arekinath (Owner) commented

The output you've pasted there does not match what you wrote above. You wrote:

//send private public key pair
0047009a05ac0380010700
-->card responded: 7C 0A 82 08 90 02 37 FE A0 94 5C 60 90 00

But in the command output you pasted:

>opensc-tool -v -s 00:47:00:9a:05:ac:03:80:01:07
Received (SW1=0x90, SW2=0x00):
7F 49 82 01 09 81 82 01 00 .I.......

The "7C .." response looks like it was to your general authenticate command, not the generate asymmetric key command.

This response to the generate asymmetric key command looks correct (7F 49 .. with an 81 inside that's 0x100 long), but truncated -- I suspect because you sent a case 3 command APDU (with no Le byte) when you need a case 4, and either the card or your reader has cut the rest of the response off as a result. Is this a T=0 card? I would try adding the extra Le byte (set to zero) at the end of your generate asymmetric command APDU, to turn it into case 4 format.

@ble0 (Author) commented Apr 7, 2021

Hi,
I discovered the issue with opensc-tool.
opensc-tool sends other commands behind the scenes that are not part of the actual APDU I'm sending. I tried another tool, which is working just fine.

@dengert commented Apr 7, 2021

opensc-tool does all the standard matching ATRs, and selecting a card driver. If that gets in your way, try with ./opensc-tool --card-driver default ...

From your output, you are running multiple opensc-tools, each with its own "-s" option.
Try running it once with multiple "-s" options so it does not lose any login state.

@dengert commented Apr 7, 2021

You could also try the OpenSC piv-tool with the --admin --genkey and --out options. See the man pages. Since NIST left it up to vendors to provision a card, these may or may not work.
piv-tool also accepts multiple "-s" options.

@ble0 (Author) commented Apr 7, 2021

I will try opensc-tool --card-driver first; piv-tool --admin does not work for me.

@dengert commented Apr 7, 2021

I am interested in understanding what problems you were having with piv-tool.

@asalkhanbadr commented

Hi, I am facing the same issue. I am sending plain APDU requests to a smart card (java card 3), but I am not sure how to retrieve the public key. I would appreciate any help on this matter.
If possible, @ble0 could you please let me know the name of the tool that worked for you? Thank you very much.
As for the APDU commands that I have been using, here they are:
Send: 00 47 00 9C 05 AC 03 80 01 07 00
Recv: 61 09
Time used: 24770.000 ms
Send: 00 C0 00 00 09
Recv: 7F 49 82 01 09 81 82 01 00 90 00
Time used: 18.000 ms

@dengert commented Nov 3, 2023

@asalkhanbadr What tool are you using to send the APDU?

Looks like the reader, applet or java card 3 has a problem returning a response to the "47" command with more than 256 bytes.
Is java card 3 a card or a token? i.e. does the reader support 256 byte responses?

The command looks like using short APDU.

7F 49 82 01 09 81 82 01 00 looks like the start of a correct response with tag 7F 49 and length 265 with "Modulus" of length 256. Not shown is the "Modulus" or "Public exponent" of length 3 with 1 byte tag (82) and 1 byte length (03) (if I did the math correctly).

What it should have returned using T=0 would be "61 00", then get response for 256 would have returned "61 14", then do a second get response.

If using T=1, the first command should have returned 256 bytes of data and status "61 0E", and get response for 14 bytes to read the rest, returning 90 00.

Why the first status is "61 09" does not make sense.

Try Send: 00 C0 00 00 00 and see if it responds with 256 bytes and status "61 14".

You could try using an extended APDU, something like "00 47 00 9C 00 00 05 AC 03 80 01 07 00 00".

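The T=0 exchange dengert describes above (the card answering 61 XX and the host fetching the rest with GET RESPONSE) is easy to get wrong at the host side, and the 9-byte 7F 49 fragments quoted in the thread are exactly what a truncated template looks like. The following is an added example, not code from OpenSC, PivApplet or any card: SimT0Card is a simulation of the behaviour described (the real card and applet may differ), its 256-byte modulus is a constructed byte pattern rather than a key, and all function and class names are this example's own. It shows the full chain for a 270-byte reply (61 00, GET RESPONSE for 256 bytes, 61 0E, GET RESPONSE for the remaining 14 bytes, 90 00), then parses the 7F 49 template into modulus and exponent, and the parser rejects the truncated 9-byte fragment because its declared length of 265 runs past the data.

```python
"""T=0 response chaining (61 XX / GET RESPONSE) for a PIV GENERATE ASYMMETRIC
KEY PAIR reply, plus parsing of the 7F 49 public-key template.

Added example for this thread; not code from OpenSC, PivApplet or a card.
SimT0Card simulates the behaviour described in the thread; the modulus
used in demo() is a constructed byte pattern, not a real key.
"""
SW_OK = (0x90, 0x00)


def ber_len(n: int) -> bytes:
    """BER length: one byte below 0x80, else 81 xx or 82 xx xx."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return bytes([0x81, n])
    return b"\x82" + n.to_bytes(2, "big")


def build_public_key_template(modulus: bytes, exponent: bytes) -> bytes:
    """7F 49 { 81 modulus, 82 exponent }, the RSA layout PIV returns."""
    body = b"\x81" + ber_len(len(modulus)) + modulus
    body += b"\x82" + ber_len(len(exponent)) + exponent
    return b"\x7f\x49" + ber_len(len(body)) + body


class SimT0Card:
    """Simulated T=0 card: a case-4 command's reply is queued and handed out
    by GET RESPONSE; SW 61 XX says how much is left (XX=00 for 256 or more)."""

    def __init__(self, reply: bytes):
        self.reply, self.pending = reply, b""

    def _sw(self):
        n = len(self.pending)
        return SW_OK if n == 0 else (0x61, n if n < 256 else 0x00)

    def transmit(self, apdu: bytes):
        ins = apdu[1]
        if ins == 0x47:                          # GENERATE ASYMMETRIC KEY PAIR
            self.pending = self.reply
            return b"", self._sw()
        if ins == 0xC0:                          # GET RESPONSE, Le in apdu[4]
            if not self.pending:
                return b"", (0x69, 0x85)         # nothing queued
            le = apdu[4] if len(apdu) > 4 else 0
            le = 256 if le == 0 else le
            chunk, self.pending = self.pending[:le], self.pending[le:]
            return chunk, self._sw()
        return b"", (0x6D, 0x00)                 # INS not supported


def transmit_chained(card, apdu: bytes):
    """Send one command, then follow each 61 XX with GET RESPONSE Le=XX until
    the card answers 90 00. Returns (data, [(apdu, sw), ...])."""
    data, sw = card.transmit(apdu)
    log = [(apdu, sw)]
    while sw[0] == 0x61:
        get_resp = bytes([apdu[0], 0xC0, 0x00, 0x00, sw[1]])
        chunk, sw = card.transmit(get_resp)
        data += chunk
        log.append((get_resp, sw))
    if sw != SW_OK:
        raise RuntimeError(f"SW {sw[0]:02X} {sw[1]:02X}")
    return data, log


def parse_tlv(buf: bytes):
    """One level of BER-TLV as [(tag, value)], handling two-byte tags such as
    7F 49. Raises when a declared length runs past the buffer, which is what
    the 9-byte 7F 49 fragments quoted in the thread do."""
    out, i = [], 0
    while i < len(buf):
        tag = buf[i]; i += 1
        if tag & 0x1F == 0x1F:                   # subsequent tag byte follows
            tag = (tag << 8) | buf[i]; i += 1
        ln = buf[i]; i += 1
        if ln & 0x80:
            k = ln & 0x7F
            ln = int.from_bytes(buf[i:i + k], "big"); i += k
        if i + ln > len(buf):
            raise ValueError(f"tag {tag:X} claims {ln} bytes, {len(buf) - i} left")
        out.append((tag, buf[i:i + ln])); i += ln
    return out


def parse_rsa_public_key(template: bytes):
    """Return (n, e) as integers from a 7F 49 template."""
    outer = parse_tlv(template)
    if len(outer) != 1 or outer[0][0] != 0x7F49:
        raise ValueError("expected a single 7F 49 template")
    fields = dict(parse_tlv(outer[0][1]))
    return int.from_bytes(fields[0x81], "big"), int.from_bytes(fields[0x82], "big")


def demo():
    modulus = b"\xc0" + bytes(range(255))        # constructed 256 bytes, not a key
    card = SimT0Card(build_public_key_template(modulus, b"\x01\x00\x01"))
    gen_key = bytes.fromhex("0047009a05ac0380010700")   # case 4, Le=00
    data, log = transmit_chained(card, gen_key)
    n, e = parse_rsa_public_key(data)
    return data, log, n, e
```

With a real reader, card.transmit would be the PC/SC transmit call and the 61 XX handling would normally be done by the driver or the tool; sending GET RESPONSE with an Le smaller than what the card reports, as the 00 C0 00 00 09 in the trace above does, is what leaves the template cut off at 9 bytes.
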
@asalkhanbadr commented Nov 3, 2023

Hi @dengert, thank you for your response. The Java card is a physical card and the reader/writer is an HID OMNI 3111. According to the data sheet, it supports 115 kb/s data transmission. The protocol supported both by card and reader is T=0. Additionally, I have been using PyApduTool to send APDU commands.
Regarding the commands you mentioned, I tried them, but the commands did not produce the expected results.

Send: 00 47 00 9C 00 00 05 AC 03 80 01 07 00 00
Recv: 61 09
Time used: 14794.000 ms
Send: 00 C0 00 00 00
Recv: 61 09
Time used: 10.000 ms
Send: 00 C0 00 00 09
Recv: 7F 49 82 01 09 81 82 01 00 90 00
Time used: 19.000 ms
Send: 00 C0 00 00 00
Recv: 69 85
Time used: 12.000 ms

@dengert commented Nov 3, 2023

PyApduTool. According to the data sheet, it supports 115 kb/s data transmission.

Where is the data sheet?

What system are you using?

Best I can tell, the HID OMNI 3111 is a serial port device, not USB, from a few years ago. Most smartcard readers today are USB CCID compliant.

Can you try and force T=1? The only PIV cards I have seen that use T=0 are 20 years old. The Applet may only support T=1.

@asalkhanbadr commented

I attach the datasheet so that you can download it. I use a serial to USB port converter to connect the reader to the computer using USB ports. Also, I tried forcing T=1, but every time I got the error message: 'Connect error: The requested protocols are incompatible with the protocol currently in use with the smart card.'
omnikey_3111.pdf

@dengert commented Nov 4, 2023

Get a different reader. A USB CCID compliant reader.

4 participants