Closed rt-smithee closed 6 years ago
Here is "a" code sample: https://github.com/grandamp/KSJavaAPI/blob/master/src/org/keysupport/tests/CHUIDTest.java
Would an APDU log suffice, or should it be a walk-through using an API or tool?
The CHUID format is not DER, but BER. The BER encodings are conveyed in the data model within 800-73-4.
I don't see what I'm looking for in that sample. What's in the first byte? Why is it 0x5E in my sample card and 0xEE in TIG-SCEPACS 2.3? The data model isn't really in 800-73-4; that's part of the description-dragged-across-9-specs problem. The actual format values seem to be in Figure 1 in TIG-SCEPACS 2.3.
Download: https://github.com/grandamp/KSJavaAPI/raw/master/KSJavaAPI.jar
Execute: java -jar KSJavaAPI.jar org.keysupport.tests.CHUIDTest
Example output (TWIC), truncated:
- KeySupport PIV API Read Test -
Provider: SunPCSC - Sun PC/SC provider
Available Card Readers:
1: AKS ifdh 0
2: AKS ifdh 1
3: AKS VR 0
4: Broadcom Corp Contacted SmartCard 0
5: Rainbow Technologies iKeyVirtualReader 0
6: Rainbow Technologies iKeyVirtualReader 1
7: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
Enter a number of the reader which contains the PIV credential,
and then press [Enter]:
7
CommmandAPDU: 16 bytes, nc=11, ne=0: 00A404000BA000000308000010000100
ResponseAPDU: 2 bytes, SW=613c:
CommmandAPDU: 5 bytes, nc=0, ne=60: 00C000003C
ResponseAPDU: 62 bytes, SW=9000: 613A4F0BA00000030800001000010079074F05A000000308500F49442D4F6E652050495620545749435F501
07777772E6F626572746875722E636F6D
Application Property:
PIV App Property:AID: A000000308000010000100
PIV App Property:Tag Alloc: 4F05A000000308
PIV App Property:Description: ID-One PIV TWIC
PIV App Property:Reference: www.oberthur.com
Command APDU: 00CB3FFF035C017E00
Card: org.keysupport.nist80073.PIVCard@50aed564
Card ATR: 3BDB960081B1FE451F8380F9A0000003080000100098
Command APDU: 00CB3FFF055C035FC10200
CommmandAPDU: 11 bytes, nc=5, ne=256: 00CB3FFF055C035FC10200
Card Holder Unique ID:FASC-N:Agency Code: 7099
Card Holder Unique ID:FASC-N:System Code: 8015
Card Holder Unique ID:FASC-N:Credential Number: 025171
Card Holder Unique ID:FASC-N:Credential Series: 1
Card Holder Unique ID:FASC-N:Individual Credential Issue: 1
Card Holder Unique ID:FASC-N:Person Identifier: 0006551086
Card Holder Unique ID:FASC-N:Organizational Category: 1
Card Holder Unique ID:FASC-N:Organizational Identifier: 7099
Card Holder Unique ID:FASC-N:Per/Org Association Category: 2
Card Holder Unique ID:Agency Code:
Card Holder Unique ID:Organization Identifier:
Card Holder Unique ID:DUNS:
Card Holder Unique ID:GUID: 00000000-0000-0000-0000-000000000000
Card Holder Unique ID:Expiration Date: Sat Dec 30 00:00:00 EST 2017
Card Holder Unique ID:Signature Bytes: (omitted)
Card Holder Unique ID:Error Detection Code:
PIV Content Signing Certificate from CHUID:
[
[
Version: V3
Subject: CN=TWIC-Content-Signing-2012, OU=TWIC, O=TSA, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 2769095708972738565429692683358859380584622314988974675077316843008042265296145563573001518995213414218431321
026705960817692303086815359378047228790244536397628302506757686285273128560495298649437572754685830670389802067799409091
524496217300660175163453813410301715992539285477097848543699328752762923791939924246177546859065372591204517814816232666
645143150462450359177654337967018626503428831309983564541627536276032157690163185449668598643149659770459778938469308711
911024916120746240086281567347342216671601855183432387670753203115907781577654967096951071993238882950088470085434158852
2732990515903631160076197459
public exponent: 65537
Validity: [From: Fri Jun 01 15:18:42 EDT 2012,
To: Tue Dec 31 14:18:42 EST 2019]
Issuer: CN=TWIC CA 1, O=ORC PKI, C=US
SerialNumber: [ b7e773f6 da9d12a3 9dd326e2 67757866]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://twic-crl.orc.com/caCerts/TWICCA1.cer
,
accessMethod: caIssuers
accessLocation: URIName: ldap://twic-ds.orc.com/cn%3dTWIC%20CA%201%2co%3dORC%20PKI%2cc3dUS?cACertificate;binary
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D8 47 15 47 CA E7 E0 5B 90 B6 55 63 E3 27 1A 06 .G.G...[..Uc.'..
0010: B4 2E DA C3 ....
]
]
[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://twic-crl.orc.com/CRLs/TWICCA1.crl]
, DistributionPoint:
[URIName: ldap://twic-ds.orc.com/cn%3dTWIC%20CA%201%2co%3dORC%20PKI%2cc%3dUS?certificateRevocationList;binary]
]]
[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.101.3.6.7]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 09 31 2E 32 2E 33 2E 34 2E 35 ..1.2.3.4.5
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 00 0.
]] ]
]
[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
]
[6]: ObjectId: 2.5.29.16 Criticality=false
PrivateKeyUsage: [
From: Fri Jun 01 15:19:21 EDT 2012, To: Wed May 31 15:19:00 EDT 2017]
[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 84 42 DB 30 59 C4 35 E1 1D 26 32 D3 21 CC A4 ..B.0Y.5..&2.!..
0010: B3 48 4B FE .HK.
]
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 5D 8E 3C 7D 6E D4 F2 64 5B A1 16 01 0B EF 64 D6 ].<.n..d[.....d.
0010: 88 E3 AF BB 1A 29 8D C5 DE 2A 06 E5 45 82 BB DD .....)...*..E...
0020: 9E 91 FC 8C 9D 8F 7B 68 73 50 9D 89 83 94 DC 73 .......hsP.....s
0030: 55 4F EB D1 F1 2D 18 0B 7D 8B 25 F4 A7 1F 6B 64 UO...-....%...kd
0040: 1E A7 F9 BB 99 CD A8 3F 5F 0E 0D 3C 02 CF 26 4D .......?_..<..&M
0050: 1C 8E E8 5B B4 84 B0 F6 2F 5A C6 E5 47 16 30 64 ...[..../Z..G.0d
0060: 90 9C F6 A3 28 B8 02 17 84 98 4A 00 01 6B 24 4B ....(.....J..k$K
0070: C3 87 8E 05 8A 08 6A 9F 76 2A 31 27 EC C1 54 FF ......j.v*1'..T.
0080: 4F 88 01 2C 37 9A 9B 4A 98 4D C0 1A 8A 7B BD D0 O..,7..J.M......
0090: 7B C1 0C 59 47 C9 6B 1F 93 FD 46 02 10 FA 9A A6 ...YG.k...F.....
00A0: 09 C8 F9 72 A3 C4 1C 83 7D 2D 6E 08 F1 FD A6 4D ...r.....-n....M
00B0: 63 EF 37 C0 35 81 BA 6B E2 D8 D3 62 D4 AA 42 A0 c.7.5..k...b..B.
00C0: 53 6E AF 03 61 ED 31 D4 C6 2D 0F 97 39 C1 53 E3 Sn..a.1..-..9.S.
00D0: C9 63 CA 3A 1B 22 23 D6 EF 11 21 46 2E E9 28 9B .c.:."#...!F..(.
00E0: 85 90 FE 2A 6D 20 6C 7A DA 20 7C A0 07 C8 1A 89 ...*m lz. ......
00F0: 48 65 A9 8E C1 FB 00 DA 01 62 47 8E CA 48 2F F2 He.......bG..H/.
]
Command APDU: 00CB3FFF055C035FC10500
CommmandAPDU: 11 bytes, nc=5, ne=256: 00CB3FFF055C035FC10500
PIV CERTIFICATE:CERTIFICATE: (omitted)
PIV CERTIFICATE:CERTINFO:
PIV CERTIFICATE:MSCUID: [null]
PIV CERTIFICATE:EDC:
PIV Auth Certificate:
[
[
Version: V3
Subject: CN=TODD ERIC JOHNSON, OU=TWIC, O=TSA, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 2177472735403377406265316918191463160051375471234548847609504432307299720535913268411493934560962633848444536
825326473416456332869164140546598260457168973611950224643217805512942702834068548424111290249831046741296513980004539399
736363160061988708979502916379866653338077276133716768297085915513425500389331668191650909211787259047511114855579515725
677127199241272080653429952025629435648058543367474274061750347422300955317665520632797560298817126952419974574685715236
973857242257183872930442339328622049405521610847409000170419122108414220016229174797286691004766082313989797821273340097
9040544021990373503044570411
public exponent: 65537
Validity: [From: Thu Jan 10 12:39:52 EST 2013,
To: Sat Dec 30 12:39:52 EST 2017]
Issuer: CN=TWIC CA 1, O=ORC PKI, C=US
SerialNumber: [ f71f0a1f 7641bef3 65cf89f9 19f9e685]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.4.1.29138.6.9.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 03 01 01 00 .....
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://twic-crl.orc.com/caCerts/TWICCA1.cer
,
accessMethod: caIssuers
accessLocation: URIName: ldap://twic-ds.orc.com/cn%3dTWIC%20CA%201%2co%3dORC%20PKI%2cc%3dUS?cACertificate;binary
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D8 47 15 47 CA E7 E0 5B 90 B6 55 63 E3 27 1A 06 .G.G...[..Uc.'..
0010: B4 2E DA C3 ....
]
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://twic-crl.orc.com/CRLs/TWICCA1.crl]
, DistributionPoint:
[URIName: ldap://twic-ds.orc.com/cn%3dTWIC%20CA%201%2co%3dORC%20PKI%2cc%3dUS?certificateRevocationList;binary]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.29138.2.1.3.13]
[] ]
]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
anyExtendedKeyUsage
clientAuth
1.3.6.1.4.1.311.20.2.2
]
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
]
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: grandamp@gmail.com
Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.4.1.29138.6.6
Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.4.1.311.20.2.3
]
[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7E 39 AC 7B B9 BC 7B 84 07 17 72 7C 8A 1C 42 F6 .9........r...B.
0010: 5B EE 03 ED [...
]
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 9E FA FB 61 75 6B FB 3A 66 A9 DB 6F C5 E1 1E 67 ...auk.:f..o...g
0010: B3 31 7F 64 41 0C F6 E7 D5 98 F3 C9 5E 76 4E DA .1.dA.......^vN.
0020: 71 38 F8 28 CE 13 DA EB E5 7F 6F 59 1A 45 13 B0 q8.(......oY.E..
0030: 48 1A 0B 1F 24 9D 92 3E 71 B6 BC 83 58 57 BF 3A H...$..>q...XW.:
0040: 23 7B 81 A5 BE 59 8E C5 AF 4E 92 CF 22 88 8B 18 #....Y...N.."...
0050: 73 82 AC 9B C3 5E 56 7D 23 B5 84 87 60 01 99 E9 s....^V.#...`...
0060: AD AA 58 9C E3 16 F6 31 0B 56 AA E6 BA 54 A5 95 ..X....1.V...T..
0070: BA B1 B7 80 EC 02 BF 74 9B F1 C9 37 9E 3E 3C 8D .......t...7.><.
0080: 20 0B D0 5F 37 64 AB 9B 65 F2 36 BB 97 5C EF E6 .._7d..e.6..\..
0090: 21 53 44 D4 09 1D F6 07 29 03 A5 07 CD FA 51 5B !SD.....).....Q[
00A0: 1A 96 33 C6 B2 62 52 30 85 97 03 90 25 55 BA 09 ..3..bR0....%U..
00B0: 2D 8D 40 51 DD 7F 3A E4 0C 96 22 71 CA 9F 95 85 -.@Q..:..."q....
00C0: 1D 2D DB 73 24 8B 21 98 F1 05 77 F6 84 D8 D0 55 .-.s$.!...w....U
00D0: 1D 1D 85 BD 94 78 D4 52 EE EB 41 31 AC 92 8C 2A .....x.R..A1...*
00E0: 56 AC E2 6D 85 8A 04 E0 F8 CA D6 E2 10 CE 19 39 V..m...........9
00F0: 10 4A 09 7B C5 39 70 53 58 33 31 25 40 AE 2A 86 .J...9pSX31%@.*.
]
Command APDU: 00CB3FFF055C035FC10700
CommmandAPDU: 11 bytes, nc=5, ne=256: 00CB3FFF055C035FC10700
CCC:Card Identifier: 4F626572746875722049442D4F6E65205049562020
CCC:Capability Container version number: 21
CCC:Capability Grammar version number: 21
CCC:Applications CardURL:
CCC:PKCS#15: 11
CCC:Registered Data Model number: 10
CCC:Access Control Rule Table: 0000000000000000000000000000000000
CCC:Card APDUs:
CCC:Redirection Tag:
CCC:Capability Tuples (CTs):
CCC:Status Tuples (STs):
CCC:Next CCC:
CCC:Error Detection Code:
Got it. As you show in your sample code (PIVCardHolderUniqueID.java), it includes all the CHUID fields except the signature, and that includes the "check" value (tag FE). This means you have to assemble a buffer of the CHUID fields minus the signature and hash that.
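As an added example (not code from the thread or from KSJavaAPI), the Python below reconstructs that procedure: it encodes and decodes the FASC-N (TIG SCEPACS layout: 40 five-bit characters, four BCD bits plus odd parity, trailing LRC), walks the BER-TLV fields of the 0x53 CHUID data object, and concatenates every TLV except the 0x3E signature, FE 00 included, into the buffer to be hashed. The sample CHUID is constructed from the field values printed in the log above; its 0x3E content is a zero-filled placeholder, not the card's CMS blob.

```python
from functools import reduce
from operator import xor

SS, FS, ES = 0xB, 0xD, 0xF          # FASC-N start sentinel, field separator, end sentinel
SEP = (5, 10, 17, 19, 21)           # positions of the five field separators among the 40 chars
CHUID_TAGS = {0x30: "fascn", 0x31: "agency_code", 0x32: "organization_identifier", 0x33: "duns",
              0x34: "guid", 0x35: "expiration_date", 0x3D: "auth_key_map", 0x3E: "signature", 0xFE: "edc"}

def encode_fascn(ac, sc, cn, cs, ici, pi, oc, oi, poa):
    """25-byte FASC-N: 40 five-bit chars (4 BCD bits LSB-first + odd parity), LRC last."""
    dig = lambda v, n: [int(c) for c in str(v).zfill(n)]
    chars = ([SS] + dig(ac, 4) + [FS] + dig(sc, 4) + [FS] + dig(cn, 6) + [FS] + dig(cs, 1) + [FS]
             + dig(ici, 1) + [FS] + dig(pi, 10) + dig(oc, 1) + dig(oi, 4) + dig(poa, 1) + [ES])
    chars.append(reduce(xor, chars))                # LRC = XOR of the 39 preceding data nibbles
    bits = []
    for v in chars:
        data = [(v >> i) & 1 for i in range(4)]
        bits += data + [1 - sum(data) % 2]          # odd parity over the five bits
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, 200, 8))

def decode_fascn(raw):
    """Inverse of encode_fascn; rejects bad parity, sentinels, separators, digits or LRC."""
    if len(raw) != 25:
        raise ValueError("FASC-N must be 25 bytes")
    bits = [(b >> (7 - i)) & 1 for b in raw for i in range(8)]
    chars = []
    for i in range(0, 200, 5):
        c = bits[i:i + 5]
        if sum(c) % 2 == 0:
            raise ValueError("FASC-N parity error in char %d" % (i // 5))
        chars.append(c[0] | c[1] << 1 | c[2] << 2 | c[3] << 3)
    if ((chars[0], chars[38]) != (SS, ES) or reduce(xor, chars) != 0   # LRC makes the XOR of all 40 zero
            or [chars[i] for i in SEP] != [FS] * 5
            or any(v > 9 for i, v in enumerate(chars) if 0 < i < 38 and i not in SEP)):
        raise ValueError("FASC-N framing, digit or LRC error")
    f = lambda a, b: "".join(str(v) for v in chars[a:b])
    return {"agency_code": f(1, 5), "system_code": f(6, 10), "credential_number": f(11, 17),
            "credential_series": f(18, 19), "individual_credential_issue": f(20, 21),
            "person_identifier": f(22, 32), "organizational_category": f(32, 33),
            "organizational_identifier": f(33, 37), "person_org_association": f(37, 38)}

def tlv(tag, value):
    """BER-TLV with a one-byte tag and the short, 0x81 or 0x82 length form."""
    n = len(value)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + value

def iter_tlv(buf):
    """Yield (tag, value, raw_tlv) for each one-byte-tag TLV in buf, as used in the CHUID."""
    i = 0
    while i < len(buf):
        start, tag, ln, i = i, buf[i], buf[i + 1], i + 2
        if ln & 0x80:                               # long form: 0x81/0x82 then that many length bytes
            k = ln & 0x7F
            if k not in (1, 2):
                raise ValueError("unsupported BER length byte 0x%02X" % ln)
            ln, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + ln > len(buf):
            raise ValueError("TLV length runs past the end of the buffer")
        yield tag, buf[i:i + ln], buf[start:i + ln]
        i += ln

def parse_chuid(data_object):
    """Unwrap the 0x53 data object; return decoded fields plus the to-be-signed buffer."""
    outer = list(iter_tlv(data_object))
    if len(outer) != 1 or outer[0][0] != 0x53:
        raise ValueError("expected exactly one 0x53 CHUID data object")
    fields, signed = {}, bytearray()
    for tag, value, raw in iter_tlv(outer[0][1]):
        fields[CHUID_TAGS.get(tag, "tag_%02X" % tag)] = value
        if tag != 0x3E:                             # every TLV but the signature, FE 00 included
            signed += raw
    fields["fascn"] = decode_fascn(fields["fascn"])
    fields["expiration_date"] = fields["expiration_date"].decode("ascii")   # YYYYMMDD
    fields["signed_content"] = bytes(signed)        # hash with the SignerInfo's digest algorithm
    return fields

def build_sample_chuid(signature=bytes(0x200)):
    """Constructed sample: field values as printed for the TWIC card above; the 0x3E value is
    a zero-filled placeholder (not a real CMS SignedData) long enough to need 0x82 lengths."""
    fascn = encode_fascn(7099, 8015, 25171, 1, 1, 6551086, 1, 7099, 2)
    body = (tlv(0x30, fascn) + tlv(0x31, b"") + tlv(0x32, b"") + tlv(0x33, b"") + tlv(0x34, bytes(16))
            + tlv(0x35, b"20171230") + tlv(0x3D, b"") + tlv(0x3E, signature) + tlv(0xFE, b""))
    return tlv(0x53, body)
```

The CMS in this log uses SHA-1 (its content signing certificate is SHA1withRSA), so for this card `hashlib.sha1(parse_chuid(build_sample_chuid())["signed_content"]).digest()` is the value that has to match the SignerInfo's messageDigest attribute; take the digest algorithm from the SignerInfo rather than assuming it.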
Originator's questions appear to be answered. Close this issue?
Closing this Issue. It appears that the originator's questions were answered.
This is a specific instance of "accessing information on a PIV credential" per the site. I'm asking this from the view of an implementor developing code to process a CHUID.
Questions:
How do you retrieve the CHUID? (See e.g. piv-tool of OpenSC for example code.)
What is the CHUID format?
Where is TIG-SCEPACS? Do you use 2.2 or 2.3? What about the dead link in SP800-73-4?
Is the CHUID data object a proper DER object? Is there a published ASN.1 structure for it?
When appropriate, what certificate/signature checking is necessary? Who signed the CHUID?
Who gets a FASC-N? (My TWIC card has a FASC-N; I'm a civilian.)
THANK YOU. The link inside gsa.github.io/piv-guides/identifiers/ works; it points to TIG-SCEPACS 2.3 (not 2.2) (search for "this document").