arekinath / PivApplet

PIV applet for JavaCard 2.2.2 and 3.0.4+ with full ECDSA/ECDH support

Sending raw apdu commands to generate private-public key pair RSA2048 #51

Open ble0 opened 3 years ago

ble0 commented 3 years ago

I tried to use the same commands as yubico-piv-tool to generate private public key pair:

//select applet
00a4040005a00000030800
00fd000000
00f8000000
//Request for encrypted challenge
0087039b047c028000
-->card provides encrypted challenge to tag 80
//Decrypt encrypted challenge from card in tag 80 while tag 81 is a random number
0087039b167c148008325F7E0D2323C75281080592bbb05e1a58d6
-->card provides encrypted challenge of tag 81

//send private public key pair
0047009a05ac0380010700
-->card responded: 7C 0A 82 08 90 02 37 FE A0 94 5C 60 90 00

I'm expecting, at the last apdu, the public certificate via 2 get response, but the card does not output anything. It just ended with SW 9000 when it should be 61XX. I do not see any special commands that yubico-piv-tool is sending.

Is it because tag 81 has a calculation for how to generate a random number that's causing this? Or is there a timing involved in key generation that must be satisfied? Or is it because opensc-tool has a bug?

This is the full APDU trace:
C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool -v -s 00:a4:04:00:05:a0:00:00:03:08
Using reader with a card: Gemalto USB SmartCard Reader 0
Connecting to card in reader Gemalto USB SmartCard Reader 0...
Using card driver Personal Identity Verification Card.
Sending: 00 A4 04 00 05 A0 00 00 03 08
Received (SW1=0x90, SW2=0x00):
61 81 66 4F 0B A0 00 00 03 08 00 00 10 00 01 00 a.fO............
79 07 4F 05 A0 00 00 03 08 50 15 50 69 76 41 70 y.O......P.PivAp
70 6C 65 74 20 76 30 2E 39 2E 30 2F 52 53 61 44 plet v0.9.0/RSaD
5F 50 1E 67 69 74 68 75 62 2E 63 6F 6D 2F 61 72 _P.github.com/ar
65 6B 69 6E 61 74 68 2F 50 69 76 41 70 70 6C 65 ekinath/PivApple
74 AC 06 80 01 03 06 01 00 AC 06 80 01 0C 06 01 t...............
00 AC 06 80 01 07 06 01 00                      .........

C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool -v -s 00:20:00:80:00
Using reader with a card: Gemalto USB SmartCard Reader 0
Connecting to card in reader Gemalto USB SmartCard Reader 0...
Using card driver Personal Identity Verification Card.
Sending: 00 20 00 80 00
Received (SW1=0x63, SW2=0xC5)

C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool -v -s 00:fd:00:00:00
Using reader with a card: Gemalto USB SmartCard Reader 0
Connecting to card in reader Gemalto USB SmartCard Reader 0...
Using card driver Personal Identity Verification Card.
Sending: 00 FD 00 00 00
Received (SW1=0x90, SW2=0x00):
05 03 00 ...

C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool -v -s 00:f8:00:00:00
Using reader with a card: Gemalto USB SmartCard Reader 0
Connecting to card in reader Gemalto USB SmartCard Reader 0...
Using card driver Personal Identity Verification Card.
Sending: 00 F8 00 00 00
Received (SW1=0x90, SW2=0x00):
CF 45 CE 5D .E.]

C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool -v -s 00:87:03:9b:04:7c:02:80:00
Using reader with a card: Gemalto USB SmartCard Reader 0
Connecting to card in reader Gemalto USB SmartCard Reader 0...
Using card driver Personal Identity Verification Card.
Sending: 00 87 03 9B 04 7C 02 80 00
Received (SW1=0x90, SW2=0x00):
7C 0A 80 08 5E 7B 71 DA 12 E7 E4 D3 |...^{q.....

// I put some random value in tag 81
C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool -v -s 00:87:03:9b:16:7c:14:80:08:1C:01:46:18:18:72:A2:F7:81:08:a5:34:28:45:78:4c:5c:3f
Using reader with a card: Gemalto USB SmartCard Reader 0
Connecting to card in reader Gemalto USB SmartCard Reader 0...
Using card driver Personal Identity Verification Card.
Sending: 00 87 03 9B 16 7C 14 80 08 1C 01 46 18 18 72 A2 F7 81 08 A5 34 28 45 78 4C 5C 3F
Received (SW1=0x90, SW2=0x00):
7C 0A 82 08 B5 62 60 99 EE 1F C5 26 |....b`....&

C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool -v -s 00:47:00:9a:05:ac:03:80:01:07
Using reader with a card: Gemalto USB SmartCard Reader 0
Connecting to card in reader Gemalto USB SmartCard Reader 0...
Using card driver Personal Identity Verification Card.
Sending: 00 47 00 9A 05 AC 03 80 01 07
Received (SW1=0x90, SW2=0x00):
7F 49 82 01 09 81 82 01 00 .I.......
arekinath commented 3 years ago

The output you've pasted there does not match what you wrote above. You wrote:

//send private public key pair
0047009a05ac0380010700
-->card responded: 7C 0A 82 08 90 02 37 FE A0 94 5C 60 90 00

But in the command output you pasted:

>opensc-tool -v -s 00:47:00:9a:05:ac:03:80:01:07
Received (SW1=0x90, SW2=0x00):
7F 49 82 01 09 81 82 01 00 .I.......

The "7C .." response looks like it was to your general authenticate command, not the generate asymmetric key command.

This response to the generate asymmetric key command looks correct (7F 49 .. with an 81 inside that's 0x100 long), but truncated -- I suspect because you sent a case 3 command APDU (with no Le byte) when you need a case 4, and either the card or your reader has cut the rest of the response off as a result. Is this a T=0 card? I would try adding the extra Le byte (set to zero) at the end of your generate asymmetric command APDU, to turn it into case 4 format.

ble0 commented 3 years ago

Hi, I discovered the issue with the opensc-tool. opensc-tool sends other commands behind the scenes that are not part of the actual APDU I'm sending. I tried another tool which is working just fine.

dengert commented 3 years ago

opensc-tool does all the standard matching ATRs, and selecting a card driver. If that gets in your way, try with ./opensc-tool --card-driver default ...

From your output, you are running multiple opensc-tools, each with its own "-s" option. Try running it once with multiple "-s" options so it does not lose any login state.

dengert commented 3 years ago

You could also try the OpenSC piv-tool with the --admin --genkey and --out options. See the man pages. Since NIST left it up to vendors to provision a card, these may or may not work. piv-tool also accepts multiple "-s" options.

ble0 commented 3 years ago

I will try the opensc-tool --card-driver first; the piv-tool --admin does not work for me.

dengert commented 3 years ago

I am interested in understanding what problems you were having with piv-tool.

asalkhanbadr commented 11 months ago

Hi, I am facing the same issue. I am sending plain APDU requests to a smart card (java card 3), but I am not sure how to retrieve the public key. I would appreciate any help on this matter. If possible, @ble0 could you please let me know the name of the tool that worked for you? Thank you very much. As for the APDU commands that I have been using, here they are:

Send: 00 47 00 9C 05 AC 03 80 01 07 00
Recv: 61 09
Time used: 24770.000 ms
Send: 00 C0 00 00 09
Recv: 7F 49 82 01 09 81 82 01 00 90 00
Time used: 18.000 ms

dengert commented 11 months ago

@asalkhanbadr What tool are you using to send the APDU?

Looks like the reader, applet or java card 3 has a problem returning a response to the "47" command with more than 256 bytes. Is java card 3 a card or a token? i.e. does the reader support 256 byte responses?

The command looks like using short APDU.

7F 49 82 01 09 81 82 01 00 looks like the start of a correct response with tag 74 49 and length 265 with "Modulus" of length 256. Not shown is the "Modulus" or "Public exponent" of length 3 with 1 byte tag (82) and 1 byte length (03) (if I did the math correctly).

What it should have returned using T=0 would be "61 00", then get response for 256 would have returned "61 14", then do a second get response.

If using T=1, the first command should have returned 256 bytes of data and status "61 0E", and get response for 14 bytes to read the rest, returning 90 00.

Why the first status is "61 09" does not make sense.

Try Send: 00 C0 00 00 00 and see if it responds with 256 bytes and status "61 14".

You could try using extended APDU, something like "00 47 00 9C 00 00 05 AC 03 80 01 07 00 00".
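Added example (Python; not code from PivApplet or from anyone in this thread) that ties the two points raised above together: the case-4 GENERATE ASYMMETRIC KEY PAIR APDU arekinath suggests, the "61 XX" / GET RESPONSE chaining dengert describes for T=0, and a parser for the 7F 49 template whose length math is checked against the 9-byte fragment seen here. The card is a constructed stand-in; key reference 9C and algorithm 07 come from the thread.

```python
def build_generate_apdu(key_ref=0x9C, alg=0x07, case4=True):
    # 00 47 00 <key_ref> Lc | AC 03 80 01 <alg> | [Le=00]; alg 0x07 = RSA-2048; Le makes it case 4
    apdu = bytes([0x00, 0x47, 0x00, key_ref, 0x05, 0xAC, 0x03, 0x80, 0x01, alg])
    return apdu + b"\x00" if case4 else apdu

def read_ber_length(buf, i):
    # BER length at buf[i]: one byte < 0x80, or 0x81/0x82 followed by 1 or 2 length bytes
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def parse_piv_pubkey(resp):
    # 7F 49 { 81 modulus, 82 exponent } -> {'n': int, 'e': int}
    if resp[:2] != b"\x7F\x49":
        raise ValueError("expected 7F 49 public key template")
    outer_len, i = read_ber_length(resp, 2)
    end, fields = i + outer_len, {}
    if end > len(resp):  # the 9-byte fragment seen in the thread fails here
        raise ValueError("template truncated: need %d bytes, have %d" % (end, len(resp)))
    while i < end:
        tag, (length, j) = resp[i], read_ber_length(resp, i + 1)
        fields[tag], i = resp[j:j + length], j + length
    return {"n": int.from_bytes(fields[0x81], "big"), "e": int.from_bytes(fields[0x82], "big")}

def collect_response(transmit, apdu):
    # send apdu, then follow each 61 XX with GET RESPONSE (00 C0 00 00 XX) until 90 00
    data, sw1, sw2 = transmit(apdu)
    while sw1 == 0x61:
        more, sw1, sw2 = transmit(bytes([0x00, 0xC0, 0x00, 0x00, sw2]))
        data += more
    if (sw1, sw2) != (0x90, 0x00):
        raise RuntimeError("card returned SW %02X%02X" % (sw1, sw2))
    return data

def build_generate_response(modulus, exponent=b"\x01\x00\x01"):
    # constructed sample card output: a 256-byte modulus gives the 7F 49 82 01 09 header seen above
    body = b"\x81\x82" + len(modulus).to_bytes(2, "big") + modulus
    body += b"\x82" + bytes([len(exponent)]) + exponent
    return b"\x7F\x49\x82" + len(body).to_bytes(2, "big") + body

def make_t0_card(full_response):
    # constructed T=0 card stand-in: the command itself answers only 61 XX, data comes via GET RESPONSE
    pending = bytearray(full_response)
    def transmit(apdu):
        want = (apdu[4] or 256) if apdu[1] == 0xC0 else 0  # GET RESPONSE releases up to Le bytes (00 -> 256)
        chunk, pending[:] = bytes(pending[:want]), pending[want:]
        if pending:  # more waiting: 61 XX, with XX=00 when 256 or more remain
            return chunk, 0x61, len(pending) if len(pending) < 256 else 0x00
        return chunk, 0x90, 0x00
    return transmit
```

With a real reader, replace `make_t0_card(...)` by a function that sends the bytes through pyscard (or whatever APDU tool is in use) and returns `(data, sw1, sw2)`; the chaining loop and parser stay the same.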

asalkhanbadr commented 11 months ago

Hi @dengert, thank you for your response. The Java card is a physical card and the reader/writer is HID OMNI 3111. According to the data sheet, it supports 115 kb/s data transmission. The protocol supported both by card and reader is T=0. Additionally, I have been using PyApduTool to send APDU commands. Regarding the commands you mentioned, I tried them, but the commands did not produce the expected results.

Send: 00 47 00 9C 00 00 05 AC 03 80 01 07 00 00
Recv: 61 09
Time used: 14794.000 ms
Send: 00 C0 00 00 00
Recv: 61 09
Time used: 10.000 ms
Send: 00 C0 00 00 09
Recv: 7F 49 82 01 09 81 82 01 00 90 00
Time used: 19.000 ms
Send: 00 C0 00 00 00
Recv: 69 85
Time used: 12.000 ms

dengert commented 11 months ago

PyApduTool. According to the data sheet, it supports 115 kb/s data transmission.

Where is the data sheet?

What system are you using?

Best I can tell HID OMNI 3111 is a serial port, not USB, device from a few years ago. Most smartcard readers today are USB CCID compliant.

Can you try and force T=1? The only PIV cards I have seen that use T=0 are 20 years old. The Applet may only support T=1.

asalkhanbadr commented 11 months ago

I attach the datasheet so that you can download it. I use a serial to USB port converter to connect the reader to the computer using USB ports. Also, I tried forcing T=1, but every time I got the error message: "Connect error: The requested protocols are incompatible with the protocol currently in use with the smart card."

omnikey_3111.pdf

dengert commented 11 months ago

Get a different reader. A USB CCID compliant reader.