arekinath / PivApplet

PIV applet for JavaCard 2.2.2 and 3.0.4+ with full ECDSA/ECDH support

Generate ECC Key and Selfsigned Cert using yubico-piv-tool #71

Open ghost opened 1 year ago

ghost commented 1 year ago

Is it possible to use yubico-piv-tool to generate an ECC P256/P384 key pair and self signed certificate as demonstrated in this link:

https://developers.yubico.com/yubico-piv-tool/Actions/key_generation.html

The key generation succeeds but generating the self signed certificate fails with this applet.

yubico-piv-tool -r Duali -a generate -a verify-pin -a selfsign -a import-certificate -s 9a -k -A ECCP256 -S "/CN=piv_auth/OU=test/O=example.com/"

Enter management key:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcGE6nJnaNpfyfcTKwhxtJa6pAQFi
KG+um9UgQywc8/DaQ4E1BUNfnX5y209ZkB1vcmXAnrI1hy141Yim0ropzg==
-----END PUBLIC KEY-----
Successfully generated a new private key.
Enter PIN:
Successfully verified PIN.
Please paste the public key...
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcGE6nJnaNpfyfcTKwhxtJa6pAQFi
KG+um9UgQywc8/DaQ4E1BUNfnX5y209ZkB1vcmXAnrI1hy141Yim0ropzg==
-----END PUBLIC KEY-----
Failed signing certificate.
19632:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:crypto\asn1\a_sign.c:224:

ghost commented 1 year ago

Resolved: I was using the Duali contactless reader. Policy for that slot must not be allowed. Switched to a contact reader and it works.
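Before blaming the card or the reader, it is worth checking that the public key yubico-piv-tool prints after `-a generate` (and asks you to paste back at the "Please paste the public key..." prompt) is a well-formed P-256 key whose point actually lies on the curve, since `selfsign` cannot build a certificate around a key OpenSSL will not accept. The script below is an added example, written for this page; it is not code from the PivApplet project, from yubico-piv-tool, or from the reporter. It parses the SubjectPublicKeyInfo PEM from the issue above, rejects anything that is not an uncompressed prime256v1 point, and checks the curve equation with nothing but the standard library. The minimal DER walker only handles the short-form lengths a P-256 key uses, and the NIST P-256 constants are the published SEC 2 parameters; `spki_from_point` exists only so the checker can be exercised with a known-good and a known-bad constructed point.

```python
"""Sanity-check the ECC P-256 public key printed by `yubico-piv-tool -a generate`
before feeding it to `-a selfsign`.

Added example, not part of the PivApplet project or the original issue thread.
Only short-form DER lengths are handled, which is all a P-256 SPKI needs.
"""
import base64

# NIST P-256 domain parameters (short Weierstrass y^2 = x^3 - 3x + b mod p).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")    # 1.2.840.10045.3.1.7

# Public key copied verbatim from the yubico-piv-tool output in the issue above.
ISSUE_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcGE6nJnaNpfyfcTKwhxtJa6pAQFi
KG+um9UgQywc8/DaQ4E1BUNfnX5y209ZkB1vcmXAnrI1hy141Yim0ropzg==
-----END PUBLIC KEY-----"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    body = [ln.strip() for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def _tlv(buf: bytes, off: int):
    """Return (tag, value, next_offset) for one short-form DER TLV at `off`."""
    tag, length = buf[off], buf[off + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in a P-256 SPKI")
    start = off + 2
    return tag, buf[start:start + length], start + length


def parse_p256_spki(der: bytes):
    """Extract (x, y) from a SubjectPublicKeyInfo, rejecting non-P-256 keys."""
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg, off = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, aoff = _tlv(alg, 0)
    if tag != 0x06 or oid != OID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey key")
    tag, curve, _ = _tlv(alg, aoff)
    if tag != 0x06 or curve != OID_PRIME256V1:
        raise ValueError("named curve is not prime256v1")
    tag, bits, _ = _tlv(spki, off)
    if tag != 0x03 or bits[0] != 0x00:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    point = bits[1:]
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed point (0x04 || x || y)")
    return int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")


def on_p256_curve(x: int, y: int) -> bool:
    """True iff both coordinates are field elements and y^2 == x^3 - 3x + b (mod p)."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def check_pem(pem: str) -> bool:
    """Full check a user could run on the key yubico-piv-tool asks them to paste."""
    x, y = parse_p256_spki(pem_to_der(pem))
    return on_p256_curve(x, y)


def spki_from_point(x: int, y: int) -> bytes:
    """Wrap a raw point in a P-256 SPKI; used only to exercise the checker."""
    point = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    alg = b"\x30\x13" + b"\x06\x07" + OID_EC_PUBLIC_KEY + b"\x06\x08" + OID_PRIME256V1
    bits = b"\x03\x42\x00" + point
    return b"\x30" + bytes([len(alg) + len(bits)]) + alg + bits


if __name__ == "__main__":
    print("issue key is a valid P-256 point:", check_pem(ISSUE_PUBKEY_PEM))
```

If this prints `True` the key is fine and, as in the thread above, the `selfsign` failure lies elsewhere (here, the contactless interface); if it raises or prints `False`, the pasted key was mangled or is not the P-256 key the `-A ECCP256` slot was expected to hold.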