How to read/write PIV data using PKCS#11

11/2/2012 4:14:17 AM
Total Posts 6

How to read/write PIV data using PKCS#11

Hi,

I am evaluating NCryptoki for our product. I have found great use of it for our product. However, we have the following requirement which I could not find a way to solve through NCryptoki. Please provide me guidance if it is possible to do via NCryptoki.

I want to read and write the following PIV data

- Card Holder Unique Identifier

- Card Holder Fingerprint I

- Cardholder Iris Images

etc....


I am using the following code to do that.

using System;
using System.Text;
using NCryptoki;

// "session" is an already opened NCryptoki Session on the token.
// Search template: data objects (CKO_DATA) carrying the PIV container's label.
CryptokiCollection template = new CryptokiCollection();
template.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_DATA));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, "Card Holder Unique Identifier"));

// Return at most 10 objects matching the template.
CryptokiCollection objects = session.Objects.Find(template, 10);

if (objects.Count == 0)
{
    Console.WriteLine("Nothing found");
}
else if (objects.Count > 1)
{
    Console.WriteLine("More than one found");
    foreach (var obj in objects)
    {
        Console.WriteLine(((Data)obj).Label);
    }
}
else
{
    Data obj = (Data)objects[0];
    Console.WriteLine(obj.Label);

    // CKA_VALUE is a byte array: decode it before printing, otherwise
    // Console.WriteLine only prints the type name "System.Byte[]".
    string val = Encoding.ASCII.GetString(obj.DataValue);
    Console.WriteLine(val);
}

Nothing is returned by the Find method. I used Cryptoki Explorer and that also showed the Data section as empty. However, if I use a different software, I can read and write the data through its UI.

Any guidance will be appreciated.

11/2/2012 9:30:48 AM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: How to read/write PIV data using PKCS#11


What do you see in the DATA section in Cryptoki Explorer?

If you don't see any object, this means that there isn't any DATA object in the token.

Did you also try to log in with the PIN? Such objects may be private in your token.

Also your objects:

- Card Holder Unique Identifier

- Card Holder Fingerprint I

- Cardholder Iris Images

may not be DATA objects but some other VENDOR-defined objects.

11/2/2012 10:30:13 PM
Total Posts 6

Re: How to read/write PIV data using PKCS#11

Hi Ugo,

Thanks for your reply. I don't see anything under the Data section in Cryptoki Explorer. It still does not return anything if I pass CKO_VENDOR_DEFINED instead of CKO_DATA. However, I can see those fields under the Data section if I use the Charismathics Security Token Configurator software.

The fields being discussed are part of the pre-personalized PIV profile on Gemalto Protiva cards.

Thanks.

11/2/2012 11:04:12 PM
Total Posts 6

Re: How to read/write PIV data using PKCS#11

One more thing I noticed. I created a new Data object using the code shown in the Documentation section of this website. When I run my program the next time, the Find method still returns 0 objects. Can NCryptoki read/write PIV cards?

11/3/2012 9:59:26 AM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: How to read/write PIV data using PKCS#11

CKO_VENDOR_DEFINED is the base for defining custom objects. It cannot be used to define new objects. Usually a new object is defined in this way:

CKO_MY_OBJECT = CKO_VENDOR_DEFINED + 3;

Then, NCryptoki is a .NET wrapper to any PKCS#11 token. This means that it can work with any PKCS#11 token such as PIV card and any other PKCS#11 card.


Anyway, I just read the PIV specifications and I see that they define a well-defined, static, ISO 7816 file system. This means that such cards can be read and written by using low-level command APDUs over the PC/SC interface. I see also that Charismathics supplies a PKCS#11 module to access PIV cards, while I was not able to find the same PKCS#11 module for Gemalto.

Are you sure that you are using the correct PKCS#11 module for Gemalto PIV cards?

Maybe the other software that shows the content of the card uses low-level PC/SC for reading from the card instead of a PKCS#11 module.

If so, you can use my .NET Smart Card API instead of NCryptoki to access the PIV card. I may update the API by adding the PIV-specific definitions.
11/5/2012 9:35:53 PM
Total Posts 6

Re: How to read/write PIV data using PKCS#11

Hello Ugo,

Thanks for your response. I am using the Charismathics PKCS#11 module to talk to Gemalto PIV cards. I spoke with an engineer from Charismathics and they confirmed that these fields are not exposed through their PKCS#11 module. So it seems like going to the low-level APIs is the only option at this point for me. Where can I find an evaluation version of your .NET smart card APIs?

Thanks.

11/5/2012 10:31:41 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: How to read/write PIV data using PKCS#11

You can download the trial version of the smart card SDK (Java and .NET) from this URL:

http://www.cryptware.net/download/SmartCardSDK.zip

This version is for any smart card, and you should use the command APDUs and the file system defined in the PIV specifications.

If you can wait a week, we can release a plugin to this API to manage PIV without dealing with low-level APDUs and the file system, as we did for CNS (the Italian PIV card).
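The two replies above describe the path that does not depend on the PKCS#11 module: the PIV application exposes a fixed set of data containers that are read with command APDUs over PC/SC, and some of those containers (fingerprints, iris images) are only readable after the PIV PIN has been verified, which is the APDU-level counterpart of the "log in with the PIN" point earlier in the thread. The Python below is an added example, not code from the thread, from NCryptoki or from the Smart Card SDK: it builds the SELECT, VERIFY and GET DATA APDUs and parses a CHUID response that is constructed inline. The container tags, access rules and status words are those of NIST SP 800-73; mapping the thread's "Card Holder Fingerprint I" label to the PIV "Cardholder Fingerprints" container is an assumption, and the card transport (PC/SC, pyscard, the vendor SDK) is left out so the code runs offline.

```python
"""PIV GET DATA walkthrough (NIST SP 800-73 Part 1 and Part 2), run offline.

Added example, not code from the thread, from NCryptoki or from the Smart Card
SDK.  It builds the APDUs a PC/SC-level reader sends to a PIV applet and parses
a CHUID response constructed below; the card transport itself is left out.
"""
from typing import Dict, List, Optional, Tuple

PIV_AID = bytes.fromhex("A000000308000010000100")  # PIV application identifier

# Data-object tags and contact-interface access rules (SP 800-73 Part 1, Table 2).
# Assumption: the thread's "Card Holder Fingerprint I" is the PIV
# "Cardholder Fingerprints" container.
PIV_OBJECTS: Dict[str, Tuple[bytes, str]] = {
    "Card Holder Unique Identifier": (bytes.fromhex("5FC102"), "Always"),
    "Card Holder Fingerprint I": (bytes.fromhex("5FC103"), "PIN"),
    "Cardholder Iris Images": (bytes.fromhex("5FC121"), "PIN"),
}
# Inner tags of the CHUID container.
CHUID_FIELDS = {"30": "FASC-N", "34": "GUID", "35": "Expiration Date",
                "3E": "Issuer Asymmetric Signature", "FE": "Error Detection Code"}
# ISO 7816-4 status words that matter most when reading containers.
STATUS_WORDS = {0x9000: "OK", 0x6982: "security status not satisfied (PIN not verified)",
                0x6A82: "data object not found"}


def select_piv_apdu() -> bytes:
    """SELECT by AID: CLA 00, INS A4, P1 04, P2 00, Lc, AID."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(PIV_AID)]) + PIV_AID


def verify_pin_apdu(pin: str) -> bytes:
    """VERIFY key reference 0x80 (PIV application PIN); PIN is 0xFF-padded to 8 bytes."""
    if not (6 <= len(pin) <= 8 and pin.isdigit()):
        raise ValueError("PIV application PIN is 6 to 8 digits")
    body = pin.encode("ascii").ljust(8, b"\xff")
    return bytes([0x00, 0x20, 0x00, 0x80, len(body)]) + body


def get_data_apdu(tag: bytes) -> bytes:
    """GET DATA: CLA 00, INS CB, P1P2 3FFF, data = tag list '5C Ln tag', Le 00."""
    tag_list = bytes([0x5C, len(tag)]) + tag
    return bytes([0x00, 0xCB, 0x3F, 0xFF, len(tag_list)]) + tag_list + b"\x00"


def requires_pin(name: str) -> bool:
    return PIV_OBJECTS[name][1] == "PIN"


def apdus_to_read(name: str, pin: Optional[str] = None) -> List[bytes]:
    """Full command sequence for one container; PIN-protected ones get a VERIFY first."""
    cmds = [select_piv_apdu()]
    if requires_pin(name):
        if pin is None:
            raise PermissionError(f"{name} requires PIN verification")
        cmds.append(verify_pin_apdu(pin))
    cmds.append(get_data_apdu(PIV_OBJECTS[name][0]))
    return cmds


def parse_tlv(data: bytes) -> List[Tuple[bytes, bytes]]:
    """One level of BER-TLV, handling multi-byte tags (5FC1xx) and long-form lengths."""
    items, i = [], 0
    while i < len(data):
        start, i = i, i + 1
        if data[start] & 0x1F == 0x1F:      # subsequent tag bytes while bit 8 is set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag, length, i = data[start:i], data[i], i + 1
        if length & 0x80:                   # long form: 0x8n followed by n length bytes
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        items.append((tag, value))
        i += length
    return items


def parse_get_data_response(resp: bytes) -> Tuple[int, Dict[str, bytes]]:
    """Return (SW1SW2, inner fields); the payload is wrapped in a 0x53 container."""
    if len(resp) < 2:
        raise ValueError("response too short")
    sw = int.from_bytes(resp[-2:], "big")
    if sw != 0x9000:
        return sw, {}
    outer = parse_tlv(resp[:-2])
    if len(outer) != 1 or outer[0][0] != b"\x53":
        raise ValueError("expected a single 0x53 wrapper")
    return sw, {t.hex().upper(): v for t, v in parse_tlv(outer[0][1])}


# Constructed CHUID response, not captured from a card: 25-byte FASC-N placeholder,
# 16-byte GUID placeholder, expiration 20301231, empty signature and EDC, SW 9000.
SAMPLE_CHUID_RESPONSE = bytes.fromhex(
    "533B" + "3019" + "11" * 25 + "3410" + "22" * 16
    + "3508" + "3230333031323331" + "3E00" + "FE00" + "9000")

if __name__ == "__main__":
    for cmd in apdus_to_read("Card Holder Unique Identifier"):
        print("->", cmd.hex().upper())
    sw, fields = parse_get_data_response(SAMPLE_CHUID_RESPONSE)
    print(STATUS_WORDS.get(sw, f"SW {sw:04X}"))
    for tag, value in fields.items():
        print(f"{CHUID_FIELDS.get(tag, tag)}: {value.hex().upper()}")
    sw, _ = parse_get_data_response(bytes.fromhex("6982"))
    print(STATUS_WORDS.get(sw, f"SW {sw:04X}"))
```

The CHUID is readable without a PIN, so its sequence is just SELECT followed by GET DATA; asking for the fingerprint or iris container without a PIN raises before any APDU is sent, and a card that receives GET DATA for such a container without a prior VERIFY answers with status word 6982. Responses carry the container in a 0x53 wrapper with long-form lengths once the content exceeds 127 bytes, which is why the parser handles both the two-byte tag form (5FC1xx) and the 0x81/0x82 length forms.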

11/6/2012 1:43:09 AM
Total Posts 6

Re: How to read/write PIV data using PKCS#11

Thanks.

Yes, I think I can wait for a week.

11/14/2012 12:53:56 AM
Total Posts 6

Re: How to read/write PIV data using PKCS#11

Hi Ugo,

Do you have the PIV plugin available for me to test?

Thanks.

11/14/2012 9:05:37 AM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: How to read/write PIV data using PKCS#11

We are still working on that. We need a couple of days more.

Can you contact me at one of the addresses that you find in contacts page? I have a couple of things to ask you.