PivApplet

Card is Read only

Open rollinbe opened this issue 2 years ago • 9 comments

We have loaded REePSAxaD.cap on a NXP J3H145 and use an OMNIKEY 3121 reader. When we want to enroll the card, Windows says the card is in read-only mode and we can't continue.

rollinbe avatar Apr 26 '22 09:04 rollinbe

It seems that you have to use Yubikey's minidriver. I'm struggling right now with it, still can't figure how it works.

The PIV standard doesn't allow users to create keys and certificates by themselves; this is why the default Windows driver sees the card as read-only.

rayanboulares avatar May 25 '22 18:05 rayanboulares

PIV as specified in NIST card specs actually does support key generation and certificate loading. So from the card edge point of view, this should work just fine. To my understanding, the Windows minidriver only exposes a subset of the PIV card edge. None of the write functions are implemented. So yes, you will need a proprietary minidriver that supports PivApplet card edge. That's why there are proprietary minidriver implementations for all the major PIV card manufacturers. This allows you to use native tools for certificate issuance & requests.

cardwerk avatar May 25 '22 20:05 cardwerk

Thank you for your answer. So, with this applet, which minidriver should I use to be able to enroll Windows smartcards?

rayanboulares avatar May 27 '22 00:05 rayanboulares

I have not worked with the Yubikey minidriver in combination with this applet yet. It's your best chance though. The default, Windows native minidriver will definitely not work for card issuance/perso.

cardwerk avatar May 27 '22 03:05 cardwerk

PIV as specified in NIST card specs actually does support key generation and certificate loading. So from the card edge point of view, this should work just fine. But to do this requires admin access. PIV defines admin keys (2DES/3DES/AES) and 2 types of authentication. But it is really up to the card/applet manufacturer how to provision their cards. Some may use other means.

So if the PivApplet supports the Yubikey authentications and the Yubikey minidriver also supports the same authentications it might work.

https://www.yubico.com/support/download/smart-card-drivers-tools/ says:

"The YubiKey Smart Card Minidriver enables users and administrators to use the native Windows interface for certificate enrollment, managing the YubiKey smart Card PIN, and smart card authentication on Windows."

But note, it does not say key creation, loading keys, certificates and other objects via the minidriver. Certificate enrollment usually means read the certificate, and add to AD or local workstation.

You may need to use other Yubikey tools to provision that cards.

Ask Yubikey.

The OpenSC piv-tool was never designed to be part of a card management system, but it does follow the PIV specs, supports 2DES, 3DES and AES key management keys and both types of authentication, and can generate keypairs on the card and load certificates and objects. It is similar to the Yubikey piv-tool.

dengert avatar May 27 '22 11:05 dengert

I'm still struggling with it. Has anyone ever tried using the YubiKey minidriver with this PivApplet?

What I am doing is changing REGEDIT...\Calais\SmartCards\Identity Device (Microsoft Generic Profile) and Identity Device (NIST SP 800-73 [PIV]): I change the 8000001 value from C:\Windows\System32\msclmd.dll to ykmd.dll.

It doesn't work so far. Am I on the right path?

rayanboulares avatar May 27 '22 14:05 rayanboulares

You are close, but you need to look at the PIV ATR cache. Will elaborate later.

dengert avatar May 27 '22 14:05 dengert

I found the PIV Device ATR Cache in REGEDIT and found an ATR corresponding to my card cached into it. I guess it is good so far?

However, when I use ykmd.dll as the minidriver I get this certutil output:

================ Certificate 0 ================
--- Reader: Gemalto IDBridge CT7xx 0
--- Card: Identity Device (NIST SP 800-73 [PIV])
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = (null) [Default Container]

When I use the Windows default minidriver (C:\Windows\System32\msclmd.dll) or the OpenSC minidriver, then certutil works, but the card becomes read-only...

rayanboulares avatar May 27 '22 15:05 rayanboulares

The ATR cache for PIV is there to take a shortcut to get to the device driver. It may be there because you did not have a minidriver entry for your card at some time, and you inserted your card. Microsoft first looks at the cache. If not found, it does a SELECT ATR APDU to the card. If found, it adds the ATR to the PIV cache. If not, it looks for a driver by ATR. https://docs.microsoft.com/en-us/windows-hardware/drivers/smartcard/discovery-process

OpenSC does not install the registry entries for the PIV because Microsoft and most PIV card vendors have their own PIV minidriver. So what you may be seeing is the Microsoft driver. You could add registry entries to use the OpenSC minidriver, but it will treat the card as read only.

The default container is a problem if you use more than one PIV card. The Windows driver and OpenSC derive a serial number from the CHUID object on the card, which is then used to create the container ID. The Yubikey piv-tool can create a CHUID. I suggest you create a CHUID.

It is not clear if the Yubico minidriver will work with non Yubico devices. It might. They do store the Yubikey version on the card using a vendor added command not in the PIV specs.

(I am speaking as the OpenSC PIV driver developer, who has had to put up with "PIV-like" devices that differ from the PIV standards.)

Microsoft caches a number of things, PIV ATR, container IDs, certificates. So I suggest that if you make changes, you also uninstall/cleanup as much as possible. Before inserting your card, install a driver that you think can do what you want.

But I don't think there is a driver out there that will do what you want, or if it could, it won't do it because the card is not from the vendor.

Based on your original statement:

We have loaded REePSAxaD.cap on a NXP J3H145 and use an OMNIKEY 3121 reader. When we want to enroll the card, Windows says the card is in read-only mode and we can't continue.

I think you are assuming Windows "enrollment" includes provisioning the card with keys and certificates and CHUID. To prove it does or does not is like reading between the lines. "Enrollment" appears to be adding certificates to AD or the local computer with the container ID, so a smartcard with the corresponding key can be found and the user asked to insert the card.

Another vendor of PIV cards is PIVKey. See:
https://pivkey.zendesk.com/hc/en-us/articles/203126729-PIVKey-Deployment-Overview

Also look at: https://developers.yubico.com/PIV/Guides/Windows_CA_issued_certificate.html

Also Google for "Your-favorite-PIV-card-vendor" "certutil" "request certificate".

dengert avatar May 27 '22 16:05 dengert
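To check the registry state the thread discusses (which minidriver each Calais entry maps to, and what the PIV device ATR cache currently holds) before changing anything, here is an added PowerShell audit script; it is not code from the PivApplet project or from any poster. It assumes the standard Calais layout under HKLM, that the minidriver DLL is the `80000001` value, and that the "PIV Device ATR Cache" key mentioned above sits under the SmartCards key (the cache location and its value format are assumptions; unknown value types are shown as hex).

```powershell
# Added example: read-only audit of smart card minidriver mappings and the PIV ATR cache.
# Assumes the standard Calais registry layout; run from an elevated PowerShell prompt.
$Base = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'

function ConvertTo-HexString {
    param([object]$Value)
    # REG_BINARY values come back as byte[]; render them as one hex string.
    if ($Value -is [byte[]]) { return ($Value | ForEach-Object { $_.ToString('X2') }) -join '' }
    return [string]$Value
}

function Get-SmartCardMinidriverMap {
    # One row per registered card entry: ATR/mask and which DLL/CSP/KSP Windows will load.
    Get-ChildItem -Path $Base | Where-Object { $_.PSChildName -ne 'PIV Device ATR Cache' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [PSCustomObject]@{
                Name       = $_.PSChildName
                ATR        = ConvertTo-HexString $p.ATR
                ATRMask    = ConvertTo-HexString $p.ATRMask
                MiniDriver = $p.'80000001'                       # minidriver DLL (value name 80000001)
                CSP        = $p.'Crypto Provider'                # legacy CSP name
                KSP        = $p.'Smart Card Key Storage Provider'
            }
        }
}

function Get-PivAtrCache {
    # Key name taken from the thread; its location under SmartCards is an assumption.
    $cache = Join-Path $Base 'PIV Device ATR Cache'
    if (-not (Test-Path $cache)) { return @() }
    $key = Get-Item -Path $cache
    foreach ($name in $key.Property) {
        [PSCustomObject]@{ Entry = $name; Value = ConvertTo-HexString $key.GetValue($name) }
    }
}

# Entries named in the thread are the ones whose mapping matters for a PIV card.
$interesting = 'Identity Device (Microsoft Generic Profile)', 'Identity Device (NIST SP 800-73 [PIV])'
Get-SmartCardMinidriverMap | Sort-Object Name |
    Format-Table Name, MiniDriver, CSP, KSP, ATR -AutoSize
"`nEntries the thread modifies:"
Get-SmartCardMinidriverMap | Where-Object { $interesting -contains $_.Name } |
    Format-List Name, MiniDriver, ATR, ATRMask
"`nPIV Device ATR Cache:"
Get-PivAtrCache | Format-Table -AutoSize
```

If a cached ATR for the card appears while the matching entry still points at msclmd.dll, that is the shortcut dengert describes: clear the cache entry (and re-check the mapping) before re-inserting the card.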