ICAM Test Card Signer and Data Populator
Starting with Release 1.8.74, you can run the card builder tool’s .jar file via start-signer.sh or start-signer.bat. When the GUI appears, flip to the second tab called “Card Utilities” and use the PIN Retry Counts button to check the number of retries for both PINs. You can do this without having to provide a PIN. That prevents the retry counter from decrementing just to learn the number of retries.
To reset the retry counters to the card’s max retries for the Global and PIV PINs, enter the PIN for the PIV or Global PIN and click the PIV PIN button to toggle between PIV and Global so that it matches the type of PIN you are going to send to the card. Then, click Login. If the PIN and PIN type are correct, the retry counter for that PIN type will be reset. Repeat for both PIN types to reset both counters.
This functionality is designed to streamline Discovery Object testing and replace the JSmartCardBuilder utility that we documented in the FRTC 1.3.3 PIN Usage Policy Addendum.
The GSA-ICAM-Card-Builder signs CHUID and CBEFF containers and updates Security Object containers
for FIPS 201-2 PIV and PIV-I cards. This software was originally derived from the GSA PKCS7
signing tool. The original work was unable to:
Include support for signing with a .p12 key file versus a PIV card
In addition:
the original CBEFFs on ICAM test cards are expired and need to be updated. Facial image CBEFF headers indicated the wrong Image Data Type (1 versus 0).
Currently, this project includes tools to handle all of the above except the
card data populator.
Due to a change in the bytecode verifier in Java 8, the bytecode verifier
rejects the ContentSigningTool class. It has been fixed in JDK 1.8.0_141.
Oracle since a lot of code broke. If using an earlier JDK, insert the
“-noverify” option on the startup scripts mentioned below to get around the
issue. The risk is that the bytecode isn’t being verified.
To use the tools, click Releases on the main repo page, download and unzip the latest ZIP file, gsa-icam-card-builder-vM.m.b.zip containing the scripts, signing application, libraries, configuration files and artifacts. If you’d like to hack around in the source of the signing tool, download the -devel version of the same release.
In conjunction with the signing tool, we created the objects for eight new ICAM test cards, which are referred to as Gen 3:
| Card Number | Description |
|---|---|
| 25 | FIPS 201-2 Missing Discovery Object |
| 26 | FIPS 201-2 Discovery Object Present, PIV Application PIN only |
| 27 | FIPS 201-2 Discovery Object Present, PIV Application primary |
| 28 | FIPS 202-2 Discovery Object Present, Global PIN primary |
| 37 | Golden FIPS 201-2 PIV PPS F=512 D=64 |
| 38 | Security Object Hash Mismatch |
| 39 | Golden FIPS 201-2 Fed PIV-I |
| 40 | Deprecated |
| 41 | Re-keyed Card (same FASC-N different certs) |
| 42 | Expired OCSP Response Signer Certificate |
| 43 | Revoked OCSP Response Signer Certificate, pkix-ocsp-nocheck present |
| 44 | Revoked OCSP Response Signer Certificate, no id-pkix-ocsp-nocheck present |
| 44 | Invalid Signature in OCSP Response Signer Certificate |
| 46 | Golden FIPS 201-2 PIV (replaced Card 1) |
| 47 | Golden FIPS 201-2 PIV SAN Order |
| 48 | Golden FIPS 201-2 T=1 PPS Non-zero PPS LEN Value |
| 49 | FIPS 201-2 Facial Image CBEFF Expired |
| 50 | FIPS 201-2 Facial Image CBEFF Expires before CHUID |
| 51 | FIPS 201-2 Fingerprint CBEFF Expired |
| 52 | FIPS 201-2 Fingerprint CBEFF Expires before CHUID |
| 53 | FIPS 201-2 Large Card Auth Cert (2160 bytes) |
| 54 | Golden FIPS 201-2 NFI PIV-I (Replaces Card 2) |
| 55 | FIPS 201-2 PIV Missing Security Object |
| 57 | Revoked CHUID Signer Cert |
| 58 | Revoked Card Authentication Cert |
| ~59~ | ~Valid Card to Simulate Card 51 at Time of Access~ |
The artifacts used to create these cards are included beneath the cards
directory. The objects in each card’s subdirectory can be encoded directly on
to a PIV card. It may be necessary to precede the object files with a container-
specific TLV as described in SP 800-73-4’s data model. This system does not
current supply a method for doing this if your card data populator doesn’t handle
it for you.
This project consists of several related functions:
As of 3/1/2019, (4) above is in development and is not displayed on the GSA ICAM Card Builder GUI.
The certutils directory contains a bash script, mkcert.sh that uses command
line options to select an OpenSSL .cnf file that can request and sign private keys
for any of the four certificates on a PIV or PIV-I card. A batch-mode utility,
But it’s easier to use the makeall.sh script which invokes mkcert.sh
to create the certificates for all of the Gen 3 ICAM Test cards in one shot.
Each certificate for each Gen 3 ICAM Test card is defined by its own OpenSSL.cnf file.
Next, it’s time to create the CHUID and CBEFF objects, which also updates the
Security Object as described below.
Change directory to the directory created by unpacking the gsa-icam-card-builder.zip file and
run the following command:
java -classpath lib -jar gsa-icam-card-builder.jar gov.gsa.icamcardbuilder.app.Gui
The scripts start-signer.bat and start-signer.sh will do this for you.
Generally, you should stage your CBEFF containers and Security Object files
in a working directory. The application will write new files into the directory
of the CBEFF and/or Security Object files respectively. It’s most convenient if
your contentFile and securityObjectFile are in the same working directory.
The reference implementation does not use a working directory, writing
directly to directories that can be used to create the cards. The reference
implementation’s content signer properties files contain paths to objects
based on being run from the top level directory of the project.
To make it easy to test and run, the “File” menu includes a “Open Config”
menu item that enables you to easily load a properties file that contains the
following setup on a per-container basis. Below are some examples from the
reference implementation.
contentFile=cards/cards/ICAM_Card_Objects/46_Golden_FIPS_201-2_PIV/8 - Face Object
This is the file that contains the full container of the CBEFF to be signed
securityObjectFile=cards/ICAM_Card_Objects/46_Golden_FIPS_201-2_PIV/2 - Security Object
This is the file that contains the full container of the Security Object
updateSecurityObject=Y
This give the user the option to update the Security Object or not. This
enables the GSA to create invalid cards by, for instance, modifying a
CBEFF, but not updating the Security Object. By default, it’s enabled
via this setting. It can be overridden by de-selecting it on the Options
menu.
fascnOid=2.16.840.1.101.3.6.6
This is the FASC-N OID. If you change this, you could test whether a
validation system fails to read the CBEFF because the FASC-N is missing.
fascn=D13810D828AB6C10C339E5A1685A08C92ADE0A6184E739C3E7
This is just a default FASC-N for the Golden PIV. Other cards will have
different FASC-Ns. Create a new configuration file for that, or you can
override this on the form. Be careful. You can modify this if you want
to test whether a validation system detects a mismatch between this FASC-N
and the FASC-N in the CHUID.
uuidOid=1.3.6.1.1.16.4
This is the Card UUID OID, newly required in FIPS 201-2 and SP 800-73-4. If
you change this, you could test whether a validation system fails to read the
CBEFF because the FASC-N is missing. Most PACS systems do not check for this
nor will we require them to. The new 85B tool should check for this, and
should fail.
uuid=09d49c7e-fdd0-432e-acea-268ae905274c
This is the default UUID for the current Golden PIV. It turns out that this
is not a valid RFC 4122 UUID because the clock_seq is out of range. We will
want to correct this on the new Golden PIVs we create.
cardholderUuid=8123a5eb-5c64-4b33-a7e7-e739b5eb874b
This is an optional field that represents a unique identifier of the cardholder
and not the card. It should span multiple PIV cards.
expirationDate=20321231000000
This is the expiration date of the CHUID or notAfter date of a biometric. In
the case of the CHUID, only the first 8 digits are used.
signingKeyFile=cards/ICAM_Card_Objects/ICAM_CA_and_Signer/gold_-_PIV_Content_Signer.p12
This is the content signing key .p12 file used to sign the CBEFF and Security
Object.
keyAlias=gold - piv content signer
This is the content signing key alias name for the Golden PIV.
passcode=
This is the passcode to the content signing .p12 file. The default is no password.
digestAlgorithm=SHA-256
This will be the digest algorithm used to compute hashes and for signing.
signatureAlgorithm=SHA56withRSA
This will be the signature algorithm included in the signed attributes and is
what is used to sign the Security Object.
name=ICAM Card 39 Golden FIPS 201-2 Fed PIV-I
This parameter is only used for Printed Information containers. It specifies
the cardholder name.
employeeAffiliation=4700
|This parameter is only used for Printed Information containers. It specifies
the cardholder’s employee affiliation, usually an agency code.
agencyCardSerialNumber=123456789
This parameter is only used for Printed Information containers. It specifies
the agency card serial number printed on the back of the card.
For Discovery Object properties files, two additional properties are used.
pivCardApplicationAid=a000000308000010000100
This allows you to alter the PIV card AID, which you should do only if you
know what you’re doing.
pinUsagePolicy=6010
PIN useage policy controls whether the Application PIN or Global PIN is
the preferred PIN. The following rules apply:
pinUsagePolicy is set to 4000. Your systempinUsagePolicy is set to 6010.. Your systempinUsagePolicy is set to 6020.. Your systemFuture releases will expand on the Discovery Object for supporting VCI and OCC.
Other properties files can be created and used to sign fingerprint or iris
CBEFFs. The intent is to create property files for each biometric object
on each ICAM card.
Next, use the start-signer.sh or start-signer.bat script to start up the GSA
PIV Signer tool. Use the File -> Open menu option to choose a properties file from
the config directory. The contents of that file will be rendered in the text fields
of the GUI. Next, click the Sign button.
Prior to writing a new container to disk, the existing file is appended with a
time stamp and moved to a backup directory beneath the directory containing the
file being re-signed. The newly-created file is then written to disk using its
original name.
If you plan to update multiple biometrics on the same card, remember that the
Security Object file is being updated as you sign each biometric. When it’s time
to write the containers to the card, be sure that you load all newly-signed biometric
containers as well as the new security object at the same time. Otherwise, the
containers on the card will get out of sync, and you’ll encounter errors that the
hashes on the security object don’t match the container hashes.
Work remaining to be done if we want this to be really close to perfect:
See the list of issues for
more information.
A source code ZIP file is provided. It includes all of the source as well
as the artifacts needed to build, debug, and run this tool from with Eclipse.
You can either clone the GitHub directory, you can download the appropriate
“GSA-ICAM-Card-Builder-devel-vM.m.b” ZIP file and unzip it. Then use Eclipse to
import the file into a new Java project.