On 6/7/2010 9:55 AM, Harry Anuszewski wrote:
> Hello,
>
> It has been a while. You know project delays. But I am now back on track.
> The script worked great. I am looking into decoding that output of the
> image so that I may view it and possibly get the header information from it.
> I am just seeing if anyone could point me in a starting direction.

The facial image object is defined in NIST 800-76-1,
http://csrc.nist.gov/publications/nistpubs/800-76-1/SP800-76-1_012407.pdf
but does not give lengths or values for some of the fields. It also lists
what fields may or may not be filled in. (I noted on some of our cards the
gender, eye and hair are all the same...)

To get sizeof the fields you will need to buy a copy of INCITS 385-2004,
"American National Standard for Information Technology - Face Recognition
Format for Data Interchange" for $30.00 from
http://webstore.ansi.org/RecordDetail.aspx?sku=ANSI%20INCITS%20385-2004

The actual image is stored as a jpeg2000. Not many viewers can handle this,
but http://www.openjpeg.org/ has a library, and conversion routines so it
could be converted to some more common format for display.

>
> Thank you,
>
> Harry Anuszewski
>
> <Script>
> #!/bin/bash
> # Dump the objects on a PIV card in the reader.
> # to the current directory.
> # Although pkcs15-tool -C can do this, it dumps
> # to the printer.
> #
>
> export LD_LIBRARY_PATH=/opt/smartcard/lib
> export PATH=/opt/smartcard/bin:$PATH
> PDA="pkcs11-tool -r -y data --application-id"
> PDC="pkcs15-tool -r"
>
> $PDA 2.16.840.1.101.3.7.1.219.0 > ccc
> $PDA 2.16.840.1.101.3.7.2.48.0 > chuid
> $PDA 2.16.840.1.101.3.7.2.48.2 > uchuid
>
> # X.509 Certificate for PIV Authentication
> $PDA 2.16.840.1.101.3.7.2.1.1 > cert.1.object
>
> # X.509 Certificate for Digital Signature
> $PDA 2.16.840.1.101.3.7.2.1.0 > cert.2.object
>
> # X.509 Certificate for Key Management
> $PDA 2.16.840.1.101.3.7.2.1.2 > cert.3.object
>
> # X.509 Certificate for Card Authentication
> $PDA 2.16.840.1.101.3.7.2.5.0 > cert.4.object
>
> $PDA 2.16.840.1.101.3.7.2.144.0 > security.object
>
> $PDC 01 > cert.1.txt
> $PDC 02 > cert.2.txt
> $PDC 03 > cert.3.txt
> $PDC 04 > cert.4.txt
>
> # next 3 need PIN
> echo Will read PIN 3 times: fingerprints printedinfo and facialimage
> $PDA 2.16.840.1.101.3.7.2.96.16 --login > fingerprints
> $PDA 2.16.840.1.101.3.7.2.48.1 --login > printedinfo
> $PDA 2.16.840.1.101.3.7.2.96.48 --login > facialimage
> </Script>
>
> -----Original Message-----
> From: Douglas E. Engert [mailto:deeng...@anl.gov]
> Sent: Wednesday, April 07, 2010 11:12 AM
> To: Harry Anuszewski
> Cc: opensc-devel@lists.opensc-project.org
> Subject: Re: [opensc-devel] Getting Facial image and Biometrics off Piv Card
>
> Harry Anuszewski wrote:
>> Hello,
>> Thanks for the information. I am glad that this has been done before.
>> I am working with Java in windows xp and newer.
>>
>> The java program is just a standalone app. Users with a piv card will
>> be able to launch the app select a reader and type in the pin. From
>> there a window opens and it has the picture from the card and printed
>> info then tabs that contain the certs, and biometric information. For
>> now I am able to get the Certs with no problem since it is standard in
>> OpenSC-java.
>
> I am not much of a java programmer, and have not used the opensc-java, but
> the pkcs11-tool uses the standard PKCS#11 commands to read objects.
>
> But looking at the
> opensc-java/trunk/pkcs11/java/src/org/opensc/pkcs11/wrap/PKCS11Object.java
> defines CKO_CERTIFICATE, CKO_PUBLIC_KEY, CKO_PRIVATE_KEY and CKO_SECRET_KEY,
> but does not define CKO_DATA. There are calls to enumRawObjects() for
> CKO_CERTIFICATE, CKO_PUBLIC_KEY, CKO_PRIVATE_KEY but not for CKO_DATA.
> It might not be hard to add support for data objects.
>
> An alternative to the OpenSC-java might be:
> http://java.sun.com/javase/7/docs/technotes/guides/security/p11guide.html
> Does talk about how to use PKCS#11 shared library or dll, which could be the
> opensc-pkcs11.dll.
>
>> I am working
>> on getting the fingerprints and facial image and printed info. I know
>> I can do this using the pkcs11-tool and a command line but is there a
>> way to do it inside of a java program using standard native functions?
>>
>> Harry
>>
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deeng...@anl.gov]
>> Sent: Monday, April 05, 2010 6:01 PM
>> To: Harry Anuszewski
>> Cc: opensc-devel@lists.opensc-project.org
>> Subject: Re: [opensc-devel] Getting Facial image and Biometrics off
>> Piv Card
>>
>> Harry Anuszewski wrote:
>>> Hello,
>>>
>>> I am using openSC-java and want to pull data off a Fips 201 piv card.
>>> The things I'm interested in getting are the facial image and
>>> biometric information. Basically sending some APDU commands and
>>> getting byte arrays back. I know openSC is a very extensive library
>>> and have used the basic functions of openSC-java for a few programs.
>>> I was wondering if there was a way to use OpenSC to return the facial
>>> image and biometrics of a person?
>>
>> Yes, you can use pkcs11-tool and pkcs15-tool to do this. Note to read
>> the fingerprints, printed info or facial image requires the user PIN.
>>
>> Attached is a simple script to copy all the objects off the card into
>> the current directory. The certificates are dumped in two forms, as
>> the object (so may also be gzipped), and in PEM format as OpenSC can
>> extract the certificate from the object.
>>
>> The objects are in binary as defined in NIST 800-73-2 part 1.
>> which for the Facial Image just says there is a tag 0xBC length and
>> data of the "Image for Visual Verification" which is defined in other
>> documents.
>> Decoding non-cert objects is really out of scope of the OpenSC project.
>>
>> I did write a test program to display the picture, and get some of the
>> other info from it. Send me some more e-mail on this.
>>
>>> This information is saved to the card. If this is not yet possible I
>>> wouldn't mind designing support for new features with a little help
>>> of course. Basically what files would I need to modify?
>>
>> No modifications are needed...
>>
>>>
>>> Thanks for any help
>>>
>>> Harry
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> opensc-devel mailing list
>>> opensc-devel@lists.opensc-project.org
>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>>
>

--

 Douglas E. Engert  <deeng...@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
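
The thread above says the dumped facial image object carries a tag 0xBC with a length and data, and that the image inside is JPEG 2000 behind headers whose field lengths are not public. The sketch below is an added example, not code from the thread or from OpenSC: it walks the TLV and finds the image by its JPEG 2000 signature instead of by header lengths. The function names, the optional 0x53 wrapper handling and the sample bytes are assumptions made for illustration.

```python
# Added example (not from the thread): find the JPEG 2000 data in a dumped PIV "facialimage" object.
JP2_SIGNATURE = bytes.fromhex("0000000c6a5020200d0a870a")  # JP2 file signature box
J2K_CODESTREAM = bytes.fromhex("ff4fff51")                  # raw codestream: SOC + SIZ

def read_tlv(buf, pos):
    """Parse one BER-TLV with a single-byte tag; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 3 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past the end of the dump")
    return tag, buf[pos:pos + length], pos + length

def find_tag(buf, wanted):
    """Return the value of the first `wanted` tag, descending into a 0x53 wrapper."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if tag == wanted:
            return value
        if tag == 0x53:                    # assumption: the dump may keep the 800-73 wrapper
            return find_tag(value, wanted)
    raise ValueError("tag 0x%02X not found" % wanted)

def carve_jpeg2000(obj):
    """Split the tag 0xBC value into (undecoded headers, JPEG 2000 bytes)."""
    block = find_tag(obj, 0xBC)
    hits = [i for i in (block.find(JP2_SIGNATURE), block.find(J2K_CODESTREAM)) if i >= 0]
    if not hits:
        raise ValueError("no JPEG 2000 signature inside tag 0xBC")
    start = min(hits)
    return block[:start], block[start:]    # bytes after the image stay attached

def constructed_sample():
    """Constructed test object: filler headers, JP2 signature, filler image data."""
    body = b"\x11" * 20 + JP2_SIGNATURE + b"\xAA" * 300
    bc = b"\xBC\x82" + len(body).to_bytes(2, "big") + body
    return b"\x53\x82" + len(bc).to_bytes(2, "big") + bc

if __name__ == "__main__":
    headers, image = carve_jpeg2000(constructed_sample())
    print(len(headers), "header bytes,", len(image), "image bytes")
```

For a real dump, pass the bytes of the `facialimage` file to `carve_jpeg2000` and write the second element to a file for an OpenJPEG-based converter; the first element is the header block whose fields need the specifications named in the reply to decode.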