Releases: GSA/gsa-icam-card-builder

Eliminated Buffer Length Field from Gen1-2 CHUIDs and Re-signed Objects

19 Jun 05:01

This field was deprecated and should not be used in the CHUID hash computation. The content signer tool was not ignoring it and was actually propagating it. In this release the signing tool drops that field if it sees it in an existing CHUID file so that it isn't included in the hash or the output file.

All signed objects on Cards 1-24 were re-signed as a precaution to ensure that the Security Object remains in sync with changing card elements.
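The note above describes dropping the deprecated Buffer Length field from a CHUID before it is hashed. The following added example (not the card-builder's own code) walks a CHUID as BER-TLV, removes that element and hashes what remains; it assumes the SP 800-73 tag values (0xEE Buffer Length, 0x30 FASC-N, 0x34 GUID, 0x35 Expiration Date, 0x3E Issuer Asymmetric Signature, 0xFE Error Detection Code) and uses constructed sample bytes.

```python
# Added example (not the card-builder's code): drop the deprecated CHUID
# Buffer Length field (tag 0xEE, NIST SP 800-73) before hashing or signing.
# Sample CHUID bytes below are constructed, not read from a real card.
import hashlib

BUFFER_LENGTH_TAG = 0xEE  # deprecated in SP 800-73; must not enter the hash

def parse_tlv(data: bytes) -> list[tuple[int, bytes]]:
    """Parse single-byte-tag BER-TLV elements with short or 0x81/0x82 lengths."""
    out, i = [], 0
    while i < len(data):
        tag = data[i]
        length = data[i + 1]
        i += 2
        if length == 0x81:
            length, i = data[i], i + 1
        elif length == 0x82:
            length, i = int.from_bytes(data[i:i + 2], "big"), i + 2
        elif length > 0x7F:
            raise ValueError(f"unsupported length encoding {length:#x}")
        if i + length > len(data):
            raise ValueError("TLV length runs past end of buffer")
        out.append((tag, data[i:i + length]))
        i += length
    return out

def encode_tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    if n < 0x100:
        return bytes([tag, 0x81, n]) + value
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + value

def strip_buffer_length(chuid: bytes) -> bytes:
    """Re-encode the CHUID with every 0xEE element removed; other elements keep order."""
    return b"".join(encode_tlv(t, v) for t, v in parse_tlv(chuid) if t != BUFFER_LENGTH_TAG)

def chuid_digest(chuid: bytes) -> str:
    """SHA-256 over the CHUID after the deprecated field has been dropped."""
    return hashlib.sha256(strip_buffer_length(chuid)).hexdigest()

# Constructed sample CHUID that still carries the deprecated field.
SAMPLE_CHUID = (
    encode_tlv(0xEE, b"\x00\x3D")          # Buffer Length (deprecated)
    + encode_tlv(0x30, bytes(25))          # FASC-N placeholder
    + encode_tlv(0x34, bytes(16))          # GUID placeholder
    + encode_tlv(0x35, b"20301231")        # expiration date YYYYMMDD
    + encode_tlv(0x3E, b"")                # issuer signature left empty here
    + encode_tlv(0xFE, b"")                # error detection code
)
```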

Added myfinger.sh Utility

17 Jun 13:11

FRTC Test Case 5.12.01 states, "With ICAM Test Card 01 registered with the PACS, the system recognizes when the Fingerprint signature is invalid and does not verify." This can only be tested if Card 7 has a fingerprint that matches the tester's. The myfinger.sh utility allows a tester to extract their biometric template from a known good source and marry it with the ICAM Test Card signature block so that the resulting signature is valid. This should be done with Card 1 and Card 7. Card 7 has an additional utility to tamper with the signature.

Requires Linux, Mac OS X or Cygwin and LogParser tools (extract latest .tar file from tlvparser directory into /usr/local).

Added Support for Batch Object Signing

10 Jun 18:03

In this release the content signer tool was updated to allow the user to select multiple properties files so that all of the objects in a given directory can be signed. The first of the selected objects populates the form so changes or adjustments can be made, and when the Sign button is clicked, the signing occurs and the next selected properties file populates the form. This continues until all of the selected objects have been signed and the form is cleared.

Corrected Bridge to Root CA Cross Cert

08 Jun 17:29

Corrected basicConstraints on Bridge to Root CA cross cert. Minor documentation updates.

Added Card 23 Public/Private Key Mismatch, Fixed Paths 1, 3, 11, 16, 33

30 May 19:29

The method we were using with previous card stock did not work with the new card encoder. Used a "patched" version of OpenSSL to create .p12 files without checking private/public key match. Fixed Paths 1, 3, 11, 16, 33. Added ./bin.

Updated bridge cross certs with missing policy OIDs

28 May 08:39

Policy checking is now accurate with Gen1-2 certs which had incorrect policies for content signing. Gen1-2 PIV-I cards asserted policies directly rather than through mapping, which also needed fixing. This release includes re-issued Gen1-2 signing CA and key rollover certs, content signing certs and re-signed PIV-I card objects.

Bridge CA certs were re-built with full set of policy OIDs and the Bridge to Root CA cert was re-issued with no Path Length in its Basic Constraints.

Updated Gen1-2 signing CA with PIV-I OIDs and PIV-I policy mapping

22 May 20:36

Updated Gen1-2 signing CA with PIV-I OIDs and PIV-I policy mapping. Updated sia, aia directories with resulting .p7c. Removed crl.apl-test.cite host from responder installation. Removed extraneous Apache log.

Added ECC content signing certs, permission updates

18 May 09:54
bf1223d

Added ECC P-256 and P-384 content signing keys/certs for those needing to sign content with different algorithms. Updated permissions of all files to fix an Egit plugin bug.

Updated Cards 6, 7, 8

16 May 19:51

Updated CA data with newly renamed bridge certs.

Created altered objects and scripts for Cards 6, 7, and 8 so that signature verification should fail.

Turned on permission tracking (filemode = true) in .git/config.

Correction to Card 46

16 May 08:43

Fixed corrupted Security Object in Card 46 (might have just been a local problem).

Fixed the remaining "unknown" OCSP responses due to various duplicate certificate numbers. Rewrote routine that "uniquifies" the CA indices so that all certs are now picked up.

Added code to sure-fire clean up a security object with random hashes in it when encoding a new card.

Renamed roots and bridge CA fault path certs so that their path number prepends the name.