MacOS S/MIME Outlook or Mail.app no certificates on Yubikey smartcard detected #3160

onno182 opened this issue May 27, 2024 · 17 comments

@onno182

onno182 commented May 27, 2024

Smartcard (Yubikey) is not visible in MacOS Outlook or Mail.app for S/MIME signing / encryption. However, smartcard seems to work fine everywhere else, including SSH, login etc.

I am not sure if I am doing something wrong, as I have returned to MacOS after a long period of not using it, so not sure what has changed.

sc_auth command detects the smartcard and works as expected

security list-smartcards is however empty and shows no smart cards detected

Also the app Smart Card Utility detects the smartcard just fine.

I have searched all over, but have not found a solution for this. Any ideas?

Thanks

@frankmorgner
Member

Are you sure that the yubikey is used through OpenSC? Typically, it would load the macOS' built-in driver for PIV cards...

@onno182
Author

onno182 commented May 29, 2024

Thanks for the reply.

I will troubleshoot further with the PIV driver.

@dengert
Member

dengert commented May 29, 2024

The mail and S/MIME signing / encryption would use the "Certificate for Digital Signature" and "Certificate for Key Management", whereas the auth commands would use the "Certificate for PIV Authentication".

Do you have all 3 certificates and 3 keys with proper keyUsage bits in the certificates?

What does "pkcs11-tool -O" show?
Something like this (run on linux):

pkcs11-tool -O
Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
  label:      PIV AUTH pubkey
  ID:         01
  Usage:      encrypt, verify, wrap
  Access:     none
Certificate Object; type = X.509 cert
  label:      Certificate for PIV Authentication
  subject:    DN: CN=deengert
  ID:         01
Public Key Object; RSA 2048 bits
  label:      SIGN pubkey
  ID:         02
  Usage:      encrypt, verify, wrap
  Access:     none
Certificate Object; type = X.509 cert
  label:      Certificate for Digital Signature
  subject:    DN: CN=deengert
  ID:         02
Public Key Object; RSA 2048 bits
  label:      KEY MAN pubkey
  ID:         03
  Usage:      encrypt, wrap, derive
  Access:     none
Certificate Object; type = X.509 cert
  label:      Certificate for Key Management
  subject:    DN: CN=deengert
  ID:         03
...

@onno182
Author

onno182 commented May 29, 2024

Yes, this is something I was thinking before and want to check with a spare Yubikey once I get home.

"Certificate for Digital Signature" and "Certificate for Key Management" are both signed certificates from a known CA.

The "Certificate for PIV Authentication" (which should not get used for S/MIME) is another (self signed) certificate I use for SSH and other authentication.

Perhaps the Apple implementation expects all three of these to be the same, so I will try this at home and report back.

@onno182
Author

onno182 commented May 29, 2024

Just tested with all the same keys and certs in the 3 slots, but unfortunately it still does not detect the certificates on it.

PKCS11-tool test seems to work fine, so probably not an issue with OpenSC

@dengert
Member

dengert commented May 29, 2024

The 3 keys and certificates should not be the same. The keyUsage bits in the certificate are different. "MacOS Outlook or Mail.app for S/MIME signing / encryption" may look at the certificates and reject them as not usable.

I don't have a Mac.

@onno182
Author

onno182 commented May 29, 2024

Yes, normally only the signing and encryption slots need to be populated, then it should work. The signing certificate is the same as the encryption certificate (it is an S/MIME certificate from a public CA). It also worked fine on Linux this way.

Bits are set correctly (subject DN wildcards are of course not there in the actual output).

Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
  label:      PIV AUTH pubkey
  ID:         01
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     none
Certificate Object; type = X.509 cert
  label:      Certificate for PIV Authentication
  subject:    DN: C=NL, ST=Zuid-Holland, L='s-Gravenhage, O=*, CN=*/emailAddress=*
  serial:     658B3E0F41A569C9849CA086
  ID:         01
Public Key Object; RSA 2048 bits
  label:      SIGN pubkey
  ID:         02
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     none
Certificate Object; type = X.509 cert
  label:      Certificate for Digital Signature
  subject:    DN: C=NL, ST=Zuid-Holland, L='s-Gravenhage, O=*, CN=*/emailAddress=*
  serial:     658B3E0F41A569C9849CA086
  ID:         02
Public Key Object; RSA 2048 bits
  label:      KEY MAN pubkey
  ID:         03
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     none
Certificate Object; type = X.509 cert
  label:      Certificate for Key Management
  subject:    DN: C=NL, ST=Zuid-Holland, L='s-Gravenhage, O=*, CN=*/emailAddress=*
  serial:     658B3E0F41A569C9849CA086
  ID:         03
Profile object 25136816
  profile_id:          CKP_PUBLIC_CERTIFICATES_TOKEN (4)
Data object 17794560
  label:          'Card Capability Container'
  application:    'Card Capability Container'
  app_id:         2.16.840.1.101.3.7.1.219.0
  flags:          <empty>
Data object 17794656
  label:          'Card Holder Unique Identifier'
  application:    'Card Holder Unique Identifier'
  app_id:         2.16.840.1.101.3.7.2.48.0
  flags:          <empty>
Data object 17794752
  label:          'Unsigned Card Holder Unique Identifier'
  application:    'Unsigned Card Holder Unique Identifier'
  app_id:         2.16.840.1.101.3.7.2.48.2
  flags:          <empty>
Data object 17794848
  label:          'X.509 Certificate for PIV Authentication'
  application:    'X.509 Certificate for PIV Authentication'
  app_id:         2.16.840.1.101.3.7.2.1.1
  flags:          <empty>
Data object 17795232
  label:          'X.509 Certificate for Digital Signature'
  application:    'X.509 Certificate for Digital Signature'
  app_id:         2.16.840.1.101.3.7.2.1.0
  flags:          <empty>
Data object 17795328
  label:          'X.509 Certificate for Key Management'
  application:    'X.509 Certificate for Key Management'
  app_id:         2.16.840.1.101.3.7.2.1.2
  flags:          <empty>
Data object 17795424
  label:          'X.509 Certificate for Card Authentication'
  application:    'X.509 Certificate for Card Authentication'
  app_id:         2.16.840.1.101.3.7.2.5.0
  flags:          <empty>
Data object 17795520
  label:          'Security Object'
  application:    'Security Object'
  app_id:         2.16.840.1.101.3.7.2.144.0
  flags:          <empty>
Data object 17795616
  label:          'Discovery Object'
  application:    'Discovery Object'
  app_id:         2.16.840.1.101.3.7.2.96.80
  flags:          <empty>
Data object 17795808
  label:          'Biometric Information Templates Group Template'
  application:    'Biometric Information Templates Group Template'
  app_id:         2.16.840.1.101.3.7.2.16.22
  flags:          <empty>
Data object 17795904
  label:          'Secure Messaging Certificate Signer'
  application:    'Secure Messaging Certificate Signer'
  app_id:         2.16.840.1.101.3.7.2.16.23
  flags:          <empty>

@dengert
Member

dengert commented May 29, 2024

As @frankmorgner said, you may not be using OpenSC drivers. You can get a debug log and a PKCS11 SPY log. See: https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC

You may also need to add the CA certificates to some trusted list of certificates.

@mouse07410
Contributor

AFAIK, the only way Apple Mail on a recent MacOS would use OpenSC is if you install OpenSCToken.app - which never worked for me. If that's the case, I'd recommend removing that app and making sure it did not leave a stale registration somewhere, like a .plist file in the LaunchDaemons directory or such.

Normally, Mail would use pivtoken provided by MacOS itself. If the token is PIV-compliant (current Yubikeys are), there shouldn't be a problem. We're using them "in bulk", on Macs both Intel and Mx (Apple Silicon). I also use OpenSC (with Firefox, with OpenSSL-based apps written locally, etc.) without a problem - but I don't install OpenSCToken.

For the fun of it, try signing and verifying the signature of some short file using pkcs11-tool with keys on your Yubikey.

@frankmorgner
Member

@mouse07410, thanks for reminding us of the good old times, but I think by now OpenSCToken should work as expected.

@onno182, what exactly is the output of sc_auth identities? It should not only show the name of your token but also which driver is used. I don't have any experience with Outlook on macOS, but I think they are using Apple's CTK (same for Smart Card Utility), so PKCS#11 spy or similar won't help.

@onno182
Author

onno182 commented May 30, 2024

Thanks for the suggestion.

sc_auth identities lists driver com.apple.pivtoken

Deactivating OpenSCToken.app does not solve the problem

Importing the certificate in keychain directly (as PKCS12 format) works as expected. However, the same certificate on the smartcard does not.

Also the command security list-smartcards does not list any smartcards. But I'm not sure if this is correct functionality.

@frankmorgner
Member

> sc_auth identities lists driver com.apple.pivtoken

Then your problem is with Apple's built-in token driver. Please contact the Apple support for help with this.

> Deactivating OpenSCToken.app does not solve the problem

If you want to try OpenSC, then you should install OpenSC and deactivate Apple's pivtoken (see https://github.com/frankmorgner/OpenSCToken/?tab=readme-ov-file#useful-commands)

@onno182
Author

onno182 commented May 30, 2024

I was using the OpenSC driver before deactivating as @mouse07410 suggested. After deactivation, Apple's driver takes over.

The problem however is also there when OpenSC driver is used.

I have reinstalled the OpenSCDriver, and now it says org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken:1c9f99c35e5f4b3db55b387879282909 for instance

@frankmorgner
Member

So the Apple driver works as expected with Outlook? 🤔

@onno182
Author

onno182 commented May 30, 2024

No, neither driver works.

@frankmorgner
Member

How did you initialize the token?

Maybe the certificates are not linked to your private keys.

What does pkcs15-tool -D say?

@onno182
Author

onno182 commented May 30, 2024

I tried two ways. One was through the ykman command, and another via the GUI from Yubikey.

It is the same certificate and private key that work just fine in keychain (without the Yubikey).

`onno@Onnos-MacBook-Air ~ % pkcs15-tool -D
Using reader with a card: Yubico YubiKey OTP+FIDO+CCID
PKCS#15 Card [Onno 25750141]:
Version : 0
Serial number : 1c9f99c35e5f4b3db55b387879282909
Manufacturer ID: piv_II
Flags :

PIN [PIN]
Object Flags : [0x01], private
Auth ID : 02
ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0xFF
Reference : 128 (0x80)
Type : ascii-numeric
Tries left : 3

PIN [PIV PUK]
Object Flags : [0x01], private
ID : 02
Flags : [0xF2], local, initialized, needs-padding, unblockingPin, soPin
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0xFF
Reference : 129 (0x81)
Type : ascii-numeric

Private RSA Key [PIV AUTH key]
Object Flags : [0x01], private
Usage : [0x2E], decrypt, sign, signRecover, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
ModLength : 2048
Key ref : 154 (0x9A)
Native : yes
Auth ID : 01
ID : 01
MD:guid : 0x'30313966393963333565356634623364623535623338373837393238323930390000000000000000'

Private RSA Key [SIGN key]
Object Flags : [0x01], private
Usage : [0x2E], decrypt, sign, signRecover, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
ModLength : 2048
Key ref : 156 (0x9C)
Native : yes
Auth ID : 01
ID : 02
MD:guid : 0x'30323966393963333565356634623364623535623338373837393238323930390000000000000000'

Private RSA Key [KEY MAN key]
Object Flags : [0x01], private
Usage : [0x2E], decrypt, sign, signRecover, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
ModLength : 2048
Key ref : 157 (0x9D)
Native : yes
Auth ID : 01
ID : 03
MD:guid : 0x'30333966393963333565356634623364623535623338373837393238323930390000000000000000'

Public RSA Key [PIV AUTH pubkey]
Object Flags : [0x00]
Usage : [0xD1], encrypt, wrap, verify, verifyRecover
Access Flags : [0x02], extract
ModLength : 2048
Key ref : 154 (0x9A)
Native : yes
ID : 01
DirectValue :

Public RSA Key [SIGN pubkey]
Object Flags : [0x00]
Usage : [0xD1], encrypt, wrap, verify, verifyRecover
Access Flags : [0x02], extract
ModLength : 2048
Key ref : 156 (0x9C)
Native : yes
ID : 02
DirectValue :

Public RSA Key [KEY MAN pubkey]
Object Flags : [0x00]
Usage : [0xD1], encrypt, wrap, verify, verifyRecover
Access Flags : [0x02], extract
ModLength : 2048
Key ref : 157 (0x9D)
Native : yes
ID : 03
DirectValue :

X.509 Certificate [Certificate for PIV Authentication]
Object Flags : [0x00]
Authority : no
Path :
ID : 01
Encoded serial : 02 02 101C

X.509 Certificate [Certificate for Digital Signature]
Object Flags : [0x00]
Authority : no
Path :
ID : 02
Encoded serial : 02 0C 658B3E0F41A569C9849CA086

X.509 Certificate [Certificate for Key Management]
Object Flags : [0x00]
Authority : no
Path :
ID : 03
Encoded serial : 02 0C 658B3E0F41A569C9849CA086

Data object 'Card Capability Container'
applicationName: Card Capability Container
applicationOID: 2.16.840.1.101.3.7.1.219.0
Path: db00
Data object read failed: File not found
Data object 'Card Holder Unique Identifier'
applicationName: Card Holder Unique Identifier
applicationOID: 2.16.840.1.101.3.7.2.48.0
Path: 3000
Data (61 bytes): 533B3019D4E739DA739CED39CE739D836858210842108421C84210C3EB34101C9F99C35E5F4B3DB55B38787928290935
0832303330303130313E00FE00

Data object 'Unsigned Card Holder Unique Identifier'
applicationName: Unsigned Card Holder Unique Identifier
applicationOID: 2.16.840.1.101.3.7.2.48.2
Path: 3010
Data object read failed: File not found
Data object 'X.509 Certificate for PIV Authentication'
applicationName: X.509 Certificate for PIV Authentication
applicationOID: 2.16.840.1.101.3.7.2.1.1
Path: 0101

Data object 'Cardholder Fingerprints'
applicationName: Cardholder Fingerprints
applicationOID: 2.16.840.1.101.3.7.2.96.16
Path: 6010
Auth ID: 01

Data object 'Printed Information'
applicationName: Printed Information
applicationOID: 2.16.840.1.101.3.7.2.48.1
Path: 3001
Auth ID: 01

Data object 'Cardholder Facial Image'
applicationName: Cardholder Facial Image
applicationOID: 2.16.840.1.101.3.7.2.96.48
Path: 6030
Auth ID: 01

Data object 'X.509 Certificate for Digital Signature'
applicationName: X.509 Certificate for Digital Signature
applicationOID: 2.16.840.1.101.3.7.2.1.0
Path: 0100

Data object 'X.509 Certificate for Key Management'
applicationName: X.509 Certificate for Key Management
applicationOID: 2.16.840.1.101.3.7.2.1.2
Path: 0102

Data object 'X.509 Certificate for Card Authentication'
applicationName: X.509 Certificate for Card Authentication
applicationOID: 2.16.840.1.101.3.7.2.5.0
Path: 0500
Data object read failed: File not found
Data object 'Security Object'
applicationName: Security Object
applicationOID: 2.16.840.1.101.3.7.2.144.0
Path: 9000
Data object read failed: File not found
Data object 'Discovery Object'
applicationName: Discovery Object
applicationOID: 2.16.840.1.101.3.7.2.96.80
Path: 6050
Data (20 bytes): 7E124F0BA0000003080000100001005F2F024000

Data object 'Cardholder Iris Image'
applicationName: Cardholder Iris Image
applicationOID: 2.16.840.1.101.3.7.2.16.21
Path: 1015
Data object read failed: File not found
Data object 'Biometric Information Templates Group Template'
applicationName: Biometric Information Templates Group Template
applicationOID: 2.16.840.1.101.3.7.2.16.22
Path: 1016
Data object read failed: File not found
Data object 'Secure Messaging Certificate Signer'
applicationName: Secure Messaging Certificate Signer
applicationOID: 2.16.840.1.101.3.7.2.16.23
Path: 1017
Data object read failed: File not found
Data object 'Pairing Code Reference Data Container'
applicationName: Pairing Code Reference Data Container
applicationOID: 2.16.840.1.101.3.7.2.16.24
Path: 1018
Data object read failed: File not found
`
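
Added example (not part of the thread and not OpenSC code): a small parser for `pkcs15-tool -D` output in the layout shown above. It checks the point raised earlier in the thread, whether every certificate has a private key with the same ID, and also reports certificates that share a serial number. The sample dump, its IDs and serials are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a `pkcs15-tool -D` dump;
# the IDs, key references and serials are made up for this example.
SAMPLE = """\
Private RSA Key [PIV AUTH key]
Usage : [0x2E], decrypt, sign, signRecover, unwrap
Key ref : 154 (0x9A)
ID : 01
MD:guid : 0x'00'

Private RSA Key [SIGN key]
Usage : [0x2E], decrypt, sign, signRecover, unwrap
Key ref : 156 (0x9C)
ID : 02

X.509 Certificate [Certificate for PIV Authentication]
ID : 01
Encoded serial : 02 02 1001

X.509 Certificate [Certificate for Digital Signature]
ID : 02
Encoded serial : 02 02 2002

X.509 Certificate [Certificate for Key Management]
ID : 03
Encoded serial : 02 02 2002

Data object 'Discovery Object'
applicationName: Discovery Object
Path: 6050
"""

# Object headers look like "Private RSA Key [SIGN key]".
HEADER = re.compile(
    r"^(Private \w+ Key|Public \w+ Key|X\.509 Certificate|PIN) \[(.+)\]\s*$")
# Field lines are "Name : value"; the name itself may contain ':' (MD:guid).
FIELD = re.compile(r"^\s*(.+?)\s+:\s*(.*)$")


def parse_objects(text):
    """Split the dump into key, certificate and PIN objects with their fields."""
    objects, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER.match(line)
        if head:
            current = {"kind": head.group(1), "label": head.group(2), "fields": {}}
            objects.append(current)
        elif not line or line.startswith("Data object"):
            current = None  # a blank line or a data object ends the current object
        elif current is not None:
            field = FIELD.match(line)
            if field:
                current["fields"][field.group(1)] = field.group(2)
    return objects


def check_links(objects):
    """Return findings: certificates without a private key of the same ID,
    and groups of certificates that carry the same encoded serial."""
    private_ids = {o["fields"].get("ID") for o in objects
                   if o["kind"].startswith("Private")}
    findings, by_serial = [], defaultdict(list)
    for o in objects:
        if o["kind"] != "X.509 Certificate":
            continue
        cert_id = o["fields"].get("ID")
        if cert_id not in private_ids:
            findings.append(("no-private-key", o["label"], cert_id))
        serial = o["fields"].get("Encoded serial")
        if serial:
            by_serial[serial].append(o["label"])
    for serial, labels in by_serial.items():
        if len(labels) > 1:
            findings.append(("shared-serial", tuple(labels), serial))
    return findings


if __name__ == "__main__":
    for finding in check_links(parse_objects(SAMPLE)):
        print(finding)
```

A "shared-serial" finding is informational: it only shows that the same certificate was loaded into more than one slot.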
