David,
If you haven’t already, can you submit a ticket for this and I’ll see what I can do.

- Shawn
_____________________________________________________________________
Shawn Geddis            
geddis at {Mac | Me | iCloud} dot com
Security and Certifications Engineer, Apple                geddis at { apple } dot com

Smart Card Services  Project/Dev Lead:
Project Wiki:           [http://smartcardservices.macosforge.org]
Mailing Lists:          [Lists.MacOSForge.Org/mailman/listinfo]
SCS Contact:            [scs-cotact@macosforge.org]
SCS Admin:            [scs-admin@macosforge.org]
_____________________________________________________________________

On Oct 23, 2015, at 1:09 PM, david.lloyd@fsmail.net wrote:

Hi,

I have been doing a little bit of debugging with the YubiKey Neo PIV card USB dongles on MacOSX (http://www.amazon.com/Yubico-Y-072-YubiKey-NEO/dp/B00LX8KZZ8/ref=sr_1_1?ie=UTF8&qid=1445630304&sr=8-1&keywords=Yubikey+neo).

It looks like they aren't 100% PIV compliant, and they are falling over in PIVToken.cpp::probe()...


byte_string cccOid((const unsigned char *)oidCardCapabilityContainer, oidCardCapabilityContainer + sizeof(oidCardCapabilityContainer));
byte_string cccdata;
getDataCore(cccOid, "CCC", false, true, cccdata);
PIVCCC ccc(cccdata);


They do not return the CardCapabilityContainer here (although interestingly enough the other APDU calls do return certificates at this point!).

You can reproduce this by running opensc-explorer and issuing:
   apdu 0 cb 3f ff 5 5c 3 5f c1 7
This returns 0x6a82 (file not found).

This call, however:
   apdu 0 cb 3f ff 5 5c 3 5f c1 5

Returns the X509 certificate correctly.


If I disable the probe call to GetDataCore for the CardCapabilityContainer, the device works correctly in Safari.


I have reported the issue to Yubico, but I am interested to see if you have any recommendations as to how to patch this in TokenD.  You have a "GetDataExists" method in there which would prevent the exception.
I guess that you need a unique ID for the smart card in probe though (would the CHUID be an alternative choice - that works?)

Let me know what you think!

DDD
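
The CHUID fallback raised in the message above, sketched as an added example; it is not part of the original thread and not the Tokend code. All names here (Transmit, probe, cardWithoutCCC) are hypothetical, the CHUID tag 5F C1 02 is taken from NIST SP 800-73 rather than from the message, and the transport is assumed to return response data followed by SW1 SW2.

```cpp
#include <cstdint>
#include <functional>
#include <vector>

using Bytes = std::vector<uint8_t>;
// Hypothetical transport: takes a command APDU, returns data + SW1 SW2.
using Transmit = std::function<Bytes(const Bytes&)>;

// PIV data object tags (NIST SP 800-73).
const Bytes kTagCHUID = {0x5F, 0xC1, 0x02};
const Bytes kTagCCC   = {0x5F, 0xC1, 0x07};

// GET DATA: 00 CB 3F FF Lc 5C len <tag>, same bytes as the apdu commands above.
Bytes buildGetData(const Bytes& tag) {
    Bytes apdu = {0x00, 0xCB, 0x3F, 0xFF,
                  static_cast<uint8_t>(tag.size() + 2),
                  0x5C, static_cast<uint8_t>(tag.size())};
    apdu.insert(apdu.end(), tag.begin(), tag.end());
    return apdu;
}

// Status word is the last two bytes; 0 means the response was too short.
uint16_t statusWord(const Bytes& rsp) {
    if (rsp.size() < 2) return 0;
    return static_cast<uint16_t>((rsp[rsp.size() - 2] << 8) | rsp.back());
}

enum class ProbeResult { NotPIV, ByCCC, ByCHUID };

// Ask for the CCC first; only on 6A82 (file not found) try the CHUID.
ProbeResult probe(const Transmit& card, Bytes& idData) {
    for (const Bytes* tag : {&kTagCCC, &kTagCHUID}) {
        Bytes rsp = card(buildGetData(*tag));
        uint16_t sw = statusWord(rsp);
        if (sw == 0x9000 && rsp.size() > 2) {
            idData.assign(rsp.begin(), rsp.end() - 2);  // strip SW1 SW2
            return tag == &kTagCCC ? ProbeResult::ByCCC : ProbeResult::ByCHUID;
        }
        if (sw != 0x6A82) break;  // any other error: do not claim the card
    }
    return ProbeResult::NotPIV;
}

// Constructed stand-in for a card that has a CHUID but no CCC.
Bytes cardWithoutCCC(const Bytes& apdu) {
    if (apdu == buildGetData(kTagCCC)) return {0x6A, 0x82};
    if (apdu == buildGetData(kTagCHUID)) return {0x53, 0x02, 0xAA, 0xBB, 0x90, 0x00};
    return {0x6D, 0x00};
}
```
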