[SmartcardServices-Users] Submitting patches for PIVToken.cpp bugs [Yubikey Neo]

david.lloyd at fsmail.net david.lloyd at fsmail.net
Sat Oct 24 00:24:44 PDT 2015


Hi Shawn,

Thanks!  I’m in contact with an engineer from Yubico, so I’ll raise a bug next week when they have had a chance to look at it.  It could just be a bug in their PIV provisioning tools.  At the very least they shouldn’t be returning "Status: OK" if mandatory files are missing.

In any case, my current patch is to probe for the existence of the CCC, and if that isn’t found, use a HEX string derived from the CHUID instead (PIV cards missing both probably won’t work anywhere!).

    const size_t sz = sizeof(oidCardCapabilityContainer);
    if (getDataExists(oidCardCapabilityContainer, sz, sDescripCardCapabilityContainer))
    {
        secdebug("probe", "Look up Card Capability Container");

        byte_string cccOid((const unsigned char *)oidCardCapabilityContainer,
                           oidCardCapabilityContainer + sizeof(oidCardCapabilityContainer));
        byte_string cccdata;
        /*
         Since probe is called before establish, securityd has not passed us
         the cache directory yet, so we don't try to cache anything right now
         */
        const bool allowCaching = false;
        getDataCore(cccOid, "CCC", false, allowCaching, cccdata);
        PIVCCC ccc(cccdata);
        snprintf(tokenUid, TOKEND_MAX_UID, "PIV-%s", ccc.hexidentifier().c_str());
    }
    else
    {
        /* No CCC on this card: fall back to a hex rendering of the CHUID */
        secdebug("probe", "Look up CHUID");
        byte_string chuidOid((const unsigned char *)oidCardHolderUniqueIdentifier,
                             oidCardHolderUniqueIdentifier + sizeof(oidCardHolderUniqueIdentifier));
        byte_string chuidData;

        const bool allowCaching = false;
        getDataCore(chuidOid, "CHUID", false, allowCaching, chuidData);

        /* Clamp to the number of bytes whose hex fits in tokenUid after the
           "PIV-" prefix. This must be MIN, not MAX: with MAX, Length could
           exceed the CHUID buffer actually read and toHex() would read past it. */
        CssmData data;
        data.Data = &chuidData[0];
        data.Length = MIN(chuidData.size(), TOKEND_MAX_UID/2 - 6);
        snprintf(tokenUid, TOKEND_MAX_UID, "PIV-%s", data.toHex().c_str());
    }

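The CCC-then-CHUID fallback above, written as a stand-alone example (this is added illustration, not code from the patch or from SmartcardServices). `kTokendMaxUid`, `buildTokenUid`, `toHex` and `sampleBytes` are names chosen here; the real `TOKEND_MAX_UID`, `PIVCCC` and `getDataCore` are assumed to be supplied by the tokend. The point it makes is the length clamp: the number of source bytes rendered is derived from the destination buffer size, so the output can never exceed the buffer and no bytes beyond the object that was read are touched.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

typedef std::vector<unsigned char> byte_string;

// Stands in for TOKEND_MAX_UID; the real constant lives in the tokend headers (assumption).
static const size_t kTokendMaxUid = 64;

// Render at most maxBytes of data as upper-case hex.
std::string toHex(const byte_string& data, size_t maxBytes)
{
    static const char digits[] = "0123456789ABCDEF";
    const size_t n = std::min(data.size(), maxBytes);
    std::string out;
    out.reserve(n * 2);
    for (size_t i = 0; i < n; ++i) {
        out.push_back(digits[data[i] >> 4]);
        out.push_back(digits[data[i] & 0x0F]);
    }
    return out;
}

// Build the "PIV-<hex>" token UID that fits in a uidSize-byte buffer.
// The CCC identifier is preferred; the CHUID is the fallback when the card
// has no CCC. Returns an empty string when neither object is present.
std::string buildTokenUid(const byte_string& cccIdentifier,
                          const byte_string& chuid,
                          size_t uidSize)
{
    static const char prefix[] = "PIV-";
    const size_t prefixLen = sizeof(prefix) - 1;        // 4
    if (uidSize <= prefixLen + 1) return std::string(); // no room for prefix + NUL
    // Each source byte becomes two hex characters; reserve one byte for the NUL.
    const size_t maxBytes = (uidSize - 1 - prefixLen) / 2;

    const byte_string* src = NULL;
    if (!cccIdentifier.empty())  src = &cccIdentifier;
    else if (!chuid.empty())     src = &chuid;
    else                         return std::string();

    std::vector<char> buf(uidSize);
    snprintf(&buf[0], uidSize, "%s%s", prefix, toHex(*src, maxBytes).c_str());
    return std::string(&buf[0]);
}

// Constructed sample bytes (not real card contents): 0x00, 0x01, 0x02, ...
byte_string sampleBytes(size_t len)
{
    byte_string b;
    for (size_t i = 0; i < len; ++i) b.push_back(static_cast<unsigned char>(i & 0xFF));
    return b;
}

int main()
{
    byte_string none;
    // CHUID fallback with room to spare
    printf("%s\n", buildTokenUid(none, sampleBytes(4), kTokendMaxUid).c_str());          // PIV-00010203
    // Long CHUID, small buffer: only 5 bytes of hex fit in 16 chars
    printf("%s\n", buildTokenUid(none, sampleBytes(100), 16).c_str());                  // PIV-0001020304
    // CCC present: it wins over the CHUID
    printf("%s\n", buildTokenUid(sampleBytes(2), sampleBytes(4), kTokendMaxUid).c_str()); // PIV-0001
    return 0;
}
```

The second call is the case the `MIN`/`MAX` choice decides: a 100-byte object and a 16-byte destination yield a 14-character UID plus NUL, with no read past byte 5 of the source.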

You also have a couple of “warnings as errors” fixes:  this one at least is genuine in PIVToken::getDataExists

	if(rx & 0xFF00 == SCARD_BYTES_LEFT_IN_SW2) return true; /* More bytes left */
should be:
	if((rx & 0xFF00) == SCARD_BYTES_LEFT_IN_SW2) return true; /* More bytes left */



Just as a note: http://smartcardservices.macosforge.org seems to be down at the moment.  Could you point me at your issue tracking web-page?

Regards,

David L



> Cc: "SmartCard Services-Users" <smartcardservices-users at lists.macosforge.org>
> Subject: Re: [SmartcardServices-Users] Submitting patches for PIVToken.cpp bugs [Yubikey Neo]
> 
> David,
> If you haven’t already, can you submit a ticket for this and I’ll see what I can do.
> 
> - Shawn


