[SmartcardServices-Users] Submitting patches for PIVToken.cpp bugs [Yubikey Neo]
Uri Blumenthal
uri at mit.edu
Sat Oct 24 21:40:51 PDT 2015
It would be nice if SmartCardServices tokend could work with a card that doesn't have a CCC object in it.
In my experience, NEO (a) does not have CCC, and (b) does not perform SELECT command properly.
One workaround I found for another tokend to work with NEO correctly was to generate a CCC object and write it to NEO using piv-tool from the OpenSC package.
> On Oct 24, 2015, at 13:52, "david.lloyd at fsmail.net" <david.lloyd at fsmail.net> wrote:
>
> Hi Shawn,
>
> Thanks! I’m in contact with an engineer from Yubico, so I’ll raise a bug next week when they have had a chance to look at it. It could just be a bug in their PIV provisioning tools. At the very least they shouldn’t be returning "Status: OK" if mandatory files are missing.
>
> In any case, my current patch is to probe for the existence of the CCC, and if that isn’t found, use a HEX string derived from the CHUID instead (PIV cards missing both probably won’t work anywhere!).
>
> const size_t sz = sizeof(oidCardCapabilityContainer);
> if (getDataExists(oidCardCapabilityContainer, sz, sDescripCardCapabilityContainer))
> {
>     secdebug("probe", "Look up Card Capability Container");
>
>     byte_string cccOid((const unsigned char *)oidCardCapabilityContainer,
>                        oidCardCapabilityContainer + sizeof(oidCardCapabilityContainer));
>     byte_string cccdata;
>     /*
>         Since probe is called before establish, securityd has not passed us
>         the cache directory yet, so we don't try to cache anything right now
>     */
>     const bool allowCaching = false;
>     getDataCore(cccOid, "CCC", false, allowCaching, cccdata);
>     PIVCCC ccc(cccdata);
>     snprintf(tokenUid, TOKEND_MAX_UID, "PIV-%s", ccc.hexidentifier().c_str());
> }
> else
> {
>     secdebug("probe", "Look up CHUID");
>     byte_string chuidOid((const unsigned char *)oidCardHolderUniqueIdentifier,
>                          oidCardHolderUniqueIdentifier + sizeof(oidCardHolderUniqueIdentifier));
>     byte_string chuidData;
>
>     const bool allowCaching = false;
>     getDataCore(chuidOid, "CHUID", false, allowCaching, chuidData);
>
>     CssmData data;
>     data.Data = &chuidData[0];
>     /* MIN, not MAX: the length must never exceed the bytes actually read,
>        otherwise toHex() reads past the end of chuidData */
>     data.Length = MIN(chuidData.size(), TOKEND_MAX_UID/2 - 6);
>     snprintf(tokenUid, TOKEND_MAX_UID, "PIV-%s", data.toHex().c_str());
> }
>
>
> You also have a couple of “warnings as errors” fixes: this one at least is genuine in PIVToken::getDataExists
>
> if(rx & 0xFF00 == SCARD_BYTES_LEFT_IN_SW2) return true; /* More bytes left */
> should be:
> if((rx & 0xFF00) == SCARD_BYTES_LEFT_IN_SW2) return true; /* More bytes left */
>
>
>
> Just as a note: http://smartcardservices.macosforge.org seems to be down at the moment. Could you point me at your issue tracking web-page?
>
> Regards,
>
> David L
>
>
>
>> Cc: "SmartCard Services-Users" <smartcardservices-users at lists.macosforge.org>
>> Subject: Re: [SmartcardServices-Users] Submitting patches for PIVToken.cpp bugs [Yubikey Neo]
>>
>> David,
>> If you haven’t already, can you submit a ticket for this and I’ll see what I can do.
>>
>> - Shawn
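The two fixes discussed in the quoted message, as an added C++ example that is not part of the original e-mail or of SmartCardServices: the operator-precedence bug in the status-word check, and a CHUID-derived UID whose length is bounded by both the data and the UID field. The value of `SCARD_BYTES_LEFT_IN_SW2` (0x6100, after the ISO 7816-4 61xx status), `UID_MAX`, and all helper names are assumptions made for illustration.

```cpp
// Added illustration; helper names and constant values are assumptions,
// not SmartCardServices code.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// ISO 7816-4: SW1 = 0x61 means SW2 more response bytes are available.
static const uint16_t SCARD_BYTES_LEFT_IN_SW2 = 0x6100; // assumed value
static const size_t UID_MAX = 32; // hypothetical stand-in for TOKEND_MAX_UID

// How the compiler parses `rx & 0xFF00 == SW`: == binds tighter than &,
// so the mask is compared first and rx is ANDed with 0. Never true.
bool bytesLeftAsParsed(uint16_t rx) {
    return rx & (0xFF00 == SCARD_BYTES_LEFT_IN_SW2);
}

// Intended check: mask off SW2, then compare SW1.
bool bytesLeftFixed(uint16_t rx) {
    return (rx & 0xFF00) == SCARD_BYTES_LEFT_IN_SW2;
}

// Fallback UID: "PIV-" plus hex of the leading CHUID bytes. The count is
// the smaller of the data size and the room left in the UID field, so the
// loop neither reads past the buffer nor produces an overlong string.
std::string uidFromChuid(const std::vector<uint8_t>& chuid) {
    const size_t room = (UID_MAX - 1 - 4) / 2; // minus NUL and "PIV-"
    const size_t n = chuid.size() < room ? chuid.size() : room;
    std::string uid = "PIV-";
    char hex[3];
    for (size_t i = 0; i < n; ++i) {
        std::snprintf(hex, sizeof hex, "%02X", chuid[i]);
        uid += hex;
    }
    return uid;
}

int main() {
    const uint8_t sample[] = {0x30, 0x19, 0xD4}; // constructed CHUID prefix
    std::vector<uint8_t> chuid(sample, sample + sizeof sample);
    std::printf("61 10 as parsed: %d, fixed: %d\n",
                bytesLeftAsParsed(0x6110), bytesLeftFixed(0x6110));
    std::printf("%s\n", uidFromChuid(chuid).c_str());
    return 0;
}
```

With the unparenthesised form, a 61xx response is never recognised, so the probe treats an object that is present but longer than one response as missing.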