[SmartcardServices-Users] Submitting patches for PIVToken.cpp bugs [Yubikey Neo]
david.lloyd at fsmail.net
Sun Oct 25 02:42:51 PDT 2015
Hi,
Yes. I have been reading through the Yubico PIV tools code as well (although I have not yet tried to add the CCC file)....
In particular, I have been looking at https://github.com/Yubico/yubico-piv-tool/blob/master/tool/yubico-piv-tool.c (line 1346 in the status display), where it seems to report a missing CHUID as an "interesting fact" rather than a corrupt PIV card... Windows uses it to produce a persistent CSP container name, so you end up with weird problems if the CHUID is missing. It looks like the "-action setchuid" was a bug fix for that.
I am thinking that rather than a load of "-action setThisAndThat" options, the piv tool would be better off with an "-action initialize" option that adds all the required PIV files, where "required" from where I am sitting is CCC and CHUID -- PIV experts can feel free to add more.
I am also probably going to propose these patches for the PIV tool:
(1) reword the status() function to indicate that a missing CCC or CHUID is a somewhat serious problem.
(2) an isInitialized() method that checks to see whether the Yubikey is completely blank (i.e. - returns true if there is one of: a certificate, or a CCC, or a CHUID).
(3) make the tool complain a bit if you try to do other things while isInitialized() returns false.
Whether we go for a Smart Card Services patch, or a yubico-piv-tool patch (or ideally both), is probably something that you guys and the Yubico engineers need to discuss. The patch for
SCS is at least relatively "low risk", given that I have only needed to add an: if (xxx) {currentBehaviour} else {do something new}.
Regards,
David L
P.S. Is there a good tool in OpenSC that checks to see if a card PIV is ok? i.e. something that can be used for PIV card compliance unit testing?
> Subject: Re: [SmartcardServices-Users] Submitting patches for PIVToken.cpp bugs [Yubikey Neo]
>
> It would be nice if SmartCardServices tokend could work with a card that doesn't have a CCC object in it.
>
> In my experience, NEO (a) does not have CCC, and (b) does not perform SELECT command properly.
>
> One workaround I found for another tokend to work with NEO correctly was to generate a CCC object and write it to NEO using piv-tool from OpenSC package.