[SmartcardServices-Users] Submitting patches for PIVToken.cpp bugs [Yubikey Neo]

Uri Blumenthal uri at mit.edu
Sun Oct 25 14:55:54 PDT 2015


On Oct 25, 2015, at 5:42, david.lloyd at fsmail.net wrote:
In particular, I have been looking at https://github.com/Yubico/yubico-piv-tool/blob/master/tool/yubico-piv-tool.c (line 1346 in the status display), where it seems to report a missing CHUID as an "interesting fact" rather than a corrupt PIV card...  Windows uses it to produce a persistent CSP container name, so you end up with weird problems if the CHUID is missing.  It looks like the "-action setchuid" was a bug fix for that.

Yes, very likely.

I am thinking that rather than a load of "-action setThisAndThat" options, the piv tool would be better off with an "-action initialize" option that adds all the required PIV files.  Where "required" from where I am sitting is CCC and CHUID -- PIV experts can feel free to add more.

So far it seems that CCC and CHUID are what’s necessary and sufficient for minimal PIV compliance.

I am also probably going to propose these patches for the PIV tool:
 (1) reword the status() function to indicate that a missing CCC or CHUID is a somewhat serious problem.

No, not a problem - just inability to work as a PIV.

 (2) an isInitialized() method that checks to see whether the Yubikey is completely blank (i.e. returns true if there is one of: a certificate, or a CCC, or a CHUID).

Not sure. Probably not helpful. We need to know for each of those whether they are on the card:

  *   presence of key pairs
  *   presence of CHUID
  *   presence of CCC

A card without key pairs can be provisioned with keys, eventually.

A card without CHUID and CCC cannot be used as a PIV card, and must have those objects written to it.

 (3) make the tool complain a bit if you try to do other things while isInitialized() returns false

Maybe.

Whether we go for a Smart Card Services patch, or a yubico-piv-tool patch (or ideally both), is probably something that you guys and the Yubico engineers need to discuss.  The patch for SCS is at least relatively "low risk", given that I have only needed to add an: if (xxx) {currentBehaviour} else {do something new}.

Maybe...

P.S.  Is there a good tool in OpenSC that checks to see if a PIV card is OK, i.e. something that can be used for PIV card compliance unit testing?

None, to the best of my knowledge. Today you find that it is really-really not PIV-ok when “true” PIV like PIV.tokend or PKard.tokend refuse to work with it.


Subject: Re: [SmartcardServices-Users] Submitting patches for PIVToken.cpp bugs [Yubikey Neo]

It would be nice if SmartCardServices tokend could work with a card that doesn't have a CCC object in it.

In my experience, NEO (a) does not have CCC, and (b) does not perform the SELECT command properly.

One workaround I found for another tokend to work with NEO correctly was to generate a CCC object and write it to NEO using piv-tool from OpenSC package.

--
Uri Blumenthal
uri at mit.edu
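As an added illustration of the per-object check discussed in the thread (keys, CHUID and CCC reported separately, with missing CHUID/CCC meaning "not usable as PIV" rather than merely "blank"), here is a small Python model. It is not code from the thread, yubico-piv-tool or SmartCardServices; the card is a constructed in-memory stand-in for a PC/SC transport, and the data-object tags and status words come from NIST SP 800-73 / ISO 7816 rather than from the page.

```python
# Added example: model the per-object PIV presence check against a constructed
# in-memory card instead of a real reader. Tags/status words are standard values.
PIV_OBJECTS = {  # NIST SP 800-73 data-object tags (not taken from the thread)
    "CHUID": bytes.fromhex("5FC102"),
    "CCC": bytes.fromhex("5FC107"),
    "PIV_AUTH_CERT": bytes.fromhex("5FC105"),  # stands in for "key pair present"
}
SW_OK = 0x9000         # command completed successfully
SW_NOT_FOUND = 0x6A82  # referenced data object not found

def build_get_data(tag: bytes) -> bytes:
    """GET DATA APDU (CLA 00, INS CB, P1P2 3FFF) carrying a 5C tag list."""
    body = b"\x5c" + bytes([len(tag)]) + tag
    return bytes([0x00, 0xCB, 0x3F, 0xFF, len(body)]) + body

class FakeCard:
    """Constructed stand-in for a card: answers GET DATA from a dict of objects."""
    def __init__(self, objects: dict):
        self.objects = objects
    def transmit(self, apdu: bytes) -> tuple:
        assert apdu[:4] == b"\x00\xcb\x3f\xff" and apdu[5] == 0x5C
        tag = apdu[7:7 + apdu[6]]
        if tag in self.objects:
            return self.objects[tag], SW_OK
        return b"", SW_NOT_FOUND

def object_present(card, name: str) -> bool:
    """True if GET DATA succeeds, False on 6A82; any other SW is an error."""
    _, sw = card.transmit(build_get_data(PIV_OBJECTS[name]))
    if sw == SW_OK:
        return True
    if sw == SW_NOT_FOUND:
        return False
    raise RuntimeError(f"unexpected status {sw:04X} reading {name}")

def piv_status(card) -> dict:
    """Report each object separately: a card without key material is merely
    unprovisioned, a card without CHUID or CCC cannot be used as a PIV card."""
    present = {name: object_present(card, name) for name in PIV_OBJECTS}
    missing_mandatory = [n for n in ("CHUID", "CCC") if not present[n]]
    return {
        "present": present,
        "piv_usable": not missing_mandatory,
        "missing_mandatory": missing_mandatory,
        "blank": not any(present.values()),
    }
```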
