-
Notifications
You must be signed in to change notification settings - Fork 711
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSC card-opengpg.c not selecting AID correctly #1230
Comments
card-openpgp.c in In The simple fix:
introduces a memory leak of the sc_file and does not try and get the full AID like in @frankmorgner it looks like you added the original code in d20290d2 The problem may be shown up now with newer Yubikey tokens that come with both PIV and OpenPGP applets and the PIV is the default applet on power up and the user wants to use the OpenSC openpgp driver. Future issue: |
Just tested with your patch, configuration
Thank you for having a look into that! |
OK, things are looking better. We know how to do a SELECT AID correctly in the OpenSC OpenPGP driver now. But there are more issues with a multi applet tokens such as Yubikey with PIV and OpenPGP applets. Only one appet can be active at a time. Switching between applets using SELECT AID can cause the login state for the deselected applet to be lost. The switching may be caused be some other user application and middleware OpenSC, OpenPGP, scdeamon, tokend, some Java or python based piece of software. They all need to be aware of this. P11-kit or Mozilla's NSS loading for example OpenPGP's pkcs#11 and Yubico's pkcs#11 module for PIV may end up interfering with each other as they both will need to do a SELECT AID for their applet to the token. PCSC's SCardConnect SCARD_SHARE_EXCLUSIVE can be used to make sure no other application cause a different applet to be selected. But holding on in exclusive mode for along time defeats the purpose of having multiple applets on the same device. The first running application that requests access to the card will lock out all other applications, and is not what the user expects. To determine if an applet is usable, or its serial number requires access to the token, and may require a SELECT AID. To work in a SCARD_SHARE_SHARED environment, requires the each piece of middleware expect that some other piece of middleware may have done a SELECT AID for a different applet, and thus it should be ready to do a SELECT AID for its applet and maybe a verify. The OpenSC card-piv.c tries to do this PCSC did not go far enough. It can report a card reset, of disconnect, but not a change in AID. And all the above assumes the applications are using PCSC. If the token is accessed some other way its not clear. Some careful examination of the EF.DIR might be in order. But standards like NIST 800-73 and OpenPGP lists the commands they support, including SELECT AID but do not require an EF.DIR, or require commands to support for a file system, so there may be tokens without an EF.DIR. Some careful examination of the EF.DIR might be in order. But standards like NIST 800-73 and OpenPGP lists the commands they support, but do not require an EF.DIR, or support for a file system, so there may be tokens without an EF.DIR. (TODO look if OpenSC could try and read the EF.DIR and pass it to the card drivers during the card match. This could avoid doing a SELECT AID and interfering with some other middleware. Needless to say, this is a can of worms. All the different middleware assume one applet (theirs) is the only applet on the token, and they can have exclusive access. Only when all the middleware addresses the use of multiple applets on a token, where the user wants to use more then one applet will this get resolved. Maybe Yubico could resolve this on the next Yubikey release, by placing each applet in its own device so they appear as independent CCID USB devices. They already make the Yubikey look like different devices, CCID being one of them. |
Loading the Yubico pkcs11 module is probably the worst idea one can do, since it is very broken and nobody touches the issues reported years ago on github: I would not consider it public PKCS#11 module, but just internal library for Thank you for the verbose analysis. It clearly makes and I believe we already mentioned that using two independent CCID USB devices would be much less troublesome. Did you already try to contact yubico in this matter? |
The comment about using the Yubico PKCS#11 with p11-kit was an example of unintended interference. OpenSC has the additional problem of only using one driver per card set via opensc.conf. It would take some work to get it to support the PIV and OpenPGP applets at the same time on the same card. I sent a note today to [email protected] (which may not be active any more) and Klas Lindfors and Simon Josefsson. Who appear to still be with Yubico. If you are anyone else have contracts at Yubico or a better way to send suggestions, let me know |
@frankmorgner @Jakuje @mouse07410 or any other developer interested in Yubikey making the changes needed in card-openpgp.c? |
I concur. That module is semi-useable at best, and exists only because some Yubikey-specific initialization parameters (like, generating a private key that requires touching the Yubikey touch-pad to allow an operation with it) aren't currently supported by OpenSC pkcs11 library.
I added it to p11-kit for the sake of completeness, but don't really use it.
Correct.
Yes. Could you briefly summarize what the exact message/request to Yubico should be? |
While addressing the email:
Re: [Opensc-devel] OpenSC and Yubikey 4 (OpenPGP)
The following problem was found:
card-openpgp.c tries to select the OpenPGP AID by sending:
00 A4 04 0C 06 D2 76 00 01 24 01
Note: P2='0C'ISO/CEI 7816-4:2013 says:
"12.2.5.2 Application selection using AID as DF name
A multi-application card shall support the SELECT command with P1='04', P2='00' and a data field containing 5 to 16 bytes with the AID of an application that may reside on the card. The command shall complete successfully if the AID of an application the card holds matches the data field."
This then fails on a Yubikey that has the PIV applet selected or selected by default
because the select: 00 A4 04 0C does not have P2='00' and thus the card does not interpret it
as a SELECT of a different AID, but rather as a command to the current applet.
As an example using a Yubikey 4: with PIV and OpenPGP applets. The PIV applet has been selected
and
opensc-tool -s
is used to send a specific command:The Yubico does not interpret this as a SELECT for an AID:
doug@XUbuntu-16:/tmp$ opensc-tool -s "00 A4 04 0C 06 D2 76 00 01 24 01"
Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 00 00
Sending: 00 A4 04 0C 06 D2 76 00 01 24 01
Received (SW1=0x6D, SW2=0x00)
6D 00 is "Instruction code not supported or invalid" because current applet (PIV) does not support the
P2='0C' (This does not look like the correct response by teh Yubikey, but is a failure anyway.)
Sending a valid SELECT AID with P2='00' works and openpgp applet appears to be selected:
doug@XUbuntu-16:/tmp$ opensc-tool -s "00 A4 04 00 06 D2 76 00 01 24 01"
Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 00 00
Sending: 00 A4 04 00 06 D2 76 00 01 24 01
Received (SW1=0x90, SW2=0x00)
Sending either version of the command to an Oberthur PIV card which does NOT have an OpenPGP applet returns 6A 82:
"Wrong parameters P1-P2" "File or application not found" with P2='0C" or '00'
The error covers both trying to select an AID or a file in the active applet.
doug@XUbuntu-16:/tmp$ opensc-tool -s "00 A4 04 00 06 D2 76 00 01 24 01 ff"
Using reader with a card: SCM Microsystems Inc. SCR 355 [CCID Interface] 00 00
Sending: 00 A4 04 00 06 D2 76 00 01 24 01 FF
Received (SW1=0x6A, SW2=0x82)
doug@XUbuntu-16:/tmp$ opensc-tool -s "00 A4 04 0C 06 D2 76 00 01 24 01"
Using reader with a card: SCM Microsystems Inc. SCR 355 [CCID Interface] 00 00
Sending: 00 A4 04 0C 06 D2 76 00 01 24 01
Received (SW1=0x6A, SW2=0x82)
"7.3.1 Structure selection methods
Selection by DF name — A DF name may reference any DF. It is a string of up to sixteen bytes. Any application identifier (AID, see 12.2.3) may be used as DF name. In order to select unambiguously by DF name, e.g. when selecting by means of application identifiers, each DF name shall be unique within a given card.
"
The AID appears to be a valid National AID.
FIX:
card-openpgp.c or iso7816.c needs to be change to send a correct SELECT AID (P1=00 and P2=00) command when selecting an AID.
In the email Re: [Opensc-devel] OpenSC and Yubikey 4 (OpenPGP) one of the tests was to
only use the openpgp driver, and it still failed.
ISO7816 does allow for a P2='00' but not in a SELECT AID.
The text was updated successfully, but these errors were encountered: