PIV detection of AID using Discovery Object before doing select AID - Partial Fix #1243 #1256
Merged
Commits on Feb 22, 2018
Yubico PIV application fixed CI_VERIFY_LC0_FAIL in version 4.3.2
Also add PIV card types to sc_pkcs15_is_emulation_only.

On branch piv-aid-discovery
Changes to be committed:
modified: src/libopensc/card-piv.c
modified: src/libopensc/pkcs15-syn.c
Commit 8cc0c39
PIV detection of AID using Discovery Object before doing select AID
Many OpenSC drivers try to detect during match whether the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state.

The card-piv.c will now use GET DATA to read the PIV Discovery Object '7E', which is an ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the default application, but Yubico does not follow this. Only if the command fails will a SELECT AID be done. Thus this can avoid the Yubico problem.

This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was added in piv_card_reader_lock_obtained to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive that the card was reset will do all of the above logic, and may leave the card in a state that will cause other programs to not have to do much at all.

The intent of all of this is to avoid sending extra commands to the card, including SELECT AID, that could change the card state when not needed.

On branch piv-aid-discovery
Changes to be committed:
modified: card-piv.c
Commit 3fea6b7
Inform pkcs15 and card drivers of PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC)
Framework-pkcs15.c will now set pin_info->auth_method to SC_AC_CONTEXT_SPECIFIC. iso7816.c iso7816_build_pin_apdu treats this the same as SC_AC_CHV. card-piv.c piv_pin_cmd sets priv->xcontext_specific=1 and calls sc_lock before the verify command. If the verify fails, sc_unlock is called. Later, after the next card command returns, if priv->context_specific==1, piv_check_sw will call sc_unlock, as the application may not have requested the crypto but some other command.

Some additional calls to sc_lock and sc_unlock have been added to make sure PIV internal command sequences, including the crypto command ('87') and any get responses, are always protected by a lock. This guarantees the card is locked for verify and the next command, which should be the crypto operation. The PIV card also enforces this restriction on the card.

This is based on suggestions in: https://github.com/OpenSC/pull/1256#issuecomment-361975751

On branch piv-aid-discovery
Changes to be committed:
modified: src/libopensc/card-piv.c
modified: src/libopensc/iso7816.c
modified: src/libopensc/types.h
modified: src/pkcs11/framework-pkcs15.c
Commit 27add2e
Some CAC / PIV cards do not support Discovery Object
Some CAC cards return '6A80' Incorrect parameters in APDU when trying to read the Discovery object. If it fails with anything other than not found, then we can not use the Discovery object to test for the active AID. The test is done in piv_match_card just after doing a SELECT AID for the PIV, and sets CI_DISCOVERY_USELESS if needed. piv_card_reader_lock_obtained will then not use the Discovery object.

Some older PIV cards, prior to the introduction of the PIV Discovery and History objects, may get errors trying to read them. Ignore these errors too.

Remove comment and remove code to check verify Lc=0 as requested in: OpenSC#1256 (review). They can easily be added back in.

On branch piv-aid-discovery
Changes to be committed:
modified: src/libopensc/card-piv.c
Commit efe7eb5
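As an added illustration (not OpenSC's code) of the check described in the commits above (3fea6b7 and efe7eb5): classify one GET DATA response for the Discovery Object, treating '6A82' as "not found" (fall back to SELECT AID), any other error such as the '6A80' some CAC cards return as "Discovery object useless", and a good response as either "PIV is the active application" or "some other AID". The PIV AID bytes and the inner tags 4F (AID) and 5F2F (PIN usage policy) are taken from NIST SP 800-73 as I recall them and should be treated as assumptions; the sample responses are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Outcome of one GET DATA for the Discovery Object (tag 7E). */
enum disco_result {
    DISCO_PIV_ACTIVE,   /* template carries the PIV AID: no SELECT AID needed */
    DISCO_OTHER_AID,    /* well-formed template for some other application */
    DISCO_NOT_FOUND,    /* SW 6A82: object absent, fall back to SELECT AID */
    DISCO_USELESS       /* any other error (e.g. 6A80) or malformed data */
};
/* PIV Card Application AID as I recall it from NIST SP 800-73 (assumption). */
static const uint8_t PIV_AID[] = {0xA0, 0x00, 0x00, 0x03, 0x08,
                                  0x00, 0x00, 0x10, 0x00, 0x01, 0x00};
/* Constructed sample responses, not captured from a real card. */
static const uint8_t SAMPLE_PIV_DISCO[] = {
    0x7E, 0x12, 0x4F, 0x0B, 0xA0, 0x00, 0x00, 0x03, 0x08, 0x00, 0x00, 0x10,
    0x00, 0x01, 0x00, 0x5F, 0x2F, 0x02, 0x40, 0x00 };
static const uint8_t SAMPLE_OTHER_DISCO[] = {
    0x7E, 0x07, 0x4F, 0x05, 0xA0, 0x00, 0x00, 0x03, 0x09 };
/* Classify status word plus response data so the caller can decide whether a
 * SELECT AID is needed at all. Only short-form BER lengths are handled, which
 * is enough for the Discovery Object. */
static enum disco_result disco_classify(uint8_t sw1, uint8_t sw2,
                                        const uint8_t *rsp, size_t len)
{
    if (sw1 == 0x6A && sw2 == 0x82)           /* not found: card has no 7E */
        return DISCO_NOT_FOUND;
    if (sw1 != 0x90 || sw2 != 0x00)           /* 6A80 etc.: stop using 7E */
        return DISCO_USELESS;
    if (len < 2 || rsp[0] != 0x7E || rsp[1] > 0x7F || (size_t)rsp[1] + 2 > len)
        return DISCO_USELESS;                 /* outer template malformed */
    const uint8_t *p = rsp + 2, *end = p + rsp[1];
    while (end - p >= 2) {                    /* walk inner TLVs for tag 4F */
        size_t hdr = 2, tlen = p[1];
        if (p[0] == 0x5F) {                   /* two-byte tag, e.g. 5F2F */
            if (end - p < 3) return DISCO_USELESS;
            hdr = 3; tlen = p[2];
        }
        if (tlen > 0x7F || (size_t)(end - p) < hdr + tlen) return DISCO_USELESS;
        if (p[0] == 0x4F)                     /* application identifier */
            return (tlen == sizeof PIV_AID && memcmp(p + hdr, PIV_AID, tlen) == 0)
                   ? DISCO_PIV_ACTIVE : DISCO_OTHER_AID;
        p += hdr + tlen;
    }
    return DISCO_USELESS;                     /* template without an AID */
}
```

A driver would call this once after the GET DATA and send SELECT AID only for DISCO_NOT_FOUND or DISCO_OTHER_AID, remembering DISCO_USELESS so the object is not queried again.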
Requested changes to not rely on success of *_match_card being followed by *_init
As requested and as the alternative solution, see: OpenSC#1256 (comment)

In order to not pass a card lock and the card->drv_data from piv_match_card, piv_match_card is split in 2 parts. The piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to signal to sc_connect_card to look for additional drivers.

Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues.

On branch piv-aid-discovery
Changes to be committed:
modified: src/libopensc/card-piv.c
Commit aee62c7
Commits on Feb 28, 2018
PIV completely separate piv_match_card from piv_init
In order to satisfy some concerns over the use of <card>_match_card and <card>_init, this modification will do that at the cost of additional overhead of repeating some card commands. Hopefully this commit will not be needed.

On branch piv-aid-discovery
Changes to be committed:
modified: card-piv.c
Commit 4222036