Yubikey-Manager sends non-standard-conforming APDU for selecting data #403

Closed
ya-isakov opened this issue Apr 3, 2021 · 1 comment

ya-isakov commented Apr 3, 2021

  • YubiKey Manager (ykman) version: 4.0.0
  • How was it installed?: Gentoo ebuild
  • Operating system and version: Gentoo
  • YubiKey model and version: YubiKey 5 NFC, 5.2.4
  • Bug description summary:

I tried to find out why MR OpenSC/OpenSC#2103 is not working with YubiKey, not showing any certificates, while I can extract the certificate through ykman. I found that Yubikey-Manager uses an APDU which does not conform to https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.4.pdf, 7.2.5: it adds an additional length field.

From the standard:

CLA INS P1 P2 Lc                  Le
00  A5  00 04 06 60 04 5C 02 7F21 00

But ykman sends

CLA INS P1 P2 Lc                     Le
00  A5  00 04 07 06 60 04 5C 02 7F21 00

It seems that sending a standard-conforming APDU doesn't work.

@dainnilsson
Member

Thanks for reporting! We've confirmed that the YubiKey does not follow the specification correctly here. This will need to be changed in the YubiKey firmware before we can make any changes to this project. I've reported the issue to our firmware team.

ya-isakov added a commit to ya-isakov/OpenSC that referenced this issue Dec 25, 2023
There is a known issue with Yubikey tokens, that they're requiring
another length byte in APDU for SELECT DATA:
Yubico/yubikey-manager#403

Let's work around this, by checking return value of SELECT DATA,
and if error indicates that parameters are wrong, let's try
Yubikey-specific ones.
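
Added example (not part of the thread, and not ykman or OpenSC code): a Python sketch that builds the two SELECT DATA encodings quoted in the issue, tells them apart in a captured trace, and applies the retry-on-wrong-parameters fallback the commit message describes. The function names, the simulated card, and the use of status word 6A80 as the "wrong parameters" signal are assumptions.

```python
# Added example; helper names are hypothetical. Header bytes are those shown in the issue.
CLA, INS_SELECT_DATA, P1, P2, LE = 0x00, 0xA5, 0x00, 0x04, 0x00
SW_OK = 0x9000
# ISO 7816-4 "incorrect parameters in the command data field";
# assumed here to be the status a card returns for the rejected encoding.
SW_WRONG_DATA = 0x6A80


def tlv(tag: int, value: bytes) -> bytes:
    """Short-form TLV: one-byte tag, one-byte length below 0x80."""
    if len(value) >= 0x80:
        raise ValueError("long-form lengths are not handled in this sketch")
    return bytes([tag, len(value)]) + value


def select_data_apdu(do_tag: bytes, extra_length: bool = False) -> bytes:
    """Build SELECT DATA; extra_length=True prepends the additional length byte."""
    body = tlv(0x60, tlv(0x5C, do_tag))
    if extra_length:
        body = bytes([len(body)]) + body
    return bytes([CLA, INS_SELECT_DATA, P1, P2, len(body)]) + body + bytes([LE])


def classify(apdu: bytes) -> str:
    """Tell which of the two encodings a captured SELECT DATA APDU uses."""
    if len(apdu) < 5 or apdu[1] != INS_SELECT_DATA:
        return "not-select-data"
    lc = apdu[4]
    body = apdu[5:5 + lc]
    if lc < 3 or len(body) != lc:
        return "malformed"
    if body[0] == 0x60 and body[1] == lc - 2:
        return "standard"
    if body[0] == lc - 1 and body[1] == 0x60 and body[2] == lc - 3:
        return "extra-length"
    return "malformed"


def select_data(transmit, do_tag: bytes) -> str:
    """Try the standard form first; retry with the extra byte only on SW_WRONG_DATA."""
    for extra, name in ((False, "standard"), (True, "extra-length")):
        _, sw = transmit(select_data_apdu(do_tag, extra))
        if sw == SW_OK:
            return name
        if sw != SW_WRONG_DATA:
            break  # unrelated error: do not mask it with a retry
    raise RuntimeError(f"SELECT DATA failed, SW={sw:04X}")


def fake_card(accepted: str):
    """Constructed stand-in for a card that accepts only one encoding."""
    return lambda apdu: (b"", SW_OK if classify(apdu) == accepted else SW_WRONG_DATA)
```

Trying the standard encoding first keeps the client correct for cards that follow the specification, and limiting the retry to the wrong-parameters status avoids hiding unrelated failures such as an unmet security condition.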