scd:piv: Improve APT parser compatibility.

* scd/app-piv.c (app_select_piv): Allow for full AID. -- It appears that SP-800-73-x is not too clear about the format of these objects. Many current cards (such as the Yubikey 5 series) apparently have only the PIX in DO 0x4F and only the RID in object 0x79/0x4F. However, other cards as well as the PivApplet Javacard applet have the full AID in 0x4F (which actually seems closer to what the standard says). PivApplet also has the full AID in 0x79/0x4F, but this is probably incorrect. (Here is a long discussion of the matter from an OpenSC author: arekinath/PivApplet#43 (comment)) [Taken from a mail to gnupg-devel date 2021-02-03.] Signed-off-by: Werner Koch <wk@gnupg.org>
gpg · Mar 11, 2021 · 8cad11d · 8cad11d
1 parent 6976a70
commit 8cad11d
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/doc/HACKING b/doc/HACKING
@@ -3,6 +3,7 @@
 #+TEXT: Some notes on GnuPG internals
 #+STARTUP: showall
 #+OPTIONS: ^:{}
+# Note: This might be a copy; the original lives in gnupg/doc/HACKING.
 
 * How to contribute
 

diff --git a/scd/app-piv.c b/scd/app-piv.c
@@ -3641,20 +3641,23 @@ app_select_piv (app_t app)
     }
 
   s = find_tlv (apt, aptlen, 0x4F, &n);
-  if (!s || n != 6 || memcmp (s, piv_aid+5, 4))
+  /* Some cards (new Yubikey) return only the PIX, while others
+   * (old Yubikey, PivApplet) return the RID+PIX. */
+  if (!s || !((n == 6 && !memcmp (s, piv_aid+5, 4))
+              || (n == 11 && !memcmp (s, piv_aid, 9))))
     {
       /* The PIX does not match.  */
       log_error ("piv: missing or invalid DO 0x4F in APT\n");
       err = gpg_error (GPG_ERR_CARD);
       goto leave;
     }
-  if (s[4] != 1 || s[5] != 0)
+  if (s[n-2] != 1 || s[n-1] != 0)
     {
       log_error ("piv: unknown PIV version %u.%u\n", s[4], s[5]);
       err = gpg_error (GPG_ERR_CARD);
       goto leave;
     }
-  app->appversion = ((s[4] << 8) | s[5]);
+  app->appversion = ((s[n-2] << 8) | s[n-1]);
 
   s = find_tlv (apt, aptlen, 0x79, &n);
   if (!s || n < 7)
@@ -3664,7 +3667,9 @@ app_select_piv (app_t app)
       goto leave;
     }
   s = find_tlv (s, n, 0x4F, &n);
-  if (!s || n != 5 || memcmp (s, piv_aid, 5))
+  /* Some cards may also return the full AID instead of just
+   * the 5-byte RID here. */
+  if (!s || !(n == 5 || n == 11) || memcmp (s, piv_aid, 5))
     {
       /* The RID does not match.  */
       log_error ("piv: missing or invalid DO 0x79.4F in APT\n");