From: GitHub <no...@gi...> - 2018-12-27 13:25:59

Branch: refs/heads/master
Home: https://github.com/OpenSC/OpenSC

Commit: e13c0b83ef9dddb7294c10be37367071b69209f4
  https://github.com/OpenSC/OpenSC/commit/e13c0b83ef9dddb7294c10be37367071b69209f4
Author: Doug Engert <dee...@gm...>
Date: 2018-12-27 (Thu, 27 Dec 2018)

Changed paths:
  M src/libopensc/card-piv.c
  M src/libopensc/cards.h

Log Message:
-----------
PIV - Improved Card Matching for Dual CAC/PIV and PIVKEY cards.

Not all PIV applets are the same. Different versions of NIST 800-73 and improperly implemented or not implemented required features of NIST 800-73 cause problems. Have a look at the card_issues listed in card-piv.c.

The PIV driver has tried to detect the differences based on clues found in the ATR historical bytes and vendor version numbers for some cards. At the same time it has tried to support the possibility there are multiple applets on a card that the user may want to use at the same time from different applications.

This has led to some detection problems with Dual CAC/PIV cards. The same cards sold by the vendor may have only a PIV applet that may not be the same PIV applet that is on the Dual PIV/CAC cards.

http://www.cac.mil/Portals/53/Documents/CAC-utilziation-and-variation-matrix-v2.03-20May2016.doc defines a number of official CAC cards in active service. A table of the ATRs for these is now used to detect these cards. The PIV version of the CCC is also read to see if any CAC PKI objects are defined in the CCC, indicating it is a Dual CAC/PIV, even if the ATR is not listed.

A more conservative approach to try and handle multiple applets on a card is used. Based on issues with the implementation of the PIV applet this may not be possible to do. So for many cards no additional detection will be done at the start of every transaction, and the login state can not be detected correctly.

ATRs for PIVKEY are also in the match table, as these cards have a lot of issues.

Other PIV cards in the future or not yet tested may not be covered properly by this patch. Extra debugging was added with "PIV_MATCH" to help with these other cards. With "debug = 7;", `grep PIV_MATCH opensc-debug.log` can be used to see how a card type and card_issues are derived.

On branch piv-improved-matching
Changes to be committed:
  modified: card-piv.c
  modified: cards.h

Commit: 1fe1d40e3812e564ddc1667b312053354e721eb7
  https://github.com/OpenSC/OpenSC/commit/1fe1d40e3812e564ddc1667b312053354e721eb7
Author: Doug Engert <dee...@gm...>
Date: 2018-12-27 (Thu, 27 Dec 2018)

Changed paths:
  M src/libopensc/card-piv.c

Log Message:
-----------
PIV - Improved error handling of get_challenge

Random data from PIV card is obtained using GENERAL AUTHENTICATE command for a request of a Challenge from the card.

  "00 87 00 9B 04 7C 02 81 00"

Usually 8 bytes are returned. NIST 800-73-3_PART2, "A.1 Authentication of the PIV Card Application Administrator", "Table 11. Authentication of PIV Card Application Administrator" shows an example of how to do this.

Some cards (one I have: 3b:7d:96:00:00:80:31:80:65:b0:83:11:17:d6:83:00:90:00) will not allow 2 of these commands in a row. (Maybe assuming command is only used as in Table 11 and is expecting the second command.)

Code was added to card-piv.c so if "6A 80" is returned, try the command one more time. For any other GENERAL AUTHENTICATE failure, SC_ERROR_NOT_SUPPORTED is returned.

piv_get_challenge may be called within a loop from sc_get_challenge if more random data is needed, thus causing the 2 commands to be sent in a row.

On branch piv-improved-matching
Changes to be committed:
  modified: card-piv.c

Commit: a78becb76e44b804389e049a3e1d35f850f93660
  https://github.com/OpenSC/OpenSC/commit/a78becb76e44b804389e049a3e1d35f850f93660
Author: Doug Engert <dee...@gm...>
Date: 2018-12-27 (Thu, 27 Dec 2018)

Changed paths:
  M src/libopensc/card-piv.c

Log Message:
-----------
PIV - Fix blanks and use returned value

On branch piv-improved-matching
Changes to be committed:
  modified: card-piv.c

Commit: 7fbcd6e920e09461536d6824659631d6d5f91030
  https://github.com/OpenSC/OpenSC/commit/7fbcd6e920e09461536d6824659631d6d5f91030
Author: Doug Engert <dee...@gm...>
Date: 2018-12-27 (Thu, 27 Dec 2018)

Changed paths:
  M src/libopensc/card-piv.c

Log Message:
-----------
PIV - test i7e

On branch piv-improved-matching
Changes to be committed:
  modified: card-piv.c

Commit: 075cac482b2723a2267c4fcd7985eb6b82effbc7
  https://github.com/OpenSC/OpenSC/commit/075cac482b2723a2267c4fcd7985eb6b82effbc7
Author: Doug Engert <dee...@gm...>
Date: 2018-12-27 (Thu, 27 Dec 2018)

Changed paths:
  M src/libopensc/card-piv.c

Log Message:
-----------
PIV - Some VA cards have LCS = 0F Terminated

Changes to be committed:
  modified: card-piv.c

Compare: https://github.com/OpenSC/OpenSC/compare/dc505be808dc...075cac482b27

**NOTE:** This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/
Functionality will be removed from GitHub.com on January 31st, 2019.
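The get_challenge commit above describes a retry rule (resend the GENERAL AUTHENTICATE challenge request once when the card answers 6A 80, map any other failure to a not-supported error) and notes that the sc_get_challenge loop is what produces two requests in a row. The following C program is an added model of that behaviour, not OpenSC's card-piv.c code: the APDU bytes are the ones quoted in the commit message, while the fake card, its status-word sequence, the error constants and all function names are constructed for the example.

```c
/* Added example, not OpenSC code: models the challenge request, the
 * retry-once-on-6A80 rule, and a caller that loops for more bytes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed error codes (names chosen for the example, not OpenSC's values). */
#define EX_OK                0
#define EX_NOT_SUPPORTED    -1
#define EX_BUFFER_TOO_SMALL -2

/* APDU quoted in the commit: GENERAL AUTHENTICATE, algorithm 00, key 9B,
 * dynamic authentication template 7C carrying an empty challenge tag 81. */
static const uint8_t GA_CHALLENGE_APDU[] = {0x00, 0x87, 0x00, 0x9B, 0x04, 0x7C, 0x02, 0x81, 0x00};

/* Constructed fake card. mode 0: answers a request with 7C/81 + 8 bytes and
 * SW 90 00, but rejects a second request sent directly after it with 6A 80.
 * mode 1: always answers 69 82, to show the "any other failure" path. */
struct fake_card { int mode; int consecutive; uint8_t ctr; int transmits; };

static uint16_t fake_transmit(struct fake_card *c, const uint8_t *apdu, size_t apdu_len,
                              uint8_t *resp, size_t *resp_len)
{
    c->transmits++;
    *resp_len = 0;
    if (apdu_len != sizeof GA_CHALLENGE_APDU || memcmp(apdu, GA_CHALLENGE_APDU, apdu_len) != 0)
        return 0x6D00;                       /* INS not supported */
    if (c->mode == 1)
        return 0x6982;                       /* security status not satisfied */
    if (c->consecutive++ == 1) {             /* second command in a row */
        c->consecutive = 0;
        return 0x6A80;
    }
    /* Response template: 7C 0A 81 08 <8 challenge bytes> */
    resp[0] = 0x7C; resp[1] = 0x0A; resp[2] = 0x81; resp[3] = 0x08;
    for (int i = 0; i < 8; i++) resp[4 + i] = (uint8_t)(0xA0 + c->ctr++);
    *resp_len = 12;
    return 0x9000;
}

/* Pull the challenge bytes out of the 7C/81 template (single-byte lengths only). */
static int parse_challenge(const uint8_t *resp, size_t len, uint8_t *out, size_t *out_len)
{
    if (len < 4 || resp[0] != 0x7C || resp[2] != 0x81) return EX_NOT_SUPPORTED;
    size_t inner = resp[3];
    if (resp[1] != inner + 2 || len < 4 + inner) return EX_NOT_SUPPORTED;
    if (inner > *out_len) return EX_BUFFER_TOO_SMALL;
    memcpy(out, resp + 4, inner);
    *out_len = inner;
    return EX_OK;
}

/* One challenge request with the commit's rule: on 6A 80 send the command
 * once more; any other non-9000 outcome maps to EX_NOT_SUPPORTED. */
static int piv_get_challenge_model(struct fake_card *card, uint8_t *out, size_t *out_len)
{
    uint8_t resp[64];
    size_t resp_len = 0;
    uint16_t sw = 0;
    for (int attempt = 0; attempt < 2; attempt++) {
        resp_len = sizeof resp;
        sw = fake_transmit(card, GA_CHALLENGE_APDU, sizeof GA_CHALLENGE_APDU, resp, &resp_len);
        if (sw != 0x6A80) break;             /* only 6A 80 earns a retry */
    }
    if (sw != 0x9000) return EX_NOT_SUPPORTED;
    return parse_challenge(resp, resp_len, out, out_len);
}

/* Caller that wants more than one card response, like sc_get_challenge:
 * this loop is what sends the command twice in a row. */
static int get_random_model(struct fake_card *card, uint8_t *buf, size_t want)
{
    size_t have = 0;
    while (have < want) {
        uint8_t chunk[16];
        size_t n = sizeof chunk;
        int r = piv_get_challenge_model(card, chunk, &n);
        if (r != EX_OK) return r;
        if (n > want - have) n = want - have;
        memcpy(buf + have, chunk, n);
        have += n;
    }
    return EX_OK;
}

/* 24 bytes from the touchy card: 3 good answers plus 2 retried 6A 80s = 5 APDUs.
 * Returns the byte count on success, or the error code. */
static int demo_collect(void)
{
    struct fake_card card = {0, 0, 0, 0};
    uint8_t buf[24];
    int r = get_random_model(&card, buf, sizeof buf);
    return r == EX_OK ? (int)sizeof buf : r;
}

/* Number of APDUs the 24-byte collection needed (expected 5). */
static int demo_transmits(void)
{
    struct fake_card card = {0, 0, 0, 0};
    uint8_t buf[24];
    get_random_model(&card, buf, sizeof buf);
    return card.transmits;
}

/* A card that fails with something other than 6A 80 is not retried. */
static int demo_other_error(void)
{
    struct fake_card card = {1, 0, 0, 0};
    uint8_t buf[8];
    size_t n = sizeof buf;
    return piv_get_challenge_model(&card, buf, &n);
}

int main(void)
{
    printf("collected %d bytes in %d APDUs; other-error path -> %d\n",
           demo_collect(), demo_transmits(), demo_other_error());
    return 0;
}
```

The fake card deliberately fails on every second consecutive request, so asking for 24 bytes exercises the retry twice; with the retry rule in place the caller still gets its data, whereas without it the second iteration of the loop would fail on exactly the card described in the commit.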