Current PIV Answer to Select Parsing in piv_find_aid restricts answer to 129 bytes #2242
Comments
the relevant output from
|
I confirmed that it is working as intended when the answer to select is 129 bytes or shorter. |
By the way, the test output is from version 0.19.0 (debian10); that's why the debug output refers to https://github.com/OpenSC/OpenSC/blob/0.19.0/src/libopensc/card-piv.c#L838. This part of the code hasn't changed since, though. |
Will look at this later today. |
I see two problems. First is the input data has the first tag length wrong. It is missing an extra "81". That section of code was completely rewritten in #2053. In both cases the response is expected to fit in: SC_MAX_APDU_BUFFER_SIZE == 261 bytes. But the data returned does not look correct either. (dropped 90 00 as it is not part of the data)
61 81 4F is being interpreted as tag 61 with 1 byte length of 4F. But if you look at 61 81 as tag 61 with length 0x81, then the rest of it parses.
https://lapo.it/asn1js/ Application 1 (5 elem) The AID command is really an iso7816 select file, "8.2.2.2 Application selection using AID as DF name", which expects an "8.2.1.3 Application template". But I do not see any limitations to the size of the response in ISO 7816-4 or PIV specs. Is this a new problem with the PIV Applet? |
I also see they are using the tag AC, which is new in NIST sp800-74-4, defined in Table 5. Which says before it: PivApplet added 9 elements and added "ALL" the algorithms supported by the card. An Idemia demo card that supports SM from sp800-74-4 only adds 2 elements: sp800-73-3 does not define the "AC" tag. It looks like Idemia interpreted table 5 to be added only when SM was supported as stated in bolded line above and did not report the standard required algorithms. |
Interestingly enough, when I just fixed the ASN1 structure generated from the code of the PivApplet: relevant output:
This already returns in OpenSC/src/libopensc/card-piv.c Line 794 in f1691fc
so it doesn't hit the code point and potential bug referenced above. (This again was tested with version 0.19.0 of OpenSC from debian10.) Thanks a lot to @dengert for finding the error in the returned ASN1. I really appreciate it. I should have checked the ASN1 myself first before reporting an issue. |
If the tag lengths are correct the parsing works at OpenSC/src/libopensc/card-piv.c Line 778 in f1691fc
Then the code finds that the response looks like a PIV card because the response has the AID and returns from the function at OpenSC/src/libopensc/card-piv.c Line 794 in f1691fc
The code starting at OpenSC/src/libopensc/card-piv.c Line 804 in f1691fc
So I consider this a low-priority issue because the response was already invalid and the code will be removed by #2053 and would return at OpenSC/src/libopensc/card-piv.c Line 843 in f1691fc
|
What's the status of this topic, is there anything to do? |
#2053 fixes these problems as part of a major rewrite of card-piv.c. It will read up to SC_MAX_APDU_BUFFER_SIZE, and uses sc_asn1_find_tag to parse the response. |
Debugging some extensions to the PivApplet that further extend the answer to select (https://github.com/arekinath/PivApplet/blob/master/src/net/cooperi/pivapplet/PivApplet.java#L855) I noticed that there is a minor logic error in the code of card-piv.c (
OpenSC/src/libopensc/card-piv.c
Line 771 in 3044557
in particular:
apdu.resp[1] > apdu.resplen - 2
restricts the response length to 129 bytes, as a field larger than 127 would be coded as 81 xx or 82 xx xx instead. I guess technically, the answer could be up to SC_MAX_EXT_APDU_RESP_SIZE and even use response chaining.

The PIV specification document (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf), Section 3.1.1 of Interfaces for Personal Identity Verification – Part 2: PIV Card Application Card Command Interface, does not make any reference to a length restriction. Maybe I'm missing something else?
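A bounds-checked decoder for the length forms discussed in this thread (short form, 81 xx, 82 xx xx), applied to the tag 61 application template. This is an added example, not OpenSC code: the names ber_len, app_template_value and make_resp are hypothetical, and the sample responses are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode a BER-TLV length field. Returns bytes consumed (1..3), 0 on error.
 * A first byte >= 0x80 is a long-form marker, not the length itself. */
static size_t ber_len(const uint8_t *p, size_t avail, size_t *len)
{
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *len = p[0]; return 1; }                /* 0..127 */
    if (p[0] == 0x81 && avail >= 2) { *len = p[1]; return 2; } /* 81 xx */
    if (p[0] == 0x82 && avail >= 3) {                          /* 82 xx xx */
        *len = ((size_t)p[1] << 8) | p[2];
        return 3;
    }
    return 0; /* other length forms are not handled in this sketch */
}

/* Returns the offset of the tag-0x61 value and sets *vlen, or -1 if the
 * header is malformed or the declared length exceeds the received bytes. */
static int app_template_value(const uint8_t *resp, size_t resplen, size_t *vlen)
{
    size_t n;
    if (resplen < 2 || resp[0] != 0x61) return -1;
    n = ber_len(resp + 1, resplen - 1, vlen);
    if (n == 0 || *vlen > resplen - 1 - n) return -1;
    return (int)(1 + n);
}

/* Constructed sample: tag 0x61, correctly encoded length, vlen zero bytes. */
static size_t make_resp(uint8_t *buf, size_t vlen)
{
    size_t i = 0, k;
    buf[i++] = 0x61;
    if (vlen > 0xFF) { buf[i++] = 0x82; buf[i++] = (uint8_t)(vlen >> 8); }
    else if (vlen > 0x7F) buf[i++] = 0x81;
    buf[i++] = (uint8_t)(vlen & 0xFF);
    for (k = 0; k < vlen; k++) buf[i++] = 0x00;
    return i;
}

int main(void)
{
    uint8_t buf[261]; /* SC_MAX_APDU_BUFFER_SIZE as quoted in the thread */
    size_t vlen = 0, n = make_resp(buf, 129);
    int off = app_template_value(buf, n, &vlen);
    printf("resplen=%zu offset=%d vlen=%zu\n", n, off, vlen);
    return (off == 3 && vlen == 129) ? 0 : 1;
}
```

For a header of 61 81 4F followed by 129 bytes, as in the malformed response discussed above, this decoder reports a 0x4F-byte value and leaves trailing bytes after it, which a caller can treat as invalid data.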