Merge remote-tracking branch 'origin/private/chuid-parse' into ykcs11…

…_improvements
Yubico · Jan 27, 2020 · e4b4eb4 · e4b4eb4
2 parents c7561bd + 8add7fe
commit e4b4eb4
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 7 deletions.
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -0,0 +1,37 @@
+name: static code analysis
+
+on:
+  push:
+  schedule:
+    - cron: '0 0 * * 1'
+
+env:
+  SCAN_IMG:
+    yes-docker-local.artifactory.in.yubico.org/static-code-analysis/c:v1
+  PVS_IGNORE_WARNINGS: "V1037,V1048"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@master
+
+    - name: Prep scan
+      run: |
+        docker login yes-docker-local.artifactory.in.yubico.org/ \
+             -u svc-static-code-analysis-reader \
+             -p ${{ secrets.ARTIFACTORY_READER_TOKEN }}
+        docker pull ${SCAN_IMG}
+
+    - name: Scan but do not fail on warnings
+      run: |
+        docker run -v${PWD}:/k -e COMPILE_DEPS="${COMPILE_DEPS}" \
+          -e PROJECT_NAME=${GITHUB_REPOSITORY#Yubico/} \
+          -e PVS_IGNORE_WARNINGS=${PVS_IGNORE_WARNINGS} -t ${SCAN_IMG} || true
+
+    - uses: actions/upload-artifact@master
+      if: failure()
+      with:
+        name: suppression_files
+        path: suppression_files
diff --git a/doc/Attestation.adoc b/doc/Attestation.adoc
@@ -34,3 +34,8 @@ Now we're ready to verify the attestation:
   $ yubico-piv-tool --action=attest --slot=9a > attestation.pem
   $ openssl verify -CAfile certs.pem attestation.pem
   attestation.pem: OK
+
+[NOTE]
+====
+The above OpenSSL command doesn't work with OpenSSL 1.1.0 and newer with YubiKey 4. To verify certificate chains for such devices, see link:https://support.yubico.com/support/solutions/articles/15000013406-piv-attestation-verification-fails-with-openssl-1-1-0[PIV Attestation Verification Fails with OpenSSL 1.1.0].
+====
diff --git a/lib/util.c b/lib/util.c
@@ -63,6 +63,7 @@ const uint8_t CHUID_TMPL[] = {
   0x31, 0x30, 0x31, 0x3e, 0x00, 0xfe, 0x00,
 };
 #define CHUID_GUID_OFFS 29
+#define TAG_CHUID_UUID 0x34
 
 // f0: Card Identifier
 //  - 0xa000000116 == GSC-IS RID
@@ -97,20 +98,45 @@ ykpiv_rc ykpiv_util_get_cardid(ykpiv_state *state, ykpiv_cardid *cardid) {
   ykpiv_rc res = YKPIV_OK;
   uint8_t buf[CB_OBJ_MAX];
   size_t len = sizeof(buf);
+  uint8_t *p_temp = NULL;
+  size_t cb_temp = 0;
+  uint8_t tag = 0;
 
   if (!cardid) return YKPIV_GENERIC_ERROR;
 
   if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
   if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
 
-  res = _ykpiv_fetch_object(state, YKPIV_OBJ_CHUID, buf, (unsigned long *)&len);
-  if (YKPIV_OK == res) {
-    if (len != sizeof(CHUID_TMPL)) {
-      res = YKPIV_GENERIC_ERROR;
-    }
-    else {
-      memcpy(cardid->data, buf + CHUID_GUID_OFFS, YKPIV_CARDID_SIZE);
+  if ((res = _ykpiv_fetch_object(state, YKPIV_OBJ_CHUID, buf, (unsigned long *)&len)) == YKPIV_OK) {
+    p_temp = buf;
+
+    while (p_temp < (buf + len)) {
+      tag = *p_temp++;
+
+      if (!_ykpiv_has_valid_length(p_temp, (buf + len - p_temp))) {
+        res = YKPIV_SIZE_ERROR;
+        goto Cleanup;
+      }
+
+      p_temp += _ykpiv_get_length(p_temp, &cb_temp);
+
+      if (tag == TAG_CHUID_UUID) {
+        /* found card uuid */
+        if (cb_temp < YKPIV_CARDID_SIZE) {
+          res = YKPIV_SIZE_ERROR;
+          goto Cleanup;
+        }
+
+        res = YKPIV_OK;
+        memcpy(cardid->data, p_temp, YKPIV_CARDID_SIZE);
+        goto Cleanup;
+      }
+
+      p_temp += cb_temp;
     }
+
+    /* not found, not malformed */
+    res = YKPIV_GENERIC_ERROR;
   }
 
 Cleanup: