Update the ATR table for PIV/CAC matrix to 2019-10-18 version:
https://www.cac.mil/Portals/53/Documents/DoD%20Token%20utilziation%20and%20variation%20matrix%20v2_06_17October2019.docx?ver=2019-10-18-102519-120
Also updated the table for several PivKey cards, and added the ATR for IDEMIA PIV 2.4.1.
But did not update for use of SM or VCI.
Yubico changed the ATR historical data for the Yubikey 5 NFC. Code was added to recognize
it when used with USB or NFC.
Note: the Yubikey 5 NFC, when used over NFC, can't use the touch policy. The NFC reader may not provide
enough power to power the LED on the button.
On branch PIV-update-DOD-Yubikey
Changes to be committed:
modified: card-piv.c
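The ATR-table change above keys card recognition on the historical bytes of the ATR, so a vendor revising those bytes (as described for the Yubikey 5 NFC) silently breaks an exact-match entry. The following is an added example, not OpenSC code and not card-piv.c's table format: it parses an ISO 7816-3 ATR into interface bytes, historical bytes and TCK, verifies the TCK, and matches the ATR against a small table whose entries may mask out bytes that are allowed to vary. The mask-based matching scheme and every ATR in the block are constructed for illustration; none is a real product's ATR.

```python
"""Added example, not OpenSC code: parse an ISO 7816-3 ATR into its interface
bytes, historical bytes and TCK, then match it against a small table in
which each entry may mask out bytes that are allowed to vary (the matching
scheme is an assumption for illustration, not card-piv.c's table format).
Every ATR below is constructed for the example; none is a real product's."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Atr:
    ts: int                      # 0x3B direct / 0x3F inverse convention
    interface: Dict[str, int]    # e.g. {"TD1": 0x80, "TD2": 0x01}
    protocols: List[int]         # T values announced by the TDi bytes
    historical: bytes
    tck: Optional[int]           # None when the card offers only T=0
    tck_ok: bool                 # XOR of T0..TCK must be zero


def parse_atr(raw: bytes) -> Atr:
    if len(raw) < 2 or raw[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: bad TS byte")
    t0 = raw[1]
    k, y = t0 & 0x0F, t0 >> 4    # K historical bytes, Y1 presence bits
    pos, i = 2, 1
    interface: Dict[str, int] = {}
    protocols: List[int] = []
    while True:
        for bit, name in ((0x1, "TA"), (0x2, "TB"), (0x4, "TC"), (0x8, "TD")):
            if y & bit:
                if pos >= len(raw):
                    raise ValueError("ATR truncated inside interface bytes")
                interface[f"{name}{i}"] = raw[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:           # no TDi => no further interface bytes
            break
        protocols.append(td & 0x0F)
        y, i = td >> 4, i + 1
    historical = raw[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated inside historical bytes")
    pos += k
    tck, tck_ok = None, True
    if any(p != 0 for p in protocols):   # TCK is present iff some T != 0
        if pos >= len(raw):
            raise ValueError("ATR missing TCK")
        tck = raw[pos]
        pos += 1
        x = 0
        for b in raw[1:pos]:     # T0 .. TCK inclusive, TS excluded
            x ^= b
        tck_ok = x == 0
    if pos != len(raw):
        raise ValueError("trailing bytes after ATR")
    return Atr(raw[0], interface, protocols, historical, tck, tck_ok)


# (name, ATR hex, mask hex or None for exact match); 0x00 mask bytes are wildcards
AtrTable = List[Tuple[str, str, Optional[str]]]


def match_atr(raw: bytes, table: AtrTable) -> Optional[str]:
    for name, atr_hex, mask_hex in table:
        pattern = bytes.fromhex(atr_hex)
        if len(pattern) != len(raw):
            continue
        mask = bytes.fromhex(mask_hex) if mask_hex else b"\xff" * len(pattern)
        if all((a & m) == (p & m) for a, p, m in zip(raw, pattern, mask)):
            return name
    return None


# Constructed ATRs: TD1=0x80 (T=0), TD2=0x01 (T=1), nine historical bytes, TCK.
ATR_V1 = bytes.fromhex("3b 89 80 01 53 61 6d 70 6c 65 43 6f 31 33")  # "SampleCo1"
ATR_V2 = bytes.fromhex("3b 89 80 01 53 61 6d 70 6c 65 43 6f 32 30")  # "SampleCo2"
ATR_T0 = bytes.fromhex("3b 02 41 42")                                # T=0 only, no TCK

EXACT_TABLE: AtrTable = [("samplecard-v1", ATR_V1.hex(), None)]
# Wildcard the last historical byte; the TCK must be wildcarded with it,
# because it is recomputed whenever any historical byte changes.
MASKED_TABLE: AtrTable = [("samplecard-any", ATR_V1.hex(), "ff" * 12 + "0000")]

if __name__ == "__main__":
    for raw in (ATR_V1, ATR_V2, ATR_T0):
        a = parse_atr(raw)
        print(raw.hex(), a.protocols, a.historical, a.tck_ok,
              match_atr(raw, EXACT_TABLE), match_atr(raw, MASKED_TABLE))
```

The point of the masked entry is the caveat a practitioner runs into: if a table entry tolerates a revision in the historical bytes, it must also ignore the TCK byte, since the checksum changes with them; an entry that masks only the historical byte still fails to match the revised card.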
The previous erase sequence did not always work. For example:
% pkcs15-init -C
Using reader with a card: Feitian ePass2003 00 00
New User PIN.
Please enter User PIN: 1234
Please type again to verify: 1234
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Failed to create PKCS #15 meta structure: Security status not satisfied
% pkcs15-init -E
Using reader with a card: Feitian ePass2003 00 00
Failed to erase card: Security status not satisfied
This apparently bricked many people's ePass2003 devices:
https://github.com/OpenSC/OpenSC/issues/767
https://sourceforge.net/p/opensc/mailman/message/33621883/
https://github.com/OpenSC/OpenSC/wiki/Feitian-ePass2003
Feitian provided a proprietary binary blob called `FIX_TOOL' to recover
devices from this state, but declined to offer source code when asked:
https://download.ftsafe.com/files/ePass/Fix_Tool.tar.gz
https://download.ftsafe.com/files/reader/SDK/Fix_Tool_20200604.zip
With reverse-engineering help by Saleem Rashid (@saleemrashid on
Github), I was able to find the sequence of three APDUs that the tool
submits to the device to erase it. The mechanism seems to be:
1. Install a magic PIN. This is like install_secret_key, as used by
internal_install_pin, but with a few different magic constants.
2. Verify the magic PIN.
3. Delete the MF file, without selecting anything first.
With this patch, `pkcs15-init -E' successfully erases my ePass2003, and
I am able to initialize it with `pkcs15-init -C -p pkcs15+onepin' if I
set both a user pin and a PUK. (This patch does not prevent the
ePass2003 from getting into the state which could not be erased by the
old erase sequence.)
* add comment labels to steps
* DRY-out lib copy and config file install (one-shot for-loop giving cleaner control flow)
* change mv to cp during config file install to enable simpler UNIXier mod check in future (diff opensc.conf{,.orig})
* remove refs to man pages during symlink step
* carefully remove the glob character symlinks described in #2092
* shellcheck-recommended quoting
Fix various spelling errors, mostly in comments but also in texts displayed.
Errors found & interactively fixed using 'codespell', with additional manual
checks after the fixes.
Have do_asn1() accept an optional parameter indicating a record number.
If this is given and the file is a record-oriented file, then ASN.1-decode
the record requested.
Have do_cat() accept an optional second parameter indicating a record number.
If this is given and the file is a record-oriented file, only print the record
requested.
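To show what a record-number argument to do_asn1() buys, here is an added example (not OpenSC code and not opensc-explorer's implementation): a minimal BER-TLV decoder applied to exactly one record of a record-oriented file. The records are constructed for the example, and the 1-based record numbering (as in ISO 7816-4 READ RECORD) is an assumption made here, not something the commit message states.

```python
"""Added example, not OpenSC code: decode one record of a record-oriented
file as BER-TLV, the way a record argument to do_asn1() would select it.
The records are constructed for the example; the record-number convention
(1-based, as in ISO 7816-4 READ RECORD) is an assumption stated here."""
from typing import List, Tuple, Union

TlvNode = Tuple[int, Union[bytes, "TlvTree"]]
TlvTree = List[TlvNode]


def _read_tag(data: bytes, pos: int) -> Tuple[int, int, bool]:
    """Return (tag, next pos, constructed?).  Multi-byte tags keep all bytes
    in the int, e.g. 5F 2D -> 0x5F2D."""
    first = data[pos]
    tag, pos = first, pos + 1
    if first & 0x1F == 0x1F:
        while True:
            b = data[pos]
            tag, pos = (tag << 8) | b, pos + 1
            if not b & 0x80:
                break
    return tag, pos, bool(first & 0x20)


def _read_length(data: bytes, pos: int) -> Tuple[int, int]:
    first = data[pos]
    pos += 1
    if first < 0x80:                  # short form
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4:               # indefinite or absurd length
        raise ValueError(f"unsupported length byte {first:#x}")
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def decode_tlv(data: bytes) -> TlvTree:
    """Recursively decode BER-TLV; 0x00/0xFF between objects are padding."""
    out: TlvTree = []
    pos = 0
    while pos < len(data):
        if data[pos] in (0x00, 0xFF):
            pos += 1
            continue
        tag, pos, constructed = _read_tag(data, pos)
        length, pos = _read_length(data, pos)
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"tag {tag:#x}: value truncated")
        pos += length
        out.append((tag, decode_tlv(value) if constructed else value))
    return out


def decode_record(records: List[bytes], rec_no: int) -> TlvTree:
    """Like 'asn1 <file> <rec>': pick one record, then decode only that one."""
    if not 1 <= rec_no <= len(records):
        raise IndexError(f"record {rec_no} out of range 1..{len(records)}")
    return decode_tlv(records[rec_no - 1])


# Constructed record-oriented file with three records.
RECORDS = [
    bytes.fromhex("30 0a 04 03 41 42 43 02 03 01 00 01"),    # SEQUENCE{OCTET STRING "ABC", INTEGER 65537}
    bytes.fromhex("61 0b 4f 05 a0 00 00 03 08 50 02 50 49"),  # application template: AID (4F), label (50)
    bytes.fromhex("04 02 68 69 ff ff"),                       # OCTET STRING "hi" plus 0xFF padding
]

if __name__ == "__main__":
    for n in range(1, len(RECORDS) + 1):
        print(n, decode_record(RECORDS, n))
```

Decoding per record rather than the whole file matters because records are independent TLV streams: padding at the end of one record (record 3 above) or a truncated object in one record must not be parsed as the start of the next.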
supported by most of the card drivers and can therefore not be regarded to be
part of the public interface.
Modified the only remaining card driver that used it (authentic) to store ACLs
in a private variable.
- its definition is specific to the IAS-ECC card type
- its presence can not be assumed since it is read from non-mandatory SE type of an SDO
- it is currently not used anywhere in the code