Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now use the GET DATA to read the PIV Discovery Object '7E', which is an ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the default application, but Yubico does not follow this. Only if the command fails will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was added in piv_card_reader_lock_obtained to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive that the card was reset will do all of the above logic, and may leave the card in a state that will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card, including SELECT AID, that could change the card state when not needed.

On branch piv-aid-discovery
Changes to be committed:
modified: card-piv.c
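As an added illustration of the '7E' check the commit message describes (example code, not OpenSC's card-piv.c), the function below parses a GET DATA response for the PIV Discovery Object and reports whether the PIV AID is already the active application, so the driver can skip SELECT AID. It assumes the template layout from NIST SP 800-73 (7E containing a 4F AID and a 5F2F PIN usage policy); the three sample responses are constructed, not captured from a card.

```c
/* Added example, not OpenSC's card-piv.c. Decides from a GET DATA '7E'
 * response whether a SELECT AID can be skipped. Layout per NIST SP 800-73:
 * 7E { 4F <PIV Card Application AID>, 5F2F <PIN usage policy> }. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PIV Card Application AID (SP 800-73). */
static const uint8_t PIV_AID[] = {0xA0,0x00,0x00,0x03,0x08,0x00,0x00,0x10,0x00,0x01,0x00};

/* Constructed sample responses (not captured from a real card). */
const uint8_t SAMPLE_PIV_DISCOVERY[] = {0x7E,0x12, 0x4F,0x0B,0xA0,0x00,0x00,0x03,0x08,
    0x00,0x00,0x10,0x00,0x01,0x00, 0x5F,0x2F,0x02,0x40,0x00};
const uint8_t SAMPLE_OTHER_APP[] = {0x7E,0x07, 0x4F,0x05,0xA0,0x00,0x00,0x00,0x01};
const uint8_t SAMPLE_TRUNCATED[] = {0x7E,0x12, 0x4F,0x0B,0xA0,0x00};

/* Parse a BER-TLV length (short form or 0x81/0x82 long form).
 * Returns bytes consumed, or 0 if malformed/truncated. */
static size_t tlv_len(const uint8_t *p, size_t avail, size_t *out)
{
    if (avail >= 1 && p[0] < 0x80) { *out = p[0]; return 1; }
    if (avail >= 2 && p[0] == 0x81) { *out = p[1]; return 2; }
    if (avail >= 3 && p[0] == 0x82) { *out = ((size_t)p[1] << 8) | p[2]; return 3; }
    return 0;
}

/* Returns 1 when the discovery object names the PIV application (SELECT AID
 * can be skipped), 0 when the driver must still fall back to SELECT AID. */
int piv_discovery_has_piv_aid(const uint8_t *resp, size_t len)
{
    size_t n, tl, i, end;
    if (len < 2 || resp[0] != 0x7E) return 0;          /* not a discovery template */
    tl = tlv_len(resp + 1, len - 1, &n);
    if (tl == 0 || 1 + tl + n > len) return 0;         /* truncated: treat as failure */
    end = 1 + tl + n;
    for (i = 1 + tl; i < end; ) {                      /* walk the inner TLVs */
        size_t hdr = (resp[i] == 0x5F) ? 2 : 1;        /* 5F2F is a two-byte tag */
        size_t vl, ll;
        if (i + hdr > end) return 0;
        ll = tlv_len(resp + i + hdr, end - i - hdr, &vl);
        if (ll == 0 || i + hdr + ll + vl > end) return 0;
        if (resp[i] == 0x4F && vl == sizeof(PIV_AID) &&
            memcmp(resp + i + hdr + ll, PIV_AID, vl) == 0)
            return 1;                                  /* PIV AID found: no SELECT needed */
        i += hdr + ll + vl;
    }
    return 0;                                          /* some other application is active */
}
```

A malformed or short response is reported as 0 on purpose: the commit message's fallback (do the SELECT AID) is the safe path when the discovery object cannot be trusted.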