DangerousThings / flexsecure-applets

Collection of JavaCard applets for the FlexSecure, as well as build and testing scripts, and documentation.
MIT License

Error when personalizing the GP installed ykhmac applet using ykman #3

Open GrimzEcho opened 6 months ago

GrimzEcho commented 6 months ago

I'm getting the following error when attempting to personalize the HMAC-SHA1 secret on a P71 chip that has the v0.18.6 YkHMAC applet installed.

File "C:\Program Files\Yubico\YubiKey Manager\pymodules\yubikit\core\smartcard.py", line 206, in send_apdu
    raise ApduError(response, sw)
yubikit.core.smartcard.ApduError: APDU error: SW=0x6c00

I am able to successfully provision the applet using the yktool.jar utility. I am also able to successfully provision the Fidesmo installed version of the applet on an Apex flex using ykman, so this appears to only be affecting the version installed via gp and the .cap file. I am using an administrative command prompt on Windows 10.

I get the same error when attempting to manually calculate a response via ykman, but it works via yktool.jar.

The chip is a P71 test card that used to be available from javacardos (it is no longer available via the website store, but the person who runs the site directed me to purchase from Alibaba instead).

Version information:

PS G:\> gp.exe --version
GlobalPlatformPro v20.01.23-0-g5ad373b
Running on Windows 10 10.0 amd64, Java 1.8.0_401 by Oracle Corporation

PS G:\> ykman.exe --version
YubiKey Manager (ykman) version: 5.0.1

YkHMACApplet.cap: v0.18.6

No other applets were installed on the card before installing HMAC. Here is the list output after the applet was installed.

PS G:\My Drive\apps\Dangerous Things\applets\v0.18.6> gp.exe --list
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
ISD: A000000151000000 (OP_READY)
     Parent:  A000000151000000
     From:    A0000001515350
     Privs:   SecurityDomain, CardLock, CardTerminate, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration

APP: D276000085304A434F900001 (SELECTABLE)
     Parent:  A000000151000000
     From:    D276000085304A434F9000
     Privs:   CardReset

APP: A000000527200101 (SELECTABLE)
     Parent:  A000000151000000
     From:    A00000052720
     Privs:

PKG: A0000001515350 (LOADED)
     Parent:  A000000151000000
     Version: -1.-1
     Applet:  A000000151535041

PKG: D276000085304A434F9000 (LOADED)
     Parent:  A000000151000000
     Version: 1.0
     Applet:  D276000085304A434F900001

PKG: A0000000620204 (LOADED)
     Parent:  A000000151000000
     Version: 1.0

PKG: A0000000620202 (LOADED)
     Parent:  A000000151000000
     Version: 1.3

PKG: A00000052720 (LOADED)
     Parent:  A000000151000000
     Version: 1.0
     Applet:  A000000527200101

Full logs starting with the install

PS G:\My Drive\apps\Dangerous Things\applets\v0.18.6> gp.exe --list
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
ISD: A000000151000000 (OP_READY)
     Parent:  A000000151000000
     From:    A0000001515350
     Privs:   SecurityDomain, CardLock, CardTerminate, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration

APP: D276000085304A434F900001 (SELECTABLE)
     Parent:  A000000151000000
     From:    D276000085304A434F9000
     Privs:   CardReset

PKG: A0000001515350 (LOADED)
     Parent:  A000000151000000
     Version: -1.-1
     Applet:  A000000151535041

PKG: D276000085304A434F9000 (LOADED)
     Parent:  A000000151000000
     Version: 1.0
     Applet:  D276000085304A434F900001

PKG: A0000000620204 (LOADED)
     Parent:  A000000151000000
     Version: 1.0

PKG: A0000000620202 (LOADED)
     Parent:  A000000151000000
     Version: 1.3

PS G:\My Drive\apps\Dangerous Things\applets\v0.18.6> gp.exe --install .\YkHMACApplet.cap
Warning: no keys given, using default test key 404142434445464748494A4B4C4D4E4F
CAP loaded

PS G:\My Drive\apps\Dangerous Things\applets\v0.18.6> ykman.exe list -r
ACS ACR1252 1S CL Reader PICC 0
ACS ACR1252 1S CL Reader SAM 0
JAVACOS Virtual Contact Reader 0
JAVACOS Virtual Contactless Reader 1
PS G:\My Drive\apps\Dangerous Things\applets\v0.18.6> ykman -l debug -r 'ACS ACR1252 1S CL Reader PICC 0' otp chalresp -f 1 '0000000001000000000200000000030000000004'
INFO 18:07:10.683 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 18:07:10.683 [ykman.logging.set_log_level:64]
#############################################################################
#                                                                           #
# WARNING: Sensitive data may be logged!                                    #
# Some personally identifying information may be logged, such as usernames! #
#                                                                           #
#############################################################################
INFO 18:07:10.683 [ykman._cli.__main__.cli:238] System info:
  ykman:            5.0.1
  Python:           3.11.1 (tags/v3.11.1:a7a450f, Dec  6 2022, 19:58:39) [MSC v.1934 64 bit (AMD64)]
  Platform:         win32
  Arch:             AMD64
  System date:      2024-03-09
  Running as admin: True
  Windows version:  (10, 0, 19045)

DEBUG 18:07:10.726 [yubikit.support.read_info:261] Attempting to read device info, using ScardSmartCardConnection
DEBUG 18:07:10.764 [yubikit.management.__init__:443] Management session initialized for connection=ScardSmartCardConnection, version=4.0.0
DEBUG 18:07:10.787 [yubikit.core.smartcard.enable_touch_workaround:150] Touch workaround enabled=False
DEBUG 18:07:10.787 [yubikit.yubiotp.__init__:739] YubiOTP session initialized for connection=ScardSmartCardConnection, version=4.0.0, state=ConfigState(configured: (False, False), touch_triggered: (False, False), led_inverted: False)
DEBUG 18:07:10.794 [yubikit.support._read_info_ccid:114] Scan for available applications...
DEBUG 18:07:10.801 [yubikit.support._read_info_ccid:122] Missing applet: aid: AID.FIDO, capability: U2F: 0x2
DEBUG 18:07:10.807 [yubikit.support._read_info_ccid:122] Missing applet: aid: b"\xa0\x00\x00\x05'\x10\x02", capability: U2F: 0x2
DEBUG 18:07:10.815 [yubikit.support._read_info_ccid:122] Missing applet: aid: AID.PIV, capability: PIV: 0x10
DEBUG 18:07:10.821 [yubikit.support._read_info_ccid:122] Missing applet: aid: AID.OPENPGP, capability: OPENPGP: 0x8
DEBUG 18:07:10.829 [yubikit.support._read_info_ccid:122] Missing applet: aid: AID.OATH, capability: OATH: 0x20
DEBUG 18:07:10.829 [yubikit.support.read_info:289] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=<DEVICE_FLAG: 0>), serial=276870963, version=Version(major=4, minor=0, patch=0), form_factor=<FORM_FACTOR.UNKNOWN: 0>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP|U2F: 3>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.OTP|U2F: 3>}, is_locked=False, is_fips=False, is_sky=False)
DEBUG 18:07:10.829 [yubikit.support.read_info:348] Device info, after tweaks: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY: 0>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.OTP|U2F: 3>}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=<DEVICE_FLAG: 0>), serial=276870963, version=Version(major=4, minor=0, patch=0), form_factor=<FORM_FACTOR.UNKNOWN: 0>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP|U2F: 3>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.OTP|U2F: 3>}, is_locked=False, is_fips=False, is_sky=False)
ERROR 18:07:10.901 [ykman._cli.__main__.main:380] An unexpected error has occured
Traceback (most recent call last):
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\ykman\_cli\__main__.py", line 364, in main
    cli(obj={})
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\click\core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\click\core.py", line 1055, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\click\core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\click\core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\click\core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\click\core.py", line 760, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\click\decorators.py", line 26, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\ykman\_cli\otp.py", line 608, in chalresp
    session = _get_session(ctx)
              ^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\ykman\_cli\otp.py", line 207, in _get_session
    return YubiOtpSession(conn)
           ^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\yubikit\yubiotp.py", line 720, in __init__
    card_protocol.select(AID.MANAGEMENT)
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\yubikit\core\smartcard.py", line 154, in select
    return self.send_apdu(0, INS_SELECT, P1_SELECT, P2_SELECT, aid)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\yubikit\core\smartcard.py", line 206, in send_apdu
    raise ApduError(response, sw)
yubikit.core.smartcard.ApduError: APDU error: SW=0x6c00

StarGate01 commented 1 month ago

Thanks for the report, I will try to reproduce the issue. The 0x6c00 response code is somewhat strange. Did you try again with the most recent version of ykman? Maybe test on Linux as well?

GrimzEcho commented 1 month ago

I downloaded v5.5.0 (2024-06-26) and tried again on Windows (with the v0.18.8 cap file). Some of the log output is more verbose/different, but I got the same error.

There's a v5.5.1 (2024-06-26) available for Linux only that I'll try tomorrow from a Debian machine.

 .\ykman.exe -l debug -r 'ACS ACR1252 1S CL Reader PICC 0' otp chalresp -f 1 '0000000001000000000200000000030000000004'
INFO 20:59:47.651 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 20:59:47.652 [ykman.logging.set_log_level:64]
#############################################################################
#                                                                           #
# WARNING: Sensitive data may be logged!                                    #
# Some personally identifying information may be logged, such as usernames! #
#                                                                           #
#############################################################################
INFO 20:59:47.652 [ykman._cli.__main__.cli:355] System info:
  ykman:            5.5.0
  Python:           3.12.4 (tags/v3.12.4:8e8a4ba, Jun  6 2024, 19:30:16) [MSC v.1940 64 bit (AMD64)]
  Platform:         win32
  Arch:             AMD64
  System date:      2024-07-22
  Running as admin: True
  Windows version:  (10, 0, 19045)

DEBUG 20:59:47.692 [yubikit.support.read_info:264] Attempting to read device info, using ScardSmartCardConnection
DEBUG 20:59:47.692 [yubikit.core.smartcard.select:417] Selecting AID: a0000005272001
DEBUG 20:59:47.711 [yubikit.core.smartcard.select:417] Selecting AID: a000000527471117
DEBUG 20:59:47.718 [yubikit.core.smartcard.select:417] Selecting AID: a0000005272001
DEBUG 20:59:47.730 [yubikit.management.__init__:558] Management session initialized for connection=ScardSmartCardConnection, version=4.0.0
DEBUG 20:59:47.734 [yubikit.core.smartcard.select:417] Selecting AID: a000000527471117
DEBUG 20:59:47.742 [yubikit.core.smartcard.select:417] Selecting AID: a0000005272001
DEBUG 20:59:47.754 [yubikit.yubiotp.__init__:752] YubiOTP session initialized for connection=ScardSmartCardConnection, version=4.0.0, state=ConfigState(configured: (False, False), touch_triggered: (False, False), led_inverted: False)
DEBUG 20:59:47.760 [yubikit.support._read_info_ccid:114] Scan for available applications...
DEBUG 20:59:47.761 [yubikit.core.smartcard.select:417] Selecting AID: a0000006472f0001
DEBUG 20:59:47.772 [yubikit.support._read_info_ccid:120] Found applet: aid: AID.FIDO, capability: U2F: 0x2
DEBUG 20:59:47.772 [yubikit.core.smartcard.select:417] Selecting AID: a0000005271002
DEBUG 20:59:47.780 [yubikit.support._read_info_ccid:120] Found applet: aid: b"\xa0\x00\x00\x05'\x10\x02", capability: U2F: 0x2
DEBUG 20:59:47.780 [yubikit.core.smartcard.select:417] Selecting AID: a000000308
DEBUG 20:59:47.787 [yubikit.support._read_info_ccid:120] Found applet: aid: AID.PIV, capability: PIV: 0x10
DEBUG 20:59:47.788 [yubikit.core.smartcard.select:417] Selecting AID: d27600012401
DEBUG 20:59:47.796 [yubikit.support._read_info_ccid:120] Found applet: aid: AID.OPENPGP, capability: OPENPGP: 0x8
DEBUG 20:59:47.796 [yubikit.core.smartcard.select:417] Selecting AID: a0000005272101
DEBUG 20:59:47.808 [yubikit.support._read_info_ccid:120] Found applet: aid: AID.OATH, capability: OATH: 0x20
DEBUG 20:59:47.808 [yubikit.support.read_info:292] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=<DEVICE_FLAG: 0>, nfc_restricted=None), serial=271016424, version=Version(major=4, minor=0, patch=0), form_factor=<FORM_FACTOR.UNKNOWN: 0>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP|U2F|OATH|PIV|OPENPGP: 59>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.OTP|U2F|OATH|PIV|OPENPGP: 59>}, is_locked=False, is_fips=False, is_sky=False, part_number=None, fips_capable=<CAPABILITY: 0>, fips_approved=<CAPABILITY: 0>, pin_complexity=False, reset_blocked=<CAPABILITY: 0>, fps_version=None, stm_version=None)
DEBUG 20:59:47.809 [yubikit.support.read_info:351] Device info, after tweaks: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY: 0>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.OTP|U2F|OATH|PIV|OPENPGP: 59>}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=<DEVICE_FLAG: 0>, nfc_restricted=None), serial=271016424, version=Version(major=4, minor=0, patch=0), form_factor=<FORM_FACTOR.UNKNOWN: 0>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP|U2F|OATH|PIV|OPENPGP: 59>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.OTP|U2F|OATH|PIV|OPENPGP: 59>}, is_locked=False, is_fips=False, is_sky=False, part_number=None, fips_capable=<CAPABILITY: 0>, fips_approved=<CAPABILITY: 0>, pin_complexity=False, reset_blocked=<CAPABILITY: 0>, fps_version=None, stm_version=None)
DEBUG 20:59:47.849 [yubikit.core.smartcard.select:417] Selecting AID: a000000527471117
ERROR 20:59:47.869 [ykman._cli.__main__.main:635] An unexpected error has occurred
Traceback (most recent call last):
  File "ykman\_cli\__main__.py", line 619, in main
  File "click\core.py", line 1157, in __call__
  File "click\core.py", line 1078, in main
  File "click\core.py", line 1688, in invoke
  File "click\core.py", line 1688, in invoke
  File "click\core.py", line 1434, in invoke
  File "click\core.py", line 783, in invoke
  File "click\decorators.py", line 33, in new_func
  File "ykman\_cli\otp.py", line 608, in chalresp
  File "ykman\_cli\otp.py", line 216, in _get_session
  File "yubikit\yubiotp.py", line 731, in __init__
  File "yubikit\core\smartcard\__init__.py", line 421, in select
  File "yubikit\core\smartcard\__init__.py", line 408, in send_apdu
yubikit.core.smartcard.ApduError: APDU error: SW=0x6c00

GrimzEcho commented 1 month ago

It gets worse .... v5.5.1 of the YubiKey CLI cannot program a secret into my Apex Flex. v5.0.1 is still working.

I get a generic 'Failed to write to the YubiKey. Make sure the device does not have restricted access (see "ykman otp --help" for more info).' I'm running in an administrative shell.

.\ykman.exe -l debug -r 'ACS ACR1252 1S CL Reader PICC 0' otp chalresp -f 1 '0000000001000000000200000000030000000004'
INFO 21:10:35.205 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 21:10:35.206 [ykman.logging.set_log_level:64]
#############################################################################
#                                                                           #
# WARNING: Sensitive data may be logged!                                    #
# Some personally identifying information may be logged, such as usernames! #
#                                                                           #
#############################################################################
INFO 21:10:35.206 [ykman._cli.__main__.cli:355] System info:
  ykman:            5.5.0
  Python:           3.12.4 (tags/v3.12.4:8e8a4ba, Jun  6 2024, 19:30:16) [MSC v.1940 64 bit (AMD64)]
  Platform:         win32
  Arch:             AMD64
  System date:      2024-07-22
  Running as admin: True
  Windows version:  (10, 0, 19045)

DEBUG 21:10:35.256 [yubikit.support.read_info:264] Attempting to read device info, using ScardSmartCardConnection
DEBUG 21:10:35.256 [yubikit.core.smartcard.select:417] Selecting AID: a0000005272001
DEBUG 21:10:35.349 [yubikit.core.smartcard.select:417] Selecting AID: a000000527471117
DEBUG 21:10:35.377 [yubikit.core.smartcard.select:417] Selecting AID: a0000005272001
DEBUG 21:10:35.430 [yubikit.management.__init__:558] Management session initialized for connection=ScardSmartCardConnection, version=4.0.0
DEBUG 21:10:35.447 [yubikit.core.smartcard.select:417] Selecting AID: a000000527471117
DEBUG 21:10:35.475 [yubikit.core.smartcard.select:417] Selecting AID: a0000005272001
DEBUG 21:10:35.528 [yubikit.yubiotp.__init__:752] YubiOTP session initialized for connection=ScardSmartCardConnection, version=4.0.0, state=ConfigState(configured: (True, False), touch_triggered: (False, False), led_inverted: False)
DEBUG 21:10:35.550 [yubikit.support._read_info_ccid:114] Scan for available applications...
DEBUG 21:10:35.551 [yubikit.core.smartcard.select:417] Selecting AID: a0000006472f0001
DEBUG 21:10:35.599 [yubikit.support._read_info_ccid:120] Found applet: aid: AID.FIDO, capability: U2F: 0x2
DEBUG 21:10:35.600 [yubikit.core.smartcard.select:417] Selecting AID: a0000005271002
DEBUG 21:10:35.629 [yubikit.support._read_info_ccid:120] Found applet: aid: b"\xa0\x00\x00\x05'\x10\x02", capability: U2F: 0x2
DEBUG 21:10:35.629 [yubikit.core.smartcard.select:417] Selecting AID: a000000308
DEBUG 21:10:35.657 [yubikit.support._read_info_ccid:120] Found applet: aid: AID.PIV, capability: PIV: 0x10
DEBUG 21:10:35.657 [yubikit.core.smartcard.select:417] Selecting AID: d27600012401
DEBUG 21:10:35.686 [yubikit.support._read_info_ccid:120] Found applet: aid: AID.OPENPGP, capability: OPENPGP: 0x8
DEBUG 21:10:35.687 [yubikit.core.smartcard.select:417] Selecting AID: a0000005272101
DEBUG 21:10:35.740 [yubikit.support._read_info_ccid:120] Found applet: aid: AID.OATH, capability: OATH: 0x20
DEBUG 21:10:35.741 [yubikit.support.read_info:292] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=<DEVICE_FLAG: 0>, nfc_restricted=None), serial=270602213, version=Version(major=4, minor=0, patch=0), form_factor=<FORM_FACTOR.UNKNOWN: 0>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP|U2F|OATH|PIV|OPENPGP: 59>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.OTP|U2F|OATH|PIV|OPENPGP: 59>}, is_locked=False, is_fips=False, is_sky=False, part_number=None, fips_capable=<CAPABILITY: 0>, fips_approved=<CAPABILITY: 0>, pin_complexity=False, reset_blocked=<CAPABILITY: 0>, fps_version=None, stm_version=None)
DEBUG 21:10:35.742 [yubikit.support.read_info:351] Device info, after tweaks: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY: 0>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.OTP|U2F|OATH|PIV|OPENPGP: 59>}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=<DEVICE_FLAG: 0>, nfc_restricted=None), serial=270602213, version=Version(major=4, minor=0, patch=0), form_factor=<FORM_FACTOR.UNKNOWN: 0>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP|U2F|OATH|PIV|OPENPGP: 59>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.OTP|U2F|OATH|PIV|OPENPGP: 59>}, is_locked=False, is_fips=False, is_sky=False, part_number=None, fips_capable=<CAPABILITY: 0>, fips_approved=<CAPABILITY: 0>, pin_complexity=False, reset_blocked=<CAPABILITY: 0>, fps_version=None, stm_version=None)
DEBUG 21:10:35.786 [yubikit.core.smartcard.select:417] Selecting AID: a000000527471117
DEBUG 21:10:35.864 [yubikit.core.smartcard.select:417] Selecting AID: a0000005272001
DEBUG 21:10:35.915 [yubikit.yubiotp.__init__:752] YubiOTP session initialized for connection=ScardSmartCardConnection, version=4.0.0, state=ConfigState(configured: (True, False), touch_triggered: (False, False), led_inverted: False)
DEBUG 21:10:35.916 [yubikit.yubiotp.put_configuration:812] Writing configuration of type HmacSha1SlotConfiguration to slot 1
DEBUG 21:10:35.917 [yubikit.yubiotp._write_config:787] Writing configuration to slot 1, access code: False
ERROR 21:10:35.950 [ykman._cli.__main__.main:635] Failed to write to the YubiKey. Make sure the device does not have restricted access (see "ykman otp --help" for more info).
Traceback (most recent call last):
  File "ykman\_cli\otp.py", line 649, in chalresp
  File "yubikit\yubiotp.py", line 816, in put_configuration
  File "yubikit\yubiotp.py", line 788, in _write_config
  File "yubikit\yubiotp.py", line 688, in write_update
  File "yubikit\core\smartcard\__init__.py", line 408, in send_apdu
yubikit.core.smartcard.ApduError: APDU error: SW=0x6700 (WRONG_LENGTH)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "ykman\_cli\__main__.py", line 619, in main
  File "click\core.py", line 1157, in __call__
  File "click\core.py", line 1078, in main
  File "click\core.py", line 1688, in invoke
  File "click\core.py", line 1688, in invoke
  File "click\core.py", line 1434, in invoke
  File "click\core.py", line 783, in invoke
  File "click\decorators.py", line 33, in new_func
  File "ykman\_cli\otp.py", line 657, in chalresp

StarGate01 commented 1 month ago

Thanks for the logfiles. I'll try to reproduce and debug the issue. If you find anything more, feel free to update this issue.

StarGate01 commented 1 month ago

Try testing without the FIDO2 applet installed; that one currently has an issue with AID scanning (see https://github.com/BryanJacobs/FIDO2Applet/pull/33).

GrimzEcho commented 1 month ago

I uninstalled all applets on the Apex Flex and reinstalled just the HMAC-SHA1 (2f2e363b), then tried to provision via ykman 5.5.0 in an administrative prompt. Same error.

Ran the same command using ykman 5.0.1 and it worked on my Apex, but still failed on my P71 test card.

.\ykman.exe -l debug -r 'ACS ACR1252 1S CL Reader PICC 0' otp chalresp -f 1 '0000000001000000000200000000030000000004'
INFO 21:50:26.415 [ykman.logging.set_log_level:60] Logging at level: DEBUG
WARNING 21:50:26.416 [ykman.logging.set_log_level:64]
#############################################################################
#                                                                           #
# WARNING: Sensitive data may be logged!                                    #
# Some personally identifying information may be logged, such as usernames! #
#                                                                           #
#############################################################################
INFO 21:50:26.417 [ykman._cli.__main__.cli:355] System info:
  ykman:            5.5.0
  Python:           3.12.4 (tags/v3.12.4:8e8a4ba, Jun  6 2024, 19:30:16) [MSC v.1940 64 bit (AMD64)]
  Platform:         win32
  Arch:             AMD64
  System date:      2024-07-23
  Running as admin: True
  Windows version:  (10, 0, 19045)

DEBUG 21:50:26.427 [yubikit.support.read_info:264] Attempting to read device info, using ScardSmartCardConnection
DEBUG 21:50:26.427 [yubikit.core.smartcard.select:417] Selecting AID: a0000005272001
DEBUG 21:50:26.509 [yubikit.core.smartcard.select:417] Selecting AID: a000000527471117
DEBUG 21:50:26.533 [yubikit.core.smartcard.select:417] Selecting AID: a0000005272001
DEBUG 21:50:26.579 [yubikit.management.__init__:558] Management session initialized for connection=ScardSmartCardConnection, version=4.0.0
DEBUG 21:50:26.595 [yubikit.core.smartcard.select:417] Selecting AID: a000000527471117
DEBUG 21:50:26.619 [yubikit.core.smartcard.select:417] Selecting AID: a0000005272001
DEBUG 21:50:26.665 [yubikit.yubiotp.__init__:752] YubiOTP session initialized for connection=ScardSmartCardConnection, version=4.0.0, state=ConfigState(configured: (False, False), touch_triggered: (False, False), led_inverted: False)
DEBUG 21:50:26.686 [yubikit.support._read_info_ccid:114] Scan for available applications...
DEBUG 21:50:26.687 [yubikit.core.smartcard.select:417] Selecting AID: a0000006472f0001
DEBUG 21:50:26.711 [yubikit.support._read_info_ccid:122] Missing applet: aid: AID.FIDO, capability: U2F: 0x2
DEBUG 21:50:26.711 [yubikit.core.smartcard.select:417] Selecting AID: a0000005271002
DEBUG 21:50:26.735 [yubikit.support._read_info_ccid:122] Missing applet: aid: b"\xa0\x00\x00\x05'\x10\x02", capability: U2F: 0x2
DEBUG 21:50:26.735 [yubikit.core.smartcard.select:417] Selecting AID: a000000308
DEBUG 21:50:26.760 [yubikit.support._read_info_ccid:122] Missing applet: aid: AID.PIV, capability: PIV: 0x10
DEBUG 21:50:26.761 [yubikit.core.smartcard.select:417] Selecting AID: d27600012401
DEBUG 21:50:26.785 [yubikit.support._read_info_ccid:122] Missing applet: aid: AID.OPENPGP, capability: OPENPGP: 0x8
DEBUG 21:50:26.786 [yubikit.core.smartcard.select:417] Selecting AID: a0000005272101
DEBUG 21:50:26.812 [yubikit.support._read_info_ccid:122] Missing applet: aid: AID.OATH, capability: OATH: 0x20
DEBUG 21:50:26.813 [yubikit.support.read_info:292] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=<DEVICE_FLAG: 0>, nfc_restricted=None), serial=284604146, version=Version(major=4, minor=0, patch=0), form_factor=<FORM_FACTOR.UNKNOWN: 0>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP|U2F: 3>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.OTP|U2F: 3>}, is_locked=False, is_fips=False, is_sky=False, part_number=None, fips_capable=<CAPABILITY: 0>, fips_approved=<CAPABILITY: 0>, pin_complexity=False, reset_blocked=<CAPABILITY: 0>, fps_version=None, stm_version=None)
DEBUG 21:50:26.813 [yubikit.support.read_info:351] Device info, after tweaks: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY: 0>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.OTP|U2F: 3>}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=<DEVICE_FLAG: 0>, nfc_restricted=None), serial=284604146, version=Version(major=4, minor=0, patch=0), form_factor=<FORM_FACTOR.UNKNOWN: 0>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.OTP|U2F: 3>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.OTP|U2F: 3>}, is_locked=False, is_fips=False, is_sky=False, part_number=None, fips_capable=<CAPABILITY: 0>, fips_approved=<CAPABILITY: 0>, pin_complexity=False, reset_blocked=<CAPABILITY: 0>, fps_version=None, stm_version=None)
DEBUG 21:50:26.865 [yubikit.core.smartcard.select:417] Selecting AID: a000000527471117
DEBUG 21:50:26.933 [yubikit.core.smartcard.select:417] Selecting AID: a0000005272001
DEBUG 21:50:26.978 [yubikit.yubiotp.__init__:752] YubiOTP session initialized for connection=ScardSmartCardConnection, version=4.0.0, state=ConfigState(configured: (False, False), touch_triggered: (False, False), led_inverted: False)
DEBUG 21:50:26.979 [yubikit.yubiotp.put_configuration:812] Writing configuration of type HmacSha1SlotConfiguration to slot 1
DEBUG 21:50:26.979 [yubikit.yubiotp._write_config:787] Writing configuration to slot 1, access code: False
ERROR 21:50:27.9 [ykman._cli.__main__.main:635] Failed to write to the YubiKey. Make sure the device does not have restricted access (see "ykman otp --help" for more info).
Traceback (most recent call last):
  File "ykman\_cli\otp.py", line 649, in chalresp
  File "yubikit\yubiotp.py", line 816, in put_configuration
  File "yubikit\yubiotp.py", line 788, in _write_config
  File "yubikit\yubiotp.py", line 688, in write_update
  File "yubikit\core\smartcard\__init__.py", line 408, in send_apdu
yubikit.core.smartcard.ApduError: APDU error: SW=0x6700 (WRONG_LENGTH)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "ykman\_cli\__main__.py", line 619, in main
  File "click\core.py", line 1157, in __call__
  File "click\core.py", line 1078, in main
  File "click\core.py", line 1688, in invoke
  File "click\core.py", line 1688, in invoke
  File "click\core.py", line 1434, in invoke
  File "click\core.py", line 783, in invoke
  File "click\decorators.py", line 33, in new_func
  File "ykman\_cli\otp.py", line 657, in chalresp
ykman._cli.util.CliFail: Failed to write to the YubiKey. Make sure the device does not have restricted access (see "ykman otp --help" for more info).
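
A triage helper for debug logs like the ones in this thread, as an added example that is not part of the original issue or of ykman/yubikit: it extracts the ykman version, the last AID selected, the function that called `send_apdu`, and an ISO 7816-4 reading of the status word. The names `triage` and `decode_sw` are hypothetical, and the two sample logs are constructed by abridging the output quoted above.

```python
import re

# Names for the AIDs that appear in the ykman logs quoted in this thread.
AID_NAMES = {
    "a0000005272001": "OTP",
    "a000000527471117": "MANAGEMENT",
    "a0000006472f0001": "FIDO",
    "a000000308": "PIV",
    "d27600012401": "OPENPGP",
    "a0000005272101": "OATH",
}

VERSION_RE = re.compile(r"^\s*ykman:\s+(\S+)")
SELECT_RE = re.compile(r"Selecting AID: ([0-9a-f]+)")
FRAME_RE = re.compile(r'^\s*File ".*", line \d+, in (\w+)')
SW_RE = re.compile(r"ApduError: APDU error: SW=0x([0-9a-fA-F]{4})")


def decode_sw(sw):
    """Classify an ISO 7816-4 status word (only the classes relevant here)."""
    sw1, sw2 = sw >> 8, sw & 0xFF
    if sw == 0x9000:
        return "success"
    if sw1 == 0x61:
        return f"more response data available (SW2=0x{sw2:02x})"
    if sw1 == 0x6C:
        # The card rejects the Le field and reports the value to resend with.
        return f"wrong Le, card indicates Le=0x{sw2:02x}"
    if sw == 0x6700:
        return "wrong length"
    if sw == 0x6A82:
        return "file or application not found"
    return "other"


def triage(log):
    """Return one record per ApduError found in a ykman debug log."""
    version, last_aid, frames, failures = None, None, [], []
    for line in log.splitlines():
        if m := VERSION_RE.match(line):
            version = m.group(1)
        elif m := SELECT_RE.search(line):
            last_aid = m.group(1)      # ykman 5.0.1 does not log selects
        elif line.startswith("Traceback"):
            frames = []                # a new traceback starts a new call chain
        elif m := FRAME_RE.match(line):
            frames.append(m.group(1))
        elif m := SW_RE.search(line):
            sw = int(m.group(1), 16)
            callers = [f for f in frames if f != "send_apdu"]
            failures.append({
                "ykman": version,
                "caller": callers[-1] if callers else None,
                "last_aid": AID_NAMES.get(last_aid, last_aid),
                "sw": f"0x{sw:04x}",
                "meaning": decode_sw(sw),
            })
    return failures


# Constructed sample: abridged from the P71 test-card log (ykman 5.5.0).
SAMPLE_SELECT_FAIL = r"""
  ykman:            5.5.0
DEBUG 20:59:47.692 [yubikit.core.smartcard.select:417] Selecting AID: a0000005272001
DEBUG 20:59:47.849 [yubikit.core.smartcard.select:417] Selecting AID: a000000527471117
ERROR 20:59:47.869 [ykman._cli.__main__.main:635] An unexpected error has occurred
Traceback (most recent call last):
  File "yubikit\yubiotp.py", line 731, in __init__
  File "yubikit\core\smartcard\__init__.py", line 421, in select
  File "yubikit\core\smartcard\__init__.py", line 408, in send_apdu
yubikit.core.smartcard.ApduError: APDU error: SW=0x6c00
"""

# Constructed sample: abridged from the Apex Flex log (ykman 5.5.0).
SAMPLE_WRITE_FAIL = r"""
  ykman:            5.5.0
DEBUG 21:50:26.865 [yubikit.core.smartcard.select:417] Selecting AID: a000000527471117
DEBUG 21:50:26.933 [yubikit.core.smartcard.select:417] Selecting AID: a0000005272001
DEBUG 21:50:26.979 [yubikit.yubiotp._write_config:787] Writing configuration to slot 1, access code: False
Traceback (most recent call last):
  File "yubikit\yubiotp.py", line 788, in _write_config
  File "yubikit\yubiotp.py", line 688, in write_update
  File "yubikit\core\smartcard\__init__.py", line 408, in send_apdu
yubikit.core.smartcard.ApduError: APDU error: SW=0x6700 (WRONG_LENGTH)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "ykman\_cli\otp.py", line 657, in chalresp
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SELECT_FAIL, SAMPLE_WRITE_FAIL):
        for failure in triage(sample):
            print(failure)
```

On the two samples this separates the failures by stage: the P71 card fails while selecting the management AID, and the Apex Flex fails later, in the slot configuration write after the OTP AID was selected.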