Status: Closed (StarGate01 closed this issue 3 years ago)
I configured a second Yubikey 5 NFC with only one (1) OTP entry, just like I did with the Fidesmo card 2.0. Turns out, now it works. This leads me to believe that there is some kind of limit on the amount of OTP entries that can be transmitted via the USB NFC reader.
I tested another NFC reader: a "SCL011 Contactless Reader" marketed as a personal ID reader for the citizens of Germany. This device and its driver don't appear to have this strange "number of OTP entries" limitation, everything works as expected.
In conclusion, this problem does not seem to be related to the Yubikey software at all, but rather to the Linux driver of a specific device. I will report the problem to PCSClite, where I think the problem could be fixed maybe.
This issue is now void, however I'll leave it online in case anyone else stumbles upon this in the future.
Rationale: I want to use my Yubikey 5 NFC via NFC on all my devices.
I did some differential testing, for results see below.
Steps to reproduce
Expected result
All three operating systems are able to interface both hardware devices (key and card) and are able to read and write OTP entries.
Actual results
Windows:
  Device: scl3711 reader & NFC device, smartcard reader
  Driver: SCM Microsystems (25.07.2013, 1.13.0.0) / SCardSvr
  Reader: SCM Microsystems SCL3711 reader & NFC device 0

Android:

Linux:
  Device: SCM Microsystems, Inc. SCL3711-NFC&RW
  Driver: usbfs / pcsclite (identiv proprietary driver) / pcscd
  Reader: SCL3711 Reader and NFC Device 00 00
Other info

The following are the pcsc_scan reports from Linux for various configurations.

✔ Yubikey 5 via physical USB
```
 0: Yubico YubiKey OTP+FIDO+CCID 00 00
 1: SCL3711 Reader and NFC Device 00 00

Sun Jul 11 11:03:59 2021
 Reader 0: Yubico YubiKey OTP+FIDO+CCID 00 00
  Event number: 18
  Card state: Card inserted,
  ATR: 3B FD 13 00 00 81 31 FE 15 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 40

ATR: 3B FD 13 00 00 81 31 FE 15 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 40
+ TS = 3B --> Direct Convention
+ T0 = FD, Y(1): 1111, K: 13 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
+ Historical bytes: 80 73 C0 21 C0 57 59 75 62 69 4B 65 79
  Category indicator byte: 80 (compact TLV data object)
    Tag: 7, len: 3 (card capabilities)
      Selection methods: C0
        - DF selection by full DF name
        - DF selection by partial DF name
      Data coding byte: 21
        - Behaviour of write functions: proprietary
        - Value 'FF' for the first byte of BER-TLV tag fields: invalid
        - Data unit in quartets: 2
      Command chaining, length fields and logical channels: C0
        - Command chaining
        - Extended Lc and Le fields
        - Logical channel number assignment: No logical channel
        - Maximum number of logical channels: 1
    Tag: 5, len: 7 (card issuer's data)
      Card issuer data: 59 75 62 69 4B 65 79
+ TCK = 40 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B FD 13 00 00 81 31 FE 15 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 40
	Yubico YubiKey 5 NFC (PKI)
	https://www.yubico.com/product/yubikey-5-nfc

 Reader 1: SCL3711 Reader and NFC Device 00 00
  Event number: 0
  Card state: Card removed,
```

✘ Yubikey 5 via NFC USB reader
```
 0: Yubico YubiKey OTP+FIDO+CCID 00 00
 1: SCL3711 Reader and NFC Device 00 00

Sun Jul 11 11:05:31 2021
 Reader 0: Yubico YubiKey OTP+FIDO+CCID 00 00
  Event number: 0
  Card state: Status unavailable,

 Reader 1: SCL3711 Reader and NFC Device 00 00
  Event number: 11
  Card state: Card inserted,
  ATR: 3B 8D 80 01 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 F9

ATR: 3B 8D 80 01 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 F9
+ TS = 3B --> Direct Convention
+ T0 = 8D, Y(1): 1000, K: 13 (historical bytes)
  TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0
-----
  TD(2) = 01 --> Y(i+1) = 0000, Protocol T = 1
-----
+ Historical bytes: 80 73 C0 21 C0 57 59 75 62 69 4B 65 79
  Category indicator byte: 80 (compact TLV data object)
    Tag: 7, len: 3 (card capabilities)
      Selection methods: C0
        - DF selection by full DF name
        - DF selection by partial DF name
      Data coding byte: 21
        - Behaviour of write functions: proprietary
        - Value 'FF' for the first byte of BER-TLV tag fields: invalid
        - Data unit in quartets: 2
      Command chaining, length fields and logical channels: C0
        - Command chaining
        - Extended Lc and Le fields
        - Logical channel number assignment: No logical channel
        - Maximum number of logical channels: 1
    Tag: 5, len: 7 (card issuer's data)
      Card issuer data: 59 75 62 69 4B 65 79
+ TCK = F9 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 8D 80 01 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 F9
	Yubikey 5 NFC (via NFC) (Other)
	https://www.yubico.com/product/yubikey-5-nfc/#yubikey-5-nfc
```

✔ Fidesmo Card 2.0 via NFC USB reader
```
 0: Yubico YubiKey OTP+FIDO+CCID 00 00
 1: SCL3711 Reader and NFC Device 00 00

Sun Jul 11 11:08:45 2021
 Reader 0: Yubico YubiKey OTP+FIDO+CCID 00 00
  Event number: 0
  Card state: Status unavailable,

 Reader 1: SCL3711 Reader and NFC Device 00 00
  Event number: 23
  Card state: Card inserted,
  ATR: 3B 80 80 01 01

ATR: 3B 80 80 01 01
+ TS = 3B --> Direct Convention
+ T0 = 80, Y(1): 1000, K: 0 (historical bytes)
  TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0
-----
  TD(2) = 01 --> Y(i+1) = 0000, Protocol T = 1
-----
+ Historical bytes:
+ TCK = 01 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 80 80 01 01
	ISO 14443 Type B without historical bytes
	Electronic Passport
	Spanish passport (2012)
	Canadian Passport
	Venez_Prox
```

As you can see, the physical USB Yubikey is recognized as `Yubico YubiKey 5 NFC (PKI)`, while the Yubikey via USB NFC reader is recognized as `Yubikey 5 NFC (via NFC) (Other)`.

This is the debug console log when I compiled `master` from this repository and reproduced the error:

✘ Debug and stderr output for Yubikey 5 NFC via USB NFC reader
```
Got library name: "/usr/lib/qt/qml/io/thp/pyotherside/libpyothersideplugin.so"
2021-07-11T11:53:39+0200 INFO [ykman.logging_setup.setup:76] Initialized logging for level: DEBUG
2021-07-11T11:53:39+0200 INFO [ykman.logging_setup.setup:77] Running ykman version: 4.0.3
2021-07-11T11:53:39+0200 DEBUG [ykman.logging_setup.log_sys_info:48] Python: 3.9.5 (default, May 24 2021, 12:50:35) [GCC 11.1.0]
2021-07-11T11:53:39+0200 DEBUG [ykman.logging_setup.log_sys_info:49] Platform: linux
2021-07-11T11:53:39+0200 DEBUG [ykman.logging_setup.log_sys_info:50] Arch: x86_64
2021-07-11T11:53:39+0200 DEBUG [ykman.logging_setup.log_sys_info:56] Running as admin: False
2021-07-11T11:53:46+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040008a000000527471117
2021-07-11T11:53:46+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 5669727475616c206d6772202d2046572076657273696f6e20352e322e36 SW=9000
2021-07-11T11:53:46+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 001d000000
2021-07-11T11:53:46+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 2e0102023f0302022f020400cb85b704010105030502060602000007010f0801000d02023f0e02022b0a01000f0100 SW=9000
2021-07-11T11:53:46+0200 DEBUG [ykman.device.read_info:453] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={
```

For comparison, here is the output for the (working) Fidesmo card 2.0:
✔ Debug and stderr output for Fidesmo Card 2.0 via USB NFC reader
```
Got library name: "/usr/lib/qt/qml/io/thp/pyotherside/libpyothersideplugin.so"
2021-07-11T11:57:15+0200 INFO [ykman.logging_setup.setup:76] Initialized logging for level: DEBUG
2021-07-11T11:57:15+0200 INFO [ykman.logging_setup.setup:77] Running ykman version: 4.0.3
2021-07-11T11:57:15+0200 DEBUG [ykman.logging_setup.log_sys_info:48] Python: 3.9.5 (default, May 24 2021, 12:50:35) [GCC 11.1.0]
2021-07-11T11:57:15+0200 DEBUG [ykman.logging_setup.log_sys_info:49] Platform: linux
2021-07-11T11:57:15+0200 DEBUG [ykman.logging_setup.log_sys_info:50] Arch: x86_64
2021-07-11T11:57:15+0200 DEBUG [ykman.logging_setup.log_sys_info:56] Running as admin: False
2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040008a000000527471117
2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=6a82
2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:286] Unable to select Management application, use fallback.
2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040008a000000527471117
2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=6a82
2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040007a0000005272001
2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=6a82
2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:298] Unable to select OTP application
2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:308] Check for FIDO U2F
2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040008a0000006472f0001
2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=6a82
2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:313] Missing applet: aid: AID.FIDO, capability: FIDO U2F
2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:308] Check for FIDO U2F
2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040007a0000005271002
2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=6a82
2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:313] Missing applet: aid: b"\xa0\x00\x00\x05'\x10\x02", capability: FIDO U2F
2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:308] Check for PIV
2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040005a000000308
2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=6a82
2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:313] Missing applet: aid: AID.PIV, capability: PIV
2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:308] Check for OpenPGP
2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040006d27600012401
2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=9000
2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:311] Found applet: aid: AID.OPENPGP, capability: OpenPGP
2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:308] Check for OATH
2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040007a0000005272101
2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 790300030071080ed789f4cb22b75f SW=9000
2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:311] Found applet: aid: AID.OATH, capability: OATH
2021-07-11T11:57:18+0200 DEBUG [ykman.device.read_info:453] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=
```

I understand if this issue is low-priority for you due to the specific hard- and software configuration. However I would be willing to fix it myself if you could point me to the corresponding places in the codebase. Or maybe the issue lies within my Linux configuration - please advise.
Thank you for any help.
Related: #664
Edit: Clarification - Yubikey 5 NFC is indeed recognized, but OTP entries do not display.
Edit: Add related issue
Edit: Add stderr log
Edit: Add debug log
Edit: Add Fidesmo card log
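The pcsc_scan reports above show the same YubiKey being labelled "Yubico YubiKey 5 NFC (PKI)" over USB and "Yubikey 5 NFC (via NFC) (Other)" over the SCL3711. The following decoder is an added example, not code from the issue author, from yubikey-manager or from pcsc-tools. It parses the three ATRs quoted in the issue according to ISO/IEC 7816-3 (the contactless "3B 8x 80 01 ..." shape is the PC/SC part 3 form) and shows why the labels differ: smartcard_list.txt matches the whole ATR string, and the interface bytes differ per transport even though the historical bytes, which carry the card's own "YubiKey" issuer data, are identical.

```python
# Added example (not from the issue, yubikey-manager or pcsc-tools): decode the
# ATRs quoted in the pcsc_scan reports above. ATR layout per ISO/IEC 7816-3.
from typing import Dict, List

# ATRs copied verbatim from the pcsc_scan output in the issue.
ATR_YUBIKEY_USB = "3B FD 13 00 00 81 31 FE 15 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 40"
ATR_YUBIKEY_NFC = "3B 8D 80 01 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 F9"
ATR_FIDESMO_NFC = "3B 80 80 01 01"


def xor_all(data: bytes) -> int:
    acc = 0
    for x in data:
        acc ^= x
    return acc


def parse_compact_tlv(hist: bytes) -> Dict[int, bytes]:
    """Historical bytes that start with category indicator 0x80 carry compact-TLV
    objects: one byte holds the tag (high nibble) and the length (low nibble)."""
    tlvs: Dict[int, bytes] = {}
    if not hist or hist[0] != 0x80:
        return tlvs
    p = 1
    while p < len(hist):
        tag, ln = hist[p] >> 4, hist[p] & 0x0F
        tlvs[tag] = hist[p + 1:p + 1 + ln]
        p += 1 + ln
    return tlvs


def parse_atr(atr_hex: str) -> Dict[str, object]:
    b = bytes.fromhex(atr_hex.replace(" ", ""))
    if b[0] != 0x3B:  # only direct convention handled here
        raise ValueError("unsupported TS byte %02X" % b[0])
    t0 = b[1]
    k = t0 & 0x0F               # number of historical bytes
    y = t0 >> 4                 # presence bits for TA1, TB1, TC1, TD1
    interface: List[str] = []   # interface bytes as "TA(1)=13", ...
    protocols: List[int] = []   # protocol T announced by each TD(i)
    pos, i = 2, 1
    while True:
        td = None
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                val = b[pos]
                pos += 1
                interface.append("%s(%d)=%02X" % (name, i, val))
                if name == "TD":
                    td = val
        if td is None:
            break
        protocols.append(td & 0x0F)   # low nibble: protocol type
        y = td >> 4                   # high nibble: presence bits of next group
        i += 1
    historical = b[pos:pos + k]
    pos += k
    # TCK is present unless T=0 is the only protocol offered; when present,
    # XOR over T0..TCK must be zero and nothing may follow it.
    tck_present = any(p != 0 for p in protocols)
    tck_ok = (not tck_present and len(b) == pos) or \
             (tck_present and len(b) == pos + 1 and xor_all(b[1:]) == 0)
    issuer = parse_compact_tlv(historical).get(5, b"")  # tag 5: card issuer's data
    return {
        "protocols": sorted(set(protocols)) or [0],
        "interface_bytes": interface,
        "historical": historical.hex().upper(),
        "issuer_data": issuer.decode("ascii", "replace"),
        "tck_ok": tck_ok,
    }


def same_card_different_interface(atr_a: str, atr_b: str) -> bool:
    """True when both ATRs carry identical historical bytes (same card
    self-description) but different interface bytes (different transport)."""
    a, b = parse_atr(atr_a), parse_atr(atr_b)
    return a["historical"] == b["historical"] and a["interface_bytes"] != b["interface_bytes"]


if __name__ == "__main__":
    for label, atr in (("USB", ATR_YUBIKEY_USB), ("NFC", ATR_YUBIKEY_NFC), ("Fidesmo", ATR_FIDESMO_NFC)):
        print(label, parse_atr(atr))
    print("YubiKey USB vs NFC: same card, other interface:",
          same_card_different_interface(ATR_YUBIKEY_USB, ATR_YUBIKEY_NFC))
```

Two caveats for anyone using ATRs as a diagnostic: the "YubiKey" string in the issuer data is unauthenticated card metadata, so it identifies the card image, not a genuine key, and a smartcard_list.txt label is a text match on the full ATR, so a different reader or transport can legitimately produce a different label for the same token.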
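The ykman debug logs above are a series of SELECT-by-AID probes (the applet discovery that `_read_info_ccid` performs) plus, for the YubiKey, a management GET DEVICE INFO. The script below is an added example, not code from the issue author or from yubikey-manager: it replays the SEND/RECV lines copied from the two logs offline, pairs each command with its status word, builds an applet inventory per card, and decodes the management and OATH SELECT responses. The AID-to-name mapping follows the "Check for ..." messages in the log; the TLV tag numbers used for the device-info and OATH responses (0x02 serial, 0x05 firmware version, 0x0E NFC-enabled capability mask with OATH at bit 0x20, 0x79 OATH version, 0x71 OATH name) are assumptions from my reading of the yubikit library, not something the issue states.

```python
# Added example (not from the issue or yubikey-manager): replay the APDU
# exchanges from the ykman debug logs above and summarise what each card exposes.
import re
from typing import Dict, List, Optional, Tuple

# SEND/RECV lines copied from the issue's logs, timestamps and logger names stripped.
YUBIKEY_NFC_LOG = """
SEND: 00a4040008a000000527471117
RECV: 5669727475616c206d6772202d2046572076657273696f6e20352e322e36 SW=9000
SEND: 001d000000
RECV: 2e0102023f0302022f020400cb85b704010105030502060602000007010f0801000d02023f0e02022b0a01000f0100 SW=9000
"""

FIDESMO_NFC_LOG = """
SEND: 00a4040008a000000527471117
RECV: SW=6a82
SEND: 00a4040007a0000005272001
RECV: SW=6a82
SEND: 00a4040008a0000006472f0001
RECV: SW=6a82
SEND: 00a4040007a0000005271002
RECV: SW=6a82
SEND: 00a4040005a000000308
RECV: SW=6a82
SEND: 00a4040006d27600012401
RECV: SW=9000
SEND: 00a4040007a0000005272101
RECV: 790300030071080ed789f4cb22b75f SW=9000
"""

# AIDs exactly as probed in the log, labelled with the capability ykman checked for.
KNOWN_AIDS = {
    "a000000527471117": "Management",
    "a0000005272001": "OTP",
    "a0000006472f0001": "FIDO U2F",
    "a0000005271002": "FIDO U2F (second AID probed in the log)",
    "a000000308": "PIV",
    "d27600012401": "OpenPGP",
    "a0000005272101": "OATH",
}
SW_MEANING = {"9000": "OK", "6a82": "file or application not found"}
LINE_RE = re.compile(r"^(SEND|RECV):\s*([0-9a-f]*)\s*(?:SW=([0-9a-f]{4}))?$")


def pair_exchanges(log: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (command_hex, response_hex, sw) triples in log order."""
    pending, out = None, []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, data, sw = m.groups()
        if kind == "SEND":
            pending = data
        elif pending is not None:
            out.append((pending, data, sw))
            pending = None
    return out


def parse_select(cmd_hex: str) -> Optional[str]:
    """For SELECT by DF name (CLA=00 INS=A4 P1=04) return the AID hex, else None."""
    cmd = bytes.fromhex(cmd_hex)
    if len(cmd) < 5 or cmd[0] != 0x00 or cmd[1] != 0xA4 or cmd[2] != 0x04:
        return None
    return cmd[5:5 + cmd[4]].hex()


def parse_tlv(data: bytes) -> Dict[int, bytes]:
    """One-byte tag, one-byte length TLV (assumed sufficient for these responses)."""
    out, p = {}, 0
    while p + 1 < len(data):
        tag, ln = data[p], data[p + 1]
        out[tag] = data[p + 2:p + 2 + ln]
        p += 2 + ln
    return out


def applet_inventory(log: str) -> Dict[str, str]:
    """Map each probed applet to 'present' or 'absent (...)' from its SELECT status word."""
    inv = {}
    for cmd, _resp, sw in pair_exchanges(log):
        aid = parse_select(cmd)
        if aid is None:
            continue
        name = KNOWN_AIDS.get(aid, "unknown AID " + aid)
        inv[name] = "present" if sw == "9000" else "absent (%s)" % SW_MEANING.get(sw, sw)
    return inv


def management_info(log: str) -> Dict[str, object]:
    """Decode the Management SELECT banner and the GET DEVICE INFO (INS 0x1D) reply:
    a length byte followed by TLVs. Tag numbers are assumptions (see lead-in)."""
    info: Dict[str, object] = {}
    for cmd, resp, sw in pair_exchanges(log):
        if sw != "9000":
            continue
        if parse_select(cmd) == "a000000527471117":
            info["banner"] = bytes.fromhex(resp).decode("ascii")
        elif cmd == "001d000000":
            body = bytes.fromhex(resp)
            tlvs = parse_tlv(body[1:1 + body[0]])
            info["serial"] = int.from_bytes(tlvs[0x02], "big")
            info["version"] = ".".join(str(x) for x in tlvs[0x05])
            info["oath_over_nfc_enabled"] = bool(int.from_bytes(tlvs[0x0E], "big") & 0x20)
    return info


def oath_select_info(log: str) -> Optional[Dict[str, object]]:
    """Decode the OATH applet's SELECT response (tag 0x79 version, 0x71 name; assumed)."""
    for cmd, resp, sw in pair_exchanges(log):
        if sw == "9000" and parse_select(cmd) == "a0000005272101":
            tlvs = parse_tlv(bytes.fromhex(resp))
            return {"version": tuple(tlvs[0x79]), "name_id": tlvs[0x71].hex()}
    return None


if __name__ == "__main__":
    print("YubiKey via NFC:", applet_inventory(YUBIKEY_NFC_LOG), management_info(YUBIKEY_NFC_LOG))
    print("Fidesmo via NFC:", applet_inventory(FIDESMO_NFC_LOG), oath_select_info(FIDESMO_NFC_LOG))
```

Run on the issue's own log lines, the YubiKey half shows the management applet answering with a banner whose firmware string matches the version TLV, and an NFC-enabled mask with the OATH bit set, which rules out "OATH disabled over NFC" as the cause; the Fidesmo half shows a card with no management or OTP applet at all, only OpenPGP and OATH, which is exactly the fallback path the log reports.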