Yubikey 5 NFC is not recognized when using USB NFC reader on Linux

[StarGate01]

• Yubico Authenticator version: 5.0.5
• Operating system and version: Windows 10 x64 / Android 9 - Lineage 16 / Linux 5.4.124-1-MANJARO
• YubiKey model and version: Yubikey 5 NFC / Fidesmo Card 2.0
• Bug description summary: Yubikey is not recognized when using USB NFC reader on Linux

Rationale: I want to use my Yubikey 5 NFC via NFC on all my devices.

I did some differential testing, for results see below.

Steps to reproduce

• Use a USB NFC reader such as a SCM SCL3711
• Configure a Yubikey 5 NFC as OTP device using the Yubikey manager application.
• Configure a Fisdesmo Card 2.0 as OTP device using the Fidesmo mobile app.
• Interface the devices using the Yubico Authentificator software via the USB NFC reader (Windows & Linux) or the mobile phones integrated NFC chip.

Expected result

All three operating systems are able to interface both hardware devices (key and card) and are able to read and write OTP entries.

Actual results

Windows:

• USB NFC reader is recognized and installed as a scl3711 reader & NFC device smartcard reader. (Driver: SCM Microsystems - 25.07.2013 - 1.13.0.0 / SCardSvr)
• Yubico Authentificator (exe version) is configured to use a custom CCID filter: SCM Microsystems SCL3711 reader & NFC device 0
• :heavy_check_mark: The Yubikey 5 NFC is recognized via NFC in the app and able to function correctly
• :heavy_check_mark: The Fidesmo Card 2.0 is recognized via NFC in the app (as Yubikey NEO) and able to function correctly

Android:

• Yubico Authentificator configuration is unchanged from stock
• :heavy_check_mark: The Yubikey 5 NFC is recognized via NFC in the app and able to function correctly
• :heavy_check_mark: The Fidesmo Card 2.0 is recognized via NFC in the app and able to function correctly

Linux:

• USB NFC reader is recognized and installed as a SCM Microsystems, Inc. SCL3711-NFC&RW. (Driver: usbfs / pcsclite (identiv proprietary driver) / pcscd)
• Yubico Authentificator is configured to use a custom CCID filter: SCL3711 Reader and NFC Device 00 00
• :x: The Yubikey 5 NFC is recognized via NFC in the app, but OTP entries to NOT display rendering it unusable
  • However: Connection via direct physical USB works if no CCID filter is used
• :heavy_check_mark: The Fidesmo Card 2.0 is recognized via NFC in the app (as Yubikey NEO) and able to function correctly

Other info

The following are the pcsc_scan reports from Linux for various configurations.

:heavy_check_mark: Yubikey 5 via physical USB

``` 0: Yubico YubiKey OTP+FIDO+CCID 00 00 1: SCL3711 Reader and NFC Device 00 00 Sun Jul 11 11:03:59 2021 Reader 0: Yubico YubiKey OTP+FIDO+CCID 00 00 Event number: 18 Card state: Card inserted, ATR: 3B FD 13 00 00 81 31 FE 15 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 40 ATR: 3B FD 13 00 00 81 31 FE 15 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 40 + TS = 3B --> Direct Convention + T0 = FD, Y(1): 1111, K: 13 (historical bytes) TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU 43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s TB(1) = 00 --> VPP is not electrically connected TC(1) = 00 --> Extra guard time: 0 TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 ----- TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 ----- TA(3) = FE --> IFSC: 254 TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5 + Historical bytes: 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 Category indicator byte: 80 (compact TLV data object) Tag: 7, len: 3 (card capabilities) Selection methods: C0 - DF selection by full DF name - DF selection by partial DF name Data coding byte: 21 - Behaviour of write functions: proprietary - Value 'FF' for the first byte of BER-TLV tag fields: invalid - Data unit in quartets: 2 Command chaining, length fields and logical channels: C0 - Command chaining - Extended Lc and Le fields - Logical channel number assignment: No logical channel - Maximum number of logical channels: 1 Tag: 5, len: 7 (card issuer's data) Card issuer data: 59 75 62 69 4B 65 79 + TCK = 40 (correct checksum) Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): 3B FD 13 00 00 81 31 FE 15 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 40 Yubico YubiKey 5 NFC (PKI) https://www.yubico.com/product/yubikey-5-nfc Reader 1: SCL3711 Reader and NFC Device 00 00 Event number: 0 Card state: Card removed, ```

:x: Yubikey 5 via NFC USB reader

``` 0: Yubico YubiKey OTP+FIDO+CCID 00 00 1: SCL3711 Reader and NFC Device 00 00 Sun Jul 11 11:05:31 2021 Reader 0: Yubico YubiKey OTP+FIDO+CCID 00 00 Event number: 0 Card state: Status unavailable, Reader 1: SCL3711 Reader and NFC Device 00 00 Event number: 11 Card state: Card inserted, ATR: 3B 8D 80 01 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 F9 ATR: 3B 8D 80 01 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 F9 + TS = 3B --> Direct Convention + T0 = 8D, Y(1): 1000, K: 13 (historical bytes) TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0 ----- TD(2) = 01 --> Y(i+1) = 0000, Protocol T = 1 ----- + Historical bytes: 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 Category indicator byte: 80 (compact TLV data object) Tag: 7, len: 3 (card capabilities) Selection methods: C0 - DF selection by full DF name - DF selection by partial DF name Data coding byte: 21 - Behaviour of write functions: proprietary - Value 'FF' for the first byte of BER-TLV tag fields: invalid - Data unit in quartets: 2 Command chaining, length fields and logical channels: C0 - Command chaining - Extended Lc and Le fields - Logical channel number assignment: No logical channel - Maximum number of logical channels: 1 Tag: 5, len: 7 (card issuer's data) Card issuer data: 59 75 62 69 4B 65 79 + TCK = F9 (correct checksum) Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): 3B 8D 80 01 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 F9 Yubikey 5 NFC (via NFC) (Other) https://www.yubico.com/product/yubikey-5-nfc/#yubikey-5-nfc ```

:heavy_check_mark: Fidesmo Card 2.0 via NFC USB reader

``` 0: Yubico YubiKey OTP+FIDO+CCID 00 00 1: SCL3711 Reader and NFC Device 00 00 Sun Jul 11 11:08:45 2021 Reader 0: Yubico YubiKey OTP+FIDO+CCID 00 00 Event number: 0 Card state: Status unavailable, Reader 1: SCL3711 Reader and NFC Device 00 00 Event number: 23 Card state: Card inserted, ATR: 3B 80 80 01 01 ATR: 3B 80 80 01 01 + TS = 3B --> Direct Convention + T0 = 80, Y(1): 1000, K: 0 (historical bytes) TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0 ----- TD(2) = 01 --> Y(i+1) = 0000, Protocol T = 1 ----- + Historical bytes: + TCK = 01 (correct checksum) Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): 3B 80 80 01 01 ISO 14443 Type B without historical bytes Electronic Passport Spanish passport (2012) Canadian Passport Venez_Prox ```

As you can see, the physical USB Yubikey is recognized as Yubico YubiKey 5 NFC (PKI), while the Yubikey via USB NFC reader ist recognized as Yubikey 5 NFC (via NFC) (Other).

This is the debug console log when I compiled master from this repository and reproduced the error:

:x: Debug and stderr output for Yubikey 5 NFC via USB NFC reader

``` Got library name: "/usr/lib/qt/qml/io/thp/pyotherside/libpyothersideplugin.so" 2021-07-11T11:53:39+0200 INFO [ykman.logging_setup.setup:76] Initialized logging for level: DEBUG 2021-07-11T11:53:39+0200 INFO [ykman.logging_setup.setup:77] Running ykman version: 4.0.3 2021-07-11T11:53:39+0200 DEBUG [ykman.logging_setup.log_sys_info:48] Python: 3.9.5 (default, May 24 2021, 12:50:35) [GCC 11.1.0] 2021-07-11T11:53:39+0200 DEBUG [ykman.logging_setup.log_sys_info:49] Platform: linux 2021-07-11T11:53:39+0200 DEBUG [ykman.logging_setup.log_sys_info:50] Arch: x86_64 2021-07-11T11:53:39+0200 DEBUG [ykman.logging_setup.log_sys_info:56] Running as admin: False 2021-07-11T11:53:46+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040008a000000527471117 2021-07-11T11:53:46+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 5669727475616c206d6772202d2046572076657273696f6e20352e322e36 SW=9000 2021-07-11T11:53:46+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 001d000000 2021-07-11T11:53:46+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 2e0102023f0302022f020400cb85b704010105030502060602000007010f0801000d02023f0e02022b0a01000f0100 SW=9000 2021-07-11T11:53:46+0200 DEBUG [ykman.device.read_info:453] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={: , : }, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=), serial=13338039, version=Version(major=5, minor=2, patch=6), form_factor=, supported_capabilities={: , : }, is_locked=False, is_fips=False) 2021-07-11T11:53:46+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040007a0000005272101 2021-07-11T11:53:46+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 7903050206710879bee80de57efb61 SW=9000 2021-07-11T11:53:46+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040007a0000005272101 2021-07-11T11:53:46+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 7903050206710879bee80de57efb61 SW=9000 2021-07-11T11:53:46+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a400010a740800000000033b0663 2021-07-11T11:53:46+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=6f00 "PyOtherSide error: Traceback (most recent call last):\n\n File \"qrc:///py/yubikey.py\", line 25, in wrapped\n return json.dumps(f(*(json.loads(a) for a in args)))\n\n File \"qrc:///py/yubikey.py\", line 139, in wrapped\n return f(*args, **kwargs)\n\n File \"qrc:///py/yubikey.py\", line 375, in ccid_calculate_all\n entries = oath_controller.calculate_all(timestamp)\n\n File \"/usr/lib/python3.9/site-packages/yubikit/oath.py\", line 383, in calculate_all\n self.protocol.send_apdu(\n\n File \"/usr/lib/python3.9/site-packages/yubikit/core/smartcard.py\", line 177, in send_apdu\n raise ApduError(response, sw)\n\nyubikit.core.smartcard.ApduError: APDU error: SW=0x6f00\n" Unhandled PyOtherSide error: Return value of PyObject call is NULL: Traceback (most recent call last): File "qrc:///py/yubikey.py", line 25, in wrapped return json.dumps(f(*(json.loads(a) for a in args))) File "qrc:///py/yubikey.py", line 139, in wrapped return f(*args, **kwargs) File "qrc:///py/yubikey.py", line 375, in ccid_calculate_all entries = oath_controller.calculate_all(timestamp) File "/usr/lib/python3.9/site-packages/yubikit/oath.py", line 383, in calculate_all self.protocol.send_apdu( File "/usr/lib/python3.9/site-packages/yubikit/core/smartcard.py", line 177, in send_apdu raise ApduError(response, sw) yubikit.core.smartcard.ApduError: APDU error: SW=0x6f00 ```

For comparision, here is the output for the (working) Fidesmo card 2.0:

:heavy_check_mark: Debug and stderr output for Fidesmo Card 2.0 via USB NFC reader

``` Got library name: "/usr/lib/qt/qml/io/thp/pyotherside/libpyothersideplugin.so" 2021-07-11T11:57:15+0200 INFO [ykman.logging_setup.setup:76] Initialized logging for level: DEBUG 2021-07-11T11:57:15+0200 INFO [ykman.logging_setup.setup:77] Running ykman version: 4.0.3 2021-07-11T11:57:15+0200 DEBUG [ykman.logging_setup.log_sys_info:48] Python: 3.9.5 (default, May 24 2021, 12:50:35) [GCC 11.1.0] 2021-07-11T11:57:15+0200 DEBUG [ykman.logging_setup.log_sys_info:49] Platform: linux 2021-07-11T11:57:15+0200 DEBUG [ykman.logging_setup.log_sys_info:50] Arch: x86_64 2021-07-11T11:57:15+0200 DEBUG [ykman.logging_setup.log_sys_info:56] Running as admin: False 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040008a000000527471117 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=6a82 2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:286] Unable to select Management application, use fallback. 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040008a000000527471117 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=6a82 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040007a0000005272001 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=6a82 2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:298] Unable to select OTP application 2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:308] Check for FIDO U2F 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040008a0000006472f0001 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=6a82 2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:313] Missing applet: aid: AID.FIDO, capability: FIDO U2F 2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:308] Check for FIDO U2F 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040007a0000005271002 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=6a82 2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:313] Missing applet: aid: b"\xa0\x00\x00\x05'\x10\x02", capability: FIDO U2F 2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:308] Check for PIV 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040005a000000308 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=6a82 2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:313] Missing applet: aid: AID.PIV, capability: PIV 2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:308] Check for OpenPGP 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040006d27600012401 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=9000 2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:311] Found applet: aid: AID.OPENPGP, capability: OpenPGP 2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:308] Check for OATH 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040007a0000005272101 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 790300030071080ed789f4cb22b75f SW=9000 2021-07-11T11:57:18+0200 DEBUG [ykman.device._read_info_ccid:311] Found applet: aid: AID.OATH, capability: OATH 2021-07-11T11:57:18+0200 DEBUG [ykman.device.read_info:453] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={}, auto_eject_timeout=0, challenge_response_timeout=0, device_flags=), serial=None, version=Version(major=3, minor=0, patch=0), form_factor=, supported_capabilities={: , : }, is_locked=False, is_fips=False) 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040007a0000005272101 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 790300030071080ed789f4cb22b75f SW=9000 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040007a0000005272101 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 790300030071080ed789f4cb22b75f SW=9000 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a400010a740800000000033b066a 2021-07-11T11:57:18+0200 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 712746696465736d6f4f54505475746f7269616c3a7475746f7269616c4066696465736d6f2e636f6d7605060f61fe36 SW=9000 ```

I understand if this issue is low-priority for you due to the specific hard- and software configuration. However I would be willing to fix is myself if you could point me to the corresponding places in the codebase. Or maybe the issue lies within my Linux configuration - please advise.

Thank you for any help.

Related: #664

Edit: Clarification - Yubikey 5 NFC is indeed recognized, but OTP entries do not display. Edit: Add related issue Edit: Add stderr log Edit: Add debug log Edit: Add Fidesmo card log

[StarGate01]

I configured a second Yubikey 5 NFC with only one (1) OTP entry, just like I did with the Fidesmo card 2.0. Turns out, now it works. This leads me to believe that there is some kind of limit on the amount of OTP entries that can be transmitted via the USB NFC reader.

[StarGate01]

I tested another NFC reader: a "SCL011 Contactless Reader" marketed as a personal ID reader for the citizens of Germany. This device and its drive don't appear to have this strange "number of OTP entries" limitation, everything works as expected.

In conclusion, this problem does not seem to be related to the Yubikey software at all, but rather to the Linux driver of a specific device. I will report the problem to PCSClite, where I think the problem could be fixed maybe.

This issue is now void, however I'll leave it online if anyone else stumble upon this in the future.