arekinath / PivApplet

PIV applet for JavaCard 2.2.2 and 3.0.4+ with full ECDSA/ECDH support

implement ykpiv command INS_GET_SERIAL #15

Closed arekinath closed 5 years ago

arekinath commented 5 years ago

Yubikey5 series devices have a new 0xF8 INS_GET_SERIAL we should implement (probably returning a fake serial number with the high bit set)

dengert commented 5 years ago

NIST 800-73 specs do not define a serial number. Both OpenSC and Windows PIV drivers derive a "serial number" from the FASC-N or GUID information in the CHUID. OpenSC does not really need it, but Windows does.

dengert commented 5 years ago

How do you differentiate between your PIV applet and a Yubico PIV applet? There are many other PIV applets out there and the NIST specs do not say how to do it.

One way is the ATR historical bytes. Another is to use the '50' tag in the response to a SELECT AID. Yubico does not use this, but real PIV cards do. (No need for an extra APDU.) For example, older Oberthur cards would return:

61 39 4F 0B A0 00 00 03 08 00 00 10 00 01 00 79 a9O............y
07 4F 05 A0 00 00 03 08 50 0E 49 44 2D 4F 6E 65 .O......P.ID-One
20 50 49 56 20 42 49 4F 5F 50 10 77 77 77 2E 6F  PIV BIO_P.www.o
62 65 72 74 68 75 72 2E 63 6F 6D 7F 66 08 02 02 berthur.com.f...
80 00 02 02 80 00

arekinath commented 5 years ago

> NIST 800-73 specs do not define a serial number. Both OpenSC and Windows PIV drivers derive a "serial number" from the FASC-N or GUID information in the CHUID. OpenSC does not really need it, but Windows does.

Yeah, I'm aware. This is a YubicoPIV-specific command and is only to avoid any risk of the yubico-piv-tool reading an invalid value here or misbehaving when we claim compatibility with YubicoPIV 5.x. I don't expect any other software to bother looking at it, really.

> How do you differentiate between your PIV applet and a Yubico PIV applet? There are many other PIV applets out there and the NIST specs do not say how to do it.

This applet currently returns "PivApplet" in the '50' tag in response to select, so you could use that if you need to. It also returns an actual supported algorithm list in the 'AC' tag which I haven't yet seen another PIV applet do (maybe you have?), so that could be diagnostic. I've considered adding a link to the GitHub repo in the '5f50' URL tag in RTS as well, but have yet to do it.

So far our YKPIV version command response has always been 4.0.0 or 5.0.0, as well, when it seems like Yubico usually start their version numbering (at least for publicly released versions of their applet) at >X.0.0
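
The SELECT AID response fields discussed in this thread ('4F' AID, '50' application label, '5F50' URL and the 'AC' algorithm list), parsed out of the Oberthur dump quoted above and out of a constructed response for an applet that labels itself "PivApplet". This is an added example, not code from PivApplet, OpenSC or yubico-piv-tool; the tag meanings follow NIST 800-73, and the `PIVAPPLET_SAMPLE` bytes are made up for illustration.

```python
# Added example: decode the BER-TLV application property template ('61')
# returned by a PIV SELECT AID and pull out the applet-identifying fields.

def parse_tlv(data: bytes):
    """Yield (tag_hex, value) for each BER-TLV element in data.
    Handles two-byte tags (e.g. 5F50, 7F66) and 81/82 length forms."""
    i = 0
    while i < len(data):
        start = i
        i += 1
        if data[start] & 0x1F == 0x1F:          # high-tag-number form: more tag bytes follow
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length == 0x81:
            length, i = data[i], i + 1
        elif length == 0x82:
            length, i = int.from_bytes(data[i:i + 2], "big"), i + 2
        elif length >= 0x80:
            raise ValueError("unsupported BER length form")
        if i + length > len(data):
            raise ValueError("TLV length runs past end of data")
        yield tag, data[i:i + length]
        i += length

def parse_select_response(resp: bytes) -> dict:
    """Extract AID, label, URL and supported algorithm ids from the '61' template."""
    top = dict(parse_tlv(resp))
    if "61" not in top:
        raise ValueError("no application property template (61) in response")
    info = {"aid": None, "label": None, "url": None, "algorithms": []}
    for tag, val in parse_tlv(top["61"]):
        if tag == "4F":
            info["aid"] = val.hex().upper()
        elif tag == "50":
            info["label"] = val.decode("ascii", "replace")
        elif tag == "5F50":
            info["url"] = val.decode("ascii", "replace")
        elif tag == "AC":                        # constructed: one '80' element per algorithm id
            info["algorithms"] = [v.hex().upper() for t, v in parse_tlv(val) if t == "80"]
    return info

# Hex column of the Oberthur ID-One response quoted in the thread.
OBERTHUR = bytes.fromhex(
    "61 39 4F 0B A0 00 00 03 08 00 00 10 00 01 00 79 07 4F 05 A0 00 00 03 08 50 0E 49 44 2D 4F 6E 65"
    "20 50 49 56 20 42 49 4F 5F 50 10 77 77 77 2E 6F 62 65 72 74 68 75 72 2E 63 6F 6D 7F 66 08 02 02"
    "80 00 02 02 80 00")
# Constructed sample (not captured from a real card): label "PivApplet" plus an 'AC' list.
PIVAPPLET_SAMPLE = bytes.fromhex(
    "61 26 4F 0B A0 00 00 03 08 00 00 10 00 01 00 50 09 50 69 76 41 70 70 6C 65 74"
    "AC 0C 80 01 07 80 01 11 80 01 14 06 01 00")
```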

dengert commented 5 years ago

I have recently (this week) acquired a demo PIV card that supports SM and Key Establishment Protocol in NIST 800-73-4. It uses 'AC' tag with '27' to generate an ephemeral key pair over Curve P-256. I am planning on using it to add these features to OpenSC. It will take a while.

arekinath commented 5 years ago

Oh, that's quite exciting! Can I get one? :P

dengert commented 5 years ago

Probably not.