arekinath / YkOtpApplet

Javacard applet emulating the Yubikey challenge-response interface

YkTool and custom cards #1

Closed Aiosa closed 4 years ago

Aiosa commented 4 years ago

Hello,

I tried to install the applet onto my card (JNXP) and although the installation went flawlessly, yktool does not seem to have recognized it. Is it an issue, or are only Yubikey smart cards supported?

Thank you

Aiosa commented 4 years ago

Ok tried another card (older sdk, no NFC..) and worked...

jaredvacanti commented 4 years ago

@Aiosa did only a change of what card you installed on allow the card to be detected by yktool? I have tested on two cards, a 2.2.2 and a 3.0.4 version, and both yktool and ykman otp do not detect a yubikey.

Aiosa commented 4 years ago

Well I tried with JavaCOS A40 or something similar (I have two, one unknown version, I think it was the unknown one). But, for some reason when I tried it again later, it did not work anymore. I was a bit confused, but could not find out the reason, using different cards, different yktool versions and observing with APDU tracer. I don't really remember but my notes say I did notice successful select command on the applet aid before.

Aiosa commented 4 years ago

Please let me know if you succeed in the applet use. Yubico apps most likely check the reader vendor and allow communication with Yubico HW only, though it may not be the case with yktool. I thought so at first, but nothing has worked for me ever since closing the issue - ironically.

jaredvacanti commented 4 years ago

@Aiosa I looked through to see if yktool was doing a hardware check of some kind, it looks like the tool just tries to connect to each card connected: https://github.com/arekinath/yktool/blob/master/yktool.java#L132

As a small aside: I use the Yubikey OTP applet for securing a KeePassXC database. This is my backup for if that yubikey auth method fails or becomes unavailable. There is a tool available for computing the HMAC-SHA1 response that is useful for my case in the meantime, but I still do need to have the backup on a physical card and I will let you know when I have that available.

jaredvacanti commented 4 years ago

I am using Ubuntu 19.10 as my primary development workstation. There is a Linux issue when working with smartcards that is documented here: https://stackoverflow.com/questions/12376257/accessing-javax-smartcardio-from-linux-64-bits

On my machine, using `java -Dsun.security.smartcardio.library=/usr/lib/x86_64-linux-gnu/libpcsclite.so -jar yktool.jar` for yktool allows me to list the YkOtpApplet as a yubikey with the tool and program that HMAC slot. Currently I don't have it working from KeePassXC yet, which I think is probably the same issue ... but I am able to interact with and program the card!
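The launch option from the last comment, as an added example that is not part of the original thread: a shell helper that locates the PC/SC Lite shared library and prints the java command with `sun.security.smartcardio.library` pointing at it. The search directories, the `PCSC_SEARCH_DIRS` variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: locate the PC/SC Lite shared library and build the
# java command line that points javax.smartcardio at it.

# Directories to search (an assumption covering common Linux layouts);
# override by setting PCSC_SEARCH_DIRS before running.
PCSC_SEARCH_DIRS="${PCSC_SEARCH_DIRS:-/usr/lib/x86_64-linux-gnu /usr/lib/aarch64-linux-gnu /usr/lib64 /usr/lib /lib64 /lib}"

# Print the first libpcsclite shared object found. Directories are
# tried in order; within a directory the unversioned .so name is
# preferred over .so.1. Returns 1 if nothing is found.
find_pcsclite() {
    for dir in $PCSC_SEARCH_DIRS; do
        for name in libpcsclite.so libpcsclite.so.1; do
            if [ -e "$dir/$name" ]; then
                printf '%s\n' "$dir/$name"
                return 0
            fi
        done
    done
    return 1
}

# Print the full command for running a smartcardio-based jar (for
# example yktool.jar) with the library path set explicitly.
smartcardio_cmd() {
    jar="$1"
    lib="$(find_pcsclite)" || {
        echo "libpcsclite not found in: $PCSC_SEARCH_DIRS" >&2
        return 1
    }
    printf 'java -Dsun.security.smartcardio.library=%s -jar %s\n' "$lib" "$jar"
}

# Usage: sh this_script.sh yktool.jar   (prints the command to run)
if [ "$#" -gt 0 ]; then
    smartcardio_cmd "$1"
fi
```
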