Card not being detected in yktool.jar

[CueMaxX]

Hi!

I've tried loading the applet on J2E081, J3D081 and J3H145 cards, but when using: java -jar yktool.jar list it just shows Yubikeys available:

without anything being available. Do I miss something or did I misinterpret the function of this applet?

Thanks

[jaredvacanti]

@CueMaxX I have the same issue with the JavaCOS A22 155K Java Card 2.2.2. Have you had any success in the meantime?

I have the same result installing with the release https://github.com/arekinath/YkOtpApplet/releases/download/v0.1.0/YkOtpApplet.cap and building from the master branch.

[StarGate01]

For my card (J3H145 aka. Fidesmo card 2.0) the problem was that other applets would use RAM and then the call to JCSystem.makeTransientByteArray would fail. So I had to uninstall enough of the other applets. Since I was using the Fidesmo framework, I had to modify the AID_YUBIOTP definition in yktool to hold the Fidesmo assigned application ID.

[BryanJacobs]

I've raised a pull request, https://github.com/arekinath/YkOtpApplet/pull/6 , that should allow users to initialize the card without using yktool.

This applet doesn't make an arbitrary smart card show up as a Yubikey. yktool is looking for USB Yubikeys, not random PC/SC readers or CCID smart cards. You're not going to see your JavaCard in the list output from yktool, but that won't stop you from using it with software like KeepassXC that supports non-Yubikey cards.

[StarGate01]

Interesting, for me yktool works great with a NFC PC/SC reader, for both my Yubikey 5 NFC, as well as this applet - if you use the a0:00:00:05:27:20 AID.

[BryanJacobs]

It sounds like you're using a Yubikey. I'm not. yktool doesn't detect my J3H145 card, even inserted, when using the Yubico AID.

[StarGate01]

I am using NXP P71D321 J3R200 JCOP4 chips additionally running this applet, and I was able to use yktool for that as well. Maybe there is a difference in the chips. If your card contactless?

[BryanJacobs]

I'm not sure why it would work for you, but it certainly doesn't for me. It also doesn't detect my Gemalto IDPrime 3940, but does my actual Yubikeys.

At any rate, if you want to program your smartcard for challenge-response when yktool doesn't work, now you have an easy way to do that. I can guarantee that sending APDUs to the card will work, because if those are somehow broken you're not going to be having a fun time with challenge-response anyhow.

[StarGate01]

I saw your PR, your script is great! And way easier to use than yktool, I might end up using it in some CI systems. I am using a SCL011 reader, maybe there are differences on what yktool can handle in terms of readers.

[BryanJacobs]

I've had a look at the sources of yktool and I think I found a way our setup could be different.

For me, the challenge-response module is not the default applet. It needs to be selected before it will answer requests. Sending an INS_STATUS to the card immediately after connecting gets back an error.

I don't see anything in the list codepath in yktool which sends an applet-select APDU to the card.

[BryanJacobs]

Scratch that last, the updateStatus method calls select. I guess the functionality difference just comes down to:

    TerminalFactory factory = TerminalFactory.getDefault();
    List<CardTerminal> terms = factory.terminals().list();

[StarGate01]

If your Javacard gets detected by my PCSC driver of KeePassXC (https://github.com/keepassxreboot/keepassxc/blob/develop/src/keys/drivers/YubiKeyInterfacePCSC.cpp), then its probably some issue with the java smartcard drivers, yea.

[BryanJacobs]

Works fine with KeePassXC. Thanks for your PR there, by the way.

[StarGate01]

Good to hear, you are welcome! I am happy people are using it.