hoehermann / usbtan-cli

Request chipTAN from USB-cardreaders via libchipcard.
GNU Lesser General Public License v2.1

Allow for selection of card reader or block Security Keys #1

Open xorbital opened 3 years ago

xorbital commented 3 years ago

Hey, thank you for this amazing tool, it's really saving me a lot of time.

At the moment, I have to pull out my YubiKey before generating TANs though. The same issue is present with a NitroKey plugged in. The YubiKey itself is a card reader for a PGP Smartcard, and as such seems to get picked up by the library (it also shows up in Jameica, for example), and the TAN generation fails when both it and another TAN generator are plugged in (the order of plugging them in doesn't matter):

4:2020/11/28 21-13-04:chipcard3-client(80461):card.c:  146: Unknown card type (no matching ATR)
3:2020/11/28 21-13-04:(null)(80461):chiptanusb.c:  177: ERROR: Error Reading Tan from card.
Fehler bei TAN Generierung

Unplugging the key results in the program working fine again. Would it be possible to add a parameter that allows for device selection? Maybe a different solution would be to exclude Yubi-/Nitrokeys somehow.

hoehermann commented 3 years ago

Good idea.

Currently, I am simply calling GetTanfromUSB_Generator which does not offer an interface for device or card selection. The implementation in libchipcard-5.1.5rc2/src/ct/chiptanusb/chiptanusb.c calls LC_Client_GetNextCard once and once only. I am not sure whether a consecutive call to LC_Client_GetNextCard would get the next card-like object in any reader or whether it waits for the next card in the first selected reader. I cannot really tell from libchipcard's documentation. I need to do some experiments to even find out whether this is possible at all. I cannot tell when I want to look into this, sorry.

Yours is the first feedback I ever received. Does the tool work for you in any way? I can use it for login TANs reliably. For transactions (or anything with an IBAN and an amount, really) I need to be lucky.

xorbital commented 3 years ago

Hey, thanks for the quick reply and yes, it works really well (usbtan-cli). :smile: The usbtan-viaclipboard is throwing errors at me, so I haven't really used it:

Traceback (most recent call last):
  File "./usbtan-viaclipboard", line 18, in <module>
    clipboard = pyperclip.paste()
  File "/usr/lib/python3.8/site-packages/pyperclip/__init__.py", line 638, in lazy_load_stub_paste
    return paste()
  File "/usr/lib/python3.8/site-packages/pyperclip/__init__.py", line 155, in paste_gtk
    clipboardContents = gtk.Clipboard().wait_for_text()
  File "/usr/lib/python3.8/site-packages/gi/__init__.py", line 69, in __getattr__
    raise AttributeError(_static_binding_error)
AttributeError: When using gi.repository you must not import static modules like "gobject". Please change all occurrences of "import gobject" to "from gi.repository import GObject". See: https://bugzilla.gnome.org/show_bug.cgi?id=709183

OS: Manjaro/Arch, Gnome Wayland

However just using

$HOME/Programme/usbtan-cli/usbtan-cli $(wl-paste) | grep "TAN =" | sed 's/^.*= //' | wl-copy

is all I need: I copy the Start-Code, press a keyboard combination and the TAN is copied to the clipboard. I only use Jameica for transactions and I need the TAN generation to authorize credit card payments, and again, that works really well. Haven't looked into the Jameica/Hibiscus source yet, so I don't know if they use the same underlying library :thinking:

hoehermann commented 3 years ago

@xorbital Can you give cardcounter in https://github.com/hoehermann/usbtan-cli/tree/cardcounter a shot? I cannot test for ambiguity since I only have one card reader and no other token provider.

xorbital commented 3 years ago

Hey, thanks again for the quick follow-up! :smile: I went a bit crazy and plugged in 3 security keys (2 Yubi-, 1 Nitrokey), as well as a ReinerSCT TanJack USB. I can test with a few other card readers as well. Please let me know if I made any mistake preparing/executing it:

git clone https://github.com/hoehermann/usbtan-cli
cd usbtan-cli
git checkout cardcounter
make cardcounter
./cardcounter

That gives me, with a girocard plugged into the tanjack:

7:2020/11/30 10-14-43:(null)(4661):client_xml.c:  181: Reading XML file (cards) from here: /usr/share/chipcard/cards
7:2020/11/30 10-14-43:(null)(4661):client_xml.c:  181: Reading XML file (apps) from here: /usr/share/chipcard/apps
7:2020/11/30 10-14-43:(null)(4661):driverinfo.c:  234: Reading driver file "/usr/share/chipcard/drivers/cyberjack_pcsc.xml"
6:2020/11/30 10-14-43:(null)(4661):driverinfo.c:  175: XML file "/usr/share/chipcard/drivers/cyberjack_pcsc.xml" contains no readers
7:2020/11/30 10-14-43:(null)(4661):driverinfo.c:  234: Reading driver file "/usr/share/chipcard/drivers/generic_pcsc.xml"
6:2020/11/30 10-14-43:(null)(4661):driverinfo.c:  175: XML file "/usr/share/chipcard/drivers/generic_pcsc.xml" contains no readers
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   50: Connecting to server.
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   55: Connected.
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   60: Waiting 20 seconds for next card...
7:2020/11/30 10-14-44:(null)(4661):client_cmd.c:   12: Adding card types...
4:2020/11/30 10-14-44:chipcard3-client(4661):card.c:  146: Unknown card type (no matching ATR)
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   67: Found a card.
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   70: Access to this card is provided by reader: "Yubico YubiKey OTP+FIDO+CCID 00 00"
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   75: This card is of type: "processor"
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   85: Opening card.
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   91: Card is a CipTanUsb card as expected.
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   96: I am done with this card.
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   98: Waiting 20 seconds for next card...
7:2020/11/30 10-14-44:(null)(4661):client_cmd.c:   12: Adding card types...
4:2020/11/30 10-14-44:chipcard3-client(4661):card.c:  146: Unknown card type (no matching ATR)
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   67: Found a card.
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   70: Access to this card is provided by reader: "Nitrokey Nitrokey Storage (0000000000000) 01 00"
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   75: This card is of type: "processor"
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   85: Opening card.
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   91: Card is a CipTanUsb card as expected.
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   96: I am done with this card.
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   98: Waiting 20 seconds for next card...
7:2020/11/30 10-14-45:(null)(4661):client_cmd.c:   12: Adding card types...
4:2020/11/30 10-14-45:chipcard3-client(4661):card.c:  146: Unknown card type (no matching ATR)
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   67: Found a card.
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   70: Access to this card is provided by reader: "Yubico YubiKey OTP+FIDO+CCID 02 00"
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   75: This card is of type: "processor"
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   85: Opening card.
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   91: Card is a CipTanUsb card as expected.
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   96: I am done with this card.
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   98: Waiting 20 seconds for next card...
7:2020/11/30 10-14-45:(null)(4661):client_cmd.c:   12: Adding card types...
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   67: Found a card.
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   70: Access to this card is provided by reader: "Reiner tanjack usb (AF3BDCA25C) 03 00"
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   75: This card is of type: "processor"
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   85: Opening card.
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   91: Card is a CipTanUsb card as expected.
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   96: I am done with this card.
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   98: Waiting 20 seconds for next card...
3:2020/11/30 10-14-45:chipcard3-client(4661):client.c: 1066: Error connecting to card in reader [Reiner tanjack usb (AF3BDCA25C) 03 00]
6:2020/11/30 10-15-06:(null)(4661):cardcounter.c:  101: Found a total of 4 cards.

Without a card plugged in the tanjack doesn't get picked up. The security keys act as if they were GPG smartcard readers, so that makes sense:

7:2020/11/30 10-22-58:(null)(7569):client_xml.c:  181: Reading XML file (cards) from here: /usr/share/chipcard/cards
7:2020/11/30 10-22-59:(null)(7569):client_xml.c:  181: Reading XML file (apps) from here: /usr/share/chipcard/apps
7:2020/11/30 10-22-59:(null)(7569):driverinfo.c:  234: Reading driver file "/usr/share/chipcard/drivers/cyberjack_pcsc.xml"
6:2020/11/30 10-22-59:(null)(7569):driverinfo.c:  175: XML file "/usr/share/chipcard/drivers/cyberjack_pcsc.xml" contains no readers
7:2020/11/30 10-22-59:(null)(7569):driverinfo.c:  234: Reading driver file "/usr/share/chipcard/drivers/generic_pcsc.xml"
6:2020/11/30 10-22-59:(null)(7569):driverinfo.c:  175: XML file "/usr/share/chipcard/drivers/generic_pcsc.xml" contains no readers
6:2020/11/30 10-22-59:(null)(7569):cardcounter.c:   50: Connecting to server.
6:2020/11/30 10-22-59:(null)(7569):cardcounter.c:   55: Connected.
6:2020/11/30 10-22-59:(null)(7569):cardcounter.c:   60: Waiting 20 seconds for next card...
7:2020/11/30 10-22-59:(null)(7569):client_cmd.c:   12: Adding card types...
4:2020/11/30 10-22-59:chipcard3-client(7569):card.c:  146: Unknown card type (no matching ATR)
6:2020/11/30 10-22-59:(null)(7569):cardcounter.c:   67: Found a card.
6:2020/11/30 10-22-59:(null)(7569):cardcounter.c:   70: Access to this card is provided by reader: "Yubico YubiKey OTP+FIDO+CCID 00 00"
6:2020/11/30 10-22-59:(null)(7569):cardcounter.c:   75: This card is of type: "processor"
6:2020/11/30 10-22-59:(null)(7569):cardcounter.c:   85: Opening card.
6:2020/11/30 10-22-59:(null)(7569):cardcounter.c:   91: Card is a CipTanUsb card as expected.
6:2020/11/30 10-22-59:(null)(7569):cardcounter.c:   96: I am done with this card.
6:2020/11/30 10-22-59:(null)(7569):cardcounter.c:   98: Waiting 20 seconds for next card...
7:2020/11/30 10-22-59:(null)(7569):client_cmd.c:   12: Adding card types...
4:2020/11/30 10-22-59:chipcard3-client(7569):card.c:  146: Unknown card type (no matching ATR)
6:2020/11/30 10-22-59:(null)(7569):cardcounter.c:   67: Found a card.
6:2020/11/30 10-22-59:(null)(7569):cardcounter.c:   70: Access to this card is provided by reader: "Nitrokey Nitrokey Storage (0000000000000) 01 00"
6:2020/11/30 10-22-59:(null)(7569):cardcounter.c:   75: This card is of type: "processor"
6:2020/11/30 10-22-59:(null)(7569):cardcounter.c:   85: Opening card.
6:2020/11/30 10-22-59:(null)(7569):cardcounter.c:   91: Card is a CipTanUsb card as expected.
6:2020/11/30 10-23-00:(null)(7569):cardcounter.c:   96: I am done with this card.
6:2020/11/30 10-23-00:(null)(7569):cardcounter.c:   98: Waiting 20 seconds for next card...
7:2020/11/30 10-23-00:(null)(7569):client_cmd.c:   12: Adding card types...
4:2020/11/30 10-23-00:chipcard3-client(7569):card.c:  146: Unknown card type (no matching ATR)
6:2020/11/30 10-23-00:(null)(7569):cardcounter.c:   67: Found a card.
6:2020/11/30 10-23-00:(null)(7569):cardcounter.c:   70: Access to this card is provided by reader: "Yubico YubiKey OTP+FIDO+CCID 02 00"
6:2020/11/30 10-23-00:(null)(7569):cardcounter.c:   75: This card is of type: "processor"
6:2020/11/30 10-23-00:(null)(7569):cardcounter.c:   85: Opening card.
6:2020/11/30 10-23-00:(null)(7569):cardcounter.c:   91: Card is a CipTanUsb card as expected.
6:2020/11/30 10-23-00:(null)(7569):cardcounter.c:   96: I am done with this card.
6:2020/11/30 10-23-00:(null)(7569):cardcounter.c:   98: Waiting 20 seconds for next card...
6:2020/11/30 10-23-21:(null)(7569):cardcounter.c:  101: Found a total of 3 cards.

hoehermann commented 3 years ago

Thank you for your participation. It is very helpful.

On the bright side: We can use the string to distinguish the readers.

On the not-so-bright side: GetTanfromUSB_Generator does not offer any argument to select the reader. The normal card client interface does not expose the reader's name, either. For this reason, I would need to reimplement GetTanfromUSB_Generator and copy card_p.h and dependencies into my code. I need to figure out how to do this without losing any chance to incorporate future updates to libchipcard.
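
As an added illustration of "using the string to distinguish the readers" (example code written for this thread, not part of usbtan-cli or libchipcard): the parser below walks cardcounter output like the logs posted above, pairs each "Found a card." block with its reader name and with whether the preceding "Unknown card type (no matching ATR)" warning appeared, and then keeps only readers that look like a real TAN generator. The pairing of the ATR warning with the card reported right after it is an assumption drawn from the log layout; SECURITY_KEY_PREFIXES is a hypothetical deny-list built from the two vendor names in the thread.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the cardcounter output quoted in this thread, trimmed to the lines the parser uses.
SAMPLE_LOG = """\
7:2020/11/30 10-14-44:(null)(4661):client_cmd.c:   12: Adding card types...
4:2020/11/30 10-14-44:chipcard3-client(4661):card.c:  146: Unknown card type (no matching ATR)
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   67: Found a card.
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   70: Access to this card is provided by reader: "Yubico YubiKey OTP+FIDO+CCID 00 00"
7:2020/11/30 10-14-44:(null)(4661):client_cmd.c:   12: Adding card types...
4:2020/11/30 10-14-44:chipcard3-client(4661):card.c:  146: Unknown card type (no matching ATR)
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   67: Found a card.
6:2020/11/30 10-14-44:(null)(4661):cardcounter.c:   70: Access to this card is provided by reader: "Nitrokey Nitrokey Storage (0000000000000) 01 00"
7:2020/11/30 10-14-45:(null)(4661):client_cmd.c:   12: Adding card types...
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   67: Found a card.
6:2020/11/30 10-14-45:(null)(4661):cardcounter.c:   70: Access to this card is provided by reader: "Reiner tanjack usb (AF3BDCA25C) 03 00"
"""

# libchipcard log layout as seen above: level:timestamp:process(pid):source file:  line: message
LINE_RE = re.compile(r"^(?P<level>\d):(?P<ts>[^:]+):(?P<proc>[^:]+):(?P<src>[\w.]+):\s*(?P<srcline>\d+): (?P<msg>.*)$")
READER_RE = re.compile(r'Access to this card is provided by reader: "(?P<reader>[^"]*)"')
# Hypothetical deny-list of reader-name prefixes for security keys that get picked up as card readers.
SECURITY_KEY_PREFIXES = ("Yubico", "Nitrokey")

@dataclass
class CardSeen:
    reader: str = ""
    atr_matched: bool = True  # False if "Unknown card type (no matching ATR)" preceded "Found a card."

def parse_cardcounter_log(text: str) -> list[CardSeen]:
    """Group cardcounter output into one CardSeen per 'Found a card.' block."""
    cards, current, no_atr_pending = [], None, False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if "Unknown card type (no matching ATR)" in msg:
            no_atr_pending = True  # assumption: the warning belongs to the next card reported
        elif msg == "Found a card.":
            current = CardSeen(atr_matched=not no_atr_pending)
            cards.append(current)
            no_atr_pending = False
        elif current is not None and (r := READER_RE.search(msg)):
            current.reader = r["reader"]
    return cards

def tan_reader_candidates(cards: list[CardSeen], deny=SECURITY_KEY_PREFIXES) -> list[str]:
    # Keep readers whose card ATR was recognised and whose name is not a known security key.
    return [c.reader for c in cards if c.atr_matched and not c.reader.startswith(deny)]
```

Run against the constructed excerpt, only the TanJack reader survives both filters, which is the device a reader-selection parameter would want to default to.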

xorbital commented 3 years ago

Thanks for your investigation there 👍 Doesn't sound too practical...

I was thinking about realizing this at a different level - packaging this as a flatpak could be an easy way to only allow access to a single device. I know that's a bit overkill, is there maybe a different approach to block access to the "wrong" devices? 🤔