Non-standard instructions #58

Open
nickray opened this issue May 10, 2020 · 2 comments
@nickray
Contributor

nickray commented May 10, 2020

Hi! I am writing a PIV application for SoloKeys, and found some idiosyncrasies in this repository (which is named piv-go and not yubico-piv-go 👼).

This is the start of the "handshake" when I run @FiloSottile's https://github.com/FiloSottile/yubikey-agent:

10055575 APDU: 00 A4 04 00 05 A0 00 00 03 08
00001734 SW: 61 11 4F 06 00 00 10 00 01 00 79 07 4F 05 A0 00 00 03 08 90 00

00001345 APDU: 00 FD 00 00 00
00004496 SW: 04 03 04 90 00

00000965 APDU: 00 A4 04 00 08 A0 00 00 05 27 20 01 01
00002205 SW: 04 03 04 01 05 00 05 0F 00 00 90 00

00000661 APDU: 00 01 10 00 00
00000929 SW: 00 52 F7 43 90 00

For one, you send instruction 0xFD (getVersion) against the PIV app, I guess because Yubico implements it there. Secondly, instruction 0x01 is used; is this also an idiosyncrasy? ISO 7816-4 does not contain it. I can "fake" responses here, but it would be neat if answering these commands were not mandatory for non-Yubikeys.

Also, the "AID" in

aidPIV = [...]byte{0xa0, 0x00, 0x00, 0x03, 0x08}
is only the RID for NIST; the AID should be either the right-truncated or full version, including the PIV app's PIX [0x00, 0x00, 0x10, 0x00] or additionally its version [0x01, 0x00].
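
Added example (not code from piv-go or from anyone in this thread): a small Go checker that classifies command APDUs like those in the trace above, flagging INS bytes outside the PIV card command set of NIST SP 800-73-4 and reporting whether a SELECT carries only the NIST RID or the PIV AID. The names `Audit`, `aidKinds` and `pivINS` are made up for this example; the AID bytes come from the comment above.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// AID forms named in the issue: NIST RID alone, RID + PIV PIX, RID + PIX + version.
var aidKinds = map[string]string{
	"a000000308":             "NIST RID only",
	"a00000030800001000":     "PIV AID, right-truncated",
	"a000000308000010000100": "PIV AID, full",
}

// PIV card command INS bytes (NIST SP 800-73-4 Part 2), plus ISO 7816-4 GET RESPONSE.
var pivINS = map[byte]string{
	0xa4: "SELECT", 0xcb: "GET DATA", 0x20: "VERIFY", 0x24: "CHANGE REFERENCE DATA", 0xc0: "GET RESPONSE",
	0x2c: "RESET RETRY COUNTER", 0x87: "GENERAL AUTHENTICATE", 0xdb: "PUT DATA", 0x47: "GENERATE ASYMMETRIC KEY PAIR",
}

// Audit parses one short command APDU (space-separated hex) and returns a finding.
func Audit(apdu string) (string, error) {
	b, err := hex.DecodeString(strings.ReplaceAll(strings.TrimSpace(apdu), " ", ""))
	if err != nil || len(b) < 4 {
		return "", fmt.Errorf("malformed APDU %q", apdu)
	}
	name, ok := pivINS[b[1]]
	if !ok {
		return fmt.Sprintf("INS %02X: not a PIV card command", b[1]), nil
	}
	if b[1] != 0xa4 || b[2] != 0x04 { // anything but SELECT by DF name
		return name, nil
	}
	if len(b) < 5 || len(b) < 5+int(b[4]) { // b[4] is Lc, then Lc bytes of AID
		return "", fmt.Errorf("truncated SELECT %q", apdu)
	}
	if kind, ok := aidKinds[hex.EncodeToString(b[5:5+int(b[4])])]; ok {
		return "SELECT: " + kind, nil
	}
	return "SELECT: non-PIV AID", nil
}

func main() {
	for _, c := range []string{"00 A4 04 00 05 A0 00 00 03 08", "00 FD 00 00 00",
		"00 A4 04 00 08 A0 00 00 05 27 20 01 01", "00 01 10 00 00"} { // from the issue's trace
		r, err := Audit(c)
		fmt.Println(c, "=>", r, err)
	}
}
```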

@FiloSottile

BTW, I know it's named yubikey-agent, but if feasible I'd be happy for it to also support SoloKeys!

@ericchiang
Collaborator

Yep I'm not surprised this only works with YubiKeys since it's the only thing I've tested against. Much of the spec logic is ported directly from the ykpiv C codebase. That's also what's up with all the "YubiKey" structs :)

It'd be good to understand what changes we'd need to make to support other smart cards that implement PIV. Given that, if it's a larger change I likely won't have bandwidth to maintain it. For example I don't own a SoloKey.

If you send changes that don't expose new APIs and keep the YubiKey portions running, I'm happy to test and merge them. If you'd like to add new APIs (e.g. add a SoloKey type), I'd like to discuss that before taking PRs.
