pivy
CHUID with a deprecated field in YubiKey
Hi, I recently received a "new" YubiKey 5 Nano with already imported PIV certs (corporate CA). When running pivy-tool -d list, this new key produces:

    error = InvalidDataError: PIV device 'Yubico YubiKey FIDO+CCID 00 00' returned invalid or unsupported payload
        in piv_read_chuid() at piv.c:1112
      Caused by PIVTagError: Invalid tag 0x3d in PIV CHUID response
        in piv_chuid_decode() at piv.c:7300

Tag 0x3d is a deprecated field and not even listed anymore in the latest PIV spec. An older one (https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-73-2.pdf) still has it. When I hack piv.c:7305:piv_chuid_decode() to just skip the tag, I can successfully run the list command and get all the info displayed. pivy-agent also seems to work just fine then. I don't know why the key has this deprecated field (it's probably not regenerated when importing certs), but do you think adding it to the parser (and dropping its content) would hurt?
I'm attaching a pull request with my extremely simple patch.
I'm going to keep this issue open (even though the PR is merged), because we will probably need to still keep a copy of this field in order to generate the to-be-signed CHUID for CHUID signature validation later.
Currently that code isn't finished in general, so it isn't super important, but it's coming.
Sure, thanks for your help and the quick response!
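The two points raised in this thread (accept the deprecated tag 0x3D instead of rejecting the CHUID, but keep its raw bytes for later signature checking) can be sketched as follows. This is an added example, not pivy's code and not part of the original thread: `chuid_info`, `chuid_scan`, `known_tag` and the sample bytes are hypothetical, the input is assumed to be the CHUID contents already unwrapped from the data object, and the to-be-signed data is assumed to be every TLV except the signature field 0x3E, in card order.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical result type for this example; not pivy's own struct. */
struct chuid_info {
    uint8_t tbs[512];  /* raw TLVs retained for the to-be-signed data */
    size_t  tbs_len;
    size_t  sig_len;   /* length of the 0x3E signature value */
    int     saw_3d;    /* deprecated tag 0x3D was present */
};

/* Constructed sample: shortened values, empty 0x3D field, 2-byte "signature". */
static const uint8_t sample_chuid[] = { 0x30, 0x02, 0xAA, 0xBB, 0x3D, 0x00,
    0x34, 0x01, 0x11, 0x3E, 0x02, 0xDE, 0xAD, 0xFE, 0x00 };

static int known_tag(uint8_t t)
{
    /* CHUID tags accepted here; 0x3D is the deprecated one from the issue. */
    static const uint8_t ok[] = { 0xEE, 0x30, 0x32, 0x33, 0x34, 0x35,
        0x36, 0x3D, 0x3E, 0xFE };
    return memchr(ok, t, sizeof (ok)) != NULL;
}

/* Returns 0 on success, -1 on malformed input or an unknown tag. */
int chuid_scan(const uint8_t *p, size_t n, struct chuid_info *out)
{
    size_t i = 0;
    memset(out, 0, sizeof (*out));
    while (i < n) {
        size_t start = i, len;
        uint8_t tag = p[i++];
        if (i >= n) return -1;
        len = p[i++];
        if (len == 0x81 || len == 0x82) {      /* long-form length */
            size_t nb = len & 0x0f;
            if (n - i < nb) return -1;
            for (len = 0; nb > 0; nb--) len = (len << 8) | p[i++];
        } else if (len >= 0x80) {
            return -1;                          /* unsupported length form */
        }
        if (len > n - i || !known_tag(tag)) return -1;
        i += len;
        if (tag == 0x3E) { out->sig_len = len; continue; } /* not signed over */
        if (tag == 0x3D) out->saw_3d = 1;       /* value is not interpreted */
        if (i - start > sizeof (out->tbs) - out->tbs_len) return -1;
        memcpy(out->tbs + out->tbs_len, p + start, i - start); /* kept raw */
        out->tbs_len += i - start;
    }
    return 0;
}
```

Dropping the 0x3D bytes at parse time would make `tbs` differ from what the issuer signed whenever the card carries that field, which is the reason given above for keeping a copy.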