Conversation

sosthene-nitrokey, Contributor

From NIST SP 800-73-4:

If the currently selected application is the PIV Card Application when the SELECT command is given
and the AID in the data field of the SELECT command is an invalid AID not supported by the ICC, then
the PIV Card Application shall remain the currently selected application and all PIV Card Application
security status indicators shall remain unchanged.

@dengert commented Feb 7, 2025

Thanks.

The section of 800-74-4 lists 4 cases. Since these cards can also have an OpenPGP applet,
if the OpenPGP AID was received, 800-73-4 would require the PIV to lose login state, but that makes it harder
if a user wants to have one application using PIV and another using OpenPGP without having to re-enter the PIN or use a cached PIN.
If a user only wants to use one of the applets, is there a way to disable one or more of the applets so only one is active, to avoid this situation? (Yubikey can do that.)

I am not familiar with Rust, but does the change return "not found" for an unknown AID? 6A 82

@sosthene-nitrokey, Contributor Author

if openpgp AID was received, 800-73-4 would require the PIV to lose login state,

From what I understand the previous behaviour was already correct for the case of selecting an existing AID.

If user only wants to use one of the applet, Is there a way to disable one or more of the applets so only one is active, to avoid this situation

Yes: `nitropy nk3 set-config piv.disabled true` and `nitropy nk3 set-config opcard.disabled true` for disabling PIV and OpenPGP respectively. To re-enable them, it's the same command with `false` instead of `true`. We're working on exposing this config in the Nitrokey App 2. It's also an issue with some software

I am not familiar with Rust, but does the change return "not found" for an unknown AID? 6A 82

Yes, this does not change

@dengert commented Feb 10, 2025

Looks good. I will be looking for the next firmware update to try it.
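As an added illustration of the behaviour discussed in this thread (example code, not the PR's or the nitrokey firmware's own): a minimal Rust model of applet selection in which an unknown or disabled AID returns 6A82 and leaves the current applet and the PIV login state untouched, while selecting a different supported applet deselects PIV and clears its login state. The `Applet` enum, the `Dispatcher` type and the use of the standard PIV and OpenPGP AIDs as lookup keys are assumptions made for this example.

```rust
// Added example (not the PR's code); Applet, Dispatcher and the AID table are assumptions.
/// Standard PIV and OpenPGP AIDs, used here only as lookup keys for illustration.
pub const PIV_AID: &[u8] = &[0xA0, 0x00, 0x00, 0x03, 0x08, 0x00, 0x00, 0x10, 0x00, 0x01, 0x00];
pub const OPENPGP_AID: &[u8] = &[0xD2, 0x76, 0x00, 0x01, 0x24, 0x01];
pub const SW_OK: u16 = 0x9000;
pub const SW_FILE_NOT_FOUND: u16 = 0x6A82; // "not found" returned for an unknown AID

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Applet { Piv, OpenPgp }

pub struct Dispatcher {
    current_aid: Option<Applet>,
    /// PIV security status indicator: PIN verified since PIV was selected.
    piv_pin_verified: bool,
    /// Applets disabled by configuration (e.g. `piv.disabled true`); treated as absent.
    disabled: Vec<Applet>,
}

impl Dispatcher {
    pub fn new(disabled: Vec<Applet>) -> Self {
        Dispatcher { current_aid: None, piv_pin_verified: false, disabled }
    }
    pub fn current_applet(&self) -> Option<Applet> { self.current_aid }
    pub fn piv_pin_verified(&self) -> bool { self.piv_pin_verified }

    /// Resolve an AID to an enabled applet; unknown or disabled AIDs yield None.
    fn lookup(&self, aid: &[u8]) -> Option<Applet> {
        let applet = match aid {
            a if a == PIV_AID => Applet::Piv,
            a if a == OPENPGP_AID => Applet::OpenPgp,
            _ => return None,
        };
        if self.disabled.contains(&applet) { None } else { Some(applet) }
    }

    /// SELECT: an unknown AID returns 6A82 and changes nothing; a different applet deselects PIV.
    pub fn select(&mut self, aid: &[u8]) -> u16 {
        let applet = match self.lookup(aid) {
            Some(a) => a,
            None => return SW_FILE_NOT_FOUND, // current applet and its status stay as they were
        };
        let old_aid = self.current_aid.replace(applet); // Option::replace, as suggested in review
        if old_aid == Some(Applet::Piv) && applet != Applet::Piv {
            self.piv_pin_verified = false; // PIV lost its login state
        }
        SW_OK
    }

    /// Record a successful PIV PIN verification; only possible while PIV is selected.
    pub fn set_piv_pin_verified(&mut self) -> bool {
        self.piv_pin_verified = self.current_aid == Some(Applet::Piv);
        self.piv_pin_verified
    }
}
```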

};

self.current_aid = Some(aid);
let old_aid = mem::replace(&mut self.current_aid, Some(aid));
Member


nit: Can we use Option::replace instead? IMHO easier to read.

Suggested change
let old_aid = mem::replace(&mut self.current_aid, Some(aid));
let old_aid = self.current_aid.replace(aid);

Contributor Author


Good catch. Probably should be a clippy lint.

@sosthene-nitrokey sosthene-nitrokey merged commit 228013c into main Feb 12, 2025
1 check passed
@robin-nitrokey robin-nitrokey deleted the fix-deselect-not-found branch February 12, 2025 14:05