Add initial support for SCP

core/src/main/java/com/yubico/yubikit/core/smartcard/ApduFormatProcessor.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2024 Yubico.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.yubico.yubikit.core.smartcard;
+
+import java.io.IOException;
+
+abstract class ApduFormatProcessor implements ApduProcessor {
+    protected final SmartCardConnection connection;
+
+    ApduFormatProcessor(SmartCardConnection connection) {
+        this.connection = connection;
+    }
+
+    abstract byte[] formatApdu(byte cla, byte ins, byte p1, byte p2, byte[] data, int offset, int length, int le);
+
+    @Override
+    public ApduResponse sendApdu(Apdu apdu) throws IOException {
+        byte[] data = apdu.getData();
+        byte[] payload = formatApdu(apdu.getCla(), apdu.getIns(), apdu.getP1(), apdu.getP2(), data, 0, data.length, apdu.getLe());
+        return new ApduResponse(connection.sendAndReceive(payload));
+    }
+}

testing/src/main/java/com/yubico/yubikit/testing/piv/PivTestConstants.java → core/src/main/java/com/yubico/yubikit/core/smartcard/ApduProcessor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 Yubico.
+ * Copyright (C) 2024 Yubico.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,12 +14,13 @@
  * limitations under the License.
  */
 
-package com.yubico.yubikit.testing.piv;
+package com.yubico.yubikit.core.smartcard;
 
-import org.bouncycastle.util.encoders.Hex;
+import com.yubico.yubikit.core.application.BadResponseException;
 
-public class PivTestConstants {
-    static final byte[] DEFAULT_MANAGEMENT_KEY = Hex.decode("010203040506070801020304050607080102030405060708");
-    static final char[] DEFAULT_PIN = "123456".toCharArray();
-    static final char[] DEFAULT_PUK = "12345678".toCharArray();
+import java.io.Closeable;
+import java.io.IOException;
+
+public interface ApduProcessor extends Closeable {
+    ApduResponse sendApdu(Apdu apdu) throws IOException, BadResponseException;
 }

core/src/main/java/com/yubico/yubikit/core/smartcard/AppId.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 Yubico.
+ * Copyright (C) 2022,2024 Yubico.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,11 +17,13 @@
 package com.yubico.yubikit.core.smartcard;
 
 public final class AppId {
-    public static final byte[] MANAGEMENT = {(byte)0xa0, 0x00, 0x00, 0x05, 0x27, 0x47, 0x11, 0x17};
+    public static final byte[] MANAGEMENT = {(byte) 0xa0, 0x00, 0x00, 0x05, 0x27, 0x47, 0x11, 0x17};
     public static final byte[] OTP = {(byte) 0xa0, 0x00, 0x00, 0x05, 0x27, 0x20, 0x01, 0x01};
     public static final byte[] OATH = {(byte) 0xa0, 0x00, 0x00, 0x05, 0x27, 0x21, 0x01, 0x01};
     public static final byte[] PIV = {(byte) 0xa0, 0x00, 0x00, 0x03, 0x08};
     public static final byte[] FIDO = {(byte) 0xa0, 0x00, 0x00, 0x06, 0x47, 0x2f, 0x00, 0x01};
     public static final byte[] OPENPGP = {(byte) 0xd2, 0x76, 0x00, 0x01, 0x24, 0x01};
     public static final byte[] HSMAUTH = {(byte) 0xa0, 0x00, 0x00, 0x05, 0x27, 0x21, 0x07, 0x01};
+    public static final byte[] SECURITYDOMAIN = {(byte) 0xa0, 0x00, 0x00, 0x01, 0x51, 0x00, 0x00, 0x00};
+
 }

core/src/main/java/com/yubico/yubikit/core/smartcard/ChainedResponseProcessor.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2024 Yubico.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.yubico.yubikit.core.smartcard;
+
+import com.yubico.yubikit.core.application.BadResponseException;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+class ChainedResponseProcessor implements ApduProcessor {
+    private static final byte SW1_HAS_MORE_DATA = 0x61;
+
+    private final SmartCardConnection connection;
+    protected final ApduFormatProcessor processor;
+    private final byte[] getData;
+
+    ChainedResponseProcessor(SmartCardConnection connection, boolean extendedApdus, int maxApduSize, byte insSendRemaining) {
+        this.connection = connection;
+        if (extendedApdus) {
+            processor = new ExtendedApduProcessor(connection, maxApduSize);
+        } else {
+            processor = new ShortApduProcessor(connection);
+        }
+        getData = processor.formatApdu((byte)0, insSendRemaining, (byte)0, (byte)0, new byte[0], 0, 0, 0);
+    }
+
+    @Override
+    public ApduResponse sendApdu(Apdu apdu) throws IOException, BadResponseException {
+        ApduResponse response = processor.sendApdu(apdu);
+        // Read full response
+        ByteArrayOutputStream readBuffer = new ByteArrayOutputStream();
+        while (response.getSw() >> 8 == SW1_HAS_MORE_DATA) {
+            readBuffer.write(response.getData());
+            response = new ApduResponse(connection.sendAndReceive(getData));
+        }
+        readBuffer.write(response.getData());
+        readBuffer.write(response.getSw() >> 8);
+        readBuffer.write(response.getSw() & 0xff);
+        return new ApduResponse(readBuffer.toByteArray());
+    }
+
+    @Override
+    public void close() throws IOException {
+        processor.close();
+    }
+}

core/src/main/java/com/yubico/yubikit/core/smartcard/ExtendedApduProcessor.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2024 Yubico.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.yubico.yubikit.core.smartcard;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+
+class ExtendedApduProcessor extends ApduFormatProcessor {
+    private final int maxApduSize;
+
+    ExtendedApduProcessor(SmartCardConnection connection, int maxApduSize) {
+        super(connection);
+        this.maxApduSize = maxApduSize;
+    }
+
+    @Override
+    byte[] formatApdu(byte cla, byte ins, byte p1, byte p2, byte[] data, int offset, int length, int le) {
+        ByteBuffer buf = ByteBuffer.allocate(5 + (data.length > 0 ? 2 : 0) + data.length + (le > 0 ? 2 : 0))
+                .put(cla)
+                .put(ins)
+                .put(p1)
+                .put(p2)
+                .put((byte) 0x00);
+        if (data.length > 0) {
+            buf.putShort((short) data.length).put(data);
+        }
+        if (le > 0) {
+            buf.putShort((short) le);
+        }
+        if (buf.limit() > maxApduSize) {
+            throw new UnsupportedOperationException("APDU length exceeds YubiKey capability");
+        }
+        return buf.array();
+    }
+
+    @Override
+    public void close() throws IOException {
+    }
+}

testing-android/src/main/java/com/yubico/yubikit/testing/framework/DeviceInstrumentedTests.java → core/src/main/java/com/yubico/yubikit/core/smartcard/MaxApduSize.java

@@ -14,17 +14,14 @@
  * limitations under the License.
  */
 
-package com.yubico.yubikit.testing.framework;
+package com.yubico.yubikit.core.smartcard;
 
-import com.yubico.yubikit.core.YubiKeyDevice;
+final class MaxApduSize {
+    static final int NEO = 1390;
+    static final int YK4 = 2038;
+    static final int YK4_3 = 3062;
 
-public class DeviceInstrumentedTests extends YKInstrumentedTests {
-
-    public interface Callback {
-        void invoke(YubiKeyDevice value) throws Throwable;
-    }
-
-    protected void withDevice(Callback callback) throws Throwable {
-        callback.invoke(device);
+    private MaxApduSize() {
+        throw new IllegalStateException();
     }
-}
+}

core/src/main/java/com/yubico/yubikit/core/smartcard/SW.java

@@ -34,6 +34,7 @@ public final class SW {
     public static final short REFERENCED_DATA_NOT_FOUND = 0x6A88;
     public static final short WRONG_PARAMETERS_P1P2 = 0x6B00;
     public static final short INVALID_INSTRUCTION = 0x6D00;
+    public static final short CLASS_NOT_SUPPORTED = 0x6E00;
     public static final short COMMAND_ABORTED = 0x6F00;
     public static final short OK = (short) 0x9000;
 

core/src/main/java/com/yubico/yubikit/core/smartcard/ScpProcessor.java

@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2024 Yubico.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.yubico.yubikit.core.smartcard;
+
+import com.yubico.yubikit.core.application.BadResponseException;
+import com.yubico.yubikit.core.smartcard.scp.ScpState;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.Arrays;
+
+public class ScpProcessor extends ChainedResponseProcessor {
+    private final ScpState state;
+
+    ScpProcessor(SmartCardConnection connection, ScpState state, int maxApduSize, byte insSendRemaining) {
+        super(connection, true, maxApduSize, insSendRemaining);
+        this.state = state;
+    }
+
+    @Override
+    public ApduResponse sendApdu(Apdu apdu) throws IOException, BadResponseException {
+        return sendApdu(apdu, true);
+    }
+
+    public ApduResponse sendApdu(Apdu apdu, boolean encrypt) throws IOException, BadResponseException {
+        byte[] data = apdu.getData();
+        if (encrypt) {
+            data = state.encrypt(data);
+        }
+        byte cla = (byte) (apdu.getCla() | 0x04);
+
+        // Calculate and add MAC to data
+        byte[] macedData = new byte[data.length + 8];
+        System.arraycopy(data, 0, macedData, 0, data.length);
+        byte[] apduData = processor.formatApdu(cla, apdu.getIns(), apdu.getP1(), apdu.getP2(), macedData, 0, macedData.length, 0);
+        byte[] mac = state.mac(Arrays.copyOf(apduData, apduData.length - 8));
+        System.arraycopy(mac, 0, macedData, macedData.length - 8, 8);
+
+        ApduResponse resp = super.sendApdu(new Apdu(cla, apdu.getIns(), apdu.getP1(), apdu.getP2(), macedData, apdu.getLe()));
+        byte[] respData = resp.getData();
+
+        // Un-MAC and decrypt, if needed
+        if (respData.length > 0) {
+            respData = state.unmac(respData, resp.getSw());
+        }
+        if (respData.length > 0) {
+            respData = state.decrypt(respData);
+        }
+
+        return new ApduResponse(ByteBuffer.allocate(respData.length + 2).put(respData).putShort(resp.getSw()).array());
+    }
+}

core/src/main/java/com/yubico/yubikit/core/smartcard/ShortApduProcessor.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2024 Yubico.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.yubico.yubikit.core.smartcard;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+
+class ShortApduProcessor extends ApduFormatProcessor {
+    private static final int SHORT_APDU_MAX_CHUNK = 0xff;
+
+    ShortApduProcessor(SmartCardConnection connection) {
+        super(connection);
+    }
+
+    @Override
+    byte[] formatApdu(byte cla, byte ins, byte p1, byte p2, byte[] data, int offset, int length, int le) {
+        if (length > SHORT_APDU_MAX_CHUNK) {
+            throw new IllegalArgumentException("Length must be no greater than " + SHORT_APDU_MAX_CHUNK);
+        }
+        if (le < 0 || le > SHORT_APDU_MAX_CHUNK) {
+            throw new IllegalArgumentException("Le must be between 0 and " + SHORT_APDU_MAX_CHUNK);
+        }
+
+        ByteBuffer buf = ByteBuffer.allocate(4 + (length > 0 ? 1 : 0) + length + (le > 0 ? 1 : 0))
+                .put(cla)
+                .put(ins)
+                .put(p1)
+                .put(p2);
+        if (length > 0) {
+            buf.put((byte) length).put(data, offset, length);
+        }
+        if (le > 0) {
+            buf.put((byte) le);
+        }
+        return buf.array();
+    }
+
+    @Override
+    public ApduResponse sendApdu(Apdu apdu) throws IOException {
+        byte[] data = apdu.getData();
+        int offset = 0;
+        while (data.length - offset > SHORT_APDU_MAX_CHUNK) {
+            ApduResponse response = new ApduResponse(connection.sendAndReceive(formatApdu((byte) (apdu.getCla() | 0x10), apdu.getIns(), apdu.getP1(), apdu.getP2(), data, offset, SHORT_APDU_MAX_CHUNK, apdu.getLe())));
+            if (response.getSw() != SW.OK) {
+                return response;
+            }
+            offset += SHORT_APDU_MAX_CHUNK;
+        }
+        return new ApduResponse(connection.sendAndReceive(formatApdu(apdu.getCla(), apdu.getIns(), apdu.getP1(), apdu.getP2(), data, offset, data.length - offset, apdu.getLe())));
+    }
+
+    @Override
+    public void close() throws IOException {
+    }
+}