added debugging

src/libopensc/card-piv.c

@@ -22,6 +22,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
 
+#include "errors.h"
 #if HAVE_CONFIG_H
 #include "config.h"
 #endif
@@ -4384,20 +4385,22 @@ static int piv_get_pin_preference(sc_card_t *card, int *pin_ref)
 	LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
 }
 
-static void
+static int
 piv_yk_metadata_get_policy(sc_context_t *ctx, u8 *buf, size_t buflen, u8 *pin, u8 *touch)
 {
 	size_t policylen;
 	const u8 *policy = sc_asn1_find_tag(ctx, buf, buflen, 0x02, &policylen);
 	if (policy && policylen == 2) {
 		*pin = policy[0];
 		*touch = policy[1];
+		return SC_SUCCESS;
 	} else {
 		sc_log(ctx, "Yubikey PIN policy not found");
+		return SC_ERROR_DATA_OBJECT_NOT_FOUND;
 	}
 }
 
-static void
+static int
 piv_yk_get_metadata(sc_card_t *card, u8 slot, u8 *pin_policy, u8 *touch_policy)
 {
 	sc_apdu_t apdu;
@@ -4414,7 +4417,7 @@ piv_yk_get_metadata(sc_card_t *card, u8 slot, u8 *pin_policy, u8 *touch_policy)
 	if (priv->yubico_version < 0x00050300) {
 		if (priv->yubico_version != 0)
 			sc_log(card->ctx, "Yubikey's PIN and touch policy not available");
-		return;
+		return SC_ERROR_NOT_SUPPORTED;
 	}
 
 	for (i = 0; i < (sizeof(priv->yk_pin) / sizeof(*priv->yk_pin) - 1); i++) {
@@ -4430,30 +4433,33 @@ piv_yk_get_metadata(sc_card_t *card, u8 slot, u8 *pin_policy, u8 *touch_policy)
 	if (priv->yk_pin[i].slot == 0x00) {
 		/* initialize this entry */
 		sc_format_apdu_ex(&apdu, 0x00, 0xF7, 0x00, slot, NULL, 0, resp, sizeof resp);
-		if (SC_SUCCESS == sc_transmit_apdu(card, &apdu) && SC_SUCCESS == sc_check_sw(card, apdu.sw1, apdu.sw2)) {
-			piv_yk_metadata_get_policy(card->ctx, resp, apdu.resplen,
-					&priv->yk_pin[i].policy,
-					&priv->yk_pin[i].touch);
+		if (SC_SUCCESS == sc_transmit_apdu(card, &apdu) && SC_SUCCESS == sc_check_sw(card, apdu.sw1, apdu.sw2)
+				&& SC_SUCCESS == piv_yk_metadata_get_policy(card->ctx, resp, apdu.resplen, &priv->yk_pin[i].policy, &priv->yk_pin[i].touch)) {
 			sc_log(card->ctx, "PIN policy for slot 0x%02X: 0x%02X (touch 0x%02X)",
 					slot, priv->yk_pin[i].policy, priv->yk_pin[i].touch);
 			priv->yk_pin[i].slot = slot;
+		} else {
+			sc_log(card->ctx, "Could not get Yubikey's PIN and touch policy");
+			return SC_ERROR_INVALID_DATA;
 		}
+	} else if (priv->yk_pin[i].slot != slot) {
+		sc_log(card->ctx, "No free slot found");
+		return SC_ERROR_INTERNAL;
 	}
 
-	if (priv->yk_pin[i].slot == slot) {
-		if (pin_policy)
-			*pin_policy = priv->yk_pin[i].policy;
-		if (touch_policy)
-			*touch_policy = priv->yk_pin[i].touch;
-	}
+	if (pin_policy)
+		*pin_policy = priv->yk_pin[i].policy;
+	if (touch_policy)
+		*touch_policy = priv->yk_pin[i].touch;
+
+	return SC_SUCCESS;
 }
 
 static int
 piv_yk_pin_policy(sc_card_t *card, u8 *ptr)
 {
 	u8 slot = *ptr;
-	piv_yk_get_metadata(card, slot, ptr, NULL);
-	LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
+	LOG_FUNC_RETURN(card->ctx, piv_yk_get_metadata(card, slot, ptr, NULL));
 }
 
 static int piv_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)

src/libopensc/pkcs15-piv.c

@@ -1167,21 +1167,28 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 		prkey_obj.flags = prkeys[i].obj_flags;
 		prkey_obj.user_consent = prkeys[i].user_consent; /* only Sign key */
 
-		sc_card_ctl(p15card->card, SC_CARDCTL_PIV_YK_PIN_POLICY, &pin_policy);
-		switch (pin_policy) {
-		case 0x02:
-			/* PIN is checked once for the session */
-			prkey_obj.user_consent = 0;
-			break;
-		case 0x03:
-			/* PIN is verified just before operation */
-			prkey_obj.user_consent = 1;
-		}
-		/* PIN is never checked for operations if PIN policy is set to 0x01 */
-		if (prkeys[i].auth_id && pin_policy != 0x01)
+		r = sc_card_ctl(p15card->card, SC_CARDCTL_PIV_YK_PIN_POLICY, &pin_policy);
+		if (r == SC_SUCCESS) switch (pin_policy) {
+			case 0x01:
+				prkey_obj.flags &= ~SC_PKCS15_CO_FLAG_PRIVATE;
+				sc_log(card->ctx, "PIN is never checked");
+				break;
+			case 0x02:
+				prkey_obj.user_consent = 0;
+				sc_pkcs15_format_id(prkeys[i].auth_id, &prkey_obj.auth_id);
+				sc_log(card->ctx, "PIN is checked once for the session");
+				break;
+			case 0x03:
+				prkey_obj.user_consent = 1;
+				sc_pkcs15_format_id(prkeys[i].auth_id, &prkey_obj.auth_id);
+				sc_log(card->ctx, "PIN is verified just before operation");
+				break;
+			case 0x00:
+			default:
+				sc_pkcs15_format_id(prkeys[i].auth_id, &prkey_obj.auth_id);
+				break;
+		} else
 			sc_pkcs15_format_id(prkeys[i].auth_id, &prkey_obj.auth_id);
-		else
-			prkey_obj.flags &= ~SC_PKCS15_CO_FLAG_PRIVATE;
 
 		/*
 		 * When no cert is present and a pubkey in a file was found,