# Copyright (c) 2020 Yubico AB
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or
# without modification, are permitted provided that the following
# conditions are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
import logging
import os
import subprocess # nosec
import sys
from time import sleep
from smartcard import System
from smartcard.Exceptions import CardConnectionException, NoCardException
from smartcard.ExclusiveConnectCardConnection import ExclusiveConnectCardConnection
from smartcard.pcsc.PCSCExceptions import ListReadersException
from yubikit.core import PID, TRANSPORT, YUBIKEY
from yubikit.core.fido import SmartCardCtapDevice
from yubikit.core.smartcard import SmartCardConnection
from yubikit.logging import LOG_LEVEL
from yubikit.management import USB_INTERFACE
from yubikit.support import read_info
from ..base import REINSERT_STATUS, CancelledException, YkmanDevice
logger = logging.getLogger(__name__)
YK_READER_NAME = "yubico yubikey"
_YKMAN_NO_EXCLUSIVE = "YKMAN_NO_EXLUSIVE"
# Figure out what the PID should be based on the reader name
def _pid_from_name(name):
if YK_READER_NAME not in name.lower():
return None
interfaces = USB_INTERFACE(0)
for iface in USB_INTERFACE:
if iface.name in name:
interfaces |= iface
if "U2F" in name:
interfaces |= USB_INTERFACE.FIDO
key_type = YUBIKEY.NEO if "NEO" in name else YUBIKEY.YK4
return PID.of(key_type, interfaces)
def _release(connection):
if hasattr(connection, "release"):
connection.release()
[docs]
class ScardSmartCardConnection(SmartCardConnection):
def __init__(self, connection):
connection.connect()
self.connection = connection
atr = self.connection.getATR()
self._transport = (
TRANSPORT.USB if atr and atr[1] & 0xF0 == 0xF0 else TRANSPORT.NFC
)
@property
def transport(self):
return self._transport
[docs]
def close(self):
self.connection.disconnect()
_release(self.connection)
[docs]
def send_and_receive(self, apdu):
"""Sends a command APDU and returns the response data and sw"""
logger.log(LOG_LEVEL.TRAFFIC, "SEND: %s", apdu.hex())
data, sw1, sw2 = self.connection.transmit(list(apdu))
logger.log(
LOG_LEVEL.TRAFFIC, "RECV: %s SW=%02x%02x", bytes(data).hex(), sw1, sw2
)
return bytes(data), sw1 << 8 | sw2
[docs]
class ScardYubiKeyDevice(YkmanDevice):
"""YubiKey Smart card device"""
def __init__(self, reader):
# Base transport on reader name: NFC readers will have a different name
if YK_READER_NAME in reader.name.lower():
transport = TRANSPORT.USB
else:
transport = TRANSPORT.NFC
super().__init__(transport, reader.name, _pid_from_name(reader.name))
self.reader = reader
[docs]
def supports_connection(self, connection_type):
if issubclass(SmartCardCtapDevice, connection_type):
return self.transport == TRANSPORT.NFC
return issubclass(ScardSmartCardConnection, connection_type)
[docs]
def open_connection(self, connection_type):
assert isinstance(connection_type, type) # noqa: S101
if issubclass(ScardSmartCardConnection, connection_type):
return self._open_smartcard_connection()
elif issubclass(SmartCardCtapDevice, connection_type):
return SmartCardCtapDevice(self._open_smartcard_connection())
return super().open_connection(connection_type)
def _open_smartcard_connection(self, retry=True) -> SmartCardConnection:
connection = self.reader.createConnection()
try:
# Try an exclusive connection, unless disabled
if os.environ.get(_YKMAN_NO_EXCLUSIVE) is None:
excl_connection = ExclusiveConnectCardConnection(connection)
try:
scard_conn = ScardSmartCardConnection(excl_connection)
logger.debug("Using exclusive CCID connection")
return scard_conn
except CardConnectionException:
logger.info("Failed to get exclusive CCID access")
# Try a shared connection
return ScardSmartCardConnection(connection)
except CardConnectionException:
_release(connection)
# Neither connection worked, maybe we need to kill stuff
if retry and (kill_scdaemon() or kill_yubikey_agent()):
return self._open_smartcard_connection(False)
raise
except (NoCardException, ValueError):
_release(connection)
# Handle reclaim timeout
# TODO: Maybe only on NEO?
if retry and self.transport == TRANSPORT.USB:
for _ in range(6):
try:
sleep(0.5)
return self._open_smartcard_connection(False)
except (NoCardException, ValueError):
continue
raise
def _do_reinsert(self, reinsert_cb, event):
removed = False
with self.open_connection(SmartCardConnection) as conn:
info = read_info(conn, self.pid)
reinsert_cb(REINSERT_STATUS.REMOVE)
if self.transport == TRANSPORT.NFC:
while not event.wait(0.5):
try:
conn = self.open_connection(SmartCardConnection)
if removed:
info2 = read_info(conn, self.pid)
conn.close()
if info.serial != info2.serial or info.version != info2.version:
raise ValueError(
"Reinserted YubiKey does not match the original"
)
sleep(1.0) # Wait for the device to settle
return
conn.close()
except CardConnectionException:
pass # Expected, ignore
except NoCardException:
if not removed:
reinsert_cb(REINSERT_STATUS.REINSERT)
removed = True
raise CancelledException()
else:
while not event.wait(0.5):
if not removed:
# Wait for the reader to be removed
if self.reader not in list_readers():
reinsert_cb(REINSERT_STATUS.REINSERT)
removed = True
else:
# Wait for the reader to be reinserted
for reader in list_readers():
if reader.name == self.reader.name:
self.reader = reader
with self.open_connection(SmartCardConnection) as conn:
info2 = read_info(conn, self.pid)
if (
info.serial != info2.serial
or info.version != info2.version
):
raise ValueError(
"Reinserted YubiKey does not match the original"
)
sleep(1.0) # Wait for the device to settle
return
raise CancelledException()
[docs]
def kill_scdaemon():
killed = False
if sys.platform == "win32":
# Works for Windows.
from win32api import CloseHandle, OpenProcess, TerminateProcess
from win32com.client import GetObject
wmi = GetObject("winmgmts:")
ps = wmi.InstancesOf("Win32_Process")
for p in ps:
if p.Properties_("Name").Value == "scdaemon.exe":
pid = p.Properties_("ProcessID").Value
handle = OpenProcess(1, False, pid)
TerminateProcess(handle, -1)
CloseHandle(handle)
killed = True
else:
# Works for Linux and OS X.
return_code = subprocess.call(["pkill", "-9", "scdaemon"]) # noqa: S603, S607
if return_code == 0:
killed = True
if killed:
sleep(0.1)
return killed
[docs]
def kill_yubikey_agent():
killed = False
if sys.platform != "win32":
return_code = subprocess.call(["pkill", "-HUP", "yubikey-agent"]) # noqa: S603, S607
if return_code == 0:
killed = True
if killed:
sleep(0.1)
return killed
[docs]
def list_readers():
try:
return System.readers()
except ListReadersException as e:
# If the PCSC system has restarted the context might be stale, try
# forcing a new context (This happens on Windows if the last reader is
# removed):
try:
from smartcard.pcsc.PCSCContext import PCSCContext # type: ignore
PCSCContext.instance = None
return System.readers()
except ImportError:
# As of pyscard 2.2.2 the PCSCContext singleton has been removed
raise e
[docs]
def list_devices(name_filter=None):
name_filter = YK_READER_NAME if name_filter is None else name_filter
devices = []
for reader in list_readers():
if name_filter.lower() in reader.name.lower():
devices.append(ScardYubiKeyDevice(reader))
return devices