diff --git a/src/libopensc/card-piv.c b/src/libopensc/card-piv.c
5831fa
index 03c83868f1..794472134c 100644
5831fa
--- a/src/libopensc/card-piv.c
5831fa
+++ b/src/libopensc/card-piv.c
5831fa
@@ -3,7 +3,7 @@
5831fa
  * card-default.c: Support for cards with no driver
5831fa
  *
5831fa
  * Copyright (C) 2001, 2002  Juha Yrjölä <juha.yrjola@iki.fi>
5831fa
- * Copyright (C) 2005-2016  Douglas E. Engert <deengert@gmail.com>
5831fa
+ * Copyright (C) 2005-2018  Douglas E. Engert <deengert@gmail.com>
5831fa
  * Copyright (C) 2006, Identity Alliance, Thomas Harning <thomas.harning@identityalliance.com>
5831fa
  * Copyright (C) 2007, EMC, Russell Larner <rlarner@rsa.com>
5831fa
  *
5831fa
@@ -53,6 +53,7 @@
5831fa
 #ifdef ENABLE_ZLIB
5831fa
 #include "compression.h"
5831fa
 #endif
5831fa
+#include "simpletlv.h"
5831fa
 
5831fa
 enum {
5831fa
 	PIV_OBJ_CCC = 0,
5831fa
@@ -146,6 +147,16 @@ enum {
5831fa
 	PIV_STATE_INIT
5831fa
 };
5831fa
 
5831fa
+/* ccc_flags */
5831fa
+#define PIV_CCC_FOUND		0x00000001
5831fa
+#define PIV_CCC_F0_PIV		0x00000002
5831fa
+#define PIV_CCC_F0_CAC		0x00000004
5831fa
+#define PIV_CCC_F0_JAVA		0x00000008
5831fa
+#define PIV_CCC_F3_CAC_PKI	0x00000010
5831fa
+
5831fa
+#define PIV_CCC_TAG_F0		0xF0
5831fa
+#define PIV_CCC_TAG_F3		0xF3
5831fa
+
5831fa
 typedef struct piv_private_data {
5831fa
 	int enumtag;
5831fa
 	int  selected_obj; /* The index into the piv_objects last selected */
5831fa
@@ -174,6 +185,7 @@ typedef struct piv_private_data {
5831fa
 	unsigned int card_issues; /* card_issues flags for this card */
5831fa
 	int object_test_verify; /* Can test this object to set verification state of card */
5831fa
 	int yubico_version; /* 3 byte version number of NEO or Yubikey4  as integer */
5831fa
+	unsigned int ccc_flags;	    /* From  CCC indicate if CAC card */
5831fa
 } piv_private_data_t;
5831fa
 
5831fa
 #define PIV_DATA(card) ((piv_private_data_t*)card->drv_data)
5831fa
@@ -198,6 +210,37 @@ struct piv_aid {
5831fa
  * These can be discovered by trying GET DATA
5831fa
  */
5831fa
 
5831fa
+/* ATRs of cards known to have PIV applet. But must still be tested for a PIV applet */
5831fa
+static const struct sc_atr_table piv_atrs[] = {
5831fa
+	/* CAC cards with PIV from: CAC-utilziation-and-variation-matrix-v2.03-20May2016.doc */
5831fa
+	/* Oberthur Card Systems (PIV Endpoint) with PIV endpoint applet and PIV auth cert OBSOLETE */
5831fa
+	{ "3B:DB:96:00:80:1F:03:00:31:C0:64:77:E3:03:00:82:90.00:C1", NULL, NULL, SC_CARD_TYPE_PIV_II_OBERTHUR, 0, NULL },
5831fa
+
5831fa
+	/* Gemalto (PIV Endpoint) with PIV endpoint applet and PIV auth cert OBSOLETE */
5831fa
+	{ "3B 7D 96 00 00 80 31 80 65 B0 83 11 13 AC 83 00 90 00", NULL, NULL, SC_CARD_TYPE_PIV_II_GEMALTO, 0, NULL },
5831fa
+
5831fa
+	/* Gemalto (PIV Endpoint) 2 entries */
5831fa
+	{ "3B:7D:96:00:00:80:31:80:65:B0:83:11:17:D6:83:00:90:00", NULL, NULL, SC_CARD_TYPE_PIV_II_GEMALTO, 0, NULL },
5831fa
+
5831fa
+	/* Oberthur Card System (PIV Endpoint)  2 entries*/
5831fa
+	{ "3B:DB:96:00:80:1F:03:00:31:C0:64:B0:F3:10:00:07:90:00:80", NULL, NULL, SC_CARD_TYPE_PIV_II_OBERTHUR, 0, NULL },
5831fa
+
5831fa
+	/* Giesecke & Devrient (PIV Endpoint)  2 entries */
5831fa
+	{ "3B:7A:18:00:00:73:66:74:65:20:63:64:31:34:34", NULL, NULL, SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC, 0, NULL },
5831fa
+
5831fa
+	/* PIVKEY from Taligo */
5831fa
+	/* PIVKEY T600 token and T800  on Feitian eJAVA */
5831fa
+	{ "3B:FC:18:00:00:81:31:80:45:90:67:46:4A:00:64:2D:70:C1:72:FE:E0:FE", NULL, NULL, SC_CARD_TYPE_PIV_II_PIVKEY, 0, NULL },
5831fa
+
5831fa
+	/* PIVKEY C910 */
5831fa
+	{ "3b:fc:18:00:00:81:31:80:45:90:67:46:4a:00:64:16:06:f2:72:7e:00:e0", NULL, NULL, SC_CARD_TYPE_PIV_II_PIVKEY, 0, NULL },
5831fa
+
5831fa
+	/* PIVKEY C980 */
5831fa
+	{ "3B:f9:96:00:00:81:31:fe:45:53:50:49:56:4b:45:59:37:30:28", NULL, NULL, SC_CARD_TYPE_PIV_II_PIVKEY, 0, NULL },
5831fa
+
5831fa
+	{ NULL, NULL, NULL, 0, 0, NULL }
5831fa
+};
5831fa
+
5831fa
 /* all have same AID */
5831fa
 static struct piv_aid piv_aids[] = {
5831fa
 	{SC_CARD_TYPE_PIV_II_GENERIC, /* TODO not really card type but what PIV AID is supported */
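Review bot: The first Oberthur row of piv_atrs spells its ATR as `...:82:90.00:C1`, a period where every other byte boundary in the table uses a colon, so if the ATR hex parser rejects or mis-parses that string the row can never match; it should read `"3B:DB:96:00:80:1F:03:00:31:C0:64:77:E3:03:00:82:90:00:C1"`. The SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC row covers only the `73 66 74 65 20 63 64 31 34 34` historical bytes, whereas the `sfte` prefix test this table replaces (removed in a later hunk of this patch, whose comment also lists `73 66 74 65 2D 63 64 30 38 30`) matched both; unless that second card is known to be gone it now falls through to SC_CARD_TYPE_PIV_II_GENERIC and needs its own row. The rows also mix `:`, space and lower-case hex, and the comment typo `utilziation` should be `utilization`.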
5831fa
@@ -209,9 +252,10 @@ static struct piv_aid piv_aids[] = {
5831fa
 #define CI_VERIFY_630X			    0x00000001U /* VERIFY tries left returns 630X rather then 63CX */
5831fa
 #define CI_VERIFY_LC0_FAIL		    0x00000002U /* VERIFY Lc=0 never returns 90 00 if PIN not needed */
5831fa
 							/* will also test after first PIN verify if protected object can be used instead */
5831fa
+#define CI_NO_RANDOM			    0x00000004U /* can not use Challenge to get random data or no 9B key */
5831fa
 #define CI_CANT_USE_GETDATA_FOR_STATE	    0x00000008U /* No object to test verification inplace of VERIFY Lc=0 */
5831fa
 #define CI_LEAKS_FILE_NOT_FOUND		    0x00000010U /* GET DATA of empty object returns 6A 82 even if PIN not verified */
5831fa
-#define CI_DISCOVERY_USELESS		    0x00000020U /* Discovery can not be used to query active AID */
5831fa
+#define CI_DISCOVERY_USELESS		    0x00000020U /* Discovery can not be used to query active AID invalid or no data returned */
5831fa
 #define CI_PIV_AID_LOSE_STATE		    0x00000040U /* PIV AID can lose the login state run with out it*/
5831fa
 
5831fa
 #define CI_OTHER_AID_LOSE_STATE		    0x00000100U /* Other drivers match routines may reset our security state and lose AID!!! */
5831fa
@@ -219,7 +263,7 @@ static struct piv_aid piv_aids[] = {
5831fa
 
5831fa
 #define CI_NO_RSA2048			    0x00010000U /* does not have RSA 2048 */
5831fa
 #define CI_NO_EC384			    0x00020000U /* does not have EC 384 */
5831fa
-
5831fa
+#define CI_NO_EC			    0x00040000U /* No EC at all */
5831fa
 
5831fa
 /*
5831fa
  * Flags in the piv_object:
5831fa
@@ -2222,11 +2266,33 @@ static int piv_get_challenge(sc_card_t *card, u8 *rnd, size_t len)
5831fa
 	size_t rbuf_len = 0, out_len = 0;
5831fa
 	int r;
5831fa
 	unsigned int tag, cla;
5831fa
+	piv_private_data_t * priv = PIV_DATA(card);
5831fa
 
5831fa
 	LOG_FUNC_CALLED(card->ctx);
5831fa
 
5831fa
+	if (priv->card_issues & CI_NO_RANDOM) {
5831fa
+		r = SC_ERROR_NOT_SUPPORTED;
5831fa
+		LOG_TEST_GOTO_ERR(card->ctx, r, "No support for random data");
5831fa
+	}
5831fa
+
5831fa
 	/* NIST 800-73-3 says use 9B, previous verisons used 00 */
5831fa
 	r = piv_general_io(card, 0x87, 0x00, 0x9B, sbuf, sizeof sbuf, &rbuf, &rbuf_len);
5831fa
+	/*
5831fa
+	 * piv_get_challenge is called in a loop. 
5831fa
+	 * some cards may allow 1 challenge expecting it to be part of 
5831fa
+	 * NIST 800-73-3 part 2 "Authentication of PIV Card Application Administrator"
5831fa
+	 * and return "6A 80" if last command was a get_challenge.
5831fa
+	 * Now that the card returned error, we can try one more time.
5831fa
+	 */
5831fa
+	 if (r == SC_ERROR_INCORRECT_PARAMETERS) {
5831fa
+		if (rbuf)
5831fa
+			free(rbuf);
5831fa
+		rbuf_len = 0;
5831fa
+		r = piv_general_io(card, 0x87, 0x00, 0x9B, sbuf, sizeof sbuf, &rbuf, &rbuf_len);
5831fa
+		if (r == SC_ERROR_INCORRECT_PARAMETERS) {
5831fa
+			r = SC_ERROR_NOT_SUPPORTED;
5831fa
+		}
5831fa
+	}
5831fa
 	LOG_TEST_GOTO_ERR(card->ctx, r, "GENERAL AUTHENTICATE failed");
5831fa
 
5831fa
 	p = rbuf;
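Review bot: The retry block frees `rbuf` but leaves the pointer dangling — `rbuf = NULL;` is missing next to `rbuf_len = 0;` — so if the second piv_general_io fails before it assigns `*rbuf`, the function's `err:` cleanup (outside this hunk) may free the buffer a second time; I cannot see from here whether piv_general_io clears `*rbuf` on failure, so please confirm. Since `free(NULL)` is a no-op the `if (rbuf)` guard is unnecessary and the three lines can become `free(rbuf); rbuf = NULL; rbuf_len = 0;`. The ` if (r == SC_ERROR_INCORRECT_PARAMETERS)` line is indented with a space before the tab, unlike the rest of the block. piv_get_challenge continues outside this hunk.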
5831fa
@@ -2635,6 +2701,91 @@ static int piv_process_discovery(sc_card_t *card)
5831fa
 	LOG_FUNC_RETURN(card->ctx, r);
5831fa
 }
5831fa
 
5831fa
+/*
5831fa
+ * parse a CCC to test  if this is a Dual CAC/PIV
5831fa
+ * We read teh CCC using the PIV API.
5831fa
+ * Look for CAC RID=A0 00 00 00 79
5831fa
+ */
5831fa
+ static int piv_parse_ccc(sc_card_t *card, u8* rbuf, size_t rbuflen)
5831fa
+{
5831fa
+	int r = 0;
5831fa
+	const u8 * body;
5831fa
+	size_t bodylen;
5831fa
+	unsigned int cla_out, tag_out;
5831fa
+
5831fa
+	u8  tag;
5831fa
+	const u8 * end;
5831fa
+	size_t len;
5831fa
+
5831fa
+	piv_private_data_t * priv = PIV_DATA(card);
5831fa
+
5831fa
+	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
5831fa
+
5831fa
+	if (rbuf == NULL || rbuflen == 0) {
5831fa
+		r = SC_ERROR_WRONG_LENGTH;
5831fa
+		goto  err;
5831fa
+	}
5831fa
+
5831fa
+	/* Outer layer is a DER tlv */
5831fa
+	body = rbuf;
5831fa
+	if ((r = sc_asn1_read_tag(&body, rbuflen, &cla_out, &tag_out,  &bodylen)) != SC_SUCCESS) {
5831fa
+		sc_log(card->ctx, "DER problem %d",r);
5831fa
+		r = SC_ERROR_INVALID_ASN1_OBJECT;
5831fa
+		goto err;
5831fa
+	}
5831fa
+
5831fa
+	priv->ccc_flags |= PIV_CCC_FOUND;
5831fa
+
5831fa
+	/* CCC  entries are simple tlv */
5831fa
+	end = body + bodylen;
5831fa
+	
5831fa
+	for(; (body < end); body += len) {
5831fa
+	
5831fa
+		r = sc_simpletlv_read_tag((u8**)&body, end - body , &tag, &len;;
5831fa
+		if (r < 0)
5831fa
+			goto err;
5831fa
+		switch (tag) {
5831fa
+			case PIV_CCC_TAG_F0:
5831fa
+				if (len == 0x15) {
5831fa
+					if (memcmp(body ,"\xA0\x00\x00\x03\08", 5) == 0)
5831fa
+						priv->ccc_flags |= PIV_CCC_F0_PIV;
5831fa
+					else if (memcmp(body ,"\xA0\x00\x00\x00\x79", 5) == 0)
5831fa
+						priv->ccc_flags |= PIV_CCC_F0_CAC;
5831fa
+					if (*(body + 6) == 0x02)
5831fa
+						priv->ccc_flags |= PIV_CCC_F0_JAVA;
5831fa
+				}
5831fa
+				break;
5831fa
+			case PIV_CCC_TAG_F3:
5831fa
+				if (len == 0x10) {
5831fa
+					if (memcmp(body ,"\xA0\x00\x00\x00\x79\x04", 6) == 0)
5831fa
+						priv->ccc_flags |= PIV_CCC_F3_CAC_PKI;
5831fa
+				}
5831fa
+				break;
5831fa
+		}
5831fa
+	}
5831fa
+
5831fa
+err:
5831fa
+	LOG_FUNC_RETURN(card->ctx, r);
5831fa
+}
5831fa
+
5831fa
+static int piv_process_ccc(sc_card_t *card)
5831fa
+{
5831fa
+	int r = 0;
5831fa
+	u8 * rbuf = NULL;
5831fa
+	size_t rbuflen = 0;
5831fa
+
5831fa
+	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
5831fa
+	r = piv_get_cached_data(card, PIV_OBJ_CCC, &rbuf, &rbuflen);
5831fa
+
5831fa
+	if (r < 0)
5831fa
+		goto err;
5831fa
+
5831fa
+	/* the object is now cached, see what we have */
5831fa
+	r = piv_parse_ccc(card, rbuf, rbuflen);
5831fa
+err:
5831fa
+	LOG_FUNC_RETURN(card->ctx, r);
5831fa
+}
5831fa
+
5831fa
 
5831fa
 static int piv_find_discovery(sc_card_t *card)
5831fa
 {
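Review bot: In piv_parse_ccc the PIV RID literal `"\xA0\x00\x00\x03\08"` is wrong: `\0` is an octal escape and `8` a plain digit, so the bytes are A0 00 00 03 00 38 and the five-byte memcmp can never match A0 00 00 03 08, leaving PIV_CCC_F0_PIV never set; it should be `"\xA0\x00\x00\x03\x08"`. The simple-TLV call is printed as `&tag, &len;;`, which does not parse — presumably `&tag, &len);` was intended, worth confirming against the applied file. `len` is read from the card, and unless sc_simpletlv_read_tag already bounds it against `end - body` (not visible here) the memcmp and `*(body + 6)` reads that follow can run past the buffer; a guard `if (len > (size_t)(end - body)) { r = SC_ERROR_WRONG_LENGTH; goto err; }` right after the call keeps both tag cases within rbuf. The `switch (tag)` has no `default:`, and the definition line carries a stray leading space before `static`.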
5831fa
@@ -2922,7 +3073,8 @@ piv_finish(sc_card_t *card)
5831fa
 static int piv_match_card(sc_card_t *card)
5831fa
 {
5831fa
 	int r = 0;
5831fa
-
5831fa
+	
5831fa
+	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d\n", card->type);
5831fa
 	/* piv_match_card may be called with card->type, set by opensc.conf */
5831fa
 	/* user provide card type must be one we know */
5831fa
 	switch (card->type) {
5831fa
@@ -2931,7 +3083,13 @@ static int piv_match_card(sc_card_t *card)
5831fa
 		case SC_CARD_TYPE_PIV_II_HIST:
5831fa
 		case SC_CARD_TYPE_PIV_II_NEO:
5831fa
 		case SC_CARD_TYPE_PIV_II_YUBIKEY4:
5831fa
+		case SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC:
5831fa
 		case SC_CARD_TYPE_PIV_II_GI_DE:
5831fa
+		case SC_CARD_TYPE_PIV_II_GEMALTO_DUAL_CAC:
5831fa
+		case SC_CARD_TYPE_PIV_II_GEMALTO:
5831fa
+		case SC_CARD_TYPE_PIV_II_OBERTHUR_DUAL_CAC:
5831fa
+		case SC_CARD_TYPE_PIV_II_OBERTHUR:
5831fa
+		case SC_CARD_TYPE_PIV_II_PIVKEY:
5831fa
 			break;
5831fa
 		default:
5831fa
 			return 0; /* can not handle the card */
5831fa
@@ -2950,13 +3108,14 @@ static int piv_match_card(sc_card_t *card)
5831fa
 		piv_finish(card);
5831fa
 	}
5831fa
 
5831fa
+	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d r:%d\n", card->type,r);
5831fa
 	return r;
5831fa
 }
5831fa
 
5831fa
 
5831fa
 static int piv_match_card_continued(sc_card_t *card)
5831fa
 {
5831fa
-	int i, r;
5831fa
+	int i, r = 0;
5831fa
 	int type  = -1;
5831fa
 	piv_private_data_t *priv = NULL;
5831fa
 	int saved_type = card->type;
5831fa
@@ -2973,12 +3132,19 @@ static int piv_match_card_continued(sc_card_t *card)
5831fa
 		case SC_CARD_TYPE_PIV_II_HIST:
5831fa
 		case SC_CARD_TYPE_PIV_II_NEO:
5831fa
 		case SC_CARD_TYPE_PIV_II_YUBIKEY4:
5831fa
+		case SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC:
5831fa
 		case SC_CARD_TYPE_PIV_II_GI_DE:
5831fa
+		case SC_CARD_TYPE_PIV_II_GEMALTO_DUAL_CAC:
5831fa
+		case SC_CARD_TYPE_PIV_II_GEMALTO:
5831fa
+		case SC_CARD_TYPE_PIV_II_OBERTHUR_DUAL_CAC:
5831fa
+		case SC_CARD_TYPE_PIV_II_OBERTHUR:
5831fa
+		case SC_CARD_TYPE_PIV_II_PIVKEY:
5831fa
 			type = card->type;
5831fa
 			break;
5831fa
 		default:
5831fa
 			return 0; /* can not handle the card */
5831fa
 	}
5831fa
+	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d type:%d r:%d\n", card->type, type, r);
5831fa
 	if (type == -1) {
5831fa
 
5831fa
 		/*
5831fa
@@ -2997,18 +3163,6 @@ static int piv_match_card_continued(sc_card_t *card)
5831fa
 					!(memcmp(card->reader->atr_info.hist_bytes, "Yubikey", 7))) {
5831fa
 				type = SC_CARD_TYPE_PIV_II_NEO;
5831fa
 			}
5831fa
-			/*
5831fa
-			 * https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1239.pdf
5831fa
-			 * lists 2 ATRS with historical bytes:
5831fa
-			 *   73 66 74 65 2D 63 64 30 38 30
5831fa
-			 *   73 66 74 65 20 63 64 31 34 34
5831fa
-			 * will check for 73 66 74 65
5831fa
-			 */
5831fa
-			else if (card->reader->atr_info.hist_bytes_len >= 4
5831fa
-					&& !(memcmp(card->reader->atr_info.hist_bytes, "sfte", 4))) {
5831fa
-				type = SC_CARD_TYPE_PIV_II_GI_DE;
5831fa
-			}
5831fa
-
5831fa
 			else if (card->reader->atr_info.hist_bytes_len > 0
5831fa
 					&& card->reader->atr_info.hist_bytes[0] == 0x80u) { /* compact TLV */
5831fa
 				size_t datalen;
5831fa
@@ -3029,10 +3183,17 @@ static int piv_match_card_continued(sc_card_t *card)
5831fa
 				}
5831fa
 			}
5831fa
 		}
5831fa
-		if (type == -1)
5831fa
-			type = SC_CARD_TYPE_PIV_II_GENERIC;
5831fa
+		sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d type:%d r:%d\n", card->type, type, r);
5831fa
+
5831fa
+		if (type == -1) {
5831fa
+			/* use known ATRs  */
5831fa
+			i = _sc_match_atr(card, piv_atrs, &type);
5831fa
+			if (type == -1)
5831fa
+				type = SC_CARD_TYPE_PIV_II_GENERIC; /* may  still be CAC with PIV Endpoint */
5831fa
+		}
5831fa
 	}
5831fa
 
5831fa
+	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d type:%d r:%d\n", card->type, type, r);
5831fa
 	/* allocate and init basic fields */
5831fa
 
5831fa
 	priv = calloc(1, sizeof(piv_private_data_t));
5831fa
@@ -3046,6 +3207,7 @@ static int piv_match_card_continued(sc_card_t *card)
5831fa
 	card->drv_data = priv; /* will free if no match, or pass on to piv_init */
5831fa
 	priv->selected_obj = -1;
5831fa
 	priv->pin_preference = 0x80; /* 800-73-3 part 1, table 3 */
5831fa
+	/* TODO Dual CAC/PIV are bases on 800-73-1 were priv->pin_preference = 0. need to check later */
5831fa
 	priv->logged_in = SC_PIN_STATE_UNKNOWN;
5831fa
 	priv->tries_left = 10; /* will assume OK at start */
5831fa
 	priv->pstate = PIV_STATE_MATCH;
5831fa
@@ -3064,38 +3226,104 @@ static int piv_match_card_continued(sc_card_t *card)
5831fa
 	}
5831fa
 
5831fa
 	/*
5831fa
-	 * detect if active AID is PIV. NIST 800-73 says Only one PIV application per card
5831fa
-	 * and PIV must be the default application
5831fa
-	 * This can avoid doing doing a select_aid and losing the login state on some cards
5831fa
+	 * Detect if active AID is PIV. NIST 800-73 says only one PIV application per card
5831fa
+	 * and PIV must be the default application.
5831fa
+	 * Try to avoid doing a select_aid and losing the login state on some cards.
5831fa
 	 * We may get interference on some cards by other drivers trying SELECT_AID before
5831fa
-	 * we get to see if PIV application is still active.
5831fa
+	 * we get to see if PIV application is still active
5831fa
 	 * putting PIV driver first might help. 
5831fa
-	 * This may fail if the wrong AID is active
5831fa
+	 * This may fail if the wrong AID is active.
5831fa
+	 * Discovery Object introduced in 800-73-3 so will return 0 if found and PIV applet active.
5831fa
+	 * Will fail with SC_ERROR_FILE_NOT_FOUND if 800-73-3 and no Discovery object.
5831fa
+	 * But some other card could also return SC_ERROR_FILE_NOT_FOUND.
5831fa
+	 * Will fail for other reasons if wrong applet is selected, or bad PIV implimentation. 
5831fa
 	 */
5831fa
-	i = piv_find_discovery(card);
5831fa
+	
5831fa
+	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d CI:%08x r:%d\n", card->type,  priv->card_issues, r);
5831fa
+	if (priv->card_issues & CI_DISCOVERY_USELESS) /* TODO may be in wrong place */
5831fa
+		i = -1;
5831fa
+	else
5831fa
+		i = piv_find_discovery(card);
5831fa
 
5831fa
+	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d i:%d CI:%08x r:%d\n", card->type, i, priv->card_issues, r);
5831fa
 	if (i < 0) {
5831fa
 		/* Detect by selecting applet */
5831fa
 		i = piv_find_aid(card);
5831fa
 	}
5831fa
 
5831fa
+	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d i:%d CI:%08x r:%d\n", card->type, i, priv->card_issues, r);
5831fa
 	if (i >= 0) {
5831fa
+		int iccc = 0;
5831fa
+		 /* We now know PIV AID is active, test CCC object  800-73-* say CCC is required */
5831fa
+		switch (card->type)  {
5831fa
+			/*
5831fa
+			 * For cards that may also be CAC, try and read the CCC
5831fa
+			 * CCC is required and all Dual PIV/CAC will have a CCC
5831fa
+			 * Currently Dual PIV/CAC are based on NIST 800-73-1 which does not have Discovery or History
5831fa
+			 */
5831fa
+			case SC_CARD_TYPE_PIV_II_GENERIC: /* i.e. really dont know what this is */
5831fa
+			case SC_CARD_TYPE_PIV_II_HIST:
5831fa
+			case SC_CARD_TYPE_PIV_II_GI_DE:
5831fa
+			case SC_CARD_TYPE_PIV_II_GEMALTO:
5831fa
+			case SC_CARD_TYPE_PIV_II_OBERTHUR:
5831fa
+				iccc = piv_process_ccc(card);
5831fa
+				sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d iccc:%d ccc_flags:%08x CI:%08x r:%d\n",
5831fa
+						card->type, iccc, priv->ccc_flags, priv->card_issues, r);
5831fa
+				/* ignore an error? */
5831fa
+				/* if CCC says it has CAC with PKI on card set to one of the SC_CARD_TYPE_PIV_II_*_DUAL_CAC */
5831fa
+				if (priv->ccc_flags & PIV_CCC_F3_CAC_PKI) {
5831fa
+					switch (card->type)  {
5831fa
+						case SC_CARD_TYPE_PIV_II_GENERIC:
5831fa
+						case SC_CARD_TYPE_PIV_II_HIST:
5831fa
+						case SC_CARD_TYPE_PIV_II_GI_DE:
5831fa
+						    card->type = SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC;
5831fa
+						    priv->card_issues |= CI_DISCOVERY_USELESS;
5831fa
+						    priv->obj_cache[PIV_OBJ_DISCOVERY].flags |= PIV_OBJ_CACHE_NOT_PRESENT;
5831fa
+						    break;
5831fa
+						case SC_CARD_TYPE_PIV_II_GEMALTO_DUAL_CAC:
5831fa
+						case SC_CARD_TYPE_PIV_II_GEMALTO:
5831fa
+							card->type = SC_CARD_TYPE_PIV_II_GEMALTO_DUAL_CAC;
5831fa
+							priv->card_issues |= CI_DISCOVERY_USELESS;
5831fa
+							priv->obj_cache[PIV_OBJ_DISCOVERY].flags |= PIV_OBJ_CACHE_NOT_PRESENT;
5831fa
+							break;
5831fa
+						case SC_CARD_TYPE_PIV_II_OBERTHUR_DUAL_CAC:
5831fa
+						case SC_CARD_TYPE_PIV_II_OBERTHUR:
5831fa
+							card->type =  SC_CARD_TYPE_PIV_II_OBERTHUR_DUAL_CAC;
5831fa
+							priv->card_issues |= CI_DISCOVERY_USELESS;
5831fa
+							priv->obj_cache[PIV_OBJ_DISCOVERY].flags |= PIV_OBJ_CACHE_NOT_PRESENT;
5831fa
+							break;
5831fa
+					}
5831fa
+				}
5831fa
+				break;
5831fa
+
5831fa
+				/* if user forced it to be one of the CAC types, assume it is CAC */
5831fa
+			case SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC:
5831fa
+			case SC_CARD_TYPE_PIV_II_GEMALTO_DUAL_CAC:
5831fa
+			case SC_CARD_TYPE_PIV_II_OBERTHUR_DUAL_CAC:
5831fa
+				priv->card_issues |= CI_DISCOVERY_USELESS;
5831fa
+				priv->obj_cache[PIV_OBJ_DISCOVERY].flags |= PIV_OBJ_CACHE_NOT_PRESENT;
5831fa
+				break;
5831fa
+			}
5831fa
+		}
5831fa
+	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d i:%d CI:%08x r:%d\n", card->type, i, priv->card_issues, r);
5831fa
+	if (i >= 0 && (priv->card_issues & CI_DISCOVERY_USELESS) == 0) {
5831fa
 		/*
5831fa
-		 * We now know PIV AID is active, test DISCOVERY object 
5831fa
-		 * Some CAC cards with PIV don't support DISCOVERY and return 
5831fa
-		 * SC_ERROR_INCORRECT_PARAMETERS. Any error other then 
5831fa
-		 * SC_ERROR_FILE_NOT_FOUND means we cannot use discovery 
5831fa
+		 * We now know PIV AID is active, test DISCOVERY object again 
5831fa
+		 * Some PIV don't support DISCOVERY and return 
5831fa
+		 * SC_ERROR_INCORRECT_PARAMETERS. Any error 
5831fa
+		 * including SC_ERROR_FILE_NOT_FOUND means we cannot use discovery 
5831fa
 		 * to test for active AID.
5831fa
 		 */
5831fa
 		int i7e = piv_find_discovery(card);
5831fa
 
5831fa
-		if (i7e != 0 && i7e !=  SC_ERROR_FILE_NOT_FOUND) {
5831fa
+		sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d i7e:%d CI:%08x r:%d\n", card->type, i7e, priv->card_issues, r);
5831fa
+		if (i7e != 0) {
5831fa
 			priv->card_issues |= CI_DISCOVERY_USELESS;
5831fa
 			priv->obj_cache[PIV_OBJ_DISCOVERY].flags |= PIV_OBJ_CACHE_NOT_PRESENT;
5831fa
 		}
5831fa
 	}
5831fa
 
5831fa
-
5831fa
+	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d i:%d CI:%08x r:%d\n", card->type, i, priv->card_issues, r);
5831fa
 	if (i < 0) {
5831fa
 		/* don't match. Does not have a PIV applet. */
5831fa
 		sc_unlock(card);
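Review bot: The inner `switch (card->type)` under the PIV_CCC_F3_CAC_PKI test repeats the same two flag-setting lines three times, and its `SC_CARD_TYPE_PIV_II_GEMALTO_DUAL_CAC` and `SC_CARD_TYPE_PIV_II_OBERTHUR_DUAL_CAC` labels are unreachable, because the outer switch only enters this case for GENERIC, HIST, GI_DE, GEMALTO and OBERTHUR (the DUAL_CAC types are handled by the next outer case). Choosing the new type in the switch and applying CI_DISCOVERY_USELESS and the cache flag once afterwards removes the duplication and the dead labels and also fixes the space-indented lines in the GI_DE branch; the rewrite below relies on the outer switch restricting which types reach it, so it uses `default` for the GENERIC/HIST/GI_DE group. That group being mapped to SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC deserves a comment, since a generic PIV card with CAC PKI is thereby labelled as G&D — e.g. `/* GI_DE_DUAL_CAC doubles as the generic dual CAC/PIV type */`. The result of piv_process_ccc is only logged (`/* ignore an error? */`), so a transient read failure silently classifies a dual card as plain PIV; that may be intended but is worth stating in the comment. piv_match_card_continued begins and ends outside this hunk.
```c
				/* if CCC says it has CAC with PKI on card set to one of the SC_CARD_TYPE_PIV_II_*_DUAL_CAC */
				if (priv->ccc_flags & PIV_CCC_F3_CAC_PKI) {
					switch (card->type)  {
						case SC_CARD_TYPE_PIV_II_GEMALTO:
							card->type = SC_CARD_TYPE_PIV_II_GEMALTO_DUAL_CAC;
							break;
						case SC_CARD_TYPE_PIV_II_OBERTHUR:
							card->type = SC_CARD_TYPE_PIV_II_OBERTHUR_DUAL_CAC;
							break;
						default:
							/* GENERIC, HIST and GI_DE: GI_DE_DUAL_CAC doubles as the generic dual CAC/PIV type */
							card->type = SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC;
							break;
					}
					priv->card_issues |= CI_DISCOVERY_USELESS;
					priv->obj_cache[PIV_OBJ_DISCOVERY].flags |= PIV_OBJ_CACHE_NOT_PRESENT;
				}
				break;
				/* … unchanged: user-forced DUAL_CAC cases … */
```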
5831fa
@@ -3104,6 +3332,7 @@ static int piv_match_card_continued(sc_card_t *card)
5831fa
 		return 0;
5831fa
 	}
5831fa
 
5831fa
+	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d i:%d CI:%08x r:%d\n", card->type, i, priv->card_issues, r);
5831fa
 	/* Matched, caller will use or free priv and sc_lock as needed */
5831fa
 	priv->pstate=PIV_STATE_INIT;
5831fa
 	return 1; /* match */
5831fa
@@ -3124,7 +3353,7 @@ static int piv_init(sc_card_t *card)
5831fa
 	/* continue the matching get a lock and the priv */
5831fa
 	r = piv_match_card_continued(card);
5831fa
 	if (r != 1)  {
5831fa
-		sc_log(card->ctx,"piv_match_card_continued failed");
5831fa
+		sc_log(card->ctx,"piv_match_card_continued failed card->type:%d", card->type);
5831fa
 		piv_finish(card);
5831fa
 		/* tell sc_connect_card to try other drivers */
5831fa
 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_CARD);
5831fa
@@ -3147,6 +3376,7 @@ static int piv_init(sc_card_t *card)
5831fa
 	 * Set card_issues based on card type either set by piv_match_card or by opensc.conf
5831fa
 	 */
5831fa
 
5831fa
+	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d CI:%08x r:%d\n", card->type, priv->card_issues, r);
5831fa
 	switch(card->type) {
5831fa
 		case SC_CARD_TYPE_PIV_II_NEO:
5831fa
 		case SC_CARD_TYPE_PIV_II_YUBIKEY4:
5831fa
@@ -3178,6 +3408,7 @@ static int piv_init(sc_card_t *card)
5831fa
 	 * may be set earlier or later then in the following code. 
5831fa
 	 */
5831fa
 
5831fa
+	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d CI:%08x r:%d\n", card->type, priv->card_issues, r);
5831fa
 	switch(card->type) {
5831fa
 		case SC_CARD_TYPE_PIV_II_NEO:
5831fa
 			priv->card_issues |= CI_NO_EC384
5831fa
@@ -3196,30 +3427,53 @@ static int piv_init(sc_card_t *card)
5831fa
 				priv->card_issues |= CI_VERIFY_LC0_FAIL;
5831fa
 			break;
5831fa
 
5831fa
+		case SC_CARD_TYPE_PIV_II_GI_DE:
5831fa
+		case SC_CARD_TYPE_PIV_II_OBERTHUR:
5831fa
+		case SC_CARD_TYPE_PIV_II_GEMALTO:
5831fa
+			priv->card_issues |= 0; /* could add others here */
5831fa
+			break;
5831fa
+
5831fa
 		case SC_CARD_TYPE_PIV_II_HIST:
5831fa
-			priv->card_issues |= 0;
5831fa
+			priv->card_issues |= 0; /* could add others here */
5831fa
 			break;
5831fa
 
5831fa
-		case SC_CARD_TYPE_PIV_II_GI_DE:
5831fa
+		case SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC:
5831fa
+		case SC_CARD_TYPE_PIV_II_GEMALTO_DUAL_CAC:
5831fa
+		case SC_CARD_TYPE_PIV_II_OBERTHUR_DUAL_CAC:
5831fa
 			priv->card_issues |= CI_VERIFY_LC0_FAIL
5831fa
 				| CI_PIV_AID_LOSE_STATE
5831fa
-				| CI_OTHER_AID_LOSE_STATE;;
5831fa
+				| CI_NO_RANDOM
5831fa
+				| CI_OTHER_AID_LOSE_STATE;
5831fa
 			/* TODO may need more research */
5831fa
 			break;
5831fa
 
5831fa
+
5831fa
 		case SC_CARD_TYPE_PIV_II_GENERIC:
5831fa
 			priv->card_issues |= CI_VERIFY_LC0_FAIL
5831fa
 				| CI_OTHER_AID_LOSE_STATE;
5831fa
 			/* TODO may need more research */
5831fa
 			break;
5831fa
 
5831fa
+		case SC_CARD_TYPE_PIV_II_PIVKEY:
5831fa
+			priv->card_issues |= CI_VERIFY_LC0_FAIL
5831fa
+				| CI_PIV_AID_LOSE_STATE /* be conservative */
5831fa
+				| CI_NO_EC384 | CI_NO_EC
5831fa
+				| CI_NO_RANDOM; /* does not have 9B key */
5831fa
+				/* Discovery object returns 6A 82 so is not on card by default */
5831fa
+				/*  TODO may need more research */
5831fa
+			break;
5831fa
+
5831fa
 		default:
5831fa
-		     priv->card_issues = 0; /* opensc.conf may have it wrong, continue anyway */
5831fa
-		     sc_log(card->ctx, "Unknown PIV card->type %d", card->type);
5831fa
-		     card->type = SC_CARD_TYPE_PIV_II_BASE;
5831fa
+			priv->card_issues |= CI_VERIFY_LC0_FAIL
5831fa
+				| CI_OTHER_AID_LOSE_STATE;
5831fa
+			/* opensc.conf may have it wrong, continue anyway */
5831fa
+			sc_log(card->ctx, "Unknown PIV card->type %d", card->type);
5831fa
+			card->type = SC_CARD_TYPE_PIV_II_GENERIC;
5831fa
 	}
5831fa
 	sc_log(card->ctx, "PIV card-type=%d card_issues=0x%08x", card->type, priv->card_issues);
5831fa
 
5831fa
+	sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH card->type:%d CI:%08x r:%d\n", card->type, priv->card_issues, r);
5831fa
+
5831fa
 	priv->enumtag = piv_aids[0].enumtag;
5831fa
 
5831fa
 	/* PKCS#11 may try to generate session keys, and get confused
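Review bot: `priv->card_issues |= 0; /* could add others here */` appears twice in this hunk and is a no-op; a case body of just the comment and `break;` says the same without a statement that does nothing. In the SC_CARD_TYPE_PIV_II_PIVKEY case `CI_NO_EC384 | CI_NO_EC` is redundant, since a later hunk of this patch skips all EC registration when CI_NO_EC is set; harmless, but `CI_NO_EC` alone is clearer. piv_init continues outside this hunk.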
5831fa
@@ -3233,15 +3487,20 @@ static int piv_init(sc_card_t *card)
5831fa
 	_sc_card_add_rsa_alg(card, 2048, flags, 0); /* optional */
5831fa
 	_sc_card_add_rsa_alg(card, 3072, flags, 0); /* optional */
5831fa
 
5831fa
-	flags = SC_ALGORITHM_ECDSA_RAW | SC_ALGORITHM_ECDH_CDH_RAW | SC_ALGORITHM_ECDSA_HASH_NONE;
5831fa
-	ext_flags = SC_ALGORITHM_EXT_EC_NAMEDCURVE | SC_ALGORITHM_EXT_EC_UNCOMPRESES;
5831fa
+	if (!(priv->card_issues & CI_NO_EC)) {
5831fa
+		flags = SC_ALGORITHM_ECDSA_RAW | SC_ALGORITHM_ECDH_CDH_RAW | SC_ALGORITHM_ECDSA_HASH_NONE;
5831fa
+		ext_flags = SC_ALGORITHM_EXT_EC_NAMEDCURVE | SC_ALGORITHM_EXT_EC_UNCOMPRESES;
5831fa
+
5831fa
+		_sc_card_add_ec_alg(card, 256, flags, ext_flags, NULL);
5831fa
+		if (!(priv->card_issues & CI_NO_EC384))
5831fa
+			_sc_card_add_ec_alg(card, 384, flags, ext_flags, NULL);
5831fa
+	}
5831fa
 
5831fa
-	_sc_card_add_ec_alg(card, 256, flags, ext_flags, NULL);
5831fa
-	if (!(priv->card_issues & CI_NO_EC384))
5831fa
-		_sc_card_add_ec_alg(card, 384, flags, ext_flags, NULL);
5831fa
+	if (!(priv->card_issues & CI_NO_RANDOM))
5831fa
+		card->caps |= SC_CARD_CAP_RNG;
5831fa
 
5831fa
-	/* TODO may turn off SC_CARD_CAP_ISO7816_PIN_INFO later */
5831fa
-	card->caps |= SC_CARD_CAP_RNG | SC_CARD_CAP_ISO7816_PIN_INFO;
5831fa
+	/* May turn off SC_CARD_CAP_ISO7816_PIN_INFO later */
5831fa
+	card->caps |=  SC_CARD_CAP_ISO7816_PIN_INFO;
5831fa
 
5831fa
 	/*
5831fa
 	 * 800-73-3 cards may have a history object and/or a discovery object
5831fa
@@ -3565,11 +3824,13 @@ static int piv_card_reader_lock_obtained(sc_card_t *card, int was_reset)
5831fa
 	    r =  SC_ERROR_NO_CARD_SUPPORT;
5831fa
 	} else {
5831fa
 	    r = piv_find_discovery(card);
5831fa
+	    sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH piv_find_discovery card->type:%d r:%d\n", card->type, r);
5831fa
 	}
5831fa
 
5831fa
 	if (r < 0) {
5831fa
 		if (was_reset > 0 || !(priv->card_issues & CI_PIV_AID_LOSE_STATE)) {
5831fa
 			r = piv_select_aid(card, piv_aids[0].value, piv_aids[0].len_short, temp, &templen);
5831fa
+			sc_debug(card->ctx,SC_LOG_DEBUG_MATCH, "PIV_MATCH piv_select_aid card->type:%d r:%d\n", card->type, r);
5831fa
 		} else {
5831fa
 			r = 0; /* cant do anything with this card, hope there was no interference */
5831fa
 		}
5831fa
diff --git a/src/libopensc/cards.h b/src/libopensc/cards.h
5831fa
index f4df17fb04..121182bb6a 100644
5831fa
--- a/src/libopensc/cards.h
5831fa
+++ b/src/libopensc/cards.h
5831fa
@@ -136,7 +136,13 @@ enum {
5831fa
 	SC_CARD_TYPE_PIV_II_HIST,
5831fa
 	SC_CARD_TYPE_PIV_II_NEO,
5831fa
 	SC_CARD_TYPE_PIV_II_YUBIKEY4,
5831fa
+	SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC,
5831fa
 	SC_CARD_TYPE_PIV_II_GI_DE,
5831fa
+	SC_CARD_TYPE_PIV_II_GEMALTO_DUAL_CAC,
5831fa
+	SC_CARD_TYPE_PIV_II_GEMALTO,
5831fa
+	SC_CARD_TYPE_PIV_II_OBERTHUR_DUAL_CAC,
5831fa
+	SC_CARD_TYPE_PIV_II_OBERTHUR,
5831fa
+	SC_CARD_TYPE_PIV_II_PIVKEY,
5831fa
 
5831fa
 	/* MuscleApplet */
5831fa
 	SC_CARD_TYPE_MUSCLE_BASE = 15000,
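Review bot: Inserting SC_CARD_TYPE_PIV_II_GI_DE_DUAL_CAC ahead of SC_CARD_TYPE_PIV_II_GI_DE renumbers GI_DE and every following member up to the next explicit `= 15000` anchor, since these are implicit enum values. Anything that persists the number — an opensc.conf entry that forces the card type numerically, or a binary built against the previous header — would then resolve to a different card; I cannot tell from the header whether such consumers exist, so please check. Appending the five new members after SC_CARD_TYPE_PIV_II_GI_DE keeps the existing values stable at the cost of the pairs not being adjacent.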
5831fa