pcsc: Replace custom code with github/com/ebfe/scard

This uses the ebfe/scard package to replace custom code
for interfacing with the PIV token on various platforms.

Author: stv0g

go.mod

@@ -1,3 +1,5 @@
 module github.com/go-piv/piv-go
 
 go 1.16
+
+require github.com/ebfe/scard v0.0.0-20230420082256-7db3f9b7c8a7

go.sum

@@ -0,0 +1,2 @@
+github.com/ebfe/scard v0.0.0-20230420082256-7db3f9b7c8a7 h1:HYAhfGa9dEemCZgGZWL5AvVsctBCsHxl2CI0HUXzHQE=
+github.com/ebfe/scard v0.0.0-20230420082256-7db3f9b7c8a7/go.mod h1:BkYEeWL6FbT4Ek+TcOBnPzEKnL7kOq2g19tTQXkorHY=

piv/pcsc.go

@@ -17,19 +17,9 @@ package piv
 import (
 	"errors"
 	"fmt"
-)
-
-type scErr struct {
-	// rc holds the return code for a given call.
-	rc int64
-}
 
-func (e *scErr) Error() string {
-	if msg, ok := pcscErrMsgs[e.rc]; ok {
-		return msg
-	}
-	return fmt.Sprintf("unknown pcsc return code 0x%08x", e.rc)
-}
+	"github.com/ebfe/scard"
+)
 
 // AuthErr is an error indicating an authentication error occurred (wrong PIN or blocked).
 type AuthErr struct {
@@ -134,6 +124,42 @@ type apdu struct {
 	data        []byte
 }
 
+type scTx struct {
+	*scard.Card
+}
+
+func newTx(h *scard.Card) (*scTx, error) {
+	if err := h.BeginTransaction(); err != nil {
+		return nil, err
+	}
+
+	return &scTx{
+		Card: h,
+	}, nil
+}
+
+func (t *scTx) Close() error {
+	return t.Card.EndTransaction(scard.LeaveCard)
+}
+
+func (t *scTx) transmit(req []byte) (more bool, b []byte, err error) {
+	resp, err := t.Card.Transmit(req)
+	if err != nil {
+		return false, nil, fmt.Errorf("transmitting request: %w", err)
+	} else if len(resp) < 2 {
+		return false, nil, fmt.Errorf("scard response too short: %d", len(resp))
+	}
+	sw1 := resp[len(resp)-2]
+	sw2 := resp[len(resp)-1]
+	if sw1 == 0x90 && sw2 == 0x00 {
+		return false, resp[:len(resp)-2], nil
+	}
+	if sw1 == 0x61 {
+		return true, resp[:len(resp)-2], nil
+	}
+	return false, nil, &apduErr{sw1, sw2}
+}
+
 func (t *scTx) Transmit(d apdu) ([]byte, error) {
 	data := d.data
 	var resp []byte

piv/pcsc_darwin.go

@@ -18,37 +18,39 @@ import (
 	"errors"
 	"strings"
 	"testing"
+
+	"github.com/ebfe/scard"
 )
 
-func runContextTest(t *testing.T, f func(t *testing.T, c *scContext)) {
-	ctx, err := newSCContext()
+func runContextTest(t *testing.T, f func(t *testing.T, c *scard.Context)) {
+	ctx, err := scard.EstablishContext()
 	if err != nil {
 		t.Fatalf("creating context: %v", err)
 	}
 	defer func() {
-		if err := ctx.Close(); err != nil {
+		if err := ctx.Release(); err != nil {
 			t.Errorf("closing context: %v", err)
 		}
 	}()
 	f(t, ctx)
 }
 
 func TestContextClose(t *testing.T) {
-	runContextTest(t, func(t *testing.T, c *scContext) {})
+	runContextTest(t, func(t *testing.T, c *scard.Context) {})
 }
 
 func TestContextListReaders(t *testing.T) {
 	runContextTest(t, testContextListReaders)
 }
 
-func testContextListReaders(t *testing.T, c *scContext) {
+func testContextListReaders(t *testing.T, c *scard.Context) {
 	if _, err := c.ListReaders(); err != nil {
 		t.Errorf("listing readers: %v", err)
 	}
 }
 
-func runHandleTest(t *testing.T, f func(t *testing.T, h *scHandle)) {
-	runContextTest(t, func(t *testing.T, c *scContext) {
+func runHandleTest(t *testing.T, f func(t *testing.T, h *scard.Card)) {
+	runContextTest(t, func(t *testing.T, c *scard.Context) {
 		readers, err := c.ListReaders()
 		if err != nil {
 			t.Fatalf("listing smartcard readers: %v", err)
@@ -63,12 +65,12 @@ func runHandleTest(t *testing.T, f func(t *testing.T, h *scHandle)) {
 		if reader == "" {
 			t.Skip("could not find yubikey, skipping testing")
 		}
-		h, err := c.Connect(reader)
+		h, err := c.Connect(reader, scard.ShareExclusive, scard.ProtocolT1)
 		if err != nil {
 			t.Fatalf("connecting to %s: %v", reader, err)
 		}
 		defer func() {
-			if err := h.Close(); err != nil {
+			if err := h.Disconnect(scard.LeaveCard); err != nil {
 				t.Errorf("disconnecting from handle: %v", err)
 			}
 		}()
@@ -77,12 +79,12 @@ func runHandleTest(t *testing.T, f func(t *testing.T, h *scHandle)) {
 }
 
 func TestHandle(t *testing.T) {
-	runHandleTest(t, func(t *testing.T, h *scHandle) {})
+	runHandleTest(t, func(t *testing.T, h *scard.Card) {})
 }
 
 func TestTransaction(t *testing.T) {
-	runHandleTest(t, func(t *testing.T, h *scHandle) {
-		tx, err := h.Begin()
+	runHandleTest(t, func(t *testing.T, h *scard.Card) {
+		tx, err := newTx(h)
 		if err != nil {
 			t.Fatalf("beginning transaction: %v", err)
 		}

piv/pcsc_errors

@@ -24,6 +24,8 @@ import (
 	"fmt"
 	"io"
 	"math/big"
+
+	"github.com/ebfe/scard"
 )
 
 var (
@@ -101,8 +103,8 @@ const (
 //
 // To release the connection, call the Close method.
 type YubiKey struct {
-	ctx *scContext
-	h   *scHandle
+	ctx *scard.Context
+	h   *scard.Card
 	tx  *scTx
 
 	rand io.Reader
@@ -117,8 +119,8 @@ type YubiKey struct {
 
 // Close releases the connection to the smart card.
 func (yk *YubiKey) Close() error {
-	err1 := yk.h.Close()
-	err2 := yk.ctx.Close()
+	err1 := yk.h.Disconnect(scard.LeaveCard)
+	err2 := yk.ctx.Release()
 	if err1 == nil {
 		return err2
 	}
@@ -141,26 +143,26 @@ type client struct {
 }
 
 func (c *client) Cards() ([]string, error) {
-	ctx, err := newSCContext()
+	ctx, err := scard.EstablishContext()
 	if err != nil {
 		return nil, fmt.Errorf("connecting to pcsc: %w", err)
 	}
-	defer ctx.Close()
+	defer ctx.Release()
 	return ctx.ListReaders()
 }
 
 func (c *client) Open(card string) (*YubiKey, error) {
-	ctx, err := newSCContext()
+	ctx, err := scard.EstablishContext()
 	if err != nil {
 		return nil, fmt.Errorf("connecting to smart card daemon: %w", err)
 	}
 
-	h, err := ctx.Connect(card)
+	h, err := ctx.Connect(card, scard.ShareExclusive, scard.ProtocolT1)
 	if err != nil {
-		ctx.Close()
+		ctx.Release()
 		return nil, fmt.Errorf("connecting to smart card: %w", err)
 	}
-	tx, err := h.Begin()
+	tx, err := newTx(h)
 	if err != nil {
 		return nil, fmt.Errorf("beginning smart card transaction: %w", err)
 	}

piv/pcsc_errors.go

@@ -24,6 +24,8 @@ import (
 	"math/bits"
 	"strings"
 	"testing"
+
+	"github.com/ebfe/scard"
 )
 
 // canModifyYubiKey indicates whether the test running has constented to