Merge branch 'main' into release/2.8.1

Author: AdamVe

core/src/main/java/com/yubico/yubikit/core/smartcard/ScpProcessor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2024 Yubico.
+ * Copyright (C) 2024-2025 Yubico.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,12 +23,24 @@
 import java.util.Arrays;
 
 public class ScpProcessor extends ChainedResponseProcessor {
+
+  private static final int SHORT_APDU_MAX_CHUNK = 255;
+
   private final ScpState state;
+  private final boolean usingShortApdus;
+  private final ApduFormatProcessor extendedProcessor;
 
   ScpProcessor(
-      SmartCardConnection connection, ScpState state, int maxApduSize, byte insSendRemaining) {
-    super(connection, true, maxApduSize, insSendRemaining);
+      SmartCardConnection connection,
+      boolean extendedApdus,
+      ScpState state,
+      int maxApduSize,
+      byte insSendRemaining) {
+    super(connection, extendedApdus, maxApduSize, insSendRemaining);
     this.state = state;
+    this.usingShortApdus = !extendedApdus;
+    this.extendedProcessor =
+        usingShortApdus ? new ExtendedApduProcessor(connection, maxApduSize) : super.processor;
   }
 
   @Override
@@ -47,9 +59,7 @@ public ApduResponse sendApdu(Apdu apdu, boolean encrypt)
     // Calculate and add MAC to data
     byte[] macedData = new byte[data.length + 8];
     System.arraycopy(data, 0, macedData, 0, data.length);
-    byte[] apduData =
-        processor.formatApdu(
-            cla, apdu.getIns(), apdu.getP1(), apdu.getP2(), macedData, 0, macedData.length, 0);
+    byte[] apduData = formatApduData(cla, apdu, macedData);
     byte[] mac = state.mac(Arrays.copyOf(apduData, apduData.length - 8));
     System.arraycopy(mac, 0, macedData, macedData.length - 8, 8);
 
@@ -69,4 +79,14 @@ public ApduResponse sendApdu(Apdu apdu, boolean encrypt)
     return new ApduResponse(
         ByteBuffer.allocate(respData.length + 2).put(respData).putShort(resp.getSw()).array());
   }
+
+  private byte[] formatApduData(byte cla, Apdu apdu, byte[] macedData) {
+    if (usingShortApdus && macedData.length > SHORT_APDU_MAX_CHUNK) {
+      return extendedProcessor.formatApdu(
+          cla, apdu.getIns(), apdu.getP1(), apdu.getP2(), macedData, 0, macedData.length, 0);
+    } else {
+      return processor.formatApdu(
+          cla, apdu.getIns(), apdu.getP1(), apdu.getP2(), macedData, 0, macedData.length, 0);
+    }
+  }
 }

core/src/main/java/com/yubico/yubikit/core/smartcard/SmartCardProtocol.java

@@ -52,6 +52,30 @@ public class SmartCardProtocol implements Closeable {
 
   private ApduProcessor processor;
 
+  public static class Configuration {
+
+    public static final Configuration DEFAULT = new Builder().setForceShortApdus(false).build();
+
+    final boolean forceShortApdus;
+
+    private Configuration(Builder builder) {
+      this.forceShortApdus = builder.forceShortApdus;
+    }
+
+    public static class Builder {
+      private boolean forceShortApdus = false;
+
+      public Builder setForceShortApdus(boolean forceShortApdus) {
+        this.forceShortApdus = forceShortApdus;
+        return this;
+      }
+
+      public Configuration build() {
+        return new Configuration(this);
+      }
+    }
+  }
+
   /**
    * Create new instance of {@link SmartCardProtocol} and selects the application for use
    *
@@ -84,18 +108,28 @@ public void close() throws IOException {
   }
 
   /**
-   * Enable all relevant settings and workarounds given the firmware version of the YubiKey.
+   * Enable all relevant settings and workarounds given the firmware version of the YubiKey. Uses a
+   * default configuration.
    *
    * @param firmwareVersion the firmware version to use to configure relevant settings
    */
   public void configure(Version firmwareVersion) throws IOException {
+    configure(firmwareVersion, Configuration.DEFAULT);
+  }
+
+  /**
+   * Enable all relevant settings and workarounds given the firmware version of the YubiKey.
+   *
+   * @param firmwareVersion the firmware version to use to configure relevant settings
+   */
+  public void configure(Version firmwareVersion, Configuration configuration) throws IOException {
     if (connection.getTransport() == Transport.USB
         && firmwareVersion.isAtLeast(4, 2, 0)
         && firmwareVersion.isLessThan(4, 2, 7)) {
       //noinspection deprecation
       setEnableTouchWorkaround(true);
-    } else if (firmwareVersion.isAtLeast(4, 0, 0) && !(processor instanceof ScpProcessor)) {
-      extendedApdus = connection.isExtendedLengthApduSupported();
+    } else if (firmwareVersion.isAtLeast(4, 0, 0)) {
+      extendedApdus = !configuration.forceShortApdus && connection.isExtendedLengthApduSupported();
       maxApduSize = firmwareVersion.isAtLeast(4, 3, 0) ? MaxApduSize.YK4_3 : MaxApduSize.YK4;
       resetProcessor(null);
     }
@@ -234,11 +268,6 @@ public byte[] sendAndReceive(Apdu command) throws IOException, ApduException {
       } else {
         throw new IllegalArgumentException("Unsupported ScpKeyParams");
       }
-      if (!connection.isExtendedLengthApduSupported()) {
-        throw new IllegalStateException("SCP requires extended APDU support");
-      }
-      extendedApdus = true;
-      maxApduSize = MaxApduSize.YK4_3;
       return state.getDataEncryptor();
     } catch (ApduException e) {
       if (e.getSw() == SW.CLASS_NOT_SUPPORTED) {
@@ -251,8 +280,10 @@ public byte[] sendAndReceive(Apdu command) throws IOException, ApduException {
   private ScpState initScp03(Scp03KeyParams keyParams)
       throws IOException, ApduException, BadResponseException {
     Pair<ScpState, byte[]> pair = ScpState.scp03Init(processor, keyParams, null);
+    // SCP was introduced in FW 5.3, so we can use max APDU size for from YubiKey FW 4.3
     ScpProcessor processor =
-        new ScpProcessor(connection, pair.first, MaxApduSize.YK4_3, insSendRemaining);
+        new ScpProcessor(
+            connection, extendedApdus, pair.first, MaxApduSize.YK4_3, insSendRemaining);
 
     // Send EXTERNAL AUTHENTICATE
     // P1 = C-DECRYPTION, R-ENCRYPTION, C-MAC, and R-MAC
@@ -267,7 +298,9 @@ private ScpState initScp03(Scp03KeyParams keyParams)
   private ScpState initScp11(Scp11KeyParams keyParams)
       throws IOException, ApduException, BadResponseException {
     ScpState scp = ScpState.scp11Init(processor, keyParams);
-    resetProcessor(new ScpProcessor(connection, scp, MaxApduSize.YK4_3, insSendRemaining));
+    // SCP was introduced in FW 5.3, so we can use max APDU size for from YubiKey FW 4.3
+    resetProcessor(
+        new ScpProcessor(connection, extendedApdus, scp, MaxApduSize.YK4_3, insSendRemaining));
     return scp;
   }
 }

management/src/main/java/com/yubico/yubikit/management/ManagementSession.java

@@ -201,19 +201,8 @@ void deviceReset() throws IOException, CommandException {
             }
           };
     }
-
-    if (SessionVersionOverride.isDevelopmentVersion(version)) {
-      try {
-        logger.debug("Overriding development version...");
-        version = readDeviceInfo().getVersionQualifier().getVersion();
-        SessionVersionOverride.set(version);
-      } catch (CommandException e) {
-        // failed to read device info where it was expected
-        throw new IOException("Failed reading device info.", e);
-      }
-    }
-
-    this.version = version;
+    this.version = getQualifiedVersion(version);
+    protocol.configure(version);
     logCtor(connection);
   }
 
@@ -228,7 +217,7 @@ void deviceReset() throws IOException, CommandException {
   public ManagementSession(OtpConnection connection)
       throws IOException, ApplicationNotAvailableException {
     OtpProtocol protocol = new OtpProtocol(connection);
-    version = Version.fromBytes(protocol.readStatus());
+    Version version = Version.fromBytes(protocol.readStatus());
     if (version.isLessThan(3, 0, 0) && version.major != 0) {
       throw new ApplicationNotAvailableException(
           "Management Application requires YubiKey 3 or later");
@@ -261,6 +250,7 @@ void deviceReset() {
             throw new UnsupportedOperationException("deviceReset is only available over CCID");
           }
         };
+    this.version = getQualifiedVersion(version);
     logCtor(connection);
   }
 
@@ -273,14 +263,14 @@ void deviceReset() {
    */
   public ManagementSession(FidoConnection connection) throws IOException {
     FidoProtocol protocol = new FidoProtocol(connection);
-    Version protocolVersion = protocol.getVersion();
-    if (protocolVersion.major < 4) {
+    Version version = protocol.getVersion();
+    if (version.major < 4) {
       // Prior to YK4 this was not firmware version
-      if (!(protocolVersion.major == 0 && protocol.supports(FidoProtocol.Capability.CBOR))) {
-        protocolVersion = new Version(3, 0, 0);
+      if (!(version.major == 0 && protocol.supports(FidoProtocol.Capability.CBOR))) {
+        version = new Version(3, 0, 0);
       }
     }
-    version = protocolVersion;
+
     backend =
         new Backend<FidoProtocol>(protocol) {
           @Override
@@ -304,6 +294,7 @@ void deviceReset() {
             throw new UnsupportedOperationException("deviceReset is only available over CCID");
           }
         };
+    this.version = getQualifiedVersion(version);
     logCtor(connection);
   }
 
@@ -529,4 +520,29 @@ private static byte[] pagePayload(int page) {
     }
     return new byte[] {(byte) page};
   }
+
+  /**
+   * Retrieves the versionQualifier version of the YubiKey device.
+   *
+   * <p>If the provided version is identified as a development version, this method overrides it by
+   * with version from the versionQualifier.
+   *
+   * @param version the initial version of the YubiKey device.
+   * @return the version override.
+   * @throws IOException if reading the device information fails.
+   */
+  private Version getQualifiedVersion(Version version) throws IOException {
+    if (!SessionVersionOverride.isDevelopmentVersion(version)) {
+      return version;
+    }
+    try {
+      logger.debug("Overriding development version...");
+      Version result = readDeviceInfo().getVersionQualifier().getVersion();
+      SessionVersionOverride.set(result);
+      return result;
+    } catch (CommandException e) {
+      // failed to read device info where it was expected
+      throw new IOException("Failed reading device info.", e);
+    }
+  }
 }

testing-android/src/androidTest/java/com/yubico/yubikit/testing/DeviceTests.java

@@ -16,6 +16,7 @@
 
 package com.yubico.yubikit.testing;
 
+import com.yubico.yubikit.testing.core.SmartCardProtocolInstrumentedTests;
 import com.yubico.yubikit.testing.fido.FidoTests;
 import com.yubico.yubikit.testing.mpe.MultiProtocolResetTests;
 import com.yubico.yubikit.testing.oath.OathTests;
@@ -29,8 +30,6 @@
  * All integration tests for Security domain, PIV, OpenPGP, OATH, FIDO2 and MPE.
  *
  * <p>The YubiKey applications will be reset several times.
- *
- * <p>
  */
 @RunWith(Suite.class)
 @Suite.SuiteClasses({
@@ -39,6 +38,7 @@
   OpenPgpTests.class,
   OathTests.class,
   MultiProtocolResetTests.class,
-  FidoTests.class
+  FidoTests.class,
+  SmartCardProtocolInstrumentedTests.class
 })
 public class DeviceTests {}

testing-android/src/androidTest/java/com/yubico/yubikit/testing/core/SmartCardProtocolInstrumentedTests.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2025 Yubico.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.yubico.yubikit.testing.core;
+
+import com.yubico.yubikit.testing.SmokeTest;
+import com.yubico.yubikit.testing.framework.CoreInstrumentedTests;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+public class SmartCardProtocolInstrumentedTests extends CoreInstrumentedTests {
+  @Test
+  @Category(SmokeTest.class)
+  public void testApduSizesOverScp() throws Throwable {
+    withState(SmartCardProtocolTests::testApduSizesOverScp);
+  }
+
+  @Test
+  @Category(SmokeTest.class)
+  public void testApduSizes() throws Throwable {
+    withState(SmartCardProtocolTests::testApduSizes);
+  }
+}

testing-android/src/androidTest/java/com/yubico/yubikit/testing/sd/Scp11Tests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2024 Yubico.
+ * Copyright (C) 2024-2025 Yubico.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

testing-android/src/main/java/com/yubico/yubikit/testing/framework/CoreInstrumentedTests.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2025 Yubico.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.yubico.yubikit.testing.framework;
+
+import com.yubico.yubikit.testing.TestState;
+import com.yubico.yubikit.testing.core.CoreTestState;
+
+public class CoreInstrumentedTests extends YKInstrumentedTests {
+  protected void withState(TestState.StatefulDeviceCallback<CoreTestState> callback)
+      throws Throwable {
+    final CoreTestState state =
+        new CoreTestState.Builder(device, usbPid)
+            .reconnectDeviceCallback(this::reconnectDevice)
+            .build();
+
+    state.withDeviceCallback(callback);
+  }
+}

testing-desktop/src/integrationTest/java/com/yubico/yubikit/testing/desktop/core/SmartCardProtocolInstrumentedTests.java

@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2025 Yubico.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.yubico.yubikit.testing.desktop.core;
+
+import com.yubico.yubikit.testing.core.SmartCardProtocolTests;
+import com.yubico.yubikit.testing.desktop.SmokeTest;
+import com.yubico.yubikit.testing.desktop.framework.CoreInstrumentedTests;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+import org.junit.runners.Suite;
+
+@RunWith(Suite.class)
+public class SmartCardProtocolInstrumentedTests extends CoreInstrumentedTests {
+  @Test
+  @Category(SmokeTest.class)
+  public void testApduSizesOverScp() throws Throwable {
+    withState(SmartCardProtocolTests::testApduSizesOverScp);
+  }
+
+  @Test
+  @Category(SmokeTest.class)
+  public void testApduSizes() throws Throwable {
+    withState(SmartCardProtocolTests::testApduSizes);
+  }
+}