Proper errors thrown. Removed debug print. Added aes encryption unit tests.

Author: jensutbult

README.md

@@ -147,6 +147,7 @@ To add support for NFC YubiKeys in your application, follow these steps:
     <string>A0000005272101</string>   // OATH AID
     <string>A000000308</string>       // PIV AID
     <string>A000000527200101</string> // YubiKey application/OTP AID (for HMAC SHA1 challenge-response)
+    <string>A000000151000000</string> // YubiKey Security Domain
 </array>
 </plist>
 ```

YubiKit/YubiKit/Connections/SCP/YKFSCPProcessor.m

@@ -25,6 +25,8 @@
 #import "YKFAPDU.h"
 #import "YKFSCPProcessor.h"
 #import "YKFTLVRecord.h"
+#import "YKFSessionError.h"
+#import "YKFSessionError+Private.h"
 
 @interface YKFSCPProcessor ()
 @property (nonatomic, strong) YKFSCPState *state;
@@ -55,7 +57,6 @@ + (void)processorWithSCPKeyParams:(id<YKFSCPKeyParamsProtocol> _Nonnull)scpKeyPa
     if ([scpKeyParams isKindOfClass:[YKFSCP03KeyParams class]]) {
         YKFSCP03KeyParams *scp03KeyParams = (YKFSCP03KeyParams *)scpKeyParams;
         NSData *hostChallenge = [NSData ykf_randomDataOfSize:8];
-        NSLog(@"Send challenge: %@", [hostChallenge ykf_hexadecimalString]);
 
         uint8_t insInitializeUpdate = 0x50;
         YKFAPDU *apdu = [[YKFAPDU alloc] initWithCla:0x80 ins:insInitializeUpdate p1:scp03KeyParams.keyRef.kvn p2:0x00 data:hostChallenge type:YKFAPDUTypeShort];
@@ -68,7 +69,7 @@ + (void)processorWithSCPKeyParams:(id<YKFSCPKeyParamsProtocol> _Nonnull)scpKeyPa
 
             if (result.length < 29) { // Ensure sufficient length
                 if (completion) {
-                    completion(nil, [NSError errorWithDomain:@"SCPErrorDomain" code:-2 userInfo:@{NSLocalizedDescriptionKey: @"Unexpected result"}]);
+                    completion(nil, [YKFSessionError errorWithCode:YKFSessionErrorUnexpectedResult]);
                 }
                 return;
             }
@@ -87,7 +88,7 @@ + (void)processorWithSCPKeyParams:(id<YKFSCPKeyParamsProtocol> _Nonnull)scpKeyPa
 
             if (![genCardCryptogram ykf_constantTimeCompareWithData:cardCryptogram]) {
                 if (completion) {
-                    completion(nil, [NSError errorWithDomain:@"SCPErrorDomain" code:-3 userInfo:@{NSLocalizedDescriptionKey: @"Invalid card cryptogram"}]);
+                    completion(nil, [YKFSessionError errorWithCode:YKFSessionErrorUnexpectedResult]);
                 }
                 return;
             }
@@ -177,7 +178,8 @@ + (void)processorWithSCPKeyParams:(id<YKFSCPKeyParamsProtocol> _Nonnull)scpKeyPa
             }
             NSArray<YKFTLVRecord *> *tlvs = [YKFTLVRecord sequenceOfRecordsFromData:result];
             if (tlvs.count != 2 || [tlvs[0] tag] != 0x5f49 || [tlvs[1] tag] != 0x86) {
-                @throw [NSException exceptionWithName:NSInternalInconsistencyException reason:@"Invalid response TLVs" userInfo:nil];
+                completion(nil, [YKFSessionError errorWithCode:YKFSessionErrorUnexpectedResult]);
+                return;
             }
 
             NSData *epkSdEckaEncodedPoint = tlvs[0].value;
@@ -225,12 +227,8 @@ + (void)processorWithSCPKeyParams:(id<YKFSCPKeyParamsProtocol> _Nonnull)scpKeyPa
 
             YKFSCPProcessor *processor = [[YKFSCPProcessor alloc] initWithState:state];
             completion(processor, nil);
-            
-            NSLog(@"✅ done configuring SCP11");
         }];
     }
-    
-    
 }
 
 
@@ -241,8 +239,6 @@ - (void)executeCommand:(YKFAPDU *)apdu
 usingSmartCardInterface:(YKFSmartCardInterface *)smartCardInterface
             completion:(YKFSmartCardInterfaceResponseBlock)completion {
 
-    NSLog(@"👾 process %@, %@", apdu, self.state);
-    
     NSData *data;
     if (encrypt) {
         NSError *error = nil;
@@ -271,7 +267,6 @@ - (void)executeCommand:(YKFAPDU *)apdu
     YKFAPDU *processedAPDU = [[YKFAPDU alloc] initWithCla:cla ins:apdu.ins p1:apdu.p1 p2:apdu.p2 data:dataAndMac type:apdu.type];
 
     NSMutableData *resultData = [NSMutableData new];
-    
     [smartCardInterface executeRecursiveCommand:processedAPDU sendRemainingIns:sendRemainingIns timeout:20 data:resultData completion:^(NSData * _Nullable result, NSError * _Nullable error) {
         if (error) {
             completion(nil, error);

YubiKit/YubiKit/Connections/SCP/YKFSCPSecurityDomainSession.m

@@ -23,6 +23,8 @@
 #import "YKFNSDataAdditions+Private.h"
 #import "YKFSCPProcessor.h"
 #import "YKFSCPKeyParamsProtocol.h"
+#import "YKFSessionError.h"
+#import "YKFSessionError+Private.h"
 
 @implementation YKFSecurityDomainSession
 
@@ -97,7 +99,8 @@ - (void)getCertificateBundleWithKeyRef:(YKFSCPKeyRef *)keyRef completion:(YKFSec
             }
         }
         if (records.count != certs.count) {
-            NSLog(@"ERROR");
+            completion(nil, [YKFSessionError errorWithCode:YKFSessionErrorUnexpectedResult]);
+            return;
         }
         completion(certs, nil);
     }];

YubiKit/YubiKit/Connections/SCP/YKFSCPState.m

@@ -28,9 +28,7 @@ - (instancetype)initWithSessionKeys:(YKFSCPSessionKeys *)sessionKeys macChain:(N
     return self;
 }
 
-- (NSData *)encrypt:(NSData *)data error:(NSError **)error {
-    NSLog(@"👾 encrypt %@ using %@", [data ykf_hexadecimalString], self);
-    
+- (NSData *)encrypt:(NSData *)data error:(NSError **)error {    
     NSData *paddedData = [data ykf_bitPadded];
     NSMutableData *ivData = [NSMutableData dataWithLength:12];
     uint32_t encCounterBE = CFSwapInt32HostToBig(self.encCounter);
@@ -44,8 +42,6 @@ - (NSData *)encrypt:(NSData *)data error:(NSError **)error {
 }
 
 - (NSData *)decrypt:(NSData *)data error:(NSError **)error {
-    NSLog(@"decrypt: %@", [data ykf_hexadecimalString]);
-    
     NSMutableData *ivData = [NSMutableData data];
     uint8_t paddingByte = 0x80;
     [ivData appendBytes:&paddingByte length:1];
@@ -60,7 +56,6 @@ - (NSData *)decrypt:(NSData *)data error:(NSError **)error {
 
     if (!decrypted) return nil;
 
-    NSLog(@"decrypted: %@", [decrypted ykf_hexadecimalString]);
     return [self unpadData:decrypted];
 }
 

YubiKit/YubiKit/Connections/Shared/Errors/YKFSessionError.h

@@ -71,7 +71,11 @@ typedef NS_ENUM(NSUInteger, YKFSessionErrorCode) {
 
     /*! Invalid session state. This can be caused by another session connecting to the Yubkey or stale stored state.
      */
-    YKFSessionErrorInvalidSessionStateStatusCode = 0x000008
+    YKFSessionErrorInvalidSessionStateStatusCode = 0x000008,
+    
+    /*! Unexpected result. This is caused when the YubiKey returns unexpected data.
+     */
+    YKFSessionErrorUnexpectedResult = 0x000009
 };
 
 /*!

YubiKit/YubiKit/Connections/Shared/Errors/YKFSessionError.m

@@ -25,6 +25,7 @@
 static NSString* const YKFSessionErrorConnectionLostDescription = @"Connection lost.";
 static NSString* const YKFSessionErrorNoConnectionDescription = @"Connection is not found.";
 static NSString* const YKFSessionErrorInvalidSessionStateDescription = @"Invalid session state.";
+static NSString* const YKFSessionErrorUnexpectedResultDescription = @"Unexpted data returned by YubiKey.";
 
 #pragma mark - YKFSessionError
 
@@ -56,6 +57,7 @@ + (void)buildErrorMap {
       @(YKFSessionErrorConnectionLost):                      YKFSessionErrorConnectionLostDescription,
       @(YKFSessionErrorNoConnection):                        YKFSessionErrorNoConnectionDescription,
       @(YKFSessionErrorInvalidSessionStateStatusCode):       YKFSessionErrorInvalidSessionStateDescription,
+      @(YKFSessionErrorUnexpectedResult):          YKFSessionErrorUnexpectedResultDescription,
       };
 }
 

YubiKit/YubiKitTests/Tests/YKFSCPTests.m

@@ -0,0 +1,63 @@
+// Copyright 2018-2025 Yubico AB
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#import <XCTest/XCTest.h>
+#import "YKFTestCase.h"
+#import "YKFNSDataAdditions+Private.h"
+#import "YKFSCPKeyRef.h"
+#import "YKFSCPState.h"
+#import "YKFSCPStaticKeys.h"
+#import "YKFSCPSessionKeys.h"
+
+@interface YKFSCPTests : XCTestCase
+
+@end
+
+@implementation YKFSCPTests
+
+-(void)testEncryptAESECB {
+    NSData *key = [NSData dataFromHexString:@"5ec1bf26a34a6300c23bb45a9f8420495e472259a729439158766cfee5497c2b"];
+    NSData *msg = [@"Hello World!0000" dataUsingEncoding: NSUTF8StringEncoding];
+    NSData *expectedResult = [NSData dataFromHexString:@"0cb774fc5a0a3d4fbb9a6b582cb56b84"];
+    NSData *result = [msg ykf_cryptOperation:kCCEncrypt algorithm:kCCAlgorithmAES mode:kCCModeECB key:key iv:nil];
+    XCTAssertEqualObjects(result, expectedResult);
+}
+
+-(void)testDecryptAESECB {
+    NSData *data = [NSData dataFromHexString:@"0cb774fc5a0a3d4fbb9a6b582cb56b84fa4e95678dbb6cc763bb4ce68df9155ffa4e95678dbb6cc763bb4ce68df9155ffa4e95678dbb6cc763bb4ce68df9155f"];
+    NSData *key = [NSData dataFromHexString:@"5ec1bf26a34a6300c23bb45a9f8420495e472259a729439158766cfee5497c2b"];
+    NSString *result = [[NSString alloc] initWithData:[data ykf_cryptOperation:kCCDecrypt algorithm:kCCAlgorithmAES mode:kCCModeECB key:key iv:nil] encoding: NSUTF8StringEncoding];
+    NSString *expectedResult = @"Hello World!0000000000000000000000000000000000000000000000000000";
+    XCTAssertEqualObjects(result, expectedResult);
+}
+
+-(void)testEncryptAESCBC {
+    NSData *key = [NSData dataFromHexString:@"5ec1bf26a34a6300c23bb45a9f842049"];
+    NSData *iv = [NSData dataFromHexString:@"000102030405060708090a0b0c0d0e0f"];
+    NSData *msg = [@"Hello World!0000" dataUsingEncoding: NSUTF8StringEncoding];
+    NSData *expectedResult = [NSData dataFromHexString:@"9dcb09c51227ea753fad4c6bda8efa46"];
+    NSData *result = [msg ykf_cryptOperation:kCCEncrypt algorithm:kCCAlgorithmAES mode:kCCModeCBC key:key iv:iv];
+    XCTAssertEqualObjects(result, expectedResult);
+}
+
+-(void)testDecryptAESCBC {
+    NSData *data = [NSData dataFromHexString:@"9dcb09c51227ea753fad4c6bda8efa46"];
+    NSData *key = [NSData dataFromHexString:@"5ec1bf26a34a6300c23bb45a9f842049"];
+    NSData *iv = [NSData dataFromHexString:@"000102030405060708090a0b0c0d0e0f"];
+    NSString *result = [[NSString alloc] initWithData:[data ykf_cryptOperation:kCCDecrypt algorithm:kCCAlgorithmAES mode:kCCModeCBC key:key iv:iv] encoding: NSUTF8StringEncoding];
+    NSString *expectedResult = @"Hello World!0000";
+    XCTAssertEqualObjects(result, expectedResult);
+}
+
+@end

YubiKitTests/HostApp/Info.plist

@@ -59,6 +59,7 @@
 		<string>A0000005272101</string>
 		<string>A000000308</string>
 		<string>A000000527200101</string>
+		<string>A000000151000000</string>
 	</array>
 </dict>
 </plist>