feat: throw InvalidOperationException on too large APDU size

Author: DennisDyallo

Yubico.Core/src/Yubico/Core/Devices/SmartCard/DesktopSmartCardConnection.cs

@@ -146,18 +146,18 @@ public ResponseApdu Transmit(CommandApdu commandApdu)
             // The YubiKey likely will never return a buffer larger than 512 bytes without instead
             // using response chaining.
             byte[] outputBuffer = new byte[512];
-
+            
+            byte[] apdu = commandApdu.AsByteArray();
             uint result = SCardTransmit(
                 _cardHandle,
                 new SCARD_IO_REQUEST(_activeProtocol),
-                commandApdu.AsByteArray(),
+                apdu,
                 IntPtr.Zero,
                 outputBuffer,
                 out int outputBufferSize
                 );
 
             _log.SCardApiCall(nameof(SCardTransmit), result);
-
             _device.LogDeviceAccessTime();
 
             if (result != ErrorCode.SCARD_S_SUCCESS)

Yubico.YubiKey/src/Resources/ExceptionMessages.Designer.cs

@@ -910,4 +910,8 @@
   <data name="KeyAgreementReceiptMissmatch" xml:space="preserve">
     <value>Key agreement receipts do not match</value>
   </data>
+
+  <data name="CommandApduTooLarge" xml:space="preserve">
+    <value>Command APDU size ({0} bytes) exceeds maximum size ({1} bytes) supported by the YubiKey</value>
+  </data>
 </root>

Yubico.YubiKey/src/Resources/ExceptionMessages.resx

@@ -62,10 +62,10 @@ public ConnectionFactory(
         [Obsolete("Obsolete")]
         internal IScp03YubiKeyConnection CreateScpConnection(YubiKeyApplication application, Scp03.StaticKeys scp03Keys)
         {
-
             if (_smartCardDevice is null)
             {
-                throw new InvalidOperationException("No smart card interface present. Unable to establish SCP connection to YubiKey.");
+                throw new InvalidOperationException(
+                    "No smart card interface present. Unable to establish SCP connection to YubiKey.");
             }
 
             _log.LogDebug("Connecting via the SmartCard interface using SCP03.");
@@ -79,38 +79,44 @@ internal IScp03YubiKeyConnection CreateScpConnection(YubiKeyApplication applicat
         /// </summary>
         /// <param name="application">The YubiKey application to connect to.</param>
         /// <param name="keyParameters">The security parameters for establishing the SCP connection.</param>
+        /// <param name="firmwareVersion">The firmware version of the YubiKey.q</param>
         /// <returns>A secure connection to the specified YubiKey application.</returns>
         /// <exception cref="InvalidOperationException">Thrown when the SmartCard interface is not available on the YubiKey.</exception>
         /// <remarks>
         /// This method establishes a secure channel to the YubiKey using the SmartCard interface. The connection
         /// is protected using the Secure Channel Protocol (SCP) with the provided key parameters.
         /// </remarks>
-        public IScpYubiKeyConnection CreateScpConnection(YubiKeyApplication application, ScpKeyParameters keyParameters)
+        public IScpYubiKeyConnection CreateScpConnection(
+            YubiKeyApplication application,
+            ScpKeyParameters keyParameters,
+            FirmwareVersion firmwareVersion)
         {
             LogConnectionAttempt(application, keyParameters);
 
             if (_smartCardDevice is null)
             {
-                throw new InvalidOperationException("No smart card interface present. Unable to establish SCP connection to YubiKey.");
+                throw new InvalidOperationException(
+                    "No smart card interface present. Unable to establish SCP connection to YubiKey.");
             }
 
             _log.LogDebug("Connecting via the SmartCard interface using SCP.");
             WaitForReclaimTimeout(Transport.SmartCard);
 
-            return new ScpConnection(_smartCardDevice, application, keyParameters);
+            return new ScpConnection(_smartCardDevice, application, keyParameters, firmwareVersion);
         }
 
         /// <summary>
         /// Creates a standard (non-SCP) connection to a specific YubiKey application.
         /// </summary>
         /// <param name="application">The YubiKey application to connect to.</param>
+        /// <param name="firmwareVersion">The firmware version of the YubiKey.</param>
         /// <returns>A connection to the specified YubiKey application.</returns>
         /// <exception cref="InvalidOperationException">Thrown when no suitable interface is available for the requested application.</exception>
         /// <remarks>
         /// This method creates a connection using the most appropriate interface available for the specified application.
         /// It first attempts to use the SmartCard interface, then falls back to HID interfaces if necessary.
         /// </remarks>
-        public IYubiKeyConnection CreateConnection(YubiKeyApplication application)
+        public IYubiKeyConnection CreateConnection(YubiKeyApplication application, FirmwareVersion firmwareVersion)
         {
             if (_hidKeyboardDevice != null && application == YubiKeyApplication.Otp)
             {
@@ -120,7 +126,9 @@ public IYubiKeyConnection CreateConnection(YubiKeyApplication application)
                 return new KeyboardConnection(_hidKeyboardDevice);
             }
 
-            bool isFidoApplication = application == YubiKeyApplication.Fido2 || application == YubiKeyApplication.FidoU2f;
+            bool isFidoApplication =
+                application == YubiKeyApplication.Fido2 || application == YubiKeyApplication.FidoU2f;
+
             if (_hidFidoDevice != null && isFidoApplication)
             {
                 _log.LogDebug("Connecting via the FIDO interface.");
@@ -134,10 +142,11 @@ public IYubiKeyConnection CreateConnection(YubiKeyApplication application)
                 _log.LogDebug("Connecting via the SmartCard interface.");
 
                 WaitForReclaimTimeout(Transport.SmartCard);
-                return new SmartCardConnection(_smartCardDevice, application);
+                return new SmartCardConnection(_smartCardDevice, application, firmwareVersion);
             }
 
-            throw new InvalidOperationException("No suitable interface present. Unable to establish connection to YubiKey.");
+            throw new InvalidOperationException(
+                "No suitable interface present. Unable to establish connection to YubiKey.");
         }
 
         // This function handles waiting for the reclaim timeout on the YubiKey to elapse. The reclaim timeout requires

Yubico.YubiKey/src/Yubico/YubiKey/ConnectionFactory.cs

@@ -40,12 +40,13 @@ namespace Yubico.YubiKey
     /// Connecting to different YubiKeys at once is fine, just not to a single key.
     /// </para>
     /// </remarks>
+
     // JUSTIFICATION: This class is a singleton, which means its lifetime will span the process lifetime. It contains
     // a lock which is disposable, so we must call its Dispose method at some point. The only reasonable time to do that
     // is in this class's finalizer. This analyzer doesn't seem to see this and still warns.
-#pragma warning disable CA1001
+    #pragma warning disable CA1001
     internal class ConnectionManager
-#pragma warning restore CA1001
+        #pragma warning restore CA1001
     {
         // Easy thread-safe singleton pattern using Lazy<>
         private static readonly Lazy<ConnectionManager> _instance =
@@ -62,15 +63,18 @@ internal class ConnectionManager
         /// <param name="device">A concrete device object from Yubico.Core.</param>
         /// <param name="application">An application of the YubiKey.</param>
         /// <returns>`true` if the device object supports the application, `false` otherwise.</returns>
+
         // This function uses C# 8.0 pattern matching to build a concise table.
         public static bool DeviceSupportsApplication(IDevice device, YubiKeyApplication application) =>
             (device, application) switch
             {
                 // FIDO interface
                 (IHidDevice { UsagePage: HidUsagePage.Fido }, YubiKeyApplication.FidoU2f) => true,
                 (IHidDevice { UsagePage: HidUsagePage.Fido }, YubiKeyApplication.Fido2) => true,
+
                 // Keyboard interface
                 (IHidDevice { UsagePage: HidUsagePage.Keyboard }, YubiKeyApplication.Otp) => true,
+
                 // All Smart Card based interfaces
                 (ISmartCardDevice _, YubiKeyApplication.Management) => true,
                 (ISmartCardDevice _, YubiKeyApplication.Oath) => true,
@@ -79,10 +83,12 @@ public static bool DeviceSupportsApplication(IDevice device, YubiKeyApplication
                 (ISmartCardDevice _, YubiKeyApplication.InterIndustry) => true,
                 (ISmartCardDevice _, YubiKeyApplication.SecurityDomain) => true,
                 (ISmartCardDevice _, YubiKeyApplication.YubiHsmAuth) => true,
+
                 // NB: Certain past models of YK NEO and YK 4 supported these applications over CCID
                 (ISmartCardDevice _, YubiKeyApplication.FidoU2f) => true,
                 (ISmartCardDevice _, YubiKeyApplication.Fido2) => true,
                 (ISmartCardDevice _, YubiKeyApplication.Otp) => true,
+
                 // NFC interface
                 (ISmartCardDevice { Kind: SmartCardConnectionKind.Nfc }, YubiKeyApplication.OtpNdef) => true,
                 _ => false
@@ -133,8 +139,7 @@ public bool TryCreateConnection(
             IYubiKeyDevice yubiKeyDevice,
             IDevice device,
             YubiKeyApplication application,
-            [MaybeNullWhen(returnValue: false)]
-            out IYubiKeyConnection connection)
+            [MaybeNullWhen(returnValue: false)] out IYubiKeyConnection connection)
         {
             if (!DeviceSupportsApplication(device, application))
             {
@@ -180,7 +185,7 @@ public bool TryCreateConnection(
                 {
                     IHidDevice { UsagePage: HidUsagePage.Fido } d => new FidoConnection(d),
                     IHidDevice { UsagePage: HidUsagePage.Keyboard } d => new KeyboardConnection(d),
-                    ISmartCardDevice d => new SmartCardConnection(d, application),
+                    ISmartCardDevice d => new SmartCardConnection(d, application, yubiKeyDevice.FirmwareVersion),
                     _ => throw new NotSupportedException(ExceptionMessages.DeviceTypeNotRecognized)
                 };
 
@@ -222,12 +227,11 @@ public bool TryCreateConnection(
             IYubiKeyDevice yubiKeyDevice,
             IDevice device,
             byte[] applicationId,
-            [MaybeNullWhen(returnValue: false)]
-            out IYubiKeyConnection connection)
+            [MaybeNullWhen(returnValue: false)] out IYubiKeyConnection connection)
         {
             var smartCardDevice = device as ISmartCardDevice ?? throw new ArgumentException(
-                    ExceptionMessages.DeviceDoesNotSupportApplication,
-                    nameof(applicationId));
+                ExceptionMessages.DeviceDoesNotSupportApplication,
+                nameof(applicationId));
 
             // Since taking a write lock is potentially very expensive, let's try and make a best effort to see if the
             // YubiKey is already present. This way we can fail fast.
@@ -262,7 +266,7 @@ public bool TryCreateConnection(
                     return false;
                 }
 
-                connection = new SmartCardConnection(smartCardDevice, applicationId);
+                connection = new SmartCardConnection(smartCardDevice, applicationId, yubiKeyDevice.FirmwareVersion);
                 _ = _openConnections.Add(yubiKeyDevice);
             }
             finally

Yubico.YubiKey/src/Yubico/YubiKey/ConnectionManager.cs

@@ -13,6 +13,7 @@
 // limitations under the License.
 
 using System;
+using System.Globalization;
 using Yubico.Core.Devices.SmartCard;
 using Yubico.Core.Iso7816;
 
@@ -24,28 +25,59 @@ namespace Yubico.YubiKey.Pipelines
     /// </summary>
     internal class SmartCardTransform : IApduTransform
     {
-        readonly ISmartCardConnection _smartCardConnection;
+        private readonly ISmartCardConnection _smartCardConnection;
+        private readonly int _maxApduSizeBytes;
 
-        public SmartCardTransform(ISmartCardConnection smartCardConnection)
+        public SmartCardTransform(
+            ISmartCardConnection smartCardConnection,
+            FirmwareVersion? firmwareVersion = null)
         {
-            if (smartCardConnection is null)
-            {
-                throw new ArgumentNullException(nameof(smartCardConnection));
-            }
-
-            _smartCardConnection = smartCardConnection;
+            _smartCardConnection = smartCardConnection ?? throw new ArgumentNullException(nameof(smartCardConnection));
+            _maxApduSizeBytes = GetMaxApduSize(firmwareVersion);
         }
 
         public void Cleanup()
         {
-
+            // No cleanup needed
         }
 
-        public ResponseApdu Invoke(CommandApdu command, Type commandType, Type responseType) => _smartCardConnection.Transmit(command);
+        public ResponseApdu Invoke(CommandApdu command, Type commandType, Type responseType)
+        {
+            // Verify APDU size is within limits before sending
+            byte[] apduBytes = command.AsByteArray();
+            if (apduBytes.Length > _maxApduSizeBytes)
+            {
+                throw new InvalidOperationException(
+                    string.Format(
+                        CultureInfo.CurrentCulture,
+                        ExceptionMessages.CommandApduTooLarge, 
+                        apduBytes.Length,
+                        _maxApduSizeBytes)
+                    );
+            }
+
+            return _smartCardConnection.Transmit(command);
+        }
 
         public void Setup()
         {
-
+            // No setup needed
+        }
+        
+        private static int GetMaxApduSize(FirmwareVersion? fwVersion)
+        {
+            if (fwVersion is null)
+            {
+                return (int)SmartCardMaxApduSizes.NEO;
+            }
+            
+            var maxApduSize = fwVersion >= FirmwareVersion.V4_3_0
+                ? SmartCardMaxApduSizes.YK4_3
+                : fwVersion >= FirmwareVersion.V4_0_0
+                    ? SmartCardMaxApduSizes.YK4
+                    : SmartCardMaxApduSizes.NEO;
+            
+            return (int)maxApduSize;
         }
     }
 }

Yubico.YubiKey/src/Yubico/YubiKey/Pipelines/SmartCardTransform.cs

@@ -29,8 +29,10 @@ internal class ScpConnection : SmartCardConnection, IScpYubiKeyConnection
         public ScpConnection(
             ISmartCardDevice smartCardDevice,
             YubiKeyApplication application,
-            ScpKeyParameters keyParameters)
-            : base(smartCardDevice, application, null)
+            ScpKeyParameters keyParameters,
+            FirmwareVersion firmwareVersion
+            )
+            : base(smartCardDevice, application, firmwareVersion)
         {
             var scpPipeline = CreateScpPipeline(keyParameters);
             var withErrorHandling = CreateParentPipeline(scpPipeline, application);

Yubico.YubiKey/src/Yubico/YubiKey/Scp/ScpConnection.cs

@@ -33,13 +33,13 @@ public Scp03Connection(
             ISmartCardDevice smartCardDevice,
             YubiKeyApplication yubiKeyApplication,
             Scp03.StaticKeys scp03Keys)
-            : base(smartCardDevice, yubiKeyApplication, null)
+            : base(smartCardDevice, yubiKeyApplication)
         {
             _scp03ApduTransform = SetObject(yubiKeyApplication, scp03Keys);
         }
 
         public Scp03Connection(ISmartCardDevice smartCardDevice, byte[] applicationId, Scp03.StaticKeys scp03Keys)
-            : base(smartCardDevice, YubiKeyApplication.Unknown, applicationId)
+            : base(smartCardDevice, YubiKeyApplication.Unknown, applicationId, null)
         {
             var setError = YubiKeyApplication.Unknown;
             if (applicationId.SequenceEqual(YubiKeyApplication.Fido2.GetIso7816ApplicationId()))