
yubioath-ios's Introduction

iOS application for OATH with YubiKeys

This app is hosted on the iOS App Store as Yubico Authenticator.

See the file LICENSE for copyright and license information.

OATH functionality

This is an authenticator app compatible with the OATH standard for time- and counter-based numeric OTPs, as used by many online services. To store these credentials and generate the codes, it uses a compatible YubiKey, connected either via NFC or the Lightning port.

Add credentials by tapping the menu icon, selecting Add account, and then either scanning a QR code or tapping the Enter manually button.

Once credentials have been added, simply tap or connect your YubiKey to display codes.
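The code generation the section above describes, as an added example (not code from the yubioath-ios project): HOTP per RFC 4226 and TOTP per RFC 6238 in pure Python, checked against the test vectors in those RFCs. In the app the secret stays on the YubiKey, which computes the HMAC; the phone only supplies the counter or time step and performs the truncation shown here. The `verify_totp` function and its `window` parameter are the server-side counterpart and go beyond what the README covers.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) in pure Python.

Added example, not part of the yubioath-ios project. The shared secret
below is the RFC test key, not a real credential.
"""
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: Optional[float] = None, period: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / period)."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // period, digits, algo)


def verify_totp(secret: bytes, candidate: str, timestamp: float, window: int = 1,
                period: int = 30, digits: int = 6, algo: str = "sha1") -> bool:
    """Server-side check: accept the current step and `window` steps on either
    side (clock drift), comparing each candidate in constant time."""
    step = int(timestamp) // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits, algo), candidate)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    key = b"12345678901234567890"               # RFC 4226 / 6238 test secret
    print("HOTP counter 0:", hotp(key, 0))       # 755224 per RFC 4226
    print("TOTP at T=59  :", totp(key, 59, digits=8))   # 94287082 per RFC 6238
    print("TOTP now      :", totp(key))
```

The RFC 6238 vectors use 8 digits; most services, and the app's default, use 6, which is simply the last six digits of the same truncated value.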

CryptoTokenKit extension

Besides the OATH functionality, this app also supports authentication using the CryptoTokenKit (CTK) extension functionality provided by Apple. Authentication is handled using certificates stored in the Smart card application on the YubiKey.

Development

This app is developed in Xcode and the only external dependency is the YubiKit iOS SDK which is added using the Swift Package Manager. To build the app simply open the project file and hit the build button.

Issues

Please report app issues in the issue tracker on GitHub.

yubioath-ios's People

Contributors: imakhalova, irinarakh, jensutbult, notdpate


yubioath-ios's Issues

App crash when plugging in Yubikey during smart card extension configuration

When trying to use the smart card extension configuration function in Yubico Authenticator (three-dot menu at upper right > Configuration > Smart card extension), the app immediately crashes when I plug my Yubico 5Ci into my device. (Of note, I am using a FIPS device.)

I've attached the crash log from iOS here.

Device info: iPhone 13 Pro, iOS 16.3.1.
Yubico Authenticator: v1.7.1 (build 96)
YubiKey: YubiKey 5Ci FIPS, firmware 5.4.2

Authenticator-2023-03-20-133002.ips.zip

“yubioath” does not decrypt smime messages

At this link:

https://www.yubico.com/blog/uncovered-piv-use-cases-on-ios-using-yubikey-as-a-smart-card-on-ios/

Yubico talks about the possibility of extracting public certificates and inserting them into the iOS keychain. Public key S/MIME, which would be used for email apps for what? Signing a message works by making the Yubico Authenticator interact with the Yubico 5 token via NFC, and so far OK. But if you try to decrypt an S/MIME certificate received from someone else's email, the private key that worked to sign my email by interacting with the Yubico 5 via NFC was not zipped to decrypt emails received, including replies.

So I wonder what utility there is in using Yubico Authenticator, since it does not allow me to decrypt my received S/MIME emails. What is the point of placing a public certificate via Yubico Authenticator? To make it interact by signing my email and sending the public certificate attached? Could you kindly explain the meaning to me?

App Not Detecting Key After First Time

Yubico Authenticator iOS: v1.7.8 (build 126)

iPad Pro 12.9 (M1): iOS 17.3 beta

Hi folks,
Popped my Yubico 5 NFC into the USB port on my iPad Pro and it came up with details in the app.
On any attempt after that, the app does not show any details, as if it is not detecting it.

It does light up for a second. And if I tap on it, it will spit out characters into a text file… so it is being detected and working.

Is there a way I can help debug?

New v1.7.2 does not see PIV-D certs on Yubikey

Now that #114 is fixed, plugging in our PIV-D-provisioned Yubikey 5Ci devices into our phones doesn't cause an app crash when we go to Configuration > Smart card extension — so that's a win! But unfortunately, the app doesn't appear to see our certs at all; when going to Configuration > Smart card extension, the app reports "No certificates on Yubikey". (See screenshot that I'm attaching.)

How can we help you debug this? The devices work perfectly to allow login to Windows and macOS computers, so the certs themselves are fine, and their provisioning onto the keys is such that both Windows and macOS happily see them.


Non-Compliance with NIST Standard for RSA and ECC Key Size Discovery in PIV Implementation

class TokenSession: TKTokenSession, TKTokenSessionDelegate
This class does not respect the key size discovery statement in the norm: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf page 48
C.1 PIV Algorithm Identifier Discovery for Asymmetric Cryptographic Authentication
As illustrated in the authentication mechanisms in Appendix B, an asymmetric cryptographic authentication involves issuing a challenge (request to sign a nonce) to the PIV Card. The relying party issuing the command provides the nonce to be signed, the key reference, and the PIV algorithm identifier as parameters of the command. The nonce is random data generated by the relying party and the key reference is known. The PIV algorithm identifier, on the other hand, is unknown to the relying party and needs to be identified in order to issue the challenge command. The PIV algorithm identifier can be derived from the previous steps of the authentication mechanism. The relying party, prior to issuing the challenge command, retrieved and parsed the X.509 certificate from the card in order to 1) validate the certificate and 2) extract the public key for the pending verification of the signed nonce once returned from the card. It is during the parsing of the X.509 certificate that the PIV algorithm identifier can be identified in two steps:
Step 1: Algorithm Type Discovery:
The X.509 certificate stores the public key in the subjectPublicKeyInfo field. The subjectPublicKeyInfo data structure has an algorithm field, which includes an OID that identifies the public key’s algorithm (RSA or ECC) as listed in Table 3-4 of SP 800-78.
Step 2: Key Size Discovery:
If the algorithm type, as determined in Step 1, is ECC then the key size is determined by the elliptic curve on which the key has been generated, which is P-256 for all elliptic curve PIV Authentication keys and Card Authentication keys.
If the algorithm type, as determined in Step 1, is RSA then the key size is determined by the public key’s modulus. The public key appears in the subjectPublicKey field of subjectPublicKeyInfo and is encoded as a sequence that includes both the key’s modulus and public exponent.

The norm is not restrictive for the RSA algorithm. The norm instructs to use the modulus from the public key, regardless of the type of key used for generation. Please adjust the function according to these specifications. This allows for key signatures greater than RSA 2048 and is in accordance with the PIV norm. Typically, it is the public certificate, not the private key, that is used. The PIV application does not have knowledge of the private slot or the key size. This data is usually inaccessible to the PIV application. In this context, the correct implementation is to take the modulus of the public key and build the challenge with it. The PIV device knows the truth about the key and it is the device’s responsibility to return an error, not the PIV application’s. If the device returns a bad length, the key is not supported. It is important to respect the role of each. The PIV application does not build the key parameters from the norm; it discovers the algorithm and size from the public key.
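The two-step discovery quoted from SP 800-73-4 Appendix C.1, as an added example in Python (not the project's Swift code and not a patch for the `TokenSession` class): it parses the DER `subjectPublicKeyInfo`, reads the algorithm OID, and takes the key size from the named curve for ECC or from the modulus bit length for RSA, so a 3072-bit or 4096-bit RSA key is reported at its real size rather than forced into a fixed list. The PIV identifier table is from SP 800-78; the RSA 3072 and RSA 4096 values are the SP 800-78-5 additions and are an assumption to check against the revision in force. The sample keys are constructed with a tiny DER encoder at the bottom and contain no real key material.

```python
"""Derive the PIV algorithm identifier from an X.509 SubjectPublicKeyInfo.

Added example, not code from the yubioath-ios project. Implements the
two-step discovery of NIST SP 800-73-4 Appendix C.1: (1) read the algorithm
OID from subjectPublicKeyInfo, (2) take the key size from the curve (ECC)
or from the modulus bit length (RSA).
"""
OID_RSA = "1.2.840.113549.1.1.1"
OID_EC = "1.2.840.10045.2.1"
CURVES = {"1.2.840.10045.3.1.7": 256, "1.3.132.0.34": 384}   # P-256, P-384
# PIV algorithm identifiers (SP 800-78 Table 6-2). The RSA 3072/4096 values
# are the SP 800-78-5 additions; treat them as an assumption to verify.
PIV_ALG = {("RSA", 1024): 0x06, ("RSA", 2048): 0x07, ("RSA", 3072): 0x05,
           ("RSA", 4096): 0x16, ("ECC", 256): 0x11, ("ECC", 384): 0x14}


def _read_tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(body):
    """Split the contents of a SEQUENCE into its (tag, value) elements."""
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def discover(spki):
    """Return (algorithm, key_bits, piv_alg_id) for a DER-encoded SPKI.
    piv_alg_id is None when the table lists no identifier for that size;
    per the norm the card, not the app, rejects a key it cannot use."""
    tag, body, _ = _read_tlv(spki, 0)
    (alg_tag, alg), (bits_tag, bit_string) = _children(body)
    if tag != 0x30 or alg_tag != 0x30 or bits_tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    params = _children(alg)
    oid = _decode_oid(params[0][1])                    # step 1: algorithm type
    if oid == OID_EC:                                  # step 2a: size from curve
        bits = CURVES[_decode_oid(params[1][1])]
        return "ECC", bits, PIV_ALG.get(("ECC", bits))
    if oid == OID_RSA:                                 # step 2b: size from modulus
        _, rsa_key, _ = _read_tlv(bit_string[1:], 0)   # skip unused-bits octet
        modulus = _children(rsa_key)[0][1]             # RSAPublicKey.modulus
        bits = int.from_bytes(modulus, "big").bit_length()
        return "RSA", bits, PIV_ALG.get(("RSA", bits))
    raise ValueError(f"unsupported public key algorithm {oid}")


# --- constructed sample keys (placeholder values, not real key material) ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(text):
    arcs = [int(a) for a in text.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return out


def _int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep INTEGER positive


def sample_rsa_spki(bits):
    modulus = (1 << (bits - 1)) | 0x10001               # placeholder of the wanted size
    key = _tlv(0x30, _int(modulus) + _int(65537))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(OID_RSA)) + b"\x05\x00")
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + key))


def sample_ec_spki(curve_oid):
    point = b"\x04" + b"\x11" * (2 * CURVES[curve_oid] // 8)   # placeholder point
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(OID_EC)) + _tlv(0x06, _encode_oid(curve_oid)))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + point))


if __name__ == "__main__":
    for spki in (sample_rsa_spki(2048), sample_rsa_spki(3072),
                 sample_ec_spki("1.2.840.10045.3.1.7")):
        print(discover(spki))
```

With a real certificate, the `spki` bytes are the `subjectPublicKeyInfo` element of `tbsCertificate`; the parser above only handles that element, so extract it with whichever X.509 library the application already uses.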

iOS Settings "Set Up Verification Codes Using"

I'm unsure which version of iOS introduced this, but on iOS 16.1.2 from Settings > Passwords > Password Options, there is a list of apps which you can use to set up verification codes. I'm unfamiliar with iOS app development so I'm not sure how difficult this would be to implement, but it would be nice to see Yubico Authenticator as an option there.

Does not support Steam code

Steam codes, which are supported in the Yubico Authenticator desktop app, won't work in the iOS app and are displayed as a six-digit code.


Error when reading key using Lightning to USB adaptor

Error from app while reading OATH tokens

Using a Yubikey 5 NFC which has OATH password enabled
Able to read and obtain OATH tokens over NFC using this key, password is also saved on device
When connected to iPhone over Lightning to USB adaptor, partial list of OATH tokens displays and then failure message shown.

Something went wrong
Status error 0x6D00 returned by the key.

