Allow CCID to be enabled for 'FIDO Edition' devices

Author: dainnilsson

tests/test_device.py

@@ -1,7 +1,7 @@
+from dataclasses import replace
 from typing import cast
 
 import pytest
-
 from yubikit.core import TRANSPORT, YUBIKEY, Tlv
 from yubikit.management import (
     CAPABILITY,
@@ -11,8 +11,6 @@
     Version,
 )
 from yubikit.support import get_name
-from dataclasses import replace
-
 
 DEFAULT_INFO = DeviceInfo(
     config=cast(DeviceConfig, None),
@@ -220,6 +218,10 @@ def test_enhanced_pin():
         "YubiKey 5Ci",
         "0102023f0302023f020400a0392204010505030502030602000007010f0801000a01000f010c",
     ),
+    (
+        "YubiKey C Bio - FIDO Edition",
+        "01021206030212060204023251e904010705030000010602000007010f0801000a01000f010020030100002103030001100101110400000000120100130c3738434c5546583530303050140200001502000016010017010018020000190e0103050800020101030400000003",
+    ),
 ]
 
 

yubikit/support.py

@@ -63,6 +63,7 @@
 # Old U2F AID, only used to detect the presence of the applet
 _AID_U2F_YUBICO = bytes.fromhex("a0000005271002")
 
+# Only used for pre YK4 devices, does not need to include any newer applets
 _SCAN_APPLETS = (
     # OTP will be checked elsewhere and thus isn't needed here
     (AID.FIDO, CAPABILITY.U2F),
@@ -338,7 +339,19 @@ def read_info(conn: Connection, pid: PID | None = None) -> DeviceInfo:
 
 
 def _fido_only(capabilities):
-    return capabilities & ~(CAPABILITY.U2F | CAPABILITY.FIDO2) == 0
+    # Explicit list of non-FIDO capabilities, to prevent future capability additions
+    # from breaking this check.
+    return (
+        capabilities
+        & (
+            CAPABILITY.OTP
+            | CAPABILITY.OATH
+            | CAPABILITY.PIV
+            | CAPABILITY.OPENPGP
+            | CAPABILITY.HSMAUTH
+        )
+        == 0
+    ) and capabilities & (CAPABILITY.U2F | CAPABILITY.FIDO2) != 0
 
 
 def _is_preview(version):