rixxc/keepassxc
1
0
Fork 0
mirror of https://github.com/keepassxreboot/keepassxc.git synced 2025-12-04 15:39:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

Implement support for Yubikeys and potential other tokens via wireless NFC using smartcard readers (Rebase) (#6895)

Browse Source 
* Support NFC readers for hardware tokens using PC/SC

This requires a new library dependency: PCSC.
The PCSC library provides methods to access smartcards. On Linux, the third-party pcsc-lite package is used. On Windows, the native Windows API (Winscard.dll) is used. On Mac OSX, the native OSX API (framework-PCSC) is used.

* Split hardware key access into multiple classes to handle different methods of communicating with the keys.

* Since the Yubikey can now be a wireless token as well, the verb "plug in" was replaced with a more
generic "interface with". This shall indicate that the user has to present their token to the reader, or plug it in via USB.

* Add PC/SC interface for YubiKey challenge-response

This new interface uses the PC/SC protocol and API
instead of the USB protocol via ykpers. Many YubiKeys expose their functionality as a CCID device, which can be interfaced with using PC/SC. This is especially useful for NFC-only or NFC-capable Yubikeys, when they are used together with a PC/SC compliant NFC reader device.

Although many (not all) Yubikeys expose their CCID functionality over their own USB connection as well, the HMAC-SHA1 functionality is often locked in this mode, as it requires eg. a touch on the gold button. When accessing the CCID functionality wirelessly via NFC (like this code can do using a reader), then the user interaction is to present the key to the reader.

This implementation has been tested on Linux using pcsc-lite, Windows using the native Winscard.dll library, and Mac OSX using the native PCSC-framework library.

* Remove PC/SC ATR whitelist, instead scan for AIDs

Before, a whitelist of ATR codes (answer to reset, hardware-specific)
was used to scan for compatible (Yubi)Keys.
Now, every connected smartcard is scanned for AIDs (applet identifier),
which are known to implement the HMAC-SHA1 protocol.

This enables the support of currently unknown or unreleased hardware.

Co-authored-by: Jonathan White <support@dmapps.us>
This commit is contained in:
Christoph Honal
2021-10-01 16:39:07 +02:00
committed by GitHub
parent cc39f9ec23
commit 6d1fc31e96
18 changed files with 1740 additions and 356 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/keys/drivers/YubiKeyStub.cpp
View File

@@ -1,6 +1,6 @@
/*
* Copyright (C) 2014 Kyle Manna <kyle@kylemanna.com>
* Copyright (C) 2017 KeePassXC Team <team@keepassxc.org>
* Copyright (C) 2017-2021 KeePassXC Team <team@keepassxc.org>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -22,11 +22,7 @@ YubiKey::YubiKey()
{
}
YubiKey::~YubiKey()
{
}
YubiKey* YubiKey::m_instance(nullptr);
YubiKey* YubiKey::m_instance(Q_NULLPTR);
YubiKey* YubiKey::instance()
{
@@ -62,18 +58,18 @@ QString YubiKey::errorMessage()
return {};
}
YubiKey::ChallengeResult YubiKey::challenge(YubiKeySlot slot, const QByteArray& chal, Botan::secure_vector<char>& resp)
{
Q_UNUSED(slot);
Q_UNUSED(chal);
Q_UNUSED(resp);
return ERROR;
}
bool YubiKey::testChallenge(YubiKeySlot slot, bool* wouldBlock)
{
Q_UNUSED(slot);
Q_UNUSED(wouldBlock);
return false;
}
YubiKey::ChallengeResult YubiKey::challenge(YubiKeySlot slot, const QByteArray& chal, Botan::secure_vector<char>& resp)
{
Q_UNUSED(slot);
Q_UNUSED(chal);
Q_UNUSED(resp);
return YubiKey::ChallengeResult::YCR_ERROR;
}