jacobpascual/keepassxc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement support for Yubikeys and potential other tokens via wireless NFC using smartcard readers (Rebase) (#6895)

Browse Source 
* Support NFC readers for hardware tokens using PC/SC

This requires a new library dependency: PCSC.
The PCSC library provides methods to access smartcards. On Linux, the third-party pcsc-lite package is used. On Windows, the native Windows API (Winscard.dll) is used. On Mac OSX, the native OSX API (framework-PCSC) is used.

* Split hardware key access into multiple classes to handle different methods of communicating with the keys.

* Since the Yubikey can now be a wireless token as well, the verb "plug in" was replaced with a more
generic "interface with". This shall indicate that the user has to present their token to the reader, or plug it in via USB.

* Add PC/SC interface for YubiKey challenge-response

This new interface uses the PC/SC protocol and API
instead of the USB protocol via ykpers. Many YubiKeys expose their functionality as a CCID device, which can be interfaced with using PC/SC. This is especially useful for NFC-only or NFC-capable Yubikeys, when they are used together with a PC/SC compliant NFC reader device.

Although many (not all) Yubikeys expose their CCID functionality over their own USB connection as well, the HMAC-SHA1 functionality is often locked in this mode, as it requires eg. a touch on the gold button. When accessing the CCID functionality wirelessly via NFC (like this code can do using a reader), then the user interaction is to present the key to the reader.

This implementation has been tested on Linux using pcsc-lite, Windows using the native Winscard.dll library, and Mac OSX using the native PCSC-framework library.

* Remove PC/SC ATR whitelist, instead scan for AIDs

Before, a whitelist of ATR codes (answer to reset, hardware-specific)
was used to scan for compatible (Yubi)Keys.
Now, every connected smartcard is scanned for AIDs (applet identifier),
which are known to implement the HMAC-SHA1 protocol.

This enables the support of currently unknown or unreleased hardware.

Co-authored-by: Jonathan White <support@dmapps.us>
This commit is contained in:
Christoph Honal
2021-10-01 16:39:07 +02:00
committed by GitHub
parent cc39f9ec23
commit 6d1fc31e96
18 changed files with 1740 additions and 356 deletions
Download Patch File Download Diff File Expand all files Collapse all files

151
share/translations/keepassxc_en.ts
View File

@@ -1442,10 +1442,6 @@ If you do not have a key file, please leave the field empty.</source>
<source>Key file to unlock the database</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Please touch the button on your YubiKey!</source>
<translation type="unfinished">Please touch the button on your YubiKey!</translation>
</message>
<message>
<source>Detecting hardware keys</source>
<translation type="unfinished"></translation>
@@ -1479,6 +1475,10 @@ If you do not have a key file, please leave the field empty.</source>
<source>You are using an old key file format which KeePassXC may&lt;br&gt;stop supporting in the future.&lt;br&gt;&lt;br&gt;Please consider generating a new key file by going to:&lt;br&gt;&lt;strong&gt;Database &amp;gt; Database Security &amp;gt; Change Key File.&lt;/strong&gt;&lt;br&gt;</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Please present or touch your YubiKey to continue</source>
<translation type="unfinished"></translation>
</message>
</context>
<context>
<name>DatabaseSettingWidgetMetaData</name>
@@ -4755,10 +4755,6 @@ Are you sure you want to continue with this file?</source>
<source>Quit KeePassXC</source>
<translation>Quit KeePassXC</translation>
</message>
<message>
<source>Please touch the button on your YubiKey!</source>
<translation>Please touch the button on your YubiKey!</translation>
</message>
<message>
<source>&amp;Donate</source>
<translation>&amp;Donate</translation>
@@ -5119,6 +5115,10 @@ Expect some bugs and minor issues, this version is meant for testing purposes.</
We recommend you use the AppImage available on our downloads page.</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Please present or touch your YubiKey to continue</source>
<translation type="unfinished"></translation>
</message>
</context>
<context>
<name>ManageDatabase</name>
@@ -6889,10 +6889,6 @@ Kernel: %3 %4</source>
<source>Invalid YubiKey serial %1</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Please touch the button on your YubiKey to continue</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Do you want to create a database with an empty password? [y/N]: </source>
<translation type="unfinished"></translation>
@@ -7233,6 +7229,10 @@ Please consider generating a new key file.</source>
<source>Warning: Failed to prevent screenshots on a top level window!</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Please present or touch your YubiKey to continue</source>
<translation type="unfinished"></translation>
</message>
</context>
<context>
<name>QtIOCompressor</name>
@@ -8268,49 +8268,15 @@ Example: JBSWY3DPEHPK3PXP</source>
<context>
<name>YubiKey</name>
<message>
<source>%1 [%2] Configured Slot - %3</source>
<source>%1 No interface, slot %2</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>%1 Invalid slot specified - %2</source>
<source>General: </source>
<translation type="unfinished"></translation>
</message>
<message>
<source>The YubiKey interface has not been initialized.</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Hardware key is currently in use.</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Could not find hardware key with serial number %1. Please plug it in to continue.</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Hardware key timed out waiting for user interaction.</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Failed to complete a challenge-response, the specific error was: %1</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>%1 [%2] Challenge-Response - Slot %3 - %4</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Press</source>
<comment>Challenge-Response Key interaction request</comment>
<translation type="unfinished">Press</translation>
</message>
<message>
<source>Passive</source>
<comment>Challenge-Response Key no interaction required</comment>
<translation type="unfinished">Passive</translation>
</message>
<message>
<source>A USB error occurred when accessing the hardware key: %1</source>
<source>Could not find interface for hardware key with serial number %1. Please connect it to continue.</source>
<translation type="unfinished"></translation>
</message>
</context>
@@ -8369,4 +8335,91 @@ Example: JBSWY3DPEHPK3PXP</source>
<translation type="unfinished"></translation>
</message>
</context>
<context>
<name>YubiKeyInterface</name>
<message>
<source>%1 Invalid slot specified - %2</source>
<translation type="unfinished"></translation>
</message>
</context>
<context>
<name>YubiKeyInterfacePCSC</name>
<message>
<source>(PCSC) %1 [%2] Challenge-Response - Slot %3</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>The YubiKey PCSC interface has not been initialized.</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Hardware key is currently in use.</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Could not find or access hardware key with serial number %1. Please present it to continue. </source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Hardware key is locked or timed out. Unlock or re-present it to continue.</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Hardware key was not found or is misconfigured.</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Failed to complete a challenge-response, the PCSC error code was: %1</source>
<translation type="unfinished"></translation>
</message>
</context>
<context>
<name>YubiKeyInterfaceUSB</name>
<message>
<source>Unknown</source>
<translation type="unfinished">Unknown</translation>
</message>
<message>
<source>(USB) %1 [%2] Configured Slot - %3</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>(USB) %1 [%2] Challenge-Response - Slot %3 - %4</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Press</source>
<comment>USB Challenge-Response Key interaction request</comment>
<translation type="unfinished">Press</translation>
</message>
<message>
<source>Passive</source>
<comment>USB Challenge-Response Key no interaction required</comment>
<translation type="unfinished">Passive</translation>
</message>
<message>
<source>The YubiKey USB interface has not been initialized.</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Hardware key is currently in use.</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Could not find hardware key with serial number %1. Please plug it in to continue.</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Hardware key timed out waiting for user interaction.</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>A USB error occurred when accessing the hardware key: %1</source>
<translation type="unfinished"></translation>
</message>
<message>
<source>Failed to complete a challenge-response, the specific error was: %1</source>
<translation type="unfinished"></translation>
</message>
</context>
</TS>