* Support NFC readers for hardware tokens using PC/SC

  This requires a new library dependency: PCSC. The PCSC library provides methods to access smartcards. On Linux, the third-party pcsc-lite package is used. On Windows, the native Windows API (Winscard.dll) is used. On Mac OSX, the native OSX API (framework-PCSC) is used.

* Split hardware key access into multiple classes to handle different methods of communicating with the keys.

* Since the YubiKey can now be a wireless token as well, the verb "plug in" was replaced with a more generic "interface with". This shall indicate that the user has to present their token to the reader, or plug it in via USB.

* Add PC/SC interface for YubiKey challenge-response

  This new interface uses the PC/SC protocol and API instead of the USB protocol via ykpers. Many YubiKeys expose their functionality as a CCID device, which can be interfaced with using PC/SC. This is especially useful for NFC-only or NFC-capable YubiKeys, when they are used together with a PC/SC compliant NFC reader device.

  Although many (not all) YubiKeys expose their CCID functionality over their own USB connection as well, the HMAC-SHA1 functionality is often locked in this mode, as it requires e.g. a touch on the gold button. When accessing the CCID functionality wirelessly via NFC (like this code can do using a reader), then the user interaction is to present the key to the reader.

  This implementation has been tested on Linux using pcsc-lite, Windows using the native Winscard.dll library, and Mac OSX using the native PCSC-framework library.

* Remove PC/SC ATR whitelist, instead scan for AIDs

  Before, a whitelist of ATR codes (answer to reset, hardware-specific) was used to scan for compatible (Yubi)Keys. Now, every connected smartcard is scanned for AIDs (applet identifier), which are known to implement the HMAC-SHA1 protocol. This enables the support of currently unknown or unreleased hardware.

Co-authored-by: Jonathan White <support@dmapps.us>
55 lines
1.6 KiB
C++
/*
 *  Copyright (C) 2019 KeePassXC Team <team@keepassxc.org>
 *  Copyright (C) 2014 Kyle Manna <kyle@kylemanna.com>
 *
 *  This program is free software: you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation, either version 2 or (at your option)
 *  version 3 of the License.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

#include "ChallengeResponseKey.h"

#include "core/AsyncTask.h"

QUuid ChallengeResponseKey::UUID("e092495c-e77d-498b-84a1-05ae0d955508");

ChallengeResponseKey::ChallengeResponseKey(YubiKeySlot keySlot)
    : Key(UUID)
    , m_keySlot(keySlot)
{
}

QByteArray ChallengeResponseKey::rawKey() const
{
    return QByteArray(m_key.data(), m_key.size());
}

QString ChallengeResponseKey::error() const
{
    return m_error;
}

bool ChallengeResponseKey::challenge(const QByteArray& challenge)
{
    m_error.clear();
    auto result =
        AsyncTask::runAndWaitForFuture([&] { return YubiKey::instance()->challenge(m_keySlot, challenge, m_key); });

    if (result != YubiKey::ChallengeResult::YCR_SUCCESS) {
        // Record the error message
        m_key.clear();
        m_error = YubiKey::instance()->errorMessage();
    }

    return result == YubiKey::ChallengeResult::YCR_SUCCESS;
}
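The switch from an ATR whitelist to AID scanning described in the commit message can be shown with a small model of the exchange. This is an added example, not KeePassXC code: `FakeCard`, the function names, and every ATR and AID value are constructed for illustration; only the ISO 7816-4 SELECT layout and the status words 0x9000 and 0x6A82 are standard.

```cpp
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <vector>

using Bytes = std::vector<uint8_t>;

// ISO 7816-4 SELECT by AID: CLA=00 INS=A4 P1=04 P2=00 Lc=<len> <AID>
Bytes buildSelectByAid(const Bytes& aid) {
    if (aid.size() < 5 || aid.size() > 16) throw std::invalid_argument("AID must be 5..16 bytes");
    Bytes apdu{0x00, 0xA4, 0x04, 0x00, static_cast<uint8_t>(aid.size())};
    apdu.insert(apdu.end(), aid.begin(), aid.end());
    return apdu;
}

// Status word (SW1 SW2) is the last two bytes of a response; 0 if truncated.
uint16_t statusWord(const Bytes& r) {
    return r.size() < 2 ? 0 : static_cast<uint16_t>((r[r.size() - 2] << 8) | r.back());
}

// Hypothetical stand-in for a card behind a PC/SC reader (constructed data only).
struct FakeCard {
    Bytes atr; std::vector<Bytes> applets; // ATR bytes and installed applet AIDs
    Bytes transmit(const Bytes& apdu) const {
        // Anything that is not a well-formed SELECT is rejected in this toy model.
        if (apdu.size() < 5 || apdu[1] != 0xA4 || apdu.size() != 5u + apdu[4]) return {0x6D, 0x00};
        const Bytes aid(apdu.begin() + 5, apdu.end());
        const bool hit = std::find(applets.begin(), applets.end(), aid) != applets.end();
        return hit ? Bytes{0x90, 0x00} : Bytes{0x6A, 0x82}; // success / application not found
    }
};

// Old approach: accept only cards whose hardware-specific ATR is on the list.
bool atrWhitelisted(const Bytes& atr, const std::vector<Bytes>& whitelist) {
    return std::find(whitelist.begin(), whitelist.end(), atr) != whitelist.end();
}

// New approach: SELECT each known AID; index of the first applet found, or -1.
int scanForApplet(const FakeCard& card, const std::vector<Bytes>& knownAids) {
    for (std::size_t i = 0; i < knownAids.size(); ++i)
        if (statusWord(card.transmit(buildSelectByAid(knownAids[i]))) == 0x9000)
            return static_cast<int>(i);
    return -1;
}

int main() {
    const Bytes aid{0xF0, 0x01, 0x02, 0x03, 0x04};              // constructed AID
    const FakeCard card{{0x3B, 0x80, 0x80, 0x01, 0x01}, {aid}}; // constructed, unlisted ATR
    std::cout << "ATR listed: " << atrWhitelisted(card.atr, {}) << ", AID index: " << scanForApplet(card, {aid}) << "\n";
}
```

A card whose ATR was never listed is still detected because the check depends on which applet answers, not on the hardware's reset bytes.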