Add challenge-response support for Nitrokey 3 #9397

@szszszsz (Contributor) commented May 6, 2023

Add challenge-response support for Nitrokey 3.

In detail:

  • Add Get Response call when More Available / 0x61 SW1 is received
  • Increase buffer for answer to select call (required for Nitrokey 3)
  • Small refactoring for reading the SW

Example log for selecting app with More Available / Get Response used below:

00009450 APDU: 00 A4 04 00 07 A0 00 00 05 27 20 01
00001675 SW: 6A 82
00000071 APDU: 00 A4 04 00 07 A0 00 00 05 27 21 01
00057807 SW: 61 0F
00000037 APDU: 00 C0 00 00 FF
00000893 SW: 79 03 04 0B 00 71 08 3C 73 5F 60 F2 03 EB 0D 90 00

To test:

  • Yubikey behavior for that change. The Nitrokey 3's application responsible for challenge-response is QByteArrayLiteral("\xA0\x00\x00\x05\x27\x21\x01"), which is Yubikey's OATH AID. Check if that could make any conflict.
    • Yubikey behaves normally - tests are passing.

Testing strategy

  1. Test creating database (manual)
  2. Test opening database (manual)

Automatic tests: testykchallengeresponsekey (built with ASAN)

~/w/3/k/c/tests (support-challenge-response-in-nitrokey3|✚2) $ ./testykchallengeresponsekey
********* Start testing of TestYubiKeyChallengeResponse *********
Config: Using QtTest library 5.15.9, Qt 5.15.9 (x86_64-little_endian-lp64 shared (dynamic) release build;
by GCC 13.0.1 20230401 (Red Hat 13.0.1-0)), fedora 38
PASS   : TestYubiKeyChallengeResponse::initTestCase()
PASS   : TestYubiKeyChallengeResponse::testDetectDevices()
PASS   : TestYubiKeyChallengeResponse::testKeyChallenge()
PASS   : TestYubiKeyChallengeResponse::cleanupTestCase()
Totals: 4 passed, 0 failed, 0 skipped, 0 blacklisted, 1336ms
********* Finished testing of TestYubiKeyChallengeResponse *********

This PR was tested against:

  • Nitrokey 3 (unreleased firmware, based on v1.4), and
  • YubiKey 4 (4.3.5) [OTP+FIDO+CCID] Serial: 5668784

Type of change

  • ✅ New feature (change that adds functionality)
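
The More Available / Get Response handling described in the pull request above, shown as an added C++ example; it is not the PR's code or the project's implementation. `Transport`, `transmitChained` and `mockCard` are hypothetical names, the round limit is an assumption of this example, and the mock device replays the responses from the log above.

```cpp
#include <cstdint>
#include <functional>
#include <stdexcept>
#include <vector>

using Bytes = std::vector<uint8_t>;
// Hypothetical transport: sends one command APDU, returns data followed by SW1 SW2.
using Transport = std::function<Bytes(const Bytes&)>;

struct ApduResult {
    Bytes data;   // payload collected across all rounds
    uint16_t sw;  // final status word
};

// Follow SW1 = 0x61 (More Available) with GET RESPONSE until a final status arrives.
ApduResult transmitChained(const Transport& card, const Bytes& command, int maxRounds = 8)
{
    ApduResult out{{}, 0};
    Bytes next = command;
    for (int round = 0; round < maxRounds; ++round) {
        const Bytes resp = card(next);
        if (resp.size() < 2) throw std::runtime_error("response shorter than a status word");
        const uint8_t sw1 = resp[resp.size() - 2];
        const uint8_t sw2 = resp[resp.size() - 1];
        out.data.insert(out.data.end(), resp.begin(), resp.end() - 2);
        out.sw = static_cast<uint16_t>((sw1 << 8) | sw2);
        if (sw1 != 0x61) return out;
        next = {0x00, 0xC0, 0x00, 0x00, 0xFF}; // GET RESPONSE, Le = FF as in the log
    }
    // A device that keeps answering 0x61 must not stall the caller or grow the buffer forever.
    throw std::runtime_error("too many GET RESPONSE rounds");
}

// The two SELECT commands from the log above.
const Bytes SELECT_AID_2001 = {0x00, 0xA4, 0x04, 0x00, 0x07, 0xA0, 0x00, 0x00, 0x05, 0x27, 0x20, 0x01};
const Bytes SELECT_AID_2101 = {0x00, 0xA4, 0x04, 0x00, 0x07, 0xA0, 0x00, 0x00, 0x05, 0x27, 0x21, 0x01};

// Constructed mock device that replays the responses from the log above.
Bytes mockCard(const Bytes& apdu)
{
    if (apdu == SELECT_AID_2101) return {0x61, 0x0F};
    if (apdu.size() > 1 && apdu[1] == 0xC0) {
        return {0x79, 0x03, 0x04, 0x0B, 0x00, 0x71, 0x08, 0x3C, 0x73,
                0x5F, 0x60, 0xF2, 0x03, 0xEB, 0x0D, 0x90, 0x00};
    }
    return {0x6A, 0x82};
}
```
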

@droidmonkey (Member)

Nice!

@droidmonkey (Member)

Closing this and opening a new PR since I cannot push to the source repo.

@szszszsz (Contributor, Author)

Note: merged in #9631

@szszszsz szszszsz deleted the support-challenge-response-in-nitrokey3 branch July 17, 2023 07:17