Use with KeePassXC as a Yubikey OTP HMAC-SHA1 Challenge Response

[jaredvacanti]

I was able to successfully install this applet and get challenge-responses from it on a JavaCard 2.2.2 card over a CCID-compliant PCSC card reader.

Is it possible to use this applet with an application like KeePassXC? Is there a way to appear to be an HID (how the Yubikey presents the OTP interface), or is that a separate driver issue, or something else?

(By the way, thanks for the great smartcard projects!)

Edit: I do notice the README explicitly mentions there are no HID features:

It presents the same interface that a real Yubikey presents over CCID (i.e. this applet does not have any HID features).

Is there any way to achieve that?

[arekinath]

Sadly, not that I know of. Many Javacard chips have built-in USB MACs and can be combined with a PHY to speak USB (e.g. most of the NXP SmartMX chips have this) but there are no standardised Javacard APIs for controlling it. On the NXP platforms they have proprietary APIs for using it, but the export files and docs are under NXP NDAs and can't be distributed freely. I've heard mixed messages about whether you can distribute open-source code written against the APIs or not, but even if we did you wouldn't be able to compile it without the NDA'd export files.

[arekinath]

(And to clarify, this would never work with a plain smartcard and card reader -- it would need to be an integrated USB Javacard device like the ones that Feitian and G&D make)

[jaredvacanti]

Thanks for your feedback on this, I needed to take the time to do some more research and you really put me in the right direction. I contacted Identiv and it seems most of their readers have HID-emulation capabilities, but I was informed from support in regards to a specific reader:

The tool available for 3700F allows to stuff the UID of the tag into the keyboard buffer. It does not allow any other data to be stuffed into keyboard buffer.

It seems like some readers have an API for emulating the PHY layer, and in this case specifically just for NDEF tags. (Do the cards that support PHY interfacing not rely on reader compliance?) I'm still searching for where to purchase a G&D integrated device in small quantities.

KeePassXC already has a few bountied tickets for some security token integration. Would an application (KeePassXC) interacting with this applet (YkOtpApplet) require full CCID interfacing (and as a result, satisfy PKCS#11 requirements, too)?

[StarGate01]

I also looked into this, specifically into the KeePassXC integration. I don't think it would be that hard to extend https://github.com/keepassxreboot/keepassxc/blob/develop/src/keys/drivers/YubiKey.cpp to not only query and interface USB keys (via the https://github.com/Yubico/yubikey-personalization library) but also any CCID card (with a whitelist matched ATR) presented via PC/SC (using the https://github.com/LudovicRousseau/PCSC library on Linux or https://docs.microsoft.com/en-us/windows/win32/api/winscard/ on Windows). The protocol for communication with the challenge-response applet via APDUs is implemented in e.g. https://github.com/arekinath/yktool and https://github.com/pp3345/ykDroid/tree/master/app/src/main/java/net/pp3345/ykdroid and discussed in https://forum.yubico.com/viewtopic696a.html?p=4386 .

[BryanJacobs]

The applet here works just fine with modern versions of KeepassXC, thanks to @StarGate01 . I think this issue is obsolete.