keepassium / KeePassium

KeePass-compatible password manager for iOS
https://keepassium.com

Some USB YubiKeys could be processed incorrectly #350

Closed keepassium closed 7 months ago

keepassium commented 8 months ago

Description KeePassium's code for USB YubiKeys on macOS uses an incorrect data padding algorithm. In some cases, this can lead to incorrect challenge-response processing, making the database unreadable by other apps or even by a different interface of the same key.

In particular, a database saved with the USB end of a YubiKey 5Ci could not be read with the Lightning end of the same key, and vice versa. However, the issue did not apply to the USB and NFC interfaces of a YubiKey 5 NFC key. This implies that the issue is somehow related to how the keys were configured.

How to reproduce

  1. Configure a YubiKey 5Ci for challenge-response using YubiKey Personalization Tool and "Fixed 64 byte input" mode.
  2. Launch the native KeePassium for macOS, and change the master key to use the YubiKey
  3. Try to open the database on iOS, using the Lightning connection. (Alternatively, try to open the database in KeePassXC.)
  4. Observe the incorrect master key error

Expected behavior The database should be opened correctly.

Environment:

Additional context Challenge-response code for iOS (for NFC and Lightning keys) pads the challenge to 64 bytes using the PKCS-7 method. The native macOS code (for USB keys) simply appends zeros. This works for some key configurations (which is why this code was shipped), but not for others (which is why the issue was detected).

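The following is an added example, not code from the KeePassium project or from the issue author. It shows the two padding schemes the issue contrasts (PKCS#7 padding to 64 bytes versus zero padding) and simulates a slot configured for "Fixed 64 byte input", where the key HMACs all 64 bytes it receives, padding included. Because the padding bytes differ, the two responses differ, which is exactly the "incorrect master key" outcome described above. The 20-byte slot secret and the 32-byte challenge are constructed values; the `fixed64_response` function is an assumed model of the fixed-input mode only and does not model variable-length input, where the key's own handling of trailing bytes is what let zero padding work for some configurations.

```python
"""Added example (not KeePassium code): PKCS#7 vs zero padding of a
YubiKey HMAC-SHA1 challenge, and the effect on a fixed-64-byte-input slot."""
import hashlib
import hmac

BLOCK = 64  # challenge size the key expects in "Fixed 64 byte input" mode


def pkcs7_pad(challenge: bytes, block: int = BLOCK) -> bytes:
    """PKCS#7 padding to exactly one block (the iOS NFC/Lightning path).

    Each padding byte carries the number of padding bytes added. Assumes the
    challenge is shorter than one block, so that exactly one block results.
    """
    if not 0 < len(challenge) < block:
        raise ValueError("challenge must be 1..%d bytes" % (block - 1))
    n = block - len(challenge)
    return challenge + bytes([n]) * n


def zero_pad(challenge: bytes, block: int = BLOCK) -> bytes:
    """Zero padding to one block (what the macOS USB path did)."""
    if not 0 < len(challenge) <= block:
        raise ValueError("challenge must be 1..%d bytes" % block)
    return challenge + b"\x00" * (block - len(challenge))


def fixed64_response(secret: bytes, padded: bytes) -> bytes:
    """Assumed model of a slot in 'Fixed 64 byte input' mode: the key
    computes HMAC-SHA1 over all 64 bytes it receives, padding included."""
    if len(padded) != BLOCK:
        raise ValueError("fixed-input slot expects exactly %d bytes" % BLOCK)
    return hmac.new(secret, padded, hashlib.sha1).digest()


def compare_paddings(secret: bytes, challenge: bytes) -> dict:
    """Derive the response both ways and report whether they agree.

    A database key derived from one response cannot unlock a database whose
    key was derived from the other, even though the secret and the original
    challenge are identical.
    """
    r_pkcs7 = fixed64_response(secret, pkcs7_pad(challenge))
    r_zero = fixed64_response(secret, zero_pad(challenge))
    return {
        "pkcs7": r_pkcs7.hex(),
        "zero": r_zero.hex(),
        "match": hmac.compare_digest(r_pkcs7, r_zero),
    }


# Constructed inputs: a 20-byte HMAC-SHA1 slot secret and a 32-byte challenge.
SECRET = bytes(range(20))
CHALLENGE = b"\x11" * 32

if __name__ == "__main__":
    result = compare_paddings(SECRET, CHALLENGE)
    print("PKCS#7 padded :", pkcs7_pad(CHALLENGE).hex())
    print("zero padded   :", zero_pad(CHALLENGE).hex())
    print("response/pkcs7:", result["pkcs7"])
    print("response/zero :", result["zero"])
    print("responses match:", result["match"])
```

Running this prints two different 20-byte responses for the same secret and challenge; the only thing that changed is the 32 trailing bytes (0x20 under PKCS#7, 0x00 under zero padding). The practical check when debugging an interoperability report like this one is therefore to hex-dump the exact 64 bytes each client sends to the key, not just the logical challenge.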
keepassium commented 8 months ago

This will be fixed in the next update.

If your database is encrypted with USB YubiKey and fails to open on v1.51+: