I propose porting of Keepass Multi Cert Keyprovider plugin to Macpass. The idea is to use smartcard (eq Yubikey PIV/OpenPGP) based client certificates as second factor for decrypting Keepass keyfile (hash). The prerequisite is having pluggable keyproviders support in Macpass.
Here is more info (and source) about the current implementation:
http://www.creative-webdesign.de/en/software/keepass-plugins/multi-cert-keyprovider.html
Multiple certificates support would also enable mobile Keepass-compatbile apps (eq MiniKeePass) to use client certificates generated and stored in phone keystore and provide backup when smartcard or mobile device is lost.
The multi-certificate keyprovider will also need Key Manager companion app to manage public certificates and encrypted Keepass keys.
Here is the overview of current implementation:
http://www.creative-webdesign.de/en/software/keymanagerrsa.html
Also, link to Keepass key provider development documentation:
http://keepass.info/help/v2_dev/plg_keyprov.html
What do you think, is it doable?
KeePassKit does currently not support arbitrary key provider. This is something I did consider while adopting KDBX 4 but haven't had the time to deliver. Everything is doable and KeePassKit surely would benefit from a loser structure for key provider. MacPass then of course has to deliver UI support for this as well.
This is something I'm interested in as well but as Michael explained, it
will require tweaking the core keepasskit... Not trivial
On Apr 25, 2017 1:54 AM, "martinl" notifications@github.com wrote:
I propose porting of Keepass Multi Cert Keyprovider plugin to Macpass. The
idea is to use smartcard (eq Yubikey PIV/OpenPGP) based client certificates
as second factor for decrypting Keepass keyfile (hash). The prerequisite is
having pluggable keyproviders support in Macpass.Here is more info about the current implementation:
http://www.creative-webdesign.de/en/software/keepass-plugins/multi-cert-
keyprovider.htmlThe certificate keyprovider will also need Key Manager companion
app/plugin to manage public certificates. Here is the overview of current
implementation:http://www.creative-webdesign.de/en/software/keymanagerrsa.html
Keepass key provider development api documentation:
http://keepass.info/help/v2_dev/plg_keyprov.htmlWhat do you think, is it doable?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/mstarke/MacPass/issues/574, or mute the thread
https://github.com/notifications/unsubscribe-auth/AMqqs0-UwkVGwaEjJYtzu5fUC9TF-5Vnks5rzabJgaJpZM4NHHtp
.
I'm getting up to speed with latest changes in macOS smartcard support infrastructure. Do I underestand correctly that CryptoTokenKit API is a way forward for Sierra and best option for building support for Yubikey PIV in macOS?
https://ludovicrousseau.blogspot.com.ee/2016/06/macos-sierra-and-cryptotokenkit-api.html
https://developer.apple.com/reference/cryptotokenkit
https://developer.apple.com/library/content/samplecode/PIVToken/Introduction/Intro.html
A few more references potentially relevant to the topic:
Certificate, Key, and Trust Services Programming Guide
https://developer.apple.com/library/content/documentation/Security/Conceptual/CertKeyTrustProgGuide/index.html#//apple_ref/doc/uid/TP40001358-CH218-SW1
Certificate, Key, and Trust Services API Reference
https://developer.apple.com/reference/security/certificate_key_and_trust_services
Just a quick update, I'm currently writing a spec and studying MacPass and KeePassKit source as time permits. First deliverable will be standalone Cert Key Manager application for creating and modifying Keepass MultiCertProvider kmx (xml) files. Apple documentation and examples for interfacing with CryptoTokenKit and Keychain are quite clear and I hope to have something usable to show after the weekend.
Has there been any movement on this implementation? It would be nice to be able to use a smartcard or PIV with MacPass.
Most helpful comment
Just a quick update, I'm currently writing a spec and studying MacPass and KeePassKit source as time permits. First deliverable will be standalone Cert Key Manager application for creating and modifying Keepass MultiCertProvider kmx (xml) files. Apple documentation and examples for interfacing with CryptoTokenKit and Keychain are quite clear and I hope to have something usable to show after the weekend.