Macpass: Port Multi Cert Key Provider plugin to Macpass

Created on 25 Apr 2017  Â·  6Comments  Â·  Source: MacPass/MacPass

I propose porting of Keepass Multi Cert Keyprovider plugin to Macpass. The idea is to use smartcard (eq Yubikey PIV/OpenPGP) based client certificates as second factor for decrypting Keepass keyfile (hash). The prerequisite is having pluggable keyproviders support in Macpass.

Here is more info (and source) about the current implementation:
http://www.creative-webdesign.de/en/software/keepass-plugins/multi-cert-keyprovider.html

Multiple certificates support would also enable mobile Keepass-compatbile apps (eq MiniKeePass) to use client certificates generated and stored in phone keystore and provide backup when smartcard or mobile device is lost.

The multi-certificate keyprovider will also need Key Manager companion app to manage public certificates and encrypted Keepass keys.

Here is the overview of current implementation:
http://www.creative-webdesign.de/en/software/keymanagerrsa.html

Also, link to Keepass key provider development documentation:
http://keepass.info/help/v2_dev/plg_keyprov.html

What do you think, is it doable?

Most helpful comment

Just a quick update, I'm currently writing a spec and studying MacPass and KeePassKit source as time permits. First deliverable will be standalone Cert Key Manager application for creating and modifying Keepass MultiCertProvider kmx (xml) files. Apple documentation and examples for interfacing with CryptoTokenKit and Keychain are quite clear and I hope to have something usable to show after the weekend.

All 6 comments

KeePassKit does currently not support arbitrary key provider. This is something I did consider while adopting KDBX 4 but haven't had the time to deliver. Everything is doable and KeePassKit surely would benefit from a loser structure for key provider. MacPass then of course has to deliver UI support for this as well.

This is something I'm interested in as well but as Michael explained, it
will require tweaking the core keepasskit... Not trivial

On Apr 25, 2017 1:54 AM, "martinl" notifications@github.com wrote:

I propose porting of Keepass Multi Cert Keyprovider plugin to Macpass. The
idea is to use smartcard (eq Yubikey PIV/OpenPGP) based client certificates
as second factor for decrypting Keepass keyfile (hash). The prerequisite is
having pluggable keyproviders support in Macpass.

Here is more info about the current implementation:
http://www.creative-webdesign.de/en/software/keepass-plugins/multi-cert-
keyprovider.html

The certificate keyprovider will also need Key Manager companion
app/plugin to manage public certificates. Here is the overview of current
implementation:

http://www.creative-webdesign.de/en/software/keymanagerrsa.html

Keepass key provider development api documentation:
http://keepass.info/help/v2_dev/plg_keyprov.html

What do you think, is it doable?

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/mstarke/MacPass/issues/574, or mute the thread
https://github.com/notifications/unsubscribe-auth/AMqqs0-UwkVGwaEjJYtzu5fUC9TF-5Vnks5rzabJgaJpZM4NHHtp
.

I'm getting up to speed with latest changes in macOS smartcard support infrastructure. Do I underestand correctly that CryptoTokenKit API is a way forward for Sierra and best option for building support for Yubikey PIV in macOS?

https://ludovicrousseau.blogspot.com.ee/2016/06/macos-sierra-and-cryptotokenkit-api.html
https://developer.apple.com/reference/cryptotokenkit
https://developer.apple.com/library/content/samplecode/PIVToken/Introduction/Intro.html

A few more references potentially relevant to the topic:

Certificate, Key, and Trust Services Programming Guide
https://developer.apple.com/library/content/documentation/Security/Conceptual/CertKeyTrustProgGuide/index.html#//apple_ref/doc/uid/TP40001358-CH218-SW1

Certificate, Key, and Trust Services API Reference
https://developer.apple.com/reference/security/certificate_key_and_trust_services

Just a quick update, I'm currently writing a spec and studying MacPass and KeePassKit source as time permits. First deliverable will be standalone Cert Key Manager application for creating and modifying Keepass MultiCertProvider kmx (xml) files. Apple documentation and examples for interfacing with CryptoTokenKit and Keychain are quite clear and I hope to have something usable to show after the weekend.

Has there been any movement on this implementation? It would be nice to be able to use a smartcard or PIV with MacPass.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

mstarke picture mstarke  Â·  3Comments

btxtiger picture btxtiger  Â·  7Comments

aliok picture aliok  Â·  7Comments

bokysan picture bokysan  Â·  6Comments

hugoholzwurm picture hugoholzwurm  Â·  5Comments