Add challenge-response support for Nitrokey 3

[droidmonkey]

Add challenge-response support for Nitrokey 3.

In detail:

• Add Get Response call when More Available / 0x61 SW1 is received
• Increase buffer for answer to select call (required for Nitrokey 3)
• Small refactorization for reading the SW

Example log for selecting app with More Available / Get Response used below:

00009450 APDU: 00 A4 04 00 07 A0 00 00 05 27 20 01
00001675 SW: 6A 82
00000071 APDU: 00 A4 04 00 07 A0 00 00 05 27 21 01
00057807 SW: 61 0F
00000037 APDU: 00 C0 00 00 FF
00000893 SW: 79 03 04 0B 00 71 08 3C 73 5F 60 F2 03 EB 0D 90 00

To test:

• Yubikey behavior for that change. The Nitrokey 3's application responsible for challenge-response is QByteArrayLiteral("\xA0\x00\x00\x05\x27\x21\x01"), which is Yubikey's OATH AID. Check if that could make any conflict.
  • Yubikey behaves normally - tests are passing.

Screenshots

Testing strategy

1. Test creating database (manual)
2. Test opening database (manual)`

Automatic tests: testykchallengeresponsekey (built with ASAN)

~/w/3/k/c/tests (support-challenge-response-in-nitrokey3|✚2) $ ./testykchallengeresponsekey
********* Start testing of TestYubiKeyChallengeResponse *********
Config: Using QtTest library 5.15.9, Qt 5.15.9 (x86_64-little_endian-lp64 shared (dynamic) release build;
by GCC 13.0.1 20230401 (Red Hat 13.0.1-0)), fedora 38
PASS   : TestYubiKeyChallengeResponse::initTestCase()
PASS   : TestYubiKeyChallengeResponse::testDetectDevices()
PASS   : TestYubiKeyChallengeResponse::testKeyChallenge()
PASS   : TestYubiKeyChallengeResponse::cleanupTestCase()
Totals: 4 passed, 0 failed, 0 skipped, 0 blacklisted, 1336ms
********* Finished testing of TestYubiKeyChallengeResponse *********

This PR was tested against:

• Nitrokey 3 (unreleased firmware, based on v1.4), and
• YubiKey 4 (4.3.5) [OTP+FIDO+CCID] Serial: 5668784

Type of change

• ✅ New feature (change that adds functionality)

[codecov]

Codecov Report

Patch coverage has no change and project coverage change: -0.07 ⚠️

Comparison is base (9214ab2) 64.82% compared to head (f23ee13) 64.75%.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #9631      +/-   ##
===========================================
- Coverage    64.82%   64.75%   -0.07%     
===========================================
  Files          337      337              
  Lines        44564    44606      +42     
===========================================
- Hits         28885    28882       -3     
- Misses       15679    15724      +45     

Impacted Files	Coverage Δ
src/keys/drivers/YubiKeyInterfacePCSC.cpp	4.68% <0.00%> (-0.40%)	⬇️
src/keys/drivers/YubiKeyInterfacePCSC.h	0.00% <0.00%> (ø)

... and 2 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[rugk]

Is this also compatible with SoloKeys – which AFAIK share quite much code with Nitrokey's? Or FIDO2 keys in general?

(keywords: U2F, WebAuthn although likely these protocols are not used here, it makes this PR searchable hehe)

[szszszsz]

Is this also compatible with SoloKeys – which AFAIK share quite much code with Nitrokey's? Or FIDO2 keys in general?
(keywords: U2F, WebAuthn although likely these protocols are not used here, it makes this PR searchable hehe)

Hey @rugk !
This PR is sadly using the proprietary Yubikey challenge-response protocol. The PKCS#11- and FIDO-based would be much better, but we wanted to add support to NK3 for this one quickly for the interim/temporary solution until they will become ready.

Regarding SoloKeys, I do not know the answer. I can tell, that we have forked their oath-authenticator app to secrets-app, and heavily extended it. Technically it should be possible for them to switch to it at some point, but I do not know their plans.