Closed rotarydrone closed 2 months ago
Does the --info command indicate if any of the keys are protected by a sandbox account?
I get a similar error, but before the OktaInk SignDeviceBind. The error happens as soon as I enter the email and select Next.
.\OktaTerrify.exe --backdoor --db .\OVStore.db --dbkey 765b7... --sid S-1-5-21-...-1001 -v
2024-05-22 14:58:02.2802|INFO|OktaTerrify|Okta Terrify is starting....
2024-05-22 14:58:02.3120|INFO|OktaTerrify.Oidc.LoopbackHttpListener|HTTP server listening on loopback ports 8769 65112
Unhandled Exception: System.ArgumentNullException: Value cannot be null.
Parameter name: inArray
at System.Convert.ToBase64String(Byte[] inArray)
at OktaVerify.OktaTerrify.<SendChallengeResponse>d__23.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at OktaTerrify.Oidc.LoopbackHttpListener.<HandleChallenge>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at OktaTerrify.Oidc.LoopbackHttpListener.<ListenerCallback>d__16.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
at System.Threading.ThreadPoolWorkQueue.Dispatch()
My --info command shows Sandboxed: Yes - is this the indication of a protected sandbox account?
Keys:
Id: HDW_7B..., Sandboxed: Yes, Type ProofOfPossession
Id: HDW_D4..., Sandboxed: No, Type DeviceAttestation
Confirmed this was related to a sandboxed account - I had two accounts associated with my OVStore.db file and I was forced to remove the sandbox account from Verify to obtain the appropriate data. Perhaps functionality could be added that enables selection of accounts in the DB file?
Looks like you did have a PoP key that was enrolled via a sandbox Windows account but it threw an NPE on this line https://github.com/CCob/okta-terrify/blob/b9f94b4691c16fd4e704d245c472bb28aa0bb509/OktaTerrify/OktaTerrify.cs#L253
Which means the instance identifier was not present in the database, which is used to derive the password for the sandbox account. My guess is an even older sandbox account method that I've not come across. When you cleared your account and re-added it, the newer versions of Okta Verify most likely didn't wrap the keys in a sandbox account. I've only come across it on the odd occasion, hence testing in this area is limited.
Running into an issue with OktaTerrify.exe in backdoor mode throwing a System.NullReferenceException exception after generating the backdoor key.