arshadnoor
commented
3 years ago You cannot use mydomain as your FQDN. It has to be a "top-level domain" (TLD) + 1 sub-domain.
.com is a TLD. .org is a TLD. .gov or .edu is a TLD.
The subdomain is something like "strongkey" or "fidoalliance".
So a valid TLD+1 is "strongkey.com" or "fidoalliance.org".
You need to set your machine's FQDN to a valid hostname + TLD + 1 - such as demo.strongkey.com, where demo is the hostname and strongkey.com is the TLD+1.
Once you do that, the Relying Party ID (RPID) will be set correctly and you can use your FIDO server correctly.
Also, if you are authenticated into a Shell session in your SKFS machine, and if it is Linux, just type aslg and it will take you to the directory of your SKFS logs. The log file is server.log and you can see the error messages there.
You can also type tsl in a Shell window separately on the SKFS machine and you'll see a running log of your FIDO server.
Hope that helps.
On 11/5/21 2:43 AM, wsideveloper wrote:
I am able to install a SKFS server with my internet domain. I can do a ping to my server too: java -jar skfsclient.jar P https://mydomain:8181 https://mydomain:8181 1 REST PASSWORD svcfidouser Abcd1234!
However when I install the Basic Java Sample Demo and launch it to my server https://mydomain:8181//basicdemo/ https://mydomain:8181//basicdemo/
I get this error when I do a register: SecurityError: The relying party ID is not a registrable domain suffix of, nor equal to the current domain.
I have tried to change the policy for DID 1 in the database by only replacing "strongkey.com" to mydomain:
{"FidoPolicy":{"name":"MinimalPolicy","copyright":"","version":"1.0","startDate":"1635942582","endDate":"1760103870871","system":{"requireCounter":"mandatory","integritySignatures":false,"userVerification":["required","preferred","discouraged"],"userPresenceTimeout":0,"allowedAaguids":["all"],"jwtKeyValidity":365,"jwtRenewalWindow":30,"transport":["usb","internal"]},"algorithms":{"curves":["secp256r1","secp384r1","secp521r1","curve25519"],"rsa":["RS256","RS384","RS512","PS256","PS384","PS384"],"signatures":["ES256","ES384","ES512","EdDSA","ES256K"]},"attestation":{"conveyance":["none","indirect","direct","enterprise"],"formats":["fido-u2f","packed","tpm","android-key","android-safetynet","apple","none"]},"registration":{"displayName":"required","attachment":["platform","cross-platform"],"discoverableCredential":["required","preferred","discouraged"],"excludeCredentials":"enabled"},"authentication":{"allowCredentials":"enabled"},"authorization":{"maxdataLength":256,"preserve":true},"rp":{"id":"strongkey.com","name":"FIDOServer"},"extensions":{},"mds":{"authenticatorStatusReport":[{"status":"FIDO_CERTIFIED_L1","priority":"1","decision":"IGNORE"},{"status":"FIDO_CERTIFIED_L2","priority":"1","decision":"ACCEPT"},{"status":"UPDATE_AVAILABLE","priority":"5","decision":"IGNORE"},{"status":"REVOKED","priority":"10","decision":"DENY"}]},"jwt":{"algorithms":["ES256","ES384","ES521"],"duration":30,"required":["rpid","iat","exp","cip","uname","agent"],"signingCerts":{"DN":"CN=StrongKey KeyAppliance,O=StrongKey","certsPerServer":3}}}}
but the registering still does not work. It shows a new error "WEBAUTHN-WS-ERR-1000: An unexpected error occurred. Please check server logs for details."
Any pointers?
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/StrongKey/fido2/issues/170, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABWSVTX2MQJPOFD5Q4E3WYTUKORLRANCNFSM5HNNYJHA. Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.
wsideveloper
I am able to install a SKFS server with my internet domain. I can do a ping to my server too: java -jar skfsclient.jar P https://mydomain:8181 1 REST PASSWORD svcfidouser Abcd1234!
However when I install the Basic Java Sample Demo and launch it to my server https://mydomain:8181//basicdemo/
I get this error when I do a register: SecurityError: The relying party ID is not a registrable domain suffix of, nor equal to the current domain.
I have tried to change the policy for DID 1 in the database by only replacing "strongkey.com" to mydomain:
{"FidoPolicy":{"name":"MinimalPolicy","copyright":"","version":"1.0","startDate":"1635942582","endDate":"1760103870871","system":{"requireCounter":"mandatory","integritySignatures":false,"userVerification":["required","preferred","discouraged"],"userPresenceTimeout":0,"allowedAaguids":["all"],"jwtKeyValidity":365,"jwtRenewalWindow":30,"transport":["usb","internal"]},"algorithms":{"curves":["secp256r1","secp384r1","secp521r1","curve25519"],"rsa":["RS256","RS384","RS512","PS256","PS384","PS384"],"signatures":["ES256","ES384","ES512","EdDSA","ES256K"]},"attestation":{"conveyance":["none","indirect","direct","enterprise"],"formats":["fido-u2f","packed","tpm","android-key","android-safetynet","apple","none"]},"registration":{"displayName":"required","attachment":["platform","cross-platform"],"discoverableCredential":["required","preferred","discouraged"],"excludeCredentials":"enabled"},"authentication":{"allowCredentials":"enabled"},"authorization":{"maxdataLength":256,"preserve":true},"rp":{"id":"strongkey.com","name":"FIDOServer"},"extensions":{},"mds":{"authenticatorStatusReport":[{"status":"FIDO_CERTIFIED_L1","priority":"1","decision":"IGNORE"},{"status":"FIDO_CERTIFIED_L2","priority":"1","decision":"ACCEPT"},{"status":"UPDATE_AVAILABLE","priority":"5","decision":"IGNORE"},{"status":"REVOKED","priority":"10","decision":"DENY"}]},"jwt":{"algorithms":["ES256","ES384","ES521"],"duration":30,"required":["rpid","iat","exp","cip","uname","agent"],"signingCerts":{"DN":"CN=StrongKey KeyAppliance,O=StrongKey","certsPerServer":3}}}}
but the registering still does not work. It shows a new error "WEBAUTHN-WS-ERR-1000: An unexpected error occurred. Please check server logs for details."
Any pointers?