StrongKey / fido2

Open-source FIDO server, featuring the FIDO2 standard. https://demo4.strongkey.com/getstarted/#/openapi/fido

Windows 11 HELLO pin code fails on registration #217

Closed superbly closed 1 year ago

superbly commented 1 year ago

The TPM logic fails when registering using a PIN in Windows 11 Hello. "TPMCertifyInfo failed to unmarshal" appears in the log, and the class is TPMCertifyInfo.class. From debugging, the issue occurs because the size of pos and the size of bytes are different, so what is the meaning of the variable pos?

pleung-strongkey commented 1 year ago

Hi @superbly,

Could you provide the Payara server logs for the error you are encountering? Additionally, are you using one of the sample applications to test registration against the SKFS, or are you using a custom application in your setup?

superbly commented 1 year ago

Hi @pleung-strongkey

Well, we're not using Payara server; we're using Spring Boot. Spring Boot is used, but the logic is the same. I gave the wrong class for where the error occurs. The error occurs when performing the ECC algorithm logic in the unmarshal method of TPMPublicData.class. And the same issue happens even if you test it in your demo.

your demo https://demo.strongkey.com/fidopolicy/#/registerAndLogin

pleung-strongkey commented 1 year ago

Hi @superbly,

I have set up a fresh Windows 11 machine with Windows Hello (PIN) enabled. I am able to register successfully using our demo at https://demo.strongkey.com/fidopolicy with Windows Hello and the "Restricted-TPM" policy selected.

If possible, could you provide some info for the following:

- The TPM version of the machine you are using to register on our demo
- The policy you selected to test registration in the fidopolicy demo

Here are some other things I would recommend trying:

- If you have another machine running Windows 11 with Windows Hello enabled, try using that on the fidopolicy demo.
- Try testing with a different demo: https://demo.strongkey.com/basicdemo/

pleung-strongkey commented 1 year ago

Hi @superbly,

Windows 11 version 22H2 introduced EC support for TPM attestation, which revealed the bug that you have encountered in this issue. A patch will be made to the fido2 project soon. You can check out the new branch here.
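The cursor-and-length check asked about in this thread, as an added example (not part of the issue thread and not StrongKey's code): a minimal parser for the TPM 2.0 `TPMT_PUBLIC` structure (the WebAuthn `pubArea`) that handles both RSA and ECC keys and rejects any buffer whose final cursor `pos` differs from the buffer length. The names `Reader`, `parse_tpmt_public` and `sample_ecc_pubarea` and the sample bytes are constructed for illustration; it assumes a non-NULL signing or KDF scheme carries only a hash algorithm (ECDAA is not handled).

```python
import struct

TPM_ALG_RSA, TPM_ALG_ECC, TPM_ALG_NULL = 0x0001, 0x0023, 0x0010

class Reader:
    """Cursor over a TPM-marshalled (big-endian) buffer; pos is the next unread offset."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated: need {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def u16(self):
        return struct.unpack(">H", self.take(2))[0]
    def u32(self):
        return struct.unpack(">I", self.take(4))[0]
    def sized(self):            # TPM2B_*: UINT16 length prefix, then that many bytes
        return self.take(self.u16())
    def scheme(self, extra=2):  # algorithm id, plus detail bytes unless TPM_ALG_NULL
        alg = self.u16()
        if alg != TPM_ALG_NULL:
            self.take(extra)
        return alg

def parse_tpmt_public(buf):
    r = Reader(buf)
    pub = {"type": r.u16(), "nameAlg": r.u16(), "attrs": r.u32(), "authPolicy": r.sized()}
    r.scheme(extra=4)           # symmetric: keyBits + mode when present
    pub["scheme"] = r.scheme()  # signing scheme: hashAlg when present (assumption above)
    if pub["type"] == TPM_ALG_RSA:
        pub["keyBits"], pub["exponent"] = r.u16(), r.u32()
        pub["unique"] = r.sized()                    # RSA: one sized field, the modulus
    elif pub["type"] == TPM_ALG_ECC:
        pub["curveID"] = r.u16()
        r.scheme()                                   # kdf scheme
        pub["unique"] = (r.sized(), r.sized())       # ECC: two sized fields, point x and y
    else:
        raise ValueError(f"unsupported key type 0x{pub['type']:04x}")
    if r.pos != len(buf):       # every byte must be accounted for, no trailing data
        raise ValueError(f"failed to unmarshal: pos={r.pos}, len={len(buf)}")
    return pub

def sample_ecc_pubarea():       # constructed test vector, not captured from a real TPM
    head = struct.pack(">HHIH", TPM_ALG_ECC, 0x000B, 0x00040072, 0)
    parms = struct.pack(">HHHH", TPM_ALG_NULL, TPM_ALG_NULL, 0x0003, TPM_ALG_NULL)
    point = struct.pack(">H", 32) + b"\x11" * 32 + struct.pack(">H", 32) + b"\x22" * 32
    return head + parms + point
```

The RSA and ECC branches consume different numbers of fields, so a branch that mis-sizes either one ends with `pos` short of or past the buffer length, and the final comparison is what surfaces that as an unmarshal failure rather than silently accepting a partly parsed key.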

push2085 commented 1 year ago

Closing this as the bug has been fixed with release 4.8 and is listed as Bug-8 in the release notes (https://docs.strongkey.com/index.php/skfs-home/skfs-release-notes/skfs-4-8-0).

PS: We have stopped using GitHub for our source repository and our supporters are encouraged to get SKFS, its updates and support at SourceForge.