Closed prateeknischal closed 2 years ago
Hi,
When verifying the credential, fido2-cred needs to be told what extensions to expect in the authenticator data. If you try passing -h and -c2 also to the fido2-cred -V call, it should verify successfully.
Hi @LDVG,
Ah, that's a stupid miss on my part. I was under the impression that the assertion payload would have those flags included. Another question on this: I am trying to verify something similar. I am able to perform a make credential call and I see the credential using fido2-token -L -r, but when I try to verify it using fido_cred_verify, the step to set the authenticator data fails with FIDO_ERR_INVALID_ARGUMENT.
```cpp
char *b64_authdata = nullptr;
const unsigned char *auth = fido_cred_authdata_ptr(cred);  // CBOR-wrapped authdata, buffer owned by cred
const size_t auth_len = fido_cred_authdata_len(cred);
base64_encode(reinterpret_cast<const void *>(auth), auth_len, &b64_authdata);  // caller's own base64 helper
VLOG(1) << "Authdata: " << b64_authdata;
```
This works and prints the authdata. Output:

```text
Authdata: WLRUKjf0XLTxLltZWfgIB71+hXc8cLMR1G8J+zNID34Ab0UAAAAD7ogoeXIcSROXdT38zpcHKgAwbJG4faWiByP7ggZfS9/qkUnhQriWKVyuPvEzvKVKBnHZmWG2Y7XlUWti1fP0zlKlpQECAyYgASFYIGyRuH2logcj+4IGX0tOsk3UbFbwMBPRGmovbKBs2ZtZIlggoACpNQdTEioGTh2btgKGzGqn+ca5MJi05mv59/SKG1g=
```
When I try to perform a verification,

```cpp
cred = fido_cred_new();
// setting up other values
VLOG(1) << fido_strerr(fido_cred_set_authdata(cred, auth, auth_len));  // returns FIDO_ERR_INVALID_ARGUMENT
```
Output with FIDO_DEBUG=1:

```text
cbor_bytestring_copy: cbor type
fido_cred_set_authdata: fido_blob_decode
I20220713 17:28:36.613642 2286912 fido2.cc:502] FIDO_ERR_INVALID_ARGUMENT
```
I have verified that cbor_isa_bytestring returns true and the length is _CBOR_METADATA_DEFINITE.
Is there something I am missing? I read the docs and it says I could pretty much use the same blob from the created cred and set it for verification.
When I try to copy the information from the same registration into a file and send it to fido2-cred to verify, it works with the -h -c2 flags.
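The blob printed in the comment above is what fido_cred_authdata_ptr() hands back: a CBOR byte string (its first two bytes, 0x58 0xB4, are a major-type-2 header with a one-byte length of 180) wrapping the WebAuthn authenticator data. The following is an added example, not code from this thread or from libfido2, that decodes that exact base64 string into a caller-owned buffer, checks the CBOR wrapper, and splits the payload into rpIdHash, flags, signCount, AAGUID, credential id and COSE key. It uses no libfido2 API; the base64 decoder and all struct and function names are this example's own. It also handles the one edge case the format has: when the ED flag (0x80) is set, an extensions map follows the COSE key and the key's length cannot be known without a real CBOR decoder, so the example reports that rather than guessing.

```c
/* Added example, not from the thread or libfido2: decode the base64 blob printed
 * above and split it into its authenticator-data fields. Names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The blob from the comment above. Its first bytes, 0x58 0xB4, are a CBOR
 * byte-string header (major type 2, one-byte length = 180) wrapping the authdata. */
static const char PAGE_AUTHDATA_B64[] =
    "WLRUKjf0XLTxLltZWfgIB71+hXc8cLMR1G8J+zNID34Ab0UAAAAD7ogoeXIcSROXdT38zpcH"
    "KgAwbJG4faWiByP7ggZfS9/qkUnhQriWKVyuPvEzvKVKBnHZmWG2Y7XlUWti1fP0zlKlpQEC"
    "AyYgASFYIGyRuH2logcj+4IGX0tOsk3UbFbwMBPRGmovbKBs2ZtZIlggoACpNQdTEioGTh2b"
    "tgKGzGqn+ca5MJi05mv59/SKG1g=";

#define AD_FLAG_UP 0x01  /* user present */
#define AD_FLAG_UV 0x04  /* user verified */
#define AD_FLAG_AT 0x40  /* attested credential data follows */
#define AD_FLAG_ED 0x80  /* extension data follows the COSE key */

struct authdata {
    uint8_t rp_id_hash[32];
    uint8_t flags;
    uint32_t sign_count;
    uint8_t aaguid[16];
    size_t cred_id_len;
    const uint8_t *cred_id;   /* points into the caller's buffer, not a copy */
    const uint8_t *cose_key;  /* CBOR map holding the public key, same buffer */
    size_t cose_key_len;      /* 0 if ED is set: splitting key from extensions needs a CBOR walk */
};

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode standard base64 (no whitespace) into out; returns byte count or -1. */
int b64_decode(const char *in, uint8_t *out, size_t cap) {
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits >= 8) { bits -= 8; if (n == cap) return -1; out[n++] = (uint8_t)(acc >> bits); }
    }
    return (int)n;
}

/* Parse a CBOR byte-string header (major type 2, length < 65536). Returns header size or -1. */
int cbor_bstr_header(const uint8_t *buf, size_t len, size_t *payload_len) {
    if (len < 1 || (buf[0] >> 5) != 2) return -1;
    uint8_t ai = buf[0] & 0x1f;
    if (ai < 24) { *payload_len = ai; return 1; }
    if (ai == 24 && len >= 2) { *payload_len = buf[1]; return 2; }
    if (ai == 25 && len >= 3) { *payload_len = ((size_t)buf[1] << 8) | buf[2]; return 3; }
    return -1;
}

/* Split raw authenticator data: rpIdHash | flags | signCount | [attested cred data] | [extensions]. */
int parse_authdata(const uint8_t *ad, size_t len, struct authdata *out) {
    memset(out, 0, sizeof *out);
    if (len < 37) return -1;
    memcpy(out->rp_id_hash, ad, 32);
    out->flags = ad[32];
    out->sign_count = ((uint32_t)ad[33] << 24) | ((uint32_t)ad[34] << 16) |
                      ((uint32_t)ad[35] << 8) | ad[36];
    size_t off = 37;
    if (out->flags & AD_FLAG_AT) {
        if (len < off + 18) return -1;
        memcpy(out->aaguid, ad + off, 16); off += 16;
        out->cred_id_len = ((size_t)ad[off] << 8) | ad[off + 1]; off += 2;
        if (len < off + out->cred_id_len) return -1;
        out->cred_id = ad + off; off += out->cred_id_len;
        if (off >= len) return -1;  /* AT promises a COSE key after the credential id */
        out->cose_key = ad + off;
        /* Without ED the COSE key is everything that remains; with ED an extensions map
         * follows it and only a real CBOR decoder can tell where the key ends. */
        out->cose_key_len = (out->flags & AD_FLAG_ED) ? 0 : len - off;
    }
    return 0;
}

/* Decode the page's blob into a caller-owned buffer, check the CBOR wrapper, parse it. */
int decode_page_blob(uint8_t *buf, size_t cap, struct authdata *out) {
    int n = b64_decode(PAGE_AUTHDATA_B64, buf, cap);
    size_t plen = 0;
    if (n < 0) return -1;
    int hdr = cbor_bstr_header(buf, (size_t)n, &plen);
    if (hdr < 0 || (size_t)hdr + plen != (size_t)n) return -1;  /* wrapper length must match */
    return parse_authdata(buf + hdr, plen, out);
}

/* Decode once into static storage; returns the parsed view or NULL on failure. */
const struct authdata *page_authdata(void) {
    static uint8_t buf[512];
    static struct authdata ad;
    static int state;  /* 0 = not yet run, 1 = ok, -1 = failed */
    if (state == 0) state = decode_page_blob(buf, sizeof buf, &ad) == 0 ? 1 : -1;
    return state == 1 ? &ad : NULL;
}

int main(void) {
    const struct authdata *ad = page_authdata();
    if (!ad) { fprintf(stderr, "blob did not parse\n"); return 1; }
    printf("flags=0x%02x UP=%d UV=%d AT=%d ED=%d signCount=%u\n", ad->flags,
           !!(ad->flags & AD_FLAG_UP), !!(ad->flags & AD_FLAG_UV),
           !!(ad->flags & AD_FLAG_AT), !!(ad->flags & AD_FLAG_ED), ad->sign_count);
    printf("aaguid=");
    for (int i = 0; i < 16; i++) printf("%02x", ad->aaguid[i]);
    printf("\ncredId: %zu bytes, COSE key: %zu bytes (first byte 0x%02x)\n",
           ad->cred_id_len, ad->cose_key_len, ad->cose_key ? ad->cose_key[0] : 0);
    return 0;
}
```

Build with `cc -std=c99 -Wall authdata.c`. On this blob the flags byte decodes to 0x45 (UP, UV and AT set, ED clear), the sign count is 3, the credential id is 48 bytes and the COSE key is the remaining 77 bytes, starting with 0xA5 (a five-entry CBOR map). The decoded bytes live in a buffer the caller owns, which is the same discipline the later comment arrives at for what fido_cred_authdata_ptr() returns: copy it before the owning fido_cred_t is freed.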
Got some leads, I am probably shooting myself with memory management.

```cpp
const unsigned char *auth = fido_cred_authdata_ptr(cred);  // pointer into cred's internal buffer
const size_t auth_len = fido_cred_authdata_len(cred);
fido_cred_free(&cred);                                      // frees that buffer; auth now dangles
cred = fido_cred_new();
fido_cred_set_authdata(cred, auth, auth_len);               // fails with FIDO_ERR_INVALID_ARGUMENT
```

(I verified by trying to decode auth as a cbor object and it had worked)

vs

```cpp
const unsigned char *auth = fido_cred_authdata_ptr(cred);
const size_t auth_len = fido_cred_authdata_len(cred);
// not calling free on the old cred (it is leaked, but auth stays valid)
cred = fido_cred_new();
fido_cred_set_authdata(cred, auth, auth_len);  // works!
```

Making a copy of the original *auth works:

```cpp
unsigned char *auth_copy = static_cast<unsigned char *>(malloc(auth_len));
memcpy(auth_copy, auth, auth_len);  // copy before the owning cred goes away
fido_cred_free(&cred);
// and then using auth_copy later (free(auth_copy) when done)
```
At this point I am replicating PEM_write_PUBKEY, which just segfaults; this issue is good to close.
What version of libfido2 are you using?
What operating system are you running?
What application are you using in conjunction with libfido2? Directly using the libfido2 library and fido2-cred.
How does the problem manifest itself? When creating a resident credential with hmac-secret enabled, protection set to 0x2, the credential is created. When I try to verify the credential using fido2-cred -V to get the public key, it fails with:
fido2-cred: fido_cred_verify: FIDO_ERR_INVALID_PARAM
Is the problem reproducible? Yes
What are the steps that lead to the problem? This can be tried with any combination of -h or -c2 and it fails the verification and I am not able to get the public key out.
Does the problem happen with different authenticators? Haven't tried.
Please include the output of fido2-token -L.
fido2-token -L
Please include the output of fido2-token -I.
fido2-token -I
Please include the output of FIDO_DEBUG=1.
FIDO_DEBUG=1