Yubico / libfido2

Provides library functionality for FIDO2, including communication with a device over USB or NFC.

Unable to generate fido2 ed25519-sk ssh keypair #686

Closed micah closed 1 year ago

micah commented 1 year ago

What version of libfido2 are you using? 1.12.0-2+b1

What operating system are you running? Debian bookworm

What application are you using in conjunction with libfido2? Openssh 1:9.2p1-2

How does the problem manifest itself?

$ ssh-keygen -t ed25519-sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator: 
You may need to touch your authenticator again to authorize key generation.
Key enrollment failed: invalid format

Is the problem reproducible? Yes

Please include the output of fido2-token -L.

$ fido2-token -L
/dev/hidraw3: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)

Please include the output of fido2-token -I.

$ fido2-token -I <device>
proto: 0x02
major: 0x05
minor: 0x04
build: 0x03
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE
extension strings: credProtect, hmac-secret
transport strings: nfc, usb
algorithms: es256 (public-key), eddsa (public-key)
aaguid: 2fc0579f811347eab116bb5a8db9202a
options: rk, up, noplat, clientPin, credentialMgmtPreview
fwversion: 0x50403
maxmsgsiz: 1200
maxcredcntlst: 8
maxcredlen: 128
maxlargeblob: 0
minpinlen: 4
pin protocols: 2, 1
pin retries: 5
pin change required: false
uv retries: undefined

Please include the output of FIDO_DEBUG=1.

$ export FIDO_DEBUG=1 fido2-token -I /dev/hidraw3
proto: 0x02
major: 0x05
minor: 0x04
build: 0x03
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE
extension strings: credProtect, hmac-secret
transport strings: nfc, usb
algorithms: es256 (public-key), eddsa (public-key)
aaguid: 2fc0579f811347eab116bb5a8db9202a
options: rk, up, noplat, clientPin, credentialMgmtPreview
fwversion: 0x50403
maxmsgsiz: 1200
maxcredcntlst: 8
maxcredlen: 128
maxlargeblob: 0
minpinlen: 4
pin protocols: 2, 1
pin retries: 5
pin change required: false
uv retries: undefined
micah@sarcodina:~$ FIDO_DEBUG=1 fido2-token -I /dev/hidraw3
fido_tx: dev=0x55e596caa2a0, cmd=0x06
fido_tx: buf=0x55e596caa2a0, len=8
0000: 5e 88 cd 78 1d c8 6f e4
fido_rx: dev=0x55e596caa2a0, cmd=0x06, ms=-1
rx_preamble: buf=0x7fff26b82960, len=64
0000: ff ff ff ff 86 00 11 5e 88 cd 78 1d c8 6f e4 21
0016: 33 e1 b9 02 05 04 03 05 00 00 00 00 00 00 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
rx: payload_len=17
fido_rx: buf=0x55e596caa2a8, len=17
0000: 5e 88 cd 78 1d c8 6f e4 21 33 e1 b9 02 05 04 03
0016: 05
fido_dev_get_cbor_info_tx: dev=0x55e596caa2a0
fido_tx: dev=0x55e596caa2a0, cmd=0x10
fido_tx: buf=0x7fff26b829b7, len=1
0000: 04
fido_dev_get_cbor_info_rx: dev=0x55e596caa2a0, ci=0x55e596caa3f0, ms=-1
fido_rx: dev=0x55e596caa2a0, cmd=0x10, ms=-1
rx_preamble: buf=0x7fff26b82920, len=64
0000: 21 33 e1 b9 90 00 cc 00 ac 01 83 66 55 32 46 5f
0016: 56 32 68 46 49 44 4f 5f 32 5f 30 6c 46 49 44 4f
0032: 5f 32 5f 31 5f 50 52 45 02 82 6b 63 72 65 64 50
0048: 72 6f 74 65 63 74 6b 68 6d 61 63 2d 73 65 63 72
rx: payload_len=204
rx: buf=0x7fff26b82920, len=64
0000: 21 33 e1 b9 00 65 74 03 50 2f c0 57 9f 81 13 47
0016: ea b1 16 bb 5a 8d b9 20 2a 04 a5 62 72 6b f5 62
0032: 75 70 f5 64 70 6c 61 74 f4 69 63 6c 69 65 6e 74
0048: 50 69 6e f5 75 63 72 65 64 65 6e 74 69 61 6c 4d
rx: buf=0x7fff26b82920, len=64
0000: 21 33 e1 b9 01 67 6d 74 50 72 65 76 69 65 77 f5
0016: 05 19 04 b0 06 82 02 01 07 08 08 18 80 09 82 63
0032: 6e 66 63 63 75 73 62 0a 82 a2 63 61 6c 67 26 64
0048: 74 79 70 65 6a 70 75 62 6c 69 63 2d 6b 65 79 a2
rx: buf=0x7fff26b82920, len=64
0000: 21 33 e1 b9 02 63 61 6c 67 27 64 74 79 70 65 6a
0016: 70 75 62 6c 69 63 2d 6b 65 79 0d 04 0e 1a 00 05
0032: 04 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
fido_rx: buf=0x55e596caa4f0, len=204
0000: 00 ac 01 83 66 55 32 46 5f 56 32 68 46 49 44 4f
0016: 5f 32 5f 30 6c 46 49 44 4f 5f 32 5f 31 5f 50 52
0032: 45 02 82 6b 63 72 65 64 50 72 6f 74 65 63 74 6b
0048: 68 6d 61 63 2d 73 65 63 72 65 74 03 50 2f c0 57
0064: 9f 81 13 47 ea b1 16 bb 5a 8d b9 20 2a 04 a5 62
0080: 72 6b f5 62 75 70 f5 64 70 6c 61 74 f4 69 63 6c
0096: 69 65 6e 74 50 69 6e f5 75 63 72 65 64 65 6e 74
0112: 69 61 6c 4d 67 6d 74 50 72 65 76 69 65 77 f5 05
0128: 19 04 b0 06 82 02 01 07 08 08 18 80 09 82 63 6e
0144: 66 63 63 75 73 62 0a 82 a2 63 61 6c 67 26 64 74
0160: 79 70 65 6a 70 75 62 6c 69 63 2d 6b 65 79 a2 63
0176: 61 6c 67 27 64 74 79 70 65 6a 70 75 62 6c 69 63
0192: 2d 6b 65 79 0d 04 0e 1a 00 05 04 03
fido_dev_open_rx: FIDO_MAXMSG=2048, maxmsgsiz=1200
proto: 0x02
major: 0x05
minor: 0x04
build: 0x03
caps: 0x05 (wink, cbor, msg)
fido_dev_get_cbor_info_tx: dev=0x55e596caa2a0
fido_tx: dev=0x55e596caa2a0, cmd=0x10
fido_tx: buf=0x7fff26b82a57, len=1
0000: 04
fido_dev_get_cbor_info_rx: dev=0x55e596caa2a0, ci=0x55e596cac020, ms=-1
fido_rx: dev=0x55e596caa2a0, cmd=0x10, ms=-1
rx_preamble: buf=0x7fff26b829c0, len=64
0000: 21 33 e1 b9 90 00 cc 00 ac 01 83 66 55 32 46 5f
0016: 56 32 68 46 49 44 4f 5f 32 5f 30 6c 46 49 44 4f
0032: 5f 32 5f 31 5f 50 52 45 02 82 6b 63 72 65 64 50
0048: 72 6f 74 65 63 74 6b 68 6d 61 63 2d 73 65 63 72
rx: payload_len=204
rx: buf=0x7fff26b829c0, len=64
0000: 21 33 e1 b9 00 65 74 03 50 2f c0 57 9f 81 13 47
0016: ea b1 16 bb 5a 8d b9 20 2a 04 a5 62 72 6b f5 62
0032: 75 70 f5 64 70 6c 61 74 f4 69 63 6c 69 65 6e 74
0048: 50 69 6e f5 75 63 72 65 64 65 6e 74 69 61 6c 4d
rx: buf=0x7fff26b829c0, len=64
0000: 21 33 e1 b9 01 67 6d 74 50 72 65 76 69 65 77 f5
0016: 05 19 04 b0 06 82 02 01 07 08 08 18 80 09 82 63
0032: 6e 66 63 63 75 73 62 0a 82 a2 63 61 6c 67 26 64
0048: 74 79 70 65 6a 70 75 62 6c 69 63 2d 6b 65 79 a2
rx: buf=0x7fff26b829c0, len=64
0000: 21 33 e1 b9 02 63 61 6c 67 27 64 74 79 70 65 6a
0016: 70 75 62 6c 69 63 2d 6b 65 79 0d 04 0e 1a 00 05
0032: 04 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
fido_rx: buf=0x55e596caa4f0, len=204
0000: 00 ac 01 83 66 55 32 46 5f 56 32 68 46 49 44 4f
0016: 5f 32 5f 30 6c 46 49 44 4f 5f 32 5f 31 5f 50 52
0032: 45 02 82 6b 63 72 65 64 50 72 6f 74 65 63 74 6b
0048: 68 6d 61 63 2d 73 65 63 72 65 74 03 50 2f c0 57
0064: 9f 81 13 47 ea b1 16 bb 5a 8d b9 20 2a 04 a5 62
0080: 72 6b f5 62 75 70 f5 64 70 6c 61 74 f4 69 63 6c
0096: 69 65 6e 74 50 69 6e f5 75 63 72 65 64 65 6e 74
0112: 69 61 6c 4d 67 6d 74 50 72 65 76 69 65 77 f5 05
0128: 19 04 b0 06 82 02 01 07 08 08 18 80 09 82 63 6e
0144: 66 63 63 75 73 62 0a 82 a2 63 61 6c 67 26 64 74
0160: 79 70 65 6a 70 75 62 6c 69 63 2d 6b 65 79 a2 63
0176: 61 6c 67 27 64 74 79 70 65 6a 70 75 62 6c 69 63
0192: 2d 6b 65 79 0d 04 0e 1a 00 05 04 03
version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE
extension strings: credProtect, hmac-secret
transport strings: nfc, usb
algorithms: es256 (public-key), eddsa (public-key)
aaguid: 2fc0579f811347eab116bb5a8db9202a
options: rk, up, noplat, clientPin, credentialMgmtPreview
fwversion: 0x50403
maxmsgsiz: 1200
maxcredcntlst: 8
maxcredlen: 128
maxlargeblob: 0
minpinlen: 4
pin protocols: 2, 1
fido_tx: dev=0x55e596caa2a0, cmd=0x10
fido_tx: buf=0x55e596caaed0, len=6
0000: 06 a2 01 01 02 01
fido_rx: dev=0x55e596caa2a0, cmd=0x10, ms=-1
rx_preamble: buf=0x7fff26b829e0, len=64
0000: 21 33 e1 b9 90 00 04 00 a1 03 05 00 00 00 00 00
0016: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
rx: payload_len=4
fido_rx: buf=0x55e596caa4f0, len=4
0000: 00 a1 03 05
pin retries: 5
pin change required: false
fido_tx: dev=0x55e596caa2a0, cmd=0x10
fido_tx: buf=0x55e596caaed0, len=6
0000: 06 a2 01 01 02 07
fido_rx: dev=0x55e596caa2a0, cmd=0x10, ms=-1
rx_preamble: buf=0x7fff26b829e0, len=64
0000: 21 33 e1 b9 90 00 01 33 00 00 00 00 00 00 00 00
0016: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
rx: payload_len=1
fido_rx: buf=0x55e596caa4f0, len=1
0000: 33
cbor_parse_reply: blob[0]=0x33
fido_dev_get_uv_retry_count_rx: parse_uv_retry_count
uv retries: undefined
fido_tx: dev=0x55e596caa2a0, cmd=0x10
fido_tx: buf=0x55e596caaed0, len=6
0000: 40 a2 01 01 02 07
fido_rx: dev=0x55e596caa2a0, cmd=0x10, ms=-1
rx_preamble: buf=0x7fff26b829c0, len=64
0000: 21 33 e1 b9 90 00 01 01 00 00 00 00 00 00 00 00
0016: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
rx: payload_len=1
fido_rx: buf=0x55e596caa4f0, len=1
0000: 01
cbor_parse_reply: blob[0]=0x01
bio_rx_info: bio_parse_info
bio_get_info_wait: tx/rx

micah commented 1 year ago

I used the yubikey-manager, went into the FIDO2 settings and reset FIDO2, and now I'm able to generate the key.
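Decoding the replies captured in the FIDO_DEBUG dump above, as an added example that is neither libfido2's nor the reporter's code. It recovers the 204-byte getInfo payload, the `00 a1 03 05` getPINRetries reply and the bare `33` getUVRetries status from the `fido_rx` hex lines, parses them with a minimal CBOR decoder (only the subset CTAP2 uses: integers, byte/text strings, arrays, maps, booleans), and maps the COSE algorithm identifiers to the ssh-keygen key types OpenSSH builds on them (ES256, -7, for ecdsa-sk; EdDSA, -8, for ed25519-sk). The getInfo key names and the status-code names are taken from the CTAP 2.1 specification; the hex dumps are copied from the report and everything else is local to this example. Run against the report's bytes it confirms what `fido2-token -I` printed: the key advertised eddsa, so the enrollment failure was not a missing algorithm, and `uv retries: undefined` comes from the authenticator answering the getUVRetries subcommand with a CTAP2_ERR_PIN_AUTH_INVALID (0x33) status instead of a CBOR map.

```python
# Added example, not libfido2 code: decode the CTAP2 replies captured in the
# FIDO_DEBUG dump above. The hex blocks are copied from the report; the CBOR
# decoder covers only the subset CTAP2 uses (ints, strings, arrays, maps, bools).

GETINFO_DUMP = """
0000: 00 ac 01 83 66 55 32 46 5f 56 32 68 46 49 44 4f
0016: 5f 32 5f 30 6c 46 49 44 4f 5f 32 5f 31 5f 50 52
0032: 45 02 82 6b 63 72 65 64 50 72 6f 74 65 63 74 6b
0048: 68 6d 61 63 2d 73 65 63 72 65 74 03 50 2f c0 57
0064: 9f 81 13 47 ea b1 16 bb 5a 8d b9 20 2a 04 a5 62
0080: 72 6b f5 62 75 70 f5 64 70 6c 61 74 f4 69 63 6c
0096: 69 65 6e 74 50 69 6e f5 75 63 72 65 64 65 6e 74
0112: 69 61 6c 4d 67 6d 74 50 72 65 76 69 65 77 f5 05
0128: 19 04 b0 06 82 02 01 07 08 08 18 80 09 82 63 6e
0144: 66 63 63 75 73 62 0a 82 a2 63 61 6c 67 26 64 74
0160: 79 70 65 6a 70 75 62 6c 69 63 2d 6b 65 79 a2 63
0176: 61 6c 67 27 64 74 79 70 65 6a 70 75 62 6c 69 63
0192: 2d 6b 65 79 0d 04 0e 1a 00 05 04 03
"""
PIN_RETRIES_DUMP = "0000: 00 a1 03 05"  # reply to clientPIN subcommand 0x01 (getPINRetries)
UV_RETRIES_DUMP = "0000: 33"            # reply to clientPIN subcommand 0x07 (getUVRetries)

# authenticatorGetInfo map keys and the status codes seen in the dump (CTAP 2.1 spec).
GETINFO_KEYS = {1: "versions", 2: "extensions", 3: "aaguid", 4: "options",
                5: "maxMsgSize", 6: "pinUvAuthProtocols", 7: "maxCredentialCountInList",
                8: "maxCredentialIdLength", 9: "transports", 10: "algorithms",
                11: "maxSerializedLargeBlobArray", 13: "minPINLength", 14: "firmwareVersion"}
CTAP_STATUS = {0x00: "CTAP1_ERR_SUCCESS", 0x01: "CTAP1_ERR_INVALID_COMMAND", 0x33: "CTAP2_ERR_PIN_AUTH_INVALID"}
# COSE algorithm id -> the ssh-keygen -t ...-sk type OpenSSH builds on it.
SK_KEY_TYPES = {-7: "ecdsa-sk", -8: "ed25519-sk"}

def hexdump_to_bytes(dump):
    """Turn libfido2's 'offset: xx xx ...' FIDO_DEBUG lines back into bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, hexpart = line.partition(":")
        out.extend(int(h, 16) for h in hexpart.split())
    return bytes(out)

def _decode(buf, pos):
    """Decode one CBOR item at buf[pos]; return (value, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info <= 27:                          # 1/2/4/8-byte argument follows
        width = 1 << (info - 24)
        arg = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    else:
        raise ValueError(f"unsupported additional info {info}")
    if major in (0, 1):                       # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):                       # byte string / UTF-8 text string
        chunk = bytes(buf[pos:pos + arg])
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = _decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = _decode(buf, pos)
            value, pos = _decode(buf, pos)
            result[key] = value
        return result, pos
    if major == 7 and arg in (20, 21):        # false / true
        return arg == 21, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def parse_ctap_reply(payload):
    """Split a CTAPHID_CBOR reply into (status name, decoded body or None)."""
    status = payload[0]
    name = CTAP_STATUS.get(status, f"0x{status:02x}")
    if status != 0x00 or len(payload) == 1:
        return name, None
    body, end = _decode(payload, 1)
    if end != len(payload):
        raise ValueError("trailing bytes after CBOR body")
    return name, body

def parse_getinfo(dump):
    """Decode a getInfo reply and name its integer keys."""
    status, body = parse_ctap_reply(hexdump_to_bytes(dump))
    if body is None:
        raise RuntimeError(f"getInfo failed: {status}")
    return {GETINFO_KEYS.get(k, k): v for k, v in body.items()}

def sk_key_types(info):
    """Which ssh-keygen -t ...-sk types this authenticator can back."""
    if "algorithms" not in info:              # spec default when the field is absent
        return ["ecdsa-sk"]
    algs = [a["alg"] for a in info["algorithms"] if a.get("type") == "public-key"]
    return [t for alg, t in SK_KEY_TYPES.items() if alg in algs]

def retries(dump, key):
    """(status, pinRetries [key 3] or uvRetries [key 5]) from a clientPIN reply."""
    status, body = parse_ctap_reply(hexdump_to_bytes(dump))
    return status, (body.get(key) if body is not None else None)
```

`parse_getinfo(GETINFO_DUMP)` returns the same fields `fido2-token -I` prints, with `algorithms` as `[{"alg": -7, "type": "public-key"}, {"alg": -8, "type": "public-key"}]`, and `sk_key_types()` turns that into `["ecdsa-sk", "ed25519-sk"]`. `hexdump_to_bytes()` accepts any `fido_rx: buf=... len=N` block pasted from a FIDO_DEBUG trace, which is quicker than reading the CBOR by hand when an application reports a generic error such as "invalid format".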