Closed VedaviBalaji closed 5 months ago
Hi,
Please see the YubiKey FIPS 4-series technical manual, section 2.5 U2F. The device must have a PIN set, through a proprietary instruction, and then unlocked by the user (once per power-up). That functionality is available in ykman
. After unlocking, you should be able to communicate with the device without problem using libfido2.
From what I read, looks like we need to unlock the device only for registration. We can still use authentication in "locked" state (which is what I mostly need). But when there are multiple keys, we need to perform begin_touch
which internally seems to perform a dummy registration, which is not accepted by FIPS without unlocking, so my device selection does not work. This means to authenticate I can have only one FIPS device connected to the system.
Let me know if this is right.
Also, if sometimes, I am unable to open the device, when only FIPS key is connected to the machine. Fails with
fido_hid_open: IOHIDDeviceOpen
fido_dev_open_tx: dev->io.open
But, if multiple keys are present, it opens fine, but touch fails due to dummy registration. Can we replace registration with auth cmd? I can try it out locally, but what are your thoughts?
From what I read, looks like we need to unlock the device only for registration
Yes, that is correct.
But when there are multiple keys, we need to perform begin_touch which internally seems to perform a dummy registration, which is not accepted by FIPS without unlocking, so my device selection does not work.
Unfortunately, yes, fido_dev_get_touch_begin()
will not work if the FIPS device is not unlocked.
This means to authenticate I can have only one FIPS device connected to the system.
Since the device speaks U2F, you could also silently probe the device(s) using a "pre-flight" assertion to determine if it holds the credential you're trying to authenticate with.
Also, if sometimes, I am unable to open the device, when only FIPS key is connected to the machine.
I have not seen this before and we'd probably need more information to debug it. Does it happen under any particular circumstance? It would be nice to see what IOHIDDeviceOpen returns when it fails. The patch below should log the result if you're interested in helping out:
diff --git a/src/hid_osx.c b/src/hid_osx.c
index 41e9d171..60064951 100644
--- a/src/hid_osx.c
+++ b/src/hid_osx.c
@@ -395,6 +395,7 @@ get_ioreg_entry(const char *path)
void *
fido_hid_open(const char *path)
{
+ IOReturn ostatus;
struct hid_osx *ctx;
io_registry_entry_t entry = MACH_PORT_NULL;
char loop_id[32];
@@ -448,9 +449,9 @@ fido_hid_open(const char *path)
goto fail;
}
- if (IOHIDDeviceOpen(ctx->ref,
- kIOHIDOptionsTypeSeizeDevice) != kIOReturnSuccess) {
- fido_log_debug("%s: IOHIDDeviceOpen", __func__);
+ if ((ostatus = IOHIDDeviceOpen(ctx->ref,
+ kIOHIDOptionsTypeSeizeDevice)) != kIOReturnSuccess) {
+ fido_log_debug("%s: IOHIDDeviceOpen: %d", __func__, ostatus);
goto fail;
}
Can we replace registration with auth cmd? I can try it out locally, but what are your thoughts?
Are you referring to replacing the mechanism for how fido_dev_get_touch_*()
work? No, if you were to send an authenticate command instead, the device would return an error immediately instead of waiting for touch.
Closing this for now. Feel free to re-open if this is still an issue.
What version of libfido2 are you using? 1.14.0
What operating system are you running? macOS
What application are you using in conjunction with libfido2? Rust
How does the problem manifest itself? Always
Does the problem happen with different authenticators? Only on FIPS
I have couple of things happening. Sometimes, the device does not open. (\ are custom application logs)
Sometimes it opens but unable to get touch status Fails with
0x63c0
Does libfido2 work with FIPS key for macOS? I have 2 devices connected, one is FIPS (that doesn't work) and the other is FIDO2 device (works as expected).