Yubico / u2fval

Python based U2F Validation Server
https://developers.yubico.com/u2fval/
BSD 2-Clause "Simplified" License

Issuer is 'U2F Issuer' and not 'Yubico U2F Root CA Serial 457200631' #38

Open hudecof opened 6 years ago

hudecof commented 6 years ago

Hi,

I own Yubico 4 key.

When trying to set up a small web based application I got a BadInputException: (u'Device attestation not trusted', None) exception.

My stack is

Package       Version
------------- ---------
certifi       2018.4.16
chardet       3.0.4
Flask         0.10.1
idna          2.7
itsdangerous  0.24
Jinja2        2.10
MarkupSafe    1.0
pip           10.0.1
pkg-resources 0.0.0
requests      2.19.1
setuptools    39.2.0
u2fval-client 2.0.0
urllib3       1.23
Werkzeug      0.14.1
wheel         0.31.1

I took https://github.com/dainnilsson/flask-u2f-tutorial as a base and am trying to update it to work with the 2.0.0 version of the libraries. As the newer JS API library I took the one from https://demo.yubico.com/js/u2f-api.js

If I turn off the attestation the registration works as expected.

As backend I have the u2fval server. This server works fine with the OpenVPN setup and Viscosity as described on https://www.sparklabs.com/support/kb/article/yubikey-u2f-two-factor-authentication-with-openvpn-and-viscosity/

This key is working as expected on https://demo.yubico.com/u2f

hudecof commented 6 years ago

I ran the https://github.com/Yubico/java-u2flib-server/tree/master/u2flib-server-demo; the issuer is the same, see the result from the app:

Successfully registered device:

No vendor metadata present!

No device metadata present!

Device transports: USB

Registration data

 DeviceRegistration{Key handle=tl5xG4Zm6gaWRBV8jTHbHTRECbK7PXa6gm-fT294o51Y2MGI5n-G-dJsSl7LUE2jlnx0XYPA2Y5zIHdc0cI0xA, Public key=BAS2kF72HFampnPLLTeGhgW4P2dK4X0FrmtVd9wdPSFWmNkUF-4cbZxGroY5Z0-K0PgOMFFdRvU9dVL_-ItOvDo, Counter=-1, Attestation certificate=  [0]         Version: 3
         SerialNumber: 67203475762598045232052
             IssuerDN: CN=U2F Issuer
           Start Date: Sat Jan 01 01:00:00 CET 2000
           Final Date: Sat Jan 01 01:00:00 CET 2000
            SubjectDN: CN=U2F Device
           Public Key: EC Public Key
            X: 96074e1bdd6ad22d4187528a4389cab0f6ad2795b91eab2ad4608347ca665da1
            Y: bfb761569631a78f529baa559439b6fb208cb978464818e1dcbed6cc6efbf0b

  Signature Algorithm: SHA256WITHECDSA
            Signature: 3045022100c1a3a68e2f16a7214627057f62bb72
                       8c9e03e7a1ba62d046524e456d2c2f3f7302200b
                       5f78e511aa18129f6f236d9213227d92b4e67edf
                       53e816dfb05d9dc8b90fde
       Extensions: 
                       critical(false) 1.3.6.1.4.1.45724.2.1.1 value = DER Bit String[1, 5] 

} 
dainnilsson commented 6 years ago

There was a recent change in Chrome which changed the behavior of the browser for U2F registrations in the handling of attestation. This is described in detail here: https://www.chromium.org/security-keys

In short, for Chrome 66 and later, you need to add a parameter to the registrationRequests passed to u2f.register(), to add the attestation: "direct" field to get the same behavior as in Chrome <66.
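
An added example, not code from u2fval or from this issue, showing both halves of the point above: the client-side registerRequests with the attestation: "direct" field that Chrome 66+ needs, and a server-side check that tells Chrome's substituted "CN=U2F Issuer" certificate from a vendor attestation certificate by walking the DER of the cert embedded in registrationData. The only thing assumed from the real world is the u2f-api.js signature u2f.register(appId, registerRequests, registeredKeys, callback); the DER walker, the helper names and the sample registration data are ours, and the sample certificate is a constructed cut-down skeleton, not a real or valid certificate.

```javascript
'use strict';

// Client side: build the registerRequests handed to u2f.register().
function buildRegisterRequests(challenge, { direct = true } = {}) {
  const req = { version: 'U2F_V2', challenge };
  // Chrome 66+ replaces the vendor attestation cert with a freshly generated
  // self-signed one (issuer "U2F Issuer") unless the site asks for "direct".
  if (direct) req.attestation = 'direct';
  return [req];
}

// Promise wrapper; u2fApi is injected so a stand-in can be used outside a browser.
function registerWithAttestation(u2fApi, appId, challenge, registeredKeys = []) {
  return new Promise((resolve, reject) => {
    u2fApi.register(appId, buildRegisterRequests(challenge), registeredKeys, (resp) => {
      if (resp.errorCode) return reject(new Error('U2F error code ' + resp.errorCode));
      resolve(resp); // resp.registrationData is websafe base64
    });
  });
}

// Server side: minimal DER TLV reader, returns tag and content [start, end).
function readTlv(buf, off) {
  const tag = buf[off];
  let len = buf[off + 1];
  let hdr = 2;
  if (len & 0x80) {            // long-form length
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[off + 2 + i];
    hdr += n;
  }
  return { tag, start: off + hdr, end: off + hdr + len };
}

// Raw U2F registration response: 0x05 | pubkey(65) | khLen(1) | keyHandle | cert DER | signature
function splitRegistrationData(regData) {
  if (regData[0] !== 0x05) throw new Error('bad reserved byte');
  const certOff = 67 + regData[66];
  const cert = readTlv(regData, certOff);
  return {
    pubKey: regData.subarray(1, 66),
    keyHandle: regData.subarray(67, certOff),
    certDer: regData.subarray(certOff, cert.end),
    signature: regData.subarray(cert.end),
  };
}

// Certificate -> tbsCertificate -> [version] -> serial -> sigAlg -> issuer Name;
// returns the first commonName (OID 2.5.4.3) in the issuer, or null.
function issuerCommonName(certDer) {
  const cert = readTlv(certDer, 0);
  const tbs = readTlv(certDer, cert.start);
  let t = readTlv(certDer, tbs.start);
  if (t.tag === 0xa0) t = readTlv(certDer, t.end); // skip optional version [0]
  const sigAlg = readTlv(certDer, t.end);           // t was serialNumber
  const issuer = readTlv(certDer, sigAlg.end);
  for (let p = issuer.start; p < issuer.end; ) {
    const rdn = readTlv(certDer, p);                // SET of AttributeTypeAndValue
    for (let q = rdn.start; q < rdn.end; ) {
      const atv = readTlv(certDer, q);              // SEQUENCE { OID, value }
      const oid = readTlv(certDer, atv.start);
      const o = certDer.subarray(oid.start, oid.end);
      if (o.length === 3 && o[0] === 0x55 && o[1] === 0x04 && o[2] === 0x03) {
        const v = readTlv(certDer, oid.end);        // PrintableString or UTF8String
        return Buffer.from(certDer.subarray(v.start, v.end)).toString('utf8');
      }
      q = atv.end;
    }
    p = rdn.end;
  }
  return null;
}

// True when the browser handed us the anonymizing stand-in instead of the vendor cert.
function attestationIsAnonymized(registrationDataB64) {
  const raw = Buffer.from(registrationDataB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
  return issuerCommonName(splitRegistrationData(raw).certDer) === 'U2F Issuer';
}

// Constructed sample data so the above runs offline (lengths < 256 only).
function der(tag, ...parts) {
  const body = Buffer.concat(parts.map((p) => Buffer.from(p)));
  const len = body.length < 0x80 ? [body.length] : [0x81, body.length];
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
}

// Cut-down certificate skeleton with just the fields the walker reads; not a
// valid certificate and not signed.
function makeSampleRegistrationData(issuerCn) {
  const name = (cn) => der(0x30, der(0x31, der(0x30,
    der(0x06, [0x55, 0x04, 0x03]), der(0x0c, Buffer.from(cn, 'utf8')))));
  const ecdsaSha256 = der(0x30, der(0x06, [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02]));
  const utcTime = der(0x17, Buffer.from('000101000000Z'));
  const tbs = der(0x30, der(0xa0, der(0x02, [0x02])), der(0x02, [0x01]), ecdsaSha256,
    name(issuerCn), der(0x30, utcTime, utcTime), name('U2F Device'));
  const cert = der(0x30, tbs, ecdsaSha256, der(0x03, [0x00, 0x01, 0x02]));
  const keyHandle = Buffer.alloc(32, 0xab);
  return Buffer.concat([Buffer.from([0x05]), Buffer.alloc(65, 0x04),
    Buffer.from([keyHandle.length]), keyHandle, cert, Buffer.alloc(70, 0x30)]);
}
```

On the server, a registration whose attestation issuer is "U2F Issuer" is exactly the case u2fval rejects with "Device attestation not trusted": the certificate chains to nothing, so the fix is on the client (request direct attestation), not in the server's trust store.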

hudecof commented 6 years ago

@dainnilsson I saw this attribute on the demo page. I will try it and let you know.

hudecof commented 6 years ago

It works, thanks :)

hudecof commented 6 years ago

@dainnilsson there is no note about the attestation attribute in the API doc https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html#idl-def-RegisterRequest

dainnilsson commented 6 years ago

Yeah, that's right. I don't believe this is part of the "official" api, rather something specific to Chrome.