Yubico / yubikit-ios

Yubico Mobile iOS SDK - YubiKit
Apache License 2.0

YubiKeySessionError - code: 43 "Unsupported option" #46

Closed ChrisSchinnerl closed 4 years ago

ChrisSchinnerl commented 4 years ago

Hi, I recently started experimenting with the yubikit-ios SDK and a YubiKey 5Ci with an iPhone XS running iOS 13.4.1.

When I tried to run the following code from the documentation in the repo, I got the error mentioned in the title.

Not including YKFKeyFIDO2MakeCredentialRequestOptionUV in makeCredentialOptions fixes the problem, but setting it to either true or false causes it to show up.

```swift
// Not a resident key and no PIN required.
let makeCredentialOptions = [YKFKeyFIDO2MakeCredentialRequestOptionRK: false,
                             YKFKeyFIDO2MakeCredentialRequestOptionUV: false]
let alg = YKFFIDO2PublicKeyAlgorithmES256

guard let fido2Service = YubiKitManager.shared.accessorySession.fido2Service else {
    return
}

let makeCredentialRequest = YKFKeyFIDO2MakeCredentialRequest()

// Some example data as a hash.
let data = Data(repeating: 0, count: 32)
makeCredentialRequest.clientDataHash = data

// Set the request rp.
let rp = YKFFIDO2PublicKeyCredentialRpEntity()
rp.rpId = "yubico.com"
rp.rpName = "Yubico"
makeCredentialRequest.rp = rp

// Set the request user.
let user = YKFFIDO2PublicKeyCredentialUserEntity()
user.userId = data
user.userName = "john.smith@yubico.com"
user.userDisplayName = "John Smith"
makeCredentialRequest.user = user

// Set the request pubKeyCredParams.
let param = YKFFIDO2PublicKeyCredentialParam()
param.alg = alg
makeCredentialRequest.pubKeyCredParams = [param]

// Set the request options.
makeCredentialRequest.options = makeCredentialOptions

fido2Service.execute(makeCredentialRequest) { (response, error) in
    guard error == nil else {
        // Handle the error
        return
    }
    // Handle the response
}
```

jensutbult commented 4 years ago

YubiKey 5Ci doesn't support the user verification key, so it must not be set. We've updated the documentation and sample code to better reflect this.

jensutbult commented 4 years ago

Note that this is not the same as user verification in WebAuthn, which is supported by all YubiKeys. In the YubiKit SDK the uv parameter tells the authenticator (YubiKey) to do a PIN entry or fingerprint scan. In WebAuthn, user verification instructs the client and the authenticator to do a PIN entry. This PIN entry is then handled by the client (browser).

If you are looking to implement a WebAuthn "passwordless" user experience a good starting point is the demo app.
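An added example, not part of the issue or of the SDK's own sample code, showing one way to avoid the "Unsupported option" error described above: only include the uv option when the key's CTAP2 getInfo response advertises built-in user verification, and otherwise leave the key out of the dictionary entirely (rather than setting it to false). It assumes the SDK exposes `fido2Service.executeGetInfoRequest` with a response whose `options` property is the getInfo options map.

```swift
import YubiKit

/// Builds makeCredential options for the connected key.
/// CTAP2 getInfo semantics: an "uv" entry of true in the options map means the
/// authenticator has built-in user verification configured; false means supported
/// but not configured; a missing entry means not supported. A YubiKey 5Ci has no
/// built-in UV, so sending the uv option at all yields "Unsupported option".
func makeCredentialOptions(authenticatorOptions: [String: Any]?,
                           residentKey: Bool,
                           wantUserVerification: Bool) -> [String: Bool] {
    var options: [String: Bool] = [YKFKeyFIDO2MakeCredentialRequestOptionRK: residentKey]
    // Only ask for uv when the key reports it as configured; never send uv: false.
    if wantUserVerification, authenticatorOptions?["uv"] as? Bool == true {
        options[YKFKeyFIDO2MakeCredentialRequestOptionUV] = true
    }
    return options
}

/// Queries the key first, then issues makeCredential with the derived options.
/// Assumption: executeGetInfoRequest and response.options exist in the SDK version in use.
func createCredential(clientDataHash: Data, userId: Data) {
    guard let fido2Service = YubiKitManager.shared.accessorySession.fido2Service else { return }

    fido2Service.executeGetInfoRequest { (info, error) in
        guard error == nil, let info = info else { return }

        let request = YKFKeyFIDO2MakeCredentialRequest()
        request.clientDataHash = clientDataHash

        let rp = YKFFIDO2PublicKeyCredentialRpEntity()
        rp.rpId = "example.com"   // placeholder relying party
        rp.rpName = "Example"
        request.rp = rp

        let user = YKFFIDO2PublicKeyCredentialUserEntity()
        user.userId = userId
        user.userName = "user@example.com"   // placeholder user
        user.userDisplayName = "Example User"
        request.user = user

        let param = YKFFIDO2PublicKeyCredentialParam()
        param.alg = YKFFIDO2PublicKeyAlgorithmES256
        request.pubKeyCredParams = [param]

        request.options = makeCredentialOptions(authenticatorOptions: info.options,
                                                residentKey: false,
                                                wantUserVerification: true)

        fido2Service.execute(request) { (response, error) in
            guard error == nil, let response = response else { return }
            _ = response   // handle the attestation response here
        }
    }
}
```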