Closed Sai-Anudeep47 closed 1 year ago
The issue was resolved by ensuring the device certificate chain created during DI passed Java PKIX. This issue can be closed.
Observing an error for a Client implemented in C, "Error decoding leaf certificate. x509: failed to unmarshal elliptic curve point". This is related to https://go-review.googlesource.com/c/go/+/1883
@Sai-Anudeep47 is this issue related to voucher decoding using RSA2048?
@herrjemand This is observed for ECDSA256 and ECDSA384 when using an FDO client that is implemented in C. The logs attached above that include csdk in the log name show this.
2023/05/15 11:51:16 ProveToRV32: Error verifying ProveToRV32 signature. Error verifying certificate chain! x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "FdoEntity")
Seems like your certificate PKI chain is bad. Check that you have correct BasicConstraints flags.
failed to unmarshal elliptic curve point
Again. Bad certificate
@Sai-Anudeep47, Yuriy is saying that your root certificate is not really a root certificate, because it is missing some X.509 certificate options for a root. His code is probably checking for specific root flags in the certificate, rather than just accepting any self-signed certificate as the root. Please double-check.
Check that you have correct BasicConstraints flags.
@GeofCooper
We accept any valid PKI. Self-signed or not.
But it has to follow rules and standards.
@Sai-Anudeep47 see https://knowledge.digicert.com/solution/SO16297.html
To clarify, we have 2 errors from the tool --
"Error verifying certificate chain! x509: certificate signed by unknown authority" for a client implemented in JAVA
This issue is resolved. We agree with Yuriy's assessment.
"Error decoding leaf certificate. x509: failed to unmarshal elliptic curve point" for a client implemented in C.
This issue is unresolved -- we are using standard OpenSSL calls, and somehow the Go code is getting an error.
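The two errors in this thread are both produced by Go's crypto/x509 package, which the conformance server is built on. The following Go program is an added example, not code from the FDO project or the conformance server, that reproduces both failure modes against constructed certificates: a self-signed root without BasicConstraints CA:TRUE and keyCertSign yields the "parent certificate cannot sign this kind of certificate" hint seen in the Java-client log, and a SubjectPublicKeyInfo whose EC point is in compressed form (0x02/0x03 prefix) yields "failed to unmarshal elliptic curve point", because crypto/x509 only accepts the uncompressed 0x04 encoding. All names (Constructed Root, Constructed Device) and the helper functions are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// buildChain creates a constructed two-certificate chain: a self-signed root and a
// device (leaf) certificate signed by it. With rootIsCA=true the root carries
// BasicConstraints CA:TRUE and keyUsage keyCertSign, as RFC 5280 requires of a
// signer; with rootIsCA=false it is a plain self-signed end-entity certificate.
func buildChain(rootIsCA bool) (root, leaf *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Root"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: rootIsCA, // emit the BasicConstraints extension only for the CA case
		IsCA:                  rootIsCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if rootIsCA {
		rootTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	root, err = x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Constructed Device"}, // constructed name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return root, leaf, err
}

// verifyChain performs the same path validation crypto/x509 does for the
// server: the root is placed in the trusted pool and the leaf is verified.
func verifyChain(root, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// subjectPublicKeyInfo mirrors the RFC 5280 SubjectPublicKeyInfo SEQUENCE.
type subjectPublicKeyInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	PublicKey asn1.BitString
}

// compressedSPKI re-encodes an EC public key using the compressed point form
// (0x02/0x03 || X) inside an otherwise identical SubjectPublicKeyInfo.
func compressedSPKI(pub *ecdsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub) // Go always emits the uncompressed form
	if err != nil {
		return nil, err
	}
	var info subjectPublicKeyInfo
	if _, err := asn1.Unmarshal(der, &info); err != nil {
		return nil, err
	}
	point := elliptic.MarshalCompressed(pub.Curve, pub.X, pub.Y)
	info.PublicKey = asn1.BitString{Bytes: point, BitLength: 8 * len(point)}
	return asn1.Marshal(info)
}

// pointParseError returns the crypto/x509 error text for a SubjectPublicKeyInfo,
// or "" when it parses cleanly.
func pointParseError(spkiDER []byte) string {
	if _, err := x509.ParsePKIXPublicKey(spkiDER); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	for _, rootIsCA := range []bool{true, false} {
		root, leaf, err := buildChain(rootIsCA)
		if err != nil {
			panic(err)
		}
		fmt.Printf("root CA:TRUE=%v -> verify error: %v\n", rootIsCA, verifyChain(root, leaf))
		if rootIsCA {
			fmt.Printf("uncompressed SPKI -> %q\n", pointParseError(leaf.RawSubjectPublicKeyInfo))
			bad, _ := compressedSPKI(leaf.PublicKey.(*ecdsa.PublicKey))
			fmt.Printf("compressed SPKI   -> %q\n", pointParseError(bad))
		}
	}
}
```

For the C-client case this suggests one concrete thing to check in the device certificate rather than in the Go code: dump the leaf with `openssl x509 -text -noout` and confirm the `pub:` bytes of the EC public key start with `04` (uncompressed). OpenSSL emits that form by default, so a compressed point usually means a conversion-form setting was changed somewhere in the DI tooling.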
Hi @herrjemand
After building and starting the FIDO Conformance Server in onprem mode, the server returns the following errors when trying to verify the device signature during message 32 in TO1, for different clients.
This is observed for both attestation types of ECDSA256 and ECDSA384.
Logs and vouchers for these errors are attached, from both the FIDO Conformance Server and the FDO clients.
csdk_client_to1_msg32_fail_logs.txt fdo_conformance_server_csdk_client_to1_msg32_fail_logs.txt fdo_conformance_server_java_client_to1_msg32_fail_logs.txt java_client_to1_msg32_fail_logs.txt csdk_interop_voucher_256.txt csdk_interop_voucher_384.txt java_client_interop_voucher_256.txt java_client_interop_voucher_384.txt