search

jocover / esp32_u2f

Create a FIDO2/U2F token using ESP32
GNU General Public License v3.0
95 stars 18 forks source link

Yubico Demo website throws "Attestation certificate must use version 3!" error #2

Open Kalrkloss opened 9 months ago

Kalrkloss commented 9 months ago

Used Chip: ESP32-S3 Board: Seeed Studio XIAO ESP32S3 OS: Windows 10 Enterprise 22H2 Browser: Google Chrome Version 121.0.6167.185

jocover commented 9 months ago

1.create v3.ext file look like this

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

2.modify 12 line code add -extfile v3.ext command https://github.com/jocover/esp32_u2f/blob/main/main/cert/u2f_genkeys.sh#L12

openssl x509 -req -in esp32cert.req -signkey esp32key.pem -days 3650 -out esp32cert.pem -extfile v3.ext

3.use the new certificate to package the firmware

my project uses opensk certificate by default usually, the attestation private key is shared between a batch of at least 100,000 security keys of the same model. if you build your own certificate, your private key is unique to you. This makes you identifiable across registrations: Two websites could collaborate to track if registrations were attested with the same key material.

Kalrkloss commented 9 months ago

Makes sense. Thanks for the explanation. BTW: Do you use the ESP32's flash encryption?

jocover commented 9 months ago

you can use espressif secure boot and flash encryption solutions, or use esp_secure_cert_mgr to manage certificates and keys, use the derived key generation algorithm based on esp_hmac but these will burn efuse, so my open source project did not add these codes

GenkaOk commented 9 months ago

1.create v3.ext file look like this

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

2.modify 12 line code add -extfile v3.ext command https://github.com/jocover/esp32_u2f/blob/main/main/cert/u2f_genkeys.sh#L12

openssl x509 -req -in esp32cert.req -signkey esp32key.pem -days 3650 -out esp32cert.pem -extfile v3.ext

3.use the new certificate to package the firmware

my project uses opensk certificate by default usually, the attestation private key is shared between a batch of at least 100,000 security keys of the same model. if you build your own certificate, your private key is unique to you. This makes you identifiable across registrations: Two websites could collaborate to track if registrations were attested with the same key material.

I generate certificates, but sites already display error "Attestation certificate must use version 3!"

jocover commented 9 months ago 
#!/bin/bash
set -e

if [ \! -e esp32key.pem ]; then
    openssl ecparam -genkey -out esp32key.pem -name prime256v1
fi

openssl ec -in esp32key.pem -outform DER -no_public | tail -c +8 | head -c 32  > u2f_cert_key.bin

openssl req -new -key esp32key.pem -out esp32cert.req -subj "/C=US/O=TEST/OU=Authenticator Attestation/CN=ESP32 U2F"
openssl x509 -req -in esp32cert.req -signkey esp32key.pem -days 3650 -out esp32cert.pem -extfile v3.ext
openssl x509 -in esp32cert.pem -outform der -out u2f_cert.bin

rm esp32cert.req esp32cert.pem

I use this script to generate certificate and private key, which can pass the test on the yubico demo website