keys-pub / go-libfido2

libfido2 bindings for golang
https://keys.pub

HyperFIDO Pro Mini failed to get assertion: unsupported option #24

Closed rgl closed 3 years ago

rgl commented 3 years ago

I'm trying a HyperFIDO Pro Mini authenticator (amazon buy link) with a slightly modified ExampleDevice_Assertion code from https://github.com/keys-pub/go-libfido2/blob/51981ad278cd016feb4ff07c5af2512f2d92105a/examples_test.go#L103-L177 and it's failing with a "get assertion: unsupported option" error after I press the authenticator button.

Please note that I'm using the new version of the HyperFIDO Pro Mini authenticator (which is supposed to support FIDO2/CTAP2).

Please note that I've disabled the pin (set it to an empty string) because this authenticator has the {Name:clientPin Value:false} option; the entire code is at https://github.com/rgl/go-libfido2-example/blob/master/main.go.

This is the example output:

2021/02/25 21:23:14 [DEBG] Finding devices...
2021/02/25 21:23:14 &{Path:/dev/hidraw1 ProductID:2132 VendorID:11471 Manufacturer:HS Product:HyperFIDO}
2021/02/25 21:23:14 CTAPHIDInfo: &{Protocol:2 Major:1 Minor:0 Build:1 Flags:7}
2021/02/25 21:23:14 Info: &{Versions:[U2F_V2 FIDO_2_0 FIDO_2_1_PRE] Extensions:[credProtect hmac-secret] AAGUID:[159 119 226 121 166 226 77 88 183 0 49 229 148 60 106 152] Options:[{Name:rk Value:true} {Name:up Value:true} {Name:plat Value:false} {Name:clientPin Value:false} {Name:credentialMgmtPreview Value:true}] Protocols:[1]}
2021/02/25 21:23:14 Using device: &{Path:/dev/hidraw1 ProductID:2132 VendorID:11471 Manufacturer:HS Product:HyperFIDO}
2021/02/25 21:23:19 Attestation:
2021/02/25 21:23:19 AuthData: 58b2d489f10d4f4780fad392eb2962d065bdd3574375e80c42218dadd199ed3ffe7dc1000004d49f77e279a6e24d58b70031e5943c6a980020590571af6ecda2843f911faa011bc4cbb4bf7f09763f5693bdc357883dedde5fa5010203262001215820a28af0b77fa6c880435660cf2520f3d8d753cbea8d2a2f3932471347e7a4e96a225820f5790e555017b636afa616197147f3ef7e9711c4fdba52aaa3252dd11c409324a16b686d61632d736563726574f5
2021/02/25 21:23:19 ClientDataHash: 5795868fbf938e7bac998c6ce82754335015b1005e7cede9c19fe1009d9a4f8f
2021/02/25 21:23:19 ID: 590571af6ecda2843f911faa011bc4cbb4bf7f09763f5693bdc357883dedde5f
2021/02/25 21:23:19 Type: es256
2021/02/25 21:23:19 Sig: 3045022100ed631860ae24329f982b44ebed19e939968c0a34467ef510a2af6db2aa81ded5022035d4fcb178a01eae3cf1c0ee6819081758f58d2e83d2edf2a898513146fcd0b8
2021/02/25 21:23:19 failed to get assertion: unsupported option

Can you help me troubleshoot this? Is there something else I should try?

mskonovalov commented 3 years ago

try setting FIDO_DEBUG=1 to see debug output from native lib

rgl commented 3 years ago

Here's the output with FIDO_DEBUG=1:

debug.txt

How should I go from here?

BTW, this authenticator also had a problem and https://github.com/flynn/u2f/pull/12/commits/b785fc116b41f54e0ba4a415d972faf9150a8599 fixed it in the flynn/u2f library, maybe that's the problem here too?

mskonovalov commented 3 years ago

I would say if you have the device you are the only person to test that it works properly. Try to apply the same fix as in flynn/u2f

rgl commented 3 years ago

Thanks! I've managed to make it work. It was due to UP: libfido2.True. We cannot set that in AssertionOpts.

For future reference, I've decoded the FIDO_DEBUG=1 hexdump using the u2f library as:


package main

import (
    "encoding/hex"
    "fmt"
    "log"
    "regexp"

    "github.com/flynn/u2f/ctap2token"
    "github.com/fxamacker/cbor" // CBOR library used by flynn/u2f (import path assumed here)
)

// decodeHexDump turns a FIDO_DEBUG hexdump ("0000: 02 a5 01 ...") into raw bytes:
// the offset prefixes and all whitespace (including trailing indentation) are
// dropped before hex decoding.
func decodeHexDump(hexDump string) ([]byte, error) {
    re1 := regexp.MustCompile(`\s*([0-9a-f]{4}:)?\s*([0-9a-f]{2})\s*`)
    x := string(re1.ReplaceAll([]byte(hexDump), []byte("$2")))
    return hex.DecodeString(x)
}

func main() {
    d, err := decodeHexDump(`0000: 02 a5 01 68 6b 65 79 73 2e 70 75 62 02 58 20 3c
    0016: f0 c7 ac 51 d6 1e c9 3c b2 3f 41 ba b0 12 36 c7
    0032: 44 85 46 67 d2 1e 3d 21 34 50 21 a0 8a b6 ee 03
    0048: 81 a2 62 69 64 58 20 2d e6 a2 ef 74 9a 4b 77 e7
    0064: 10 a7 8d c3 ca b5 13 60 d0 01 40 86 9b a9 f5 04
    0080: e1 08 a3 56 33 24 e0 64 74 79 70 65 6a 70 75 62
    0096: 6c 69 63 2d 6b 65 79 04 a1 6b 68 6d 61 63 2d 73
    0112: 65 63 72 65 74 a3 01 a5 01 02 03 38 18 20 01 21
    0128: 58 20 70 7b eb d6 8f 64 6a ce 03 e0 d3 c2 65 8d
    0144: 79 e0 b5 72 f4 58 c8 29 5e 5c 5b 83 ed fc eb 5e
    0160: 87 1d 22 58 20 6a 92 e2 54 c5 54 1c be 0c 70 4d
    0176: 91 92 e0 7e af 66 ad f9 bd bf 19 7f 05 a3 a2 2e
    0192: 8b 2a f9 69 57 02 58 20 df db b2 1c c4 47 a6 0a
    0208: 63 92 67 9e 5c cd c9 1f c3 42 84 3a 4e 20 2f 74
    0224: 4c 25 a3 4e 35 2f 72 26 03 50 a9 c3 b6 9f 85 aa
    0240: 5e 0b cb 14 cb a0 df 75 8c a5 05 a2 62 75 70 f5
    0256: 62 75 76 f5
    `)
    if err != nil {
        log.Fatal(err)
    }

    fmt.Println(hex.EncodeToString(d))

    // d[0] is the CTAP command byte (0x02 = authenticatorGetAssertion); the CBOR request follows it.
    o := &ctap2token.GetAssertionRequest{}
    if err := cbor.Unmarshal(d[1:], o); err != nil {
        log.Fatal(err)
    }

    fmt.Printf("%#v\n", o)
}

gabriel commented 3 years ago

Yeah unfortunately I don't think there is a way to get a more specific error message?

rgl commented 3 years ago

Indeed, there is no apparent way to know which field is wrong, because this particular authenticator only returns:

fido_rx: buf=000000AF35BFEFE0, len=1
0000: 2b

This makes me wonder how chrome/firefox deal with this, perhaps they are adding workarounds for each vendor/product.

gabriel commented 3 years ago

Maybe we should remove that setting from the example, since I guess it should only be used to override the default device setting and might trip up other people in the future?

rgl commented 3 years ago

I think that would be a good change.

Maybe we should also check for the hmac secret support and only enable it when it's supported by the authenticator?
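An added example (not code from this issue or from go-libfido2) that ties the decoding above and the check proposed here together: a small stdlib-only CBOR reader decodes a getAssertion request of the shape seen in the FIDO_DEBUG dump (whose last bytes, 05 a2 62 75 70 f5 62 75 76 f5, are the options map {"up": true, "uv": true}), and a helper lists every option and extension name the authenticator's Info line never advertised, which is where to look first when the token answers with a bare 0x2B. The request bytes are constructed (dummy hash and credential id); the Info sets are copied from the issue.

```python
def cbor_item(b, i=0):
    """Decode one CBOR item at offset i of bytes b; returns (value, next offset).
    Covers the subset CTAP2 requests use: ints, bstr/tstr, arrays, maps, bools."""
    major, arg = b[i] >> 5, b[i] & 0x1F
    i += 1
    if 24 <= arg <= 27:  # the argument follows in 1, 2, 4 or 8 bytes
        n = 1 << (arg - 24)
        arg, i = int.from_bytes(b[i:i + n], "big"), i + n
    elif arg > 27:
        raise ValueError("unsupported additional info %d" % arg)
    if major == 0:
        return arg, i
    if major == 1:
        return -1 - arg, i
    if major in (2, 3):  # bstr / tstr
        return (b[i:i + arg] if major == 2 else b[i:i + arg].decode()), i + arg
    if major in (4, 5):  # array / map: decode arg (or 2*arg) nested items
        items = []
        for _ in range(arg * (2 if major == 5 else 1)):
            v, i = cbor_item(b, i)
            items.append(v)
        return (dict(zip(items[::2], items[1::2])) if major == 5 else items), i
    if major == 7 and arg in (20, 21):  # false / true
        return arg == 21, i
    raise ValueError("unsupported CBOR major type %d" % major)

# getInfo values copied from the "Info:" line of the issue.
INFO_OPTIONS = {"rk", "up", "plat", "clientPin", "credentialMgmtPreview"}
INFO_EXTENSIONS = {"credProtect", "hmac-secret"}

# Constructed authenticatorGetAssertion request: the 0x02 command byte, then a
# CBOR map shaped like the dumped one; hash and credential id are dummy bytes.
SAMPLE_REQUEST = (
    b"\x02\xa5"
    + b"\x01\x68keys.pub"                          # 1: rpId
    + b"\x02\x58\x20" + b"\x11" * 32               # 2: clientDataHash
    + b"\x03\x81\xa2\x62id\x58\x20" + b"\x22" * 32  # 3: allowList[0].id
    + b"\x64type\x6apublic-key"                    #    allowList[0].type
    + b"\x04\xa1\x6bhmac-secret\xa1\x01\x00"       # 4: extensions (abbreviated)
    + b"\x05\xa2\x62up\xf5\x62uv\xf5"              # 5: options {"up": true, "uv": true}
)

def unadvertised(request, info_options=INFO_OPTIONS, info_extensions=INFO_EXTENSIONS):
    """Option (key 5) and extension (key 4) names in a getAssertion request that
    getInfo never advertised: the suspects behind a bare 0x2B (unsupported option) reply."""
    if request[:1] != b"\x02":  # authenticatorGetAssertion command byte
        raise ValueError("not a getAssertion request")
    req, _ = cbor_item(request, 1)
    return sorted((set(req.get(5, {})) - info_options) | (set(req.get(4, {})) - info_extensions))
```

Running it against the real bytes from decodeHexDump works the same way; the function returns an empty list once every requested option and extension appears in the Info response.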