token2 / fido2-manage

This library is partially forked from libfido2 to provide a FIDO2.1 key management tool (with a GUI) under the Linux platform

listing resident keys fails #12

Open leapfog opened 1 month ago

leapfog commented 1 month ago

I'm testing with an Authenton#1 key, trying to manage resident keys/passkeys.

```
$ bash ./fido2-manage.sh -residentKeys -device 1 -domain passkey.org
```

shows that there is a passkey for passkey.org, but the command

```
$ bash ./fido2-manage.sh -residentKeys -device 1
```

fails listing any relying parties with:

```
fido2-token2: fido_credman_get_dev_rp: FIDO_ERR_MISSING_PARAMETER
```

token2 commented 1 month ago

Hello. We tested with our keys and cannot replicate the issue:

```
-residentKeys -device 1

00: 5Yaf4EYzO6ALp/K7s+p+BQLPSCYVYcKLZptoXwxqQzs= passkey.org
01: NWye1KCTIblpXx6vkYID8bVfaJ2mH7yWGEwVfdpoDIE= login.microsoft.com
```

We are not familiar with that brand. Can you issue the -info -device 1 command and show the output?

leapfog commented 1 month ago

```
$ bash ./fido2-manage.sh -list
Device [1] : authenton authenton#1- CTAP2.1
$ bash ./fido2-manage.sh -info -device 1
[Info] Device 1 Information:
proto: 0x02
major: 0x00
minor: 0x00
build: 0x01
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0, FIDO_2_1
extension strings: credBlob, credProtect, hmac-secret, largeBlobKey, minPinLength
aaguid: b267239b954f4041a01bee4f33c145b6
options: noep, rk, up, noalwaysUv, credMgmt, authnrCfg, clientPin, largeBlobs, setMinPINLength
fwversion: 0x0
maxmsgsiz: 1200
maxcredcntlst: 0
maxcredlen: 0
maxcredblob: 32
maxlargeblob: 1024
maxrpids in minpinlen: 8
minpinlen: 4
pin protocols: 1, 2
pin retries: 8
pin change required: false
uv retries: undefined
```
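The -info output above advertises everything that resident-key enumeration depends on (FIDO_2_1, credMgmt, rk, clientPin), which is what makes the later listing failure notable. As an added diagnostic that is not part of fido2-manage or libfido2, the script below parses this key: value layout and reports whether a device claims those capabilities; the sample input is constructed from the output quoted above, and the "no" prefix convention for disabled options is assumed from how libfido2 prints them.

```python
# Added diagnostic (not part of fido2-manage or libfido2): parse the
# "key: value" layout printed by fido2-manage -info / fido2-token -I and
# report whether the authenticator advertises what credential-management
# enumeration relies on. Sample input is constructed from the thread.
SAMPLE_INFO = """\
[Info] Device 1 Information:
proto: 0x02
version strings: U2F_V2, FIDO_2_0, FIDO_2_1
extension strings: credBlob, credProtect, hmac-secret, largeBlobKey, minPinLength
options: noep, rk, up, noalwaysUv, credMgmt, authnrCfg, clientPin, largeBlobs, setMinPINLength
pin protocols: 1, 2
pin retries: 8
"""


def parse_info(text):
    """Map each 'key: a, b, c' line to key -> [a, b, c]; skip the banner line."""
    info = {}
    for line in text.splitlines():
        if line.startswith("[") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return info


def parse_options(names):
    """A disabled option is printed with a leading 'no' (noep, noalwaysUv).
    Assumption: no CTAP option name itself begins with 'no'."""
    return {(n[2:] if n.startswith("no") else n): not n.startswith("no") for n in names}


def credman_readiness(text):
    """Return the advertised facts that decide whether enumeration should work."""
    info = parse_info(text)
    opts = parse_options(info.get("options", []))
    versions = set(info.get("version strings", []))
    return {
        "fido_2_1": "FIDO_2_1" in versions,
        "credMgmt": opts.get("credMgmt", False),
        "rk": opts.get("rk", False),
        "clientPin": opts.get("clientPin", False),
    }


def should_enumerate(text):
    """True when every prerequisite is advertised; a listing failure on such a
    device points at the firmware's credman implementation, not a missing option."""
    return all(credman_readiness(text).values())
```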

leapfog commented 1 month ago

I successfully use libfido2 to list/manage resident keys on my Yubikey, but I cannot list them on the Authenton key:

```
$ fido2-token -L -r /dev/hidraw1
Enter PIN for /dev/hidraw1: 
fido2-token: fido_credman_get_dev_rp: FIDO_ERR_INVALID_CBOR
```

So I asked Authenton support, and they replied that they do not yet offer (Linux) software to manage their keys and pointed to your repo as a workaround. As your software can't list resident keys either, it seems the issue might be with their firmware.

In that case this issue could be closed/removed.

token2 commented 1 month ago

That is very strange, as it lists as FIDO_2_1, which means passkeys are supported. Are they FIDO-certified?

leapfog commented 1 month ago

https://authenton.com/authentons-fido-certifications-.html

token2 commented 1 month ago

> https://authenton.com/authentons-fido-certifications-.html

Thanks. Just to make sure the issue is not with libfido2, are you able to manage passkeys using the Chromium tools? https://www.token2.com/site/page/managing-t2f2-fido2-keys-under-macos-or-linux

leapfog commented 1 month ago

Chromium tools are also unable to manage the Authenton's passkeys.

So Authenton seems to support creating and using passkeys, but does not support listing existing passkeys.

token2 commented 1 month ago

> Chromium tools are also unable to manage the Authenton's passkeys.
>
> So Authenton seems to support creating and using passkeys, but does not support listing existing passkeys.

So this means that their firmware is actually FIDO2.0, but they somehow got certified as 2.1.FINAL.

leapfog commented 1 month ago

Asking the stick for details, FIDO_2_1 is mentioned. -> I just asked (them) for a firmware upgrade.