canokeys / canokey-core Goto Github PK
View Code? Open in Web Editor NEWCore implementations of an open-source secure key
Home Page: https://canokeys.org/
License: Apache License 2.0
canokey-core's People
Contributors
Stargazers
Watchers
Forkers
sztsian harriet-muggle ilyoungkim yangyouyong jiegec fossabot dramforever hexchain felixonmars jesseytang webstorage119 fidokey inksong github-qiangjian chuangzhu hko-s optdyn zenithalhourlyrate emvuys xieren58 capuanob dragocytus lbthomsen 66hh ccnano zhtweer gmh5225 agreenbhm vgiscinfosec joyqat alingooo tdautc19841202canokey-core's Issues
Inconsistent behaviour with UV=discouraged during registration and assertion
Hi there,
It was reported on kanidm/webauthn-rs#91 that the behaviour of canokeys and userverification is inconsistent between registration and assertion.
I've had a look at the code, and it appears that there is different login being followed for the two.
In ctap_make_credential, the following is used:
if (has_pin() && (mc.parsedParams & PARAM_pinAuth) == 0) return CTAP2_ERR_PIN_REQUIRED;
if (mc.parsedParams & PARAM_pinAuth) {
if (mc.pinAuthLength == 0) {
WAIT();
if (has_pin())
return CTAP2_ERR_PIN_INVALID;
else
return CTAP2_ERR_PIN_NOT_SET;
}
if ((mc.parsedParams & PARAM_pinProtocol) == 0) return CTAP2_ERR_PIN_AUTH_INVALID;
hmac_sha256(pin_token, PIN_TOKEN_SIZE, mc.clientDataHash, sizeof(mc.clientDataHash), params);
if (memcmp(params, mc.pinAuth, PIN_AUTH_SIZE) != 0) return CTAP2_ERR_PIN_AUTH_INVALID;
}
In ctap_get_assertion the following is used:
if (ga.parsedParams & PARAM_pinAuth) {
if (ga.pinAuthLength == 0) {
WAIT();
if (has_pin())
return CTAP2_ERR_PIN_INVALID;
else
return CTAP2_ERR_PIN_NOT_SET;
}
if ((ga.parsedParams & PARAM_pinProtocol) == 0) return CTAP2_ERR_PIN_AUTH_INVALID;
hmac_sha256(pin_token, PIN_TOKEN_SIZE, ga.clientDataHash, sizeof(ga.clientDataHash), pinAuth);
#ifndef FUZZ
if (memcmp(pinAuth, ga.pinAuth, PIN_AUTH_SIZE) != 0) return CTAP2_ERR_PIN_AUTH_INVALID;
#endif
}
The key difference is this line here in make credential:
if (has_pin() && (mc.parsedParams & PARAM_pinAuth) == 0) return CTAP2_ERR_PIN_REQUIRED;
This causes the pin to always be required when UV is set to discouraged/preferred/required during a registration. This creates an association to the user that "the credential I am creating requires user verification.
However, this logic is not followed in get_assertion, meaning that in discouraged/preferred contexts, since pin_auth isn't set, the assertion will be created without user verification.
There are two ways to potentially resolve this:
- Always require UV regardless of input, by adding
CTAP2_ERR_PIN_REQUIREDto the logic in get_assertion. (edit: this is a valid behaviour and many tokens already do this such as touchid from apple ) - Remove the
CTAP2_ERR_PIN_REQUIREDlogic in make_credential, and follow the same logic as get_assertion so that you only act as a verified credential when UV=required is set by the browser. (edit: this is how a yubikey behaves)
Thanks,
CMake: missing dependency to `gitrev` target
A fresh build fails as the gitrev target is not executed.
Test RSA4096 support in GPG
GPG import nistp256 failed on CI
Log
sec rsa2048/E9E05C046262F92A
created: 2020-05-21 expires: never usage: SCEA
trust: ultimate validity: ultimate
ssb rsa2048/2C43A0F96F6FE7A2
created: 2020-05-21 expires: never usage: SEA
card-no: 8086 A1B2C3D4
ssb* nistp256/E6E80D308BF54351
created: 2020-05-21 expires: never usage: E
ssb nistp256/1EFA048E57D5DCEB
created: 2020-05-21 expires: never usage: S
[ultimate] (1). Someone <[email protected]>
Please select where to store the key:
(2) Encryption key
gpg: KEYTOCARD failed: Invalid value
APDU
[DBG] PC_to_RDR_XfrBlock(136): O: 00DB3FFF2B4D29B8007F4802921F5F481F610E5010A7E48AC6A0DB147B2583D6D2AB6414B5CB293A2DCF5CE769691E3D
[DBG] PC_to_RDR_XfrBlock(155): I: 6A80
Store personal data of OpenPGP card in a file instead of file attrs
Uncomment the following test after fixing this issue:
canokey-core/.github/workflows/tests.yml
Line 199 in 0210554
Request for Adding Support for HMAC-SHA1 Challenge-Response Protocol
Issue Description:
Currently, I have encountered some limitations while using the canokeys hardware key. I have found that many tools I need to use, such as the keepassxc password manager, require support for the HMAC-SHA1 Challenge-Response protocol. However, it seems that the current canokeys hardware key does not support this protocol, which prevents me from using these tools effectively.
Request:
I would like to request the addition of support for the HMAC-SHA1 Challenge-Response protocol in the canokeys hardware key. This enhancement would enable me to seamlessly use the tools I require and would improve the compatibility of the canokeys hardware key.
Additional Information:
I have encountered this issue in practical usage, and I believe that this improvement would be beneficial not only for me but also for other users. I hope to receive your prompt response and support on this matter.
Check the length of data objects in piv_put_data
Set length limit for certificates, CCC and CHUID as per specification.
fail to use ssh resident keys
SSH private keys can be store on fido2 devices using ssh-keygen -t ed25519-sk -O resident (https://man.openbsd.org/ssh-keygen.1). However, when I tried this on my canokey, the key just can't be store.
In detail:
$ ssh-keygen -vvv -t ed25519-sk -O resident
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=13326
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x21, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: ssh_sk_enroll: using device /dev/hidraw1
debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_PIN_REQUIRED
debug1: sshsk_enroll: provider "internal" returned failure -3
debug1: ssh-sk-helper: Enrollment failed: incorrect passphrase supplied to decrypt private key
debug1: ssh-sk-helper: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -43
debug3: reap_helper: pid=13326
Enter PIN for authenticator:
debug3: start_helper: started pid=13336
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x21, challenge len 0 with-pin
debug1: sshsk_enroll: using random challenge
debug1: ssh_sk_enroll: using device /dev/hidraw1
debug3: ssh_sk_enroll: attestation cert len=443
debug1: ssh-sk-helper: reply len 713
debug3: ssh_msg_send: type 5
debug3: reap_helper: pid=13336
Enter file in which to save the key (/root/.ssh/id_ed25519_sk):
/root/.ssh/id_ed25519_sk already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ed25519_sk
Your public key has been saved in /root/.ssh/id_ed25519_sk.pub
The key fingerprint is:
SHA256:xxx root@xxx
The key's randomart image is:
xxx
then I try to download the private key:
$ ssh-keygen -K
Enter PIN for authenticator:
No keys to download
or
$ ssh-add -K
Enter PIN for authenticator:
$ ssh-add -L
The agent has no identities.
no keys found on canokey. I wonder if canokey just can't support this?
my canokey's version and firmware:
In addition: I can't find a way to manage fido resident keys. When using ykman:
$ ./ykman -r "Canokeys" info
Device type: Security Key NFC
Serial number: xxx
Firmware version: 5.5.5
Form factor: Keychain (USB-A)
NFC transport is enabled.
Applications USB NFC
FIDO2 Enabled Enabled
OTP Not available Not available
FIDO U2F Enabled Enabled
OATH Enabled Enabled
YubiHSM Auth Not available Not available
OpenPGP Enabled Enabled
PIV Enabled Enabled
$ ./ykman -r "Canokeys" fido credentials list
Enter your PIN:
Error: Authenticator does not support Credential Management
and also, bitlocker report that this key is not compatible:
What's wrong with my key?
[Feature request] Does CanoKey have the opportunity to support the RSA4096 algorithm in PIV mode
I have noticed that RSA-4096 is supported in GPG mode. Can the algorithm of RSA-4096 also be supported in PIV mode?
Unfortunately, I am not familiar with the code and related encryption algorithms of this project and do not know how to add them.
If you would like to add RSA-4096, I would greatly appreciate it.
Implement metadata for PIV applet
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.