SKFS register failed. An error happened: "FIDO-ERR-2001: FIDO 2 Error Message : {0}Registration Signature verification : false" #201
Comments
Lighthope,
If I understand your flow, it sounds like you are NOT using FIDO for authenticating users through a web-browser - you are using the Python library to relay messages between the Authenticator and the SKFS; is that correct?
On 8/14/22 1:55 AM, Lighthope wrote:
I wrote a C-language program which does the FIDO register flow on a private SKFS. My preregister flow works well, but I meet the "FIDO-ERR-2001: FIDO 2 Error Message : {0}Registration Signature verification : false" error. I don't know why.
This program calls the preregister and register APIs by using a system call to the curl command.
When the program receives the preregister response (such as challenge, rp info, user info, etc.), it sends it to the external FIDO authenticator (Yubico USB key) via the python-libfido2 <https://github.com/Yubico/python-fido2> library. I also wrote Python code to do this. The partial code is as below.

```python
from fido2.client import Fido2Client
from fido2.webauthn import PublicKeyCredentialCreationOptions

# dev, origin, CliInteraction and pub_key_cred_creation_options (the parsed
# preregister response) are set up elsewhere in the reporter's code
client = Fido2Client(dev, origin, user_interaction=CliInteraction())
create_options = {
    "publicKey": PublicKeyCredentialCreationOptions(**pub_key_cred_creation_options)
}
result = client.make_credential(create_options["publicKey"])
```

The program receives information such as the client data and attestation object.
Next, I need to create the clientDataJSON and attestationObject strings.
The clientDataJSON is as below.

```python
import json

client_data = {}
client_data["type"] = result.client_data.type
client_data["challenge"] = result.client_data.challenge.decode('utf-8')
client_data["origin"] = result.client_data.origin
client_data["cross_origin"] = result.client_data.cross_origin
# base64UrlEncode is the reporter's own helper, not shown in the issue
clientDataJSON = base64UrlEncode(json.dumps(client_data).encode('utf-8')).decode('utf-8')
```
The attestationObject is as below. It consists of different parts of information (fmt, authData, attStmt).
attStmt is a dictionary object.

```python
attestation_object = {}
att_stmt = {}
att_stmt["alg"] = result.attestation_object.att_stmt['alg']
att_stmt["sig"] = result.attestation_object.att_stmt['sig']
att_stmt["x5c"] = result.attestation_object.att_stmt['x5c']
attestation_object["attStmt"] = att_stmt
```

fmt is a string.

```python
attestation_object["fmt"] = result.attestation_object.fmt
```
authData is a bytes-type object. Because python-libfido2 returns a class object, I need to combine the bytes data by referring to the WebAuthn spec.

```python
# Rebuild the 16 AAGUID bytes from the UUID string form
str_aaguid = result.attestation_object.auth_data.credential_data.aaguid.__str__().replace('-', '')
intlist_aaguid = [int(str_aaguid[2*i:2*i+2], 16) for i in range(0, int(len(str_aaguid)/2))]
bytes_aaguid = bytes(intlist_aaguid)

# attestedCredentialData = aaguid || credentialIdLength (2 bytes, big-endian) || credentialId || COSE public key
credential_data = bytes_aaguid
credential_data += len(list(result.attestation_object.auth_data.credential_data.credential_id)).to_bytes(2, byteorder='big')
credential_data += result.attestation_object.auth_data.credential_data.credential_id
if result.attestation_object.auth_data.credential_data.public_key[1] == 2:
    # COSE kty == 2 (EC2); createCOSEEC2PublicKey is the reporter's own helper, not shown in the issue
    credential_data += createCOSEEC2PublicKey(result.attestation_object.auth_data.credential_data.public_key)

# authData = rpIdHash || flags (1 byte) || signCount (4 bytes, big-endian) || attestedCredentialData
auth_data = result.attestation_object.auth_data.rp_id_hash
auth_data += result.attestation_object.auth_data.flags.to_bytes(1, byteorder='big')
auth_data += result.attestation_object.auth_data.counter.to_bytes(4, byteorder='big')
auth_data += credential_data
attestation_object["authData"] = auth_data
```

Finally, CBOR-encode the attestationObject.

```python
import cbor2

cbor_data = cbor2.dumps(attestation_object)
attestationObject = base64UrlEncode(cbor_data).decode('utf-8')
```
The problem is that when the C program sends origin, credential id, clientDataJSON, and attestationObject to the register endpoint of SKFS, the "Registration Signature verification : false" error happens.
I've checked the glassfish log of SKFS, but I still don't know why because I'm not familiar with the Java language and the source code of SKFS. A part of the glassfish log is as below.

```
[2022-08-04T03:11:05.049-0400] [Payara 5.2020.7] [INFO] [] [] [tid: _ThreadID=71 _ThreadName=http-thread-pool::http-listener-2(9)] [timeMillis: 1659597065049] [levelValue: 800] [[ rpidhashfrompolicy = S/ybIkMj6soGXSAwVHmFMPZKG+S8Gt+tqPZJWxgsodc=]]
[2022-08-04T03:11:05.057-0400] [Payara 5.2020.7] [SEVERE] [FIDO-ERR-0015] [SKFS] [tid: _ThreadID=71 _ThreadName=http-thread-pool::http-listener-2(9)] [timeMillis: 1659597065057] [levelValue: 1000] [[ FIDO-ERR-0015: User signature could not be verified: Failed to verify Packed signature]]
[2022-08-04T03:11:05.057-0400] [Payara 5.2020.7] [SEVERE] [FIDO-MSG-2001] [SKFS] [tid: _ThreadID=71 _ThreadName=http-thread-pool::http-listener-2(9)] [timeMillis: 1659597065057] [levelValue: 1000] [[ FIDO-MSG-2001: FIDO 2 Debug Message : Registration Signature verification : false]]
[2022-08-04T03:11:05.058-0400] [Payara 5.2020.7] [SEVERE] [] [SKFS] [tid: _ThreadID=71 _ThreadName=http-thread-pool::http-listener-2(9)] [timeMillis: 1659597065058] [levelValue: 1000] [[ FIDO-ERR-2001: FIDO 2 Error Message : {"Response":"FIDO-ERR-2001: FIDO 2 Error Message : {0}Registration Signature verification : false"}]]
[2022-08-04T03:11:05.058-0400] [Payara 5.2020.7] [SEVERE] [] [] [tid: _ThreadID=71 _ThreadName=http-thread-pool::http-listener-2(9)] [timeMillis: 1659597065058] [levelValue: 1000] [[
com.strongkey.skfs.utilities.SKIllegalArgumentException: {"Response":"FIDO-ERR-2001: FIDO 2 Error Message : {0}Registration Signature verification : false"}
	at com.strongkey.skfs.txbeans.FIDO2RegistrationBean.execute(FIDO2RegistrationBean.java:127)
	at sun.reflect.GeneratedMethodAccessor272.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
```
Thus, can anyone help to solve the problem?
Thanks!
@arshadnoor Hi. Yes, I am not using a web browser to authenticate with the FIDO authenticator. I've also tried to hardcode the clientDataJSON and attestationObject, but still have the signature verification error.
hi @kimo6416337, While we are trying to figure out what might be the problem based on your code snippets above, can you also do the following and give us more detailed logs from the server log so that we can see if we get more details from it. On the FIDO server:
Thank you
@push2085 A part of the glassfish log is as attached.
Hi
@push2085 Sure.
And the content of Class PublicKeyCredentialCreationOptions, which is defined by the python-libfido2 library.
As I said, I still meet the error even if I hardcode the client data and attestation object with the ones in a real-world working register request payload of a StrongKey policy module demo.
We are still debugging this to figure out what's wrong. Also, what I suggest you do is to follow these steps (https://docs.strongkey.com/index.php/skfs-home/skfs-usage/policy-module-demo/skfs-installation-with-fido2-same) on your local fido server machine to install the sample app locally to make sure the fido key works on this sample app in a browser-based application. This will eliminate any problems with the install itself and will come down to debugging the right format of the data being sent.
@push2085 I can register/login with the policy module demo based on my local SKFS.
So, this indicates that the Authenticator and the SKFS are working correctly when the browser and the FIDOPolicy webapp are used for registration/authentication. This narrows down the problem to either the Python library you are using, or the C-code you've written that integrates with the Python library. To determine which one is causing the problem - and since you seem to know Python better than we do - have you tried testing your Python library configuration with the tests shown here - and in particular, this test? If the tests pass correctly, then the Python library is probably not the problem; you may then want to look at the way the test code is passing its parameters to the Authenticator and compare it to the way your C-code is passing similar parameters to the Python library. You may also want to post an issue on the Python library forum to see if they have ideas on what's causing your response to be rejected by our FIDO server. In general, the SKFS has rarely had issues with FIDO Certified Authenticators when used with supported browsers - most Authenticator programmers are familiar with SKFS since 2015 when the SKFS was one of the official FIDO servers used by the FIDO Alliance for certifying U2F Security Keys.
@arshadnoor @push2085 Now back to focus on my C code. I need some help to check the correctness of the client data and attestation object.
The content of the posted json file (/tmp/fido-register-999999.json) is:
After beautifying the format,
But I still meet the signature verification error. Could you help to check if this RESTful API call is legal? Are the contents of the attestation object and client data JSON legal?
Could anyone answer my RESTful API problem?
Hi. Is there any way to get more debug logs from the python library on what it does when it receives the create call from your application? I was trying to set up something internal for trying out the yubico library but I couldn't get it working.
Hi @kimo6416337, I think I may have found the problem in the input that is being sent to the fido server. I looked at the detailed input again to see if something doesn't match and I found that the clientDataJson that is being sent in has one thing wrong. Can you modify this part of your code "client_data["cross_origin"] = result.client_data.cross_origin" and change it to "client_data["crossOrigin"] = result.client_data.cross_origin" and try again to see if the registration succeeds. Thank you
@push2085 Hi, thanks for your help. I will try your solution later and tell you the result.
@push2085 After trying your solution, the error still happens.
Have you posted an issue in the Python library's forum with a reference to this thread?
On 8/22/22 1:36 AM, Lighthope wrote:
@push2085 <https://github.com/push2085> After trying your solution, the error still happens.
I am seeing the source code of python-libfido2 to figure out what it sends to the authenticator and how it handles the clientDataJSON and attestationObject.
@arshadnoor pls see Yubico/python-fido2#152
Let's wait and see what Yubico has to say, Lighthope. We can respond to them if they need to know anything else. Thanks.
On 8/23/22 01:43, Lighthope wrote:
@arshadnoor <https://github.com/arshadnoor> pls see Yubico/python-fido2#152
After surveying how python-fido2 sends a make-credential request to the authenticator, I found it uses the CTAP2 command authenticatorMakeCredential (0x01). The request data is a dictionary structure with int keys and values containing the SHA-256 hash of the client data, rp info, user info, etc. I am wondering whether the signature/X.509 certificate of a WebAuthn attestation differs from that of CTAP2?
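Added example (not code from the issue, python-fido2 or SKFS) covering both the attestationObject assembly quoted above and the CTAP2 question here: a packed attestation signature covers authData || SHA-256(clientDataJSON), and CTAP2 authenticatorMakeCredential receives only that clientDataHash, so the server must hash exactly the bytes the client hashed, which a json.dumps re-serialisation of the parsed fields does not reproduce. The rpId, AAGUID, credential id and COSE-key bytes are constructed placeholders, and the ECDSA check of the signature itself is left to a crypto library.

```python
import hashlib
import json
import struct

# Constructed placeholders (not values from the issue): rpId, AAGUID, credential id and an
# opaque blob standing in for the CBOR-encoded COSE public key.
RP_ID = "rp.example"
AAGUID = bytes(range(16))
CRED_ID = b"\x11" * 20
COSE_KEY = b"\xa5\x01\x02\x03\x26"
# Constructed clientDataJSON exactly as the client hashed it before the CTAP2 makeCredential call.
ORIGINAL_CLIENT_DATA = b'{"type":"webauthn.create","challenge":"dGVzdC1jaGFsbGVuZ2U","origin":"https://rp.example","crossOrigin":false}'
def build_auth_data(rp_id, flags, counter, aaguid, cred_id, cose_key):
    """authenticatorData in the layout the issue assembles by hand:
    rpIdHash(32) || flags(1) || signCount(4 BE) || aaguid(16) || credIdLen(2 BE) || credId || COSE key"""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose_key)

def parse_auth_data(data):
    """Inverse of build_auth_data; the COSE key comes back as the opaque trailing bytes."""
    out = {"rp_id_hash": data[:32], "flags": data[32], "counter": struct.unpack(">I", data[33:37])[0]}
    if out["flags"] & 0x40:  # AT flag set: attested credential data follows
        cred_len = struct.unpack(">H", data[53:55])[0]
        out.update(aaguid=data[37:53], credential_id=data[55:55 + cred_len],
                   cose_public_key=data[55 + cred_len:])
    return out

def packed_signed_message(auth_data, client_data_json):
    """Bytes a 'packed' attestation signature covers: authData || SHA-256(clientDataJSON)."""
    return auth_data + hashlib.sha256(client_data_json).digest()

def reserialize_like_issue(client_data_json):
    """Rebuild clientDataJSON from parsed fields with json.dumps, as the issue's code does:
    key order, spacing and the renamed cross_origin key all change the bytes."""
    f = json.loads(client_data_json)
    rebuilt = {"type": f["type"], "challenge": f["challenge"],
               "origin": f["origin"], "cross_origin": f["crossOrigin"]}
    return json.dumps(rebuilt).encode("utf-8")

def check_registration(rp_id, auth_data, client_data_json_sent, client_data_hash_in_ctap2):
    """Relying-party checks that precede signature verification; returns the findings."""
    findings = []
    if parse_auth_data(auth_data)["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        findings.append("rpIdHash does not match rpId")
    if hashlib.sha256(client_data_json_sent).digest() != client_data_hash_in_ctap2:
        findings.append("clientDataJSON sent to the server is not the bytes the authenticator signed over")
    return findings

CTAP2_CLIENT_DATA_HASH = hashlib.sha256(ORIGINAL_CLIENT_DATA).digest()
AUTH_DATA = build_auth_data(RP_ID, 0x41, 7, AAGUID, CRED_ID, COSE_KEY)
```

Running check_registration with the original bytes returns no findings, while the json.dumps-rebuilt clientDataJSON (or a wrong rpId) is flagged before any signature check is attempted.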