Comments (36)
That would be great!
- Check out the develop branch of a clean OpenSK in a temporary directory:
  cd /tmp
  git clone -b develop https://github.com/google/OpenSK.git
  cd OpenSK
  ./setup.sh
- Plug the dev-kit into your computer through the JTAG port (see this picture).
- Compile, flash, and configure OpenSK with debugging:
  ./deploy.py --board=nrf52840dk_opensk --opensk --debug --panic-console --clear-storage
  ./tools/configure.py --certificate=crypto_data/opensk_cert.pem --private-key=crypto_data/opensk.key
- Plug the dev-kit into your phone through the USB port, keeping the JTAG port connected to your computer.
- In one terminal run:
  JLinkExe -device nrf52 -if swd -speed 1000 -autoconnect 1
- In another (new) terminal run:
  JLinkRTTClient
  Make sure you have infinite scrolling, there will be a lot of input.
- Try to add a security key on your phone.
- Ctrl-C the second terminal, copy the full content of the terminal into a gist or some other place, and share the link here.
Thanks!
from opensk.
It's possible that they whitelist AAGUID to the FIDO certified ones.
But my first guess would be to say that they're simply more pedantic about the attestation certificate.
IIRC I haven't patched the certificate generation to include the x509v3 extensions they need (it needs to embed the AAGUID, the supported transports, etc.).
It works 99% of the cases because nobody cares about it, but with CTAP2.1 they seem to do more checks :)
from opensk.
Sorry for the wait (and more waiting is to be expected, see below). A few observations:
- I downloaded the metadata blob from FIDO Alliance to double check, and I can't find OpenSK. The file metadata/metadata.json in our repository should be contained.
- We are still listed as a certified product, i.e., search for OpenSK as the product name.
So if we are indeed rejected because of attestation problems, then this could be related. I'll reach out to FIDO.
from opensk.
Turns out I missed a step to submit an OpenSK entry to the MDS. So we likely have to fix #457 and / or register OpenSK correctly with FIDO.
from opensk.
Hi, thanks for the report!
Could you provide the following information to help debug further:
- How did you compile, flash, and configure OpenSK on the dongle?
- How do you connect the dongle to your phone?
- Does it work with iOS 16?
Thanks!
from opensk.
Thank you for the swift response @ia0,
How did you compile, flash, and configure OpenSK on the dongle?
I followed the exact steps mentioned in install.md and nrf52840_dongle.md, i.e. DFU flashing.
How do you connect the dongle to your phone?
Using a Lightning to USB-A adaptor.
Does it work with iOS 16?
No, just checked on an iPad running iOS 16 with a USB-C to USB-A dongle.
FYI, my Yubikey 5 worked flawlessly on both.
from opensk.
Thanks! We will need to find a way to reproduce to be able to debug (unless you happen to also have a dev-board). This may take some time.
from opensk.
I do have a NRF52840DK dev board. But it’s not handy atm. If you could guide me thru the process I could give it a try next week.
from opensk.
Hi @ia0, I tried this today. Unfortunately I'm getting some errors during flashing. Please note I've copied the udev rules and replugged the device. Any idea what else I can do?
info: Generating Tock TAB file for application/example ctap2
info: Erasing the persistent storage
info: Erasing all installed applications
WARNING:root:Unknown TLV block in TBF header.
WARNING:root:You might want to update tockloader.
info: Flashing padding application
info: Installing Tock application ctap2
WARNING:root:Unknown TLV block in TBF header.
WARNING:root:You might want to update tockloader.
WARNING:root:Unknown TLV block in TBF header.
WARNING:root:You might want to update tockloader.
info: Configuring device.
info: Your device is not yet configured, and lacks some functionality. You can check its configuration status with:
./tools/configure.py
If you run into issues, this command might help:
./tools/configure.py \
--certificate=crypto_data/opensk_cert.pem \
--private-key=crypto_data/opensk.key
Please read the Certificate considerations in docs/customization.md to understand the privacy trade-off.
fatal: No device to configure found.
lsusb output shows SEGGER J-Link connected
from opensk.
That's the expected output. You may ignore those warnings. I have them too and it's not a problem.
You should be able to follow up with the instructions continuing from ./tools/configure.py.
Note that the device is extremely slow with debug enabled, so you may have to wait longer than expected for some steps.
from opensk.
Thanks @ia0 , I was able to reproduce this issue using the NRF52840 DK dev board. You can find the logs in public gist here. I'm looking forward to learn from your diagnosis, many thanks!
from opensk.
Thanks a lot! So it looks like we send a MakeCredential response which makes me believe that iOS is probably refusing our AAGUID or certificate. @jmichelp what do you think?
from opensk.
Apple has a page talking about Keys specifications : https://support.apple.com/en-in/HT213154
from opensk.
I'm happy to work on a PR if you could guide me thru.
from opensk.
Thanks for the update @kaczmarczyck , happy to test it over once we've the fix.
from opensk.
Update: OpenSK is now listed in the MDS with AAGUID 664d9f67-84a2-412a-9ff7-b4f7d8ee6d05. For some reason, it still lists the status as NOT_FIDO_CERTIFIED.
We could test if this already satisfies Apple. I am sceptical it does, but if you want to try, open the file crypto_data/aaguid.txt and paste the above AAGUID into it. Note that the MDS entry lists the properties from our 2.0 version, not sure if that causes problems.
If that does not work, the next 2 tests would be:
A) Activate batch attestation.
B) Wait for the MDS to acknowledge our certification status, and that to propagate to Apple.
To try A), you can edit libraries/opensk/src/api/customization.rs so that DEFAULT_CUSTOMIZATION says:
  use_batch_attestation: true,
You will have to configure after deploying to enable batch attestation:
./tools/configure.py \
--certificate=crypto_data/opensk_cert.pem \
--private-key=crypto_data/opensk.key
Note: Our documentation has some info on privacy implications of batch attestation if you want to use that key outside of experimentation.
The attestation certificate you are going to use doesn't match the MDS entry though. That is because you just generated it, and you can't attest yourself. This is basically the open source nature of OpenSK.
If Apple does require batch attestation and checking them through the MDS, then there is intentionally no way you can build your own security key and make it work with them I think.
from opensk.
The MDS blob (downloaded here) still lists us as not certified. We merged #668, so anyone with a Mac could try Apple ID with OpenSK. Steps:
- check out develop and pull
- ./reset.sh && ./setup.sh (save pending changes before this step)
- edit crypto_data/aaguid.txt and change it to 664d9f67-84a2-412a-9ff7-b4f7d8ee6d05
- edit DEFAULT_CUSTOMIZATION in libraries/opensk/src/api/customization.rs as explained above
- deploy
- configure
For debugging purposes, if that works, we could also try with a random AAGUID (write something else in step 3). That should inform us whether Apple supports self-made security keys.
from opensk.
@iayanpahwa If you are interested in trying, feel free to report all observations here!
from opensk.
I’ll try and test it in soon.
from opensk.