
Comments (36)

ia0 avatar ia0 commented on July 28, 2024 1

That would be great!

  1. Checkout the develop branch of a clean OpenSK in a temporary directory:
    cd /tmp
    git clone -b develop https://github.com/google/OpenSK.git
    cd OpenSK
    ./setup.sh
    
  2. Plug the dev-kit to your computer through the JTAG port (see this picture).
  3. Compile, flash, and configure OpenSK with debugging:
    ./deploy.py --board=nrf52840dk_opensk --opensk --debug --panic-console --clear-storage
    ./tools/configure.py --certificate=crypto_data/opensk_cert.pem --private-key=crypto_data/opensk.key
    
  4. Plug the dev-kit to your phone through the USB port, keeping the JTAG port connected to your computer.
  5. In one terminal run JLinkExe -device nrf52 -if swd -speed 1000 -autoconnect 1.
  6. In another (new) terminal run JLinkRTTClient. Make sure you have infinite scrolling, there will be a lot of input.
  7. Try to add a security key on your phone.
  8. Ctrl-C the second terminal and copy the full content of the terminal in a gist or some other place and share the link here.

Thanks!


jmichelp avatar jmichelp commented on July 28, 2024 1

It's possible that they whitelist AAGUID to the FIDO certified ones.
But my first guess would be to say that they're simply more pedantic about the attestation certificate.
IIRC I haven't patched the certificate generation to include the x509v3 extensions they need (it needs to embed the AAGUID, the supported transports, etc.).
It works 99% of the cases because nobody cares about it, but with CTAP2.1 they seem to do more checks :)

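The check jmichelp describes, as an added example that is not OpenSK project code: a relying party that parses the makeCredential response reads the AAGUID from authenticatorData and, if the attestation certificate carries the id-fido-gen-ce-aaguid extension (OID 1.3.6.1.4.1.45724.1.1.4), requires the two values to agree and the extension to be non-critical. The script takes the raw authenticatorData and the DER certificate (first element of the attestation statement's x5c) as bytes; the sample inputs at the bottom are constructed, the "certificate" is only a DER skeleton with the fields the walker visits, and the DER handling assumes single-byte tags and is not a general X.509 parser.

```python
"""Cross-check the AAGUID in a CTAP2 makeCredential response against the
attestation certificate's id-fido-gen-ce-aaguid extension.
Added example for this thread, not OpenSK code. Minimal DER walker: single-byte
tags only, enough to locate one extension, not a general X.509 parser."""
import hashlib
import uuid

FIDO_AAGUID_OID = "1.3.6.1.4.1.45724.1.1.4"   # id-fido-gen-ce-aaguid
FLAG_AT = 0x40                                 # authData flag: attested credential data present
OPENSK_AAGUID = uuid.UUID("664d9f67-84a2-412a-9ff7-b4f7d8ee6d05")  # value quoted in this thread

def aaguid_from_auth_data(auth_data: bytes) -> bytes:
    """authData = rpIdHash(32) || flags(1) || signCount(4) || attestedCredentialData,
    and attestedCredentialData starts with the 16-byte AAGUID."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("AT flag not set: no attested credential data")
    if len(auth_data) < 53:
        raise ValueError("attested credential data truncated")
    return auth_data[37:53]

def encode_oid(dotted: str) -> bytes:
    """DER contents of an OBJECT IDENTIFIER (first two arcs merged, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_iter(buf: bytes):
    """Yield (tag, content) for each TLV in buf."""
    i = 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:
            nb = ln & 0x7F
            ln = int.from_bytes(buf[i:i + nb], "big")
            i += nb
        yield tag, buf[i:i + ln]
        i += ln

def find_extension(der: bytes, oid: str):
    """Depth-first search for SEQUENCE { OID, [BOOLEAN critical,] OCTET STRING extnValue }.
    Returns (extnValue, critical) or None."""
    want = der_tlv(0x06, encode_oid(oid))
    for tag, content in der_iter(der):
        if tag == 0x30 and content.startswith(want):
            critical, value = False, None
            for t, c in der_iter(content):
                if t == 0x01:
                    critical = c == b"\xff"
                elif t == 0x04:
                    value = c
            if value is not None:
                return value, critical
        if tag & 0x20:                         # constructed type: descend into it
            found = find_extension(content, oid)
            if found is not None:
                return found
    return None

def aaguid_from_cert(cert_der: bytes) -> bytes:
    found = find_extension(cert_der, FIDO_AAGUID_OID)
    if found is None:
        raise ValueError("certificate lacks the id-fido-gen-ce-aaguid extension")
    extn_value, critical = found
    if critical:                               # WebAuthn: this extension MUST NOT be critical
        raise ValueError("id-fido-gen-ce-aaguid must not be critical")
    inner = list(der_iter(extn_value))         # extnValue wraps OCTET STRING(16)
    if len(inner) != 1 or inner[0][0] != 0x04 or len(inner[0][1]) != 16:
        raise ValueError("malformed id-fido-gen-ce-aaguid value")
    return inner[0][1]

def check_attestation(auth_data: bytes, cert_der: bytes) -> dict:
    """Both AAGUIDs as strings plus whether they agree (a mismatch is a rejection)."""
    a, c = aaguid_from_auth_data(auth_data), aaguid_from_cert(cert_der)
    return {"auth_data_aaguid": str(uuid.UUID(bytes=a)),
            "cert_aaguid": str(uuid.UUID(bytes=c)), "match": a == c}

# --- constructed sample inputs, not captured from a real device ----------------
def build_sample_auth_data(aaguid: bytes) -> bytes:
    """authData up to credentialId; the COSE key that follows is not needed here."""
    rp_id_hash = hashlib.sha256(b"example.com").digest()
    cred_id = bytes(range(16))
    return (rp_id_hash + bytes([0x01 | FLAG_AT]) + (1).to_bytes(4, "big")  # UP|AT, counter
            + aaguid + len(cred_id).to_bytes(2, "big") + cred_id)

def build_sample_cert_skeleton(aaguid):
    """DER skeleton with version, serial and extensions only; NOT a valid X.509
    certificate. Pass aaguid=None to omit the FIDO extension."""
    exts = [der_tlv(0x30, der_tlv(0x06, encode_oid("2.5.29.19"))      # basicConstraints decoy
                    + der_tlv(0x04, der_tlv(0x30, b"")))]
    if aaguid is not None:
        exts.append(der_tlv(0x30, der_tlv(0x06, encode_oid(FIDO_AAGUID_OID))
                            + der_tlv(0x04, der_tlv(0x04, aaguid))))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))          # [0] version v3
                  + der_tlv(0x02, b"\x01")                              # serialNumber
                  + der_tlv(0xA3, der_tlv(0x30, b"".join(exts))))      # [3] extensions
    return der_tlv(0x30, tbs + der_tlv(0x03, b"\x00"))                 # plus empty signature

if __name__ == "__main__":
    print(check_attestation(build_sample_auth_data(OPENSK_AAGUID.bytes),
                            build_sample_cert_skeleton(OPENSK_AAGUID.bytes)))
```

Against a real device, feed `check_attestation` the authData and the first x5c certificate pulled out of the attestation object with a CBOR decoder; a missing extension is reported separately from a value mismatch, which is the distinction this thread is trying to make.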

kaczmarczyck avatar kaczmarczyck commented on July 28, 2024 1

Sorry for the wait (and more waiting is to be expected, see below). A few observations:

  • I downloaded the metadata blob from FIDO Alliance to double check, and I can't find OpenSK. The file metadata/metadata.json in our repository should be contained.
  • We are still listed as a certified product, i.e., search for OpenSK as the product name.

So if we are indeed rejected because of attestation problems, then this could be related. I'll reach out to FIDO.


kaczmarczyck avatar kaczmarczyck commented on July 28, 2024 1

Turns out I missed a step to submit an OpenSK entry to the MDS. So we likely have to fix #457 and / or register OpenSK correctly with FIDO.


ia0 avatar ia0 commented on July 28, 2024

Hi, thanks for the report!

Could you provide the following information to help debug further:

  • How did you compile, flash, and configure OpenSK on the dongle?
  • How do you connect the dongle to your phone?
  • Does it work with iOS 16?

Thanks!


iayanpahwa avatar iayanpahwa commented on July 28, 2024

Thank you for swift response @ia0 ,

How did you compile, flash, and configure OpenSK on the dongle?

I followed the exact steps mentioned in install.md and nrf52840_dongle.md, i.e. DFU flashing.

How do you connect the dongle to your phone?

Using Lightning to USB A adaptor

Does it work with iOS 16?

No, just checked on an iPad running iOS 16 with a USB C to USB A dongle.

FYI, my Yubikey 5 worked flawlessly on both.


ia0 avatar ia0 commented on July 28, 2024

Thanks! We will need to find a way to reproduce to be able to debug (unless you happen to also have a dev-board). This may take some time.


iayanpahwa avatar iayanpahwa commented on July 28, 2024

I do have a NRF52840DK dev board. But it’s not handy atm. If you could guide me thru the process I could give it a try next week.


iayanpahwa avatar iayanpahwa commented on July 28, 2024

Hi @ia0, I tried this today. Unfortunately I'm getting some errors during flashing. Please note I've copied the udev rules and replugged the device. Any idea what else I can do?

info: Generating Tock TAB file for application/example ctap2
info: Erasing the persistent storage
info: Erasing all installed applications
WARNING:root:Unknown TLV block in TBF header.
WARNING:root:You might want to update tockloader.
info: Flashing padding application
info: Installing Tock application ctap2
WARNING:root:Unknown TLV block in TBF header.
WARNING:root:You might want to update tockloader.
WARNING:root:Unknown TLV block in TBF header.
WARNING:root:You might want to update tockloader.
info: Configuring device.
info: Your device is not yet configured, and lacks some functionality. You can check its configuration status with:

./tools/configure.py

If you run into issues, this command might help:

./tools/configure.py \
    --certificate=crypto_data/opensk_cert.pem \
    --private-key=crypto_data/opensk.key

Please read the Certificate considerations in docs/customization.md to understand the privacy trade-off.
fatal: No device to configure found.

lsusb output shows SEGGER J-Link connected


ia0 avatar ia0 commented on July 28, 2024

That's the expected output. You may ignore those warnings. I have them too and it's not a problem.

You should be able to follow up with the instructions continuing from ./tools/configure.py .

Note that the device is extremely slow with debug enabled, so you may have to wait longer than expected for some steps.


iayanpahwa avatar iayanpahwa commented on July 28, 2024

Thanks @ia0, I was able to reproduce this issue using the NRF52840 DK dev board. You can find the logs in a public gist here. I'm looking forward to learning from your diagnosis, many thanks!


ia0 avatar ia0 commented on July 28, 2024

Thanks a lot! So it looks like we send a MakeCredential response which makes me believe that iOS is probably refusing our AAGUID or certificate. @jmichelp what do you think?


iayanpahwa avatar iayanpahwa commented on July 28, 2024

Apple has a page talking about Keys specifications : https://support.apple.com/en-in/HT213154


iayanpahwa avatar iayanpahwa commented on July 28, 2024

I'm happy to work on a PR if you could guide me thru.


iayanpahwa avatar iayanpahwa commented on July 28, 2024

Thanks for the update @kaczmarczyck , happy to test it over once we've the fix.


kaczmarczyck avatar kaczmarczyck commented on July 28, 2024

Update: OpenSK is now listed in the MDS with
AAGUID 664d9f67-84a2-412a-9ff7-b4f7d8ee6d05
For some reason, it still lists the status as NOT_FIDO_CERTIFIED.

We could test if this already satisfies Apple. I am sceptical it does, but if you want to try, open the file crypto_data/aaguid.txt and paste the above AAGUID into it. Note that the MDS entry lists the properties from our 2.0 version, not sure if that causes problems.

If that does not work, the next 2 tests would be:
A) Activate batch attestation.
B) Wait for the MDS to acknowledge our certification status, and that to propagate to Apple.

To try A), you can edit libraries/opensk/src/api/customization.rs so that DEFAULT_CUSTOMIZATION says:
use_batch_attestation: true,
You will have to configure after deploying to enable batch attestation:

    ./tools/configure.py \
        --certificate=crypto_data/opensk_cert.pem \
        --private-key=crypto_data/opensk.key

Note: Our documentation has some info on privacy implications of batch attestation if you want to use that key outside of experimentation.
The attestation certificate you are going to use doesn't match the MDS entry though. That is because you just generated it, and you can't attest yourself. This is basically the open source nature of OpenSK.

If Apple does require batch attestation and checking them through the MDS, then there is intentionally no way you can build your own security key and make it work with them I think.

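The MDS lookup kaczmarczyck describes (AAGUID present, status NOT_FIDO_CERTIFIED, attestation roots that a self-generated certificate cannot chain to), as an added example that is not OpenSK or FIDO Alliance code. The MDS blob is a JWT whose payload is JSON with an "entries" array; each FIDO2 entry carries "aaguid", "metadataStatement" and "statusReports". The blob below is constructed for the example (dates and the second authenticator are made up, the signature is a dummy string), and the script deliberately does not verify the JWS: a real consumer MUST verify the signature and its x5c chain against the FIDO Alliance root before trusting any status in the payload.

```python
"""Look up an AAGUID in an MDS3 blob and report its latest certification status.
Added example for this thread, not OpenSK or FIDO Alliance code. The sample blob
is constructed and carries a dummy signature; JWS verification is NOT done here."""
import base64
import json
import uuid

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def normalize_aaguid(text: str) -> str:
    """Canonical lowercase hyphenated form; raises ValueError on garbage, which is
    the check worth running on whatever gets pasted into crypto_data/aaguid.txt."""
    return str(uuid.UUID(text.strip()))

def mds_entries(blob: str) -> list:
    """Split the JWT and decode the payload. Signature is NOT verified here."""
    parts = blob.strip().split(".")
    if len(parts) != 3:
        raise ValueError("MDS blob is not a three-part JWT")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg", "none") == "none":
        raise ValueError("unsigned MDS blob refused")
    return json.loads(b64url_decode(parts[1]))["entries"]

def lookup_aaguid(blob: str, aaguid: str):
    """Entry for aaguid, or None. U2F entries have no aaguid (they are keyed by
    attestationCertificateKeyIdentifiers) and are skipped."""
    want = normalize_aaguid(aaguid)
    for entry in mds_entries(blob):
        if entry.get("aaguid") and normalize_aaguid(entry["aaguid"]) == want:
            return entry
    return None

def certification_status(entry: dict):
    """(latest status string, is_certified). effectiveDate is an ISO date, so the
    lexically largest one is the current report."""
    reports = entry.get("statusReports") or []
    if not reports:
        return "UNKNOWN", False
    latest = max(reports, key=lambda r: r.get("effectiveDate", ""))
    status = latest.get("status", "UNKNOWN")
    return status, status.startswith("FIDO_CERTIFIED")

def attestation_roots(entry: dict) -> int:
    """Number of attestation root certificates the entry pins. A certificate you
    generated yourself chains to none of them, so a self-built key cannot pass an
    MDS-backed attestation check even with the listed AAGUID."""
    return len(entry.get("metadataStatement", {}).get("attestationRootCertificates", []))

# --- constructed sample blob ---------------------------------------------------
_SAMPLE_PAYLOAD = {
    "no": 1,
    "nextUpdate": "2024-08-01",
    "entries": [
        {   # mirrors what this thread reports for OpenSK; the date is made up
            "aaguid": "664d9f67-84a2-412a-9ff7-b4f7d8ee6d05",
            "metadataStatement": {"description": "OpenSK", "protocolFamily": "fido2",
                                  "attestationRootCertificates": ["MIIB...constructed"]},
            "statusReports": [{"status": "NOT_FIDO_CERTIFIED", "effectiveDate": "2023-09-01"}],
        },
        {   # fictitious certified authenticator with a status history
            "aaguid": "00000000-0000-0000-0000-000000000001",
            "metadataStatement": {"description": "Example Key", "protocolFamily": "fido2",
                                  "attestationRootCertificates": ["MIIB...constructed"]},
            "statusReports": [{"status": "NOT_FIDO_CERTIFIED", "effectiveDate": "2023-01-01"},
                              {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2023-06-01"}],
        },
        {   # U2F-style entry without an aaguid
            "attestationCertificateKeyIdentifiers": ["ab" * 20],
            "statusReports": [{"status": "FIDO_CERTIFIED", "effectiveDate": "2020-01-01"}],
        },
    ],
}
SAMPLE_BLOB = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps(_SAMPLE_PAYLOAD).encode()),
    b64url_encode(b"dummy-signature"),     # a real blob is signed by the MDS
])

if __name__ == "__main__":
    entry = lookup_aaguid(SAMPLE_BLOB, "664D9F67-84A2-412A-9FF7-B4F7D8EE6D05")
    print(certification_status(entry), "pinned roots:", attestation_roots(entry))
```

To run this against the real blob, save the downloaded JWT to a file, verify it first, and pass its text to `lookup_aaguid`; `normalize_aaguid` accepts the uppercase or lowercase spelling, so it also validates the value before it goes into crypto_data/aaguid.txt.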

kaczmarczyck avatar kaczmarczyck commented on July 28, 2024

The MDS blob (downloaded here) still lists us as not certified. We merged #668 , so anyone with a Mac could try Apple ID with OpenSK. Steps:

  1. checkout develop and pull
  2. ./reset.sh && ./setup.sh (save pending changes before this step)
  3. edit crypto_data/aaguid.txt and change it to 664d9f67-84a2-412a-9ff7-b4f7d8ee6d05
  4. edit DEFAULT_CUSTOMIZATION in libraries/opensk/src/api/customization.rs as explained above
  5. deploy
  6. configure

For debugging purposes, if that works, we could also try with a random AAGUID (write something else in step 3). That should inform us whether Apple supports self-made security keys.


kaczmarczyck avatar kaczmarczyck commented on July 28, 2024

@iayanpahwa If you are interested in trying, feel free to report all observations here!


iayanpahwa avatar iayanpahwa commented on July 28, 2024

I'll try and test it soon.

