Bridging FIDO2 BLE devices to the HID bus via /dev/uhid so they can be used in browsers
The easiest way to install is by using the .deb
from the releases page. This can the be installed through apt install
. This will then add the release page to the repositores and it can then be updated through apt update && apt upgrade
The second option would be to running it manually from the reposistory as instructed below.
For development on the python code you need to run
pip install uhid dbus-fast
Run the following command in a new shell:
fido2ble_to_uhid/fido2ble_to_uhid.py
The above needs some elevated privileges, either through running as root, sudo or by granting python the capabilities needed.
The code can also be built as a debian package and installed that way. It requires a minimum of Debian Bullseye (11) or Ubuntu Manic Minotaur (23) to build and install.
Running debuild
in the base folder will create the needed files.
The system can be verified to work through either libfido2 or just testing it in a browser. Below is an example of how this would be done
$ fido2-token -L
/dev/hidraw0: vendor=0xaaaa, product=0xaaaa ( )
$ fido2-token -I /dev/hidraw0
proto: 0x02
major: 0x00
minor: 0x01
build: 0x01
caps: 0x0c (nowink, cbor, nomsg)
version strings: FIDO_2_0, FIDO_2_1
extension strings: hmac-secret, credProtect
transport strings: ble
algorithms: es256 (public-key), rs256 (public-key)
aaguid: 69700f79d1fb472ebd9ba3a3b9a9eda0
options: rk, up, uv, noplat, noalwaysUv, credMgmt, clientPin, pinUvAuthToken, makeCredUvNotRqd
maxmsgsiz: 1024
maxcredcntlst: 0
maxcredlen: 0
maxlargeblob: 0
fwversion: 0x1
pin protocols: 1, 2
pin retries: 8
uv retries: 8
A complete registration cycle would look like this
echo credential challenge | openssl sha256 -binary | base64 > cred_param
echo my-party >> cred_param
echo my-user >> cred_param
dd if=/dev/urandom bs=1 count=32 | base64 >> cred_param
fido2-cred -M -i cred_param /dev/hidraw0 | fido2-cred -V -o cred
echo assertion challenge | openssl sha256 -binary | base64 > assert_param
echo my-party >> assert_param
head -1 cred >> assert_param
tail -n +2 cred > pubkey
fido2-assert -G -i assert_param /dev/hidraw0 | fido2-assert -V pubkey es256
The easiest way to pair a new OFFPAD is through a terminal with bluetoothctl
Turning on scanning can be done through
bluetoothctl scan on
This will then list all devices found as they get found and will run in the foreground. The job can be either backgrounded or the rest of the commands run in a new terminal.
Devices can then be listed with bluetoothctl devices
which will display all found devices. To easily pair the OFFPAD running
bluetoothctl devices | grep OFFPAD
Will list any OFFPADs found. The OFFPAD will show as something like
Device 12:34:56:78:9A:BC OFFPAD
It is important to note the MAC address here as by doing
bluetoothctl pair 12:34:56:78:9A:BC
The OFFPAD will prompt for a pairing code and after that the OFFPAD is paired. We can then turn of the scan that we either sent to the background or have in a different tab. If we backgrounded it, running fg
will bring it to the foreground before we terminate it with CTRL+C
It currently only works, if the OFFPAD is previously paired. The code is also set to find OFFPADs as FIDO devices only. If any changes happen to pairings, either new pairing or a removal, the python application must be restarted to updates the UHID devices available.
/dev/uhid
handling took a lot of notes from https://github.com/BryanJacobs/fido2-hid-bridge but was rewritten significantly.