fido2-cred verify fails when enabling hmac-secret or credential protection options
prateeknischal opened this issue · 4 comments
What version of libfido2 are you using?
$ brew list --versions libfido2
libfido2 1.11.0
What operating system are you running?
$ uname -sv
Darwin Darwin Kernel Version 21.5.0: Tue Apr 26 21:08:22 PDT 2022; root:xnu-8020.121.3~4/RELEASE_X86_64
What application are you using in conjunction with libfido2?
Directly using the libfido2 library and fido2-cred.
How does the problem manifest itself?
When creating a resident credential with hmac-secret enabled and protection set to 0x2, the credential is created. When I try to verify the credential using fido2-cred -V to get the public key, it fails with fido2-cred: fido_cred_verify: FIDO_ERR_INVALID_PARAM
Is the problem reproducible?
Yes
What are the steps that lead to the problem?
$ DEVICE="ioreg://$(fido2-token -L | grep FIDO | cut -d':' -f 2 | tr -d '/')"
$ echo credential challenge | openssl sha256 -binary | base64 > cred_param
$ echo relying party >> cred_param
$ echo user name >> cred_param
$ dd if=/dev/urandom bs=1 count=32 | base64 >> cred_param
$ fido2-cred -M -i cred_param -h -r -c2 $DEVICE | fido2-cred -V -o cred
This can be tried with any combination of -h or -c2; it fails the verification and I am not able to get the public key out.
Does the problem happen with different authenticators?
Haven't tried.
Please include the output of fido2-token -L.
$ fido2-token -L
ioreg://4294969446: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
Please include the output of fido2-token -I.
$ fido2-token -I <device>
proto: 0x02
major: 0x05
minor: 0x04
build: 0x03
caps: 0x0d (wink, cbor, nomsg)
version strings: FIDO_2_0, FIDO_2_1_PRE
extension strings: credProtect, hmac-secret
transport strings: usb
algorithms: es256 (public-key), eddsa (public-key)
aaguid: ee882879721c491397753dfcce97072a
options: rk, up, noplat, clientPin, credentialMgmtPreview
maxmsgsiz: 1200
maxcredcntlst: 8
maxcredlen: 128
maxlargeblob: 0
fwversion: 0x50403
pin protocols: 2, 1
pin retries: 8
uv retries: undefined
Please include the output of FIDO_DEBUG=1.
# fido-cred is the file created above
$ FIDO_DEBUG=1 fido2-cred -M -i cred_param -h -r -c2 ioreg://4294969446 | FIDO_DEBUG=1 fido2-cred -V -o cred
fido_check_flags: flags=c5
fido_check_flags: up=2, uv=0
fido_cred_verify: check_extensions
fido2-cred: fido_cred_verify: FIDO_ERR_INVALID_PARAM
Hi,
When verifying the credential, fido2-cred needs to be told what extensions to expect in the authenticator data. If you try passing -h and -c2 also to the fido2-cred -V call, it should verify successfully.
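As an added example (not libfido2's code, nor anything from the thread), this C program walks a constructed CTAP2 authenticator-data blob to its flags byte and extensions map and applies the rule LDVG describes: verification fails unless the extensions present in authData are exactly those the verifier was told to expect with -h / -c2. It assumes a hand-built sample (dummy rpIdHash, credential id and key coordinates; the AAGUID is the one from the fido2-token -I output above; the extension map encodes credProtect=2 and hmac-secret=true), its own ERR_INVALID_PARAM constant in place of FIDO_ERR_INVALID_PARAM, and a check modelled on the thread's description rather than copied from libfido2.

```c
/* Added example, not libfido2 code: the extension-set check that fails in this issue, on a constructed authData. */
#include <stdint.h>
#include <string.h>

enum { FLAG_AT = 0x40, FLAG_ED = 0x80,            /* authData flags: attested cred data, extensions */
       EXT_HMAC_SECRET = 1, EXT_CRED_PROTECT = 2, /* extension mask bits */
       ERR_INVALID_PARAM = -2 };                  /* stand-in for FIDO_ERR_INVALID_PARAM */
/* Skip one CBOR item (1-byte lengths at most); returns bytes consumed, 0 if malformed. */
static size_t cbor_skip(const uint8_t *p, size_t n) {
    if (n == 0) return 0;
    uint8_t mt = p[0] >> 5, ai = p[0] & 0x1f;
    size_t hdr = 1, val = ai, len, k = 0;
    if (ai == 24 && n >= 2) { val = p[1]; hdr = 2; }
    else if (ai >= 24) return 0;                               /* longer or indefinite: unsupported */
    if (mt < 2 || mt == 7) return hdr;                         /* uint, negint, simple/bool */
    if (mt == 6) return 0;                                     /* tags: not needed here */
    if (mt < 4) return n - hdr >= val ? hdr + val : 0;         /* bstr, tstr */
    for (len = hdr, val *= (mt == 5) ? 2 : 1; val > 0; val--, len += k) /* array / map members */
        if ((k = cbor_skip(p + len, n - len)) == 0) return 0;
    return len;
}

/* Extension mask carried in authData, or ERR_INVALID_PARAM on mismatch with `expected` or malformed input. */
int check_authdata_extensions(const uint8_t *ad, size_t n, int expected) {
    if (n < 37) return ERR_INVALID_PARAM;                  /* rpIdHash(32) flags(1) signCount(4) */
    uint8_t flags = ad[32]; size_t off = 37, k, klen; int found = 0;
    if (flags & FLAG_AT) {                                 /* aaguid(16) credIdLen(2) credId COSE key */
        if (n < off + 18) return ERR_INVALID_PARAM;
        off += 18 + (((size_t)ad[off + 16] << 8) | ad[off + 17]);
        if (off > n || (k = cbor_skip(ad + off, n - off)) == 0) return ERR_INVALID_PARAM;
        off += k;
    }
    if (flags & FLAG_ED) {                                 /* extensions: small map with tstr keys */
        if (off >= n || (ad[off] >> 5) != 5 || (ad[off] & 0x1f) > 23) return ERR_INVALID_PARAM;
        for (size_t pairs = ad[off++] & 0x1f; pairs > 0; pairs--, off += k) {
            if (off >= n || (ad[off] >> 5) != 3 || (klen = ad[off] & 0x1f) > 23 || off + 1 + klen > n)
                return ERR_INVALID_PARAM;
            const char *key = (const char *)ad + off + 1;  /* unknown keys are skipped, not counted */
            if (klen == 11 && !memcmp(key, "hmac-secret", 11)) found |= EXT_HMAC_SECRET;
            if (klen == 11 && !memcmp(key, "credProtect", 11)) found |= EXT_CRED_PROTECT;
            off += 1 + klen;
            if ((k = cbor_skip(ad + off, n - off)) == 0) return ERR_INVALID_PARAM; /* skip the value */
        }
    }
    if (off != n || found != expected) return ERR_INVALID_PARAM;   /* trailing bytes or mismatch */
    return found;
}

/* Constructed sample like the issue's credential: AAGUID from fido2-token -I, dummy rpIdHash/credId/coords, optional extensions. */
size_t build_sample_authdata(uint8_t *out, int with_ext) {
    static const char aaguid[] = "\xee\x88\x28\x79\x72\x1c\x49\x13\x97\x75\x3d\xfc\xce\x97\x07\x2a";
    static const char ext[] = "\xa2\x6b" "credProtect" "\x02\x6b" "hmac-secret" "\xf5";
    size_t off = 0;
    memset(out, 0x11, 32); off += 32;                                 /* rpIdHash (dummy) */
    out[off++] = with_ext ? 0xc5 : 0x45;                              /* UP|UV|AT, plus ED with extensions */
    memcpy(out + off, "\x00\x00\x00\x02", 4); off += 4;               /* signCount */
    memcpy(out + off, aaguid, 16); off += 16;
    memcpy(out + off, "\x00\x04\xde\xad\xbe\xef", 6); off += 6;       /* credIdLen = 4, credId (dummy) */
    memcpy(out + off, "\xa5\x01\x02\x03\x26\x20\x01\x21\x58\x20", 10); off += 10; /* COSE EC2 P-256 key, x: */
    memset(out + off, 0x41, 32); off += 32;
    memcpy(out + off, "\x22\x58\x20", 3); off += 3; memset(out + off, 0x42, 32); off += 32; /* y */
    if (with_ext) { memcpy(out + off, ext, 27); off += 27; }
    return off;
}

/* Build the sample with or without extensions and verify it against `expected`. */
int demo_case(int with_ext, int expected) {
    uint8_t buf[256];
    return check_authdata_extensions(buf, build_sample_authdata(buf, with_ext), expected);
}
```

demo_case(1, 0) is the situation in the issue: authData carries both extensions but the verifier was told to expect none.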
Hi @LDVG,
Ah, that's a stupid miss on my part. I was under the impression that the assertion payload would have those flags included. Another question on this: I am trying to verify something similar. I am able to perform a make credential call and I see the credential using fido2-token -L -r, but when I try to verify it using fido_cred_verify, the step to set authenticator data fails with FIDO_ERR_INVALID_ARGUMENT.
char *b64_authdata = nullptr;
// fido_cred_authdata_ptr() returns a pointer into the cred object's own buffer;
// it stays valid only until the cred is freed or its authdata is reset.
const unsigned char *auth = fido_cred_authdata_ptr(cred);
const size_t auth_len = fido_cred_authdata_len(cred);
base64_encode(reinterpret_cast<const void *>(auth), auth_len, &b64_authdata);
VLOG(1) << "Authdata: " << b64_authdata;
This works and prints the authdata.
Output:
Authdata: WLRUKjf0XLTxLltZWfgIB71+hXc8cLMR1G8J+zNID34Ab0UAAAAD7ogoeXIcSROXdT38zpcHKgAwbJG4faWiByP7ggZfS9/qkUnhQriWKVyuPvEzvKVKBnHZmWG2Y7XlUWti1fP0zlKlpQECAyYgASFYIGyRuH2logcj+4IGX0tOsk3UbFbwMBPRGmovbKBs2ZtZIlggoACpNQdTEioGTh2btgKGzGqn+ca5MJi05mv59/SKG1g=
When I try to perform a verification,
cred = fido_cred_new();
// setting up other values
VLOG(1) << fido_strerr(fido_cred_set_authdata(cred, auth, auth_len)); // returns FIDO_ERR_INVALID_ARGUMENT
Output with FIDO_DEBUG=1
cbor_bytestring_copy: cbor type
fido_cred_set_authdata: fido_blob_decode
I20220713 17:28:36.613642 2286912 fido2.cc:502] FIDO_ERR_INVALID_ARGUMENT
I have verified that cbor_isa_bytestring returns true and the length is _CBOR_METADATA_DEFINITE.
Is there something I am missing? I read the docs and they say I could pretty much use the same blob from the created cred and set it for verification.
UPDATE
When I try to copy the information from the same registration into a file and send it to fido2-cred to verify, it works with the -h -c2 flags.
Got some leads: I am probably shooting myself with memory management.
const unsigned char *auth = fido_cred_authdata_ptr(cred);
const size_t auth_len = fido_cred_authdata_len(cred);
fido_cred_free(&cred);   // frees the buffer auth points into: auth is now a dangling pointer
cred = fido_cred_new();
fido_cred_set_authdata(cred, auth, auth_len); // fails with FIDO_ERR_INVALID_ARGUMENT
(I verified by trying to decode auth as a CBOR object and it worked)
vs
const unsigned char *auth = fido_cred_authdata_ptr(cred);
const size_t auth_len = fido_cred_authdata_len(cred);
// not calling free on the old cred: its buffer (and so auth) stays valid, but the old cred leaks
cred = fido_cred_new();
fido_cred_set_authdata(cred, auth, auth_len); // works!
Making a copy of the original *auth works:
unsigned char *auth_copy = static_cast<unsigned char *>(malloc(auth_len));
memcpy(auth_copy, auth, auth_len);   // copy while the cred that owns auth is still alive
fido_cred_free(&cred);
// and then using auth_copy later (free(auth_copy) when done)
At this point I am replicating the PEM_write_PUBKEY, which just segfaults; this issue is good to close.