Yubico/libfido2

Using 0x0a as credential management command instead of 0x41

Jun-Amane opened this issue · 4 comments

Hey there,
When I am using Google OpenSK with this library, it turns out that this library uses 0x41 as the credential management command (CTAP_CBOR_CRED_MGMT_PRE) instead of 0x0a (the authenticatorCredentialManagement command of CTAP).
I am wondering if "CTAP_CBOR_CRED_MGMT_PRE" could be changed from 0x41 to 0x0a to avoid conflicting commands and support more devices.
Looking forward to your earliest convenience.

Jun.

Transitioning from 0x41 to 0x0a is unlikely, as there are devices in the field that understand 0x41 but not 0x0a. We should ideally adapt the command byte according to what the key advertises (0x41 for CTAP FIDO_2_1_PRE, and 0x0a for FIDO_2_1, which I suppose is the case of OpenSK). That said, it would probably make sense for OpenSK to understand 0x41 as well, for similar reasons (in the understanding that 0x41 is effectively burnt forever).

ia0 commented

Thanks for your response, @martelletto! Do I understand correctly that the only difference in credential management when using libfido2 compared to the standard is from the command byte? In other words, handling 0x0a and 0x41 with the same logic (same CBOR request, response, and processing) would make a FIDO_2_1-compliant device work with libfido2 credential management?

Hi @ia0, yes, that should be the case (modulo a bug in libfido2's credman.c).

ia0 commented

Sounds good, thanks for the quick response!
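The selection discussed in this thread (0x41 for keys advertising FIDO_2_1_PRE, 0x0a for FIDO_2_1, same request and response handling either way) can be sketched as follows. This is an added example, not libfido2 code: the function and macro names are hypothetical, the version list is passed as a plain string array, and preferring 0x0a when a key lists both versions is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 0x41 is the value the thread gives for CTAP_CBOR_CRED_MGMT_PRE. */
#define EX_CRED_MGMT_PRE 0x41
/* 0x0a is authenticatorCredentialManagement; this macro name is hypothetical. */
#define EX_CRED_MGMT     0x0a

/*
 * Pick the credential management command byte from the version strings a key
 * reports. Returns the byte, or -1 if neither version is advertised.
 * Exact comparison matters: "FIDO_2_1" is a prefix of "FIDO_2_1_PRE", so a
 * strncmp() or strstr() match would send 0x0a to a preview-only key.
 */
static int
ex_credman_cmd(const char *const *versions, size_t n)
{
	int has_final = 0, has_pre = 0;

	if (versions == NULL)
		return -1;
	for (size_t i = 0; i < n; i++) {
		if (versions[i] == NULL)
			continue;
		if (strcmp(versions[i], "FIDO_2_1") == 0)
			has_final = 1;
		else if (strcmp(versions[i], "FIDO_2_1_PRE") == 0)
			has_pre = 1;
	}
	if (has_final)
		return EX_CRED_MGMT;     /* assumption: standard byte wins if both */
	if (has_pre)
		return EX_CRED_MGMT_PRE;
	return -1;                       /* credential management not advertised */
}

int
main(void)
{
	/* Constructed sample version list, not captured from a real device. */
	const char *const pre_only[] = { "U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE" };

	printf("command byte: 0x%02x\n", (unsigned)ex_credman_cmd(pre_only, 3));
	return 0;
}
```

Only the command byte changes; the caller would build the same CBOR request for either value.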