fido-authenticator: authenticatorGetAssertion does not work with hmac-secret extension #14

Closed
robin-nitrokey opened this issue Nov 4, 2021 · 1 comment · Fixed by #16
@robin-nitrokey
Member

Trying to use the authenticatorGetAssertion command with the hmac-secret extension causes a CTAP2_ERR_INVALID_CBOR error.

For example using the hmac-secret.py example from python-fido2:

$ python3 hmac_secret.py 
no pin

Touch your authenticator device now...

New credential created, with the HmacSecret extension.
Authenticate with salt: b'9b17deb11321cdb10b56d8b75c85125a0e5627440892ef067fdd9f052c1ffd22'

Touch your authenticator device now...

Traceback (most recent call last):
 File "/home/robin/reps/python-fido2/fido2/client.py", line 690, in get_assertion
   assertions, used_extensions = self._do_get_assertion(
 File "/home/robin/reps/python-fido2/fido2/client.py", line 754, in _ctap2_get_assertion
   assertions = self.ctap2.get_assertions(
 File "/home/robin/reps/python-fido2/fido2/ctap2/base.py", line 857, in get_assertions
   first = self.get_assertion(*args, **kwargs)
 File "/home/robin/reps/python-fido2/fido2/ctap2/base.py", line 829, in get_assertion
   return self.send_cbor(
 File "/home/robin/reps/python-fido2/fido2/ctap2/base.py", line 675, in send_cbor
   raise CtapError(status)
fido2.ctap.CtapError: CTAP error: 0x12 - INVALID_CBOR

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
 File "/home/robin/reps/python-fido2/examples/hmac_secret.py", line 113, in <module>
   result = client.get_assertion(
 File "/home/robin/reps/python-fido2/fido2/client.py", line 704, in get_assertion
   raise _ctap2client_err(e)
fido2.client.ClientError: (<ERR.BAD_REQUEST: 2>, CtapError('CTAP error: 0x12 - INVALID_CBOR'))
@robin-nitrokey robin-nitrokey added the bug Something isn't working label Nov 4, 2021
@robin-nitrokey robin-nitrokey self-assigned this Nov 4, 2021
@robin-nitrokey
Member Author

The problem is that ctap-types does not yet support the new pinUvAuthProtocol(0x04) field in the extension data, see trussed-dev/ctap-types#1.

robin-nitrokey added a commit that referenced this issue Dec 1, 2021
This patch updates the ctap-types and fido-authenticator dependencies to
add support for the pin protocol field in the hmac-secret extension data
so that the authenticatorGetAssertion command works with newer clients.

Fixes #14.
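
A model of the failure described in this thread, as an added example (not code from ctap-types, fido-authenticator or python-fido2): a decoder that only knows hmac-secret keys 1 to 3 rejects the extension map once a client adds pinUvAuthProtocol(0x04), while one that also knows key 4 accepts both old and new clients. The minimal CBOR decoder, the reject-unknown-keys behaviour and the all-zero sample inputs are assumptions made for illustration.

```python
# Added illustration; models a closed-key-set decoder, not the project's actual parser.
INVALID_CBOR = 0x12  # status code seen in the traceback above
FIELDS_BEFORE = {1: "keyAgreement", 2: "saltEnc", 3: "saltAuth"}
FIELDS_AFTER = {**FIELDS_BEFORE, 4: "pinUvAuthProtocol"}

def decode(buf, pos=0):
    """Decode one CBOR item (uint, negative int, byte string, map); return (value, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info <= 27:
        size = 1 << (info - 24)
        if pos + size > len(buf):
            raise ValueError("truncated argument")
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    else:
        raise ValueError("indefinite or reserved length not supported")
    if major in (0, 1):
        return (arg if major == 0 else -1 - arg), pos
    if major == 2:
        if pos + arg > len(buf):
            raise ValueError("truncated byte string")
        return buf[pos:pos + arg], pos + arg
    if major == 5:
        out = {}
        for _ in range(arg):
            key, pos = decode(buf, pos)
            out[key], pos = decode(buf, pos)
        return out, pos
    raise ValueError("major type not needed for this extension")

def parse_hmac_secret(raw, fields):
    """Return (status, named fields); any map key outside `fields` is rejected."""
    try:
        item, end = decode(raw)
    except (ValueError, IndexError, TypeError):
        return INVALID_CBOR, None
    if end != len(raw) or not isinstance(item, dict) or set(item) - set(fields):
        return INVALID_CBOR, None
    return 0x00, {fields[k]: v for k, v in item.items()}

# Constructed sample inputs (all-zero key material, not captured from a device).
COSE_KEY = bytes.fromhex("a5 01 02 03 38 18 20 01 21 58 20") + bytes(32) + bytes.fromhex("22 58 20") + bytes(32)
BODY = b"\x01" + COSE_KEY + b"\x02\x58\x20" + bytes(32) + b"\x03\x50" + bytes(16)
OLD_CLIENT = b"\xa3" + BODY                # keys 1-3 only
NEW_CLIENT = b"\xa4" + BODY + b"\x04\x01"  # adds pinUvAuthProtocol(0x04) = 1
```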