-
-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verifying assertion #27
Comments
I've only used the hmac-secret extension part, so I'm not sure. The library is meant to wrap and follow the libfido2 library as closely as possible, so you might want to look there? |
FWIW, I saw a strange thing parsing AuthDataCBOR. So, For v1.5.3 of go-libfido2, the auth data from an assertion is released as,
Where This is all fine, but for the same yubikey, when I try to get assertions via python-fido2 and libfido2, I see that the auth data bytes are released as,
Notice that the first 2 bytes are missing. I looked around and this seems like the diagnostic representation, without the header. I am not sure if this is intentional for fido2. From what I can tell, the go-libfido2 is doing what's write with annotating the type and length before the value. What's more confusing is that, from the code, all I see is CGO passing the bytes to Go from the libfido2 bindings. So supposedly Go runtime isn't doing anything funky with the output. I had faced similar problem when trying to decode the public key exported from libfido2. The EC256 points were just stacked on top of each other without any information or encoding. I had to add a byte to tell the Go stdlib that it's an EC key and is in the uncompressed format with the 0x04 preceding byte. |
So I went around the libfido2 code, I think the data serialization on the interface between the security key and the platform is CBOR. The platform can then decide to do whatever with it. So, assuming that the output from libfido2 is CBOR is incorrect. The question still remains though, how is go-libfido2 producing valid CBOR with type and length information when it's just FFI calling libfido2. |
Hi,
Do you have any examples or pointers on verifying assertion ?
If i understand correctly, AuthDataCBOR needs to be decoded from CBOR, but im unsure how to parse the data structure is inside.
Also since there is no challenge being generated when we make the assertion, what do we verify ?
Do i also need to ed25519.Verify something using .Sig and the public key ?
I was under assumption that there is random challenge that gets provided to the token, which then returns the encrypted challenge which gets verified afterwards.
Thanks in advance!
The text was updated successfully, but these errors were encountered: