
fido2-hid-bridge's Issues

Cannot get bridge to work when security key is protected by a PIN

Hi,

First of all, I want to thank you for your great work and for making it publicly available to everyone! It brings me a huge step closer to using my YubiKey via NFC on Linux, where this setup is unfortunately still not supported by any browser.

I am able to use the bridge with Chrome on Linux as long as the YubiKey (v5, NFC + USB-C) FIDO2 sign-in data is not protected with a PIN. When it is protected with a PIN (as login providers such as Microsoft Azure AD enforce), the PIN-protected key cannot be used at all. I am 100% sure that the PIN I enter is correct.

When the YubiKey is connected via USB I can access the stored FIDO2 data without problems:

[root@localhost ~]# fido2-token -L -r /dev/hidraw14
Enter PIN for /dev/hidraw14:
00: dKbqkhPJnC90siSSsyDPQCYqlMGpUKA5fyklC2CEHvA= webauthn.io

When I use the fido2-hid-bridge:

[root@localhost ~]# fido2-token -L -r /dev/hidraw12
Enter PIN for /dev/hidraw12:
fido2-token: fido_credman_get_dev_rp: FIDO_ERR_PIN_AUTH_INVALID

Similar issues arise when I test FIDO2 using https://webauthn.io. When the credentials are not PIN-protected I can register and authenticate without issues using the bridge. When a PIN is set I can neither register nor authenticate using the bridge. I get asked for the PIN in the browser, press next. Then it takes a second (or a fraction of a second) and I get the message on the website: "The operation either timed out or was not allowed."

Trying to use Chrome to manage the stored sign-in data also fails with "Your security key couldn't be read" when a PIN is set. When I connect it via USB it works as expected. If I then enter a wrong PIN, I do get the message that the PIN is incorrect (as expected).

Here is the log output of the bridge with a successful authorization at webauthn.io using a key without PIN protection:

DEBUG:AsyncioBlockingUHID:device was opened (it now has 1 open instances)
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00ffffffff860008d3f7b904e9c34bb100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:Initial packet 00ffffffff860008d3f7b904e9c34bb100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:CMD INIT CHANNEL ffffffff len 8 (recvd 8) data d3f7b904e9c34bb1
DEBUG:root:INIT on channel b'\xff\xff\xff\xff'
INFO:UHIDDevice:(UHID_INPUT2) send ffffffff860011d3f7b904e9c34bb1f23f485a020100000c00000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00f23f485a900001040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:Initial packet 00f23f485a900001040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:CMD CBOR CHANNEL f23f485a len 1 (recvd 1) data 04
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:root:Sending CBOR to device CtapPcscDevice(PN7362au CCID (1.00) 00 00): b'\x04'
INFO:UHIDDevice:(UHID_INPUT2) send f23f485a9000cc00ac0183665532465f5632684649444f5f325f306c4649444f5f325f315f50524502826b6372656450726f746563746b686d61632d73656372
INFO:UHIDDevice:(UHID_INPUT2) send f23f485a00657403502fc0579f811347eab116bb5a8db9202a04a562726bf5627570f564706c6174f469636c69656e7450696ef47563726564656e7469616c4d
INFO:UHIDDevice:(UHID_INPUT2) send f23f485a01676d7450726576696577f5051904b00682020107080818800982636e6663637573620a82a263616c672664747970656a7075626c69632d6b6579a2
INFO:UHIDDevice:(UHID_INPUT2) send f23f485a0263616c672764747970656a7075626c69632d6b65790d040e1a00050403000000000000000000000000000000000000000000000000000000000000
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00f23f485a90010602a3016b776562617574686e2e696f025820a5a59256a2d8500d3cd824dc2678f8586a6b6125ce128653a1807c2767749aa90383a262696458
DEBUG:root:Initial packet 00f23f485a90010602a3016b776562617574686e2e696f025820a5a59256a2d8500d3cd824dc2678f8586a6b6125ce128653a1807c2767749aa90383a262696458
DEBUG:root:CMD CBOR CHANNEL f23f485a len 262 (recvd 57) data 02a3016b776562617574686e2e696f025820a5a59256a2d8500d3cd824dc2678f8586a6b6125ce128653a1807c2767749aa90383a262696458
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00f23f485a00303733bc51e32c7ac74e6225fd6ac83f29b510c348b008af3ed1ab28106a87e078bee5d79f09e60cdd91f7f6608bcf946964747970656a7075626c
DEBUG:root:After receive, we have 116 bytes out of 262
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00f23f485a0169632d6b6579a2626964583081dc3f85561038f51063e04d9b3b0d3b5446599dc4933bf9f22044178690ff681acd248279b648bf919a4f1093d85e
DEBUG:root:After receive, we have 175 bytes out of 262
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00f23f485a02c064747970656a7075626c69632d6b6579a26269645830e60b4d8169d8c3c3d020efd3b6a4b185732ff34f96fbceffc0473dd79dadb94dda54fc7b
DEBUG:root:After receive, we have 234 bytes out of 262
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00f23f485a030c18c7d7fda2cabef195d74264747970656a7075626c69632d6b657900000000000000000000000000000000000000000000000000000000000000
DEBUG:root:After receive, we have 262 bytes out of 262
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:root:Sending CBOR to device CtapPcscDevice(PN7362au CCID (1.00) 00 00): b"\x02\xa3\x01kwebauthn.io\x02X \xa5\xa5\x92V\xa2\xd8P\r<\xd8$\xdc&x\xf8Xjka%\xce\x12\x86S\xa1\x80|'gt\x9a\xa9\x03\x83\xa2bidX073\xbcQ\xe3,z\xc7Nb%\xfdj\xc8?)\xb5\x10\xc3H\xb0\x08\xaf>\xd1\xab(\x10j\x87\xe0x\xbe\xe5\xd7\x9f\t\xe6\x0c\xdd\x91\xf7\xf6`\x8b\xcf\x94idtypejpublic-key\xa2bidX0\x81\xdc?\x85V\x108\xf5\x10c\xe0M\x9b;\r;TFY\x9d\xc4\x93;\xf9\xf2 D\x17\x86\x90\xffh\x1a\xcd$\x82y\xb6H\xbf\x91\x9aO\x10\x93\xd8^\xc0dtypejpublic-key\xa2bidX0\xe6\x0bM\x81i\xd8\xc3\xc3\xd0 \xef\xd3\xb6\xa4\xb1\x85s/\xf3O\x96\xfb\xce\xff\xc0G=\xd7\x9d\xad\xb9M\xdaT\xfc{\x0c\x18\xc7\xd7\xfd\xa2\xca\xbe\xf1\x95\xd7Bdtypejpublic-key"
INFO:UHIDDevice:(UHID_INPUT2) send f23f485a9000c500a401a2626964583081dc3f85561038f51063e04d9b3b0d3b5446599dc4933bf9f22044178690ff681acd248279b648bf919a4f1093d85ec0
INFO:UHIDDevice:(UHID_INPUT2) send f23f485a0064747970656a7075626c69632d6b657902582574a6ea9213c99c2f74b22492b320cf40262a94c1a950a0397f29250b60841ef00100000015035847
INFO:UHIDDevice:(UHID_INPUT2) send f23f485a01304502204b53d1d5df0ac0676f2661e420f17bc6f54fd8b96cfb41f1ecec430a41a6774d022100baf542f329b67e1355b5961c1322329697d10b5a
INFO:UHIDDevice:(UHID_INPUT2) send f23f485a02ec89290e80c2273277cfaa8504a1626964445a6d397600000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:AsyncioBlockingUHID:device was closed (it now has 0 open instances)

And the failed authorization when using PIN protection:

DEBUG:AsyncioBlockingUHID:device was opened (it now has 1 open instances)
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00ffffffff8600085f91e6242ea9c90b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:Initial packet 00ffffffff8600085f91e6242ea9c90b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:CMD INIT CHANNEL ffffffff len 8 (recvd 8) data 5f91e6242ea9c90b
DEBUG:root:INIT on channel b'\xff\xff\xff\xff'
INFO:UHIDDevice:(UHID_INPUT2) send ffffffff8600115f91e6242ea9c90bfbe8abeb020100000c00000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00fbe8abeb900001040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:Initial packet 00fbe8abeb900001040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:CMD CBOR CHANNEL fbe8abeb len 1 (recvd 1) data 04
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:root:Sending CBOR to device CtapPcscDevice(PN7362au CCID (1.00) 00 00): b'\x04'
INFO:UHIDDevice:(UHID_INPUT2) send fbe8abeb9000cc00ac0183665532465f5632684649444f5f325f306c4649444f5f325f315f50524502826b6372656450726f746563746b686d61632d73656372
INFO:UHIDDevice:(UHID_INPUT2) send fbe8abeb00657403502fc0579f811347eab116bb5a8db9202a04a562726bf5627570f564706c6174f469636c69656e7450696ef57563726564656e7469616c4d
INFO:UHIDDevice:(UHID_INPUT2) send fbe8abeb01676d7450726576696577f5051904b00682020107080818800982636e6663637573620a82a263616c672664747970656a7075626c69632d6b6579a2
INFO:UHIDDevice:(UHID_INPUT2) send fbe8abeb0263616c672764747970656a7075626c69632d6b65790d040e1a00050403000000000000000000000000000000000000000000000000000000000000
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00fbe8abeb90000606a201020201000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:Initial packet 00fbe8abeb90000606a201020201000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:CMD CBOR CHANNEL fbe8abeb len 6 (recvd 6) data 06a201020201
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:root:Sending CBOR to device CtapPcscDevice(PN7362au CCID (1.00) 00 00): b'\x06\xa2\x01\x02\x02\x01'
INFO:UHIDDevice:(UHID_INPUT2) send fbe8abeb90000400a103080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00fbe8abeb90000606a201020202000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:Initial packet 00fbe8abeb90000606a201020202000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:CMD CBOR CHANNEL fbe8abeb len 6 (recvd 6) data 06a201020202
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:root:Sending CBOR to device CtapPcscDevice(PN7362au CCID (1.00) 00 00): b'\x06\xa2\x01\x02\x02\x02'
INFO:UHIDDevice:(UHID_INPUT2) send fbe8abeb90005100a101a501020338182001215820b440277a22df9b934d226422eefb2c4e80ac236ecff30b4614a2f9168aaefaf1225820edbb22834e4350d4
INFO:UHIDDevice:(UHID_INPUT2) send fbe8abeb00a70ee33673974f348aa0ba2f999f1e79bc072338341b12460000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00fbe8abeb90007806a40102020503a5010203381820012158208ddb71a8307e52958de5c155647c058d54d62595d84b6885b81f6408ae34c4972258201891dc18
DEBUG:root:Initial packet 00fbe8abeb90007806a40102020503a5010203381820012158208ddb71a8307e52958de5c155647c058d54d62595d84b6885b81f6408ae34c4972258201891dc18
DEBUG:root:CMD CBOR CHANNEL fbe8abeb len 120 (recvd 57) data 06a40102020503a5010203381820012158208ddb71a8307e52958de5c155647c058d54d62595d84b6885b81f6408ae34c4972258201891dc18
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00fbe8abeb006725225e8045d81d9141a62424a570beb79b84eaf101f6917edff3e60658205d19fed945165ef7dd7dbf3e030a1018f5d3ae2b833ebe31aba841e1
DEBUG:root:After receive, we have 116 bytes out of 120
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00fbe8abeb01c1757aaa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:After receive, we have 120 bytes out of 120
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:fido2.pcsc:Error CardConnectionException('Unable to connect with protocol: T0 or T1. Card is unpowered.')
DEBUG:root:Sending CBOR to device CtapPcscDevice(PN7362au CCID (1.00) 00 00): b'\x06\xa4\x01\x02\x02\x05\x03\xa5\x01\x02\x038\x18 \x01!X \x8d\xdbq\xa80~R\x95\x8d\xe5\xc1Ud|\x05\x8dT\xd6%\x95\xd8Kh\x85\xb8\x1fd\x08\xae4\xc4\x97"X \x18\x91\xdc\x18g%"^\x80E\xd8\x1d\x91A\xa6$$\xa5p\xbe\xb7\x9b\x84\xea\xf1\x01\xf6\x91~\xdf\xf3\xe6\x06X ]\x19\xfe\xd9E\x16^\xf7\xdd}\xbf>\x03\n\x10\x18\xf5\xd3\xae+\x83>\xbe1\xab\xa8A\xe1\xc1uz\xaa'
INFO:UHIDDevice:(UHID_INPUT2) send fbe8abeb900001330000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:AsyncioBlockingUHID:device was closed (it now has 0 open instances)

I'd be very happy if you could point me to an idea of what I might be doing wrong here. I can also provide more logs and test scenarios if needed.
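To see what the bridge is relaying in the failed run above, here is an added example (not code from fido2-hid-bridge or from this issue) that reassembles the logged CTAPHID frames, decodes the CTAP2 CBOR inside them with a minimal decoder, and names the clientPIN subcommand and the authenticator's status byte. The frame lines are copied from the PIN-protected log; the regex, the name tables and the function names are my own assumptions.

```python
import re
# Constructed input: CTAPHID report lines from the PIN-protected run above (getPINRetries + reply, the three-frame getPinToken request, final reply)
LOG = """
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00fbe8abeb90000606a201020201000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
INFO:UHIDDevice:(UHID_INPUT2) send fbe8abeb90000400a103080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00fbe8abeb90007806a40102020503a5010203381820012158208ddb71a8307e52958de5c155647c058d54d62595d84b6885b81f6408ae34c4972258201891dc18
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00fbe8abeb006725225e8045d81d9141a62424a570beb79b84eaf101f6917edff3e60658205d19fed945165ef7dd7dbf3e030a1018f5d3ae2b833ebe31aba841e1
DEBUG:root:GOT MESSAGE (type _ReportType.UHID_OUTPUT_REPORT): 00fbe8abeb01c1757aaa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
INFO:UHIDDevice:(UHID_INPUT2) send fbe8abeb900001330000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
"""
FRAME_RE = re.compile(r"(?:GOT MESSAGE .*: 00|\) send )([0-9a-f]+)$")  # host->bridge lines carry a leading report id 00
NAMES = {0x01: "makeCredential", 0x02: "getAssertion", 0x04: "getInfo", 0x06: "clientPIN"}
PIN_SUB = {1: "getPINRetries", 2: "getKeyAgreement", 5: "getPinToken"}
STATUS = {0x00: "CTAP2_OK", 0x33: "CTAP2_ERR_PIN_AUTH_INVALID"}

def cbor_decode(b, i=0):  # minimal CBOR decoder: uint, negint, bytes, text, array, map, bool/null
    mt, ai, i = b[i] >> 5, b[i] & 0x1F, i + 1
    if ai >= 24:  # only the one/two-byte length forms (24/25) that CTAP2 clientPIN traffic uses
        ai, i = int.from_bytes(b[i:i + ai - 23], "big"), i + ai - 23
    if mt in (0, 1):
        return (ai if mt == 0 else -1 - ai), i
    if mt in (2, 3):
        return (b[i:i + ai] if mt == 2 else b[i:i + ai].decode()), i + ai
    if mt in (4, 5):  # array / map: a map holds 2*n items, paired up below
        items = []
        for _ in range(ai * 2 if mt == 5 else ai):
            v, i = cbor_decode(b, i)
            items.append(v)
        return (dict(zip(items[::2], items[1::2])) if mt == 5 else items), i
    return {(7, 20): False, (7, 21): True, (7, 22): None}[(mt, ai)], i  # tags/floats: KeyError

def describe(src, payload):  # payload of one CTAPHID CBOR (0x10) message
    body = cbor_decode(payload, 1)[0] if len(payload) > 1 else None
    if src == "card":  # response: status byte, then an optional result map
        return src, STATUS.get(payload[0], f"status 0x{payload[0]:02x}"), body
    sub = f" {PIN_SUB.get(body.get(2), '?')} (pinUvAuthProtocol {body.get(1)})" if payload[0] == 0x06 else ""
    return src, NAMES.get(payload[0], f"0x{payload[0]:02x}") + sub, body  # request: command byte, then params

def decode_log(log):  # rebuild CTAPHID messages from the bridge's frame log and decode the CBOR ones
    pending = {}
    for m in filter(None, map(FRAME_RE.search, log.splitlines())):
        src, frame = ("host" if "GOT MESSAGE" in m.string else "card"), bytes.fromhex(m.group(1))
        key = (src, frame[:4])
        if frame[4] & 0x80:  # initialization packet: CID, cmd | 0x80, BE16 length, payload
            pending[key] = [frame[4] & 0x7F, int.from_bytes(frame[5:7], "big"), bytearray(frame[7:])]
        else:  # continuation packet: CID, seq, payload
            pending[key][2] += frame[5:]
        cmd, total, buf = pending[key]
        if len(buf) >= total and cmd == 0x10:
            yield describe(src, bytes(pending.pop(key)[2][:total]))
```

The final one-byte reply decodes to status 0x33 (CTAP2_ERR_PIN_AUTH_INVALID), the same code fido2-token printed, and it is the card's direct answer to the getPinToken request sent with pinUvAuthProtocol 2. Feeding the getInfo reply lines of both runs through the same decoder shows the options map with clientPin false in the first run and true in the second.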

Bridge (or card?) not working anymore

In September, I had installed and set up this bridge for use with my Badgeo FIDO2 card. It had been working quite nicely from within Firefox on Linux. Namely, I used it for 2FA on GitHub, GitLab, Dropbox, etc. Only for Microsoft services (Office 365) did I get an error.

A few months ago (January, I think), GitHub stopped working in the sense that I could register the card as a 2FA device, but it gave an error on login. At that point GitLab and Dropbox were still working. Recently, GitLab and Dropbox also stopped working in the same way GitHub did: registration of the card as a 2FA device works, but I get an error on usage. (GitLab says "There was a problem communicating with your device. (NotAllowedError)".)

I updated the bridge to the latest revision today, but the issue persists. I'm assuming this means either the websites or Firefox (currently at 124.0) changed in a way that makes the setup break. I do not know whether this bridge is in any way involved, but I would like to investigate that. Any help is appreciated.

Support for BLE

I'm working on something very similar, where I'm building a bridge from fido2-hid to Bluetooth Low Energy.

Is that something where you would be willing to join forces/accept a PR so that there is a bridge that supports PCSC and BLE?
