u2f's People

Contributors

franklin-stripe, kurze, okzk, yuvaljoseph

u2f's Issues

u2f.Register error: x509: certificate signed by unknown authority

I'm a student researching the current new authentication technology FIDO, please help.

I tried to run the example; everything is fine until the authentication through the YubiKey, when the JavaScript sends the POST request to the server to sign the challenge.
But the server returns error 500 because of the error "u2f.Register error: x509: certificate signed by unknown authority".

This is the log in the browser:
Object {registrationData: "BQTwrTCRkOgUqTX9biuxvzpcowTbLUoNrwhuy87skfQ5cUfUz7…Up5wIgOkV3RF_k3INbPfEsAa4ay-7k96FUFe5tZns3YTDbIsk", version: "U2F_V2", challenge: "mK7SSh-n9wicGkBM2hX5RlgD45p6tkZfZajeCSrl-2E", appId: "https://localhost:3483", clientData: "eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudC…vY2FsaG9zdDozNDgzIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9"}
jquery-1.11.2.min.js:4 POST https://localhost:3483/registerResponse 500 ()

This is the log in the server:
2016/12/05 17:40:02 registerRequest: &{Version:U2F_V2 Challenge:mK7SSh-n9wicGkBM2hX5RlgD45p6tkZfZajeCSrl-2E AppID:https://localhost:3483}
2016/12/05 17:40:15 u2f.Register error: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Yubico U2F Root CA Serial 457200631")

Thank you very much!! Any help is appreciated!

U2F error code 1 (OTHER_ERROR): device status code: 9210

I am trying to register a u2fzero token and I get the error above. However the device does seem to work with Google and other sites that support u2f. Any idea what a code 9210 might be?

Looks like u2f.register is the source of the error, the u2fRegistered callback is being called with a resp object containing the error.

ClientData verification fails for AppID with subpath

This code

u2f/util.go

Lines 107 to 116 in d21a03e

	foundFacetID := false
	for _, facetID := range challenge.TrustedFacets {
		if facetID == cd.Origin {
			foundFacetID = true
			break
		}
	}
	if !foundFacetID {
		return errors.New("u2f: untrusted facet id")
	}

compares the facetID to be equal to the Origin, as reported by the client. However, the specs say:

If the caller's FacetID is an https:// Origin sharing the same host as the AppID, (e.g. if an application hosted at https://fido.example.com/myApp set an AppID of https://fido.example.com/myAppId), no additional processing is necessary and the operation may proceed.

The check should be modified to reflect that, i.e. accept an Origin sharing the same host as the AppID.

The issue came up here: go-gitea/gitea#10231
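
One way to write the check this issue asks for, as an added example that is not the project's own code: `checkFacet` and `sameHTTPSOrigin` are hypothetical helpers, and "same host" is read strictly as the same https scheme, host and port, ignoring only the AppID's path.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// sameHTTPSOrigin reports whether origin is an https:// origin with the same
// host (and port) as appID. Assumption: "same host" is read strictly as the
// same scheme://host:port; only the AppID's path is ignored.
func sameHTTPSOrigin(appID, origin string) bool {
	a, errA := url.Parse(appID)
	o, errO := url.Parse(origin)
	if errA != nil || errO != nil {
		return false
	}
	if a.Scheme != "https" || o.Scheme != "https" || a.Host == "" {
		return false
	}
	// A web origin carries no path, query, fragment or userinfo.
	if o.Path != "" || o.RawQuery != "" || o.Fragment != "" || o.User != nil {
		return false
	}
	return strings.EqualFold(a.Host, o.Host)
}

// checkFacet (hypothetical helper) accepts the client-reported origin if it is
// listed verbatim in trustedFacets or shares the AppID's https host.
func checkFacet(appID, origin string, trustedFacets []string) error {
	for _, f := range trustedFacets {
		if f == origin {
			return nil
		}
	}
	if sameHTTPSOrigin(appID, origin) {
		return nil
	}
	return errors.New("untrusted facet id")
}

func main() {
	appID := "https://fido.example.com/myAppId" // AppID from the spec excerpt
	for _, o := range []string{"https://fido.example.com", "https://other.example", "http://fido.example.com"} {
		fmt.Println(o, checkFacet(appID, o, []string{appID}))
	}
}
```

The comparison is on the parsed host rather than a string prefix, so an origin such as `https://fido.example.com.other.example` is rejected even though it begins with the AppID's host.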

License clarity

The README and LICENSE for the repository are MIT. However, the files themselves say "all rights reserved" ("ARR"). Those are incompatible; the ARR should be removed if the intention is to license the code under the MIT terms.

Cheers.

/bin/bash: gtkdoc-mktmpl: command not found

Hi,
While compiling the code, I get the following error message:
DOC Rebuilding template files
/bin/bash: gtkdoc-mktmpl: command not found
Makefile:812: recipe for target 'tmpl-build.stamp' failed
make[2]: *** [tmpl-build.stamp] Error 127
make[2]: Leaving directory '/root/libu2f-host/gtk-doc'
Makefile:641: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/root/libu2f-host'
Makefile:552: recipe for target 'all' failed
make: *** [all] Error 2

Registration objects are not immediately serializable

Hey there,

I see you have elected to make a breaking API change to support the new U2F API format, are you open to other breaking changes?

Would be super useful if the objects returned from the API only used Go primitives to simplify serialisation into session or data stores.

For example, the public key and attestation certificates in the Registration structure have to be manually coerced into ASN1 strings to store in a relational database.
This could be wrapped in the API to make the library simpler to use.

I am happy to open a PR if you're open to that idea?

Cheers,

Ryan

Wishlist

Backward compatible:

  • Feature: virtual u2f device package for integration testing

Incompatible, need major version increment:

  • Disable attestation cert verification by default (impossible to keep certs up to date, disabled by default in Chrome)
  • Ability to inject time to aid testing (see #13)

Research:

  • Changes needed for WebAuthn
