Opensource U2F USB token implementation


Aviv Greenberg

May 30, 2016, 2:59:21 AM
to FIDO Dev (fido-dev)
Hi,

I am working on a "weekend project" to implement a USB U2F token using an STM32 Discovery board.
I used the mbedtls library for all the crypto stuff (EC signing, SHA-256, AES, etc.). I already have the device enumerating, and register/authenticate/version messages working fine (as far as I can tell).

2 questions:

1) Is there interest in releasing the code to the public?
2) How should I test my token given that my attestation public key is not CA-signed (does not verify)?

Right now register fails on the server with:
raise Exception('Attestation signature verification failed!')

Is there a test cert I can use for testing? Any suggestions are welcome.

Fred Le Tamanoir

Jun 1, 2016, 5:28:46 AM
to Aviv Greenberg, FIDO Dev (fido-dev)
Hi, thanks for promoting open source on your weekends :)
IMHO, there is always interest in releasing code, but that may be a personal view...

Regarding attestation signature:

You can test your "homemade" token on nearly every already deployed U2F server, since nearly no service will reject your token because there is a problem with the attestation certificate (nobody seems to really care about that for now... and there is no central/official space to post/pick manufacturers' pub keys...). So... you can generate your own keys, or for fun you can even use the attestation key/cert example from the raw data document; some servers may identify you as an old "gnubby" key: https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-raw-message-formats.html

By the way, I own a few ST Discovery cards too... so I'll be pleased to test your released code.


Ackermann Yuriy

Jun 1, 2016, 5:39:09 AM
to Fred Le Tamanoir, Aviv Greenberg, FIDO Dev (fido-dev)
I am interested in the source code :) I think generally we need to put more U2F-related code online, so newbies can come and try. When I started to play with U2F I found there were no good U2F server examples. So I made my own: https://github.com/herrniemand/Flask-U2F-DEMO
I would be keen to look at the controller implementation.

As to key attestation, you just have to generate an X.509 cert for your key, and sign every response. There is no authority for checking certs yet in place, so no verification will be done.

Ackermann Yuriy
Developer
e: ackerma...@gmail.com
g: @herrniemand
w: https://nieman.de/


Aviv Greenberg

Jun 1, 2016, 3:07:51 PM
to Ackermann Yuriy, Fred Le Tamanoir, FIDO Dev (fido-dev)
Thanks!

I will post the code on GitHub this weekend and send the details to the mailing list.
Thanks to some of the comments and emails I got, I was able to test my code and fix some bugs :) and now the device can successfully register and authenticate using the various online testers.
The problem wasn't my attestation key, it was just a badly formatted response.

--Aviv
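Two points in this thread are worth pinning down in code: Ackermann's note that the token only has to sign every response with its attestation key, and Aviv's finding that the server's "Attestation signature verification failed!" was really a badly formatted registration response. The following is an added example, not code from this thread or from the stm32-u2f project. It parses a U2F registration response the way a relying-party server must before it can verify anything, using the field layout from the FIDO U2F raw message formats document linked above, and assembles the exact byte string the attestation key must have signed. The certificate and signature bytes in the sample are constructed placeholders with valid DER framing only; they are not a real X.509 certificate or ECDSA signature, and the final ECDSA-P256 check against the certificate's public key (the step the server exception comes from) is left to a crypto library.

```python
"""U2F registration response: parsing and attestation signed-data assembly.

Response layout (U2F raw message formats):
  0x05 | user public key (65 bytes, uncompressed P-256 point)
       | key handle length (1 byte) | key handle
       | attestation certificate (X.509, DER) | ECDSA signature (DER)

The certificate carries no explicit length field in the response, so the
server has to read the DER SEQUENCE header to find where the signature starts.
A response that gets this wrong fails as "bad signature" on servers that do
not check framing first.

Attestation signature input:
  0x00 | SHA-256(appId) | SHA-256(clientData) | key handle | user public key
"""
import hashlib
from dataclasses import dataclass


@dataclass
class RegistrationResponse:
    user_public_key: bytes
    key_handle: bytes
    attestation_cert: bytes
    signature: bytes


def der_element_length(data: bytes, offset: int = 0) -> int:
    """Total encoded size (tag + length bytes + content) of the DER element
    starting at `offset`. Supports short and long-form lengths up to 4 bytes."""
    if len(data) < offset + 2:
        raise ValueError("truncated DER header")
    first = data[offset + 1]
    if first < 0x80:
        return 2 + first
    num_len_bytes = first & 0x7F
    if num_len_bytes == 0 or num_len_bytes > 4:
        raise ValueError("unsupported DER length encoding")
    end = offset + 2 + num_len_bytes
    if len(data) < end:
        raise ValueError("truncated DER length")
    content_len = int.from_bytes(data[offset + 2:end], "big")
    return 2 + num_len_bytes + content_len


def parse_registration_response(resp: bytes) -> RegistrationResponse:
    """Split a registration response into its fields, rejecting bad framing."""
    if not resp or resp[0] != 0x05:
        raise ValueError("reserved byte is not 0x05")
    if len(resp) < 1 + 65 + 1:
        raise ValueError("response too short")
    pub = resp[1:66]
    if pub[0] != 0x04:
        raise ValueError("user public key is not an uncompressed point")
    kh_len = resp[66]
    kh_end = 67 + kh_len
    if len(resp) < kh_end:
        raise ValueError("key handle truncated")
    key_handle = resp[67:kh_end]
    if len(resp) < kh_end + 2 or resp[kh_end] != 0x30:
        raise ValueError("attestation certificate must start with a DER SEQUENCE")
    cert_end = kh_end + der_element_length(resp, kh_end)
    if len(resp) < cert_end:
        raise ValueError("attestation certificate truncated")
    cert = resp[kh_end:cert_end]
    sig = resp[cert_end:]
    if not sig or sig[0] != 0x30:
        raise ValueError("signature missing or not a DER SEQUENCE")
    if der_element_length(sig) != len(sig):
        raise ValueError("signature length does not match remaining bytes")
    return RegistrationResponse(pub, key_handle, cert, sig)


def build_registration_response(user_public_key: bytes, key_handle: bytes,
                                attestation_cert: bytes, signature: bytes) -> bytes:
    """Token-side assembly of the same layout (what the device returns)."""
    if len(user_public_key) != 65 or len(key_handle) > 255:
        raise ValueError("bad field sizes")
    return (b"\x05" + user_public_key + bytes([len(key_handle)])
            + key_handle + attestation_cert + signature)


def attestation_signed_data(app_id: str, client_data: bytes,
                            r: RegistrationResponse) -> bytes:
    """Bytes the attestation private key must have signed for this response."""
    return (b"\x00"
            + hashlib.sha256(app_id.encode()).digest()
            + hashlib.sha256(client_data).digest()
            + r.key_handle
            + r.user_public_key)


# Constructed sample: structurally valid framing, placeholder contents.
SAMPLE_PUB = b"\x04" + bytes(range(64))                  # not a real curve point
SAMPLE_KH = b"\x11" * 40                                 # constructed key handle
SAMPLE_CERT = b"\x30\x03\x02\x01\x01"                    # SEQUENCE { INTEGER 1 }
SAMPLE_SIG = b"\x30\x06\x02\x01\x01\x02\x01\x02"         # SEQUENCE { INTEGER 1, INTEGER 2 }
SAMPLE_RESPONSE = build_registration_response(SAMPLE_PUB, SAMPLE_KH, SAMPLE_CERT, SAMPLE_SIG)

if __name__ == "__main__":
    parsed = parse_registration_response(SAMPLE_RESPONSE)
    data = attestation_signed_data("https://example.invalid", b"{}", parsed)
    print(len(parsed.attestation_cert), len(parsed.signature), len(data))
```

Parsing this way before attempting verification turns a framing mistake (wrong key handle length byte, a certificate not starting with a DER SEQUENCE, stray trailing bytes) into a specific error instead of a generic signature failure, which is what made Aviv's bug look like an attestation-key problem.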

Aviv Greenberg

Jun 5, 2016, 4:23:59 AM
to Ackermann Yuriy, Fred Le Tamanoir, FIDO Dev (fido-dev)
Here we go:
https://github.com/avivgr/stm32-u2f/

The readme has details about the HW setup. Patches and comments are welcome!

Thanks,
--Aviv