Concatenated certs in single cert of the FIDO blob jwt


Josh Peachey

May 19, 2025, 3:15:08 PM
to FIDO Dev (fido-dev)
We routinely fetch the FIDO Metadata blob to formulate an allowlist/denylist for FIDO authenticators (e.g. security keys) and use keytool as part of our automated job; however, this fails when there is a cert consisting of multiple concatenated certs with only one ----BEGIN CERTIFICATE ---- start line and a respective end line.

I believe there's a cert for the Feitian FIDO Root CA (perhaps one for Country: US, and another for CN?) in the blob - can you separate these into two separate certs so we can use keytool?

My1

May 19, 2025, 5:40:47 PM
to Josh Peachey, FIDO Dev (fido-dev)
The Metadata blob does not even contain these lines, last time I checked; they only have the part inside, additionally with newlines stripped too.
Are you sure that it's not your library doing this?


However, there certainly are authenticators with multiple certs listed, but then it is usually in the form of an array.

According to the docs each of these represents a valid trust anchor, so you should take the certificates from your authenticator and check if any of these fit.

Do note that some authenticators can have more than one x5c in their chain, which, if you didn't grab it, will cause issues with validating the attestation.


Josh Peachey

May 20, 2025, 7:40:36 AM
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), Josh Peachey
Good point. Taking a closer look, I've found the attestationRootCertificate which is failing, in the decoded blob.jwt:

"[attestationRootCertificate base64 value omitted]",

When I try and parse certs from this base64 data, I'm unable to. See my test script for this attached:
decode_cert.py

My1

May 20, 2025, 8:57:58 AM
to Josh Peachey, FIDO Dev (fido-dev)
Seems to decode in ASN.1.
Maybe there is a difference between "minified PEM" and DER I am not aware of. The parser I use just formats them to proper PEM and then reads them that way.
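The MDS stores each attestationRootCertificates entry as bare base64 DER (no PEM armour, no newlines), so a value holding two concatenated certificates decodes cleanly yet breaks keytool once wrapped in a single PEM block. As an added example that is not code from the thread or from the MDS itself, the check below walks the outer DER SEQUENCE headers to count and split concatenated certificates and re-armours each one as PEM; the sample DER at the bottom is constructed filler for the test, not a real certificate.

```python
import base64
import textwrap


def der_tlv_length(buf: bytes, offset: int) -> int:
    """Total size (header + content) of the DER TLV starting at buf[offset].

    An X.509 certificate is one outer SEQUENCE (tag 0x30), so its length tells us
    exactly where a following concatenated certificate, if any, would begin.
    """
    if buf[offset] != 0x30:
        raise ValueError(f"expected SEQUENCE tag 0x30 at offset {offset}, got 0x{buf[offset]:02x}")
    first = buf[offset + 1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    num_len_bytes = first & 0x7F          # long form: 0x8N followed by N length bytes
    if num_len_bytes == 0 or num_len_bytes > 4:
        raise ValueError("unsupported DER length encoding")
    content_len = int.from_bytes(buf[offset + 2:offset + 2 + num_len_bytes], "big")
    return 2 + num_len_bytes + content_len


def split_der_certs(b64: str) -> list:
    """Decode an MDS-style base64 DER value and return one bytes object per
    certificate; a well-formed entry yields exactly one, a concatenated entry
    yields several, and trailing junk raises instead of being silently ignored."""
    der = base64.b64decode(b64, validate=True)
    certs, offset = [], 0
    while offset < len(der):
        size = der_tlv_length(der, offset)
        if offset + size > len(der):
            raise ValueError(f"truncated certificate data at offset {offset}")
        certs.append(der[offset:offset + size])
        offset += size
    return certs


def to_pem(der: bytes) -> str:
    """Wrap a single DER certificate in the PEM armour keytool expects."""
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample data (NOT real certificates): a short-form SEQUENCE and a
# long-form SEQUENCE with 130 bytes of content, concatenated as the broken MDS
# entry was.  A pipeline would alert whenever len(split_der_certs(v)) != 1.
SAMPLE_CERT_A = bytes.fromhex("3003020101")
SAMPLE_CERT_B = b"\x30\x81\x82" + b"\x00" * 130
SAMPLE_CONCATENATED_B64 = base64.b64encode(SAMPLE_CERT_A + SAMPLE_CERT_B).decode("ascii")
```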

Skybird Le

May 21, 2025, 12:32:22 PM
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), Josh Peachey
Sorry for this issue. I have asked the FIDO Alliance for help; hopefully this can be solved rapidly.

Skybird Le

May 22, 2025, 3:39:55 AM
to FIDO Dev (fido-dev), Skybird Le, My1, FIDO Dev (fido-dev), Josh Peachey
MDS has been updated, please check again.

J P

May 22, 2025, 7:20:57 AM
to FIDO Dev (fido-dev), Skybird Le, My1, FIDO Dev (fido-dev)
Great. Our pipeline is now working, with some amendments to alert if this happens again. Will let you know if it does.

Thank you!

小老虎

Jun 10, 2025, 3:13:16 AM
to skybi...@gmail.com, fido...@fidoalliance.org, teamhyd...@gmail.com, joshpe...@gmail.com

Oracle X

Jun 19, 2025, 10:04:00 AM
to 小老虎, skybi...@gmail.com, fido...@fidoalliance.org, teamhyd...@gmail.com, joshpe...@gmail.com