FIDO2 support in RIOT #16489
Merged
FIDO2 support in RIOT #16489
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Ollrogge
requested review from
aabadie,
cgundogan,
fjmolinas,
jia200x,
leandrolanzieri,
MichelRottleuthner and
smlng
as code owners
github-actions
bot
added
Area: build system
leandrolanzieri
added
Area: security
|
thanks @Ollrogge for this nice contribution! |
My implementation doesn't support all the features yet that the solokeys testcases test. |
PeterKietzmann
requested changes
May 25, 2021
PeterKietzmann
requested changes
May 26, 2021
PeterKietzmann
requested changes
May 26, 2021
|
Initial testing:
this output |
I only ever got this error when I didn't wait long enough before pressing enter after a device reboot. The connection between authenticator and host has not been reestablished yet, therefore no device can be found. Could you run the tests again and wait a little longer after a reboot ? |
|
Okay, much better! I waited ~10 seconds now after each reboot. One failure remaining, can you check: this output |
github-actions
bot
added
Area: doc
I also get this error. This one originates in the USB layer I think. I have not yet been able to fix this one. |
There was a problem hiding this comment.
@Ollrogge thanks for addressing my comments! Here are some responses to the open discussions. Next, I will run the tests again, and start a fresh review round
| /** | ||
| * @brief MakeCredential method | ||
| * | ||
| * CTAP specification (version 20190130) section 5.1 |
There was a problem hiding this comment.
There are (still) multiple occurrences of "CTAP2" in your code (for example in line 35 of this file). Please correct them. I wanted to say that you should also check new files&folders for usage of "CTAP2" instead of "CTAP"
|
Short notice: I've tested again with the nrf52840dk.
this output |
Will do today :) In my opinion the second solution you proposed is the best ? |
|
I would like to merge this PR soon, knowing that there is follow-up work. What is the state of this discussion? @benpicco, do you see your other comments addressed? @Ollrogge I think you can squash already your latest commits. |
PeterKietzmann
removed
the
CI: ready for build
|
Tested kconfig with nrf52840dk with this change applied to the test file: diff --git a/tests/sys_fido2_ctap/main.c b/tests/sys_fido2_ctap/main.c
index 31ffbc44ef..ac5f5b24da 100644
--- a/tests/sys_fido2_ctap/main.c
+++ b/tests/sys_fido2_ctap/main.c
@@ -25,12 +25,35 @@
#include "xtimer.h"
-#include "fido2/ctap.h"
+#include "fido2/ctap/ctap.h"
+#include "fido2/ctap/ctap_mem.h"
+#include "fido2/ctap/transport/hid/ctap_hid.h"
#include "fido2/ctap/transport/ctap_transport.h"
int main(void)
{
/* sleep in order to see early DEBUG outputs */
xtimer_sleep(3);
+ printf("CTAP_STACKSIZE: %i\n", CTAP_STACKSIZE);
+ printf("CTAP_AAGUID: %s\n", CTAP_AAGUID);
+#if IS_ACTIVE(CONFIG_FIDO2_CTAP_DISABLE_UP)
+ printf("CONFIG_FIDO2_CTAP_DISABLE_UP: %i\n", CONFIG_FIDO2_CTAP_DISABLE_UP);
+#endif
+#if IS_ACTIVE(CONFIG_FIDO2_CTAP_DISABLE_LED)
+ printf("CONFIG_FIDO2_CTAP_DISABLE_LED: %i\n", CONFIG_FIDO2_CTAP_DISABLE_LED);
+#endif
+ printf("CTAP_UP_TIMEOUT: %lu\n", CTAP_UP_TIMEOUT);
+#if IS_ACTIVE(CONFIG_FIDO2_CTAP_UP_BUTTON_PORT)
+ printf("CONFIG_FIDO2_CTAP_UP_BUTTON_PORT: %i\n", CONFIG_FIDO2_CTAP_UP_BUTTON_PORT);
+#endif
+#if IS_ACTIVE(CONFIG_FIDO2_CTAP_UP_BUTTON_PIN)
+ printf("CONFIG_FIDO2_CTAP_UP_BUTTON_PIN: %i\n", CONFIG_FIDO2_CTAP_UP_BUTTON_PIN);
+#endif
+ printf("CTAP_UP_BUTTON: %i\n", CTAP_UP_BUTTON);
+ printf("CTAP_UP_BUTTON_MODE: %i\n", CTAP_UP_BUTTON_MODE);
+ printf("CTAP_UP_BUTTON_FLANK: %i\n", CTAP_UP_BUTTON_FLANK);
+ printf("CTAP_FLASH_START_PAGE: %i\n", CTAP_FLASH_START_PAGE);
+ printf("CTAP_HID_TRANSACTION_TIMEOUT: %lu\n", CTAP_HID_TRANSACTION_TIMEOUT);
+
fido2_ctap_transport_init();
}
Before config change After config change (had to fix this to make compile) |
|
For the HID part |
|
Registration and login works with webauthn.io (using chrome). I've created 6 accounts exemplarily, un-powered the device, powered it up again and successfully logged in. Registration: |
|
nrf52840dk unit test with disabled user presence ( outputnrf52840dk unit test with enabled user presence ( output--> pass |
PeterKietzmann
added
Reviewed: 1-fundamentals
|
ACK from my side. Please address the latest documentation fixes (in a single commit). You can squash the rest already |
|
OK, please squash |
PeterKietzmann
added
CI: ready for build
|
I executed again some functional tests on webauthn.io and the solokeys tests (without user presence) after the squash -> everything still works well. My ACK holds if Murdock agrees. |
PeterKietzmann
approved these changes
Sep 8, 2021
|
So many green lights, finally! Lets do this, ACK and go |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Contribution description
This PR adds support for the Fast Identity Online 2 (FIDO2) specification in RIOT. FIDO2 is an authentication standard that seeks to solve the password problem by enabling passwordless authentication. FIDO2 consists of the W3C Web Authentication specification (WebAuthn) and the Client to Authenticator Protocol (CTAP).
This PR adds a basic implementation of the CTAP protocol. CTAP is an application layer protocol for the communication between an authenticator and host. Most of the time an authenticator is either a mobile device or security key like YubiKey.
As of now not many websites support the passwordless login flow added by the second version of the FIDO standard. Therefore future PR's will add the backward compatibility to FIDO1 in order to enable the usage of this implementation as part of 2FA authentication flows.
Testing procedure
tests/sys_fido2_ctapIssues/PRs references