
Error while decoding CBOR from device when using Yubikey 5 Nano #10

Closed
arianvp opened this issue Apr 24, 2020 · 9 comments


arianvp commented Apr 24, 2020

This sounds the same as #4; however, for me it's failing even at step 1, generating the credential:

fido2luks credential
authenticator error: Error while decoding CBOR from device.

Device type: YubiKey 5 Nano
Serial number: xxxxxxxxx
Firmware version: 5.2.4
Form factor: Nano (USB-A)
Enabled USB interfaces: OTP+FIDO+CCID

Applications
OTP     	Enabled	
FIDO U2F	Enabled	
OpenPGP 	Enabled	
PIV     	Enabled	
OATH    	Enabled	
FIDO2   	Enabled	
getrandom("\xe7\x29\x0b\x6c\x13\xe4\x98\x49\x7d\xe0\xb3\x8c\xfb\x6a\x70\x27", 16, GRND_NONBLOCK) = 16
openat(AT_FDCWD, "/sys/class/hidraw", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
getdents64(3, /* 9 entries */, 32768)   = 272
openat(AT_FDCWD, "/sys/class/hidraw/hidraw6/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
fcntl(6, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
statx(0, NULL, AT_STATX_SYNC_AS_STAT, STATX_ALL, NULL) = -1 EFAULT (Bad address)
statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
read(6, "\5\f\t\1\241\1\205\1\25\0%\1u\1\t\351\t\352\225\2\201\2\t\265\t\315\t\266\225\3\201\6"..., 4097) = 85
read(6, "", 4012)                       = 0
close(6)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw/hidraw4/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
read(6, "\5\1\t\2\241\1\t\1\241\0\5\t\31\1)\20\25\0%\1\225\20u\1\201\2\5\1\26\1\200&"..., 4097) = 67
read(6, "", 4030)                       = 0
close(6)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw/hidraw2/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
read(6, "\5\1\t\6\241\1\5\7\31\340)\347\25\0%\1u\1\225\10\201\2\225\1u\10\201\1\225\5u\1"..., 4097) = 65
read(6, "", 4032)                       = 0
close(6)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw/hidraw0/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
read(6, "\5\1\t\6\241\1\5\7\31\340)\347\25\0%\1u\1\225\10\201\2\225\1u\10\201\1\225\5u\1"..., 4097) = 71
read(6, "", 4026)                       = 0
close(6)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw/hidraw5/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
read(6, "\5\1\t\6\241\1\205\1\5\7\31\340)\347\25\0%\1u\1\225\10\201\2\201\3\225\6u\10\25\0"..., 4097) = 151
read(6, "", 3946)                       = 0
close(6)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw/hidraw3/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
read(6, "\5\1\5\f\t\1\241\1\205\1\25\0%\1u\1\225\7\t\315\t\267\t\266\t\265\t\342\t\352\t\351"..., 4097) = 74
read(6, "", 4023)                       = 0
close(6)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw/hidraw1/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
read(6, "\6\320\361\t\1\241\1\t \25\0&\377\0u\10\225@\201\2\t!\25\0&\377\0u\10\225@\221"..., 4097) = 34
read(6, "", 4063)                       = 0
close(6)                                = 0
openat(AT_FDCWD, "/dev/hidraw1", O_RDWR|O_CLOEXEC) = 6
getrandom("", 0, GRND_NONBLOCK)         = 0
getrandom("\x6d\xd2\xdd\xa5\x37\x2a\x98\x7a\xbb\xad\xb4\xbc\xcc\x18\xbf\x42\x2b\x6f\xfc\x8d\xba\xf1\x61\xa0\x6c\xf8\xa5\xea\x77\xf9\x31\xbc", 32, GRND_NONBLOCK) = 32
write(6, "\0\377\377\377\377\206\0\10\203\350\351I\37\"\372\251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65) = 65
read(6, "\377\377\377\377\206\0\21\203\350\351I\37\"\372\251\0'\0\2\2\5\2\4\5\0\0\0\0\0\0\0\0"..., 64) = 64
write(6, "\0\0'\0\2\220\0\1\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65) = 65
read(6, "\0'\0\2\220\0\277\0\252\1\203fU2F_V2hFIDO_2_0lFIDO"..., 64) = 64
read(6, "\0'\0\2\0et\3P\356\210(yr\34I\23\227u=\374\316\227\7*\4\245brk\365b"..., 64) = 64
read(6, "\0'\0\2\1gmtPreview\365\5\31\4\260\6\201\1\7\10\10\30\200\t\201cu"..., 64) = 64
read(6, "\0'\0\2\2dtypejpublic-key\0\0\0\0\0\0\0\0\0\0\0"..., 64) = 64
close(6)                                = 0
close(3)                                = 0
write(2, "authenticator error: ", 21authenticator error: )   = 21
write(2, "Error while decoding CBOR from d"..., 38Error while decoding CBOR from device.) = 38
write(2, "\n", 1
)                       = 1
sigaltstack({ss_sp=NULL, ss_flags=SS_DISABLE, ss_size=8192}, NULL) = 0
munmap(0x7f037e337000, 8192)            = 0
exit_group(3)                           = ?
+++ exited with 3 +++

Author

arianvp commented Apr 24, 2020

Note that this firmware version does indeed support the hmac-secret extension:

https://support.yubico.com/support/solutions/articles/15000027138-yubikey-5-2-3-enhancements-to-fido-2-support

Author

arianvp commented Apr 24, 2020

Let me know if I can be of any help to debug this. Happy to donate funds for a Yubikey 5 if this helps you

Owner

shimunn commented Apr 24, 2020

Thanks for your report. I've got a Yubico Security Key on hand, and I'm assuming that Yubico's FIDO implementation is consistent across their range of devices. So I've made some changes to the ctap implementation and would like you to try them out by running:

git clone https://github.com/shimunn/ctap -b text_keys
cd ctap
cargo run --all-features --example=hmac
cargo run --all-features --example=multiple

Author

arianvp commented Apr 24, 2020

In both cases I get the following error; which looks like a good sign? (if it knows it requires the pin it recognises the device)

[nix-shell:~/ctap]$ cargo run --all-features --example=hmac
    Finished dev [unoptimized + debuginfo] target(s) in 0.03s
     Running `target/debug/examples/hmac`
Authorize using your device
thread 'main' panicked at 'Failed to request credential: FidoError(

This operating requires a PIN but none was provided.)', examples/hmac.rs:35:24
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrac
[nix-shell:~/ctap]$ cargo run --all-features --example=multiple
    Finished dev [unoptimized + debuginfo] target(s) in 0.03s
     Running `target/debug/examples/multiple`
Error: FidoError(

This operating requires a PIN but none was provided.)

Owner

shimunn commented Apr 24, 2020

It is indeed! I'd guess those examples would work if you would insert:

device.unlock("<your pin>").unwrap();

at line 19. Unfortunately that won't get you much further, since fido2luks at present won't ask for your PIN and thus won't allow PIN-protected devices to be used.

Owner

shimunn commented Apr 26, 2020

Everything has been updated and should work as long as you don't use a PIN

@shimunn shimunn closed this as completed Apr 26, 2020
Author

arianvp commented Apr 26, 2020

Shall I open a new issue about PIN support?

I'd be happy to try contribute support for it; it doesn't sound like a very big change right?

Any website can trigger the PIN prompt using the WebAuthn JavaScript library, and once your PIN is enabled this cannot be undone without resetting the YubiKey to factory settings. Because fido2luks cannot use PIN-protected devices, this means that I can get locked out of my LUKS partition by someone's JavaScript code, which is not ideal.

Owner

shimunn commented Apr 26, 2020

I'd be happy to try contribute support for it; it doesn't sound like a very big change right?

Well the implementation should be quite trivial, but the main reason why I haven't implemented PIN input yet is that I don't see a nice way to query for the PIN during boot, but the cli should be easy to adapt. So yes please open a new issue/pr if you've got an idea on how to solve this.

Owner

shimunn commented May 5, 2020

I've made changes to support a PIN in the CLI; you may want to check out:
https://github.com/shimunn/fido2luks/tree/cli_reorg

suhancz added a commit to suhancz/fido2luks that referenced this issue Nov 17, 2020
# This is the 1st commit message:

Added an helper script to be used with pam_mount

# This is the commit message shimunn#2:

successful RPM build

# This is the commit message shimunn#3:

correct license

# This is the commit message shimunn#4:

add Makefile

# This is the commit message shimunn#5:

install cargo-rpm

# This is the commit message shimunn#6:

fix outdir

# This is the commit message shimunn#7:

include all the rest beside of teh binary to RPM

# This is the commit message shimunn#8:

test commit to figure out the failure reason

# This is the commit message shimunn#9:

don't force Rust library versions

# This is the commit message shimunn#10:

update build dependencies

# This is the commit message shimunn#11:

force-install cargo

# This is the commit message shimunn#12:

clean up debug info

# This is the commit message shimunn#13:

add cryptsetup-libs to build spec
suhancz added a commit to suhancz/fido2luks that referenced this issue Nov 17, 2020
# This is the 1st commit message:

Added an helper script to be used with pam_mount

# This is the commit message shimunn#2:

successful RPM build

# This is the commit message shimunn#3:

correct license

# This is the commit message shimunn#4:

add Makefile

# This is the commit message shimunn#5:

install cargo-rpm

# This is the commit message shimunn#6:

fix outdir

# This is the commit message shimunn#7:

include all the rest beside of teh binary to RPM

# This is the commit message shimunn#8:

test commit to figure out the failure reason

# This is the commit message shimunn#9:

don't force Rust library versions

# This is the commit message shimunn#10:

update build dependencies

# This is the commit message shimunn#11:

force-install cargo

# This is the commit message shimunn#12:

clean up debug info

# This is the commit message shimunn#13:

add cryptsetup-libs to build spec

# This is the commit message shimunn#14:

force libcryptsetup-rs-sys version due to build error on COPR machines

# This is the commit message shimunn#15:

force cargo-rpm versin due to COPR build errors

# This is the commit message shimunn#16:

force lincryptsetup-rs version due to COPR build errors
suhancz added a commit to suhancz/fido2luks that referenced this issue Nov 17, 2020
# This is the 1st commit message:

Added an helper script to be used with pam_mount

# This is the commit message shimunn#2:

successful RPM build

# This is the commit message shimunn#3:

correct license

# This is the commit message shimunn#4:

add Makefile

# This is the commit message shimunn#5:

install cargo-rpm

# This is the commit message shimunn#6:

fix outdir

# This is the commit message shimunn#7:

include all the rest beside of teh binary to RPM

# This is the commit message shimunn#8:

test commit to figure out the failure reason

# This is the commit message shimunn#9:

don't force Rust library versions

# This is the commit message shimunn#10:

update build dependencies

# This is the commit message shimunn#11:

force-install cargo

# This is the commit message shimunn#12:

clean up debug info

# This is the commit message shimunn#13:

add cryptsetup-libs to build spec

# This is the commit message shimunn#14:

force libcryptsetup-rs-sys version due to build error on COPR machines

# This is the commit message shimunn#15:

force cargo-rpm versin due to COPR build errors

# This is the commit message shimunn#16:

force lincryptsetup-rs version due to COPR build errors

# This is the commit message shimunn#17:

fix conf-files location

# This is the commit message shimunn#18:

debug output