docs/applets/5-fido.md
Lines changed: 23 additions & 15 deletions
@@ -8,7 +8,9 @@ The attestation certificate is used to sign certificates for transport when you
8
8
9
9
**FIDO2 CTAP2** (Client to Authenticator Protocol) is an extension and improvement over FIDO U2F, and remains backwards-compatible to U2F.
10
10
11
-
The FIDO2 applet is still in development, and not completely finished. For example, Windows Hello is not supported yet. The attestation certificate loading procedure is not yet properly documented, and neither is the generation of such a certificate. Stay tuned.
11
+
The FIDO2 applet is still in development, and not completely finished. For example, Windows Hello is not supported yet. Stay tuned. It is also not officially certified.
12
+
13
+
If you are feeling lucky, you can however already test the FIDO2 applet.
12
14
13
15
## Applet Information
14
16
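Review bot: "It is also not officially certified" (new line 11) does not say certified by whom or what follows from it; if this means FIDO Alliance certification, name it and add the practical consequence, since relying parties that check authenticator metadata against a certification list may refuse the token. The "If you are feeling lucky" sentence (new line 13) should also tell the reader what a failed test costs: an in-development applet should not be registered as the only second factor on an account the reader cannot otherwise recover.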
@@ -17,7 +19,7 @@ The FIDO2 applet is still in development, and not completely finished. For examp
@@ -42,12 +44,6 @@ You can not use the U2F applet at the same time as the FIDO2 one because they us
42
44
43
45
Loading the attestation certificate requires manual steps as of now, but Vivokey and I are planning to release tools for U2F and FIDO2 attestation certificate loading sometime in the future.
44
46
45
-
### Default Attestation Certificate
46
-
47
-
You can use the default example U2F attestation certificate, which you can extract from https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html#examples and convert to the OpenSSL x509 / ECC DER format. Note that it is no longer valid according to its date, but it still works. Then again, it was never signed by any company, so it was never seen as valid in the first place. It is also missing a few extensions. I recommend creating a custom one, or getting one signed by Vivokey (maybe in the future).
48
-
49
-
The instructions at https://gist.github.com/darconeous/adb1b2c4b15d3d8fbc72a5097270cdaf use this certificate.
50
-
51
47
### Generate Attestation Certificate
52
48
53
49
You can also generate your own attestation certificate. This makes your token unique, which is maybe not something you want - but then again, I recon the number of tokens using the default key can be counted on maybe two hands maximum.
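Review bot: dropping the "Default Attestation Certificate" section leaves the unchanged context at line 49 ("the number of tokens using the default key") with no antecedent, because the reader no longer learns what the default key is; either keep one sentence saying that the example certificate and key from the U2F spec are public and shared between every token that uses them, or reword line 49. The removed text was also the only place stating that the example certificate is expired, unsigned and missing extensions, which is still useful for anyone who finds it elsewhere. Nit in the same context line: "recon" should be "reckon".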
@@ -56,7 +52,7 @@ In the future, Vivokey plans offer signed certificates using their own certifica
56
52
57
53
Creating certificates used to be quite the involved task requiring advanced knowledge of `openssl` commands, but I have written a small tool to simplify the process. Install Python3, and the `cryptography`, `asn1`, and `pyscard` modules (e.g. using Pip). Then, clone or download https://github.com/StarGate01/fido-attestation-loader .
58
54
59
-
If you specify no flags, the script will use the default file names `attestation.der`, `attestation_key.p8`, `ca.der`, and `ca_key.p8`.
55
+
If you specify no flags, the script will use the default file names `attestation.der`, `attestation_key.p8`, `ca.der`, `ca_key.p8`, and `settings.ini`. If you want to, you can edit the metadata in `settings.ini`.
60
56
61
57
First, generate a certificate authority, the script will ask you for a passphrase to secure the private key.
62
58
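Review bot: "you can edit the metadata in `settings.ini`" (new line 55) does not say where the file comes from or what it controls; state whether the script writes a default `settings.ini` when none exists or the reader must copy it from the repository, and list the fields it affects, since those values end up in the attestation certificate that relying parties will see.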
@@ -70,18 +66,24 @@ Next, generate an attestation certificate and sign it using the CA. You have to
70
66
./attestation.py cert create
71
67
```
72
68
73
-
Then, you can derive the applet installation parameter by running:
69
+
Then, you can derive the applet installation parameter by running, for FIDO U2F:
70
+
71
+
```
72
+
./attestation.py cert show -m u2f
73
+
```
74
+
75
+
For FIDO2:
74
76
75
77
```
76
-
./attestation.py cert show
78
+
./attestation.py cert show -m fido2
77
79
```
78
80
79
81
The attestation script has a lot more flags to control which files to use, and to provide passphrases via the arguments instead of interactively typing them. It also provides functionality to validate a certificate gainst an certificate authority. See the `-h` help command for more details.
80
82
81
83
Use GlobalPlatformPro (GPP) from https://github.com/martinpaljak/GlobalPlatformPro/releases to install the applet:
82
84
83
85
```
84
-
gp -install U2FApplet.cap --create A0000006472F0001 --params INSTALLPARAM
86
+
gp -install U2FApplet.cap --params INSTALLPARAM
85
87
```
86
88
87
89
The parameter data (`INSTALLPARAM`) is `00`, joined to the length in bytes of the public attestation certificate (16 bit integer = 2 bytes), and joined to the private key (32 bytes). See https://github.com/darconeous/u2f-javacard/blob/master/README.md for more info. You can copy it from the last line of the output of `./attestation.py cert show`.
Next, you have to load the public attestation certificate by sending a few chained APDUs. The DER encoded public certificate has to be chopped into `128` byte chunks, which are sent attached to a small header. The header is `80 01 HHLL KK`, with `HHLL` being a 16 bit integer offset of that chunk, and `KK` being the chunk length (hex `80`, usually smaller for the last chunk). Before sending the certificate, selecting the applet is required.
103
105
104
-
This task is covered by the attestation script as well:
106
+
This task is covered by the attestation script as well, for FIDO U2F:
107
+
108
+
```
109
+
./attestation.py cert upload -m u2f
110
+
```
111
+
112
+
For FIDO2:
105
113
106
114
```
107
-
./attestation.py cert upload
115
+
./attestation.py cert upload -m fido2
108
116
```
109
117
110
118
You might have to specify your PCSC reader index using `-r`, use `-l` to list all readers.
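Review bot: the unchanged paragraph at new line 89 still tells the reader to copy INSTALLPARAM from "the last line of the output of `./attestation.py cert show`", but this hunk changes that command to require `-m u2f` or `-m fido2`, so the sentence should name the flag and say whether the parameter format differs between the two modes. Two further points: removing `--create A0000006472F0001` from the `gp -install` line (line 86) means the instance AID now comes from the CAP file default, and the doc should state which AID that is, because the earlier note that U2F and FIDO2 cannot be installed together depends on it; and INSTALLPARAM carries the 32-byte attestation private key in clear, so passing it on the `gp` command line leaves it in shell history and process listings, which deserves one sentence telling the reader to remove it from history afterwards.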