FIDO testers wanted

Truly incredible work, well done and thank you.

6 Likes

Thanks for all of your work on this.

Stupid question though: is there a way I can download my current u2f credentials and then reinstall them after I update?

1 Like

No, there is no way to export credentials, by design. FIDO mandates that the secrets keys are generated on the device and never leave the device (in a cleartext format).

Usually a service should enable you to just register a new key.

Thanks. That’s what I thought but so was not sure. Really appreciate your work on the updates.

2 Likes

I just pushed an update to Fidesmo which includes a workaround for the aforementioned bug in the FIDO2 / WebAuthN Example App. Same warnings as always apply, update will delete your keys, etc.

Please report any issues you find.

As to why I even bothered to fix this issue even though it is caused by a third party misinterpreting the specification - this mistake is easy to make and I don’t know which services include the bugged SDK or make the same mistake.

6 Likes

Just to be clear, after a short conversation about this issue, it just made sense to make this modification. It doesn’t restrict our compatibility with any other compliant services and it doesn’t limit our utility either… This update just ensures we can operate with the buggy SDK at no real expense or cost to our utility or interoperability with other services.

4 Likes

Correct, all I did was to invest more time into optimization to reduce the size of the generated credential metadata. This of course is still fully compatible to everything else.

3 Likes

A small update has been released, which fixes some edge-cases in regards to very large credentials.

The applet now properly reports once the chip runs out of persistent memory to store resident credentials, but keeps on working for server-type credentials which don’t require persistent memory.

image

Persistent memory is now only ever allocated once for any credential if and only if it is required (i.e. to store a resident credential), all other (server-type / non-resident) credentials are handled completely in RAM. RAM is statically allocated, which means the applet never uses more than the ~2kB of RAM it initially allocates at installation. Memory and RAM usage is subject to future optimization.

Please report any issues you find, and feel free to test! (You have to re-install the applet via Fidesmo, which will delete your keys). This update is a small once and probably won’t add anything to your usage if you already use the FIDO2 applet, so feel free to skip it. This update is really just something to comply with the spec and get closer to certification.

The CTAP-Bridge (GitHub - StarGate01/CTAP-bridge: FIDO2 PC/SC CTAPHID Bridge) and the FIDO2 docs (https://github.com/DangerousThings/flexsecure-applets/blob/master/docs/applets/6-fido2.md) have also received small updates.

1 Like