Bug 1267247: Add U2F v1.1 support to Firefox for iOS
Status: Closed, RESOLVED INVALID (opened 8 years ago, closed 6 years ago)
Categories: Firefox for iOS :: Browser, defect
People: Reporter: rbarnes, Unassigned
Attachments: 1 file
U2F requires a token that holds a private/symmetric key securely and provides a test of user presence. On iOS, we can provide these functions with Keychain and TouchID, respectively. I will post a PR for this shortly.
Comment 1 • 8 years ago (Reporter)
This is a first cut at U2F implementation. Would love feedback from the iOS team about whether it should be factored differently (Stefan, I assume you can dispatch as appropriate). For example, we could certainly handle the ECDSA and crypto testing stuff as a separate bug, or the OpenSSLToken parts could be split out into a separate Swift file.
Attachment #8744942 - Flags: feedback?(sarentz)
Attachment #8744942 - Flags: feedback?(jjones)
Comment 2 • 8 years ago
This is pretty good for a first iteration. Bad news: we are trying to get rid of the OpenSSL dependency :-) Does iOS provide the crypto needed? Is ECDSA something it supports? Is there another (lightweight) implementation that we could use? We can hold to OpenSSL for a while, but for various reasons we want to get rid of it in the future. Anything at https://developer.apple.com/cryptography/ that we can use or import?
Flags: needinfo?(rlb)
Comment 3 • 8 years ago
How do we test this? How do we see this in action? Can you post a link to a (test) site that supports this and some guidance on how to get it going? From a user perspective.
Comment 4 • 8 years ago
https://www.noknok.com/product/sdk has a "canned demo" of what this can look like based on their SDK. As for testing, https://fidoalliance.org/certification/conformance-self-validation-testing/ is the link to official info on the FIDO Alliance's certification service. There is a detailed document available that explains all the errors that might be encountered during verification.
Comment 5 • 8 years ago
:st3fan - The simplest, most turn-key test/compliance tool is probably this one: https://u2fdemo.appspot.com/ I have a very trivial tool online at https://usr.bin.coffee/u2f/ as well.
Comment 6 • 8 years ago (Reporter)
Note that I don't think https://usr.bin.coffee/u2f/ works with Fx/iOS because it relies on WebCrypto (which is missing there). I have been using https://u2fdemo.appspot.com/ for my interop testing.
:st3fan - It looks like there might be some stuff there that does ECDSA sign/verify [1], but it's not clear that it does everything we need (e.g., Certificate stuff). Perhaps we could meet half-way by formatting the ECDSA keys we export in a way that's compatible with what Apple crypto wants to do, but punting the actual use of it to a follow-up?
[1] http://opensource.apple.com/source/CommonCrypto/CommonCrypto-60075.20.1/include/CommonECCryptor.h
Flags: needinfo?(rlb)
Comment 7 • 8 years ago
Comment on attachment 8744942: Pull request
Thanks, Richard! I put comments on the GitHub side, and this meta-comment:
> I've completed a crypto / spec review of this code; several nits, only a
> couple non-nitty things. I should probably take another look after any
> rework from the iOS review though.
I'm going to feedback+, but I'd like to get an r? after any rework from the other reviews. Thanks!
Attachment #8744942 - Flags: feedback?(jjones) → feedback+
Updated • 7 years ago
Attachment #8744942 - Flags: feedback?(sarentz)
Updated • 7 years ago
Whiteboard: [NeedsTrelloCard]
Updated • 7 years ago
Whiteboard: [NeedsTrelloCard]
Comment 8 • 6 years ago
There are BLE tests at https://github.com/fido-alliance/u2f-ble-test-ios. I think if we can use that code base, we might be able to add BLE support for U2F tokens.
Comment 9 • 6 years ago
Apple released the access to NFC API on iOS 11, so now it's possible to use U2F via NFC on iOS.
Updated • 6 years ago
tracking-fxios: --- → ?
Comment 10 • 6 years ago
Closing this for now.
Comment 11 • 5 years ago
What’s the status on this? I’d love to be able to use my USB-C Yubikey on my USB-C iOS devices, completely independent of BLE considerations! Is this blocked on crypto work still, or has it officially been sunsetted in favour of WebAuthn?
Comment 12 • 5 years ago
I think at this point we'd prefer to hook into the Safari API for WebAuthn that appears to be in development. [1]
[1] https://webkit.org/status/#feature-web-authentication
Comment 13 • 4 years ago
iOS 13.3 supports FIDO U2F these days.
Is it possible for Firefox now?
Flags: needinfo?(gkeeley)
Comment 14 • 4 years ago
https://developer.apple.com/documentation/ios_ipados_release_notes/ios_ipados_13_3_release_notes
Gotha release note here
Comment 15 • 4 years ago
I don't see it implemented for WKWebView so I am not sure.
Flags: needinfo?(gkeeley)
Comment 16 • 4 years ago
Yeah, it's not yet in WKWebView, so one has to hack around it. It's been strongly implied by the Apple folks that it's coming [0], and I would recommend we wait for actual platform support there.
[0] https://twitter.com/flamsmark/status/1194413871835971585