U2F requires a token that holds a private/symmetric key securely and provides a test of user presence. On iOS, we can provide these functions with Keychain and TouchID, respectively. I will post a PR for this shortly.
Created attachment 8744942 - Pull request
This is a first cut at U2F implementation. Would love feedback from the iOS team about whether it should be factored differently (Stefan, I assume you can dispatch as appropriate). For example, we could certainly handle the ECDSA and crypto testing stuff as a separate bug, or the OpenSSLToken parts could be split out into a separate Swift file.
This is pretty good for a first iteration. Bad news: we are trying to get rid of the OpenSSL dependency :-) Does iOS provide the crypto needed? Is ECDSA something it supports? Is there another (lightweight) implementation that we could use? We can hold to OpenSSL for a while, but for various reasons we want to get rid of it in the future. Anything at https://developer.apple.com/cryptography/ that we can use or import?
How do we test this? How do we see this in action? Can you post a link to a (test) site that supports this and some guidance on how to get it going? From a user perspective.
https://www.noknok.com/product/sdk has a "canned demo" of what this can look like based on their SDK. As for testing, https://fidoalliance.org/certification/conformance-self-validation-testing/ is the link to official info on the FIDO Alliance's certification service. There is a detailed document available that explains all the errors that might be encountered during verification.
:st3fan - The simplest, most turn-key test/compliance tool is probably this one: https://u2fdemo.appspot.com/. I have a very trivial tool online at https://usr.bin.coffee/u2f/ as well.
Note that I don't think https://usr.bin.coffee/u2f/ works with Fx/iOS because it relies on WebCrypto (which is missing there). I have been using https://u2fdemo.appspot.com/ for my interop testing. :st3fan - It looks like there might be some stuff there that does ECDSA sign/verify, but it's not clear that it does everything we need (e.g., Certificate stuff). Perhaps we could meet half-way by formatting the ECDSA keys we export in a way that's compatible with what Apple crypto wants to do, but punting the actual use of it to a follow-up? http://opensource.apple.com/source/CommonCrypto/CommonCrypto-60075.20.1/include/CommonECCryptor.h
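As an added illustration of the design sketched in the first comment (private key held by the Keychain, test of user presence via Touch ID) and of the point above about exporting ECDSA keys in the format Apple's crypto uses, here is example Swift that is not code from the PR or from Firefox for iOS. It assumes the iOS 10+ Security framework (the `.biometryCurrentSet` flag needs iOS 11.3); the function names and the application tag are constructed for the example.

```swift
import Foundation
import Security
// Added example, not the PR's code: a P-256 key in the Secure Enclave whose
// private-key use requires Touch ID, i.e. a securely held key plus a test of user presence.
func makeU2FKeyPair() throws -> (privateKey: SecKey, publicKeyX963: Data) {
    var error: Unmanaged<CFError>?
    // Usable only while unlocked, only on this device, and only after the
    // currently enrolled biometrics pass (re-enrolment invalidates the key).
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            [.privateKeyUsage, .biometryCurrentSet],
            &error) else {
        throw error!.takeRetainedValue() as Error
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            // Constructed tag; a real token would derive one per key handle.
            kSecAttrApplicationTag as String: Data("example.u2f.key".utf8),
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    // Apple exports EC public keys as ANSI X9.63 (0x04 || X || Y): for P-256
    // that is the 65-byte uncompressed point a U2F registration response carries.
    guard let publicKey = SecKeyCopyPublicKey(privateKey),
          let pub = SecKeyCopyExternalRepresentation(publicKey, &error) as Data? else {
        throw error!.takeRetainedValue() as Error
    }
    precondition(pub.count == 65 && pub.first == 0x04, "unexpected EC point encoding")
    return (privateKey, pub)
}
// Signs a U2F message with ECDSA over SHA-256. The access control above makes
// the system prompt for Touch ID here; the result is a DER (X9.62) signature.
func signU2F(_ message: Data, with privateKey: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(privateKey, .ecdsaSignatureMessageX962SHA256,
                                          message as CFData, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return sig as Data
}
```

Because the private key never leaves the Secure Enclave, only the exported X9.63 public point and the DER signature cross into app code, which is what a relying party needs to verify.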
Comment on attachment 8744942 - Pull request
Thanks, Richard! I put comments on the Github-side, and this meta-comment:
> I've completed a crypto / spec review of this code; several nits, only a couple non-nitty things. I should probably take another look after any rework from the iOS review though.
I'm going to feedback+, but I'd like to get an r? after any rework from the other reviews. Thanks!
Attachment #8744942 - Flags: feedback?(jjones) → feedback+
There are BLE tests at https://github.com/fido-alliance/u2f-ble-test-ios. I think if we can use that code base, we might be able to add BLE support for U2F tokens.
Apple released the access to NFC API on iOS 11, so now it's possible to use U2F via NFC on iOS.
Closing this for now.
Status: NEW → RESOLVED
Last Resolved: 9 months ago
tracking-fxios: ? → ---
Resolution: --- → INVALID
What’s the status on this? I’d love to be able to use my USB-C Yubikey on my USB-C iOS devices, completely independent of BLE considerations! Is this blocked on crypto work still, or has it officially been sunsetted in favour of WebAuthn?
I think at this point we'd prefer to hook into the Safari API for WebAuthn that appears to be in development. https://webkit.org/status/#feature-web-authentication