Add U2F v1.1 support to Firefox for iOS

NEW
Unassigned

Status

Firefox for iOS
Browser
a year ago
4 days ago

People

(Reporter: rbarnes, Unassigned)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

a year ago
U2F requires a token that holds a private/symmetric key securely and provides a test of user presence.  On iOS, we can provide these functions with Keychain and TouchID, respectively.

I will post a PR for this shortly.
(Reporter)

Updated

a year ago
Blocks: 1065729
(Reporter)

Comment 1

a year ago
Created attachment 8744942 [details] [review]
Pull request

This is a first cut at U2F implementation.  Would love feedback from the iOS team about whether it should be factored differently (Stefan, I assume you can dispatch as appropriate).  For example, we could certainly handle the ECDSA and crypto testing stuff as a separate bug, or the OpenSSLToken parts could be split out into a separate Swift file.
Attachment #8744942 - Flags: feedback?(sarentz)
Attachment #8744942 - Flags: feedback?(jjones)

Comment 2

a year ago
This is pretty good for a first iteration.

Bad news: we are trying to get rid of the OpenSSL dependency :-)

Does iOS provide the crypto needed? Is ECDSA something it supports?

Is there another (lightweight) implementation that we could use?

We can hold on to OpenSSL for a while, but for various reasons we want to get rid of it in the future.

Anything at https://developer.apple.com/cryptography/ that we can use or import?
Flags: needinfo?(rlb)

Comment 3

a year ago
How do we test this? How do we see this in action? Can you post a link to a (test) site that supports this and some guidance on how to get it going? From a user perspective.

Comment 4

a year ago
https://www.noknok.com/product/sdk has a "canned demo" of what this can look like based on their SDK. As for testing, https://fidoalliance.org/certification/conformance-self-validation-testing/ is the link to official info on the FIDO Alliance's certification service. There is a detailed document available that explains all the errors that might be encountered during verification.

Comment 5

a year ago
:st3fan - The simplest, most turn-key test/compliance tool is probably this one: https://u2fdemo.appspot.com/

I have a very trivial tool online at https://usr.bin.coffee/u2f/ as well.
(Reporter)

Comment 6

a year ago
Note that I don't think https://usr.bin.coffee/u2f/ works with Fx/iOS because it relies on WebCrypto (which is missing there).  I have been using https://u2fdemo.appspot.com/ for my interop testing.

:st3fan - It looks like there might be some stuff there that does ECDSA sign/verify [1], but it's not clear that it does everything we need (e.g., Certificate stuff).  Perhaps we could meet half-way by formatting the ECDSA keys we export in a way that's compatible with what Apple crypto wants to do, but punting the actual use of it to a follow-up?

[1] http://opensource.apple.com/source/CommonCrypto/CommonCrypto-60075.20.1/include/CommonECCryptor.h
Flags: needinfo?(rlb)

Comment 7

a year ago
Comment on attachment 8744942 [details] [review]
Pull request

Thanks, Richard!

I put comments on the GitHub side, and this meta-comment:

> I've completed a crypto / spec review of this code; several nits, only a
> couple non-nitty things. I should probably take another look after any
> rework from the iOS review though.

I'm going to feedback+, but I'd like to get an r? after any rework from the other reviews. Thanks!
Attachment #8744942 - Flags: feedback?(jjones) → feedback+

Updated

5 months ago
Attachment #8744942 - Flags: feedback?(sarentz)

Updated

5 months ago
Whiteboard: [NeedsTrelloCard]

Updated

4 days ago
See Also: → bug 1391438