Closed Bug 1298838 Opened 8 years ago Closed 7 years ago

Implement (initial) USB HID support for U2F Security Keys

Categories

(Core :: DOM: Device Interfaces, enhancement, P2)

RESOLVED FIXED

People

(Reporter: jcj, Assigned: ttaubert)

Details

(Whiteboard: [webauthn])

USB Human-Interface Device support is necessary for FIDO and WebAuthn USB token support. This is a redirection of Bug 1198330 which sought to implement this support by integrating the hidapi library into Gecko; :grobinson deemed that inappropriate, after experimentation, and so this bug is to implement per-platform hooks for the USB HID API for Gecko. This bug should implement a single platform, and further platforms should be follow-on bugs.

There is some initial work for OSX available here:
https://github.com/mozilla/gecko-dev/compare/master...garrettr:hid-stubs

Requirements:
* Device enumeration and add/remove listeners
* Enough feature discovery to detect FIDO U2F
* Send and Receive APDU methods
* Multiple device, multiple thread semantics
Blocks: 1065729, 1245527
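The "enough feature discovery to detect FIDO U2F" requirement above comes down to reading a device's HID report descriptor. The following is an added example, not code from this bug or from Gecko: the function and constant names are hypothetical, and the usage page 0xF1D0 / usage 0x01 values and the sample descriptor are taken from the FIDO U2F HID specification rather than from this page. It assumes a short Usage item is combined with the Usage Page in effect when it is read.

```rust
// Added example, not Gecko code: names are hypothetical; the usage values
// and sample descriptor follow the FIDO U2F HID specification.
const FIDO_USAGE: u32 = (0xF1D0 << 16) | 0x01; // usage page 0xF1D0, usage 0x01
// Constructed sample input: report descriptor laid out as in the U2F HID spec.
pub const SAMPLE_U2F: [u8; 34] = [
    0x06, 0xD0, 0xF1, 0x09, 0x01, 0xA1, 0x01, // Usage Page, Usage, Collection
    0x09, 0x20, 0x15, 0x00, 0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x40, 0x81, 0x02,
    0x09, 0x21, 0x15, 0x00, 0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x40, 0x91, 0x02,
    0xC0, // End Collection
];

/// True if a top-level collection is tagged with the FIDO U2FHID usage.
pub fn is_u2f_descriptor(desc: &[u8]) -> bool {
    let (mut page, mut usage, mut depth) = (0u32, None::<u32>, 0u32);
    let mut i = 0;
    while i < desc.len() {
        let prefix = desc[i];
        if prefix == 0xFE {
            // Long item (prefix, data size, tag, data): skip it.
            match desc.get(i + 1) {
                Some(&n) => i += 3 + n as usize,
                None => return false,
            }
            continue;
        }
        let size = match prefix & 0x03 { 3 => 4, n => n as usize };
        let data = match desc.get(i + 1..i + 1 + size) {
            Some(d) => d.iter().rev().fold(0u32, |v, &b| (v << 8) | b as u32),
            None => return false, // truncated item: reject instead of guessing
        };
        match prefix & 0xFC {
            0x04 => page = data, // Global item: Usage Page
            0x08 => { // Local item: Usage; the first one names the collection
                usage.get_or_insert(if size == 4 { data } else { (page << 16) | data });
            }
            0xA0 => { // Main item: Collection
                if depth == 0 && usage == Some(FIDO_USAGE) { return true; }
                depth += 1;
            }
            0xC0 => depth = depth.saturating_sub(1), // Main item: End Collection
            _ => {}
        }
        if prefix & 0x0C == 0 { usage = None; } // main items reset local state
        i += 1 + size;
    }
    false
}

fn main() { println!("sample is U2F: {}", is_u2f_descriptor(&SAMPLE_U2F)); }
```

Matching only top-level collections keeps a device that merely mentions the FIDO usage inside a nested collection from being treated as a security key, and a truncated descriptor is rejected rather than partially trusted.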
Apologies; the correct link for initial OSX native stubs is actually this one:

https://github.com/mozilla/gecko-dev/compare/master...garrettr:hid-native
Hi :jcj,
I guess this is something around P2, i.e. planning to fix it in a few months/next release. Am I right?
Flags: needinfo?(jjones)
(In reply to Hsin-Yi Tsai [:hsinyi] from comment #3)
> Hi :jcj,
> I guess this is something around P2, i.e. planning to fix it in a few
> months/next release. Am I right?

That's correct. Marking P2.
Flags: needinfo?(jjones)
Priority: -- → P2
Assignee: nobody → kyle
qdot: Does this have a dependency on any UI that we need to plan for?
Flags: needinfo?(kyle)
No idea, I'm just doing the low level platform USB stuff. Forwarding to :jcj.
Flags: needinfo?(kyle) → needinfo?(jjones)
(In reply to Peter Dolanjski [:pdol] from comment #5)
> qdot: Does this have a dependency on any UI that we need to plan for?

No; U2F doesn't have a user-facing UI. The Relying Party provides prompts themselves, so no op for UI on our side. :)
Flags: needinfo?(jjones)
We occasionally get feedback about lack of FIDO support or similar:

https://twitter.com/DrSynAck/status/783957757053562880

While clearly the number of users who use these types of 2FA is small, they are also clearly lead users, potentially influential, and quite often involved in the security industry. P2 sounds about right to me.
(In reply to J.C. Jones [:jcj] from comment #7)
> (In reply to Peter Dolanjski [:pdol] from comment #5)
> > qdot: Does this have a dependency on any UI that we need to plan for?
> 
> No; U2F doesn't have a user-facing UI. The Relying Party provides prompts
> themselves, so no op for UI on our side. :)

Great, carry on then :)
Whiteboard: [webauthn]
Summary: Implement (initial) USB HID support → Implement (initial) USB HID support for U2F Security Keys
No longer blocks: 1323339
Depends on: 1323339
Depends on: 1380270
I'm really just doing reviews on this now and either :ttaubert or :jcj is heading this up, so handing off to :ttaubert for now.
Assignee: kyle → ttaubert
Depends on: 1388843
Depends on: 1388851
Enable by setting these prefs to true:

security.webauth.u2f
security.webauth.webauthn_enable_usbtoken

and setting this one to false:

security.webauth.webauthn_enable_softtoken
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Does security.webauth.webauthn need to be set to true as well?
(In reply to Richard Soderberg [:atoll] from comment #12)
> Does security.webauth.webauthn need to be set to true as well?

Not for U2F support. That adds our (currently) Draft 5 support for W3C Web Authentication, the spiritual successor to U2F.
Is work for a generic HID API being tracked?

This works for U2F, but for features like HMAC-SHA1 Challenge Response (e.g. https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html), an API like https://developer.chrome.com/apps/hid would be necessary. It appears this exists but is abstracted by window.u2f - are there plans to expose this as well? Thank you.