Closed Bug 1440805 Opened 7 years ago Closed 7 years ago

U2FZero USB authenticator token doesn't work with Firefox

Categories

(Core :: DOM: Device Interfaces, defect, P3)

59 Branch
defect

RESOLVED WORKSFORME

People

(Reporter: tdsmith, Assigned: jcj)

Details

(Whiteboard: [webauthn][webauthn-hw])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36

Steps to reproduce:

0. Configured security.webauth.u2f and security.webauth.webauthn to `true`
1. Visited https://u2f.bin.coffee/
2. Pressed "U2F Register", inserted U2Fzero token, pressed its button
3. Pressed "U2F Sign", inserted U2Fzero token, pressed its button

Actual results:

"Create credential" succeeded, but "get assertion" failed with a timeout. The same process succeeds in Firefox with a Yubico U2F token. The U2Fzero token works with u2f.bin.coffee in Chrome.

U2F register output:

Sending request with appId: https://u2f.bin.coffee
{
  "version": "U2F_V2",
  "challenge": "nJRalSSJVr2m4WziGfMNDvv2q9o"
}
Got response:
{
  "clientData": "eyJjaGFsbGVuZ2UiOiJuSlJhbFNTSlZyMm00V3ppR2ZNTkR2djJxOW8iLCJvcmlnaW4iOiJodHRwczovL3UyZi5iaW4uY29mZmVlIiwidHlwIjoibmF2aWdhdG9yLmlkLmZpbmlzaEVucm9sbG1lbnQifQ",
  "errorCode": 0,
  "registrationData": "BQR_OqfZQfFG1ZUAWIz3cLlMRykeQ9kXVD7dhaociJKQ_73BG407LkSHOHC1FLV_ks8Y-01xzLBEF_HDJaEWfC8KJOMa3ibrgcWUn11PgS1aWH3dznuNRc-6lwvSm64uKH5Nt33XijCCAd4wggGFAgEAMAoGCCqGSM49BAMCMHsxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJWQTETMBEGA1UEBwwKQmxhY2tzYnVyZzEQMA4GA1UECgwHQ29ub3JDbzEUMBIGA1UEAwwLY29ub3Jjby5jb20xIjAgBgkqhkiG9w0BCQEWE2Nvbm9yY29AY29ub3Jjby5jb20wHhcNMTcwMjAyMjIwNDI0WhcNMTcwMzA0MjIwNDI0WjB8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCVkExEzARBgNVBAcMCkJsYWNrc2J1cmcxETAPBgNVBAoMCFUyRiBaZXJvMRQwEgYDVQQDDAt1MmZ6ZXJvLmNvbTEiMCAGCSqGSIb3DQEJARYTY29ub3Jjb0Bjb25vcmNvLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKEVXmNyw0Xsl8EqwrqE-GPxrm_xfYAEAqGfhgbkIqfAK-TjRGEVPvvUEyTshLJU7FhSkQ1VsZswefWI2_MFg5owCgYIKoZIzj0EAwIDRwAwRAIgIFyeHQ1XzC8LJfCXHL85jqOyD5yXcfv-iPT5oQMTTLYCICbu2q7Yv3yTcA_NGiZMUvrjhikzULF6IREsAzmN_eJWMEQCIHtaeR0J5AC5xcwaJl6rQB_cAXBovrGZc9lDM06ELcQVAiAW5hFkHEQ1_SuLZTXtmK9374Q3ZJ3GX0dRhRer0TPbhw",
  "version": "U2F_V2"
}
Key Handle: 040x0r0e0J0u0u0B0x0Z0S0f0X0U0-0B0L0V0p0Y0f0d030O0e04010F0z070q0X0C090K0b0r0i040o0f0k02030f0d0e0K
Certificate:
Attestation Cert
Subject: US
Issuer: US
Validity (in millis): 2592000000
Attestation Signature
R: 7b5a791d09e400b9c5cc1a265eab401fdc017068beb19973d943334e842dc415
S: 16e611641c4435fd2b8b6535ed98af77ef8437649dc65f47518517abd133db87
[PASS] Signature buffer has no unnecessary bytes.: 70 == 70
[PASS] navigator.id.finishEnrollment == navigator.id.finishEnrollment
[PASS] nJRalSSJVr2m4WziGfMNDvv2q9o == nJRalSSJVr2m4WziGfMNDvv2q9o
[PASS] https://u2f.bin.coffee == https://u2f.bin.coffee
[PASS] Verified certificate attestation signature
[PASS] Imported credential public key
Failures: 0 TODOs: 0

U2F sign output:

Sending request:
{
  "version": "U2F_V2",
  "keyHandle": "4xreJuuBxZSfXU-BLVpYfd3Oe41Fz7qXC9Kbri4ofk23fdeK"
}
Got response:
{
  "errorCode": 1
}
[FAIL] Verified signature
Failures: 1 TODOs: 0

Expected results:

"U2F sign" should not fail.

The platform is Firefox 59.0b12 on OS X.
One incidentally true but probably? irrelevant thing about the U2Fzero authenticator token is that it ships an expired attestation certificate:

$ pbpaste | xxd -r -p | openssl x509 -inform der -in - -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 0 (0x0)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = VA, L = Blacksburg, O = ConorCo, CN = conorco.com, emailAddress = conorco@conorco.com
        Validity
            Not Before: Feb 2 22:04:24 2017 GMT
            Not After : Mar 4 22:04:24 2017 GMT
        Subject: C = US, ST = VA, L = Blacksburg, O = U2F Zero, CN = u2fzero.com, emailAddress = conorco@conorco.com
...

In addition to the coffee.bin test site, the U2Fzero token also fails in Firefox with GitHub (although the Yubico token works).
Component: Untriaged → DOM: Device Interfaces
Flags: needinfo?(jjones)
Product: Firefox → Core
Thanks for the report, Tim! The certificate being expired wouldn't cause a Get / Sign failure; it's never validated by Firefox or our Rust code. This sounds like something we'll want to debug at the Rust-layer using u2f-hid-rs. Let me (or ttaubert) get you some debug commands...
Flags: needinfo?(jjones)
Actually, this looks hard to make a debug build for. For expedience's sake, I'm buying a u2f-zero device and will debug it locally.
Assignee: nobody → jjones
Whiteboard: [webauthn][webauthn-hw]
Priority: -- → P3
The device I received reports as:

U2F Zero:
  Product ID: 0x8acf
  Vendor ID: 0x10c4 (Silicon Laboratories, Inc.)
  Version: 1.00
  Serial Number: DAFE1E29475834
  Speed: Up to 12 Mb/sec
  Manufacturer: Silicon Labs
  Location ID: 0x14600000 / 40
  Current Available (mA): 500
  Current Required (mA): 100
  Extra Operating Current (mA): 0

When I try it, I have no issues, even with multiple registrations:

(u2f)
Pass https://u2f.bin.coffee/
Pass https://u2fdemo.appspot.com/

(webauthn)
Pass https://webauthn.bin.coffee/
Pass https://webauthndemo.appspot.com/
Pass https://webauthn.io/

:tdsmith: Is it possible that maybe your u2fzero device has an out-of-date firmware? There was a fix to the firmware in November that looks to me like it might be the source of the issue, but I am in no way familiar with the u2fzero codebase [1].

[1] https://github.com/conorpp/u2f-zero/commit/255c520e016caee914cfa878514cb60a126e6e0b
Flags: needinfo?(mozillabugs)
Hmm; mine reports the same product, vendor, and version, but I bought mine last October so it definitely antedates that firmware update.

It looks like the lifetime of the certificates was bumped at the same time that PR landed, so if you see a longer-lived certificate on yours, that may be a way to discriminate between batches.

I don't know why it works in Chrome but I'm happy to blame the token for non-compliance. I guess this is my excuse to upgrade to a token with NFC. Sorry for the goose chase!
Flags: needinfo?(mozillabugs)
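The batch check suggested in the comment above, reading the attestation certificate's validity window out of a U2F registrationData value, written out as an added example; it is not part of the original thread and is not Firefox or u2f-hid-rs code. The sample blob is constructed (placeholder key, key handle and signature; only the two dates are the ones quoted earlier in this bug), and all function names are made up for the example.

```python
import base64
from datetime import datetime, timezone

def tlv(buf, off):
    """Read one DER TLV at off; return (tag, value_start, value_end)."""
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + n

def parse_registration(b64url):
    """Split a raw U2F registration response: (pubkey, key handle, cert, signature)."""
    raw = base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))
    if len(raw) < 67 or raw[0] != 0x05:
        raise ValueError("not a U2F registration response")
    kh_end = 67 + raw[66]                 # one length byte, then the key handle
    _, _, cert_end = tlv(raw, kh_end)     # cert length comes from its DER header
    return raw[1:66], raw[67:kh_end], raw[kh_end:cert_end], raw[cert_end:]

def parse_time(tag, text):
    s = text.decode("ascii")
    if tag == 0x17:  # UTCTime has a two-digit year; X.509 pivots at 50
        s = ("20" if int(s[:2]) < 50 else "19") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(cert):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, pos, _ = tlv(cert, 0)              # Certificate SEQUENCE
    _, pos, _ = tlv(cert, pos)            # TBSCertificate SEQUENCE
    tag, _, pos = tlv(cert, pos)          # [0] version, or the serial in a v1 cert
    for _ in range(3 if tag == 0xA0 else 2):  # (serial,) signature alg, issuer
        _, _, pos = tlv(cert, pos)
    _, pos, _ = tlv(cert, pos)            # Validity SEQUENCE
    t1, a, b = tlv(cert, pos)
    t2, c, d = tlv(cert, b)
    return parse_time(t1, cert[a:b]), parse_time(t2, cert[c:d])

# Constructed sample: a skeletal v1 certificate, not a real or verifiable one.
def der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only
val = der(0x30, der(0x17, b"170202220424Z") + der(0x17, b"170304220424Z"))
tbs = der(0x30, der(0x02, b"\x00") + der(0x30, b"") * 2 + val + der(0x30, b"") * 2)
sample_cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
raw = b"\x05\x04" + bytes(64) + bytes([36]) + bytes(range(36)) + sample_cert + b"\x30\x00"
SAMPLE = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
print(cert_validity(parse_registration(SAMPLE)[2]))
```

Subtracting the two returned datetimes gives the certificate lifetime, which for these dates is the 2592000000 ms that the test site printed as "Validity (in millis)".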
(In reply to Tim Smith [:tdsmith] from comment #6)
> Hmm; mine reports the same product, vendor, and version, but I bought mine
> last October so it definitely antedates that firmware update.
>
> It looks like the lifetime of the certificates was bumped at the same time
> that PR landed, so if you see a longer-lived certificate on yours, that may
> be a way to discriminate between batches.
>
> I don't know why it works in Chrome but I'm happy to blame the token for
> non-compliance. I guess this is my excuse to upgrade to a token with NFC.
> Sorry for the goose chase!

Oh, not to worry! Our implementation is by no means perfect. I'm sad that there's a sad token out there. :(

Also, there may be a way to update the firmware [1] if you want. :)

[1] https://github.com/conorpp/u2f-zero/wiki/Building-a-U2F-Token
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME