nitrokey-3-firmware icon indicating copy to clipboard operation
nitrokey-3-firmware copied to clipboard

Published 20 hours ago verified publisher icon Nitrokey

Fido2luks does not work

Open szszszsz opened this issue 2 years ago • 5 comments

Fido2luks fails with setting up LUKS device. This works with Nitrokey FIDO2.

Dev returns: Device returned error: CborError: 0x14: Missing non-optional parameter.) If I have not made mistake during the early retest, this was the kty field, as reported by serde.

Logs with full traffic attached, as well as the used Makefile. Sim version: v1.2.2-alpha.20221130-111-ga1d9dd0 (current main), with updated dependencies to the latest (cargo update; see attached Cargo lock file).

PS I expect the same problem occurs, while running example of the responsible for the ctap communication underlying ctap_hmac crate. Might be easier for the debugging.

cc @robin-nitrokey

szszszsz avatar Feb 16 '23 11:02 szszszsz

This is caused by a bug in a Deserialize implementation in ctap-types: https://github.com/solokeys/ctap-types/issues/7.

robin-nitrokey avatar Feb 16 '23 20:02 robin-nitrokey

Though the algorithm field is really missing:

https://github.com/shimunn/ctap/blob/bf862f6a4bbc007263cbe679db33c8dd3c2ffc79/src/cbor.rs#L589-L590

I’m not sure whether this is valid.

robin-nitrokey avatar Feb 16 '23 22:02 robin-nitrokey

Okay, it’s optional:

   COSE_Key = {
       1 => tstr / int,          ; kty
       ? 2 => bstr,              ; kid
       ? 3 => tstr / int,        ; alg
       ? 4 => [+ (tstr / int) ], ; key_ops
       ? 5 => bstr,              ; Base IV
       * label => values
   }

https://www.rfc-editor.org/rfc/rfc8152#section-7

alg: This parameter is used to restrict the algorithm that is used with the key. If this parameter is present in the key structure, the application MUST verify that this algorithm matches the algorithm for which the key is being used.

https://www.rfc-editor.org/rfc/rfc8152#section-7.1

robin-nitrokey avatar Feb 16 '23 22:02 robin-nitrokey

Hi, sorry to bump this, but I'm curious about the state of this issue. Since the fido2luks project seems unmaintained/dead (although the software still works fine with the NK FIDO2), I'm wondering if this can be resolved from this side of the fence.

intr-cx avatar May 09 '23 07:05 intr-cx

@intr-cx The CTAP2 issues described above are fixed in the firmware, although we might revert some of the fixes in the future because the specification requires a strict implementation that rejects invalid data. Additionally, there is a bug in the USB descriptor parser used by fido2luks. We don’t want to work around that bug in the firmware. I’ve submitted patches to fix the parser. They might work for you, though I have only tested the device selection, not the entire LUKS setup:

  • https://github.com/ArdaXi/ctap/pull/5
  • https://github.com/shimunn/ctap/pull/8

robin-nitrokey avatar May 16 '23 15:05 robin-nitrokey