windows-fido-bridge

Failed to parse attestation object

Open jftanner opened this issue 10 months ago • 3 comments

Hello. Hopefully you can help me get this working. I'm trying to use Windows Hello (fingerprint, specifically) to generate an SSH key to use with GitHub.

I built from source, following the instructions and installed with sudo make install.

To generate a key pair, I ran: SSH_SK_PROVIDER=/usr/local/lib/libwindowsfidobridge.so ssh-keygen -t ecdsa-sk

After a fairly long wait (#21?), I was prompted by the Windows Hello screen and touched the fingerprint reader. Unfortunately, the result was unsuccessful:

Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
[2023-09-01 21:39:59.472] [win32-bridge] [critical] Failed to parse attestation object: Invalid or unknown attestation object format
Key enrollment failed: invalid format

Please let me know if there's any debugging information I can provide. I'm quite stuck. :(

Versions:

  • OpenSSH_8.9p1 Ubuntu-3ubuntu0.3, OpenSSL 3.0.2 15 Mar 2022
  • Ubuntu 22.04.3 LTS
  • WSL version: 1.2.5.0
  • Windows version: 10.0.22621.2134

jftanner avatar Sep 02 '23 01:09 jftanner

Same issue here.

  • OpenSSH_8.9p1 Ubuntu-3ubuntu0.4, OpenSSL 3.0.2 15 Mar 2022
  • Ubuntu 22.04.3 LTS
  • WSL version: 1.2.5.0
  • Windows version: 10.0.22621.2283

Compiled with the correct release flag (-DSK_API_VERSION=9)

Debug info:

[2023-10-07 15:12:27.494] [win32-bridge] [debug] Parsing CBOR attestation object
[2023-10-07 15:12:27.494] [win32-bridge] [debug] Map keys in CBOR attestation object: ["attStmt", "authData", "fmt"]
[2023-10-07 15:12:27.494] [win32-bridge] [debug] Attestation object format: "none"
[2023-10-07 15:12:27.495] [win32-bridge] [critical] Failed to parse attestation object: Invalid or unknown attestation object format

mxpph avatar Oct 07 '23 14:10 mxpph

Same thing here: first suffered #21, now stumbling into this. Fixed this as described (copied the .so file to /mnt/c/temp temporarily and ln it back to /usr/local/lib).

  • OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022
  • Ubuntu 22.04.4 LTS
  • WSL version: 2.0.9.0
  • Windows version: 10.0.22631.3235

Debug ssh-keygen

$ SSH_SK_PROVIDER=/usr/local/lib/libwindowsfidobridge.so ssh-keygen -t ecdsa-sk -C sk -vvv
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=122630
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper
debug1: sshsk_enroll: provider "/usr/local/lib/libwindowsfidobridge.so", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: sshsk_open: provider /usr/local/lib/libwindowsfidobridge.so implements version 0x00090000
[2024-03-10 18:36:31.673] [win32-bridge] [critical] Failed to parse attestation object: Invalid or unknown attestation object format
debug1: sshsk_enroll: provider "/usr/local/lib/libwindowsfidobridge.so" failure -1
debug1: ssh-sk-helper: Enrollment failed: invalid format
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -4
debug3: reap_helper: pid=122630
Key enrollment failed: invalid format

EDIT: Running with WINDOWS_FIDO_BRIDGE_DEBUG=1 adds the following information:

[2024-03-10 18:56:02.945] [linux-middleware] [debug] Parameters from OpenSSH:
[2024-03-10 18:56:02.945] [linux-middleware] [debug]     Algorithm: 0
[2024-03-10 18:56:02.945] [linux-middleware] [debug]     Challenge:
[2024-03-10 18:56:02.945] [linux-middleware] [debug]       |        0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
[2024-03-10 18:56:02.945] [linux-middleware] [debug]       | 0000: a9 a7 c5 ab 44 3d 52 c7 c1 0e 57 c8 15 ad 4c 6a  ....D=R...W...Lj
[2024-03-10 18:56:02.945] [linux-middleware] [debug]       | 0010: 14 a3 a7 53 1f 9b a3 c4 17 e7 d2 ee 76 b6 7a 15  ...S........v.z.
[2024-03-10 18:56:02.946] [linux-middleware] [debug]     Application: "ssh:"
[2024-03-10 18:56:02.946] [linux-middleware] [debug]     Flags: 0b00000001
[2024-03-10 18:56:02.946] [linux-middleware] [debug]     PIN: (not present)
[2024-03-10 18:56:02.946] [linux-middleware] [debug]     Options:
[2024-03-10 18:56:02.946] [linux-middleware] [debug]         (No options provided)
[2024-03-10 18:56:02.946] [linux-middleware] [debug] Sending CBOR to bridge: {"request_parameters": {"alg": 0, "application": "ssh:", "challenge": b"a9a7c5ab443d52c7c10e57c815ad4c6a14a3a7531f9ba3c417e7d2ee76b67a15", "flags": 1, "sk_options": []}, "request_type": "sk_enroll"}
[2024-03-10 18:56:02.946] [linux-middleware] [debug] Invoking Windows bridge with the following parameters:
[2024-03-10 18:56:02.946] [linux-middleware] [debug]   |        0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
[2024-03-10 18:56:02.946] [linux-middleware] [debug]   | 0000: a2 72 72 65 71 75 65 73 74 5f 70 61 72 61 6d 65  .rrequest_parame
[2024-03-10 18:56:02.946] [linux-middleware] [debug]   | 0010: 74 65 72 73 a5 63 61 6c 67 00 6b 61 70 70 6c 69  ters.calg.kappli
[2024-03-10 18:56:02.946] [linux-middleware] [debug]   | 0020: 63 61 74 69 6f 6e 64 73 73 68 3a 69 63 68 61 6c  cationdssh:ichal
[2024-03-10 18:56:02.946] [linux-middleware] [debug]   | 0030: 6c 65 6e 67 65 58 20 a9 a7 c5 ab 44 3d 52 c7 c1  lengeX ....D=R..
[2024-03-10 18:56:02.946] [linux-middleware] [debug]   | 0040: 0e 57 c8 15 ad 4c 6a 14 a3 a7 53 1f 9b a3 c4 17  .W...Lj...S.....
[2024-03-10 18:56:02.946] [linux-middleware] [debug]   | 0050: e7 d2 ee 76 b6 7a 15 65 66 6c 61 67 73 01 6a 73  ...v.z.eflags.js
[2024-03-10 18:56:02.946] [linux-middleware] [debug]   | 0060: 6b 5f 6f 70 74 69 6f 6e 73 80 6c 72 65 71 75 65  k_options.lreque
[2024-03-10 18:56:02.946] [linux-middleware] [debug]   | 0070: 73 74 5f 74 79 70 65 69 73 6b 5f 65 6e 72 6f 6c  st_typeisk_enrol
[2024-03-10 18:56:02.946] [linux-middleware] [debug]   | 0080: 6c                                               l
[2024-03-10 18:56:02.946] [linux-middleware] [debug] Forking.
[2024-03-10 18:56:02.946] [linux-middleware] [debug] Child process PID = 128418
[2024-03-10 18:56:02.946] [linux-middleware] [debug] Sending parameters to child process.
[2024-03-10 18:56:02.946] [linux-middleware] [debug] Parameters sent to child process, waiting for reply.
[2024-03-10 18:56:02.946] [linux-middleware] [debug] [Windows bridge child] Detected own library file path is "/usr/local/lib/libwindowsfidobridge.so".
[2024-03-10 18:56:02.946] [linux-middleware] [debug] [Windows bridge child] Using Windows bridge at "/usr/local/lib/windowsfidobridge.exe".
[2024-03-10 18:56:02.946] [linux-middleware] [debug] [Windows bridge child] Setting WSLENV environment variable to "WT_SESSION:WT_PROFILE_ID::WINDOWS_FIDO_BRIDGE_DEBUG:WINDOWS_FIDO_BRIDGE_FORCE_USER_VERIFICATION".
[2024-03-10 18:56:02.946] [linux-middleware] [debug] [Windows bridge child] Execing.
[2024-03-10 18:56:02.972] [win32-bridge] [debug] Received CBOR from caller: {"request_parameters": {"alg": 0, "application": "ssh:", "challenge": b"a9a7c5ab443d52c7c10e57c815ad4c6a14a3a7531f9ba3c417e7d2ee76b67a15", "flags": 1, "sk_options": []}, "request_type": "sk_enroll"}
[2024-03-10 18:56:02.986] [win32-bridge] [debug] Spawning background thread
[2024-03-10 18:56:30.937] [win32-bridge] [debug] Parsing CBOR attestation object
[2024-03-10 18:56:30.937] [win32-bridge] [debug] Map keys in CBOR attestation object: ["attStmt", "authData", "fmt"]
[2024-03-10 18:56:30.937] [win32-bridge] [debug] Attestation object format: "none"
[2024-03-10 18:56:30.937] [win32-bridge] [critical] Failed to parse attestation object: Invalid or unknown attestation object format
[2024-03-10 18:56:30.937] [win32-bridge] [debug] Sending CBOR to caller: {"return_code": -1}
[2024-03-10 18:56:30.938] [linux-middleware] [debug] Reply received from child process:
[2024-03-10 18:56:30.938] [linux-middleware] [debug]   |        0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
[2024-03-10 18:56:30.938] [linux-middleware] [debug]   | 0000: a1 6b 72 65 74 75 72 6e 5f 63 6f 64 65 20        .kreturn_code
[2024-03-10 18:56:30.938] [linux-middleware] [debug] Waiting for child process to exit.
[2024-03-10 18:56:30.945] [linux-middleware] [debug] Received CBOR from bridge: {"return_code": -1}
[2024-03-10 18:56:30.945] [linux-middleware] [debug] Bridge return code: -1

bbqrob avatar Mar 10 '24 17:03 bbqrob
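
Added example (not part of the thread and not the project's code): a minimal Python decoder for the definite-length CBOR subset visible in the debug log above, applied to the reply bytes from the hex dump and to a constructed attestation object with fmt "none", which in WebAuthn carries an empty attStmt map. The names cbor_decode, attestation_summary, REPLY_FROM_LOG and SAMPLE_NONE are assumptions of this example.

```python
def cbor_decode(buf, pos=0):
    """Decode one definite-length CBOR item at buf[pos]; return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated CBOR item")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:                      # argument stored in the initial byte
        arg = info
    elif info <= 27:                   # argument in the next 1, 2, 4 or 8 bytes
        size = 1 << (info - 24)
        if pos + size > len(buf):
            raise ValueError("truncated CBOR argument")
        arg = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("indefinite-length or reserved encoding not handled")
    if major in (0, 1):                # unsigned int, or negative int = -1 - arg
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):                # byte string / UTF-8 text string
        if pos + arg > len(buf):
            raise ValueError("truncated CBOR string")
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major == 4:                     # array of arg items
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:                     # map of arg key/value pairs
        out = {}
        for _ in range(arg):
            key, pos = cbor_decode(buf, pos)
            out[key], pos = cbor_decode(buf, pos)
        return out, pos
    raise ValueError(f"major type {major} not handled")

def attestation_summary(att_obj):
    """Return (fmt, len(authData)); a "none" statement must be an empty map."""
    obj, _ = cbor_decode(att_obj)
    if not isinstance(obj, dict) or not {"fmt", "attStmt", "authData"} <= obj.keys():
        raise ValueError("not an attestation object")
    if obj["fmt"] == "none" and obj["attStmt"] != {}:
        raise ValueError('"none" attestation must have an empty attStmt')
    return obj["fmt"], len(obj["authData"])

# REPLY_FROM_LOG: bytes copied from the reply hex dump above. SAMPLE_NONE: constructed.
REPLY_FROM_LOG = bytes.fromhex("a16b72657475726e5f636f646520")
SAMPLE_NONE = bytes.fromhex("a3 63666d74 646e6f6e65 6761747453746d74 a0 686175746844617461 5825") + bytes(37)
```

Decoding REPLY_FROM_LOG gives {"return_code": -1}, matching the "Sending CBOR to caller" line in the log; the final byte 0x20 is the CBOR encoding of -1.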

I think it's a hardware issue. For example, going to this website (webauthn.io) and selecting the "security key" advanced option leads to this pop-up: image

So the issue could be due to the device not supporting security keys.

mxpph avatar Mar 11 '24 09:03 mxpph