Comments

• 

  over 1 year ago by jzerebecki | Reply

  There are fido2 implementations for various stm32 boards, like the nitrokey start is one. But sadly I know of none that combine a fido2 and gpg implementation, though it is theoretically possible. E.g. https://github.com/solokeys/solo1 and there is also one in rust https://github.com/google/OpenSK

  If you can't get your hardware key to cooperate with the fido2 protocol, then there are fido2 implementations using the tpm2 most laptops have available. E.g. https://github.com/psanford/tpm-fido

×
Edit Comment 5933
# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

* Use asterisks
* for lists

This is an [example link](http://example.com/)

This is an ![example image](http://paste.opensuse.org/view/raw/68957446)

This is a user link @hans

This is a project link hw#some-cool-title
More Complex Markdown Help
Formatting Help
• Edit
• Preview
There are fido2 implementations for various stm32 boards, like the nitrokey start is one. But sadly I know of none that combine a fido2 and gpg implementation, though it is theoretically possible. E.g. https://github.com/solokeys/solo1 and there is also one in rust https://github.com/google/OpenSK If you can't get your hardware key to cooperate with the fido2 protocol, then there are fido2 implementations using the tpm2 most laptops have available. E.g. https://github.com/psanford/tpm-fido
 
×
Reply to jzerebecki
There are fido2 implementations for various stm32 boards, like the nitrokey start is one. But sadly I know of none that combine a fido2 and gpg implementation, though it is theoretically possible. E.g. https://github.com/solokeys/solo1 and there is also one in rust https://github.com/google/OpenSK
If you can't get your hardware key to cooperate with the fido2 protocol, then there are fido2 implementations using the tpm2 most laptops have available. E.g. https://github.com/psanford/tpm-fido
---
# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

* Use asterisks
* for lists

This is an [example link](http://example.com/)

This is an ![example image](http://paste.opensuse.org/view/raw/68957446)

This is a user link @hans

This is a project link hw#some-cool-title
More Complex Markdown Help
Formatting Help
• Edit
• Preview
 
• 

  over 1 year ago by mkoutny | Reply

  Report after Hackweek

  • I started decomposition by studying FF
    • the most important part is implemented in authenticator-rs
  • later I found related projects
    • https://github.com/ellerh/softfido
    • https://blog.hansenpartnership.com/webauthn-in-linux-with-a-tpm-via-the-hid-gadget/ (Git repo)
  • I've used the latter as a base for my experiment
  • I decided to use GPGME library to interact with GPG (it's as convenient to use as gpg itself :-/)
  • https://github.com/seiyak/GPGME-sample-code proved more useful that docs
  • I manually generated nistp256 GPG subkey with Authenticate capability to honor U2F specification (that's predecessor of FIDO2 that allows only this particular signing algo)
  • I suspect upstream kernel has inconsistent config definitions to build USB gadget for Tumbleweed, I applied following patch locally:

  --- a/drivers/usb/gadget/udc/Kconfig
  +++ b/drivers/usb/gadget/udc/Kconfig
  @@ -471,7 +471,7 @@ source "drivers/usb/gadget/udc/aspeed-vhub/Kconfig"
  
   config USB_DUMMY_HCD
          tristate "Dummy HCD (DEVELOPMENT)"
  -       depends on USB=y || (USB=m && USB_GADGET=m)
  +       depends on USB=y || (USB=m && USB_GADGET=y)
          help
            This host controller driver emulates USB, looping all data transfer
            requests back to a USB "gadget driver" in the same host.  The host
  

  • my quickly hacked program was able to register (aka provide public key) against https://webauthn.io/ but it's not able to authenticate (aka sign challenges)
  • my joy was stopped by RFC4880 that defines GPG signatures as follows (highlight mine):

  The concatenation of the data being signed and the signature data from the version number through the hashed subpacket data (inclusive) is hashed. The resulting hash value is what is signed.

  • that's where I stopped but I realize ssh-keygen -Y sign ... is the way forward (preferred to low-level communications with ssh-agent)
    • the point is that gpg-agent can act as ssh-agent too
  • the goal of this project should be achieved with the ssh-agent detour

×
Edit Comment 6515
# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

* Use asterisks
* for lists

This is an [example link](http://example.com/)

This is an ![example image](http://paste.opensuse.org/view/raw/68957446)

This is a user link @hans

This is a project link hw#some-cool-title
More Complex Markdown Help
Formatting Help
• Edit
• Preview
## Report after Hackweek - I started decomposition by studying FF - the most important part is implemented in [authenticator-rs](https://github.com/mozilla/authenticator-rs) - later I found related projects - https://github.com/ellerh/softfido - https://blog.hansenpartnership.com/webauthn-in-linux-with-a-tpm-via-the-hid-gadget/ ([Git repo](https://git.kernel.org/pub/scm/linux/kernel/git/jejb/fido2-ctap-gadget.git)) - I've used the latter as a base for my experiment - I decided to use GPGME library to interact with GPG (it's as convenient to use as gpg itself :-/) - https://github.com/seiyak/GPGME-sample-code proved more useful that docs - I manually generated nistp256 GPG subkey with Authenticate capability to honor U2F specification (that's predecessor of FIDO2 that allows only this particular signing algo) - I suspect upstream kernel has inconsistent config definitions to build USB gadget for Tumbleweed, I applied following patch locally: ``` --- a/drivers/usb/gadget/udc/Kconfig +++ b/drivers/usb/gadget/udc/Kconfig @@ -471,7 +471,7 @@ source "drivers/usb/gadget/udc/aspeed-vhub/Kconfig" config USB_DUMMY_HCD tristate "Dummy HCD (DEVELOPMENT)" - depends on USB=y || (USB=m && USB_GADGET=m) + depends on USB=y || (USB=m && USB_GADGET=y) help This host controller driver emulates USB, looping all data transfer requests back to a USB "gadget driver" in the same host. The host ``` - my [quickly hacked program](https://gitlab.suse.de/mkoutny/hackweek-21) was able to register (aka provide public key) against https://webauthn.io/ but it's not able to authenticate (aka sign challenges) - my joy was stopped by RFC4880 that defines GPG signatures as follows (highlight mine): > The _concatenation of the data being signed and the signature data_ > from the version number through the hashed subpacket data (inclusive) > is hashed. The resulting hash value is what is signed. - that's where I stopped but I realize `ssh-keygen -Y sign ...` is the way forward (preferred to low-level communications with ssh-agent) - the point is that gpg-agent can act as ssh-agent too - the goal of this project should be achieved with the ssh-agent detour
 
×
Reply to mkoutny
Report after Hackweek
• I started decomposition by studying FF
  • the most important part is implemented in authenticator-rs
• later I found related projects
  • https://github.com/ellerh/softfido
  • https://blog.hansenpartnership.com/webauthn-in-linux-with-a-tpm-via-the-hid-gadget/ (Git repo)
• I've used the latter as a base for my experiment
• I decided to use GPGME library to interact with GPG (it's as convenient to use as gpg itself :-/)
• https://github.com/seiyak/GPGME-sample-code proved more useful that docs
• I manually generated nistp256 GPG subkey with Authenticate capability to honor U2F specification (that's predecessor of FIDO2 that allows only this particular signing algo)
• I suspect upstream kernel has inconsistent config definitions to build USB gadget for Tumbleweed, I applied following patch locally:
--- a/drivers/usb/gadget/udc/Kconfig
+++ b/drivers/usb/gadget/udc/Kconfig
@@ -471,7 +471,7 @@ source "drivers/usb/gadget/udc/aspeed-vhub/Kconfig"

 config USB_DUMMY_HCD
        tristate "Dummy HCD (DEVELOPMENT)"
-       depends on USB=y || (USB=m && USB_GADGET=m)
+       depends on USB=y || (USB=m && USB_GADGET=y)
        help
          This host controller driver emulates USB, looping all data transfer
          requests back to a USB "gadget driver" in the same host.  The host
• my quickly hacked program was able to register (aka provide public key) against https://webauthn.io/ but it's not able to authenticate (aka sign challenges)
• my joy was stopped by RFC4880 that defines GPG signatures as follows (highlight mine):
The concatenation of the data being signed and the signature data from the version number through the hashed subpacket data (inclusive) is hashed. The resulting hash value is what is signed.
• that's where I stopped but I realize ssh-keygen -Y sign ... is the way forward (preferred to low-level communications with ssh-agent)
  • the point is that gpg-agent can act as ssh-agent too
• the goal of this project should be achieved with the ssh-agent detour
---
# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

* Use asterisks
* for lists

This is an [example link](http://example.com/)

This is an ![example image](http://paste.opensuse.org/view/raw/68957446)

This is a user link @hans

This is a project link hw#some-cool-title
More Complex Markdown Help
Formatting Help
• Edit
• Preview