SUSE Hack Week: FIDO2 emulation

# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

- Use hyphens
- for unordereed
- lists

This is an [link to example.com](http://example.com/)

This is an image ![an openSUSE geeko icon](https://en.opensuse.org/images/d/d0/Icon-distribution.png)

This is a user link @hans

This is a project link hw#some-cool-title

More Complex Markdown Help

Formatting Help

# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

- Use hyphens
- for unordereed
- lists

This is an [link to example.com](http://example.com/)

This is an image ![an openSUSE geeko icon](https://en.opensuse.org/images/d/d0/Icon-distribution.png)

This is a user link @hans

This is a project link hw#some-cool-title

More Complex Markdown Help

Formatting Help

Edit
Preview

## Report after Hackweek

- I started decomposition by studying FF
  - the most important part is implemented in [authenticator-rs](https://github.com/mozilla/authenticator-rs)
- later I found related projects
  - https://github.com/ellerh/softfido
  - https://blog.hansenpartnership.com/webauthn-in-linux-with-a-tpm-via-the-hid-gadget/ ([Git repo](https://git.kernel.org/pub/scm/linux/kernel/git/jejb/fido2-ctap-gadget.git))
- I've used the latter as a base for my experiment
- I decided to use GPGME library to interact with GPG (it's as convenient to use as gpg itself :-/)
- https://github.com/seiyak/GPGME-sample-code proved more useful that docs
- I manually generated nistp256 GPG subkey with Authenticate capability to honor U2F specification (that's predecessor of FIDO2 that allows only this particular signing algo)
- I suspect upstream kernel has inconsistent config definitions to build USB gadget for Tumbleweed, I applied following patch locally:

```
--- a/drivers/usb/gadget/udc/Kconfig
+++ b/drivers/usb/gadget/udc/Kconfig
@@ -471,7 +471,7 @@ source "drivers/usb/gadget/udc/aspeed-vhub/Kconfig"
 
 config USB_DUMMY_HCD
        tristate "Dummy HCD (DEVELOPMENT)"
-       depends on USB=y || (USB=m && USB_GADGET=m)
+       depends on USB=y || (USB=m && USB_GADGET=y)
        help
          This host controller driver emulates USB, looping all data transfer
          requests back to a USB "gadget driver" in the same host.  The host
```
- my [quickly hacked program](https://gitlab.suse.de/mkoutny/hackweek-21) was able to register (aka provide public key) against https://webauthn.io/ but it's not able to authenticate (aka sign challenges)
- my joy was stopped by RFC4880 that defines GPG signatures as follows (highlight mine):

> The _concatenation of the data being signed and the signature data_
> from the version number through the hashed subpacket data (inclusive)
> is hashed.  The resulting hash value is what is signed.

- that's where I stopped but I realize `ssh-keygen -Y sign ...` is the way forward (preferred to low-level communications with ssh-agent)
  - the point is that gpg-agent can act as ssh-agent too
- the goal of this project should be achieved with the ssh-agent detour

Report after Hackweek

I started decomposition by studying FF
- the most important part is implemented in authenticator-rs
later I found related projects
- https://github.com/ellerh/softfido
- https://blog.hansenpartnership.com/webauthn-in-linux-with-a-tpm-via-the-hid-gadget/ (Git repo)
I've used the latter as a base for my experiment
I decided to use GPGME library to interact with GPG (it's as convenient to use as gpg itself :-/)
https://github.com/seiyak/GPGME-sample-code proved more useful that docs
I manually generated nistp256 GPG subkey with Authenticate capability to honor U2F specification (that's predecessor of FIDO2 that allows only this particular signing algo)
I suspect upstream kernel has inconsistent config definitions to build USB gadget for Tumbleweed, I applied following patch locally:

``` --- a/drivers/usb/gadget/udc/Kconfig +++ b/drivers/usb/gadget/udc/Kconfig @@ -471,7 +471,7 @@ source "drivers/usb/gadget/udc/aspeed-vhub/Kconfig"

config USBDUMMYHCD tristate "Dummy HCD (DEVELOPMENT)" - depends on USB=y || (USB=m && USBGADGET=m) + depends on USB=y || (USB=m && USBGADGET=y) help This host controller driver emulates USB, looping all data transfer requests back to a USB "gadget driver" in the same host. The host ``` - my quickly hacked program was able to register (aka provide public key) against https://webauthn.io/ but it's not able to authenticate (aka sign challenges) - my joy was stopped by RFC4880 that defines GPG signatures as follows (highlight mine):

> The concatenation of the data being signed and the signature data > from the version number through the hashed subpacket data (inclusive) > is hashed. The resulting hash value is what is signed.

that's where I stopped but I realize ssh-keygen -Y sign ... is the way forward (preferred to low-level communications with ssh-agent)
- the point is that gpg-agent can act as ssh-agent too
the goal of this project should be achieved with the ssh-agent detour

# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

- Use hyphens
- for unordereed
- lists

This is an [link to example.com](http://example.com/)

This is an image ![an openSUSE geeko icon](https://en.opensuse.org/images/d/d0/Icon-distribution.png)

This is a user link @hans

This is a project link hw#some-cool-title

More Complex Markdown Help

Formatting Help

Project Description

Goal for this Hackweek

Resources

Looking for hackers with the skills:

This project is part of:

Activity

Comments

almost 3 years ago by jzerebecki | Reply

almost 3 years ago by mkoutny | Reply

Report after Hackweek

Similar Projects