Manually signing a challenge using credential stored on Yubikey #683

apantina · 2023-03-15T18:20:19Z

apantina
Mar 15, 2023

Hi all!

First of all - thanks for the work being done and for actively answering questions here, it's very much appreciated.

I am learning how to use FIDO2 and libfido2 itself, and so far I understand how to create and assert credentials using this library thanks to the useful examples provided. However, I was wondering if it's possible to leverage the library to sign a challenge manually using the private key stored in the authenticator and then return it to the caller for verification. The caller would be able to verify the validity of the signed challenge using the public key generated when the credential was made.
So far I was able to use the cred and assert examples in conjunction but I want to be able to return a signed challenge and offload the verification to an external entity as described above.

If my approach makes sense, what would be the library call(s) necessary? Also, is it possible to do this using the available CLI tools (fido2-assert, fido2-cred, fido2-token) or do I need to make my own wrapper that calls the library?

Thanks in advance.

Answered by LDVG

Mar 16, 2023

Hi,

In essence, yes, this is the intended usage.

If you have a look at the examples you will find that they have separate verification steps, passing in only the required data as extracted from the previous communication with the authenticator. Assuming you'll want to do this for both "registration" and "authentication" steps, you'll be particularly interested in the manual pages for fido_cred_authdata_ptr(3), fido_cred_verify(3), fido_assert_authdata_ptr(3), fido_assert_verify(3), and related functions/pages.

Our fido2-cred(1) and fido2-assert(1) tools work much in the same way and may serve as even better examples: Calling fido2-cred -M creates a new credential and fido2-cred -V verifie…

View full answer

LDVG · 2023-03-16T08:37:53Z

LDVG
Mar 16, 2023
Maintainer

Hi,

In essence, yes, this is the intended usage.

If you have a look at the examples you will find that they have separate verification steps, passing in only the required data as extracted from the previous communication with the authenticator. Assuming you'll want to do this for both "registration" and "authentication" steps, you'll be particularly interested in the manual pages for fido_cred_authdata_ptr(3), fido_cred_verify(3), fido_assert_authdata_ptr(3), fido_assert_verify(3), and related functions/pages.

Our fido2-cred(1) and fido2-assert(1) tools work much in the same way and may serve as even better examples: Calling fido2-cred -M creates a new credential and fido2-cred -V verifies it. Similarly, fido2-assert -G obtains an assertion from the authenticator and fido2-assert -V verifies it.

Finally, you will want to familiarize yourself with attestation and assertion signatures as defined by WebAuthn.

Hope this helps!

1 reply

apantina Mar 16, 2023
Author

This is great, thank you!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Manually signing a challenge using credential stored on Yubikey #683

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Manually signing a challenge using credential stored on Yubikey #683

Uh oh!

apantina Mar 15, 2023

Replies: 1 comment · 1 reply

Uh oh!

Uh oh!

LDVG Mar 16, 2023 Maintainer

Uh oh!

apantina Mar 16, 2023 Author

apantina
Mar 15, 2023

Replies: 1 comment 1 reply

LDVG
Mar 16, 2023
Maintainer

apantina Mar 16, 2023
Author