brucedog / u2f_core Goto Github PK

Would you be open to dumping the bouncy castle dependency in favor of standard framework crypto or are you trying to keep everything 1-1 with the java implementation? With .NET Core 2.0 we should be able to do all of the needed crypto.

bfoster.me does not work with generic U2F device. Tried these:
https://www.ftsafe.com/products/FIDO/NFC
https://hypersecu.com/products/hyperfido

Works fine with github, google and hypersecu demo app (https://u2fdemo.hypersecu.com/signup <- has a glass mode for debugging).

Does your lib works only with Yubikey?

When register an account and pair my Solokey, the following error is shown on screen:
exception of type 'U2F.Core.Exceptions.U2fException' was thrown.

https://solokeys.com/

Hi Bryce,

My Yubico FIDO U2F key is working with the Yubico's test site (https://demo.yubico.com/u2f) using both Chrome 63 and FF 57.0.2.

I also have your U2F test application working with Chrome 63. However, I've not been able to get it to work with FF 57.0.2. With FF, the Finish Authentication page displays but the key never starts blinking. I also tried using the latest u2f-api (https://demo.yubico.com/js/u2f-api.js) but neither Chrome or FF works with the test app with the latest api--the key never starts blinking on the Finish Authentication page.

Maybe you've run into this sort of thing before? Thanks for any help or ideas you have.

Best,

• Jeff

When attempting to register a device on the demo site in Safari 13.1.2, I get the model pop-up prompting U2F interaction but my U2F key does not begin blinking for interaction.

I am using Yubikey 5C Nano.

Registration/Authentication works from most other U2F compatible sites (GitHub, Yubico Demo Site).

NuGet package does not seem to work.

1. Create a new, blank ASP.NET Core website project. (my test was with a Full Framework project).
2. Launch website. Observe it works just fine.
3. Run Install-Package U2F.Core
4. Launch website. Observe error on startup:

System.IO.FileNotFoundException: 'Could not load file or assembly 'System.Runtime, Version=4.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The system cannot find the file specified.'
Inner Exception:
FileNotFoundException: Could not load file or assembly 'System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The system cannot find the file specified.

When adding the package from NuGet it shows that there are no dependencies, which definitely isn't right either. https://www.nuget.org/packages/U2F.Core

Just upgraded to v2.0.0 and am testing it out. It works great on Windows, however, fails on Linux (maybe macOS too, have not tested that).

Trying to call FinishRegistration on a Linux (Debian) host causes U2fException (Error when verifying signature). Stack trace shows it coming from the CheckSignature method.

Reverting back to v1.0.4 resolves the problem.

U2F.Core.Exceptions.U2fException: Error when verifying signature
   at U2F.Core.Crypto.CryptoService.CheckSignature(X509Certificate2 attestationCertificate, Byte[] signedBytes, Byte[] signature)
   at U2F.Core.Models.RawRegisterResponse.CheckSignature(String appId, String clientData)
   at U2F.Core.Crypto.U2F.FinishRegistration(StartedRegistration startedRegistration, RegisterResponse tokenResponse, HashSet`1 facets)
   at Bit.Core.Services.UserService.CompleteU2fRegistrationAsync(User user, Int32 id, String name, String deviceResponse) in /home/bitwarden/Projects/bitwarden/core/src/Core/Services/Implementations/UserService.cs:line 330
   at Bit.Api.Controllers.TwoFactorController.PutU2f(TwoFactorU2fRequestModel model) in /home/bitwarden/Projects/bitwarden/core/src/Api/Controllers/TwoFactorController.cs:line 221
   at lambda_method(Closure , Object )
   at Microsoft.Extensions.Internal.ObjectMethodExecutorAwaitable.Awaiter.GetResult()
   at Microsoft.AspNetCore.Mvc.Internal.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeActionMethodAsync()
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeNextActionFilterAsync()
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Rethrow(ActionExecutedContext context)
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeInnerFilterAsync()
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeNextExceptionFilterAsync()

My guess is some break in the new crypto libs being used.

Bryce, just a heads-up that this 12/12/17 reported problem might affect Bouncy Castle crypto apis being used by U2F_Core. I believe a Bouncy Castle fix is currently in beta.
https://nvd.nist.gov/vuln/detail/CVE-2017-13098
https://robotattack.org/
http://www.securityweek.com/old-crypto-vulnerability-hits-major-tech-firms

I am unable to open the solution source code in VS2015 because the VS2017 csproj files are not backwards compatible with VS2015.

Thinking about creating a new empty ASP.Core project in VS2015 and trying to manually copy the U2F_Core source files into the empty VS2015 project. Do you think manually porting the source to VS2015 would work? Can you offer any guidance or suggestions on reconstructing from a new project?

I realize I could get the compiled U2F_Core DLL via NuGet but I'd really like to work directly with the source to understand how it works.

The overall goal is investigate using the library with a VS2015 ASP.Core 1.1 web application (full-framework 4.5.2) with ASP.NET Core Identity.

Thanks!

Should this work in Firefox?

I am using U2F.Core in my own application and it works great in Chrome. I see odd behavior in Firefox. Device registration works fine, but Authenticating with the device gives an errorCode 2.

When trying to use your demo site in Firefox, it does not work for me at all (device does not enable for input).

GitHub, Facebook, other U2F implementations work fine.

Do you know if it is possible to use U2F_Core on the server for performing the same U2F operations while using WenAuthn APIs on the client? We are looking to migrate our clients to WebAuthn and I am not sure if it will work.