Comments (6)
The underlying issue seems to be this: https://lists.fedoraproject.org/archives/list/[email protected]/thread/VVLHQAWI3IQ7NRLKMUHJ27JV3V2JAFDP/
The easiest fix would be to detect this and skip those tests, but it doesn't solve the bigger problem of TPM attestation using SHA1 not being verifiable on RHEL. I'm on vacation this coming week, but will take a look at it when I'm back. In the meantime I'd welcome suggestions on how we should tackle this!
from python-fido2.
You can switch RHEL 9 to still accept SHA-1 by running `update-crypto-policies --set DEFAULT:SHA1`. Obviously that's a very temporary measure, and won't solve the issue for systems in FIPS mode, for example, which no longer allow SHA-1 in signatures without a toggle to re-enable them.
Given that the writing is on the wall for SHA-1 (https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm), the proper solution is to use a newer digest algorithm where available.
It seems to me that the only thing we can do here is to skip the relevant tests if SHA1 is disabled. If you need to validate attestation using SHA1 signatures, then you'll need to use the `update-crypto-policies` command mentioned above. Unfortunately since we're not creating these signatures, only validating them, there's no way for us to switch algorithms.
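As an added illustration (not python-fido2's own code), one way to implement the skip proposed above: probe whether the OpenSSL backend behind `cryptography` will still sign and verify with SHA-1, and skip the SHA-1 attestation tests when it will not. The `cryptography` calls are real; the helper names and the `probe` injection point are my own assumptions.

```python
import functools
import unittest


def _rsa_pkcs1v15_roundtrip(hash_name: str) -> None:
    """Sign and verify a constructed message with a throwaway RSA key.

    Lets whatever the backend raises propagate: on a RHEL 9 host whose
    crypto policy forbids SHA-1 in signatures, OpenSSL refuses the
    operation and ``cryptography`` surfaces that as an exception.
    """
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding, rsa

    algorithm = getattr(hashes, hash_name)()
    # 2048 bits so that a FIPS policy objects to the digest, not the key size.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    message = b"constructed probe message"
    signature = key.sign(message, padding.PKCS1v15(), algorithm)
    key.public_key().verify(signature, message, padding.PKCS1v15(), algorithm)


def signature_digest_allowed(hash_name: str, probe=_rsa_pkcs1v15_roundtrip) -> bool:
    """True if the backend completes a sign/verify round trip with hash_name.

    Any exception from the probe (UnsupportedAlgorithm, InternalError,
    ValueError, even ImportError if cryptography is missing) means this
    host cannot validate attestations signed with that digest.
    """
    try:
        probe(hash_name)
    except Exception:
        return False
    return True


@functools.lru_cache(maxsize=None)
def sha1_signatures_allowed() -> bool:
    """Cached so the key generation happens once per test run."""
    return signature_digest_allowed("SHA1")


# Decorator for the SHA-1 attestation tests: skip rather than fail.
skip_without_sha1 = unittest.skipUnless(
    sha1_signatures_allowed(), "SHA-1 signatures disabled by the crypto policy"
)
```

Decorate the test cases that verify SHA-1-signed attestations with `skip_without_sha1`; on a host where the policy has been relaxed with the command above, the probe succeeds and the tests run normally.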
I pushed a potential fix (to skip the test) here: https://github.com/Yubico/python-fido2/tree/fix/sha1-test-skip
Could someone with RHEL9 verify that it works as intended?
The fix has now been released in version 1.1.2. Hopefully that resolves this.
LGTM, thanks!