
FIDO2 list-credentials fails #336

Closed
zimward opened this issue Mar 13, 2023 · 4 comments · Fixed by #360
Labels
bug Something isn't working device/Nitrokey FIDO2 Concerns Nitrokey FIDO2 UI

Comments

@zimward

zimward commented Mar 13, 2023

Like the title says, running nitropy fido2 list-credentials fails.

I've installed the udev rules and can normally use the key, but managing the credentials is not working. The firmware of the FIDO2 key is the newest version.
I also tried to use chromium but it only offers me an empty list so it might also be a firmware bug.

Here is the log-file (host- and username as well as other usb-devices have been censored):
nitropy.log

@robin-nitrokey
Member

The error occurs inside fido2/ctap2/credman.py:

  File "/home/user/.local/pipx/venvs/pynitrokey/lib/python3.10/site-packages/pynitrokey/cli/fido2.py", line 221, in list_credentials
    reliable_party_list = cred_manager.enumerate_rps()
  File "/home/user/.local/pipx/venvs/pynitrokey/lib/python3.10/site-packages/fido2/ctap2/credman.py", line 159, in enumerate_rps
    n_rps = first[CredentialManagement.RESULT.TOTAL_RPS]
KeyError: <RESULT.TOTAL_RPS: 5>

https://github.com/Yubico/python-fido2/blob/1.1.0/fido2/ctap2/credman.py#L159

The totalRPs field is missing from the enumerateRPsBegin response although it is required (§ 6.8.3 of the spec). Looking at the source code, it is omitted if zero:

https://github.com/Nitrokey/nitrokey-fido2-firmware/blob/12f2c14c6d7752293385c4c2f5317f16b0b63e61/fido2/ctap.c#L1456-L1462

So my understanding is that there really are no credentials to be listed. Note that not all credentials are discoverable with this command. In fact, most credentials used for 2FA are not. Typically, you’ll only have discoverable credentials (“resident keys”) if you use password-less login, e. g. with Google or Microsoft. Are you sure this is the case for your device?

@zimward
Author

zimward commented Mar 14, 2023

Ah, so there is a difference between those credentials. I do in fact have no passwordless logins configured, although there should still be a proper message to the user instead of a KeyError.

@szszszsz
Member

To do:


robin-nitrokey added a commit that referenced this issue Mar 28, 2023
If we know that the credentials count is zero, we don’t have to
enumerate RPs.  This works around an issue with the Nitrokey FIDO2 not
including the totalRPs field in the enumeration response if it is zero.

Fixes: #336
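As an added example (not pynitrokey's or python-fido2's code), here is a pure-Python model of the credentialManagement exchange discussed in the comment above and in the fix commit: the subcommand and response keys are the ones from CTAP 2.1 §6.8 (totalRPs is key 5, which is the value shown in the KeyError), a constructed fake authenticator reproduces the firmware behaviour of omitting totalRPs when it is zero, the naive lookup reproduces the KeyError from the traceback, and the hardened version applies the workaround from the commit message (read getCredsMetadata first and skip enumeration when the count is zero) while turning a missing mandatory field into a clear error instead of a KeyError. The `device` callable interface is an assumption of this example, not a real API.

```python
"""Model of CTAP2 credentialManagement RP enumeration and the totalRPs workaround."""
import hashlib
from typing import Callable, Dict, List, Sequence

# authenticatorCredentialManagement subcommands (CTAP 2.1, section 6.8).
CMD_GET_CREDS_METADATA = 0x01
CMD_ENUMERATE_RPS_BEGIN = 0x02
CMD_ENUMERATE_RPS_NEXT = 0x03

# Response map keys (CTAP 2.1, section 6.8). 0x05 is the "totalRPs" key
# that appears in the issue's traceback as <RESULT.TOTAL_RPS: 5>.
RESULT_EXISTING_CRED_COUNT = 0x01
RESULT_MAX_REMAINING_COUNT = 0x02
RESULT_RP = 0x03
RESULT_RP_ID_HASH = 0x04
RESULT_TOTAL_RPS = 0x05

# Hypothetical transport: a callable mapping a subcommand to the decoded
# CBOR response map. Real clients would also send PIN/UV auth parameters.
Device = Callable[[int], Dict[int, object]]


class MissingTotalRpsError(Exception):
    """enumerateRPsBegin omitted the mandatory totalRPs field."""


def naive_list_rps(device: Device) -> List[str]:
    """Mirrors the failing path: reads totalRPs unconditionally."""
    first = device(CMD_ENUMERATE_RPS_BEGIN)
    total = first[RESULT_TOTAL_RPS]  # KeyError when the field is absent
    rps = [first[RESULT_RP]["id"]]
    for _ in range(total - 1):
        rps.append(device(CMD_ENUMERATE_RPS_NEXT)[RESULT_RP]["id"])
    return rps


def list_rps(device: Device) -> List[str]:
    """Workaround from the fix commit: check the credential count first."""
    meta = device(CMD_GET_CREDS_METADATA)
    if meta.get(RESULT_EXISTING_CRED_COUNT, 0) == 0:
        return []  # nothing discoverable, so do not enumerate RPs at all
    first = device(CMD_ENUMERATE_RPS_BEGIN)
    if RESULT_TOTAL_RPS not in first:
        # Required by the spec; report it plainly rather than leaking a KeyError.
        raise MissingTotalRpsError("authenticator omitted totalRPs from enumerateRPsBegin")
    total = int(first[RESULT_TOTAL_RPS])
    rps = [first[RESULT_RP]["id"]]
    for _ in range(total - 1):
        rps.append(device(CMD_ENUMERATE_RPS_NEXT)[RESULT_RP]["id"])
    return rps


def nitrokey_like_device(rp_ids: Sequence[str], capacity: int = 50) -> Device:
    """Constructed fake authenticator holding one discoverable credential per RP.

    Like the firmware linked in the issue, it leaves out totalRPs when the
    count is zero. The capacity value is made up for this example.
    """
    cursor = {"next": 0}

    def handle(cmd: int) -> Dict[int, object]:
        if cmd == CMD_GET_CREDS_METADATA:
            return {RESULT_EXISTING_CRED_COUNT: len(rp_ids),
                    RESULT_MAX_REMAINING_COUNT: capacity - len(rp_ids)}
        if cmd == CMD_ENUMERATE_RPS_BEGIN:
            cursor["next"] = 1
            resp: Dict[int, object] = {}
            if rp_ids:  # totalRPs (and the first RP) only present when non-zero
                resp[RESULT_RP] = {"id": rp_ids[0]}
                resp[RESULT_RP_ID_HASH] = hashlib.sha256(rp_ids[0].encode()).digest()
                resp[RESULT_TOTAL_RPS] = len(rp_ids)
            return resp
        if cmd == CMD_ENUMERATE_RPS_NEXT:
            i = cursor["next"]
            cursor["next"] += 1
            return {RESULT_RP: {"id": rp_ids[i]},
                    RESULT_RP_ID_HASH: hashlib.sha256(rp_ids[i].encode()).digest()}
        raise ValueError(f"unsupported subcommand {cmd:#x}")

    return handle


if __name__ == "__main__":
    empty = nitrokey_like_device([])
    try:
        naive_list_rps(empty)
    except KeyError as exc:
        print("naive path fails as in the issue:", exc)
    print("hardened path, empty device:", list_rps(empty))
    print("hardened path, two RPs:",
          list_rps(nitrokey_like_device(["login.example", "sso.example"])))
```

Run stand-alone, the script shows the naive lookup raising KeyError on the empty device while the hardened path returns an empty list, and both paths agree once credentials exist. Checking getCredsMetadata first costs one extra round trip but avoids depending on an optional-in-practice field.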