Struggling to use the "assert" example: FIDO_ERR_NO_CREDENTIALS

[JonasVautherin]

I am trying to use the assert example, but it fails with assert: fido_dev_get_assert: FIDO_ERR_NO_CREDENTIALS (0x2e).

I tried this:

build/examples/assert -t eddsa -a ~/.ssh/id_ed25519_sk -P "<my FIDO pin>" /path/to/id_ed25519_sk.pub.pem /dev/hidraw7

Reading from the sources, I assumed that:

• The "credential" is the path to the handle file ("private key")
• <pubkey> is expected in PEM format. I created the PEM file from my public key file with:

echo "-----BEGIN PUBLIC KEY-----" > id_ed25519_sk.pub.pem
openssl base64 -in ~/.ssh/id_ed25519_sk.pub >> id_ed25519_sk.pub.pem
echo "-----END PUBLIC KEY-----" >> id_ed25519_sk.pub.pem

The example README also says that [-a cred_id] can be omitted for the resident key, but I get the same error when I omit it.

What am I doing wrong? 😕

[LDVG]

Hi,

Are you trying to use an SSH credential with our examples? That will not work without further modifications due to several reasons:

1. The example is hard-coded to use localhost as the RP (your SSH credential is probably bound to something else);
2. The -a option expects a base64-encoded credential ID, not a SSH private key file;
3. The pubkey argument expects a PEM-encoded public key in X.509's Subject Public Key format, not a wrapped SSH public key file.

If you extract the corresponding parts from the SSH key files, and recreate the expected input format, you could probably get a successful assertion using tools/fido2-assert rather than the example.

What are you trying to accomplish though? If you're just trying to figure out how our API works, I recommend looking at and using examples/cred and examples/assert together instead of mixing in third-party credentials. 🙂

[JonasVautherin]

Thanks a lot, that's already helpful!

What are you trying to accomplish though?

Sure I can give more context 😊.

For the learning experience, I am playing with libgit2 and trying to use my Yubikeys for SSH. At some point I get a git_credential_sign_cb called, that looks like this:

typedef int git_credential_sign_cb(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len, const unsigned char *data, size_t data_len, void **abstract); 

My understanding is that I need to "sign" the challenge (*data), and that in FIDO2 this is called "getting an assertion". Note that I am guessing a bit because all the docs I find are about WebAuthn (and generally seem higher level than what I'm trying to do) and SSH seems slightly different, e.g. the RP seems to be hardcoded to "ssh:", and the credential is defined as follows:

credential_id,rp_id,user_name,user_display_name,user_id
38f78a029...,ssh:,openssh,openssh,0000000000000000000000000000000000000000000000000000000000000000

So my plan was to first get the assert example to work and then figure out how to pass the challenge to the assert function (because the example doesn't take a challenge as an argument, that's also something I will need to understand 😇).

The pubkey argument expects a PEM-encoded public key in X.509's Subject Public Key format, not a wrapped SSH public key file.

I guess this might be hard too: I have been struggling to convert the public key to PEM (it works with a "normal"/non-sk public key, but with the Yubikey public key I can't seem to make the conversion with tools like openssl).

[LDVG]

Having limited experience with libgit2, I unfortunately don't know what that callback expects.

If you really want to try to get an assertion with our tooling instead of our library functions first, and really want to experiment with OpenSSH keys directly, here's an example of crudely extracting information out of the SSH private key file:

$ ssh-keygen -q -t ecdsa-sk -C '' -O application=ssh://foo -f /tmp/key
Enter passphrase for "/tmp/key" (empty for no passphrase):
Enter same passphrase again:

Let's have a look at the raw contents:

$ grep -v SSH /tmp/key | base64 -d | xxd
00000000: 6f70 656e 7373 682d 6b65 792d 7631 0000  openssh-key-v1..
00000010: 0000 046e 6f6e 6500 0000 046e 6f6e 6500  ...none....none.
00000020: 0000 0000 0000 0100 0000 8400 0000 2273  .............."s
00000030: 6b2d 6563 6473 612d 7368 6132 2d6e 6973  k-ecdsa-sha2-nis
00000040: 7470 3235 3640 6f70 656e 7373 682e 636f  [email protected]
00000050: 6d00 0000 086e 6973 7470 3235 3600 0000  m....nistp256...
00000060: 4104 4d45 a3c2 95e3 f8ae 1f3b f02b b4c4  A.ME.......;.+..
00000070: 0602 50b7 6601 37a6 d6d5 f46c 17e3 95b0  ..P.f.7....l....
00000080: 735d 737c 2065 0b04 0d61 376a 8332 24ae  s]s| e...a7j.2$.
00000090: 6d2f f1e3 0180 8cd0 c540 ba4c c00f c9a3  m/[email protected]....
000000a0: 2191 0000 0009 7373 683a 2f2f 666f 6f00  !.....ssh://foo.
000000b0: 0000 e0f9 f1f1 b7f9 f1f1 b700 0000 2273  .............."s
000000c0: 6b2d 6563 6473 612d 7368 6132 2d6e 6973  k-ecdsa-sha2-nis
000000d0: 7470 3235 3640 6f70 656e 7373 682e 636f  [email protected]
000000e0: 6d00 0000 086e 6973 7470 3235 3600 0000  m....nistp256...
000000f0: 4104 4d45 a3c2 95e3 f8ae 1f3b f02b b4c4  A.ME.......;.+..
00000100: 0602 50b7 6601 37a6 d6d5 f46c 17e3 95b0  ..P.f.7....l....
00000110: 735d 737c 2065 0b04 0d61 376a 8332 24ae  s]s| e...a7j.2$.
00000120: 6d2f f1e3 0180 8cd0 c540 ba4c c00f c9a3  m/[email protected]....
00000130: 2191 0000 0009 7373 683a 2f2f 666f 6f01  !.....ssh://foo.
00000140: 0000 0040 35be cf67 1b92 6cd7 d8c7 0952  [email protected]
00000150: 90e6 6c11 1100 5725 1e23 b98f 8d09 44c4  ..l...W%.#....D.
00000160: f65b e8f5 0e11 f8ef 5d4d 0095 b023 eab4  .[......]M...#..
00000170: 347b 852f 9f60 9a2d a373 3edd ab29 65e8  4{./.`.-.s>..)e.
00000180: 9f87 d619 0000 0000 0000 0000 0102 0304  ................
00000190: 0506 07

We only really need to extract the private key bits here (which also contain the public key), cross-referencing
the OpenSSH specification ¹² we can see that in this case it looks like it starts at offset 187:

$ grep -v SSH /tmp/key | base64 -d | xxd -s +187
000000bb: 0000 0022 736b 2d65 6364 7361 2d73 6861  ..."sk-ecdsa-sha
000000cb: 322d 6e69 7374 7032 3536 406f 7065 6e73  2-nistp256@opens
000000db: 7368 2e63 6f6d 0000 0008 6e69 7374 7032  sh.com....nistp2
000000eb: 3536 0000 0041 044d 45a3 c295 e3f8 ae1f  56...A.ME.......
000000fb: 3bf0 2bb4 c406 0250 b766 0137 a6d6 d5f4  ;.+....P.f.7....
0000010b: 6c17 e395 b073 5d73 7c20 650b 040d 6137  l....s]s| e...a7
0000011b: 6a83 3224 ae6d 2ff1 e301 808c d0c5 40ba  j.2$.m/.......@.
0000012b: 4cc0 0fc9 a321 9100 0000 0973 7368 3a2f  L....!.....ssh:/
0000013b: 2f66 6f6f 0100 0000 4035 becf 671b 926c  /[email protected]
0000014b: d7d8 c709 5290 e66c 1111 0057 251e 23b9  ....R..l...W%.#.
0000015b: 8f8d 0944 c4f6 5be8 f50e 11f8 ef5d 4d00  ...D..[......]M.
0000016b: 95b0 23ea b434 7b85 2f9f 609a 2da3 733e  ..#..4{./.`.-.s>
0000017b: ddab 2965 e89f 87d6 1900 0000 0000 0000  ..)e............
0000018b: 0001 0203 0405 0607                      ........

We can see that

1. The curve is P-256, the public key is 65 bytes long, and the public key octets start at offset 241. It's an uncompressed point and I'll reach for Python for the conversion (as ssh-keygen -e -m pem does not appear to work with *-sk keys):

$  grep -v SSH /tmp/key | base64 -d | xxd -s +241 -l 65 -p -c0 | python -c "
import sys
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from cryptography.hazmat.primitives.asymmetric import ec
pubkey = ec.EllipticCurvePublicKey.from_encoded_point(ec.SECP256R1(), bytes.fromhex(sys.stdin.read()))
print(pubkey.public_bytes(Encoding.PEM, PublicFormat.SubjectPublicKeyInfo).decode())
" | tee pubkey.pem
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETUWjwpXj+K4fO/ArtMQGAlC3ZgE3
ptbV9GwX45Wwc11zfCBlCwQNYTdqgzIkrm0v8eMBgIzQxUC6TMAPyaMhkQ==
-----END PUBLIC KEY-----

2. The "application" indeed changed to ssh://foo; and
3. The key handle (credential ID) is 64 bytes long starting at offset 324:

$ grep -v SSH /tmp/key | base64 -d | xxd -s +324 -l 64 -p -c0 | xxd -r -p | base64 -w0
Nb7PZxuSbNfYxwlSkOZsEREAVyUeI7mPjQlExPZb6PUOEfjvXU0AlbAj6rQ0e4Uvn2CaLaNzPt2rKWXon4fWGQ==

This can be used in conjunction with fido2-assert to get an assertion as well as verifying the resulting signature:

$ echo assertion challenge | openssl sha256 -binary | base64 > assert_param
$ echo "ssh://foo" >> assert_param
$ echo Nb7PZxuSbNfYxwlSkOZsEREAVyUeI7mPjQlExPZb6PUOEfjvXU0AlbAj6rQ0e4Uvn2CaLaNzPt2rKWXon4fWGQ== >> assert_param
$ fido2-token -L
/dev/hidraw10: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
$ fido2-assert -G -i assert_param /dev/hidraw10 | fido2-assert -V pubkey.pem es256
$ echo $?
0

This is certainly not very convenient, but it "works". 🙂

I'd highly recommend learning each of the protocols separately before attempting to combine them though... 😉

Footnotes

1. https://github.com/openssh/openssh-portable/blob/8460aaa4e1f8680f03cc5334556b9440b401f010/PROTOCOL.key#L8-L19 ↩

2. https://github.com/openssh/openssh-portable/blob/8460aaa4e1f8680f03cc5334556b9440b401f010/PROTOCOL.u2f#L71-L79 ↩

[JonasVautherin]

Thank you so much, that gives me a lot of pointers to move forward! I'll come back when I have news, but I believe this is enough to unblock me for a while!

I'd highly recommend learning each of the protocols separately before attempting to combine them though... 😉

I'm all for that, but to be honest I am finding it a bit hard, maybe because I don't know where to find the documentation I need. For libgit2, I end up reading the source code and trying a lot of things. But in this case, I get "some challenge bytes" and need to respond with "some signature", which depend on the protocol being used and that is not implemented in libgit2 (which means I can't find it in the sources).

Knowing that it is SSH, I read about the ssh1 authentication where the client "combines" the session id with the challenge, hashes that with MD5 and returns the result, but never found a definition of what "combines" means (I looked for RFCs and didn't find that information). It feels like I should read the source code of OpenSSH to learn how it's done, but that's steeper than reading RFCs 😅.

Of course, ssh1 authentication is older than ssh2, so I tried to find how ssh2 does it. I just can't seem to find where it is defined 🙈.

Finally, in my case I am interested in FIDO2. I find a lot of high-level documentation that to me sounds like "the REST API gives you an RP, you pass that to your Javascript library in the field called 'RP' and that's it". Except that for SSH, it's different: it feels like the RP is just useless because we get an SSH fingerprint of the server and can check that instead 🤔. And I don't have a high-level API that just gives me everything the way I need it, as proven e.g. by the need to manually convert keys. Some conversions seem relatively easy, but when I need something in X509 format, it gets overwhelming: should I learn X509 to write my own tool to convert stuff? That's a whole project in its own...

Even if the C code takes a "pubkeydata" parameter, the documentation usually doesn't say in which format. Unless someone like you kindly links to e.g. this and shows how it relates to the raw content with an example, I find it extremely difficult to learn.

All that to say, I feel like it's one of those examples where reading the specifications becomes a lot easier when you already know pretty well how it works and where to look 😇.

[LDVG]

Glad to hear it helped unblock you and happy to help with libfido2 specifics (for OpenSSH and libgit2, I think I'll have to refer you to their support channels). As a final note, I can add that libfido2 is more closely modeled after the CTAP2 specification rather than WebAuthn, so it may help to have a look at that as well. 🙂

[JonasVautherin]

I made it work with my Yubikey that has a resident key ( 🎉 ), but somehow it doesn't work for the other that doesn't have a resident key. Though I'm using both for SSH everyday, so it should work even if it doesn't have a resident key, right?

EDIT: ooooh, actually I think it doesn't work because my private key is encrypted with a passphrase on disk. I should decrypt it first!

[LDVG]

I made it work with my Yubikey that has a resident key ( 🎉 ), but somehow it doesn't work for the other that doesn't have a resident key. Though I'm using both for SSH everyday, so it should work even if it doesn't have a resident key, right?

The above example is using a non-resident key.

EDIT: ooooh, actually I think it doesn't work because my private key is encrypted with a passphrase on disk. I should decrypt it first!

That would make it easier. 🙂