Yubico Forum ...visit our web-store at 2014-12-08T10:45:12+01:00 https://forum.yubico.com/feed.php?f=33&t=1650 2014-12-08T10:45:12+01:00 2014-12-08T10:45:12+01:00 https://forum.yubico.com/viewtopic.php?t=1650&p=6473#p6473 <![CDATA[Re: [BUG] Attestation certificate is incorrectly encoded]]>
Thanks for looking at this aspect, and thanks for your report. I believe you are right -- we'll look into changing the value part into a DER NULL.

The bigger question about the meaning of the extension is something we should document further. The idea is that the RP use the extension to find out what kind of Yubico U2F device was used. We are working on getting a page up on https://developers.yubico.com/ describing this.

If you have any further comments, feedback or ideas on the attestation part, please let us know. This is an area of the U2F specs that are somewhat underspecified at the moment, and that we hope to improve.

/Simon

Statistics: Posted by Simon — Mon Dec 08, 2014 10:45 am

]]> 2014-12-05T06:30:41+01:00 2014-12-05T06:30:41+01:00 https://forum.yubico.com/viewtopic.php?t=1650&p=6459#p6459 <![CDATA[[BUG] Attestation certificate is incorrectly encoded]]>
My guess is that this extension acts as a flag (defined by Yubico or FIDO?). Presumably the presence of this extension has a meaning, but there is no extra data to convey. However, every extension must consist of an id and a value. The value cannot be nothing. ASN.1 has a NULL value that is suitable when there is no other info to convey. The value is DER-encoded and embedded in an OCTET STRING. It is not valid to have an empty OCTET STRING with nothing embedded, which is what the attestation certificate does.

Invalid attestation certificate:
-----BEGIN CERTIFICATE-----
MIICHDCCAQagAwIBAgIEJNurQDALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXVi
aWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAw
WhgPMjA1MDA5MDQwMDAwMDBaMCsxKTAnBgNVBAMMIFl1YmljbyBVMkYgRUUgU2Vy
aWFsIDEzNTAzMjc3ODg4MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEArCUvjR9
R3lBxHeOvsXKTe0qR5+qHm/sOa/r3gwgcMtb1L1pyWp447+HUf61eRuN+srClAF1
HLFXuXwJ5DkaNqMSMBAwDgYKKwYBBAGCxAoBAQQAMAsGCSqGSIb3DQEBCwOCAQEA
o2OuDpg68wu68SyLLfNaWb8cu0obD8toxIRVhJD2hzRYZbjbAmnDRuVTiEwsVgev
DqJ7kKyM8e9DH3KsGJ2yHIJJFL8XiKVRGjPQe0yONGR86fYeFRapqbNukApAIGH2
mqRuEsUyuZP5Qj76qkz5o7ZUtN3e8pJKVI/VmZVRDdT39Nmk1SGThzxxybh+hoU+
ni2nXo8MbSgwU3TU791eFJb4wzkGEHvWi9Y1DarSw3gR7KPKQ7yTC3NAl972nWiN
lFUMTPsYqeJLhqLl2I9JmJmgm85bgQxTbK85Dci93pYN8zDKyrwFIaGDI5V//ryl
nKkLILENCbUjHFjCfrpngw==
-----END CERTIFICATE-----

The invalid DER-encoded extension (in hex) is:
30 10
30 0E
06 0A 2B0601040182C40A0101
04 00
A valid version would be:
30 12
30 10
06 0A 2B0601040182C40A0101
04 02 05 00

Statistics: Posted by jamesmanger — Fri Dec 05, 2014 6:30 am

]]>