Yubico Forum https://forum.yubico.com/
[BUG] Attestation certificate is incorrectly encoded https://forum.yubico.com/viewtopic.php?f=33&t=1650
Author: jamesmanger [ Fri Dec 05, 2014 6:30 am ]
Post subject: [BUG] Attestation certificate is incorrectly encoded

The attestation certificate from a Yubikey U2F token (blue) includes a certificate extension (1.3.6.1.4.1.41482.1.1) with no content. This is not valid. While some (common) certificate parsers may ignore this error, it is still an error that other software does notice.

My guess is that this extension acts as a flag (defined by Yubico or FIDO?). Presumably the presence of this extension has a meaning, but there is no extra data to convey. However, every extension must consist of an id and a value. The value cannot be nothing. ASN.1 has a NULL value that is suitable when there is no other info to convey. The value is DER-encoded and embedded in an OCTET STRING. It is not valid to have an empty OCTET STRING with nothing embedded, which is what the attestation certificate does.

Invalid attestation certificate:

The invalid DER-encoded extension (in hex) is:

30 10 30 0E 06 0A 2B0601040182C40A0101 04 00

A valid version would be:

30 12 30 10 06 0A 2B0601040182C40A0101 04 02 05 00
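As an added example (not code from the post, from Yubico or from any library), the following minimal DER walker parses an X.509 Extensions SEQUENCE and reports any extension whose extnValue OCTET STRING is empty; it assumes nothing beyond the two hex strings quoted in the report, flags the first and accepts the second, whose embedded value is the DER NULL 05 00.

```python
from typing import List, Tuple

INVALID_HEX = "3010300E060A2B0601040182C40A01010400"      # constructed from the report
VALID_HEX = "30123010060A2B0601040182C40A010104020500"    # constructed from the report

def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER element at pos; return (tag, content bytes, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw: bytes) -> str:
    """Decode OID content octets to dotted form, e.g. 2B06... -> 1.3.6..."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in raw[1:]:                      # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def check_extensions(der: bytes) -> List[Tuple[str, str]]:
    """Return an (extnID, verdict) pair for every Extension in an Extensions SEQUENCE."""
    tag, exts, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    results, pos = [], 0
    while pos < len(exts):
        _, ext, pos = read_tlv(exts, pos)              # one Extension ::= SEQUENCE
        _, oid_raw, p = read_tlv(ext)                  # extnID OBJECT IDENTIFIER
        t, body, p = read_tlv(ext, p)                  # critical BOOLEAN or extnValue
        if t == 0x01:                                  # optional critical flag present
            t, body, p = read_tlv(ext, p)
        oid = decode_oid(oid_raw)
        if t != 0x04:
            results.append((oid, "extnValue is not an OCTET STRING"))
        elif not body:                                 # the bug: 04 00, nothing embedded
            results.append((oid, "empty extnValue: no DER value embedded"))
        else:                                          # must wrap exactly one DER value
            inner_tag, _, end = read_tlv(body)
            verdict = f"ok (inner tag 0x{inner_tag:02X})" if end == len(body) else "trailing bytes"
            results.append((oid, verdict))
    return results
```

To check a real certificate you would first extract the Extensions SEQUENCE from the TBSCertificate; this block deliberately stops at the extension list.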
Author: Simon [ Mon Dec 08, 2014 10:45 am ]
Post subject: Re: [BUG] Attestation certificate is incorrectly encoded

Hi James,

Thanks for looking at this aspect, and thanks for your report. I believe you are right -- we'll look into changing the value part into a DER NULL.

The bigger question about the meaning of the extension is something we should document further. The idea is that the RP uses the extension to find out what kind of Yubico U2F device was used. We are working on getting a page up on https://developers.yubico.com/ describing this.

If you have any further comments, feedback or ideas on the attestation part, please let us know. This is an area of the U2F specs that is somewhat underspecified at the moment, and that we hope to improve.

/Simon