Yubico Forum

PostPosted: Fri Dec 05, 2014 6:30 am 
The attestation certificate from a Yubikey U2F token (blue) includes a certificate extension (1.3.6.1.4.1.41482.1.1) with no content. This is not valid. While some (common) certificate parsers may ignore this error, it is still an error that other software does notice.

My guess is that this extension acts as a flag (defined by Yubico or FIDO?). Presumably the presence of this extension has a meaning, but there is no extra data to convey. However, every extension must consist of an id and a value. The value cannot be nothing. ASN.1 has a NULL value that is suitable when there is no other info to convey. The value is DER-encoded and embedded in an OCTET STRING. It is not valid to have an empty OCTET STRING with nothing embedded, which is what the attestation certificate does.

Invalid attestation certificate:

The invalid DER-encoded extension (in hex) is:
30 10
30 0E
06 0A 2B0601040182C40A0101
04 00

A valid version would be:
30 12
30 10
06 0A 2B0601040182C40A0101
04 02 05 00


PostPosted: Mon Dec 08, 2014 10:45 am 
Site Admin
Hi James,

Thanks for looking at this aspect, and thanks for your report. I believe you are right -- we'll look into changing the value part into a DER NULL.

The bigger question about the meaning of the extension is something we should document further. The idea is that the RP uses the extension to find out what kind of Yubico U2F device was used. We are working on getting a page up on https://developers.yubico.com/ describing this.

If you have any further comments, feedback or ideas on the attestation part, please let us know. This is an area of the U2F specs that is somewhat underspecified at the moment, and that we hope to improve.

/Simon

