U2F not working with krypt.co provider

[ellie-idb]

I'm using bitwarden_rs on docker, and whenever I try to register my U2F provider (Kryptonite), it errors, first, saying that "Error activating u2f", then, "Unable to recover challenge".
Looking in the logs, I see this:

POST /api/two-factor/get-u2f application/json; charset=utf-8:

    => Matched: POST /api/two-factor/get-u2f

    => Outcome: Success

    => Response succeeded.

GET /app-id.json:

    => Matched: GET /app-id.json

    => Outcome: Success

    => Response succeeded.

POST /api/two-factor/u2f application/json; charset=utf-8:

    => Matched: POST /api/two-factor/u2f

Error: BadCertificate

ERROR: Error activating u2f

    => Outcome: Success

    => Response succeeded.

I have enabled HTTPS on my server, and set the DOMAIN environment variable to the URL, including 'https'.

[dani-garcia]

I've tested this with the Krypt iOS app and I can reproduce it. The issue seems to originate in the webpki library (the exact error is BadDER, which seems to indicate problems parsing the DER certificate).

I'm not sure there is much I can do about it, as I'm not a cryptography expert by any means, but I'll look into it a bit more.

[mannp]

Is this U2F or Authenticator App, as I didn't think U2F was implemented in bitwarden_rs?

[beatgammit]

@mannp It looks like U2F is implemented: https://github.com/dani-garcia/bitwarden_rs#enabling-u2f-authentication

[mannp]

@beatgammit cool thanks, just that I thought that was TOTP Authentication with an Authenticator app, whereas U2F was using a Yubico key or similar.

My misunderstanding.

[mannp]

My error is different but the exact same setup on v1 works fine.

PUT /api/two-factor/authenticator application/json; charset=utf-8:
=> Error: No matching routes for PUT /api/two-factor/authenticator application/json; charset=utf-8.
=> Warning: Responding with 404 Not Found catcher.
=> Response succeeded.

[mprasil]

@mannp this sounds like different issue, I've created #124 to handle that.

[rezhajulio]

I just test U2F with SoloKeys and it works just fine.

[jkaberg]

@dani-garcia which lib is that? I'm asking because I haven't came across this issue with any other U2F compatible service out there (tested on atleast 20+ different ones), just bitwarden_rs

This is/was tested/used with Krypton. Perhaps @kcking is able to share some light on the issue?

[dani-garcia]

We are using the U2F-rs library, which uses Webpki for cert validation, which is where it fails.

I'm not sure what the cause of the error is to be honest, looking for BadDER in webpki's issue tracker lists a couple of issues, like not supporting V1 certificates, or requiring certificates to have the subjectAltName extension field, but not sure if those are related.

[kcking]

Thanks for digging into this a bit -- we don't set any SAN extension on the cert, so if webpki requires it that would be at least one issue. Is there a rationale for why they require one or is it considered a bug?

[dani-garcia]

Mostly that webpki is focused on certificates for TLS use, and every mayor browser requires those extensions. The u2f support is more of a happy coincidence, as it is.

briansmith/webpki#90 (comment)

[jkaberg]

@kcking Would it be feasible to do add SAN to the Kryptonite certificate?

[raf924]

Just doing a health-check on this issue as I just tried and failed to use Krypton as a u2f security key with Bitwarden. @kcking Is setting SAN out of the question then ?

[dani-garcia]

I've tested this again with the latest image, with the new version of the u2f crate, which now uses openssl instead of ring/webpki and the krypt app seems to work for me for a basic register/login test.

I'd appreciate if someone else could also test it too.

[raf924]

Just tested it, with bitwarden-rs v1.13.1-d212dfe7, Firefox v72.0.1 with the Krypton extension v1.0.16 on Windows and the Krypton Android App v2.5.5. Registered the app as a U2F key for Bitwarden and successfully logged in with it. Nice work!

[dani-garcia]

Great, I've got some other confirmations that this works now, so I'll close the issue. If any problems appear again, it can be reopened/a new one can be created.

[mustanggb]

Seems like this is broken again.

There was a problem reading the security key. Try again.

[BlackDex]

@mustanggb if you are referring to krypt.co, then I can confirm that it doesn't work.
But it also doesn't work on https://webauthn.io/ or https://www.token2.com/tools/fido2-test/

Since Kryptco hasn't been updated for a long time since it has been acquired by Akamai, i think there are many issues with it using modern browsers and maybe even Android/iOS devices.

This is not something we can fix on our side.

[mustanggb]

Yes, referring to krypt.co/krypton.

The same issue exists for Akamai by the way, I tried both.

Testing the two links you gave, https://webauthn.io/ registers, but at login gives the error:
The 'allowCredentials' attribute exceeds the maximum allowed size (64).

Whereas https://www.token2.com/tools/fido2-test/index.php actually works fine.

Both get "stuck" on the registering, as it appears to the user, but seemingly do actually perform the register behind the scenes (on both webauthn and token2), then the login works (on token2).

Whereas with vaultwarden it similarly appears to get "stuck" as the same point on registering, but doesn't save the information sent back.

So yes like you said it's not been updated in a while, and what it sends back might not be 100% "in spec", but it shouldn't be impossible to "fix on our side".

Perhaps you use a library for U2F support, so it's something that could be raised upstream?

[BlackDex]

Well, if you want to get it fixed in upstream, i would suggest to check the library for the details.
They do have some mentions about this.

The library: https://github.com/kanidm/webauthn-rs/
There test site: https://webauthn.firstyear.id.au/compat_test

Though, vaultwarden currently uses an older version of that library, i think there main site uses the latest version, and it doesn't work there either.