Token2 PIN+: bio-enrollment, on-device OTP, FIDO MDS, friendlier CTAP…#30
Closed
token2 wants to merge 1 commit into
Conversation
framefilter added a commit that referenced this pull request, Jun 18, 2026:
Token2's PR #30 was CI-red on clippy::needless_return (token2otp.rs detect_debug) and rustfmt (otp_pane.rs and friends). Fix both so the integrated branch is green; the feature commit keeps Token2's authorship.
Owner
Folded into the v0.6.0 release — your work is in as commit 7c76a6b with your authorship preserved, and it ships in v0.6.0 (fingerprint enroll → fido fingerprint-*, FIDO MDS in the GUI, on-device OTP, friendlier CTAP errors). During integration I re-nested the CLI under the new fido … groups and adapted it to the shared device model. Closing since the commits are already on main — thank you @token2, this was a substantial contribution. The CTAP 2.1 authenticatorConfig follow-up is tracked in #33.
Token2 PIN+: fingerprint management, on-device OTP, FIDO MDS, friendlier errors, and docs
Closes #29.
This delivers the two features announced in #29 — fingerprint enrolling/management on bio keys and MDS data on the Overview tab — and rounds out Token2 PIN+ support with on-device OTP (TOTP + HID-HOTP) management, a protocol-level fix to device-config reads, clearer CTAP2 error messages, and HTML docs for the new features.
Each commit is self-contained; the series applies in order on current main. Validated on a Token2 PIN+ FIDO2 key (AAGUID eabb46cc-…, PIN+) on Windows and Linux.
What's included
1. Fingerprint management (bio keys) — addresses #29
Enroll, rename, and delete fingerprints over CTAP2 authenticatorBioEnrollment, so a bio key can satisfy user verification by touch instead of the PIN. `fido-fingerprint-list`, `-enroll`, `-rename`, `-delete`.
2. Device metadata (FIDO MDS) on the Overview tab — addresses #29
A compact card that looks up the key's AAGUID and shows the vendor name + icon, certification level (e.g. FIDO Certified L2) and date, protocol family, and supported versions.
`.exe`/`.dmg`) can be refreshed without rebuilding. Lookup order: `$KEYROOST_MDS_FILE` -> platform config dir (`~/.config/keyroost/`, `~/Library/Application Support/keyroost/`, `%APPDATA%\keyroost\`) -> next to the executable -> embedded. `tools/gen_mds_data.py` regenerates the dataset from the live BLOB (or a local `--blob file.jwt` for offline use); hardened against the MDS endpoint's rate-limiting with a browser User-Agent and retry/backoff.
3. On-device OTP (TOTP + HID-HOTP) management
4. Protocol fix: `READ_CONFIG`/`GET_ECDH_PUBKEY` were missing their `Le` byte
This is the substantive protocol contribution and it underpins #2/#3 working over PC/SC.
`READ_CONFIG` (80 C5 02 00) and `GET_ECDH_PUBKEY` (80 C5 01 00) were built without a trailing `Le` byte. Over PC/SC the device then answered `READ_CONFIG` with a 1-byte stub (61 01), so every config flag decoded as `false` — e.g. a provisioned HID-HOTP seed showed as "empty", and the pubkey read (the first step of any seed write, and the HID probe) returned a stub that forced a CCID fallback.
Building them as the spec's short case-2 form — `80 C5 02 00 <Le>` and `80 C5 01 00 00`, matching Token2's OTP-on-FIDO command manual — makes the device return the full 10-byte device-info block over CCID.
Hardware-confirmed: `READ_CONFIG` now returns 64 bytes and the HID-HOTP slot status reads correctly over CCID/NFC, with no USB-HID access or elevation required. A unit test locks both APDU forms. (Note: this change also sits on the seed-write path via the pubkey read — seed writes were re-verified and still succeed.)
A defensive `has_config_byte()` guard treats any short read as "status unknown" rather than reporting a misleading "empty".
5. Friendlier CTAP2 error messages
Opaque status codes now lead with a plain-English explanation, keeping the spec name + hex for reference. For example, a failed PIN change on a PIN+ key now reads:
Hints are added for the PIN-domain codes users most commonly hit (0x31/0x32/0x33/0x34/0x35/0x36/0x3B/0x3C/0x2F). Touches only `keyroost-ctap`.
6. Linux OTP "stuck on Reading" fix
On Linux, when the keyboard-HID interface is enabled, the hidraw `read()` could block forever instead of falling back to CCID. The HID probe is now time-bounded so detection fails over cleanly.
7. Documentation
Native-template `docs/fingerprint.html`, `docs/otp.html` (with a `#hid-hotp` section), and `docs/mds.html`, wired into the site nav on every page. The in-app "?" help dots already point at these slugs.
Commit list
Le fix
Testing
`cargo fmt --all`, `cargo clippy --all-targets -- -D warnings`, `cargo test --workspace` — clean. `READ_CONFIG` fix (raw `keyroostctl --debug otp config` shows the full 64-byte block and `HOTP-on-touch slot: configured`); seed write re-verified after the pubkey APDU change.
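The `Le` fix in item 4 and the `has_config_byte()` guard are easier to reason about with the bytes in front of you. The following is an added example, not keyroost's or Token2's code: it builds the two OTP-on-FIDO APDUs in the ISO 7816 case-2 short form the PR describes, keeps the pre-fix case-1 form only for comparison, and refuses to decode a config flag from a short response such as the `61 01` stub. Only the header bytes (`80 C5 02 00`, `80 C5 01 00`) and the stub come from the PR; the function names, the `SlotStatus` enum and the flag-byte position used in the demo are assumptions.

```rust
// Added example, not keyroost's code. Header bytes and the 61 01 stub are
// quoted from the PR; names and the flag layout below are assumptions.

/// Status word that terminates a complete response.
const SW_OK: [u8; 2] = [0x90, 0x00];

/// Header bytes quoted in the PR: 80 C5 02 00 and 80 C5 01 00.
const CLA: u8 = 0x80;
const INS_OTP: u8 = 0xC5;
const P1_GET_ECDH_PUBKEY: u8 = 0x01;
const P1_READ_CONFIG: u8 = 0x02;

/// Case-2 short APDU: CLA INS P1 P2 Le, with no Lc and no data field.
/// Le = 0x00 asks for up to 256 response bytes.
fn case2(cla: u8, ins: u8, p1: u8, p2: u8, le: u8) -> Vec<u8> {
    vec![cla, ins, p1, p2, le]
}

/// READ_CONFIG as `80 C5 02 00 <Le>`.
pub fn read_config_apdu(le: u8) -> Vec<u8> {
    case2(CLA, INS_OTP, P1_READ_CONFIG, 0x00, le)
}

/// GET_ECDH_PUBKEY as `80 C5 01 00 00`.
pub fn get_ecdh_pubkey_apdu() -> Vec<u8> {
    case2(CLA, INS_OTP, P1_GET_ECDH_PUBKEY, 0x00, 0x00)
}

/// The pre-fix case-1 form (header only), kept so a test can show the
/// difference. Over PC/SC this is the form that was answered with a stub.
pub fn read_config_apdu_without_le() -> Vec<u8> {
    vec![CLA, INS_OTP, P1_READ_CONFIG, 0x00]
}

/// What a config-flag read can report. `Unknown` is deliberately distinct
/// from `Empty`: a short read must never look like an unprovisioned slot.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SlotStatus {
    Unknown,
    Configured,
    Empty,
}

/// True only when `resp` is `data || 90 00` with at least `min_data` data
/// bytes. A `61 xx` status (bytes still waiting for GET RESPONSE) or any
/// truncated answer fails the check.
pub fn has_config_byte(resp: &[u8], min_data: usize) -> bool {
    if resp.len() < min_data + SW_OK.len() {
        return false;
    }
    resp[resp.len() - SW_OK.len()..] == SW_OK
}

/// Decode one flag bit from the config block, or report `Unknown` when the
/// response is too short to contain it. `flag_index` and `bit` are assumed
/// positions for the demo, not Token2's documented layout.
pub fn slot_status(resp: &[u8], flag_index: usize, bit: u8) -> SlotStatus {
    debug_assert!(bit < 8, "bit index within one byte");
    if !has_config_byte(resp, flag_index + 1) {
        return SlotStatus::Unknown;
    }
    if resp[flag_index] & (1u8 << bit) != 0 {
        SlotStatus::Configured
    } else {
        SlotStatus::Empty
    }
}

fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{b:02X}")).collect::<Vec<_>>().join(" ")
}

fn main() {
    println!("READ_CONFIG (case 2)    : {}", hex(&read_config_apdu(0x00)));
    println!("READ_CONFIG (old case 1): {}", hex(&read_config_apdu_without_le()));
    println!("GET_ECDH_PUBKEY         : {}", hex(&get_ecdh_pubkey_apdu()));

    // Constructed responses: the 1-byte stub from the PR, and a full 64-byte
    // block with one flag bit set, terminated by 90 00.
    let stub = [0x61u8, 0x01];
    let mut full = vec![0u8; 64];
    full[3] = 0b0000_0100;
    full.extend_from_slice(&SW_OK);
    println!("stub response -> {:?}", slot_status(&stub, 3, 2));
    println!("full response -> {:?}", slot_status(&full, 3, 2));
}
```

The point of `SlotStatus::Unknown` is the one the PR makes: a transport-level short read is a different condition from a slot that is genuinely empty, and collapsing the two is what produced the misleading "empty" report. Any caller that turns `Unknown` into a user-facing "not configured" reintroduces the bug.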
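Item 6 (the hidraw `read()` that could block forever) is a failure mode worth seeing in code. This is an added example, not keyroost's own implementation: the blocking probe runs on its own thread, the caller waits on a channel with a deadline, and a probe that does not answer in time makes detection fall back to CCID instead of hanging. `probe_with_timeout`, `ProbeOutcome`, `Transport`, `HID_PROBE_TIMEOUT` and the sleeping stand-in for the hidraw read are all assumptions made for the example.

```rust
// Added example, not keyroost's code. A blocking probe is run on a helper
// thread and the caller gives up after a deadline; the sleep below stands in
// for a hidraw read() that may never return.
use std::sync::mpsc;
use std::thread;
use std::time::Duration;

/// Deadline for the HID probe before detection falls back to CCID (assumed value).
pub const HID_PROBE_TIMEOUT: Duration = Duration::from_millis(500);

#[derive(Debug, PartialEq, Eq)]
pub enum ProbeOutcome<T> {
    /// The probe answered within the deadline.
    Answered(T),
    /// No answer in time: treat the interface as unusable and fail over.
    TimedOut,
    /// The probe thread ended (panicked) without sending a result.
    Failed,
}

/// Run `probe` on its own thread and wait at most `timeout` for its result.
/// A probe that never returns keeps its thread alive, but the caller does not
/// wait for it: the receiver is dropped and a late send is simply discarded.
pub fn probe_with_timeout<T, F>(probe: F, timeout: Duration) -> ProbeOutcome<T>
where
    T: Send + 'static,
    F: FnOnce() -> T + Send + 'static,
{
    let (tx, rx) = mpsc::channel();
    thread::spawn(move || {
        // send() only fails if the caller already gave up; that is fine.
        let _ = tx.send(probe());
    });
    match rx.recv_timeout(timeout) {
        Ok(value) => ProbeOutcome::Answered(value),
        Err(mpsc::RecvTimeoutError::Timeout) => ProbeOutcome::TimedOut,
        Err(mpsc::RecvTimeoutError::Disconnected) => ProbeOutcome::Failed,
    }
}

/// Which transport detection settled on.
#[derive(Debug, PartialEq, Eq)]
pub enum Transport {
    Hid,
    Ccid,
}

/// Stand-in for the real HID probe: `block_for` is how long the simulated
/// hidraw read() hangs before answering with constructed device-info bytes.
pub fn detect_transport(block_for: Duration) -> Transport {
    let outcome = probe_with_timeout(
        move || {
            thread::sleep(block_for);
            vec![0x00u8, 0x01] // constructed probe answer, not real device data
        },
        HID_PROBE_TIMEOUT,
    );
    match outcome {
        ProbeOutcome::Answered(_) => Transport::Hid,
        ProbeOutcome::TimedOut | ProbeOutcome::Failed => Transport::Ccid,
    }
}

fn main() {
    println!("fast HID answer -> {:?}", detect_transport(Duration::from_millis(10)));
    println!("hung HID read   -> {:?}", detect_transport(Duration::from_secs(3)));
}
```

One caveat a real implementation has to own: a thread stuck in a blocking `read()` is not killed by the timeout, it is only abandoned. That is acceptable for a one-shot probe at detection time, but a probe that is retried in a loop should either open the device with a non-blocking or timed read, or reuse a single probe thread, so that hung threads do not accumulate.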