-
-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
systemd-cryptenroll not requesting a PIN when enrolling a token using fido2-with-client-pin #31443
Comments
Relevant sections from https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-hmac-secret-extension :
and from the
In other words, if a The authenticator has two keys per credential, key A and key B. Using the client PIN or a built-in UV method (EITHER!) gets key A. Using neither gets key B. |
Note: you can work around this issue and make the unlock succeed by enabling the |
One more comment: I'd recommend sending the credProtect extension with the value |
When enrolling a new FIDO2 token with a client PIN, this tells the authenticator to require the PIN on all uses. It also collects a PIN before attempting to create a credential. Works around #31443 in most (not all) scenarios.
systemd version the issue has been seen with
255.3-1-arch
Used distribution
Arch
Linux kernel version used
6.6.17-1-lts
CPU architectures issue was seen on
x86_64
Component
systemd-cryptsetup
Expected behaviour you didn't see
When enrolling a token with the --fido2-with-client-pin=yes option, systemd-cryptenroll must ask for the token PIN, but it does not.
The reason it needs to ask for the token PIN is because the way the CTAP2.1 hmac-secret extension is defined, the key used inside the authenticator is different depending on whether user verification was performed (such as by a client PIN). So if the device is to be unlocked with a client PIN, it also needs to be locked with a client PIN.
Unexpected behaviour you saw
Because of the above, unlocking the volume fails - and tries twice, prompting for the PIN each time!
Debug output:
The keyslot is actually locked using the authenticator's no-client-PIN key, despite what was requested.
Steps to reproduce the problem
Additional program output to the terminal or log subsystem illustrating the issue
No response
The text was updated successfully, but these errors were encountered: