u2f.Register error: x509: certificate signed by unknown authority #8

Closed
sunderipranata opened this issue Dec 5, 2016 · 3 comments
@sunderipranata

I'm a student researching the current new authentication technology FIDO, please help.

I tried to run the example; everything is fine until the authentication through the YubiKey, when the JavaScript sends the POST request to the server to sign the challenge.
But the server returns error 500 because of the `u2f.Register error: x509: certificate signed by unknown authority` error.

This is the log in the browser:
```
Object {registrationData: "BQTwrTCRkOgUqTX9biuxvzpcowTbLUoNrwhuy87skfQ5cUfUz7…Up5wIgOkV3RF_k3INbPfEsAa4ay-7k96FUFe5tZns3YTDbIsk", version: "U2F_V2", challenge: "mK7SSh-n9wicGkBM2hX5RlgD45p6tkZfZajeCSrl-2E", appId: "https://localhost:3483", clientData: "eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudC…vY2FsaG9zdDozNDgzIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9"}
jquery-1.11.2.min.js:4 POST https://localhost:3483/registerResponse 500 ()
```

This is the log in the server:
```
2016/12/05 17:40:02 registerRequest: &{Version:U2F_V2 Challenge:mK7SSh-n9wicGkBM2hX5RlgD45p6tkZfZajeCSrl-2E AppID:https://localhost:3483}
2016/12/05 17:40:15 u2f.Register error: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Yubico U2F Root CA Serial 457200631")
```

Thank you very much!! Any help is appreciated!

@tstranex
Owner

Hi @sunderipranata

Could you try setting SkipAttestationVerify=true in the Config parameter to Register? That will disable attestation certificate validation. If that works, it indicates that the attestation certification of your token is currently whitelisted. If it doesn't work, then it indicates a different problem. :)

@p-kraszewski

Same error, same CA key (device is YubiKey Neo)

```
2017/02/03 07:14:41 u2f.Register error: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Yubico U2F Root CA Serial 457200631")
```

The key mentioned is available at Yubico and is the same as the one in certs.go at yubicoRootCert. The cert is not expired (valid to 2050) and has no other symptoms of invalidity. The token is used daily, including with GitHub and Google.

u2fdemo works after suggested modification:

```go
...
cfg := &u2f.Config{
	SkipAttestationVerify: true,
}
reg, err := u2f.Register(regResp, *challenge, cfg)
...
```

@stephen-soltesz

stephen-soltesz commented Feb 20, 2018

After I confirmed that my yubikey is one with broken attestation certs, these references helped me figure out how to modify tstranex/u2f/register.go:

Between lines 126 to 127 of u2f/register.go (in c46b9c6):

```go
buf = buf[:len(buf)-len(sig)]
cert, err := x509.ParseCertificate(buf)
```

add:

```go
buf[len(buf)-257] = 0
```
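
The offset 257 in the comment above only lines up when the certificate ends in a 256-byte signature: in DER the signature is a trailing BIT STRING whose first content octet is the unused-bits count, so that octet sits 257 bytes from the end. As an added example (not code from this thread or from tstranex/u2f), the hypothetical helper `clearSigUnusedBits` locates that octet by walking the DER structure and rejects input that is not shaped like a certificate; it assumes the buffer holds exactly one certificate, and the sample bytes are constructed.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// clearSigUnusedBits zeroes, in place, the unused-bits octet of the
// certificate's signatureValue BIT STRING and returns its offset and old
// value. Hypothetical helper, not part of tstranex/u2f.
func clearSigUnusedBits(der []byte) (idx int, old byte, err error) {
	var cert, tbs, alg, sig asn1.RawValue
	rest, err := asn1.Unmarshal(der, &cert)
	if err != nil {
		return 0, 0, err
	}
	if len(rest) != 0 || cert.Class != asn1.ClassUniversal || cert.Tag != asn1.TagSequence {
		return 0, 0, errors.New("buffer is not exactly one DER SEQUENCE")
	}
	// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
	body := cert.Bytes
	for _, f := range []*asn1.RawValue{&tbs, &alg, &sig} {
		if body, err = asn1.Unmarshal(body, f); err != nil {
			return 0, 0, err
		}
	}
	if len(body) != 0 || sig.Class != asn1.ClassUniversal || sig.Tag != asn1.TagBitString || len(sig.Bytes) < 2 {
		return 0, 0, errors.New("signatureValue is not a trailing BIT STRING")
	}
	idx = len(der) - len(sig.Bytes) // signature is last, so its content ends the buffer
	old, der[idx] = der[idx], 0
	return idx, old, nil
}

// constructedDER builds a certificate-shaped blob (empty tbs and algorithm,
// 256-byte signature) with the given unused-bits octet. Constructed sample only.
func constructedDER(unused byte) []byte {
	der := []byte{0x30, 0x82, 0x01, 0x09, 0x30, 0x00, 0x30, 0x00, 0x03, 0x82, 0x01, 0x01, unused}
	return append(der, make([]byte, 256)...)
}

func main() {
	der := constructedDER(3)
	idx, old, err := clearSigUnusedBits(der)
	fmt.Println(idx == len(der)-257, old, der[idx], err) // true 3 0 <nil>
}
```

A caller would apply this only to attestation certificates already identified as carrying the encoding fault, then hand the buffer to `x509.ParseCertificate` as before, so attestation verification stays enabled for every other token.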
