Can't create Google passkey in pico_fido_pico-5.12.uf2 & pico_fido_pico-6.0.uf2 #72
Does it work with webauthn.io? |
Yes, I did test it on 6.0, 5.12 & 5.8 with webauthn.io or https://www.token2.com/tools/fido2-demo and it always worked flawlessly. |
I've tried right now with Chrome in macOS and it worked. Perhaps it is the middle layer that Windows uses. Can you try with macOS or Linux? |
To be recognized by OpenSC, you must commission it with a known VID & PID. More info at https://www.picokeys.com/pico-commissioner/ Pico Fido has FIDO, Keyboard, CCID and WebCCID interfaces, so yes, it is normal. When I said "try with macOS or Linux" I was referring to creating a Google passkey using Chrome in macOS or Linux. |
Thanks for the explanation. So I tried to troubleshoot it with pamu2fcfg. |
OK, now also tested on Linux Mint with Chromium. Again tested with version 6.0 and 5.8. 6.0: 5.8: |
But do you press the BOOT button to confirm? Not the reset one. |
Are you using a Pico board? The same as the pic. |
Exactly, it is the same. |
Seems to be a timeout problem.
Can you confirm you press the BOOTSEL button twice in less than 10 seconds after clicking on Register/Authenticate and PIN input? |
But do you press the button twice? Once after clicking on "Register" and once after entering the PIN. |
After entering the PIN for the security key, the system will get stuck in |
I tested if I can log in to Google after creating the key on Windows 11. But if I try to create the key it fails. Also it (creating the key) doesn't work in Linux Mint with Firefox or Chromium. |
Update: I tested it today on a PICO 2 with the firmware 6.0. On Windows 10: Edit: Linux Mint: |
Hello, I also used Chrome to gather additional data. I hope these are useful. |
|
Anyway, even after flashing the file onto the Pico and afterwards using the commission tool to set the timeout to 0, in Linux it works with webauthn.io but Google still has the problem where it loads without any end in sight. In Windows 10 it sometimes works on webauthn.io? But only once, then I could not replicate it. I added here the Chrome logs from Windows 10 Chrome.
Also checked whether the Pico might be damaged, but with the 5.8 version it's working just fine. Tested on two Windows 10 PCs. PS: |
What happens if you run the tests?
|
Done. Environment is Windows and scripts are run with admin privs. |
Try using the nightly build and disable the Power cycle after reboot option in the Commissioner. |
Hi. Here are the logs, and I wasn't sure which nightly so I did both: Thanks |
Hey, I am facing the same problem. When using it on Discord or webauth.io it works, but when trying to use it on Binance or Google it gets stuck in "getting things ready phase" |
There seems to be a problem with the handling of the excludelist in the cbor_make_credential function. webauthn.io does not allow multiple keys to be registered. As a result, it works because excludelist is never used. For a quick check, I was able to register a key by deleting the range shown below. pico-fido/src/fido/cbor_make_credential.c Lines 282 to 298 in 7a59b51
https://w3c.github.io/webauthn/#dom-scopedcredentialoptions-excludelist |
But this is the expected behavior. If a credential is already created and relayed by the RP, then it fails creating a new one (because it has been already created). It is described here: I already created passkeys in google without problems. |
Sorry for the poor explanation. pico-fido/src/fido/credential.c Lines 146 to 160 in 7a59b51
/src/fido/cbor_make_credential.c
```c
Credential ecred = {0}; // Add initialization
if (credential_load(excludeList[e].id.data, excludeList[e].id.len, rp_id_hash,
                    &ecred) == 0 &&
    (ecred.extensions.credProtect != CRED_PROT_UV_REQUIRED ||
     (flags & FIDO2_AUT_FLAG_UV))) {
    credential_free(&ecred);
    CBOR_ERROR(CTAP2_ERR_CREDENTIAL_EXCLUDED);
}
credential_free(&ecred);
```
|
You're right, @jcodeth. If it is not properly initialized, it might crash on credential_free() afterwards. I'll push a fix. |
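The initialization issue discussed in the two comments above, as an added example that is not part of the thread and not pico-fido's code: an excludeList check in which a failed load leaves the struct untouched, so only zero-initialization makes the unconditional free safe. `DemoCredential`, `DemoCredId`, `demo_credential_load`, `demo_credential_free`, `check_exclude_list` and the toy credential ID layout are hypothetical stand-ins; the numeric constants are the CTAP2 values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CTAP2_OK                      0x00
#define CTAP2_ERR_CREDENTIAL_EXCLUDED 0x19
#define CRED_PROT_UV_REQUIRED         0x03
#define FIDO2_AUT_FLAG_UV             0x04

/* Hypothetical stand-ins for the project's Credential type and helpers. */
typedef struct { uint8_t *rp_id; size_t rp_id_len; uint8_t cred_protect; } DemoCredential;
typedef struct { const uint8_t *id; size_t len; } DemoCredId;

/* Toy ID layout: [credProtect][rp id ...]. Returns early, without touching
 * *c, when the ID is not one of ours (here: too short). */
static int demo_credential_load(const uint8_t *id, size_t len, DemoCredential *c) {
    if (len < 2) return -1;
    c->rp_id = malloc(len - 1);
    if (c->rp_id == NULL) return -1;
    memcpy(c->rp_id, id + 1, len - 1);
    c->rp_id_len = len - 1;
    c->cred_protect = id[0];
    return 0;
}

static void demo_credential_free(DemoCredential *c) {
    free(c->rp_id);          /* safe on NULL, undefined on stack garbage */
    memset(c, 0, sizeof(*c));
}

uint8_t check_exclude_list(const DemoCredId *list, size_t n, uint8_t flags) {
    for (size_t e = 0; e < n; e++) {
        DemoCredential ecred = {0};   /* the fix: failed loads leave NULLs */
        int ours = demo_credential_load(list[e].id, list[e].len, &ecred) == 0;
        int visible = ecred.cred_protect != CRED_PROT_UV_REQUIRED ||
                      (flags & FIDO2_AUT_FLAG_UV);
        demo_credential_free(&ecred); /* runs on every path, hit or miss */
        if (ours && visible) return CTAP2_ERR_CREDENTIAL_EXCLUDED;
    }
    return CTAP2_OK;
}

int main(void) {
    const uint8_t foreign[] = {0x01};           /* constructed: fails to load */
    const uint8_t mine[] = {0x01, 'r', 'p'};    /* constructed: loads */
    DemoCredId list[] = {{foreign, sizeof foreign}, {mine, sizeof mine}};
    printf("status = 0x%02x\n", check_exclude_list(list, 2, 0));
    return 0;
}
```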
…ent sends commands to know the status. Fixes #72. Signed-off-by: Pol Henarejos <[email protected]>
I found the bug and it is related to the timeout/keepalive procedure. As specified in the FIDO documents, the authenticator must send keepalive commands regularly to inform the client that the command is still being processed. But in the old U2F specifications, no keepalive was specified. So the procedure to check the timeout is on the client side. Depending on the platform, Google may decide to use the CTAP2 (FIDO) protocol or CTAP1 (U2F). If it chooses CTAP2 (my above examples), it works normally. But if it chooses CTAP1, then it does not expect any keepalive command, regardless of the specification. Once the keepalive is sent, it throws an error about "unknown command" and closes the connection. I put in a fix which mainly sends a keepalive command only if we are in the middle of a CTAP2 transaction. Hopefully it will fix all these errors you have. I pushed the fix to |
Oh, thanks for the update. This issue I was facing with |
@samsell how can I update my Pico? Where can I get the new file? |
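The gating described in the comment above, as an added example that is not part of the thread and not the project's actual fix: a keepalive packet is built only while a CTAPHID_CBOR (CTAP2) request is pending, and nothing is emitted for CTAPHID_MSG (CTAP1/U2F) or when idle. `hid_txn_t` and `build_keepalive` are hypothetical names; the command and status codes are those of the CTAP HID transport.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Command and status codes from the CTAP HID transport specification. */
#define CTAPHID_MSG        0x03   /* CTAP1/U2F request */
#define CTAPHID_CBOR       0x10   /* CTAP2 request */
#define CTAPHID_KEEPALIVE  0x3B
#define KEEPALIVE_UPNEEDED 0x02   /* waiting for user presence */
#define HID_REPORT_SIZE    64

/* Hypothetical transaction state, not pico-fido's own structure. */
typedef struct {
    uint8_t cid[4];   /* channel ID of the request in progress */
    uint8_t cmd;      /* its command code, 0 when idle */
} hid_txn_t;

/* Fills out[] with a keepalive init packet only while a CTAP2 request is
 * pending. Returns the bytes to send, or 0 if nothing may go on the wire. */
size_t build_keepalive(const hid_txn_t *txn, uint8_t status,
                       uint8_t out[HID_REPORT_SIZE]) {
    if (txn == NULL || txn->cmd != CTAPHID_CBOR)
        return 0;     /* idle or CTAP1: the client runs its own timeout */
    memset(out, 0, HID_REPORT_SIZE);
    memcpy(out, txn->cid, 4);
    out[4] = 0x80 | CTAPHID_KEEPALIVE;   /* bit 7 marks an init packet */
    out[5] = 0x00;                       /* payload length, high byte */
    out[6] = 0x01;                       /* payload length, low byte */
    out[7] = status;
    return HID_REPORT_SIZE;
}

int main(void) {
    uint8_t pkt[HID_REPORT_SIZE] = {0};
    hid_txn_t u2f   = {{0xCA, 0xFE, 0x00, 0x01}, CTAPHID_MSG};  /* constructed */
    hid_txn_t ctap2 = {{0xCA, 0xFE, 0x00, 0x01}, CTAPHID_CBOR}; /* constructed */
    size_t n1 = build_keepalive(&u2f, KEEPALIVE_UPNEEDED, pkt);
    size_t n2 = build_keepalive(&ctap2, KEEPALIVE_UPNEEDED, pkt);
    printf("CTAP1 pending: %zu bytes\n", n1);
    printf("CTAP2 pending: %zu bytes, cmd byte 0x%02X\n", n2, pkt[4]);
    return 0;
}
```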
@79812b it's in the releases section, click the nightly development build and look for the pico-fido .uf2 file. Or the link is here if you have the standard pico: https://github.com/polhenarejos/pico-fido/releases/download/nightly-development/pico_fido_pico-6.0.uf2 |
Hello, I was trying this project out on my Pico on Firefox and Chromium on Linux and was having this exact issue, so I started to go through this thread and found this message, tried it out and now it works. I'm now able to use my Pico to authenticate for me. I was only able to register the device on Chromium though, but that's already been mentioned elsewhere if I'm not mistaken. Thanks a lot! |
Hello,
And first I would like to thank you for this awesome project.
I noticed an error/bug (or my fault?) which doesn't allow me to create a Google passkey in version 5.12 and 6.0 (not nightly), but in 5.8 it is working.
I tested it on Waterfox and Chrome on my Windows 10 PC.
OS Name: Microsoft Windows 10 Home
OS Version: 10.0.19045 N/A Build 19045
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
After clicking "create passkey" and entering my security PIN,
I was stuck for some minutes at this step
before I finally got the message "Couldn't complete signup" or something similar.
(I couldn't catch a screenshot because it's gone so fast.)
I hope this information is in some way helpful and wish you a nice evening/morning/day (wherever you are).
(This is my first time writing an issue, so I hope it's at least somewhat usable.)