Testing FIDO2 with libfido2

libfido2-test.md

Install libfido2 package from copr

$ sudo dnf copr enable gtb/libfido2

Create a credential (a keypair on the token)

Create a parameters file

$ echo credential challenge | openssl sha256 -binary | base64 > cred_param
$ echo relying party >> cred_param
$ echo user name >> cred_param
$ dd if=/dev/urandom bs=1 count=32 | base64 >> cred_param
$ cat cred_param
YS7vEspph7MWwGGLOiQhpDx+WYyKmS86ROGFPD99AnE=
relying party
user name
HcPOB7Mm+8iQcT3NgD5rBEDctb5aZ51VQsu3XKeUXbE=

Create a credential

$ fido2-cred -M -i cred_param /dev/hidraw5 > cred # tap the token
$ cat cred
YS7vEspph7MWwGGLOiQhpDx+WYyKmS86ROGFPD99AnE=
relying party
packed
...
$ fido2-cred -V -i cred -o cred.pem
$ cat cred.pem
B2/TPJ2ETj+GD7btHTksveJlxAmwWo9If5/8hx50Uym4yCrsQm4q8nqW00VJ2yO1zb7npELTZTPLXf+KDqgaxw==
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQAgq3+cLOXClo58AtZhSotSpv8Xu
C7mAjHJEvXlSHrVzjHT6+iU0XkVZ7Vbc2JpaukkfRnJDwuwzOsA1A1/SHA==
-----END PUBLIC KEY-----

Sign and verify a challenge

Create a parameters file

$ echo assertion challenge | openssl sha256 -binary | base64 > assert_param
$ echo relying party >> assert_param
$ head -1 cred.pem >> assert_param
$ cat assert_param
mZmBWUaJGwEjSNQvkFaicpCzDKhap2pQlfi8FXsv68k=
relying party
B2/TPJ2ETj+GD7btHTksveJlxAmwWo9If5/8hx50Uym4yCrsQm4q8nqW00VJ2yO1zb7npELTZTPLXf+KDqgaxw==

Sign a challenge

$ fido2-assert -G -i assert_param /dev/hidraw5 > assert # tap the token
$ cat assert
mZmBWUaJGwEjSNQvkFaicpCzDKhap2pQlfi8FXsv68k=
relying party
WCWusDiEl8jD03XBV+5yBpiseHi+hwrY8aqZNy+sXbRbVAEAAABa
MEQCIDoHgDORYWqeGOjSCxdNwYFSxfSaQcqi6q/Uzv2gPRpLAiB8VB/U1z70NlzOSs8te4D/0t8M3uvZGYtYAgsc6Bp7Ew==

Verify the signature with OpenSSL

$ sed -n 3p assert | base64 -d | tail -c +3 > challenge
$ sed -n 1p assert | base64 -d >> challenge
$ sed -n 4p assert | base64 -d > signature
$ openssl dgst -sha256 -verify cred.pem -signature signature challenge
Verified OK