Thanks for the demo program, that helps.
Turns out the OpenSSL version I was using was too old, and when upgrading
to 1.0.1j, your suggestion (and demo program) work fine.
I’ve attached a patch to fix my code.
On Mon, Dec 15, 2014 at 2:23 PM, Klaus Keppler <kk@xxxxxxxxxxxxx> wrote:
>
> If I do that, EVP_VerifyFinal() will result in EVP_R_WRONG_PUBLIC_KEY_TYPE.
>>
>
> This is strange... I don't get any error here, though I use the (same?)
> ECDSA public key from the attestation certificate (using OpenSSL 1.0.1i,
> but that shouldn't matter).
>
> Looking at the OpenSSL source, I can see that in crypto/evp/m_sha1.c, the
>> sha* digests are defined with EVP_PKEY_RSA_method, which requires an RSA
>> publickey, but we have an ECDSA publickey. The only digest working with
>> ECDSA publickeys is crypto/evp/m_ecdsa.c AFAICT.
>>
>
> Both EVP_PKEY_RSA_method and EVP_PKEY_ECDSA_method are #defined there as
> "EVP_PKEY_NULL_method". (don't ask me why... I don't understand most of
> that macro mess...)
>
> Unfortunately not. Could you share the code that you have please? Or is it
>> not yet working?
>>
>
> Voila: https://github.com/keppler/fido-u2f/blob/master/fido-example.c
> It uses the example messages from the official specs, so should be easy to
> reproduce.
>
> If I'm wrong at any point there, please let me know.
>
> Best regards
>
> -Klaus
>
From b569b35ee5a328507bc07fc760978983241511c7 Mon Sep 17 00:00:00 2001
From: Michael Stapelberg <michael@xxxxxxxxxxxxx>
Date: Fri, 19 Dec 2014 09:45:16 +0100
Subject: [PATCH] Bugfix: use EVP_sha256(), properly check verification result
(Thanks Klaus Keppler)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Note that this requires a recent version of openssl. The one that Apple
ships with OS X Yosemite is too old (“OpenSSL 0.9.8za 5 Jun 2014”). I’ve
successfully tested it with OpenSSL 1.0.1j
---
auth-u2f.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/auth-u2f.c b/auth-u2f.c
index 07b8523..9830f37 100644
--- a/auth-u2f.c
+++ b/auth-u2f.c
@@ -375,7 +375,7 @@ input_userauth_u2f_register_response(int type, u_int32_t seq, void *ctxt)
cdecodedlen = urlsafe_base64_decode(clientdata, cdecoded, BASE64_DECODED_SIZE(strlen(clientdata)));
pkey = X509_get_pubkey(x509);
- if ((err = EVP_VerifyInit(&mdctx, EVP_ecdsa())) != 1) {
+ if ((err = EVP_VerifyInit(&mdctx, EVP_sha256())) != 1) {
ERR_error_string(ERR_get_error(), errorbuf);
fatal("EVP_VerifyInit() failed: %s (reason: %s)",
errorbuf, ERR_reason_error_string(err));
@@ -388,10 +388,15 @@ input_userauth_u2f_register_response(int type, u_int32_t seq, void *ctxt)
EVP_VerifyUpdate(&mdctx, keyhandle, khlen);
EVP_VerifyUpdate(&mdctx, pubkey, U2F_PUBKEY_LEN);
- if ((err = EVP_VerifyFinal(&mdctx, walk, restlen, pkey)) == -1) {
- ERR_error_string(ERR_get_error(), errorbuf);
- error("Verifying the U2F registration signature failed: %s (reason: %s)",
- errorbuf, ERR_reason_error_string(err));
+ err = EVP_VerifyFinal(&mdctx, walk, restlen, pkey);
+ if (err == 0) {
+ error("Verifying the U2F registration signature failed: invalid signature");
+ goto out;
+ } else if (err == -1) {
+ long e = ERR_get_error();
+ ERR_error_string(e, errorbuf);
+ error("Verifying the U2F registration signature failed: %s (raw %lu) (reason: %s)",
+ errorbuf, e, ERR_reason_error_string(err));
goto out;
}
--
2.2.1
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
