Skip to content

Add support for new Yubico FIDO and PIV attestation root CA #26

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
obelisk merged 6 commits into from
Apr 17, 2025
Merged

Add support for new Yubico FIDO and PIV attestation root CA #26

obelisk merged 6 commits into from
Apr 17, 2025

Conversation

@timweri
Copy link
Collaborator

@timweri timweri commented Apr 10, 2025
edited
Loading

Add support for the new FIDO and PIV Root CA: https://developers.yubico.com/PKI/yubico-ca-certs.txt. These new chains contain a few more intermediates from: https://developers.yubico.com/PKI/yubico-intermediate.pem

These new chains were rolled out for Yubikey 5c 5.7.4.

@timweri timweri added the fido For issues around the usage of FIDO/U2F keys label Apr 10, 2025
@timweri timweri force-pushed the add-new-yubico-root-ca branch from 0b53d5b to 2627bf3 Compare April 10, 2025 09:04
@timweri timweri requested a review from Copilot April 11, 2025 22:02
Copilot AI reviewed Apr 11, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (1)

src/fido/verification.rs:193

  • The naming of the two root CA constants (YUBICO_FIDO_ROOT_CA_450203556 and YUBICO_U2F_ROOT_CA_457200631) may be confusing given the fallback logic in verify_auth_data. Consider renaming them to clearly indicate which certificate is preferred and which is the fallback.
else if verify_intermediate(&parsed_intermediate, YUBICO_FIDO_ROOT_CA_450203556).is_err() {

@obelisk
Copy link
Owner

obelisk commented Apr 12, 2025

I was testing this myself but it seems Yubico has added a bunch of new intermediates and roots to their new Yubikeys. Here is the data from a 5.7.4 Yubikey 5C NFC for testing

Auth Data: [18, d7, 09, 3d, b7, ca, 79, ad, ef, 6f, 5f, 4a, 59, 88, c3, 2f, 79, ec, 9b, 47, 3b, c3, 8e, 5d, 1f, 64, 31, 13, 2b, 49, 79, df, 41, 00, 00, 00, 02, d7, 78, 1e, 5d, e3, 53, 46, aa, af, e2, 3c, a4, 9f, 13, 33, 2a, 00, 80, b5, 6b, 3e, c7, a0, 6a, 13, bb, 9e, f7, 0d, f5, 5f, b5, 51, ae, 75, a6, ff, ce, 53, d7, 36, 58, eb, 20, 54, 11, d8, 35, a3, c5, ca, 50, 97, 20, 66, eb, 97, e5, e9, 3f, b4, ff, 63, 03, 2f, ff, 81, 46, 66, ec, 71, b2, 56, bc, 0a, f1, 24, 00, 5e, f3, 04, 56, 8c, 66, d7, 47, 38, 75, b9, 31, 70, e8, d1, d9, 86, fd, 25, 84, 8b, c4, 27, 30, ad, 5d, 9f, 08, 48, 67, f4, 62, 8f, 65, 6e, 5e, 51, d1, 43, c8, 8b, c6, 0d, ed, 6e, 38, 26, a6, c4, 71, a9, 98, cd, d2, 5a, 53, d0, 78, a7, dc, 16, 52, 45, ee, 81, e9, 64, 10, a4, 01, 01, 03, 27, 20, 06, 21, 58, 20, c1, 11, 5f, b6, da, 9a, d7, 17, 79, 5c, 09, 93, 51, af, 75, 5c, a4, f0, 75, cd, 9c, d9, bd, db, d5, 4f, 5a, 4c, b8, 46, 47, 5d]
Auth Dat Signature: [30, 44, 02, 20, 44, e0, 52, 46, ef, 84, 4e, 1a, 2e, 91, 07, ce, 78, 6b, ed, 7b, b2, 44, 39, 0e, c7, ab, ef, 1f, 04, 44, bb, 2b, 54, 70, e3, e3, 02, 20, 07, 3c, 81, 6e, 8d, 27, fd, ee, e9, 66, d4, d5, 56, bc, ce, 1a, c9, 0d, 7f, 45, 67, 4f, c8, 70, c6, cf, 50, 4d, 37, 49, 6e, 2e]
Challenge: [20, 2a, eb, a6, 3b, ec, 7a, f4, b8, 19, 3e, 41, a3, 93, 58, 32, a0, 4a, db, 0e, cb, 2e, 1a, e4, 32, ee, 07, fe, 3f, e9, 9a, a1]
Alg: -7
Intermediate: [30, 82, 02, d7, 30, 82, 01, bf, a0, 03, 02, 01, 02, 02, 09, 00, b5, 1f, 46, 7f, 5c, 92, 81, 39, 30, 0d, 06, 09, 2a, 86, 48, 86, f7, 0d, 01, 01, 0b, 05, 00, 30, 26, 31, 24, 30, 22, 06, 03, 55, 04, 03, 0c, 1b, 59, 75, 62, 69, 63, 6f, 20, 46, 49, 44, 4f, 20, 41, 74, 74, 65, 73, 74, 61, 74, 69, 6f, 6e, 20, 42, 20, 31, 30, 20, 17, 0d, 32, 34, 31, 32, 30, 31, 30, 30, 30, 30, 30, 30, 5a, 18, 0f, 39, 39, 39, 39, 31, 32, 33, 31, 32, 33, 35, 39, 35, 39, 5a, 30, 75, 31, 0b, 30, 09, 06, 03, 55, 04, 06, 13, 02, 53, 45, 31, 12, 30, 10, 06, 03, 55, 04, 0a, 0c, 09, 59, 75, 62, 69, 63, 6f, 20, 41, 42, 31, 22, 30, 20, 06, 03, 55, 04, 0b, 0c, 19, 41, 75, 74, 68, 65, 6e, 74, 69, 63, 61, 74, 6f, 72, 20, 41, 74, 74, 65, 73, 74, 61, 74, 69, 6f, 6e, 31, 2e, 30, 2c, 06, 03, 55, 04, 03, 0c, 25, 59, 75, 62, 69, 63, 6f, 20, 46, 49, 44, 4f, 20, 45, 45, 20, 53, 65, 72, 69, 61, 6c, 20, 31, 34, 30, 36, 39, 36, 36, 37, 33, 39, 38, 34, 34, 33, 37, 30, 59, 30, 13, 06, 07, 2a, 86, 48, ce, 3d, 02, 01, 06, 08, 2a, 86, 48, ce, 3d, 03, 01, 07, 03, 42, 00, 04, 5b, 31, 44, f9, c8, 18, 00, 5f, 0f, 68, d8, 1e, d8, cc, 4b, 32, 15, 8b, c1, 26, 15, ed, eb, 56, 13, 24, 2e, 1e, b5, e3, 87, d3, f7, 16, b9, 2d, f3, 3b, b6, ac, bc, e9, 5d, e7, 69, 3f, 03, 1c, 56, 3f, f3, 07, 4c, de, 49, 21, 26, 7f, be, c1, 6e, 56, 90, e9, a3, 81, 81, 30, 7f, 30, 13, 06, 0a, 2b, 06, 01, 04, 01, 82, c4, 0a, 0d, 01, 04, 05, 04, 03, 05, 07, 04, 30, 22, 06, 09, 2b, 06, 01, 04, 01, 82, c4, 0a, 02, 04, 15, 31, 2e, 33, 2e, 36, 2e, 31, 2e, 34, 2e, 31, 2e, 34, 31, 34, 38, 32, 2e, 31, 2e, 37, 30, 13, 06, 0b, 2b, 06, 01, 04, 01, 82, e5, 1c, 02, 01, 01, 04, 04, 03, 02, 04, 30, 30, 21, 06, 0b, 2b, 06, 01, 04, 01, 82, e5, 1c, 01, 01, 04, 04, 12, 04, 10, d7, 78, 1e, 5d, e3, 53, 46, aa, af, e2, 3c, a4, 9f, 13, 33, 2a, 30, 0c, 06, 03, 55, 1d, 13, 01, 01, ff, 04, 02, 30, 00, 30, 0d, 06, 09, 2a, 86, 48, 86, f7, 0d, 01, 01, 0b, 05, 00, 03, 82, 01, 01, 00, 0d, f5, 3a, 58, c7, 11, 46, 3a, 12, 0a, 07, bb, c4, 9b, 03, 04, 2d, 3c, f9, a5, 00, 2d, ef, 0b, 71, 22, bc, e1, 6c, 3b, 94, b1, 53, 58, 96, 30, 79, c4, 4b, 10, ec, 1e, 1b, 9d, b4, e9, 0c, 51, aa, 8e, 9e, 7c, 39, aa, 80, 22, 0a, 2f, f0, e0, 89, f3, 88, 82, cc, a5, 31, c9, 7e, ea, 08, 4f, f8, 87, c1, c2, 49, b2, ae, 75, 49, 7d, 73, 96, be, f5, 2c, dc, 01, c8, a1, 19, ef, 71, 52, 10, 55, 42, af, 87, 20, 92, 07, d0, d7, 24, 25, 0e, 58, 21, d4, 10, be, a5, f4, 00, 6a, d0, e9, dd, fe, 0f, 37, 66, 43, 04, be, 5e, b7, 60, b3, 1d, 13, f6, c9, df, 52, 6b, b8, f6, 03, c0, 82, d2, ae, 79, ea, 5b, f4, bf, ec, 8d, 5c, ac, c1, fe, b6, dd, 9a, 6c, 3c, 3b, 08, ff, 64, c5, 17, eb, c9, 47, 58, d5, 4c, 53, e8, 66, 79, 9a, b3, b4, eb, ce, 79, 94, d7, bc, 6f, df, 3b, c5, 0e, 29, c5, 16, c6, b4, 60, a2, b6, f4, 9d, a1, 6b, 0f, 19, 4c, 91, ab, 8b, b5, 40, 06, 30, ac, 6d, 05, e6, 94, c1, 16, b4, f6, 95, a9, b4, d1, 8b, 5f, 30, c2, 86, 25, 71, a3, 42, dd, e4, 6c, 2b, 13, 94, f6, d2, 26, df, e0, f6, d0, 44, ff, 0b, 18, 52, 4a, c3, 51]

Additionally, I think we need all the intermediates from here: https://developers.yubico.com/U2F/Attestation_and_Metadata/ under intermediate certificates, the third last certificate there is the intermediate for the one above which then I think goes up to the new root (but I haven't had a chance to validate that yet).

@timweri timweri requested a review from Copilot April 13, 2025 00:45
Copilot AI reviewed Apr 13, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (1)

src/fido/verification.rs:310

  • The comment references YUBICO_FIDO_ROOT_CA_450203556 while the fallback verification uses YUBICO_U2F_ROOT_CA_457200631. Please clarify and align the constant names to avoid confusion.
                // YUBICO_FIDO_ROOT_CA_450203556 was added later in 2025

timweri
timweri commented Apr 13, 2025
View reviewed changes
@timweri timweri changed the title Add Yubico FIDO Root CA Serial 450203556 Add new FIDO attestation root CA Apr 13, 2025
obelisk and others added 3 commits April 13, 2025 18:47
@obelisk
Make Tests Consistent
7a5de1d 
When I was originally writing the Mozilla handler for this library, I
didn't implement hashing of the challenge because there is no way to
take in a challenge from a remote host. This is why @timweri had to
remove the hashing from the test in his earlier commits.

We now generate random data first, then hash it such that we can get the
preimage to test it properly. This also will allow us to extend the API
into the future to allow remote challenges for key generation
verification.
@obelisk
Bump version
9e3f61a
@timweri
Add new PIV root CA and intermediates
393f3ef
@timweri timweri added piv bug Something isn't working labels Apr 16, 2025
@timweri timweri changed the title Add new FIDO attestation root CA Add new Yubico FIDO and PIV attestation root CA Apr 16, 2025
@timweri timweri changed the title Add new Yubico FIDO and PIV attestation root CA Add support for new Yubico FIDO and PIV attestation root CA Apr 16, 2025
@timweri timweri requested a review from obelisk April 16, 2025 23:57
@obelisk obelisk merged commit c4ffc4c into main Apr 17, 2025
5 checks passed
@timweri timweri deleted the add-new-yubico-root-ca branch April 17, 2025 01:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@obelisk obelisk obelisk approved these changes

Assignees

No one assigned

Labels

bug Something isn't working fido For issues around the usage of FIDO/U2F keys piv

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@timweri @obelisk