Need help on Basic Java Sample Demo

Question

Need help on Basic Java Sample Demo

wsideveloper opened this issue 3 years ago · comments

I am able to install a SKFS server with my internet domain. I can do a ping to my server too:
java -jar skfsclient.jar P https://mydomain:8181 1 REST PASSWORD svcfidouser Abcd1234!

However when I install the Basic Java Sample Demo and launch it to my server https://mydomain:8181//basicdemo/

I get this error when I do a register:
SecurityError: The relying party ID is not a registrable domain suffix of, nor equal to the current domain.

I have tried to change the policy for DID 1 in the database by only replacing "strongkey.com" to mydomain:

{"FidoPolicy":{"name":"MinimalPolicy","copyright":"","version":"1.0","startDate":"1635942582","endDate":"1760103870871","system":{"requireCounter":"mandatory","integritySignatures":false,"userVerification":["required","preferred","discouraged"],"userPresenceTimeout":0,"allowedAaguids":["all"],"jwtKeyValidity":365,"jwtRenewalWindow":30,"transport":["usb","internal"]},"algorithms":{"curves":["secp256r1","secp384r1","secp521r1","curve25519"],"rsa":["RS256","RS384","RS512","PS256","PS384","PS384"],"signatures":["ES256","ES384","ES512","EdDSA","ES256K"]},"attestation":{"conveyance":["none","indirect","direct","enterprise"],"formats":["fido-u2f","packed","tpm","android-key","android-safetynet","apple","none"]},"registration":{"displayName":"required","attachment":["platform","cross-platform"],"discoverableCredential":["required","preferred","discouraged"],"excludeCredentials":"enabled"},"authentication":{"allowCredentials":"enabled"},"authorization":{"maxdataLength":256,"preserve":true},"rp":{"id":"strongkey.com","name":"FIDOServer"},"extensions":{},"mds":{"authenticatorStatusReport":[{"status":"FIDO_CERTIFIED_L1","priority":"1","decision":"IGNORE"},{"status":"FIDO_CERTIFIED_L2","priority":"1","decision":"ACCEPT"},{"status":"UPDATE_AVAILABLE","priority":"5","decision":"IGNORE"},{"status":"REVOKED","priority":"10","decision":"DENY"}]},"jwt":{"algorithms":["ES256","ES384","ES521"],"duration":30,"required":["rpid","iat","exp","cip","uname","agent"],"signingCerts":{"DN":"CN=StrongKey KeyAppliance,O=StrongKey","certsPerServer":3}}}}

but the registering still does not work. It shows a new error "WEBAUTHN-WS-ERR-1000: An unexpected error occurred. Please check server logs for details."

Any pointers?

Arshad Noor · Answer 1 · Fri Nov 05 2021 20:11:50 GMT+0800 (China Standard Time)

You cannot use *mydomain* as your FQDN. It has to be a "top-level domain" (TLD) + 1 sub-domain. *.com* is a TLD. *.org* is a TLD. *.gov *or *.edu* is a TLD. The subdomain is something like "*strongkey*" or "*fidoalliance*". So a valid TLD+1 is "*strongkey.com*" or "*fidoalliance.org*". You need to set your machine's FQDN to a valid hostname + TLD + 1 - such as *demo.strongkey.com*, where *demo* is the hostname and *strongkey.com* is the TLD+1. Once you do that, the Relying Party ID (RPID) will be set correctly and you can use your FIDO server correctly. Also, if you are authenticated into a Shell session in your SKFS machine, and if it is Linux, just type *aslg* and it will take you to the directory of your SKFS logs. The log file is *server.log* and you can see the error messages there. You can also type *tsl* in a Shell window separately on the SKFS machine and you'll see a running log of your FIDO server. Hope that helps.

…

On 11/5/21 2:43 AM, wsideveloper wrote: I am able to install a SKFS server with my internet domain. I can do a ping to my server too: java -jar skfsclient.jar P https://mydomain:8181 <https://mydomain:8181> 1 REST PASSWORD svcfidouser Abcd1234! However when I install the Basic Java Sample Demo and launch it to my server https://mydomain:8181//basicdemo/ <https://mydomain:8181//basicdemo/> I get this error when I do a register: SecurityError: The relying party ID is not a registrable domain suffix of, nor equal to the current domain. I have tried to change the policy for DID 1 in the database by only replacing "strongkey.com" to mydomain: {"FidoPolicy":{"name":"MinimalPolicy","copyright":"","version":"1.0","startDate":"1635942582","endDate":"1760103870871","system":{"requireCounter":"mandatory","integritySignatures":false,"userVerification":["required","preferred","discouraged"],"userPresenceTimeout":0,"allowedAaguids":["all"],"jwtKeyValidity":365,"jwtRenewalWindow":30,"transport":["usb","internal"]},"algorithms":{"curves":["secp256r1","secp384r1","secp521r1","curve25519"],"rsa":["RS256","RS384","RS512","PS256","PS384","PS384"],"signatures":["ES256","ES384","ES512","EdDSA","ES256K"]},"attestation":{"conveyance":["none","indirect","direct","enterprise"],"formats":["fido-u2f","packed","tpm","android-key","android-safetynet","apple","none"]},"registration":{"displayName":"required","attachment":["platform","cross-platform"],"discoverableCredential":["required","preferred","discouraged"],"excludeCredentials":"enabled"},"authentication":{"allowCredentials":"enabled"},"authorization":{"maxdataLength":256,"preserve":true},"rp":{"id":"strongkey.com","name":"FIDOServer"},"extensions":{},"mds":{"authenticatorStatusReport":[{"status":"FIDO_CERTIFIED_L1","priority":"1","decision":"IGNORE"},{"status":"FIDO_CERTIFIED_L2","priority":"1","decision":"ACCEPT"},{"status":"UPDATE_AVAILABLE","priority":"5","decision":"IGNORE"},{"status":"REVOKED","priority":"10","decision":"DENY"}]},"jwt":{"algorithms":["ES256","ES384","ES521"],"duration":30,"required":["rpid","iat","exp","cip","uname","agent"],"signingCerts":{"DN":"CN=StrongKey KeyAppliance,O=StrongKey","certsPerServer":3}}}} but the registering still does not work. It shows a new error "WEBAUTHN-WS-ERR-1000: An unexpected error occurred. Please check server logs for details." Any pointers? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#170>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABWSVTX2MQJPOFD5Q4E3WYTUKORLRANCNFSM5HNNYJHA>. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

wsideveloper · Answer 2 · Fri Nov 05 2021 21:20:46 GMT+0800 (China Standard Time)

Thank you for your quick reply. mydomain is just a representation of my FDQN.

I managed to solve the problem. A \n is needed at the end of the policy string.

{"FidoPolicy":{"name":"MinimalPolicy","copyright":"","version":"1.0","startDate":"1635942582","endDate":"1760103870871","system":{"requireCounter":"mandatory","integritySignatures":false,"userVerification":["required","preferred","discouraged"],"userPresenceTimeout":0,"allowedAaguids":["all"],"jwtKeyValidity":365,"jwtRenewalWindow":30,"transport":["usb","internal"]},"algorithms":{"curves":["secp256r1","secp384r1","secp521r1","curve25519"],"rsa":["RS256","RS384","RS512","PS256","PS384","PS384"],"signatures":["ES256","ES384","ES512","EdDSA","ES256K"]},"attestation":{"conveyance":["none","indirect","direct","enterprise"],"formats":["fido-u2f","packed","tpm","android-key","android-safetynet","apple","none"]},"registration":{"displayName":"required","attachment":["platform","cross-platform"],"discoverableCredential":["required","preferred","discouraged"],"excludeCredentials":"enabled"},"authentication":{"allowCredentials":"enabled"},"authorization":{"maxdataLength":256,"preserve":true},"rp":{"id":"strongkey.com","name":"FIDOServer"},"extensions":{},"mds":{"authenticatorStatusReport":[{"status":"FIDO_CERTIFIED_L1","priority":"1","decision":"IGNORE"},{"status":"FIDO_CERTIFIED_L2","priority":"1","decision":"ACCEPT"},{"status":"UPDATE_AVAILABLE","priority":"5","decision":"IGNORE"},{"status":"REVOKED","priority":"10","decision":"DENY"}]},"jwt":{"algorithms":["ES256","ES384","ES521"],"duration":30,"required":["rpid","iat","exp","cip","uname","agent"],"signingCerts":{"DN":"CN=StrongKey KeyAppliance,O=StrongKey","certsPerServer":3}}}} \n