Fido MDS Bug?
My1 opened this issue
So I had some tries with the new version that supports the MDS, which is pretty nice.
But apparently, for some reason, the Idem Card gets rejected as allegedly not matching any root.
However, I pulled a copy, looked for the AAGUID and pulled the root certs from that (there are 2), and it definitely matched one of them.
| Field | Value |
|---|---|
| rpId | webauthn.lubu.ch |
| attestationFormat | packed |
| credentialId | e6d9cc39397894258a3261e05c9e991b4608263b0a020227c8ac53281a9d7863 b67b137911aee841c39f02e126e1d3505936533b9f8b881ffab2dae051000ac0 8ba9445bdabe39455feaa7fd7d77fdccb60821dfdc6dbe83a2b0c52bf8538945 eb070057 |
| credentialPublicKey | -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEHiNGDylG9qniUs76pNguD+SZsci ao5iSyPCJR2qd/VXB51CJUpg65GShHNd1kne+iyTgpIJcIZZFdFfr15C3g== -----END PUBLIC KEY----- |
| certificateChain | null |
| certificate | -----BEGIN CERTIFICATE----- MIICYjCCAgigAwIBAgIBATAKBggqhkjOPQQDAjA7MSAwHgYDVQQDDBdHb1RydXN0 IEZJRE8yIFJvb3QgQ0EgMjEXMBUGA1UECgwOR29UcnVzdElEIEluYy4wHhcNMTkx MjIzMDMzNTI1WhcNMjkxMjIwMDMzNTI1WjCBrTEuMCwGA1UEAwwlR29UcnVzdCBJ ZGVtIENhcmQgRklETzIgQXV0aGVudGljYXRvcjELMAkGA1UEBhMCVVMxJDAiBgkq hkiG9w0BCQEWFXN1cHBvcnRAZ290cnVzdGlkLmNvbTELMAkGA1UEBwwCQ0ExFzAV BgNVBAoMDkdvVHJ1c3RJRCBJbmMuMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0 dGVzdGF0aW9uMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcErb4zA2Ddh1bdCA YV+0YeGT1UBZ4bbdF9O7zUmAJMhVsYAJZimUldaa2T6l6ZMkSeQT5sJPaFAt/kOt fi09f6OBiTCBhjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTFX3THDGjo3OW3/bTN 2ncq2SlMZzAfBgNVHSMEGDAWgBRgLXWdWer1kSGppgPliZi1HsYPhDATBgsrBgEE AYLlHAIBAQQEAwIEcDAhBgsrBgEEAYLlHAEBBAQSBBCfDYFQuqVMAJKZrWLIu06H MAoGCCqGSM49BAMCA0gAMEUCIQC8ycqPyZjCOKQiHZ/iZ8yVxK8WeP+CfvWklO0S ft8M3wIgbvLx/3roaLeKsnMpB5orFFjmhbni6yNVQ9tnHoi3qyk= -----END CERTIFICATE----- |
| certificateIssuer | GoTrust FIDO2 Root CA 2 (GoTrustID Inc.) |
| certificateSubject | GoTrust Idem Card FIDO2 Authenticator (GoTrustID Inc. Authenticator Attestation) |
| signatureCounter | 17 |
| AAGUID | 9f0d8150baa54c009299ad62c8bb4e87 |
| rootValid | no |
| userPresent | yes |
| userVerified | yes |
| userId | 64656d6f64656d6f |
| userName | demo |
| userDisplayName | Demo Demolin |
There are 2 certificates in the MDS matching the certificate issuer name:
-- CN: GoTrust FIDO2 Root CA 2
-- Serial Number: 1 (0x1)
-- CN: GoTrust FIDO2 Root CA 2
-- Serial Number: c855fef418bb8280
```
-----BEGIN CERTIFICATE-----
MIIBzjCCAXOgAwIBAgIJAMhV/vQYu4KAMAoGCCqGSM49BAMCMDsxIDAeBgNVBAMM
F0dvVHJ1c3QgRklETzIgUm9vdCBDQSAyMRcwFQYDVQQKDA5Hb1RydXN0SUQgSW5j
LjAeFw0xOTEyMDQwNzAzMDFaFw00OTExMjYwNzAzMDFaMDsxIDAeBgNVBAMMF0dv
VHJ1c3QgRklETzIgUm9vdCBDQSAyMRcwFQYDVQQKDA5Hb1RydXN0SUQgSW5jLjBZ
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABJHgK9fNqNEWIYTsZ/gNi17zpErK7FC1
Yo+FzqRVMYGUJgAJ9vg31iTCJ1VYxbAKMQblLGkVn/dfP73geTKed9OjYDBeMAwG
A1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRgLXWdWer1kSGp
pgPliZi1HsYPhDAfBgNVHSMEGDAWgBRgLXWdWer1kSGppgPliZi1HsYPhDAKBggq
hkjOPQQDAgNJADBGAiEAujrKWZw+S0TfG1bJJcsqmGu5WLbB2EgorD2hA2q6BoIC
IQCiyxnvAn6Mi+DdRnw3SQGQZoLKFKwHr4XGNIO5pAHAHA==
-----END CERTIFICATE-----
```
But none of them is the issuer of your certificate above - you can simply check it with openssl:

```
openssl verify -verbose -CAfile root.pem ca.pem
```

It looks like the correct root is not distributed via MDS. Same problem for SoloKeys; their root is missing too: solokeys/solo1#565
Okay, I found something interesting: the one with the correct key fingerprint of 60-2d-75... (the second one you listed, ending in NIO5pAHAHA==) is apparently marked CA: false.
I'd assume that might be a problem; I wonder why it was made that way.
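Added example (my own code, not the library's or GoTrust's): it runs, in Go against the two certificates pasted in this thread, the checks the two comments above disagree on: whether the MDS root is found by issuer name and authority key identifier, whether its key actually signed the attestation certificate, and what crypto/x509's CheckSignatureFrom says, since it rejects a root marked basicConstraints CA:FALSE before it even looks at the signature. Only the Go standard library is used; the base64 is the PEM body of the debug-table certificate and of the second MDS root, copied from above.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
)

// AttB64 is the attestation certificate from the debug table above; RootB64 is the
// second "GoTrust FIDO2 Root CA 2" certificate from the MDS. Both copied from this thread.
const AttB64 = "MIICYjCCAgigAwIBAgIBATAKBggqhkjOPQQDAjA7MSAwHgYDVQQDDBdHb1RydXN0IEZJRE8yIFJvb3QgQ0EgMjEXMBUGA1UECgwOR29UcnVzdElEIEluYy4wHhcNMTkxMjIzMDMzNTI1WhcNMjkxMjIwMDMzNTI1WjCBrTEuMCwGA1UEAwwlR29UcnVzdCBJZGVtIENhcmQgRklETzIgQXV0aGVudGljYXRvcjELMAkGA1UEBhMCVVMxJDAiBgkqhkiG9w0BCQEWFXN1cHBvcnRAZ290cnVzdGlkLmNvbTELMAkGA1UEBwwCQ0ExFzAV" +
	"BgNVBAoMDkdvVHJ1c3RJRCBJbmMuMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcErb4zA2Ddh1bdCAYV+0YeGT1UBZ4bbdF9O7zUmAJMhVsYAJZimUldaa2T6l6ZMkSeQT5sJPaFAt/kOtfi09f6OBiTCBhjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTFX3THDGjo3OW3/bTN" +
	"2ncq2SlMZzAfBgNVHSMEGDAWgBRgLXWdWer1kSGppgPliZi1HsYPhDATBgsrBgEEAYLlHAIBAQQEAwIEcDAhBgsrBgEEAYLlHAEBBAQSBBCfDYFQuqVMAJKZrWLIu06HMAoGCCqGSM49BAMCA0gAMEUCIQC8ycqPyZjCOKQiHZ/iZ8yVxK8WeP+CfvWklO0Sft8M3wIgbvLx/3roaLeKsnMpB5orFFjmhbni6yNVQ9tnHoi3qyk="
const RootB64 = "MIIBzjCCAXOgAwIBAgIJAMhV/vQYu4KAMAoGCCqGSM49BAMCMDsxIDAeBgNVBAMMF0dvVHJ1c3QgRklETzIgUm9vdCBDQSAyMRcwFQYDVQQKDA5Hb1RydXN0SUQgSW5jLjAeFw0xOTEyMDQwNzAzMDFaFw00OTExMjYwNzAzMDFaMDsxIDAeBgNVBAMMF0dvVHJ1c3QgRklETzIgUm9vdCBDQSAyMRcwFQYDVQQKDA5Hb1RydXN0SUQgSW5jLjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJHgK9fNqNEWIYTsZ/gNi17zpErK7FC1" +
	"Yo+FzqRVMYGUJgAJ9vg31iTCJ1VYxbAKMQblLGkVn/dfP73geTKed9OjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRgLXWdWer1kSGppgPliZi1HsYPhDAfBgNVHSMEGDAWgBRgLXWdWer1kSGppgPliZi1HsYPhDAKBggqhkjOPQQDAgNJADBGAiEAujrKWZw+S0TfG1bJJcsqmGu5WLbB2EgorD2hA2q6BoICIQCiyxnvAn6Mi+DdRnw3SQGQZoLKFKwHr4XGNIO5pAHAHA=="

// MustCert parses a base64 DER certificate; it panics because the inputs are constants.
func MustCert(b64 string) *x509.Certificate {
	der, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// CheckRoot runs the checks a WebAuthn server runs when matching an MDS root: issuerMatch
// and akiMatch locate the root, rawSigOK is only the ECDSA math over the TBS, and chainErr
// is x509.CheckSignatureFrom, which applies RFC 5280 4.2.1.9 (a CA:FALSE root may not
// verify certificate signatures) before it checks the signature at all.
func CheckRoot(att, root *x509.Certificate) (issuerMatch, akiMatch, rootIsCA, rawSigOK bool, chainErr error) {
	issuerMatch = bytes.Equal(att.RawIssuer, root.RawSubject)
	akiMatch = bytes.Equal(att.AuthorityKeyId, root.SubjectKeyId)
	rootIsCA = root.IsCA // basicConstraints cA flag
	if pub, ok := root.PublicKey.(*ecdsa.PublicKey); ok {
		h := sha256.Sum256(att.RawTBSCertificate)
		rawSigOK = ecdsa.VerifyASN1(pub, h[:], att.Signature)
	}
	chainErr = att.CheckSignatureFrom(root)
	return
}

// IsConstraintViolation reports whether chainErr is the CA-constraint rejection, not a signature mismatch.
func IsConstraintViolation(err error) bool {
	var cve x509.ConstraintViolationError
	return errors.As(err, &cve)
}
```

rawSigOK tells you whether the root key matches at all; a ConstraintViolationError in chainErr means the rejection comes from the CA:FALSE flag, not from a wrong root.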
Ask support@gotrustid.com 😉