Created
March 29, 2021 21:10
-
-
Save antelle/20981b15dcac5d131d44f25108ea10b9 to your computer and use it in GitHub Desktop.
PoC of using FIDO2 hmac-secret with a YubiKey
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://github.com/trezor/trezor-firmware/blob/master/tests/fido_tests/libfido2/hmac-secret.sh | |
| # DEVICE=$(fido2-token -L | cut -d : -f 1) | |
| DEVICE=$(fido2-token -L | cut -d : -f 1-2) | |
| if [ -z "$DEVICE" ] ; then | |
| echo "No FIDO2 token found" | |
| exit 1 | |
| fi | |
| # taken from https://github.com/Yubico/libfido2/issues/58 | |
| echo credential challenge | openssl sha256 -binary | base64 > cred_param | |
| echo relying party >> cred_param | |
| echo user name >> cred_param | |
| dd if=/dev/urandom bs=1 count=32 | base64 >> cred_param | |
| fido2-cred -M -h -i cred_param "$DEVICE" | fido2-cred -V -h -o cred | |
| # taken from https://github.com/Yubico/libfido2/issues/58 | |
| echo assertion challenge | openssl sha256 -binary | base64 > assert_param | |
| echo relying party >> assert_param | |
| head -1 cred >> assert_param | |
| tail -n +2 cred > pubkey | |
| #dd if=/dev/urandom bs=1 count=64 | base64 -w0 >> assert_param # hmac salt | |
| dd if=/dev/urandom bs=1 count=64 | base64 >> assert_param # hmac salt | |
| fido2-assert -G -h -i assert_param "$DEVICE" > hmac_assert | |
| fido2-assert -V -h -i hmac_assert pubkey es256 | |
| tail -1 hmac_assert | base64 -d | xxd # hmac secret |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment