Trying to perform registration using my YubiKey 5C Nano device. I have a YubiKey 5C Nano device with PIN set. Product details - YubiKey OTP+FIDO+CCID.
I tried to use `fido_dev_make_cred(device, cred, pin)`, this returns a FIDO_ERR_SUCCESS but the attstmt and authdata are null. AFAIK, this device requires a touch to generate credentials, however, the UV support is FALSE and when `fido_dev_make_cred` is called, it bypasses the wait for touch and returns SUCCESS.
```rust
libfido2::fido_dev_open(device, libfido2::fido_dev_info_path(di));
let cred = libfido2::fido_cred_new();
libfido2::fido_cred_set_type(cred, alg);
libfido2::fido_cred_set_clientdata(
    cred,
    client_data_json.as_ptr() as *const u8,
    client_data_json.len(),
);
libfido2::fido_cred_set_rp(cred, rp_id.as_ptr(), rp_name.as_ptr());
libfido2::fido_cred_set_user(
    cred,
    user_id.as_ptr(),
    user_id.len(),
    user_name_c.as_ptr(),
    user_display_name_c.as_ptr(),
    std::ptr::null(),
);
libfido2::fido_cred_set_rk(cred, libfido2::fido_opt_t_FIDO_OPT_OMIT);
let mut fido_uv = libfido2::fido_opt_t_FIDO_OPT_OMIT;
let has_pin = libfido2::fido_dev_has_pin(device);
trace!{"Uv support: {:?}", libfido2::fido_dev_supports_uv(device)}; // false
trace!{"pin support: {:?}", libfido2::fido_dev_supports_pin(device)}; // true
trace!{"is fido: {:?}", libfido2::fido_dev_is_fido2(device)}; // true
libfido2::fido_cred_set_uv(cred, fido_uv);
libfido2::fido_cred_set_extensions(cred, 0);
let s = String::from("0000");
let cs = CString::new(s).unwrap();
let cv: Vec<u8> = cs.into_bytes_with_nul();
let mut tmp: Vec<i8> = cv.into_iter().map(|c| c as i8).collect::<_>();
let _cptr: *mut i8 = tmp.as_mut_ptr();
let r = libfido2::fido_cred_set_pin_minlen(cred, 9);
if has_pin {
    let r = libfido2::fido_dev_make_cred(device, cred, _cptr);
} else {
    let r = libfido2::fido_dev_make_cred(device, cred, std::ptr::null() as *const i8);
}
libfido2::fido_dev_close(device);
if r != libfido2::FIDO_OK {
    trace!(
        "fido_dev_make_cred failed {:?}",
        CStr::from_ptr(libfido2::fido_strerr(r))
    );
    libfido2::fido_dev_cancel(device);
} else {
    trace!("fido_dev_make_cred SUCCESS!");
    let att_len = libfido2::fido_cred_attstmt_len(cred);
    let att_ptr = libfido2::fido_cred_attstmt_ptr(cred);
    let attstmt = std::slice::from_raw_parts(att_ptr, att_len);
    trace!("ATT len={}", att_len);
    let auth_len = libfido2::fido_cred_authdata_len(cred);
    let auth_ptr = libfido2::fido_cred_authdata_ptr(cred);
    let auth = std::slice::from_raw_parts(auth_ptr, auth_len);
    trace!("AUTH len={}", auth_len);
}
```
If I set the UV to `fido_opt_t_FIDO_OPT_TRUE`, it fails with UNSUPPORTED error, but that is because the `fido_dev_supports_uv` returns false.
Why is the touch bypassed and how can I get credentials with a device with PIN?
I am able to get this code to work with a device without PIN (setting the pin to NULL). Is PIN not supported for this device in libfido? What devices are supported with PIN?
Platform: OSX Language: libfido2 rust
Thanks.
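An added example, not code from the original post or from libfido2: it isolates the control flow around `r` in the posted snippet, where each `let r` inside the `if`/`else` branches is scoped to its block, so the status checked afterwards is the one returned by `fido_cred_set_pin_minlen`, not by `fido_dev_make_cred`. The `stub_*` functions, `STUB_ERR`, and the helper names are assumptions standing in for the real calls so the example runs without a device.

```rust
// Stubs standing in for the libfido2 calls in the post (assumptions, no device needed).
const FIDO_OK: i32 = 0;
const STUB_ERR: i32 = -1; // constructed failure code, not a real libfido2 value

fn stub_set_pin_minlen() -> i32 { FIDO_OK }
fn stub_make_cred(_pin: Option<&str>) -> i32 { STUB_ERR } // pretend the device refused

// Control flow as posted: each `let r` inside a branch is a new binding that
// ends with its block, so the value returned is still set_pin_minlen's status.
#[allow(unused_variables)]
fn status_as_posted(has_pin: bool) -> i32 {
    let r = stub_set_pin_minlen();
    if has_pin {
        let r = stub_make_cred(Some("0000"));
    } else {
        let r = stub_make_cred(None);
    }
    r
}

// Same flow with `if` used as an expression: the status checked is make_cred's.
fn status_checked(has_pin: bool) -> i32 {
    let minlen_status = stub_set_pin_minlen();
    if minlen_status != FIDO_OK {
        return minlen_status;
    }
    if has_pin { stub_make_cred(Some("0000")) } else { stub_make_cred(None) }
}

// Guard for the attstmt/authdata reads: a null pointer or zero length yields
// an empty slice instead of being passed to slice::from_raw_parts.
unsafe fn bytes_or_empty<'a>(ptr: *const u8, len: usize) -> &'a [u8] {
    if ptr.is_null() || len == 0 {
        &[]
    } else {
        unsafe { std::slice::from_raw_parts(ptr, len) }
    }
}

fn main() {
    println!("as posted: {}", status_as_posted(true));
    println!("checked:   {}", status_checked(true));
    let empty = unsafe { bytes_or_empty(std::ptr::null(), 0) };
    println!("attstmt bytes: {}", empty.len());
}
```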