
python-u2flib-host's People

Contributors

ctz, dahu33, dainnilsson, doc-hex, gpr33, jas4711, minisu, moreati, outofjungle, ptone, saswatpadhi


python-u2flib-host's Issues

Code duplication between this project and python-u2flib-server

Porting python-u2flib-server to cryptography, I noticed that a few modules are duplicated in this project, and they're starting to diverge. Two examples are:

  • u2flib_host.utils and u2flib_server.utils
  • u2flib_host.soft and python-u2flib-server/test/soft_u2f_v2.py

Are these intentional tradeoffs that you'd like to keep? Or mistakes you'd like fixed?

The options I see are

  1. Keep it as is, try to keep them in sync by hand.
  2. Make u2flib-server use the implementation in u2flib-host, and depend on it.
  3. Vice versa
  4. Create a third package that provides the common parts of u2flib-host and u2flib-server.

1 could allow bugs fixed in one package to go unfixed in the other. 2, 3 & 4 increase the complexity of making/keeping track of/declaring dependencies when releasing.

Yubikey Nano 4 not returned by u2f.list_devices()

The following exception (which is silently ignored) prevents the Yubikey Nano 4 from being listed by u2f.list_devices() on MacOSX (not sure about the other OS):

Python 2.7:

Python 2.7.10 (default, Feb  7 2017, 00:08:15) 
[GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.34)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from u2flib_host import hid_transport
>>> hid_transport.list_devices()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/prousset/Library/Python/2.7/lib/python/site-packages/u2flib_host/hid_transport.py", line 81, in list_devices
    device.open()
  File "/Users/prousset/Library/Python/2.7/lib/python/site-packages/u2flib_host/hid_transport.py", line 116, in open
    self.handle.open_path(self.path)
  File "hid.pyx", line 72, in hid.device.open_path (hid.c:1909)
IOError: open failed

Python 3:

Python 3.6.1 (default, Apr  4 2017, 09:40:21) 
[GCC 4.2.1 Compatible Apple LLVM 8.1.0 (clang-802.0.38)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from u2flib_host import hid_transport
>>> hid_transport.list_devices()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.6/site-packages/u2flib_host/hid_transport.py", line 81, in list_devices
    device.open()
  File "/usr/local/lib/python3.6/site-packages/u2flib_host/hid_transport.py", line 116, in open
    self.handle.open_path(self.path)
  File "hid.pyx", line 72, in hid.device.open_path (hid.c:1909)
OSError: open failed

Support Thetis U2F key

From https://thetis.io/collections/frontpage

idVendor=1ea8, idProduct=f025

[24833.970506] usb 2-6: USB disconnect, device number 16
[24835.896984] usb 2-6: new full-speed USB device number 17 using xhci_hcd
[24836.046010] usb 2-6: New USB device found, idVendor=1ea8, idProduct=f025
[24836.046012] usb 2-6: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[24836.046013] usb 2-6: Product: EsecuFIDO HID
[24836.046014] usb 2-6: Manufacturer: ExcelSecu
[24836.047735] hid-generic 0003:1EA8:F025.000C: hiddev2,hidraw10: USB HID v1.10 Device [ExcelSecu EsecuFIDO HID] on usb-0000:00:14.0-6/input0

TypeError: valid_facets() takes exactly 3 arguments (2 given)

I’m developing a medical device that needs to communicate with a server to function. I need to secure this communication, and I’m trying to use u2f. The server is running Labview Web Services, but I’m able to make things work on the server side using the .Net server library. Where I’m stuck is in the trustedFacet stage. I output json according to the specification at FIDO:

{"trustedFacets":[{"version":{"major":1,"minor":0},"ids":["https://myserver.example.com/u2f/AppID"]}]}

This gets rejected by appid.py verify_facet(self, app_id, facet, version=(2, 0))

I looked for a 2.0 version of FIDO AppID and Facet Specification v1.0, and can’t find it. No matter, I change the AppID to version 2.0 and it proceeds, but dies with:

File "register.py", line 23, in register
    return u2f.register(device, params, facet)
File "build/bdist.macosx-10.10-x86_64/egg/u2flib_host/u2f.py", line 52, in register
File "build/bdist.macosx-10.10-x86_64/egg/u2flib_host/u2f_v2.py", line 43, in register
File "build/bdist.macosx-10.10-x86_64/egg/u2flib_host/appid.py", line 140, in verify_facet
TypeError: valid_facets() takes exactly 3 arguments (2 given)

Looking at the code it seems like valid_facets is being called with:

 trustedFacets = self.valid_facets(entry['ids'])

but is defined as:

 valid_facets(self, app_id, facets):

This suggests that ids shouldn't be an array of strings, but rather an array of dicts. Am I missing something?

Thanks,

Jeff E Mandel MD MS
Assistant Professor of Anesthesiology & Critical Care
Perelman School of Medicine at the University of Pennsylvania

Update:

I changed the line

 trustedFacets = self.valid_facets(entry['ids'])

to

 trustedFacets = self.valid_facets(app_id, entry['ids'])

and

verify_facet(self, app_id, facet, version=(2, 0))

to

verify_facet(self, app_id, facet, version=(1, 0))

u2f.register works now.
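The version mismatch described in this issue can be reproduced with a small facet check. This is an added example, not code from u2flib_host or from the post: the names `origin` and `facet_allowed` are hypothetical, comparing IDs by HTTPS origin is an assumption of the example, and the FIDO rule that facets share a registrable domain with the AppID is left out.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the facet list from the post, with straight quotes.
FACET_DOC = json.dumps({"trustedFacets": [{
    "version": {"major": 1, "minor": 0},
    "ids": ["https://myserver.example.com/u2f/AppID"],
}]})


def origin(url):
    """Reduce a URL to https://host[:port]; reject anything that is not HTTPS."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("facet IDs must be https URLs: %r" % url)
    port = "" if parts.port in (None, 443) else ":%d" % parts.port
    return "https://%s%s" % (parts.hostname.lower(), port)


def facet_allowed(doc_text, facet, version):
    """Return True if `facet` is listed under an entry declaring `version`."""
    doc = json.loads(doc_text)
    wanted = {"major": version[0], "minor": version[1]}
    for entry in doc.get("trustedFacets", []):
        if entry.get("version") != wanted:
            continue  # entry was published for another protocol version
        allowed = set()
        for fid in entry.get("ids", []):
            try:
                allowed.add(origin(fid))
            except ValueError:
                continue  # skip malformed or non-https ids instead of trusting them
        if origin(facet) in allowed:
            return True
    return False  # fail closed: no matching version entry means no trusted facet
```

With the document above, a check for version (1, 0) accepts `https://myserver.example.com`, while a check for (2, 0) finds no matching entry and rejects it.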

Dependencies for Python 3 and PyPy support

python-u2flib-host currently only supports Python 2.x (in particular CPython 2.x). The limiting factor is the required libraries. Porting python-u2flib-host would first require porting, or replacing

I'd like to propose that M2Crypto be replaced: the project appears to be stalled (with no commits since May 2015), and it's written using SWIG, which isn't compatible with PyPy. I'd like to propose cryptography:

  • Apache/BSD dual licensed
  • Supports Python 2.6-2.7, Python 3.3+ and PyPy
  • Tested on Windows, Mac OSX and Linux
  • Ships pre-built wheels for Python 32-bit and 64-bit on Windows
  • Has multiple maintainers i.e. a bus factor > 1

I'm happy to do the work and provide a PR, but first I'd like to check you're happy with the concept. Would Yubico be willing to use cryptography instead of M2Crypto for python-u2flib-host?

Fails on OS X Mavericks

When attempting to use u2f-register on Mavericks, I get the following error:

Traceback (most recent call last):
  File "/usr/local/bin/u2f-register", line 4, in <module>
    __import__('pkg_resources').run_script('python-u2flib-host==2.0.0', 'u2f-register')
  File "build/bdist.macosx-10.9-x86_64/egg/pkg_resources.py", line 534, in run_script
  File "build/bdist.macosx-10.9-x86_64/egg/pkg_resources.py", line 1445, in run_script
  File "/usr/local/Cellar/python/2.7.8_2/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/python_u2flib_host-2.0.0-py2.7.egg/EGG-INFO/scripts/u2f-register", line 95, in <module>

  File "build/bdist.macosx-10.9-x86_64/egg/u2flib_host/u2f.py", line 31, in list_devices
  File "build/bdist.macosx-10.9-x86_64/egg/u2flib_host/ccid_transport.py", line 30, in list_devices
  File "/usr/local/lib/python2.7/site-packages/smartcard/System.py", line 41, in readers
    return smartcard.reader.ReaderFactory.ReaderFactory.readers(groups)
  File "/usr/local/lib/python2.7/site-packages/smartcard/reader/ReaderFactory.py", line 59, in readers
    zreaders += fm(groups)
  File "/usr/local/lib/python2.7/site-packages/smartcard/pcsc/PCSCReader.py", line 107, in readers
    hcontext = PCSCContext().getContext()
  File "/usr/local/lib/python2.7/site-packages/smartcard/pcsc/PCSCContext.py", line 53, in __init__
    PCSCContext.instance = PCSCContext.__PCSCContextSingleton()
  File "/usr/local/lib/python2.7/site-packages/smartcard/pcsc/PCSCContext.py", line 40, in __init__
    raise EstablishContextException(hresult)
smartcard.pcsc.PCSCExceptions.EstablishContextException: 'Failure to establish context: Service not available.'

I'm using the test data from the README on the Yubico/u2f-host repo feeding in from a file. It appears to be something jacked up with the usage or my install of the smartcard library, but I can't figure out exactly what could be going on.

Document what versions of Python are supported

From the use of argparse in the scripts I infer only Python 2.7 (and possibly 3.2+) is supported, but that may be a bug.

  • What 2.x versions of Python does this package officially support?
  • Would you be interested in a patch to support Python 2.6?

Let me know the answer and I'll submit a pull request to document it, and if necessary fix missing 2.6 support.

u2flib_host.exc.APDUError: 0x6A80

Using the aws-google-auth app (which makes use of this library) along with my Yubikey 5 NFC, I was getting "U2F device not found" errors. Digging deeper, this library was throwing an error on the send_apdu call, with error code 0X6A80 being returned, which points to an error in the data that the library is sending to the device.

Unfortunately I don't have enough experience with the APDU spec to debug this any further.

u2flib_host.exc.APDUError: 0x6985

Hi,
with this code:

from u2flib_host import u2f
device = u2f.list_devices()
device = device.pop()
# the next dictionary comes from u2fval_client
registrationRequest = {u'challenge': u'-X0I9Cor1oh3ZoRff1F1h2cA_O9zeQtLMwIYXTMBHJo', u'version': u'U2F_V2', u'appId': u'https://localhost.localdomain'}
with device as yubikey:
 registrationResponse = u2f.register(yubikey, registrationRequest, 'https://localhost.localdomain')

I've this error:

Traceback (most recent call last):
  File "<stdin>", line 2, in <module>
  File "/home/pascal/yubico/yubihost/lib/python2.7/site-packages/u2flib_host/u2f.py", line 63, in register
    return lib.register(device, data, facet)
  File "/home/pascal/yubico/yubihost/lib/python2.7/site-packages/u2flib_host/u2f_v2.py", line 70, in register
    response = device.send_apdu(INS_ENROLL, p1, p2, request)
  File "/home/pascal/yubico/yubihost/lib/python2.7/site-packages/u2flib_host/device.py", line 113, in send_apdu
    raise exc.APDUError(status)
u2flib_host.exc.APDUError: 0x6985

and the yubikey blinks.
If I touch the yubikey (light is on) before calling u2f.register, a response is returned by the key (light is turned off):

with device as yubikey:
 registrationResponse = u2f.register(yubikey, registrationRequest, 'https://localhost.localdomain')
registrationResponse
{'registrationData': ..., 'clientData': ...}
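The two status words reported in the issues above call for different handling: 0x6985 (conditions not satisfied) means the token is waiting for a touch and the request can be repeated, while 0x6A80 (wrong data) will not change on retry. The following is an added example, not code from u2flib_host: `call_until_touched` and `FakeToken` are hypothetical names, `FakeToken` is a constructed test double, and the local `APDUError` is a stand-in assumed to expose `.code` like the library's exception.

```python
import time

SW_CONDITIONS_NOT_SATISFIED = 0x6985  # token is waiting for user presence (touch)
SW_WRONG_DATA = 0x6A80                # token rejected the request data


class APDUError(Exception):
    """Stand-in for u2flib_host.exc.APDUError (assumed to expose .code)."""
    def __init__(self, code):
        super().__init__("0x%04X" % code)
        self.code = code


def call_until_touched(operation, timeout=10.0, interval=0.25,
                       sleep=time.sleep, clock=time.monotonic):
    """Repeat `operation` while the token answers 0x6985, for up to `timeout` seconds."""
    deadline = clock() + timeout
    while True:
        try:
            return operation()
        except APDUError as e:
            if e.code != SW_CONDITIONS_NOT_SATISFIED:
                raise  # e.g. 0x6A80: retrying the same request will not help
            if clock() >= deadline:
                raise TimeoutError("no touch within %.1f s" % timeout)
        sleep(interval)


class FakeToken:
    """Constructed test double: answers 0x6985 until `touch_after` polls have happened."""
    def __init__(self, touch_after, fail_with=None):
        self.polls, self.touch_after, self.fail_with = 0, touch_after, fail_with

    def register(self):
        self.polls += 1
        if self.fail_with is not None:
            raise APDUError(self.fail_with)
        if self.polls <= self.touch_after:
            raise APDUError(SW_CONDITIONS_NOT_SATISFIED)
        return {"registrationData": "<constructed>", "clientData": "<constructed>"}
```

Against a real device the `operation` argument would be a callable wrapping the `u2f.register(...)` call shown in the post, with the `except` clause catching the library's own exception class.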

Struct pack error

apdu_data = struct.pack('B B B B B B B %is B B' % size,0, ins, p1, p2, l0, l1, l2, data, 0x04, 0x00)
It shows that struct.error: required argument is not an integer

Add Trezor devices

Can you add

(0x1209, 0x53c1), # Trezor U2F/FIDO2

to DEVICES in u2flib_host/hid_transport.py?

Thank you.
