
UAF - Universal Authentication Framework

UAF Architectural Overview

News & Release Notes

Vision

The main goal is a passwordless authentication experience.

Values

  • Simple authentication using biometric readings, such as a fingerprint
  • Stronger authentication based on cryptography (per-user key pairs instead of shared passwords)

Methods

  • Standardize the messages and the message exchange sequence
  • Standardize how biometric authenticators receive requests and return responses
  • Define how cryptography is used to secure the exchanged messages

Obstacles

  • Identifying all the data that must be part of the protocol messages
  • Correctly implementing the message exchange sequence
  • Correctly implementing the cryptographic sign/verify operations
  • Correctly implementing the encoding/decoding of the messages

Measures

  • A high number of successful applications of the protocol
  • Higher adoption of the protocol compared with password authentication
  • Zero security bugs

Implementation details

The code presented here is divided into three groups:

  1. fido-uaf-core - UAF protocol implementation (message definitions and the registration/authentication request and response processing)
  2. fidouaf - UAF server, a Jersey (JAX-RS) service application demonstrating use of the protocol implementation
  3. fidouafclient - Android relying party (RP) client app for demoing the UAF server

Steps for running the demo

  1. Build and run the UAF server as described in the project Wiki (https://github.com/eBay/UAF/wiki/BuildingAndRunningUAFServer).
  2. Build and run the client (fidouafclient).
  3. Obtain the facetID of the client.

     3.1. If the client runs on an Android device, pressing the button labelled "facetID" displays the client's facetID string on the screen.

     3.2. If the client runs on an emulator, pressing the button labelled "facetID" prints the client's facetID string to the IDE console (Logcat); search for the term "facetID:".

  4. In the file UAF/fidouaf/src/main/java/org/ebayopensource/fidouaf/res/config.properties, replace the example facetID string with the value obtained in step 3. The server publishes this value in its trusted facets list (served under /fidouaf/v1/public/uaf/facets), which the client compares its own facetID against, so the value must match the signing key of the APK you actually installed; a rebuild with a different signing key produces a different facetID.
  5. Set the Server Endpoint on the client by opening the settings menu in the upper right corner of the client application, filling in the server's IP address and port (e.g. http://192.168.1.34:8080), then clicking the checkmark to save the settings. Plain http is acceptable only for local testing; the UAF specification requires an https appID for the trusted facets list.
  6. The client and the server are now ready to be tested.

Contributors

alain2sf, bhavinparekh04, dependabot[bot], emersonmello, hackappcom, justinabrahms, levangongpaypal, malisetti, mallikarjunap, mikanbako, mrchaipats, npesic, quanken, sappho192, vhuang01

Issues

Inadequate AuthenticatorRecord verification

This implementation of UAF, which appears to be FIDO certified, fails to correctly verify authenticator records and does not support TLS channel binding, which is essential for resisting certain man-in-the-middle attacks.

Notably, the implementation fails to verify any of the final challenge parameter (fcp) fields, potentially verifying attestations that do not even attest the appropriate challenge.
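The checks the issue above reports as missing, written out as an added Python example (illustrative code, not the eBay server's implementation). It assumes the final challenge hash is SHA-256 over the base64url-encoded fcParams string (UAF 1.0 with a SHA-256 authenticator) and that the hash has already been extracted from the assertion TLV, which is not parsed here; the appID is the facets URL quoted later on this page, while the facetID, TLS value, user name and challenges are constructed.

```python
"""Server-side checks on UAF FinalChallengeParams (fcParams).

Added illustration; not the eBay UAF server's code. Before trusting an
assertion, the relying-party server re-validates the fcParams the client
echoed back: appID, challenge (issued by us, unexpired, single use), facetID
membership, channel binding against the TLS connection we observed, and the
hash the authenticator actually signed. Assumption: the final challenge hash
is SHA-256 over the base64url fcParams string and was already pulled out of
the assertion TLV (TAG_FINAL_CHALLENGE_HASH), which is not parsed here.
"""
import base64
import hashlib
import json
import secrets


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ChallengeStore:
    """Challenges issued by this server: bound to a user, time-limited, single use."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self._issued = {}  # challenge -> (username, issued_at)

    def issue(self, username: str, now: float) -> str:
        challenge = b64url_encode(secrets.token_bytes(32))
        self._issued[challenge] = (username, now)
        return challenge

    def consume(self, challenge: str, username: str, now: float) -> bool:
        entry = self._issued.pop(challenge, None)  # pop, so a replay finds nothing
        if entry is None:
            return False
        owner, issued_at = entry
        return owner == username and now - issued_at <= self.ttl


class FcpError(ValueError):
    """Raised when fcParams must not be accepted."""


def verify_fc_params(fc_params_b64, fc_hash, expected_app_id, trusted_facets,
                     store, username, observed_channel, now):
    """Return the decoded FinalChallengeParams dict, or raise FcpError."""
    try:
        fcp = json.loads(b64url_decode(fc_params_b64).decode("utf-8"))
    except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
        raise FcpError(f"fcParams is not base64url-encoded JSON: {exc}")
    if not isinstance(fcp, dict):
        raise FcpError("fcParams is not a JSON object")
    for field in ("appID", "challenge", "facetID", "channelBinding"):
        if field not in fcp:
            raise FcpError(f"fcParams is missing {field}")
    if not isinstance(fcp["channelBinding"], dict):
        raise FcpError("channelBinding is not a JSON object")

    if fcp["appID"] != expected_app_id:
        raise FcpError("appID does not match this relying party")
    if fcp["facetID"] not in trusted_facets:
        raise FcpError("facetID is not in the trusted facets list")
    if not store.consume(fcp["challenge"], username, now):
        raise FcpError("challenge is unknown, expired, replayed or for another user")

    # Channel binding: every value the client asserts must equal what this server
    # observed on the TLS connection; a MITM terminating TLS cannot reproduce it.
    for key, asserted in fcp["channelBinding"].items():
        if asserted and asserted != observed_channel.get(key):
            raise FcpError(f"channel binding {key} does not match the connection")

    # The authenticator signed hash(fcParams); this ties the assertion to the
    # exact appID/challenge/facetID/channelBinding checked above.
    computed = hashlib.sha256(fc_params_b64.encode("ascii")).digest()
    if not secrets.compare_digest(computed, fc_hash):
        raise FcpError("final challenge hash does not match fcParams")
    return fcp


def client_build_fc_params(app_id, challenge, facet_id, channel_binding):
    """Client side, simplified: serialise FinalChallengeParams, base64url-encode
    it, and compute the hash handed to the authenticator for signing."""
    fcp = {"appID": app_id, "challenge": challenge, "facetID": facet_id,
           "channelBinding": channel_binding}
    encoded = b64url_encode(json.dumps(fcp, separators=(",", ":")).encode("utf-8"))
    return encoded, hashlib.sha256(encoded.encode("ascii")).digest()


if __name__ == "__main__":
    # Constructed exchange: appID is the facets URL quoted in the issues on this
    # page; the facetID, TLS fingerprint and user are made up.
    app_id = "https://www.head2toes.org/fidouaf/v1/public/uaf/facets"
    facet = "android:apk-key-hash:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
    tls = {"tlsServerCertificate": "constructed-cert-fingerprint"}
    store = ChallengeStore()
    challenge = store.issue("alice", now=1000.0)
    enc, fc_hash = client_build_fc_params(app_id, challenge, facet, tls)
    print(verify_fc_params(enc, fc_hash, app_id, {facet}, store, "alice", tls, 1010.0))
    try:  # presenting the same response again is a replay and must be refused
        verify_fc_params(enc, fc_hash, app_id, {facet}, store, "alice", tls, 1011.0)
    except FcpError as err:
        print("rejected:", err)
```

The order of the checks matters: the challenge is consumed only after appID and facetID have passed, so a malformed or mis-targeted response does not burn a legitimate pending challenge, and the hash comparison is last because it is only meaningful once the parameters it covers are known to be the server's own.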

FidoUafResource class in FIDO UAF Server is not handling empty payload parameter

Hi @npesic,

After this merge the FIDO UAF client checks whether the current Android app hash is present in the AppID (trusted facets) list (currently the FIDO Server code serves this URL statically: https://www.head2toes.org/fidouaf/v1/public/uaf/facets). If the app hash is not present in that list, the uafMessage string will be empty in the clientSendRegResponse method of the Reg class.

In this line the decoded string is null, so it throws java.lang.IllegalArgumentException: Source string may not be null on the client side.

But if I change decoded = null to decoded = "" in this line, then the FIDO UAF Server is in trouble because it believes that the fromJson variable was instantiated correctly.

Some ideas:

Inbuilt FIDO UAF Client is crashing (Galaxy S7)

I am trying fidouafclient (the RP app) on a Galaxy S7. The S7 has an inbuilt FIDO UAF Client (com.sec.android.fido.uaf.client.OxygenActivity).

When I click on register it prompts me to select a UAF Client app.

If I select OxygenActivity it crashes with the message:

Unfortunately, FIDO UAF client has stopped.

If I select the eBay client it works fine.

Ideally we will not have our own FIDO_OPERATION intent (org.ebayopensource.fidouafclient.ExampleFidoUafActivity), so in that case it will always crash.

I am not sure if the issue is with this app or with the inbuilt FIDO UAF Client.

What are FIDO's interfaces for a "Local Authenticator"?

Hi Neb,

I am very new to FIDO and have just started on it with https://github.com/eBay/UAF.
I want to know what the 'Interfaces for Integration' with a 'Local Authenticator' (Face, Finger and Voice) are.

I could see some classes are there for integration, but I couldn't fully get the logic of some of them. The related classes are:

1. ASMRequest
2. ASMResponse
3. Auth [functions: getAsmRequestJson(int authenticatorIndex), getAsmRequest(int authenticatorIndex), getAuthenticateIn()] (this class is in package main.java.org.honda.fidouafclient.op)
4. Reg [function: getRegIn(String username)] (this class is in package main.java.org.honda.fidouafclient.op)

Any pointer or help would be great. I just want to know what the 'FIDO Client' interfaces for a 'Local Authenticator' (Face, Finger or Voice) are, or whether there is any open source code available for an ASM.

Thanks,
Ajeet Singh

config.properties should be in main/resources

Otherwise it is not automatically picked up by the war task. Alternatively a war rule can be added to include it, but it is better to follow the default layout.

e.g.,

fidouaf/src/main/resources/org/ebayopensource/fidouaf/res/config.properties

Also, any objections replacing config with a structured file (YAML, etc) so that all configurable properties (AID list, origin, multiple app facets, etc.) can be configured in one place?

Interoperability of UAF client with other authenticators

Hi there,

Thanks for sharing the source code.

We could build the APK and run it on a Samsung Galaxy S6 to use the fingerprint reader for authentication. But it didn't work with other authenticators. Basically it shows all the other options but doesn't work/open the other authenticators to perform the authentication; it just opens the built-in authenticator activity.

Would you please consider this and help us at your earliest convenience?

Another quick point: also in registration, in "UAF_OPERATION_RESULT", "errorCode" must be included.

Thanks
Bam

Setting up the FIDO server testing environment.

Hello!

We are in the process of starting the implementation of a FIDO-based authenticator following the FIDO specifications.
So we wanted to set up a testing environment for it,
and we came across this code and thought it might help us.

Firstly, thank you for the open code.

Secondly, can you help us with setting up the FIDO test server with your implementation?
Is there any documentation that we can follow for this?
Any help is much appreciated.
Thanks in advance.

Best Regards
Anish

Registration of sample metadata on the server code.

Hi!

We have made dummy metadata for the authenticator that we plan to develop.
We now want to register that metadata on the server code.

Can you please let me know how to register that metadata on the locally deployed server?

Thanks in advance.

Best Regards
Anish

What is the reason behind the attestation certificate during registration?

At least in the example client app, the certificate is hardcoded and used only during registration, so it doesn't seem to add any security when using it to sign the attestation.

It seems like it would make more sense to sign the attestation with the private key corresponding to the public key that is sent at registration, right?

If so we can send a PR making that change :)

Verify response messages on the server.

Hi

I want to send the registration/authentication response message to the deployed server for verification.

When I use the "/public/regResponse" or "/public/authResponse" links to the server and send the response message, it always gives a "405: Method not allowed" error.

I am using "/public/regRequest/{username}" to register on the server and am getting a proper request message.

Can you please help me with this?
What information do I need to send to the server in the response?
What command should I call, and how do I get the return from it?

Any help is highly appreciated.

Thanks in advance.

Best Regards
Anish

OpUtils.getUafRequest()

Based on the comments in OpUtils, getUafRequest() must either register a facetID with the server or check whether the client's facetID matches any from the list that the server has.

Is the intention here similar in concept to MAC address whitelisting? If so, I am curious to know the rationale for exposing all facetIDs to the client via getTrustedFacets().
Can't the check for a matching facetID be done on the server side?

Null pointer exception when requesting facets

Hello,
I have followed the wiki in order to compile the server, but whenever I try to get the trusted facets with: curl -s http://localhost:8080/fidouaf/v1/public/uaf/facets | python -m json.tool I get the following error:

java.lang.NullPointerException
	java.util.Properties$LineReader.readLine(Properties.java:434)
	java.util.Properties.load0(Properties.java:353)
	java.util.Properties.load(Properties.java:341)
	org.ebayopensource.fidouaf.res.FidoUafResource.readFacet(FidoUafResource.java:215)
	org.ebayopensource.fidouaf.res.FidoUafResource.facets(FidoUafResource.java:200)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:498)
	com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
	com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
	com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
	com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:288)
	com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
	com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
	com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
	com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
	com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1469)
	com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1400)
	com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1349)
	com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1339)
	com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
	com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:537)
	com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:699)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

I get the same error from the application on android and it crashes.

Thank you for your time,
Nick

FIDO UAF Client (Android) is not handling UAFIntentType.DISCOVER properly

According to FIDO UAF Application API and Transport Binding Specification:

Android intent invokes the FIDO UAF Client to discover the available authenticators and capabilities. The FIDO UAF Client generally will not show a UI associated with the handling of this intent, but immediately return the JSON structure. The calling application cannot depend on this however, as the FIDO UAF Client MAY show a UI for privacy purposes, allowing the user to choose whether and which authenticators to disclose to the calling application.

This intent MUST be invoked with startActivityForResult().

The current ExampleFidoUafClient class is not handling UAFIntentType properly and there is nothing to catch UAFIntentType.DISCOVER. As a consequence a 3rd-party Android RP app is not able to discover and use the Marvin UAF Client.

It is my suggestion to include this in the finishWithResult method:

    // Dispatch on the "UAFIntentType" extra the RP app put in the launching intent.
    Bundle extras = getIntent().getExtras();
    if (extras != null) {
        String data = extras.getString("UAFIntentType");
        if (data != null) {
            // Result intent returned to the calling RP app.
            Intent intent = new Intent();

            // DISCOVER: answer immediately with the discovery data, no UI.
            // The extra is a String, so compare against the enum constant's name().
            if (data.equals(UAFIntentType.DISCOVER.name())) {
                extras = new Bundle();
                extras.putString("UAFIntentType", UAFIntentType.DISCOVER_RESULT.name());
                extras.putShort("errorCode", ErrorCode.NO_ERROR.getID());
                extras.putString("discoveryData", DiscoveryData.getFakeDiscoveryData());
                intent.putExtras(extras);

                setResult(Activity.RESULT_OK, intent);
                finish();
            }

            // UAF_OPERATION: pull the UAF message and channel bindings out of the
            // request; the existing operation handling continues from here.
            if (data.equals(UAFIntentType.UAF_OPERATION.name())) {
                String message = extras.getString("message");
                String channelBindings = extras.getString("channelBindings");
                String inMsg = extract(message);
                String response = "";
            }
        }
    }

But it will imply a lot of modifications in the onActivityResult method of the MainActivity class.

ASM component usage

I have a query regarding the Authenticator Specific Module (ASM). As I understand it, the flow is something like:
UAF Server <-> RP App <-> FIDO UAF Client <-> FIDO UAF ASM <-> FIDO UAF Authenticator <-> Fingerprint Dialog etc.
I found ASM-related stuff in the eBay sample app but the app doesn't use this code. Is the ASM optional?

AppID/FacetID handling on client app side

From the UAF protocol spec (section 3.1.3.1 "Dictionary OperationHeader Members"), the appID should be handled as follows:

  • If the element is missing or empty in the request, the FIDO UAF Client must set it to the FacetID of the caller.
  • If the appID present in the message is identical to the FacetID of the caller, the FIDO UAF Client must accept it.
  • If it is a URI with HTTPS protocol scheme, the FIDO UAF Client must use it to load the list of trusted facet identifiers from the specified URI. The FIDO UAF Client must only accept the request if the facet identifier of the caller matches one of the trusted facet identifiers in the list returned from dereferencing this URI.

I propose to bring the behaviour of the Android client closer to the above.
In particular, the getUafMsgRegRequest( ) method (in Reg.java) will need some edits since, right now, it erases the incoming value (from the server) to put its FacetID.
I'll create some code proposal to discuss this.
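The three appID rules quoted in the issue above, together with the facetID handling in steps 3 and 4 of the demo and the getTrustedFacets() discussion earlier on this page, as an added Python example (illustrative code, not the eBay client's). It computes an Android facetID from a signing certificate ("android:apk-key-hash:" followed by the unpadded Base64 SHA-1 of the DER certificate, as in the UAF AppID and FacetID Assertion specification), parses a TrustedFacetList document of the form {"trustedFacets": [{"version": {"major": 1, "minor": 0}, "ids": [...]}]}, and resolves the appID to put into FinalChallengeParams. The fetcher is injected so it runs offline; the facets URL is the one quoted on this page and the certificate bytes and list contents are constructed.

```python
"""Client-side AppID / FacetID handling (UAF protocol spec 3.1.3.1).

Added example, not the eBay client's code. The fetcher is injected so the
example runs offline against constructed data.
"""
import base64
import hashlib
import json
from typing import Callable, Optional, Set


def android_facet_id(apk_signing_cert_der: bytes) -> str:
    """Facet ID of an Android app: unpadded Base64 SHA-1 of its DER signing cert."""
    digest = hashlib.sha1(apk_signing_cert_der).digest()
    return "android:apk-key-hash:" + base64.b64encode(digest).rstrip(b"=").decode("ascii")


def parse_trusted_facets(document: str, major: int = 1, minor: int = 0) -> Set[str]:
    """Ids listed for the given protocol version in a TrustedFacetList document."""
    doc = json.loads(document)
    ids = set()
    for entry in doc.get("trustedFacets", []):
        version = entry.get("version", {})
        if version.get("major") == major and version.get("minor") == minor:
            ids.update(entry.get("ids", []))
    return ids


def resolve_app_id(request_app_id: Optional[str], caller_facet_id: str,
                   fetch: Callable[[str], str]) -> str:
    """Return the appID to carry in FinalChallengeParams, or raise ValueError.

    request_app_id  - header.appID from the server's request (may be absent)
    caller_facet_id - facetID of the app that invoked the FIDO client
    fetch           - loads the trusted facets document for an https appID
    """
    # Rule 1: missing or empty appID -> the caller's own facetID.
    if not request_app_id:
        return caller_facet_id
    # Rule 2: appID identical to the caller's facetID -> accept.
    if request_app_id == caller_facet_id:
        return request_app_id
    # Rule 3: https URI -> dereference it and require the caller to be listed.
    if request_app_id.startswith("https://"):
        if caller_facet_id in parse_trusted_facets(fetch(request_app_id)):
            return request_app_id
        raise ValueError(f"{caller_facet_id} is not a trusted facet of {request_app_id}")
    # Anything else (plain http, other schemes) is refused: an unauthenticated
    # list could be swapped in transit to let any app register against the RP.
    raise ValueError("appID must be the caller's facetID or an https URI")


if __name__ == "__main__":
    # Constructed data: the URL is the facets endpoint quoted on this page; the
    # "certificate" bytes are not a real certificate.
    facets_url = "https://www.head2toes.org/fidouaf/v1/public/uaf/facets"
    my_facet = android_facet_id(b"constructed-not-a-real-certificate")
    document = json.dumps({"trustedFacets": [
        {"version": {"major": 1, "minor": 0},
         "ids": ["https://www.head2toes.org", my_facet]}]})
    fetch = {facets_url: document}.__getitem__
    print(my_facet)
    print(resolve_app_id(None, my_facet, fetch))        # rule 1 -> my_facet
    print(resolve_app_id(facets_url, my_facet, fetch))  # rule 3 -> facets_url
    try:
        resolve_app_id(facets_url, "android:apk-key-hash:someone-else", fetch)
    except ValueError as err:
        print("rejected:", err)
```

Rule 3 is the check the getUafRequest()/getTrustedFacets() question on this page asks about: it has to run in the FIDO client, because only the client knows which app invoked it. The server's own comparison of the facetID echoed back in fcParams against the same list is a second, independent gate, not a replacement for this one.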

java.lang.NoSuchMethodError: org.bouncycastle.asn1.ASN1InputStream.readObject()

I'm getting Exception in thread "main" java.lang.NoSuchMethodError: org.bouncycastle.asn1.ASN1InputStream.readObject()Lorg/bouncycastle/asn1/ASN1Primitive;, from my class org.ebayopensource.fido.uaf.ops.AuthenticationResponseProcessing.

My pom.xml

<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>1.51</version>
</dependency>
