"unspecified certificate verification error" when WEBAUTHN_TRUSTED_ATTESTATION_CERT_REQUIRED = True #47

Open
johnmcc3 opened this issue Jan 4, 2022 · 0 comments

johnmcc3 commented Jan 4, 2022

Whenever attestation is enabled in settings.py, new keys are unable to be enrolled.

django debug log:

[04/Jan/2022 10:36:17] "GET /kagi/add-webauthn-key/ HTTP/1.1" 200 3940
[04/Jan/2022 10:36:24] "POST /kagi/api/begin-activate/ HTTP/1.1" 200 463
/path/to/virtualenv/lib64/python3.9/site-packages/OpenSSL/crypto.py:1837: CryptographyDeprecationWarning: This version of cryptography contains a temporary pyOpenSSL fallback path. Upgrade pyOpenSSL now.
  self._store_ctx, self._store._store, self._cert._x509, self._chain
Unable to verify certificate: [1, 0, 'unspecified certificate verification error'].
[04/Jan/2022 10:36:26] "POST /kagi/api/verify-credential-info/ HTTP/1.1" 400 105

relevant package versions (all up to date as of the time this issue was submitted):

$ pip list
Package              Version
-------------------- ---------
cryptography         36.0.1
pyOpenSSL            21.0.0

relevant items from settings.py:

WEBAUTHN_TRUSTED_CERTIFICATES = '/path/to/trusted_attestation_roots/'
WEBAUTHN_TRUSTED_ATTESTATION_CERT_REQUIRED = True
WEBAUTHN_SELF_ATTESTATION_PERMITTED = False
WEBAUTHN_NONE_ATTESTATION_PERMITTED = False

$ ls -l /path/to/trusted_attestation_roots/
total 4
-rw-rw-r--. 1 django django 1143 Nov 11 10:43 yubico_u2f_device_attestation_ca.pem

$ cat yubico_u2f_device_attestation_ca.pem: