blob: 5d313a2ccd9cd1e943656869072a9fff542bc911 [file] [log] [blame]
hidgd - hid gadget daemon
Handles the hidg end of a FIDO2 device. Note that the certificate
file is simply placed straight into the register reply and therefore
must be correctly DER encoded. The parent is assumed to be the
storage seed unless you specify something different and the counter NV
index is asumed to be 01000101. If the counter NV index doesn't exist
in the TPM it will be created and thus we can assure that a
monotonically increasing count is attached to every authentication
response as required by the standard.
The way the system works is that the registration certificate and key
are used to sign registration responses, but each registration request
generates a new TPM key, which is serialized into the registration key
handle so that when it is presented at authentication time, it can be
loaded into the TPM. This is so that the TPM itself never has to
remember any key information and the only persistent TPM resource used
is the NV counter index.
Generate a certificate and key pair for registration
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -out reg_key.key
And then generate a self signed DER form certificate with a common
openssl req -new -x509 -subj '/CN=My Fido Token/' -key reg_key.key -out reg_key.der -outform DER