[GH-ISSUE #105] U2F not working with krypt.co provider #8871

Closed
opened 2026-04-20 11:35:29 -05:00 by GiteaMirror · 20 comments

Originally created by @rv32ima on GitHub (Jul 27, 2018).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/105

I'm using bitwarden_rs on docker, and whenever I try to register my U2F provider (Kryptonite), it errors, first, saying that "Error activating u2f", then, "Unable to recover challenge".
Looking in the logs, I see this:

```
POST /api/two-factor/get-u2f application/json; charset=utf-8:
    => Matched: POST /api/two-factor/get-u2f
    => Outcome: Success
    => Response succeeded.
GET /app-id.json:
    => Matched: GET /app-id.json
    => Outcome: Success
    => Response succeeded.
POST /api/two-factor/u2f application/json; charset=utf-8:
    => Matched: POST /api/two-factor/u2f
Error: BadCertificate
ERROR: Error activating u2f
    => Outcome: Success
    => Response succeeded.
```

I have enabled HTTPS on my server, and set the DOMAIN environment variable to the URL, including 'https'.

GiteaMirror added the troubleshooting and bug labels 2026-04-20 11:35:29 -05:00

@dani-garcia commented on GitHub (Jul 31, 2018):

I've tested this with the Krypt iOS app and I can reproduce it. The issue seems to originate in the webpki library (the exact error is BadDER, which seems to indicate problems parsing the DER certificate).

I'm not sure there is much I can do about it, as I'm not a cryptography expert by any means, but I'll look into it a bit more.

@mannp commented on GitHub (Aug 6, 2018):

Is this U2F or Authenticator App, as I didn't think U2F was implemented in bitwarden_rs?

@beatgammit commented on GitHub (Aug 6, 2018):

@mannp It looks like U2F is implemented: https://github.com/dani-garcia/bitwarden_rs#enabling-u2f-authentication

@mannp commented on GitHub (Aug 6, 2018):

@beatgammit cool thanks, just that I thought that was TOTP Authentication with an Authenticator app, whereas U2F was using a Yubico key or similar.

My misunderstanding.

@mannp commented on GitHub (Aug 9, 2018):

My error is different but the exact same setup on v1 works fine.

```
PUT /api/two-factor/authenticator application/json; charset=utf-8:
    => Error: No matching routes for PUT /api/two-factor/authenticator application/json; charset=utf-8.
    => Warning: Responding with 404 Not Found catcher.
    => Response succeeded.
```

@mprasil commented on GitHub (Aug 10, 2018):

@mannp this sounds like a different issue, I've created #124 to handle that.

@rezhajulio commented on GitHub (Mar 4, 2019):

I just tested U2F with [SoloKeys](https://shop.solokeys.com) and it works just fine.

@jkaberg commented on GitHub (Apr 21, 2019):

@dani-garcia which lib is that? I'm asking because I haven't come across this issue with any other U2F compatible service out there (tested on at least 20+ different ones), just bitwarden_rs.

This is/was tested/used with [Krypton](http://krypt.co/). Perhaps @kcking is able to share some light on the issue?

@dani-garcia commented on GitHub (Apr 21, 2019):

We are using the [U2F-rs](https://github.com/wisespace-io/u2f-rs/) library, which uses [Webpki](https://github.com/briansmith/webpki) for cert validation, which is where it fails.

I'm not sure what the cause of the error is, to be honest. Looking for BadDER in webpki's issue tracker lists a couple of issues, like not supporting V1 certificates or requiring certificates to have the subjectAltName extension field, but I'm not sure if those are related.

@kcking commented on GitHub (Apr 21, 2019):

Thanks for digging into this a bit -- we don't set any SAN extension on the cert, so if webpki requires it that would be at least one issue. Is there a rationale for why they require one or is it considered a bug?

@dani-garcia commented on GitHub (Apr 21, 2019):

Mostly that webpki is focused on certificates for TLS use, and every major browser requires those extensions. The u2f support is more of a happy coincidence, as it is.

https://github.com/briansmith/webpki/issues/90#issuecomment-458053599

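The two webpki rejection causes named in this thread (V1 certificates, and certificates without a subjectAltName extension) can be checked directly on an attestation certificate before blaming the library. The following is an added example, not vaultwarden, u2f-rs or webpki code; it uses a minimal standard-library DER walker, and its input is a constructed, unsigned certificate skeleton because no real Krypton attestation certificate appears on the page.

```python
# Added example (not vaultwarden, u2f-rs or webpki code): report the X.509
# version and whether a subjectAltName extension is present in a DER cert.
SAN_OID = bytes.fromhex("551d11")  # DER body of OID 2.5.29.17 (subjectAltName)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split the content of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out

def inspect_cert(cert_der):
    """Return (version, has_san) for a DER-encoded X.509 Certificate."""
    _, cert, _ = read_tlv(cert_der)       # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert)            # TBSCertificate SEQUENCE
    fields = children(tbs)
    version = 1                           # no [0] EXPLICIT version means v1
    if fields[0][0] == 0xA0:
        version = children(fields[0][1])[0][1][0] + 1
    has_san = False
    for tag, value in fields:
        if tag == 0xA3:                   # [3] EXPLICIT Extensions
            for _, ext in children(children(value)[0][1]):
                has_san = has_san or children(ext)[0][1] == SAN_OID
    return version, has_san

def der(tag, content):  # encode one DER element (short or long length form)
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def skeleton_cert(v3, with_san):
    """Constructed test input: structurally valid, unsigned, empty-field cert."""
    tbs = der(0xA0, der(0x02, b"\x02")) if v3 else b""   # version v3 = INTEGER 2
    tbs += der(0x02, b"\x01") + der(0x30, b"") * 5       # serial + 5 empty SEQUENCEs
    if with_san:
        ext = der(0x30, der(0x06, SAN_OID) + der(0x04, der(0x30, b"")))
        tbs += der(0xA3, der(0x30, ext))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

To run it against a real certificate, pass the raw DER bytes of the attestation certificate to inspect_cert; a result of (1, False) is exactly the combination the webpki issues above describe.
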
@jkaberg commented on GitHub (Apr 26, 2019):

@kcking Would it be feasible to add SAN to the Kryptonite certificate?

@raf924 commented on GitHub (Oct 18, 2019):

Just doing a health-check on this issue as I just tried and failed to use Krypton as a u2f security key with Bitwarden. @kcking Is setting SAN out of the question then?

@dani-garcia commented on GitHub (Jan 20, 2020):

I've tested this again with the latest image, with the new version of the u2f crate, which now uses openssl instead of ring/webpki, and the krypt app seems to work for me for a basic register/login test.

I'd appreciate it if someone else could also test it too.

@raf924 commented on GitHub (Jan 22, 2020):

Just tested it, with bitwarden-rs v1.13.1-d212dfe7, Firefox v72.0.1 with the Krypton extension v1.0.16 on Windows and the Krypton Android App v2.5.5. Registered the app as a U2F key for Bitwarden and successfully logged in with it. Nice work!

@dani-garcia commented on GitHub (Jan 29, 2020):

Great, I've got some other confirmations that this works now, so I'll close the issue. If any problems appear again, it can be reopened/a new one can be created.

@mustanggb commented on GitHub (Sep 16, 2022):

Seems like this is broken again.

`There was a problem reading the security key. Try again.`

@BlackDex commented on GitHub (Sep 18, 2022):

@mustanggb if you are referring to krypt.co, then I can confirm that it doesn't work.
But it also doesn't work on https://webauthn.io/ or https://www.token2.com/tools/fido2-test/

Since Kryptco hasn't been updated for a long time since it has been acquired by Akamai, I think there are many issues with it using modern browsers and maybe even Android/iOS devices.

This is not something we can fix on our side.

@mustanggb commented on GitHub (Sep 20, 2022):

Yes, referring to krypt.co/krypton.

The same issue exists for Akamai by the way, I tried both.

Testing the two links you gave, https://webauthn.io/ registers, but at login gives the error:
`The 'allowCredentials' attribute exceeds the maximum allowed size (64).`

Whereas https://www.token2.com/tools/fido2-test/index.php actually works fine.

Both get "stuck" on the registering, as it appears to the user, but seemingly do actually perform the register behind the scenes (on both webauthn and token2), then the login works (on token2).

Whereas with vaultwarden it similarly appears to get "stuck" at the same point on registering, but doesn't save the information sent back.

So yes like you said it's not been updated in a while, and what it sends back might not be 100% "in spec", but it shouldn't be impossible to "fix on our side".

Perhaps you use a library for U2F support, so it's something that could be raised upstream?

@BlackDex commented on GitHub (Sep 20, 2022):

Well, if you want to get it fixed in upstream, I would suggest checking the library for the details.
They do have some mentions about this.

The library: https://github.com/kanidm/webauthn-rs/
Their test site: https://webauthn.firstyear.id.au/compat_test

Though, vaultwarden currently uses an older version of that library, I think their main site uses the latest version, and it doesn't work there either.


Reference: github-starred/vaultwarden#8871