bug#38341: webauthn support?

[Chris Marusich]

Hi Jack and Mark,

It seems I unintentionally created this new bug report in Debbugs
(38341) by emailing address@hidden.  Sorry about that; I'll try
not to do that again going forward.

Since the bug report was created in the middle of our discussion, I'll
reproduce some of the original discussion so the context is clear.

The original report was from Jack Hill:

https://lists.gnu.org/archive/html/bug-gnuzilla/2019-10/msg00013.html

Jack Hill <address@hidden> writes:

> Hi IceCat folks,
>
> What's the status of webauthn support? When using firefox esr 68 on
> Debian or ungoogled-chromium on GNU Guix, sites that use webauthn seem
> to work: the led color changes on my usb token, I press the button,
> and the webauthn exchange happens. However using icecat
> 68.2.0-guix0-preview1 (thanks Mark!), the led on my token never
> changes color and sites either report that step to have failed or say
> it is not supported by my browser.

I replied describing a similar problem:

https://lists.gnu.org/archive/html/bug-gnuzilla/2019-11/msg00029.html

Chris Marusich <address@hidden> writes:

> To reiterate, the specific problem I see is this.  I go to a website
> that uses two-factor authentication.  I know it works - with my specific
> YubiKey token - because the website works fine in Firefox on other
> systems.  But in IceCat 68, when I try to log in, I get a pop-up (modal?
> not sure what the proper term is) with this error:
>
> "Unknown U2F Error"
>
> I'm typing that from memory, so it might actually be "Unknown U2F
> Exception"; I'm not 100% sure.  But it's definitely a little window that
> appears, which says something along those lines, with no additional
> information.  Is this the same problem you see, Jack?
>
> I have double checked a lot of things.  For example, I double checked
> the following on my Guix system:
>
> - The udev rules from libu2f-host are installed.
>
> - My YubiKey token is usable via other mechanisms:
>
>      - I can load the SSH key stored within it via "ssh-add -s", using
>        the OpenSC PKCS11 library, and I can SSH into machines using it.
>
>      - I can access the YubiKey via tools such as "ykinfo" and
>        "yubico-piv-tool".
>
> - In about:config, security.webauth.u2f is set to true.
>
> The big issue for me is that I have no idea how to investigate further.
> I really wish I could figure out how to extract more information from
> IceCat, so I could figure out precisely where the problem is occurring,
> and follow the trail of bread crumbs from there.  I have even tried
> grepping the IceCat source (from "guix build -S icecat") for the string
> "Unknown U2F Error", but it yields no results.  If anyone here can
> provide advice on how to collect more information about what direction
> the problem is coming from, I'd really appreciate it.
>
> Since I can't find references to that error message in the IceCat 68
> source, I'm thinking the error probably comes from something else.
> Maybe a dependency that IceCat is calling out to, or perhaps even a
> JavaScript library.  Judging by the URLs IceCat loads, I think it might
> be using some version of the following file to do the U2F logic (IceCat
> loaded a file named "fidou2f.js", which is why I think this):
>
> https://github.com/rcdevs/openotp_authentication_owncloud/blob/master/js/fidou2f.js
>
> Any tips to debug this would be welcome, even if it's just a link to
> some tutorial on how to debug JavaScript that you find useful.  I'm a
> total newbie when it comes to debugging JavaScript in IceCat (Firefox).
> I'm not even sure the error is coming from this JavaScript, anyway.
> Tips on how to debugging the non-JS portions of my problem seem more
> helpful at this point in time, honestly, but any tips would be great.
>
> Finally, I have a non-Guix GNU/Linux machine with Firefox, on which this
> problem does not occur, and I am able to log in correctly using my token
> (in Firefox).  I will try building IceCat 68 from source manually on
> that distribution.

So, that is the context for the current bug report.

Jack Hill <address@hidden> writes:

> What dependencies did you have to provide on the non-Guix system?

I build IceCat on Ubuntu 19.  I basically did this:

Build the source:

  guix pull --commit=c07bc1d2ca1029b89c807cc6e62e4c099aebedbd
  guix build -S icecat

This produces the following file:

  
/gnu/store/zw9rrbash7d484f2jnash79fbidxw07n-icecat-68.2.0-guix0-preview3.tar.xz

That file's SHA512 hash is:

  
4cb509f59d2141e1311c054ed7df200597a068dbd868ed043053f4dce6429f199a4aa56a99917e57bfa60ab9f1bd5d1b0af26bdf283a4d65532cc285e9d5e83f

Install the following packages using apt (e.g., "apt install cargo"):

  autoconf2.13
  build-essential
  cargo
  clang
  curl
  libdbus-glib-1-2
  libgtk-2-0
  libgtk2.0-dev
  libpango1.0-0
  libpango1.0-dev
  libpulse-dev
  nasm
  nodejs
  rustc
  yasm

Using the apt-provided cargo, install cbindgen:

  cargo install cbindgen

Extract the
zw9rrbash7d484f2jnash79fbidxw07n-icecat-68.2.0-guix0-preview3.tar.xz
file somewhere.  Then build IceCat by running commands similar to this:

  mkdir objdir
  cd objdir
  srcdir=../icecat-68.2.0-guix0-preview3
  $srcdir/configure --with-l10n-base=$srcdir/l10n
  make

Hopefully, this works for you.  It took me a couple days of on-and-off
trial and error to get everything right.

In particular, it seems you need to use the apt-provided cargo to
install cbindgen.  I tried installing cargo, rustc, and cbindgen using
apt, but the build will failed because cbindgen was too old.  I also
tried installing cargo and rustc via rustup, and then I used the
rustup-provided cargo to install cbindgen, but the build failed for
mysterious reasons while attempting to compile xpcom_macros.  When I
tried installing cargo and rustc via apt, and then used the apt-provided
cargo to install cbindgen, the build succeeded.  My guess is that rustup
gave me a rust that was too recent, so it broke the build.

Various other problems occurred before I successfully built IceCat.
Mostly they seemed to be missing dependencies, or dependencies using the
wrong version.  For example, in addition to the rust confusion in the
previous paragraph, the IceCat build system expects to use autoconf2.13
specifically.  I originally tried using Ubuntu's default autoconf
package, but it failed.  You'll probably need to repeat the "configure"
and "make" invocations a few times to flush out such errors.  Based on
my notes, it seems I invoked "configure" at least 18 times, and "make"
at least 5 times.  Hopefully if you install the dependencies like I
suggest above, you won't have to go through quite so many iterations.

Of course, if you use Guix, you won't have to go through that pain! :-)

>> If anyone has any advice about how to determine what code is
>> actually emitting the "Unknown U2F Error", that would really help me
>> narrow down the possibilities quite a bit.
>
> I don't know if this will be helpful, but as I understand webauthn,
> browsers provide a new JavaScript API for interacting with security
> tokens. I suspect that the error is being generated some code the
> browser calls a JavaScript program it has loaded calls that API. The
> text may not be in the IceCat source, but presented by the JavaScript
> program in response to and error in its API call. I was thinking, but
> haven't had the time, to set up my own webauthn-using app, so I can
> control the JavaScript.

Jack, does your error come with a specific message of any kind?  Does it
occur when using the Guix-built IceCat preview?  Does it occur when you
build it manually on a non-Guix GNU/Linux system, following a procedure
like the one I describe above?

-- 
Chris

signature.asc
Description: PGP signature