Does not work with Firefox #65

Open
tutoduino opened this issue Oct 4, 2024 · 37 comments
Comments

@tutoduino

Hello,
PicoFIDO fails to run on Raspberry Pi Pico with Firefox 131.0 under Linux Mint.
Testing on https://www.token2.com/tools/fido2-demo
It works fine with Chromium, but I need this solution to work with Firefox...
Thanks for your support.

@polhenarejos
Owner

Can you try flashing with a nightly development build?

@tutoduino
Author

I did, the result of registration is "operation cancelled" after PIN code is entered and button is pushed.
See attachment.
Thanks for your support.
error

@polhenarejos
Owner

And it works well with Chrome, right?

@tutoduino
Author

> And it works well with Chrome, right?

Yes

@polhenarejos
Owner

With Firefox in Windows 10 it works. Not sure if it is a Linux problem. However, compared to Chrome, Firefox is extremely slow. It takes almost 1 minute to perform the process, whereas Chrome takes 2-3 seconds.

@tutoduino
Author

tutoduino commented Oct 9, 2024

Interesting, thanks. Then I tried on Firefox under Windows (I do not have Windows at home, so I needed to test on another system :)) and indeed it works.
I am exploring the permissions under Linux, because when I run the FIDO2 Key Data Explorer in Firefox/Linux I get a user permission error...
perm-error

@polhenarejos
Owner

I did not succeed in macOS either. Firefox is continuously sending a bogus AAID for an unknown reason, which hangs the pico fido until it is closed. Perhaps it is related.

If you are skilled, you can build the firmware with “DEBUG_APDU=1” in cmake and debug over UART0. I use a TTL to USB dongle that costs a couple of dollars, with a terminal opened to the exposed COM port. I can review the log then.

@tutoduino
Author

On my setup (Firefox/Linux), my 2 other "real" FIDO2 keys work fine.

@tutoduino
Author

tutoduino commented Oct 9, 2024

I will try to collect traces.
Thanks

@tutoduino
Author

Hello, here are the traces for the registration failure on Linux/Firefox


@polhenarejos
Owner

Nothing else?

@tutoduino
Author

No

@polhenarejos
Owner

The response is correct and indeed, if it works in other OSes, I do not know why it is cancelled in Linux. "Operation cancelled" does not give much info; perhaps something additional is displayed in the Firefox console?
Do you perceive that the registration takes too much time? It might be a timeout due to the answer not being properly delivered by USB to the OS or by the OS to the app.

@tutoduino
Author

I register the key on Chrome successfully (PIN is set up). And then I try again to register on Firefox.
The first steps are fine, I enter the PIN, touch the key, then the message "operation cancelled" appears.
Here are the traces in this case.
putty.log

@polhenarejos
Owner

Does it work with https://webauthn.io ?
Did you test it with no cookies and a blank pico fido? Without resident keys.

Perhaps this helps to debug

https://addons.mozilla.org/en-US/firefox/addon/webdevauthn/

@tutoduino
Author

I tested with no cookies and a blank pico without resident keys.
Interesting warning on webauthn.io, looks like a permission issue!
I do not understand how to use the webdevauthn addon. Where is the debug information displayed?
webauthn-io

@tutoduino
Author

I checked the forums and found the https://webauthn.bin.coffee/ testing site, which raises a similar issue.

bin

@polhenarejos
Owner

Related to #46

@polhenarejos
Owner

polhenarejos commented Oct 11, 2024

Does it work?

"Adding on to the previous answer by Cody, and the respective comments, you must also enable security.webauth.u2f in Firefox's about:config for U2F, FIDO2, and subsequently Yubikeys to work."

Also:

  • security.webauthn.webauthn is true
  • security.webauthn.webauthn_enable_usbtoken is true
  • security.webauthn.ctap2 is true

@tutoduino
Author

By default, the Firefox config sets the webauth flags correctly (flag names are different now, see attached picture). Setting all flags to true does not work better.
firefox-config

@tutoduino
Author

I see on some forums that downloading Firefox from the official repository solved their issue.
I tried but it does not work for my problem here...

@polhenarejos
Owner

And enabling direct attestation?

@tutoduino
Author

tried to enable all, does not work better

@tutoduino
Author

Could Firefox support help?

@polhenarejos
Owner

What is strange to me is that your true Yubikey works smoothly with Firefox. There's something in it that is recognized by Firefox somehow.

@tutoduino
Author

tutoduino commented Oct 12, 2024

Yes indeed. And I suspected udev but pico works fine with chromium...
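
One way to check the Linux permission angle raised in this thread (an added example, not part of the original comments and not Pico FIDO code): list the hidraw nodes whose report descriptor declares the FIDO usage page 0xF1D0 and test whether the current user can open them. The function names and the sample descriptors are this example's own; the sysfs layout `/sys/class/hidraw/<node>/device/report_descriptor` is assumed.

```python
import os
from pathlib import Path

FIDO_USAGE_PAGE = 0xF1D0  # HID usage page assigned to the FIDO Alliance

# Sample input: the 34-byte report descriptor layout of a CTAPHID interface.
SAMPLE_FIDO = bytes.fromhex(
    "06D0F10901A1010920150026FF007508954081020921150026FF00750895409102C0")
# Constructed sample: opening items of a keyboard descriptor (usage pages 1, 7).
SAMPLE_KEYBOARD = bytes.fromhex("05010906A101050719E029E7C0")


def usage_pages(desc: bytes) -> list:
    """Walk the HID items of a report descriptor and collect Usage Page values."""
    pages, i = [], 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:  # long item: prefix, data size, tag, data
            if i + 1 >= len(desc):
                break
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]  # short item: low 2 bits give size
        data = desc[i + 1:i + 1 + size]
        if len(data) < size:
            break  # truncated descriptor, stop rather than misparse
        if prefix & 0xFC == 0x04:  # type = Global, tag = Usage Page
            pages.append(int.from_bytes(data, "little"))
        i += 1 + size
    return pages


def fido_hidraw_report(sysfs="/sys/class/hidraw", dev_root="/dev"):
    """Return [(device node, current user has read+write)] for FIDO HID nodes."""
    found = []
    base = Path(sysfs)
    if not base.is_dir():
        return found
    for node in sorted(base.iterdir()):
        try:
            desc = (node / "device" / "report_descriptor").read_bytes()
        except OSError:
            continue  # node vanished or descriptor unreadable
        if FIDO_USAGE_PAGE in usage_pages(desc):
            dev = os.path.join(dev_root, node.name)
            found.append((dev, os.access(dev, os.R_OK | os.W_OK)))
    return found


if __name__ == "__main__":
    for dev, ok in fido_hidraw_report():
        print(dev, "read/write OK" if ok else "NOT accessible to this user")
```

A key that is listed as not accessible points at the udev rules for its vendor/product ID; a key that is accessible yet still fails in one browser only means device-node permissions are not the cause.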

@polhenarejos
Owner

Any progress?

@tutoduino
Author

No idea of a research path...

@LinOx2

LinOx2 commented Oct 24, 2024

I have the same issue with Firefox.
I use Falkon (Chromium) to register; afterwards I can use Firefox (131.0.3) for login. It works like that for me.

Falkon (webkit) on Linux. Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Falkon/22.04.3 Chrome.

So Firefox cancels only registration. Bugs in Firefox?

@tutoduino
Author

Firefox works fine with other FIDO2 keys so unclear to me...

@LinOx2

LinOx2 commented Oct 25, 2024

I have Linux Mint and the same issue, and I use a Raspberry Pi Pico (rp2040) in the way I have explained.
Firefox rejects (cancels) the pico key at registration, but works well at login if I have registered the pico key with Falkon.
Maybe reading the Firefox code for FIDO registration could explain what the problem is.

@patvdleer

patvdleer commented Nov 1, 2024

I can confirm I have the same issues with Firefox (currently at v132.0), I'm using the Waveshare RP2040 One running on Ubuntu 22.04.4 LTS with 6.8.0-45-generic. I have the Yubico NEO OTP+U2F+CCID and the SoloKeys Solo 4.0.0 which do work both on Firefox and Chrome.

Since I bought multiple waveshares I have one with and one without a pin set, both don't work.

Any way to further debug this?

Firefox settings:
image


Just tested on my wife's Mac and both, with and without pin, work. It's a Macbook Air M2 2022, MacOS Sonoma 14.2, Firefox v131.0.3 (aarch64)

@polhenarejos
Owner

So which is the combination that does not work?

@patvdleer

On Linux/Ubuntu on Firefox the picokey doesn't work, others do. The picokey does work on Chrome.

On Mac it does work on Firefox and Chrome.

@polhenarejos
Owner

I suspect it is related to the CCID interface. Firefox sends APDUs trying to find a specific file reference, but I do not know which one is the good one present in Yubikeys or Solo.

If you want to debug, you can try to generate a log file of the pcscd process. More info at https://ccid.apdu.fr/ (see Log section). Do it with your Yubikey. Plug in the Yubikey and start Firefox.
In the log file we’ll see the communication exchanged between the Yubikey and Firefox and I hope we’ll find which references are needed by Firefox.

@air-eat

air-eat commented Nov 10, 2024

i don't know if this is related, but disabling security.webauthn.ctap2 for me seems to make it pass various tests, and registering/signing in, although not through the "Or, sign in with passkey option", works with discord (even though none of the examples ask for the pin or recognize the device)

however, it does fail immediately in other areas like github passkey registration, where the prompt to touch the key comes up for one frame and i can see the neopixel flash blue

@air-eat

air-eat commented Nov 10, 2024

btw, i get the same behaviour with firefox on both macos and linux
