C++ - Is it possible to use libfido2 for other fido token brands except YubiKey?

I had C++ code to perform an assertion. It used winhello to communicate with my FIDO token. It was OK.

I had to use another library without winhello, so I got libfido2 and built it.

The brand of my FIDO token is 'thetis'. So I encountered the following.

I had to change the is_fido condition in fido_hid_manifest():

    //if (is_fido(d) == false)
    if (wcscmp(d->product_string, L"FIDO2 Security Key") != 0)

Now I get this output:

   run_manifest: found 1 hid device
   fido_tx: dev=000002A60511C050, cmd=0x86
   fido_tx: buf=000002A60511C050, len=8
   0000: 5a ab b6 54 5c 5d 7e 23
   tx: tx_preamble
   fido_dev_open_tx: fido_tx

My problem occurs when I run fido_dev_open(dev, path); after tracing it, I found the error is here:

    if ((sent = tx_preamble(d, cmd, buf, count, ms)) == 0) {
        fido_log_debug("%s: tx_preamble", __func__);
        return (-1);
    }

Of course, I must say that the device is discovered with the following path:

\\?\HID#VID_1EA8&PID_FC25&MI_00#7&29aed109&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}\KBD

My first question is: can I use libfido2 with another brand's token or not? And the next question is: what should I change so that this token is supported?

There are 2 best solutions below

0
On BEST ANSWER

I found the solution. On Windows, it is necessary to run the program in "Run as administrator" mode. After doing so, the FIDO token can be accessed by the HID library.

0
On

The short answer to the question is yes, you can use it with any CTAP2 device. libfido just checks if the device adheres to CTAP2 and nothing else. But that is not a helpful answer, as that won't solve your problem. I would probably need more information on the device you're attempting to use with it for a better answer, but I will try to explain what might be happening.

For a device to be a valid USB device it needs to reply correctly with a HID report descriptor. The report descriptor should contain the standard stuff but also, and most importantly, a HID_UsagePage defined as 0xF1D0. If not, the device is not a valid USB CTAP2 device and libfido will ignore it. The is_fido method does exactly that check; that is, it opens a connection, gets the descriptor and checks for that usage page. is_fido also has some side effects in regard to establishing a connection to the USB device, so with you removing it, your connection setup probably isn't proper for the preamble, causing your issues. The output error at least seems to suggest that the transmit fails, either due to just incorrect communication. If that is due to lack of connection or because the device is not behaving correctly as a FIDO2 device, I can't say.

More info on the HID setup for CTAP can be found at https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#usb-discovery
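
The usage-page check described in the second answer, as an added C example (not libfido2's own code and not written by either poster): it walks the items of a HID report descriptor and returns the first Usage Page, which separates a CTAPHID interface (0xF1D0) from, for instance, a keyboard interface that can report the same product string. Both descriptors are constructed samples, and `first_usage_page` and `has_fido_usage_page` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define FIDO_USAGE_PAGE 0xF1D0 /* usage page named in the answer */

/* Constructed sample: CTAPHID-style report descriptor. */
static const uint8_t fido_desc[] = {
    0x06, 0xD0, 0xF1, 0x09, 0x01, 0xA1, 0x01, 0x09, 0x20, 0x15, 0x00, 0x26,
    0xFF, 0x00, 0x75, 0x08, 0x95, 0x40, 0x81, 0x02, 0x09, 0x21, 0x15, 0x00,
    0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x40, 0x91, 0x02, 0xC0
};
/* Constructed sample: abbreviated keyboard descriptor (Generic Desktop page). */
static const uint8_t kbd_desc[] = { 0x05, 0x01, 0x09, 0x06, 0xA1, 0x01, 0xC0 };

/* First Usage Page declared in a report descriptor; -1 if absent or truncated. */
int64_t first_usage_page(const uint8_t *d, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t prefix = d[i++];
        /* Short item: low two bits encode 0, 1, 2 or 4 data bytes. */
        size_t size = (prefix & 0x03) == 3 ? 4 : (size_t)(prefix & 0x03);
        if (prefix == 0xFE) {             /* long item: size byte, tag byte, data */
            if (len - i < 2) return -1;
            size = d[i];
            i += 2;
        }
        if (len - i < size) return -1;    /* item runs past the buffer */
        if ((prefix & 0xFC) == 0x04) {    /* global item, tag 0: Usage Page */
            uint32_t page = 0;
            for (size_t k = 0; k < size; k++)
                page |= (uint32_t)d[i + k] << (8 * k); /* little-endian */
            return page;
        }
        i += size;
    }
    return -1;
}

/* Hypothetical helper: does this interface declare the FIDO usage page? */
int has_fido_usage_page(const uint8_t *d, size_t len)
{
    return first_usage_page(d, len) == FIDO_USAGE_PAGE;
}

int main(void)
{
    printf("fido=%d keyboard=%d\n", has_fido_usage_page(fido_desc, sizeof fido_desc),
        has_fido_usage_page(kbd_desc, sizeof kbd_desc));
    return 0;
}
```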