Verify the Authenticity of a CanoKey

2026-03-28T17:33:41+08:00

This post will guide you through verifying the authenticity of a CanoKey.

Step 1: Obtain the attestation root CA certificate

Visit this website to obtain the FIDO CA certificate for your model (Pigeon/Canary). Save the certificate as ca.pem.

Step 2: Install fido2-cred

Install fido2-cred. On Debian GNU/Linux, it is included in the fido2-tools package:

# apt install fido2-tools

Step 3: Verify the token

Plug in your CanoKey and run these commands:

$ printf '%s\n' "$(openssl rand -base64 32)" "canokey-check.local" "tmp-user" "$(openssl rand -base64 32)" > cred.in
$ fido2-cred -M -i cred.in /dev/hidrawX > cred.out
$ sed -n '7p' cred.out | base64 -d > attestation.der
$ openssl x509 -inform der -in attestation.der -out attestation.pem
$ openssl verify -CAfile ca.pem attestation.pem

If the last command returns OK, then your CanoKey is authentic.

The process can also be done with a script:

#!/usr/bin/env sh
set -eu

die() {
    printf '%s\n' "Error: $*" >&2
    exit 1
}

# Check required tools.
[ -x /usr/bin/fido2-cred ] || die "/usr/bin/fido2-cred does not exist or is not executable"
command -v openssl >/dev/null 2>&1 || die "openssl is not installed or not on PATH"

# Find the device.
device="${1:-}"
if [ -z "$device" ]; then
    set -- /dev/hidraw*
    if [ "$1" = '/dev/hidraw*' ]; then
        die "No /dev/hidraw* device found. Pass the device path as the first argument."
    fi
    if [ "$#" -ne 1 ]; then
        die "More than one /dev/hidraw* device found. Pass the correct device path as the first argument."
    fi
    device=$1
fi

[ -e "$device" ] || die "Device not found: $device"

tmpdir="$(mktemp -d)"
cleanup() {
    rm -rf "$tmpdir"
}
trap cleanup EXIT INT TERM

pigeon_ca="$tmpdir/pigeon-ca.pem"
canary_ca="$tmpdir/canary-ca.pem"
cred_in="$tmpdir/cred.in"
cred_out="$tmpdir/cred.out"
attestation_der="$tmpdir/attestation.der"
attestation_pem="$tmpdir/attestation.pem"

cat > "$pigeon_ca" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBpzCCAUygAwIBAgIUatn9Rj8uCMjLrmFfCQYY5/X9xq4wCgYIKoZIzj0EAwIw
MTEvMC0GA1UEAwwmQ2Fub0tleXMgRklETyBBdHRlc3RhdGlvbiBSb290IENBIE5v
LjIwHhcNMjExMjI3MTE0OTMzWhcNNDEwNjI1MTE0OTMzWjAxMS8wLQYDVQQDDCZD
YW5vS2V5cyBGSURPIEF0dGVzdGF0aW9uIFJvb3QgQ0EgTm8uMjBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABNgW7CwchH80l4sj8luhwjbNoohB9Uqnvsh0SLor18w8
IMy6rnzzdDP9PgSSbuUZw302mBhyYJqJY1q9Ke0niZujQjBAMB0GA1UdDgQWBBRU
GAKiwvk2vLP5Zi6ul73RiWyr0jAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQE
AwIBBjAKBggqhkjOPQQDAgNJADBGAiEAlRNyrmngE3A1YZuwsuwBHLXY7wZC/4CO
JNA30mtp2+YCIQDA88Pp+Kjx3c4nrgRgSaSueC5IlvwpTSGBGwRYDSdMTA==
-----END CERTIFICATE-----
EOF

cat > "$canary_ca" <<'EOF'
-----BEGIN CERTIFICATE-----
<canary root CA certificate body: not preserved on this page, obtain it as in Step 1>
-----END CERTIFICATE-----
EOF

printf '%s\n' "Please touch the button of your token..."
printf '%s\n' "$(openssl rand -base64 32)" "canokey-check.local" "tmp-user" "$(openssl rand -base64 32)" > "$cred_in"

/usr/bin/fido2-cred -M -i "$cred_in" "$device" > "$cred_out"

sed -n '7p' "$cred_out" | base64 -d > "$attestation_der"
openssl x509 -inform der -in "$attestation_der" -out "$attestation_pem"

if openssl verify -CAfile "$pigeon_ca" "$attestation_pem" >/dev/null 2>&1; then
    printf '%s\n' "OK: verification succeeded against the Pigeon root CA."
elif openssl verify -CAfile "$canary_ca" "$attestation_pem" >/dev/null 2>&1; then
    printf '%s\n' "OK: verification succeeded against the Canary root CA."
else
    die "Verification failed: the attestation certificate did not verify against either root CA."
fi
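As an added example, not code from the original post: a small Python script that does the same extraction as the sed/base64/openssl lines above but checks the fido2-cred -M output first. It assumes the output line order documented in fido2-cred(1), with the attestation certificate on line 7 as used above, rejects output with no certificate line or a malformed DER blob, and then runs the same openssl verify step. The fido2-cred output embedded at the end is a constructed sample, not a real token's response.

```python
import base64
import subprocess
import sys
# Output lines of `fido2-cred -M` in order (from fido2-cred(1)); the cert is line 7.
FIELDS = ("clientdata_hash", "rp_id", "fmt", "authdata", "cred_id", "sig", "x5c")

def der_total_length(der: bytes) -> int:
    """Size the outer ASN.1 SEQUENCE claims for itself, header included."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("attestation certificate is not a DER SEQUENCE")
    if der[1] < 0x80:                    # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                    # long form: n length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def parse_cred_output(text: str) -> dict:
    """Split fido2-cred -M output into named fields and decode the base64 blobs."""
    lines = text.strip("\n").split("\n")
    if len(lines) < len(FIELDS):  # no x5c line: the token sent no certificate to check
        raise ValueError(f"got {len(lines)} lines, expected {len(FIELDS)}: no attestation certificate")
    fields = dict(zip(FIELDS, lines))
    for key in ("clientdata_hash", "authdata", "cred_id", "sig", "x5c"):
        fields[key] = base64.b64decode(fields[key], validate=True)
    if der_total_length(fields["x5c"]) != len(fields["x5c"]):
        raise ValueError("attestation certificate is truncated or has trailing bytes")
    return fields

def der_to_pem(der: bytes) -> str:
    """Same result as `openssl x509 -inform der`: base64 DER in PEM armour."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def verify_against_ca(cert_pem: str, ca_pem: str) -> bool:
    """The post's last step: `openssl verify -CAfile ca.pem attestation.pem`."""
    res = subprocess.run(["openssl", "verify", "-CAfile", ca_pem, cert_pem],
                         capture_output=True, text=True)
    return res.returncode == 0 and res.stdout.strip().endswith(": OK")

# Constructed sample of fido2-cred -M output (toy values, not a real token response).
SAMPLE_CRED_OUT = "\n".join([
    base64.b64encode(b"\x11" * 32).decode(),             # client data hash
    "canokey-check.local",                                # relying party id
    "packed",                                             # credential format
    base64.b64encode(b"\x22" * 37).decode(),             # authenticator data
    base64.b64encode(b"\x33" * 16).decode(),             # credential id
    base64.b64encode(b"\x44" * 70).decode(),             # attestation signature
    base64.b64encode(b"\x30\x03\x02\x01\x05").decode(),  # attestation cert (toy DER)
]) + "\n"
if __name__ == "__main__":  # usage: python3 check.py cred.out ca.pem
    cred = parse_cred_output(open(sys.argv[1]).read())
    open("attestation.pem", "w").write(der_to_pem(cred["x5c"]))
    print("authentic" if verify_against_ca("attestation.pem", sys.argv[2]) else "NOT verified")
```

Run it as python3 check.py cred.out ca.pem after the fido2-cred command above; a token that returns no attestation certificate fails with a clear message instead of an openssl parse error on an empty file.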
