Verifying the authenticity of a CanoKey
2026-03-28T17:33:41+08:00
This article walks you through checking that a CanoKey is genuine.
Step 1: obtain the attestation root CA certificate
Visit this site to obtain the FIDO CA certificate that matches your model (Pigeon or Canary). Save the certificate as ca.pem.
Step 2: install fido2-cred
Install fido2-cred. On Debian GNU/Linux it is included in the fido2-tools package:
# apt install fido2-tools
Step 3: verify the token
Plug in your CanoKey and run these commands:
$ printf '%s\n' "$(openssl rand -base64 32)" "canokey-check.local" "tmp-user" "$(openssl rand -base64 32)" > cred.in
$ fido2-cred -M -i cred.in /dev/hidrawX > cred.out
$ sed -n '7p' cred.out | base64 -d > attestation.der
$ openssl x509 -inform der -in attestation.der -out attestation.pem
$ openssl verify -CAfile ca.pem attestation.pem
If the last command prints OK, your CanoKey is genuine.
The same process can also be carried out with a script:
#!/usr/bin/env sh
set -eu
die() {
    printf '%s\n' "Error: $*" >&2
    exit 1
}
# Check required tools.
[ -x /usr/bin/fido2-cred ] || die "/usr/bin/fido2-cred does not exist or is not executable"
command -v openssl >/dev/null 2>&1 || die "openssl is not installed or not on PATH"
# Find the device.
device="${1:-}"
if [ -z "$device" ]; then
    set -- /dev/hidraw*
    if [ "$1" = '/dev/hidraw*' ]; then
        die "No /dev/hidraw* device found. Pass the device path as the first argument."
    fi
    if [ "$#" -ne 1 ]; then
        die "More than one /dev/hidraw* device found. Pass the correct device path as the first argument."
    fi
    device=$1
fi
[ -e "$device" ] || die "Device not found: $device"
tmpdir="$(mktemp -d)"
cleanup() {
    rm -rf "$tmpdir"
}
trap cleanup EXIT INT TERM
pigeon_ca="$tmpdir/pigeon-ca.pem"
canary_ca="$tmpdir/canary-ca.pem"
cred_in="$tmpdir/cred.in"
cred_out="$tmpdir/cred.out"
attestation_der="$tmpdir/attestation.der"
attestation_pem="$tmpdir/attestation.pem"
cat > "$pigeon_ca" <<'EOF'
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOF
cat > "$canary_ca" <<'EOF'
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOF
printf '%s\n' "Please touch the button of your token..."
# fido2-cred -M input: client data hash, relying party id, user name, user id.
printf '%s\n' "$(openssl rand -base64 32)" "canokey-check.local" "tmp-user" "$(openssl rand -base64 32)" > "$cred_in"
/usr/bin/fido2-cred -M -i "$cred_in" "$device" > "$cred_out"
# Line 7 of the fido2-cred -M output is the attestation certificate (base64-encoded DER).
sed -n '7p' "$cred_out" | base64 -d > "$attestation_der"
openssl x509 -inform der -in "$attestation_der" -out "$attestation_pem"
if openssl verify -CAfile "$pigeon_ca" "$attestation_pem" >/dev/null 2>&1; then
    printf '%s\n' "OK: verification succeeded against the Pigeon root CA."
elif openssl verify -CAfile "$canary_ca" "$attestation_pem" >/dev/null 2>&1; then
    printf '%s\n' "OK: verification succeeded against the Canary root CA."
else
    die "Verification failed: the attestation certificate did not verify against either root CA."
fi
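The check above establishes that the attestation certificate chains to a CanoKey root CA, but not that the token actually signed this credential with the key in that certificate. The following helper is an added example, not part of the article or of the CanoKey project: it reads the same cred.out produced by fido2-cred -M and verifies the attestation signature (line 6) over authenticator data (line 4) followed by the client data hash (line 1), using the public key from the attestation certificate (line 7). It assumes the credential format on line 3 is "packed" with a SHA-256 based algorithm such as ES256; the make_sample_cred_out fixture is constructed test data with a throw-away self-signed certificate, so the check can be exercised without a token.

```shell
#!/usr/bin/env sh
# Added example, not the article's script: check the attestation *signature* in a
# fido2-cred -M output file, so that a genuine certificate is also shown to belong
# to the key that signed this credential.
# Assumes credential format "packed" with a SHA-256 algorithm (e.g. ES256), where
# the signature covers authenticatorData || clientDataHash.
# fido2-cred -M output: line 1 clientDataHash, 2 rp id, 3 format, 4 authData,
# 5 credential id, 6 signature, 7 attestation certificate (base64 except 2 and 3).
verify_attestation_signature() {
    cred_out="$1"
    workdir="$(mktemp -d)" || return 2
    # Reassemble the signed message: authData || clientDataHash.
    { sed -n '4p' "$cred_out" | base64 -d; sed -n '1p' "$cred_out" | base64 -d; } > "$workdir/signed.bin"
    sed -n '6p' "$cred_out" | base64 -d > "$workdir/sig.der"
    # The verification key is the public key inside the attestation certificate.
    sed -n '7p' "$cred_out" | base64 -d \
        | openssl x509 -inform der -pubkey -noout > "$workdir/pub.pem" 2>/dev/null \
        || { rm -rf "$workdir"; return 2; }
    if openssl dgst -sha256 -verify "$workdir/pub.pem" -signature "$workdir/sig.der" \
            "$workdir/signed.bin" >/dev/null 2>&1; then
        rm -rf "$workdir"; return 0
    fi
    rm -rf "$workdir"; return 1
}
# Constructed fixture (throw-away self-signed cert, random authData), NOT real
# CanoKey data: lets the check be exercised without a token.
make_sample_cred_out() {
    out="$1"; d="$(mktemp -d)"
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/key.pem" 2>/dev/null
    openssl req -x509 -new -key "$d/key.pem" -subj '/CN=constructed-test' -days 1 \
        -out "$d/cert.pem" 2>/dev/null
    cdh="$(openssl rand -base64 32)"
    authdata="$(head -c 37 /dev/urandom | openssl base64 -A)"
    { printf '%s' "$authdata" | base64 -d; printf '%s' "$cdh" | base64 -d; } > "$d/msg.bin"
    sig="$(openssl dgst -sha256 -sign "$d/key.pem" "$d/msg.bin" | openssl base64 -A)"
    cert="$(openssl x509 -in "$d/cert.pem" -outform der | openssl base64 -A)"
    printf '%s\n' "$cdh" canokey-check.local packed "$authdata" Y3JlZA== "$sig" "$cert" > "$out"
    rm -rf "$d"
}
if [ "$#" -eq 1 ]; then
    if verify_attestation_signature "$1"; then
        echo "attestation signature OK: the certificate's key signed this credential"
    else
        echo "attestation signature check FAILED (or unsupported format)" >&2; exit 1
    fi
fi
```

Run it as `sh check-sig.sh cred.out` on the file from Step 3; a result of OK here together with a successful `openssl verify` against ca.pem ties the certificate to the credential the token just produced.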