openssh bugs - Apr 2025 - [Bug 3815] New: ssh-verify-attestation fails to check attestation

https://bugzilla.mindrot.org/show_bug.cgi?id=3815

            Bug ID: 3815
           Summary: ssh-verify-attestation fails to check attestation
           Product: Portable OpenSSH
           Version: 10.0p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: at at symbiosis.finance

Hello, 
I?m currently working with the ssh-verify-attestation tool to verify
the attestation of a key generated on a YubiKey, using the following
commands:

dd if=/dev/random bs=1 count=32 of=challenge 

ssh-keygen -t ed25519-sk -O resident \
-O application=ssh:yubikey \
-O challenge=challenge \
-O write-attestation=id_ed25519_sk_yubi.attest \
-C "YubiKey FIDO SSH Key" \
-f ~/.ssh/id_ed25519_sk_yubi


and when I run 

./openssh-portable/regress/misc/ssh-verify-attestation/ssh-verify-attestation
-A  ~/.ssh/id_ed25519_sk_yubi  challenge  id_ed25519_sk_yubi.attest

I get  "basic attestation failed"  without any details. 

According to 
https://github.com/openssh/openssh-portable/blob/76631fdd04824c3e50ea6551d3611b1fe0216a41/regress/misc/ssh-verify-attestation/ssh-verify-attestation.c#L33

it should be fine. 

What am I doing wrong?

Thank you.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3815

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Add -vvv to the commandline for more verbosity

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3815

--- Comment #2 from Aleks <at at symbiosis.finance> ---
Hello,
> Add -vvv to the commandline for more verbosity

Here it is:

./openssh-portable/regress/misc/ssh-verify-attestation/ssh-verify-attestation
-vvv  -A  ~/.ssh/id_ed25519_sk_yubi challenge id_ed25519_sk_yubi.attest
debug2: key id_ed25519_sk_yubi.attest: ED25519-SK
SHA256:zK7k0i4T6b1Vx/LR5wK700kLz15Z9y/aYXMcAKJvdKM
debug1: basic attestation
basic attestation failed

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3815

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Maybe try adding -U to the command-line. This is required if you're
using a U2F rather than a FIDO2 token - it's not possible to
automatically detect this at present.

This tool is also pretty experimental, there may be bugs...

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3815

--- Comment #4 from Aleks <at at symbiosis.finance> ---
(In reply to Damien Miller from comment #3)
> Maybe try adding -U to the command-line. This is required if you're
> using a U2F rather than a FIDO2 token - it's not possible to
> automatically detect this at present.
> 
> This tool is also pretty experimental, there may be bugs...
with -U the output is exactly the same. 


Btw, this tool successfully validates the attestation 

https://gist.github.com/joostd/ed790ade9ddd4b711af6c1b80eaed7ca

may be it could be useful to understand what is happening.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3815

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|10.0p1                      |10.0p2

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.