Reputation: 31
I have two questions regarding the appID in the Android FIDO U2F API.
Is it possible to use the facetID identifying my app directly or does it need to be an HTTPS URL pointing to a JSON containing valid facetIDs? I suspect that it may not be possible to use the facetID directly as the appID (although the official FIDO specifications should allow for it).
My other question is regarding the facetID identifying my app. The official FIDO specification defines the facetID for an Android app as follows:
In the Android [ANDROID] case, the FacetID must be a URI derived from the Base64 encoding SHA-1 hash of the APK signing certificate [APK-Signing]:
android:apk-key-hash:<base64_encoded_sha1_hash-of-apk-signing-cert>
When I look at a working example from the Google Samples, the used facetID seems to contain something else.
facetID in question (definitely not base64):
android:apk-key-hash:bkHnlWEV_jRCPdYGJfwOl7Sn_CLC_2TE3h4TO1_n34I
Here is the JSON containing the facetID in question.
If the API doesn't expect a base64 encoded hash, what format does it expect (and how does one generate it)?
Upvotes: 3
Views: 1274
Reputation: 17
You actually need the following script:
keytool -list -v -keystore ~/.android/debug.keystore | grep "SHA256: " | cut -d " " -f 3 | xxd -r -p | basenc --base64url | sed 's/=//g'
Upvotes: 0
Reputation: 1166
As already pointed out: Google uses the SHA256 hash.
Get the encoded version of the signing key from your keystore.
keytool -list -v -keystore <your.keystore> | grep "SHA256: " | cut -d " " -f 3 | xxd -r -p | openssl base64 | tr '+/' '-_' | sed 's/=//g'
Upvotes: 0
Reputation: 2281
Solution:
Google for some reason did not go by the FIDO U2F specification. Calculate the SHA-256 (not the SHA-1 per FIDO spec) of the apk-signing-cert and then calculate the base64. Then remove the = chars at the end.
Upvotes: 0
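The derivation the answers above describe (SHA-256 of the APK signing certificate, base64url, padding stripped), as an added Python example that is not part of any answer on this page. It also checks the opposite direction: decoding the facetID from the question shows a 32-byte digest, i.e. SHA-256 rather than the 20-byte SHA-1 the FIDO text names. The certificate bytes are a constructed stand-in, and keytool_style_fingerprint is a hypothetical helper that mimics the fingerprint line keytool -list -v prints.

```python
import base64
import hashlib

PREFIX = "android:apk-key-hash:"


def b64url_nopad(raw: bytes) -> str:
    """Base64url without '=' padding: the alphabet the sample facetID uses ('-' and '_', never '+' or '/')."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def facet_id_from_der(cert_der: bytes) -> str:
    """facetID from the DER bytes of the signing certificate: SHA-256 (what Google uses), not the spec's SHA-1."""
    return PREFIX + b64url_nopad(hashlib.sha256(cert_der).digest())


def keytool_style_fingerprint(cert_der: bytes) -> str:
    """Hypothetical helper: the 'SHA256: AA:BB:...' line keytool -list -v prints for the same certificate."""
    return "SHA256: " + ":".join(f"{b:02X}" for b in hashlib.sha256(cert_der).digest())


def facet_id_from_fingerprint(line: str) -> str:
    """facetID from a keytool fingerprint line; rejects anything that is not a 32-byte SHA-256."""
    text = line.strip()
    if text.upper().startswith("SHA256:"):
        text = text[len("SHA256:"):]
    digest = bytes.fromhex(text.replace(":", "").strip())
    if len(digest) != 32:
        raise ValueError(f"expected 32 hash bytes (SHA-256), got {len(digest)}")
    return PREFIX + b64url_nopad(digest)


def decode_facet_hash(facet_id: str) -> bytes:
    """Raw digest inside a facetID; its length tells you which hash produced it (32 = SHA-256, 20 = SHA-1)."""
    if not facet_id.startswith(PREFIX):
        raise ValueError("not an android:apk-key-hash facetID")
    b64 = facet_id[len(PREFIX):]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; a real one comes from keytool -exportcert.
    fake_cert = b"constructed bytes, not a real APK signing certificate"
    print(facet_id_from_der(fake_cert))
    print(facet_id_from_fingerprint(keytool_style_fingerprint(fake_cert)))
    # The sample facetID from the question decodes to 32 bytes: SHA-256, not SHA-1.
    sample = "android:apk-key-hash:bkHnlWEV_jRCPdYGJfwOl7Sn_CLC_2TE3h4TO1_n34I"
    print(len(decode_facet_hash(sample)))
```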