Verify the Authenticity of a CanoKey

rebel1725@tilde.club (Rebel Zhang) — Sat, 28 Mar 2026 17:33:41 +0800

This post will guide you through verifying the authenticity of a CanoKey.

Step 1: Obtain the attestation root CA certificate

Visit this website to obtain the FIDO CA certificate for your model (Pigeon/Canary). Save the certificate as ca.pem.

Step 2: Install `fido2-cred`

Install fido2-cred. On Debian GNU/Linux, it is included in the fido2-tools package:


# apt install fido2-tools

Step 3: Verify the token

Plug in your CanoKey and run these commands:


$ printf '%s\n' "$(openssl rand -base64 32)" "canokey-check.local" "tmp-user" "$(openssl rand -base64 32)" > cred.in
$ fido2-cred -M -i cred.in /dev/hidrawX > cred.out
$ sed -n '7p' cred.out | base64 -d > attestation.der
$ openssl x509 -inform der -in attestation.der -out attestation.pem
$ openssl verify -CAfile ca.pem attestation.pem

If the last command returns OK, then your CanoKey is authentic.

The process can also be done with a script:

#!/usr/bin/env sh
set -eu

die() {
    printf '%s\n' "Error: $*" >&2
    exit 1
}

# Check required tools.
[ -x /usr/bin/fido2-cred ] || die "/usr/bin/fido2-cred does not exist or is not executable"
command -v openssl >/dev/null 2>&1 || die "openssl is not installed or not on PATH"

# Find the device.
device="${1:-}"
if [ -z "$device" ]; then
    set -- /dev/hidraw*
    if [ "$1" = '/dev/hidraw*' ]; then
        die "No /dev/hidraw* device found. Pass the device path as the first argument."
    fi
    if [ "$#" -ne 1 ]; then
        die "More than one /dev/hidraw* device found. Pass the correct device path as the first argument."
    fi
    device=$1
fi

[ -e "$device" ] || die "Device not found: $device"

tmpdir="$(mktemp -d)"
cleanup() {
    rm -rf "$tmpdir"
}
trap cleanup EXIT INT TERM

pigeon_ca="$tmpdir/pigeon-ca.pem"
canary_ca="$tmpdir/canary-ca.pem"
cred_in="$tmpdir/cred.in"
cred_out="$tmpdir/cred.out"
attestation_der="$tmpdir/attestation.der"
attestation_pem="$tmpdir/attestation.pem"

cat > "$pigeon_ca" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBpzCCAUygAwIBAgIUatn9Rj8uCMjLrmFfCQYY5/X9xq4wCgYIKoZIzj0EAwIw
MTEvMC0GA1UEAwwmQ2Fub0tleXMgRklETyBBdHRlc3RhdGlvbiBSb290IENBIE5v
LjIwHhcNMjExMjI3MTE0OTMzWhcNNDEwNjI1MTE0OTMzWjAxMS8wLQYDVQQDDCZD
YW5vS2V5cyBGSURPIEF0dGVzdGF0aW9uIFJvb3QgQ0EgTm8uMjBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABNgW7CwchH80l4sj8luhwjbNoohB9Uqnvsh0SLor18w8
IMy6rnzzdDP9PgSSbuUZw302mBhyYJqJY1q9Ke0niZujQjBAMB0GA1UdDgQWBBRU
GAKiwvk2vLP5Zi6ul73RiWyr0jAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQE
AwIBBjAKBggqhkjOPQQDAgNJADBGAiEAlRNyrmngE3A1YZuwsuwBHLXY7wZC/4CO
JNA30mtp2+YCIQDA88Pp+Kjx3c4nrgRgSaSueC5IlvwpTSGBGwRYDSdMTA==
-----END CERTIFICATE-----
EOF

cat > "$canary_ca" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBpjCCAUygAwIBAgIUJqLszFCSI6gfDqvFL+vzQpDWS64wCgYIKoZIzj0EAwIw
MTEvMC0GA1UEAwwmQ2Fub0tleXMgRklETyBBdHRlc3RhdGlvbiBSb290IENBIE5v
LjMwHhcNMjQwOTAzMDM1NTUwWhcNNDQwMzAyMDM1NTUwWjAxMS8wLQYDVQQDDCZD
YW5vS2V5cyBGSURPIEF0dGVzdGF0aW9uIFJvb3QgQ0EgTm8uMzBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABEXEY5WDrVrndfPOhUxHo+6iMUbP9XTPkllE4lO9oG84
mw4CVoRcQ6/IGrr+zWEaPEgBmPANsdyWyeBKzoqTedajQjBAMB0GA1UdDgQWBBS6
obb0l+0czy2I17sSDcNuceE5ujAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQE
AwIBBjAKBggqhkjOPQQDAgNIADBFAiBstCxcYRiCCyjfVuX7pllb9Tt3dji+sEd1
XoWJgWAE0gIhAJs+giTpbPvztoEMkmv3Gfrmp6zXzcalYpFwbImJbCAr
-----END CERTIFICATE-----
EOF

printf '%s\n' "Please touch the button of your token..."
printf '%s\n' "$(openssl rand -base64 32)" "canokey-check.local" "tmp-user" "$(openssl rand -base64 32)" > "$cred_in"

/usr/bin/fido2-cred -M -i "$cred_in" "$device" > "$cred_out"

sed -n '7p' "$cred_out" | base64 -d > "$attestation_der"
openssl x509 -inform der -in "$attestation_der" -out "$attestation_pem"

if openssl verify -CAfile "$pigeon_ca" "$attestation_pem" >/dev/null 2>&1; then
    printf '%s\n' "OK: verification succeeded against the Pigeon root CA."
elif openssl verify -CAfile "$canary_ca" "$attestation_pem" >/dev/null 2>&1; then
    printf '%s\n' "OK: verification succeeded against the Canary root CA."
else
    die "Verification failed: the attestation certificate did not verify against either root CA."
fi

CanoKey on Rebel Zhang's Blog

Verify the Authenticity of a CanoKey

Step 1: Obtain the attestation root CA certificate

Step 2: Install fido2-cred

Step 3: Verify the token

Step 2: Install `fido2-cred`