webauthn-open-source / fido2-lib

A node.js library for performing FIDO 2.0 / WebAuthn server functionality

Home Page: https://webauthn.io


Does not support self attestation

kg0r0 opened this issue · comments

commented

The following error occurred when using MacBook TouchID as an authenticator.

Error: Server responed with error. The message is: packed attestation: self attestation not implemented, please open a GitHub issue.

Looks like fido2-lib doesn't support self-attestation. So we cannot use TouchID as an authenticator.

I believe this was fixed - can you re-test?

commented

@JamesCullum
Thank you for your reply.
I tried this, but it didn't seem to be fixed.
SELF attestation is used by the authenticators that don't have "x5c" and "ecdaaKeyId".

It is used by the authenticators that don't have memory to store a batch certificate and key pair. If attStmt is missing "x5c" and "ecdaaKeyId", then it is a SELF (SURROGATE) attestation.
https://herrjemand.medium.com/verifying-fido2-packed-attestation-a067a9b2facd#6081

However, the code below doesn't seem to explain what to do in the above case.

```javascript
async function packedValidateFn() {
	var x5c = this.authnrData.get("x5c");
	var ecdaaKeyId = this.authnrData.get("ecdaaKeyId");
	// "basic" attestation carries x5c, "ecdaa" carries ecdaaKeyId; both at once is invalid
	if (x5c !== undefined && ecdaaKeyId !== undefined) {
		throw new Error("packed attestation: should be 'basic' or 'ecdaa', got both");
	}
	if (x5c) return packedValidateBasic.call(this);
	if (ecdaaKeyId) return packedValidateEcdaa.call(this);
	// neither present: self (surrogate) attestation
	return packedValidateSurrogate.call(this);
}
```

Can you tell me which commit fixed it?
I am very interested in this project and would like to contribute.

Hey @kg0r0 thank you for the feedback and testing! There were many commits in the meantime, so I wanted to make sure this is not part of anything that happened in between.

I see that in line 88 it refers to it and the missing implementation exists in line 230 of your linked file.

It would be highly appreciated if you could contribute this part - I will have to look up what the best way is to test this.

The spec refers to steps to verify if x5c is not present. https://w3c.github.io/webauthn/#sctn-packed-attestation. This express package does have an implementation: https://github.com/strangerlabs/webauthn/blob/master/src/Webauthn.js#L417, which, like this package, is based off of the FIDO Alliance demo. Though said demo is missing self attestation for packed, TPM attestation, etc.

Can you contribute this @agmcleod ?

@JamesCullum I have it working with attestation for Touch ID on my Mac, I just haven't been able to get the login (authentication assertion) working yet. Not sure if it's something in the library or something I've missed in my own application code.

Essentially the userHandle in the credential object on the frontend is the 32-byte array buffer that I passed down when the credential was created in the registration process. Looking at the OWASP example project, they compare the credential ID. However, for my case the credId is a 117-byte buffer. I'm wondering if there's a separate value I need to store, but I'm not seeing where the user id is captured in the credentials data during registration. The spec does say credential ID can be used for this, but I'm wondering if I need to check another field before trying the credential ID.

https://w3c.github.io/webauthn/#user-handle

Edit: Not sure why the OWASP example didn't show this, but it seems like it's best to persist the value used for the user.id in the navigator.credentials.create() call, and then use that on the server side. So essentially I would use it in a similar way to the persisted public key data. I'll create a PR soon.

I think that's the typical FIDO flow anyway, isn't it? Quite certain the OWASP example does that as well. Thanks for the PR, let's continue there 👍