GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

Getting GmsCompat crash after trying to authorize with FIDO2 security key using NFC #3314

Open savely-krasovsky opened 7 months ago

savely-krasovsky commented 7 months ago

I have this problem only with Solo 2 keys; Yubikey works correctly. Maybe something is wrong with the key, but it works on some sites.

Feel free to close if the problem is related to the bad Solo 2 firmware.

type: crash
osVersion: google/bluejay/bluejay:14/AP1A.240305.019.A1/2024030900:user/release-keys
package: com.google.android.gms:240812038
process: com.google.android.gms.ui
processUptime: 35578 + 61 ms
installer: com.android.vending
GmsCompatConfig version: 98

java.lang.IllegalArgumentException: Short encoding mandated, but APDU has more than 255 bytes of data
    at athc.a(:com.google.android.gms@240812038@24.08.12 (190400-608507424):62)
    at atha.d(:com.google.android.gms@240812038@24.08.12 (190400-608507424):1)
    at atdu.i(:com.google.android.gms@240812038@24.08.12 (190400-608507424):239)
    at atdu.h(:com.google.android.gms@240812038@24.08.12 (190400-608507424):1)
    at atdu.j(:com.google.android.gms@240812038@24.08.12 (190400-608507424):11)
    at atdu.g(:com.google.android.gms@240812038@24.08.12 (190400-608507424):12)
    at aump.run(:com.google.android.gms@240812038@24.08.12 (190400-608507424):124)
    at alab.c(:com.google.android.gms@240812038@24.08.12 (190400-608507424):50)
    at alab.run(:com.google.android.gms@240812038@24.08.12 (190400-608507424):76)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
    at alfp.run(:com.google.android.gms@240812038@24.08.12 (190400-608507424):8)
    at java.lang.Thread.run(Thread.java:1012)
    Suppressed: edpc:

thestinger commented 7 months ago

This looks like it might occur on stock OS too.

savely-krasovsky commented 7 months ago

I just got it after a few tries also with Yubikey (also an APDU-related error), but it's not consistent (with Solo 2 I get it every time). Maybe it relates to the stability of the NFC connection? The problem occurs at self-hosted miniflux.app, if that's important.

thestinger commented 7 months ago

May just be how it is upstream. Are you able to try via USB instead?

savely-krasovsky commented 7 months ago

With USB both keys work perfectly, yeah, I get it only with NFC. Sure, it could be in upstream, but I don't have another Pixel to test...

FID02 commented 6 months ago

I registered an account at miniflux.app in order to test this on GrapheneOS. I then registered a Yubikey 5 as a passkey, using NFC, which was successful. Notably the site doesn't offer the option of using FIDO2 as MFA.

Attempting to sign in to miniflux.app with the Yubikey makes the site show an error, but I'm not getting a crash. Tried with NFC and USB.

I did the same on stock PixelOS (QPR2): same error. Unable to sign in with the Yubikey.

I checked the resident keys on the Yubikey using Yubico Authenticator: there is no passkey from miniflux.app stored on the Yubikey.

I'm not self-hosting miniflux.app.

Error displayed on the site:

Unable to login with passkey (NotAllowedError: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.)

L11R: Does this only occur on miniflux.app or can you reproduce this on other sites as well?

savely-krasovsky commented 6 months ago

Miniflux has a weird UX decision: in order to log in with a passkey you need to type the login, leave the password field empty and finally click Login with Passkey.

FID02 commented 6 months ago

> Miniflux has a weird UX decision: in order to log in with a passkey you need to type the login, leave the password field empty and finally click Login with Passkey.

Ah, I see. I now successfully signed in to minireader.app with a Yubikey 5 using NFC. Tried 4 times, always succeeded. On GrapheneOS.

I don't have a Solo 2 key available to try with.

savely-krasovsky commented 6 months ago

Thanks for testing, probably it's something with my Solo 2. But it shouldn't crash anyway in my opinion.
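
The exception in the opening post names an ISO/IEC 7816-4 limit: a short-encoded command APDU has a one-byte Lc and carries at most 255 data bytes. The following is an added example, not code from Play services, GmsCompat or any participant in this thread; it shows that limit next to the two standard ways around it, extended length encoding and command chaining. The CLA/INS values are those of the CTAP NFC message command; the function names and the 300-byte payload are constructed for illustration.

```python
# Added illustration of ISO/IEC 7816-4 command APDU length encoding.
# Function names and the sample payload are constructed, not taken from the thread.
SHORT_MAX = 255        # one-byte Lc: at most 255 data bytes
EXTENDED_MAX = 65535   # three-byte Lc (0x00 + two bytes): at most 65535 data bytes
CHAIN_BIT = 0x10       # CLA bit signalling "more command fragments follow"
CTAP_CLA, CTAP_INS = 0x80, 0x10   # NFCCTAP_MSG in the CTAP NFC transport


def encode_apdu(cla, ins, p1, p2, data=b"", extended=False):
    """Encode a command APDU that requests the maximum response length (Le = 0)."""
    header = bytes([cla, ins, p1, p2])
    if extended:
        if len(data) > EXTENDED_MAX:
            raise ValueError("extended encoding cannot carry more than 65535 bytes")
        if not data:
            return header + b"\x00\x00\x00"          # case 2E: 3-byte Le only
        lc = b"\x00" + len(data).to_bytes(2, "big")
        return header + lc + data + b"\x00\x00"      # case 4E: 2-byte Le
    if len(data) > SHORT_MAX:
        # The condition behind the exception message in the crash report.
        raise ValueError("short encoding cannot carry more than 255 bytes")
    lc = bytes([len(data)]) if data else b""
    return header + lc + data + b"\x00"


def chain_short(cla, ins, p1, p2, data, chunk=SHORT_MAX):
    """Split data over short APDUs. Every fragment except the last sets
    CHAIN_BIT in CLA and is sent without Le; the last is a normal short APDU."""
    if not 1 <= chunk <= SHORT_MAX:
        raise ValueError("chunk must be between 1 and 255")
    parts = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    apdus = [bytes([cla | CHAIN_BIT, ins, p1, p2, len(p)]) + p for p in parts[:-1]]
    apdus.append(encode_apdu(cla, ins, p1, p2, parts[-1]))
    return apdus


def demo():
    payload = bytes(300)  # constructed stand-in for a request larger than 255 bytes
    try:
        encode_apdu(CTAP_CLA, CTAP_INS, 0, 0, payload)
        short_result = "encoded"
    except ValueError as exc:
        short_result = str(exc)
    extended = encode_apdu(CTAP_CLA, CTAP_INS, 0, 0, payload, extended=True)
    chained = chain_short(CTAP_CLA, CTAP_INS, 0, 0, payload)
    return short_result, len(extended), [len(a) for a in chained]


if __name__ == "__main__":
    print(demo())
```

Whether extended length or chaining is usable depends on what the authenticator and the NFC link support, which the thread does not establish for either key.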