StrongKey / fido2

Open-source FIDO server, featuring the FIDO2 standard. https://demo4.strongkey.com/getstarted/#/openapi/fido

/register fail if authenticator response contains "authenticatorAttachment": null #211

Closed Link214FR closed 1 year ago

Link214FR commented 2 years ago

Hello.

Describe the bug

On the client device, a call to navigator.credentials.create(registerOptions) may return a response with authenticatorAttachment set to null.

If this null value is not filtered downstream and is sent to the SKFS API /skfs/rest/preregister, then SKFS raises an exception and responds with error 400:

```
{"Response":"FIDO-ERR-2001: FIDO 2 Error Message : {0}class javax.json.JsonValueImpl cannot be cast to class javax.json.JsonString (javax.json.JsonValueImpl and javax.json.JsonString are in unnamed module of loader org.apache.felix.framework.BundleWiringImpl$BundleClassLoader @2f8a6170)"}
```

In the SKFS log file we have the following stack trace:

```
[2022-10-03T02:32:26.819+0200] [Payara 5.2021.6] [GRAVE] [] [] [tid: _ThreadID=75 _ThreadName=http-thread-pool::http-listener-2(6)] [timeMillis: 1664757146819] [levelValue: 1000] [[
java.lang.ClassCastException: class javax.json.JsonValueImpl cannot be cast to class javax.json.JsonString (javax.json.JsonValueImpl and javax.json.JsonString are in unnamed module of loader org.apache.felix.framework.BundleWiringImpl$BundleClassLoader @2f8a6170)
    at org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getJsonString(JsonObjectBuilderImpl.java:228)
    at org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getString(JsonObjectBuilderImpl.java:233)
    at com.strongkey.skfs.txbeans.FIDO2RegistrationBean.execute(FIDO2RegistrationBean.java:191)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:588)
    at org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:408)
    at com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:4826)
    at com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:665)
    at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:834)
    at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:615)
    at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doCall(SystemInterceptorProxy.java:163)
    at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:140)
    at jdk.internal.reflect.GeneratedMethodAccessor265.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:888)
    at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:833)
    at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:615)
    at org.jboss.weld.module.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:72)
    at org.jboss.weld.module.ejb.SessionBeanInterceptor.aroundInvoke(SessionBeanInterceptor.java:52)
    at jdk.internal.reflect.GeneratedMethodAccessor125.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:888)
    at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:833)
    at com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:375)
    at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:4798)
    at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:4786)
    at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:212)
    at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:90)
    at com.sun.proxy.$Proxy290.execute(Unknown Source)
    at com.strongkey.skfs.txbeans.u2fServletHelperBean.register(u2fServletHelperBean.java:426)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:588)
    at org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:408)
    at com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:4826)
    at com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:665)
    at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:834)
    at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:615)
    at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doCall(SystemInterceptorProxy.java:163)
    at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:140)
    at jdk.internal.reflect.GeneratedMethodAccessor265.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:888)
    at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:833)
    at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:615)
    at org.jboss.weld.module.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:81)
    at org.jboss.weld.module.ejb.SessionBeanInterceptor.aroundInvoke(SessionBeanInterceptor.java:52)
    at jdk.internal.reflect.GeneratedMethodAccessor125.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:888)
    at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:833)
    at com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:375)
    at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:4798)
    at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:4786)
    at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:212)
    at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:90)
    at com.sun.proxy.$Proxy348.register(Unknown Source)
    at com.strongkey.skfs.rest.SKFSServlet.register(SKFSServlet.java:220)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
    at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:469)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:391)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:80)
    at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:253)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
    at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:232)
    at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:680)
    at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394)
    at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:366)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:319)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
    at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1636)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:259)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:757)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:577)
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:158)
    at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:371)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:238)
    at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:520)
    at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:217)
    at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:182)
    at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:156)
    at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:218)
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:95)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:260)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:177)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:109)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:88)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:53)
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:524)
    at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:89)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:94)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:33)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:114)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:569)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:549)
    at java.base/java.lang.Thread.run(Thread.java:829)
]]
```

To Reproduce

Send a register message with authenticatorAttachment: null, for example:

```json
{
  "svcinfo": {
    "did": 1,
    "protocol": "FIDO2_0",
    "authtype": "PASSWORD",
    "svcusername": "svcfidouser",
    "svcpassword": "abcdefg"
  },
  "payload": {
    "strongkeyMetadata": {
      "version": "1.0",
      "create_location": "Sunnyvale, CA",
      "username": "demo1",
      "origin": "https://yubi.lab.org.com"
    },
    "publicKeyCredential": {
      "id": "AecmZbJtzz9bsve7kevyYpu3GTRci_Umz5QBwIIaehblNGpUzpH3GE3Cf9a-EIl4Y_M-TcK4oM_heyGz_aUl4fM",
      "rawId": "AecmZbJtzz9bsve7kevyYpu3GTRci_Umz5QBwIIaehblNGpUzpH3GE3Cf9a-EIl4Y_M-TcK4oM_heyGz_aUl4fM",
      "response": {
        "attestationObject": "o2...[TRUNCATED-DATA]....928jg",
        "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiR3otcTR3dGZJeVUwbnlKdGFLT3JmdyIsIm9yaWdpbiI6Imh0dHBzOlwvXC95dWJpLmxhYi5zeWFnZS5mciIsImFuZHJvaWRQYWNrYWdlTmFtZSI6ImNvbS5hbmRyb2lkLmNocm9tZSJ9"
      },
      "type": "public-key",
      "clientExtensionResults": {},
      "authenticatorAttachment": null,   <== This is causing the issue
      "transports": []
    }
  }
}
```

Expected behavior

authenticatorAttachment should be ignored if it does not match a known AuthenticatorAttachment enumeration value. We tested and confirmed that any other unknown value works fine; only null causes the issue. Alternatively, the null value should be handled and return a specific error.

Additional context

/fido2/server/fidoserverbeans/src/main/java/com/strongkey/skfs/txbeans/FIDO2RegistrationBean.java, line 190:

```java
if (responseObject.containsKey(SKFSConstants.FIDO2_ATTR_ATTACHMENT)) {
    authattachment = responseObject.getString(SKFSConstants.FIDO2_ATTR_ATTACHMENT);
}
```

JsonObject.getString() raises an exception when the retrieved parameter is null.

Nice work, looking forward to this project!
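The following is an added example, not code from the StrongKey project or from the issue reporter. It reproduces the failure mode described above against the javax.json (JSON-P) API that the stack trace shows in use (org.glassfish.json), and puts a tolerant extraction next to it. Assumptions: the JSON key behind SKFSConstants.FIDO2_ATTR_ATTACHMENT is the literal "authenticatorAttachment" as in the request body above, and the only valid values are the two WebAuthn AuthenticatorAttachment enumeration members, "platform" and "cross-platform". Because the field is client-controlled and only informational, the safe behaviour is to treat anything that is not a known string (absent, JSON null, a number, an object, an unknown string) as "not provided" rather than letting a cast failure turn into a 400 with an internal class name in it.

```java
import java.io.StringReader;
import java.util.Set;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonReader;
import javax.json.JsonString;
import javax.json.JsonValue;

public class AttachmentParsing {

    // Assumed: the key used by SKFSConstants.FIDO2_ATTR_ATTACHMENT is this literal.
    private static final String ATTACHMENT_KEY = "authenticatorAttachment";

    // WebAuthn AuthenticatorAttachment enumeration (Level 2): only these two values.
    private static final Set<String> KNOWN_ATTACHMENTS = Set.of("platform", "cross-platform");

    /**
     * Same shape as the snippet quoted in the issue: containsKey() is true for a
     * JSON null, and getString() then does a (JsonString) cast on the null value,
     * which is what raises the ClassCastException seen in the log.
     */
    static String extractAsReported(JsonObject responseObject) {
        String authattachment = null;
        if (responseObject.containsKey(ATTACHMENT_KEY)) {
            authattachment = responseObject.getString(ATTACHMENT_KEY);
        }
        return authattachment;
    }

    /**
     * Tolerant variant: look at the JsonValue type before casting, and only accept
     * a string that is one of the known enumeration values. Everything else
     * (missing key, JSON null, numbers, objects, unknown strings) yields null,
     * i.e. "no attachment hint supplied".
     */
    static String extractTolerant(JsonObject responseObject) {
        JsonValue v = responseObject.get(ATTACHMENT_KEY);          // null when the key is absent
        if (v == null || v.getValueType() != JsonValue.ValueType.STRING) {
            return null;                                            // covers JsonValue.NULL too
        }
        String s = ((JsonString) v).getString();
        return KNOWN_ATTACHMENTS.contains(s) ? s : null;
    }

    static JsonObject parse(String json) {
        try (JsonReader reader = Json.createReader(new StringReader(json))) {
            return reader.readObject();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: trimmed-down publicKeyCredential objects.
        String[] samples = {
            "{\"type\":\"public-key\",\"authenticatorAttachment\":\"cross-platform\"}",
            "{\"type\":\"public-key\",\"authenticatorAttachment\":null}",
            "{\"type\":\"public-key\",\"authenticatorAttachment\":\"bogus\"}",
            "{\"type\":\"public-key\"}",
            "{\"type\":\"public-key\",\"authenticatorAttachment\":42}"
        };
        for (String sample : samples) {
            JsonObject credential = parse(sample);
            String reported;
            try {
                reported = String.valueOf(extractAsReported(credential));
            } catch (ClassCastException e) {
                reported = "ClassCastException";
            }
            System.out.println(sample);
            System.out.println("  as reported -> " + reported);
            System.out.println("  tolerant    -> " + extractTolerant(credential));
        }
    }
}
```

Run with JSON-P (javax.json-api plus the org.glassfish javax.json implementation) on the classpath. The second and fifth samples are the instructive ones: the reported pattern throws on both the JSON null and the number, while the tolerant version returns null for them and for the unknown string, so the server never has to choose between crashing and trusting a value the client could set to anything.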

push2085 commented 2 years ago

Hi @Link214FR, Thank you for bringing this to our attention. We will work on fixing this in the next build that we put out on Github.

Thank you Pushkar