search

Yubico / java-webauthn-server

Server-side Web Authentication library for Java https://www.w3.org/TR/webauthn/#rp-operations
Other
457 stars 142 forks source link

Signature count in assertion always 0 #198

Closed igorlogvin closed 2 years ago

igorlogvin commented 2 years ago

Hi @emlun Emil! I have some problem with signature count in assertion operation. After registration it's 0, is ok. But in assertion in first time and second time, signature count 0 again. UserHandle into allowCredentials is same for assertion operations. Here is my publicKeyCredentialRequestOptions

"assertionRequest": {
        "publicKeyCredentialRequestOptions": {
            "challenge": "NTEyYjE1MTMtNzFiYy00NzBlLTkzNzEtZGJhZTFhZjZkOWE4",
            "timeout": 60000,
            "rpId": "....",
            "allowCredentials": [
                {
                    "type": "public-key",
                    "id": "....",
                    "transports": [
                        "internal"
                    ]
                }
            ],
            "userVerification": "required",
            "extensions": {
                "appid": "....",
                "largeBlob": null,
                "uvm": null
            }
        },
        "username": "00002000"
    }

And after my iPhone read my face, i get this response

{
  "type": "public-key",
  "id": "...",
  "rawId": "...",
  "response": {
    "clientDataJSON": "...",
    "authenticatorData": "9WV8L4R8e0CoohcFgkecRBqpFy4cG9DrQWj1qMm_8hIFAAAAAA",
    "signature": "...",
    "userHandle": "...."
  },
  "clientExtensionResults": {}
}

And after java-webauthn-server parse authenticatorData, then signature count is 0. I dont understand why. Can you, please, explain me for that? We had such a process: we registered a credential in the database with signatureCount 0. Then we completed attestation and saved the new signatureCount (here it was valid, higher than what is stored in the database). Then we re-attested with new options with new challenge (logout and re-login with faceId), but the authenticator returned signatureCount = 0. Maybe it has something to do with what I write below.

We testing Web authentication with java-webauthn-server on multiple devices and for some of them response.userHandle from the authenticator response, what i brought earlier, is null for publicKeyCredentialRequestOptions which you saw above. In what cases does this happen?

igorlogvin commented 2 years ago

I found some info about signature count into spec

Authenticators SHOULD implement a signature counter feature.

The signature counter is incremented for each successful authenticatorGetAssertion operation by some positive value, and subsequent values are returned to the WebAuthn Relying Party within the authenticator data again.

But from iOS (iPhone, Mac etc.) sign counter is always 0. Is that bug in iOs?

Edit: Okay, i found some info in here

The signature counter is not implemented and therefore it is always zero. Secure Enclave is used to prevent the credential private key from leaking instead of a software safeguard.

emlun commented 2 years ago

Hi! This is allowed by the spec. Step 9 in §6.3.3. The authenticatorGetAssertion Operation reads:

[...] If the authenticator does not implement a signature counter, let the signature counter value remain constant at zero.

But thanks for pointing this out - I've opened w3c/webauthn#1734 to make this a bit more clear in section §6.1.1 too.