Yubico / java-webauthn-server

Server-side Web Authentication library for Java https://www.w3.org/TR/webauthn/#rp-operations

AuthData from android-safetynet is not found #199

Closed igorlogvin closed 2 years ago

igorlogvin commented 2 years ago

Hello! @emlun, can you please explain to me in which cases authData may be empty? My problem is below. Some Android devices do not support the requireResidentKey field. We are handling NotSupportedError, which you can find at the bottom of this website.

Message: Either the device has received unexpected request parameters, or the device cannot support this request. Explanation: If you see this error, it most likely means that you are trying to register a device with the resident key value set to true in the create credentials request. To overcome the issue, you should set the isResidentKeyRequired parameter to false when creating the FIDO credential.

I tried setting requireResidentKey to false and setting residentKey to preferred or discouraged, but in both cases java-webauthn-server threw an exception with the message that authData is null.

emlun commented 2 years ago

Hi! Can you provide an example of a PublicKeyCredential response object (probably JSON encoded) that exhibits this issue?

igorlogvin commented 2 years ago

> Hi! Can you provide an example of a PublicKeyCredential response object (probably JSON encoded) that exhibits this issue?

Hi! This is the full authenticatorAttestationResponse from an Android (safetynet type) device after the finger was read:

```json
{
  "type": "public-key",
  "id": "....",
  "rawId": "...",
  "response": {
    "clientDataJSON": "....",
    "attestationObject": "",
    "transports": []
  },
  "clientExtensionResults": {}
}
```

After java-webauthn-server parsed the attestationObject, it threw an exception with the message that authData is null. I ran it in debug mode and made sure of it.

emlun commented 2 years ago

It looks like this response is indeed corrupted. If you base64url-decode the attestationObject and parse the CBOR (for example using https://cbor.me/), you get an object that looks like this (truncated):

```
{
  "fmt": "android-safetynet",
  "attStmt": {
    "ver": "221514037",
    "response": h'65794A68624763694F694A53557A4931...430786A57786546664B365F316F77686'
  },
  23: h'4684461746158C5F5657C2F847C7B40A8A2170582479C4'
}
```

For brevity I removed 16602 digits where the ... is in the "response", but the important bit is the last part. https://cbor.me/ reports "182 unused bytes after the end of the data item".

If you do the same with one of the test cases you instead get this:

```
{
  "fmt": "android-safetynet",
  "attStmt": {
    "ver": "14799021",
    "response": h'65794A68624763694F694A53557A4931...526E6636724E5965737167497A6A5741'
  },
  "authData": h'C46CEF82AD1B546477591D008B08759EC3E6D2ECB4F39474BFEA6969925D03B74500000000B93FD961F2E6462FB12282002247DE780041011008255E1873A6B1159429C94A34347F9F6A6F2ED524A14B44E603CA095BD2138693D5663DEA237A1F26C27B1FDDEC60201A15A2F0A621A1A082217760F215F0A5010203262001215820DBC0097FFD23CBD1B0EC8FD5A577022A861D2D845155456B741C79BC313E4057225820BD73E91F23BCFBADC008A75FBECCDDA870A0DC4558FBD1D79BEE86FD5A7FC73A'
}
```

Notice the "authData" at the end, which is missing in your example.

Either your authenticator is producing invalid data, or it gets corrupted somewhere on the way to the server.
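The check described in this comment (base64url-decode the attestationObject, parse the CBOR map, look for the "authData" key and for bytes left over after the data item) as a small standalone script. This is an added example, not code from java-webauthn-server or from anyone in this thread; the CBOR decoder is a hand-written subset (unsigned ints, byte/text strings, definite-length maps), and the two sample objects are constructed to mimic the well-formed and the corrupted object shown above, not the real responses.

```python
import base64

def cbor_decode(data, pos=0):
    """Decode one CBOR item (subset: uint, bstr, tstr, map); return (value, end_pos)."""
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info <= 27:  # a 1/2/4/8-byte length or value follows the initial byte
        width = 1 << (info - 24)
        n, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
    else:
        raise ValueError("indefinite-length items not supported")
    if major == 0:
        return n, pos
    if major == 2:
        return data[pos:pos + n], pos + n
    if major == 3:
        return data[pos:pos + n].decode("utf-8"), pos + n
    if major == 5:
        m = {}
        for _ in range(n):
            k, pos = cbor_decode(data, pos)
            m[k], pos = cbor_decode(data, pos)
        return m, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def inspect_attestation_object(b64url):
    """What the RP sees: fmt, top-level keys, whether authData is present, trailing bytes."""
    raw = base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))
    obj, end = cbor_decode(raw)
    return {"fmt": obj.get("fmt"), "keys": list(obj),
            "has_authData": isinstance(obj.get("authData"), bytes),
            "unused_bytes": len(raw) - end}  # cbor.me reports these as "unused bytes"

# Constructed samples (hand-encoded CBOR, lengths < 256 only), mimicking the thread's objects.
def _hdr(major, n):
    return bytes([major << 5 | n]) if n < 24 else bytes([major << 5 | 24, n])
def _tstr(s): return _hdr(3, len(s.encode())) + s.encode()
def _bstr(b): return _hdr(2, len(b)) + b

_COMMON = (b"\xa3" + _tstr("fmt") + _tstr("android-safetynet") + _tstr("attStmt")
           + b"\xa2" + _tstr("ver") + _tstr("14799021")
           + _tstr("response") + _bstr(b"eyJhbGciOiJSUzI1"))
GOOD = _COMMON + _tstr("authData") + _bstr(bytes(37))            # well-formed
BAD = _COMMON + b"\x17" + _bstr(b"F\x84F\x17FX") + b"\x00" * 5   # key uint 23, then trailing bytes

def to_b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
```

Running `inspect_attestation_object(to_b64url(BAD))` shows the third key decoded as the integer 23 instead of "authData" and a non-zero `unused_bytes` count, which is exactly the signature of the corrupted object in this issue.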

igorlogvin commented 2 years ago

Hello! Okay, @emlun, thanks for the very detailed answer. It really looks like the data got corrupted on the way to the server. It seems that this problem is not present for Android.

I'm closing this issue, thanks.