Yubico / python-fido2

Provides library functionality for FIDO 2.0, including communication with a device over USB.
BSD 2-Clause "Simplified" License

`CBOR_UNEXPECTED_TYPE` when using `allowCredentials` in `Fido2Client.get_assertion` #227

Open mpdn opened 3 months ago

mpdn commented 3 months ago

Hi. I seem to be hitting an issue where setting `allowCredentials` causes a `CBOR_UNEXPECTED_TYPE` to be returned. I am using a YubiKey 5C USB.

I am not totally sure whether I am structuring the parameters to the call correctly, but it seems to be translated into an underlying `PublicKeyCredentialDescriptor` correctly, so it seems odd that this is somehow translated into invalid CBOR.

I can replicate the issue with the following snippet:

```python
import fido2.features
from fido2.hid import CtapHidDevice
from fido2.client import Fido2Client
from fido2.utils import websafe_encode

fido2.features.webauthn_json_mapping.enabled = True

device = next(CtapHidDevice.list_devices())
client = Fido2Client(device, 'https://example.com')
client.get_assertion({
    'challenge': websafe_encode(b'foo'),
    'rpId': 'example.com',
    'allowCredentials': [{
        'type': 'public-key',
        'id': websafe_encode(b'bar')
    }],
})
```

sardok commented 2 months ago

Try disabling the `fido2.features.webauthn_json_mapping.enabled = True` line. `webauthn_json_mapping` changes the encoding method for bytes. `bytes` are serialized into `str` when this feature is enabled, where the device expects `bytes`.
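
The type mismatch described in the reply above, as an added illustration that is not code from python-fido2 or from either commenter: a credential `id` left as a base64url `str` encodes as a CBOR text string (major type 3), while raw `bytes` encode as a byte string (major type 2). The encoder, `check_descriptor` and the local `websafe_encode` stand-in are hypothetical helpers; the check models a receiver's type validation and is not YubiKey firmware behaviour.

```python
import base64
import struct

CTAP2_ERR_CBOR_UNEXPECTED_TYPE = 0x11  # CTAP2 status code named in the issue title


def _head(major, n):
    """CBOR initial byte(s): 3-bit major type plus the length argument."""
    if n < 24:
        return bytes([major << 5 | n])
    if n < 0x100:
        return bytes([major << 5 | 24, n])
    return bytes([major << 5 | 25]) + struct.pack(">H", n)


def cbor_encode(obj):
    """Minimal encoder covering only the types a credential descriptor uses."""
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj  # major type 2: byte string
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return _head(3, len(raw)) + raw  # major type 3: text string
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(cbor_encode(x) for x in obj)
    if isinstance(obj, dict):
        body = b"".join(cbor_encode(k) + cbor_encode(v) for k, v in obj.items())
        return _head(5, len(obj)) + body
    raise TypeError(f"unsupported type: {type(obj).__name__}")


def check_descriptor(desc):
    """Hypothetical receiver-side check: the descriptor 'id' must be a byte string."""
    if cbor_encode(desc["id"])[0] >> 5 != 2:
        return CTAP2_ERR_CBOR_UNEXPECTED_TYPE
    return 0


def websafe_encode(data):
    # Stand-in for fido2.utils.websafe_encode: unpadded base64url, returned as str
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample descriptors mirroring the snippet in the report
as_json = {"type": "public-key", "id": websafe_encode(b"bar")}  # id stays a str
as_bytes = {"type": "public-key", "id": b"bar"}                 # id is raw bytes

if __name__ == "__main__":
    for name, desc in (("str id", as_json), ("bytes id", as_bytes)):
        print(name, cbor_encode(desc["id"]).hex(), hex(check_descriptor(desc)))
```
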