Implement Attestation for TPM

[mstingl]

Currently, there is only fido-u2f, android-safetynet and packet attestation implemented. With the release of Windows 1903, Windows Hello can be used as a WebAuthn device, which is supported with Chrome, Edge and I think also Firefox. Implementing the attestation for tpm modules, fido2 could be brought to more users.

[mkalioby]

Windows Hello is working with version 0.6

[mstingl]

I have to disagree.

The fido2 package is on version 0.6 and all you get when you try to do a Fido2Server.register_complete is an UnsupportedType error.

I'll give you the relevant part of the stacktrace:

  File "...\app\models\user.py", line 715, in webauthn_register_complete
    auth_data = self.WEBAUTHN_FIDO2_SERVER.register_complete(state, client_data, att_obj)
  File "...\Python36\lib\site-packages\fido2\server.py", line 218, in register_complete
    client_data.hash
  File "...\Python36\lib\site-packages\fido2\attestation.py", line 77, in verify
    raise UnsupportedType(auth_data)
fido2.attestation.UnsupportedType: This attestation format is not supported!

The attestation format of Windows Hello is tpm, but there is no attestation class for this type.

[mstingl]

@dainnilsson

[dainnilsson]

The library does currently not support verifying TPM attestation. You can still use it with these credentials, just not verify their attestation. We'll likely add support for this format to the library at some point.

[mstingl]

I know that it isnt supported yet. Thats why I named this issue "Implement Attestation for TPM". I would highly appreceate it if someone would take care of it.

I was trying around to make a base implementation but I'm not that much into crypto that I can achieve a working solution.

If there is an other implementaion I could take as a reference, I could try it...

[baloo]

from what I've been able to observe, windows hello does not provide attestation, what happens is you need to supply a list of supported attestation that includes NoneAttestation to fido2.server.Server like:

from fido2.attestation import Attestation
from fido2.server import Fido2Server

def attestation_types():
    return [cls() for cls in Attestation.__subclasses__()
            if getattr(cls, 'FORMAT', None) is not None]

server = Fido2Server(
   # ...
   attestation_types=attestation_types(),
)

[baloo]

I'm not too sure this should be considered as a bug, or if this is an oversight in the implementation of fido2.server._default_attestations. Basically a windows hello would not come with an attestation and this breaks the Fido2Server. @dainnilsson would you have an opinion on this? I'd be happy to provide a PR to fix this if you think this is a bug.

[dainnilsson]

The platform authenticator in Windows seems to do different things varying between different machines. I've seen it return "tpm" attestation, "none" attestation, and "packed" attestation with no certificate (self-signed).

The reasoning behind not including "none" in the default_attestations list is that if the RP is explicitly requesting attestation, it probably wants attestation, and allowing "none" there seems like it should be an explicit choice rather than the default. The attestation_types argument to Fido2Server is there precisely for the ability to customize this behavior, as the snipped you supplied does (we do something similar on our own demo.yubico.com site). Does this reasoning make sense to you?

[baloo]

That makes total sense. We've been using attestation to guess the device type (nice to sort out which authenticator are plugged in), failure to provide attestation just means we won't show device type. Providing none where asked it not too much of a problem for us.

Thanks for the explanation

[mstingl]

@baloo sadly, your suggestion to add NoneAttestation doesnt work. I added the None Attestation to the attestation_types and tryed to do a webauthn register with windows hello on a surface book 2. The call was rejected with the same exception as abough: UnsupportedType: This attestation format is not supported!

[baloo]

@mstingl could you share the cbor output from the registration?

[mstingl]

@baloo sorry for the late feedback, i hope this data can help you

here is an example webauthn register flow of my implementation:

begin registration:

"credentials": {
    "publicKey": {
        "rp": {
            "id": "example.com",
            "name": "Example.com",
            "icon": "https://example.com/image.png"
        },
        "user": {
            "...": "..."
        },
        "challenge": "2EkHFmjfhPdiuMaX3lK5lT7mSOcvpTg6x-iyy8Ddkcg",
        "pubKeyCredParams": [
            {
                "type": "public-key",
                "alg": -7
            },
            {
                "type": "public-key",
                "alg": -8
            },
            {
                "type": "public-key",
                "alg": -37
            },
            {
                "type": "public-key",
                "alg": -257
            }
        ],
        "excludeCredentials": [],
        "timeout": 60000,
        "attestation": "direct",
        "authenticatorSelection": {
            "requireResidentKey": false,
            "userVerification": "preferred"
        }
    }
}

webauthn register complete feedback: client data:

{"challenge":"2EkHFmjfhPdiuMaX3lK5lT7mSOcvpTg6x-iyy8Ddkcg","origin":"https://example.com","type":"webauthn.create"}

attestation object:

{
    <KEY.FMT: 1>: 'tpm',
    <KEY.ATT_STMT: 3>: {
        'alg': -65535,
        'sig': b"d\x9d\x1b\x1f0\tz\xd3f\x1b\xa9\xd2\xfa\xabN\x9c^\x86\x8d\xe3*\xf269\x0f\x1c\xe2\xd4U\xc4>\xcaU\x97u\xe6\x9b\x85\xa9\xea\xdb\x85\xb0\x9cN\x0c\xce\x0bP\xa0\x85\xb0\x10\xdc(\x9a\xbc\xc5\xbd\xa9\r2*\x10\xd4P\xfb\xf0\xd5 E\x0f\x81\xf2\xbdb\xa1\x0by\xe6\xf3\xe0\xff\x11\xce'+\xcbB\x0c\x93H\x020\xc2\x9e\x9e\xcb66\r!\x9b\xae#\x01\xfa=\xeb_hz\x1d\xef\xd6\xb1\xc4\x16$^V\xeb\x8a\x92\xf6\xf2\xb3\x1e\tnM\x08}x\xd2\x0b!\xbc\r<o\xdc\xbbn)}dH\xbaK\x1a\x1a<U\xd5Z7\xe3\x90\xccqY\n;}\x81L\xe5Bi\xe6\xb3-\xf1\xc0W\x9f?\xbbN\xc3\x86\xf2\xdfP\xc3\xd4\\-&9\xb2\xd9>\x9cD\x99\xbc<'1\x8fw\xa7\x10\xfc\xcd-\xc8\x93\x15\xb4\xfc>\xac\x91B`\xbf.\x8d\xc7\x0e\x90\x0e\xe2\x8bs|>\xf6\x1dF\xb7\x1f \xcf\xbd#\x0fZ\xe2\x19\x8e\xd7\xf3\xaa\xed\xa1*B\xa1\x1bLB\xc2", 'ver': '2.0', 'x5c': [b'0\x82\x05\xb10\x82\x03\x99\xa0\x03\x02\x01\x02\x02\x10=\xbfI\xc5\xe6{Oz\x99\xd0\xb4\x16"\x16\xaeO0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000A1?0=\x06\x03U\x04\x03\x136WUS-NTC-KEYID-1591D4B6EAF98D0104864B6903A48DD0026077D30\x1e\x17\r190523190822Z\x17\r250321203042Z0\x000\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xac\x83\x06a&\xbe\x92\xb4\xe2\x9f\xbf\xd6q\\\t\x9f9iMYR\x9d\x90\xb7\x8a\xdb\xbcwd\xc4\xdch\x1e\x16*\xd3FR\x10L\x8b\xccX\x118\x9e\x83\xbb@\xda?\x92;5\x83\xcc\xfe\x90\xce\x14\x91\xa17\x0b\x98\x02O\xee9=s\xb9\x0b\xc7Cg\x80\xf6\xe6\x98FI\xdcI\xd92l\xdd6p#\x08cY\xea\xd9K\xef\xa7{\xea4\xdb\x98\xf1\xcdy\xf6\x04G\xd7\xfe\xd0Sl\x12\xf0\xdb\x1e\xba\x85\x82r\x94\x9f\xf4 \xfd\x07\x1em\x1b-?\xd9\xe6\xd5\xad\xf9\x07\x11z\xbe\xff\x0eI\xad\xb4\x1d\x84\x9e\xfd\xc5\x80dm\x1ct\xa1O\x8d,\xccs\x98\x1f\x91\x82\x95\x16\xec\xec\xfb7FD\xde\xf1<\x7f\xef\x91Puc0_\x80q\x84\x8e\x88\x07d>\xbd\xb6\xd5QtO\xe4\xd5\xce\xfeu\xfe\xa5\xe9Q%\xc1fkX\xe5\xcbi\xa8\xd5\r\x16\xea\x18H\x8d.i\xf0 \x1e\x19\xc2\xad{\x9d&\x86\xbc9|\xa3;\xf6\xe2\xbd\xe3!\xd3P\xdar;:\x92\x01\x02\x03\x01\x00\x01\xa3\x82\x01\xe40\x82\x01\xe00\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x07\x800\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000m\x06\x03U\x1d \x01\x01\xff\x04c0a0_\x06\t+\x06\x01\x04\x01\x827\x15\x1f0R0P\x06\x08+\x06\x01\x05\x05\x07\x02\x020D\x1eB\x00T\x00C\x00P\x00A\x00 \x00 \x00T\x00r\x00u\x00s\x00t\x00e\x00d\x00 \x00 \x00P\x00l\x00a\x00t\x00f\x00o\x00r\x00m\x00 \x00 \x00I\x00d\x00e\x00n\x00t\x00i\x00t\x00y0\x10\x06\x03U\x1d%\x04\t0\x07\x06\x05g\x81\x05\x08\x030J\x06\x03U\x1d\x11\x01\x01\xff\x04@0>\xa4<0:180\x0e\x06\x05g\x81\x05\x02\x03\x0c\x05id:130\x10\x06\x05g\x81\x05\x02\x02\x0c\x07NPCT6xx0\x14\x06\x05g\x81\x05\x02\x01\x0c\x0bid:4E5443000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xf0\x1b\xe7r\xbe\x1d\xa3\n\xaf=\xa5\xd6+\x9c|\x94\x14"\x01\xfd0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xc9m\xf7\xc5\xfb\xe3\x1a\x130k\xe7|\xb4\xc0\x9f\xcc\xa9\x81\xa1D0\x81\xb2\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04\x81\xa50\x81\xa20\x81\x9f\x06\x08+\x06\x01\x05\x05\x070\x02\x86\x81\x92http://azcsprodwusaikpublish.blob.core.windows.net/wus-ntc-keyid-1591d4b6eaf98d0104864b6903a48dd0026077d3/f7edb00c-ded5-4144-8194-057ab5c96529.cer0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00.M|\'`\x03\x1c\xf1\xfa\xc9y\xf6\xaa\xc0\xc2\x8aYd7\x88^s\x0f\xa1\xf1\xf8v\x12\xb9@\xd3\x10\xd0l\x04A5\xf7\xaaU\xe4\xe7\x1f"\xac\xf368[\xeed!\xf1\xd4*\xfa\x9fQ\x8a\x95f8m\xf1\xc1\x86\xca\xc5=Y7#Wv\x91\xdc\xd5G\x00\x87|\xcfh\x87\x04\xf1\xf7\x81\xadd6=Q\xe8\xb8\xe6\xc1\xc4\xb4\xb9/K\xfc\xbfn; Xp?w\xb2\xef\x08\xb8\xd9\xf2\xb2\xf0^\x08\xa7\x85\x01\xd1\x86\xb2.=\xe4\x9aY\xbf<\x8eV#\x95\xe0\x12w\xdc\x1c\x07{E\xd9\xbf"\xc5\xb6?\xac\x08\xaaa\xfe\xfc\xa1B\xa7\xae\x97r\xeeW\xa5\xa1Af\xe3\xa1JI\x10Y\x9bm\x8b\xb1\xfc\xc4\xac\xf7c\xe6\xa5\xc1\xf4\xa8\x0fT\x9eY\x87\xe9\xec\xe52\xd0\xfaI\'7\xd6\xe1\xe1\xe2B\xb4\xb8\xe2\xf2\xadW\xf2\xe1\x0c\xdc\xc9A\x1d\xcd,\x83\xa6J\x05 \xf3\xe149\xd0\x874y\xb1tY\xc797\xa3d\x8f\xab\x8a\x91\x04g\xee\x83\xecuX\xc9\xb3D!Q\xf6\x037W\xe1\xf0:\x8f\xa3\xbcV\xc4-\xfe\x91_\xc9\x14\xed\x9f\x99\x7f\xe1Z\xfd\xb0\xda\x19m\x8f+=\xfd\xdc\x8d9\x86\xf5\x11\xa32\xc4\xb7;]Nb\x94m\xe9T\x05\xc5.Rf\xd8\xa4\x0b\x1e\xdaU\xa7\x8d\xa0D\x8a\xc9\xc1\t\x06Q\xd1\x91\x8fg\xf5+j\x94z\xfb\xcf\xd8%\xf2\xcfmf\xb96\xd1P\xfc \x81^\xfd\x91Hf\xe9\xd0\x8b-\x91\xfd\x15\xcc\x0f\x16\xc5\xc3\x16\xf4X\xac\xfc\xd3\xec~R3$\x8f\x06\x11\xab\x06\xed\xca(\x03D\xacb>\xdb\x1aXT\'\x9b\x7fG?>Ev-$\x12\xcb/\xfa\x04\xb8on+\xb27\xa7Qe&\xda\x14U\xf7\xd2\xc2\xea\xe9b\xf7W!\x07\xb6\xceL\xd8\x1b\x16c\xc2\x95\x15\xc5s\x1e\xd7\x1b!\xd9h_\xee\\te\x90\xe2l\x0e\x0b\xf2\x80\xea\x1a\xdb\xde\x13\xce\x13u\xb0~\xba\xeb\xabv\xcaC\n\xb5\xe6\x9ax\x95\xb0\xe0\xba\xc5\xc6(\x99\xae\x93\x877\x94\xa4\xdd8}n\xa5g\xed', b'0\x82\x06\xeb0\x82\x04\xd3\xa0\x03\x02\x01\x02\x02\x133\x00\x00\x02\xa5\x02V\xbbm\x88\x8b\x17\x86\x00\x00\x00\x00\x02\xa50\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000\x81\x8c1\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x130\x11\x06\x03U\x04\x08\x13\nWashington1\x100\x0e\x06\x03U\x04\x07\x13\x07Redmond1\x1e0\x1c\x06\x03U\x04\n\x13\x15Microsoft Corporation1604\x06\x03U\x04\x03\x13-Microsoft TPM Root Certificate Authority 20140\x1e\x17\r190321203042Z\x17\r250321203042Z0A1?0=\x06\x03U\x04\x03\x136WUS-NTC-KEYID-1591D4B6EAF98D0104864B6903A48DD0026077D30\x82\x02"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\n\x02\x82\x02\x01\x00\x92\x95\x08k\xa5;+\xc7\xb6NPp\x8c\xcc\xbe\xdc4$\xc83 \xb4\x1d@\x99\x85 \xc1P\x9b\xde\xfd\xcb\x85~KBi<\xc3\xc8\x1fk\xd0\rs\x92\xb6,\x18r\x81\x91\x97#\xba\xb3\xc9\xc8\xf1~Vb%\x8c\x828\xc9\x0f!-\x9a\xf9\x0fuN\x85\xc0\x8a\x96\x9e\xdf\xff.\xa3\xe9\x0f\xb2\xb3\xcf\xfc\xe0\xca(+!P&\x93\xeb\r2\xb6y\xd7\x9fo\xa70TSZ\x01\xf2\xa6\x85\x1dN\xea\xd8\x04\x0b\xb3\xc9p\xcdnFO"\xe9|\x9e\x9b\x8d\xe8U\x16;$\xea\x05\x99]4D\xec\xab\x16\xf45\xd1\xf1\xcd\x18r1\xc3\xe4A\x1a-p.v\r0\xed\xe6b\xb03\tF\xb1\x85C=T\xa0\xffU\nG\x03`\x11\xb7\x9e*K\xd7\x8b\xbb\x1b\x06\xc4kXB\x16\xa1\x0c\x90\xb4\xaa;\xce\xa5\xf5\xec\xbc\xc5\xc8-A\xb2\xb3;\xb1\xdc\xf7j\x1b\xb6g\x85a\x8aF0\x85X\x9c;\xfa!\x95\xe4 \x81W\xf4$\x84H\xd8w\xdb\xe4\xfe\xbbZ\x89\n\xdcM}\xaa\xb4\x96t\x8b\x7f[\xb8S\xbe@\xa4\xdf$\x1clm\x7f\xbfLE,\xae\x92\x97T\x8a\xf3#\x9e{\xfdZ\xed\xd5bC\xfe\xa9c\x18`y\x9f\xa1m\xde\xf9\xe4\x11\xce\xf4!A\x02\xaf\x9e\x18\x97\xdft[\xd2\xa4\xf9\xd4\xbcd\xbeC\x80\xc3lI\x97\x99\x9b\xda\xf8T I\xe7\xf97\xa1_\xcd\xf3\x9a\x9e\x8d\xa1\xcdR\x8f\xaac\x1fP\xb4>8\xfeer\x93.\xa2\xf9l\x84\x8b\xa1u\xa7j\xa8@\x8dBc{\xe6<_/oE=?\xa0\xfb\r|\xe7\x9ct\xbe\x82\xc2\xf7\x96\x853>2^\x98\x02\x1f=\x8a-\x9bS\xf3\x18G\xca\x03b\xe3\xb0\xf4WdA\xea\xe1\xc0\x1a\xba5\x0e5\xed\x8b\xab\xd7Hj~^\xcf\xcb\xa0\x93\x9c\x9dY\x9b\xc3\t\xcd\xc2ov\xa5\xf6bE\xee\xd5\xb8\xdb\xb2\x80\xb0C\x16\xe4]\xd4\xbe\xcc!\xc1V\xc5\xb1V\xa6\xb8\x16Z\x86\xae\xe8\x96]\x04\xe0\xe2fn!\'\xd7\xdcB:\x16\x15\xc7\xa0s\xf3g\x0b}\x9b+\x01\x02\x03\x01\x00\x01\xa3\x82\x01\x8e0\x82\x01\x8a0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x02\x840\x1b\x06\x03U\x1d%\x04\x140\x12\x06\t+\x06\x01\x04\x01\x827\x15$\x06\x05g\x81\x05\x08\x030\x16\x06\x03U\x1d \x04\x0f0\r0\x0b\x06\t+\x06\x01\x04\x01\x827\x15\x1f0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xf0\x1b\xe7r\xbe\x1d\xa3\n\xaf=\xa5\xd6+\x9c|\x94\x14"\x01\xfd0\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14z\x8c\n\xce/Hb\x17\xe2\x94\xd1\xaeU\xc1R\xecqt\xa4V0p\x06\x03U\x1d\x1f\x04i0g0e\xa0c\xa0a\x86_http://www.microsoft.com/pkiops/crl/Microsoft%20TPM%20Root%20Certificate%20Authority%202014.crl0}\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04q0o0m\x06\x08+\x06\x01\x05\x05\x070\x02\x86ahttp://www.microsoft.com/pkiops/certs/Microsoft%20TPM%20Root%20Certificate%20Authority%202014.crt0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00\x89\xba\x9e\nC1sM\x13\xd8\x1a\xf1\x0bt\xb9RK\x17\'\xfc\xdcW=\xe4\xfa\x19\xc6\x80\x16d\xa9\xfb\xdcOd\t\xe9\x12\xb8\xda\x8f\xefBT\x18\x08\xb8\x19#\x94Up+b\xa7\xa9]\x8c\xd6\x87\x13\x9a\x1a\x89\x94\xbd\x8e\x8a\x81\xfe-\x00\xb7\xd0R\x17#\xd5wc\xe7\xd8\x94\xcf8\xcc\xd8\x0b\xec\xc2\x8c\x89H\x0b\x0f\x0bx\n\xcd\xab\xba\x8fM"g\xa7\xed\xee!i)\x1e\xc5\x1c\xd9\x8d\xa5\xae\xb4\xbb\xfe\x92\xdex\x96\xa7\x99\xe3\xa2\xb7\x13\xe0-\xbeY\x0b8m\'\x16\x0eR\x18H9\x840:\xda\x1f\xb7\x11mpy\'\x1b\xcb\xf0=S\x12R3\x1d\xf3J\x87F;Q\x85):e\xd0\xb8.Rpu\xe7K\xce\x8a+\xef\x17\x94\xdc\xab\xf3\x0e>\x12\xf8\xba\xbcj:(\xd4FZ=R\xaf\xdc\x8c\x83>i\xd8\xc3\xb3\xe6"\x10\xfb\x06\xeb\t\xbd\xfeJ\xac\xf8&\xcd\xa7~\\*\xcb{2\xefy\xa48\xb8B\xe0\xc6\xf2E\x00Q|3\xb8\x8b\xfc\xa6\xeb-q!\x9a\xb4\x13`Ej+\x1f\r\xa5Q`\xb19\xdd\x9eQ\x1f(\x9f\x08\xeb:\x93\x8d\xd5\xa0\xe9\x08=\xe6\x02]\x8a\xe8w\xd2\xa9\xd1\xaee\xed\xa9*Y)\xee\xd5\xc0\x16ks\xf2x\xc7\xb9k\xfd\xd8\xa15\x03\n\xe6\x8c\x1al\x91\xfck\x0fT\xfc\xf64\x8b\x82i"\x8a\x97\xf6\x0e\x07\xfb\xa3\xe4\x16\x13\xed\xc7\t\xfa9\xf4*\xc4\xa7\xef\xeb5\x16\xc4\x8e\x8a\xca\x85\x1b\x10\xd4!\xf5\xefB;J\xd6\x9f\x98Lw\xf5\x12\xa1\xbb\xce\x04\xca~@\xa3w\xcaU\xc2\x90p\xee\x9c+(\'B;L\xc4B"\xc2\xcaID\xdc\xe5\xaa\x8c\xd4\x12\x15x\xd2\x0c(?\xec3\x82#\x82\xc3\xc1\xbd\xb4\x180r \x1a\xeeO\xfb[\xb70\xb9T\xc1prv\xd3\x15p\xb8D\x96\x0e\x83\x88[\xdd\x13\xb0\x88\x0e9\x08V\x14Z\xd0\x02\x99\x87\xf4?\xdf\xd7}\xf2g\x81\x13V\xeb\xef\x16\xe4\xb6\xdf\xff~b\x9f\xc0\xe6\x81\x8f\xd8)*\xdabh\xaf\xc1\xad;w\xdd\x1a\xbd\x89A'], 'pubArea': b'\x00\x01\x00\x0b\x00\x06\x04r\x00 \x9d\xff\xcb\xf3l8:\xe6\x99\xfb\x98h\xdcm\xcb\x89\xd7\x158\x84\xbe(\x03\x92,\x12AX\xbf\xad"\xae\x00\x10\x00\x10\x08\x00\x00\x00\x00\x00\x01\x00\xbb\xbe\x13*\xc2\xbf\t\x083q\xaa\xd1\x9e\xbd\x85\xfc\xf5I \x8b\xf7\x90j\xf4J\x99n\xdc\x90\xf8\xac,<k\xaf\x10\xa1\xd3CCU\x90&U\xaan\xa6\xf4q\xf2D\xb7N\xe1=\x16\xa2\xf8z\x03\\\xde\x95\x7f\x8d\xd6{3\xec\x81\x97\x88\xd7K\xc11\xd8\x98]\xde[y\xaa`P\x1c\xf2o,Z[\xd3\x95\x01\x16\xcaE\x0e\xecb\xed\x17\x7f\x0f\xba\xb6C\'\x8at\xd4\x1a1 \xc4/?\xc4\xbd-<\xa4\xa0\xf9av\xceB~\xc8\x18\x97\xbb\xc2CqWbk:,\xc8\xfe\x0fT\x05J\xfe\xdeu/\x8e\x0b\xc5k\x1d\xdf\xdd0\xa8\xe7\x152\xd26\xb0\xb1\xf2=\xb5Y\xe0\x7f\x1b\xe4\xad\x18xTX\x97\x9b\xb1G\x93DU\xa6\xfa\xf4\x97\r\xf7\x84\xe2\x90\xc01\x0bcvSH\x7f[\x92\xa8)\x98\x92\x07\x95\xf1X}:\xe2q\xe1\x18\xadz\x8b\xab\xa8\xbbX\xc5m(\xcdY\x84!\x8b\x18\xcd\xec\xd2\x96%\xd7\xbc\xee4F?L\x1e[\xcf\xd9=\x13wI',
        'certInfo': b'\xffTCG\x80\x17\x00"\x00\x0b\x17\xe6\x15\x83C\x06\xef\xef\x07\x0b\xa7\xcf}\x14\xcc}\xc5\x12\xca\xfc8V\xfdy\xef\xc4\xd5\x06+PH\xce\x00\x14\xd5\xf6\xe7\xfb\x94\xb1O9=\xa1\x06\xd0\xfa\xfeG\xc5\x04y\x99\x12\x00\x00\x00\x01\xbcq\xd4X\xd8U7y\xbc\xb4\xbfC\x01\x979\xc2\xabu\x07B\x1d\x00"\x00\x0b9\x8d_qg{\xc9\xcd\xb6\x83]\xc1\xd8{\xeeLf\xc0\x82a\x0f\xac\xc2;\x0c,\x11\xd6;^\xaex\x00"\x00\x0b:\xda>\x08s"C|\xd6\xb4\xea\x9e\x8a!\xbe\xa2\x8d\xa41\x86\xe8\x97\xfd\x88\x03\xee\x19\x13?\x0c\xb7\xdc'
    },
    <KEY.AUTH_DATA: 2>: AuthenticatorData(
        rp_id_hash: h'ce07fecb63222ac25e7183699d722f8f3a86dfe377c432114fe594b08613c4d8', 
        flags: 0x45, 
        counter: 0, 
        credential_data: AttestedCredentialData(
        aaguid: h'08987058cadc4b81b6e130de50dcbe96',
        credential_id: h'30304e3244d7e3cc1860b0d3f77e29fc19f8c7369695119d805a536610da666a', 
        public_key: {
            1: 3, 
            3: -257, 
            -1: b"\xbb\xbe\x13*\xc2\xbf\t\x083q\xaa\xd1\x9e\xbd\x85\xfc\xf5I \x8b\xf7\x90j\xf4J\x99n\xdc\x90\xf8\xac,<k\xaf\x10\xa1\xd3CCU\x90&U\xaan\xa6\xf4q\xf2D\xb7N\xe1=\x16\xa2\xf8z\x03\\\xde\x95\x7f\x8d\xd6{3\xec\x81\x97\x88\xd7K\xc11\xd8\x98]\xde[y\xaa`P\x1c\xf2o,Z[\xd3\x95\x01\x16\xcaE\x0e\xecb\xed\x17\x7f\x0f\xba\xb6C'\x8at\xd4\x1a1 \xc4/?\xc4\xbd-<\xa4\xa0\xf9av\xceB~\xc8\x18\x97\xbb\xc2CqWbk:,\xc8\xfe\x0fT\x05J\xfe\xdeu/\x8e\x0b\xc5k\x1d\xdf\xdd0\xa8\xe7\x152\xd26\xb0\xb1\xf2=\xb5Y\xe0\x7f\x1b\xe4\xad\x18xTX\x97\x9b\xb1G\x93DU\xa6\xfa\xf4\x97\r\xf7\x84\xe2\x90\xc01\x0bcvSH\x7f[\x92\xa8)\x98\x92\x07\x95\xf1X}:\xe2q\xe1\x18\xadz\x8b\xab\xa8\xbbX\xc5m(\xcdY\x84!\x8b\x18\xcd\xec\xd2\x96%\xd7\xbc\xee4F?L\x1e[\xcf\xd9=\x13wI", 
            -2: b'\x01\x00\x01'
        }
    )
}

[baloo]

@mstingl That's weird, it looks like you're missing some fields in the attStmt field. There should be a pubArea. Would you mind sharing the cbor itself? Can't do much with that output.

[mstingl]

@baloo what cbor output do you mean and where can i get it? I grabbed the attestation and client data with the debugger just before it should be passed to Fido2Server.register_complete()

Part of my code, where register_complete is called, self is a django model and data is the post data the client sends

        state = {
            'challenge': self.challenge,
            'user_verification': USER_VERIFICATION.PREFERRED,
        }
        client_data = ClientData.from_b64(data['clientData'])
        att_obj = AttestationObject(websafe_decode(data['attObj']))

        if settings.DEBUG and client_data.data.get('origin') == "http://localhost:8000":
            client_data.data['origin'] = "https://localhost:8000"

        auth_data = self.WEBAUTHN_FIDO2_SERVER.register_complete(state, client_data, att_obj)

[baloo]

I guess the base64 encoded value would do just fine, a dump of your data struct there ideally

[baloo]

should be fixed in master, I believe we can close this issue.

[mstingl]

Thanks.