duo-labs / android-webauthn-authenticator

A WebAuthn Authenticator for Android leveraging hardware-backed key storage and biometric user verification.
BSD 3-Clause "New" or "Revised" License

Does not handle user.id as json object gracefully #10

Closed StefanLobbenmeier closed 3 years ago

StefanLobbenmeier commented 3 years ago

From webauthn.io I get this JSON (later in the issue) - the user.id in it is encoded as an object:

    "id": {
      "0": 243,
      "1": 210,
      "2": 9,
      "3": 0,
      "4": 0,
      "5": 0,
      "6": 0,
      "7": 0,
      "8": 0,
      "9": 0
    }

but this library expects it to be encoded in base64 and cannot handle the object version of it.

    {
      "challenge": {
        "0": 229,
        "1": 201,
        "2": 40,
        "3": 1,
        "4": 241,
        "5": 234,
        "6": 199,
        "7": 52,
        "8": 18,
        "9": 48,
        "10": 178,
        "11": 210,
        "12": 146,
        "13": 73,
        "14": 159,
        "15": 202,
        "16": 161,
        "17": 20,
        "18": 228,
        "19": 115,
        "20": 10,
        "21": 84,
        "22": 214,
        "23": 124,
        "24": 161,
        "25": 205,
        "26": 92,
        "27": 35,
        "28": 164,
        "29": 142,
        "30": 1,
        "31": 184
      },
      "rp": {
        "name": "webauthn.io",
        "id": "webauthn.io"
      },
      "user": {
        "name": "dzigf",
        "displayName": "dzigf",
        "id": {
          "0": 243,
          "1": 210,
          "2": 9,
          "3": 0,
          "4": 0,
          "5": 0,
          "6": 0,
          "7": 0,
          "8": 0,
          "9": 0
        }
      },
      "pubKeyCredParams": [
        {
          "type": "public-key",
          "alg": -7
        },
        {
          "type": "public-key",
          "alg": -35
        },
        {
          "type": "public-key",
          "alg": -36
        },
        {
          "type": "public-key",
          "alg": -257
        },
        {
          "type": "public-key",
          "alg": -258
        },
        {
          "type": "public-key",
          "alg": -259
        },
        {
          "type": "public-key",
          "alg": -37
        },
        {
          "type": "public-key",
          "alg": -38
        },
        {
          "type": "public-key",
          "alg": -39
        },
        {
          "type": "public-key",
          "alg": -8
        }
      ],
      "authenticatorSelection": {
        "requireResidentKey": false,
        "userVerification": "discouraged"
      },
      "timeout": 60000,
      "extensions": {
        "txAuthSimple": ""
      },
      "attestation": "none"
    }

StefanLobbenmeier commented 3 years ago

I was able to see why - webauthn.io calls

            makeCredentialOptions.publicKey.challenge = bufferDecode(makeCredentialOptions.publicKey.challenge);
            makeCredentialOptions.publicKey.user.id = bufferDecode(makeCredentialOptions.publicKey.user.id);

to convert the base64 to a Uint8Array before calling the browser API. I will have to manually revert that before calling JSON.stringify on this Uint8Array.

StefanLobbenmeier commented 3 years ago

To revert, https://webauthn.io/ uses

    function bufferEncode(value) {
        return base64js.fromByteArray(value)
            .replace(/\+/g, "-")
            .replace(/\//g, "_")
            .replace(/=/g, "");
    }
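
The serialization behaviour discussed in this thread, as an added example that is not part of the issue, webauthn.io, or this library: it encodes `challenge` and `user.id` as base64url before `JSON.stringify`, and also recovers the bytes when a payload has already been flattened into the index-keyed object shown above. All helper names are hypothetical; the byte values are taken from the JSON in the issue.

```javascript
// Added example: helper names are hypothetical; byte values come from the issue's JSON.

// Unpadded base64url, the same output shape as the bufferEncode quoted above.
function toBase64Url(bytes) {
  const b64 = typeof btoa === "function"
    ? btoa(String.fromCharCode(...bytes))
    : Buffer.from(bytes).toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
}

// Rebuild bytes from the {"0": 243, "1": 210, ...} object that JSON.stringify
// produces for a Uint8Array. Rejects gaps, non-canonical keys and non-byte values.
function bytesFromIndexedObject(obj) {
  const keys = Object.keys(obj);
  const out = new Uint8Array(keys.length);
  for (const key of keys) {
    const index = Number(key);
    const value = obj[key];
    if (!Number.isInteger(index) || String(index) !== key || index < 0 || index >= keys.length) {
      throw new TypeError("not a dense byte-index object: key " + key);
    }
    if (!Number.isInteger(value) || value < 0 || value > 255) {
      throw new TypeError("not a byte at index " + key);
    }
    out[index] = value;
  }
  return out;
}

// Accept any shape a binary WebAuthn field can arrive in and return base64url.
function encodeBinaryField(value) {
  if (typeof value === "string") return value; // assumed to be base64 already
  if (value instanceof ArrayBuffer) return toBase64Url(new Uint8Array(value));
  if (ArrayBuffer.isView(value)) {
    return toBase64Url(new Uint8Array(value.buffer, value.byteOffset, value.byteLength));
  }
  if (value !== null && typeof value === "object") {
    return toBase64Url(bytesFromIndexedObject(value));
  }
  throw new TypeError("unsupported binary field");
}

// Serialize creation options with challenge and user.id as strings, not index maps.
function serializeCreationOptions(options) {
  return JSON.stringify({
    ...options,
    challenge: encodeBinaryField(options.challenge),
    user: { ...options.user, id: encodeBinaryField(options.user.id) },
  });
}
```

Rejecting sparse or out-of-range entries matters here because `user.id` and `challenge` are compared byte-for-byte later in the ceremony; a silently truncated or zero-filled value would only surface as a failed verification.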