Closed 0xC4DE closed 9 months ago
Does the pem_root_certs_bytes_by_fmt
argument in verify_registration_response()
not fulfill your needs?
It doesn't do exactly what the old trust_anchor_dir
and trusted_attestation_cert_required
enabled, but you should be able to achieve something similar by 1) specifying root certs in pem_root_certs_bytes_by_fmt
for AttestationFormat.FIDO_U2F
, and then 2) rejecting if VerifiedRegistration.fmt
is not AttestationFormat.FIDO_U2F
.
verification = verify_registration_response(
credential=credential,
expected_challenge=challenge,
expected_origin=expected_origin,
expected_rp_id=rp_id,
pem_root_certs_bytes_by_fmt={
AttestationFormat.FIDO_U2F: [CUSTOM_CERT_PEM.encode("ascii")]
},
)
if verification.fmt is not AttestationFormat.FIDO_U2F:
raise Exception("Detected unsupported attestation format")
Something like that 🤔
Hmm. It would be nice if it did handle loading the certs from a filesystem instead of expecting bytes in x509, there is a helper for it though. Pretty sure your solution should work.
Would it be true that pem_root_certs_bytes_by_fmt
would only validate certificates that exist under the specific certs provided in CUSTOM_CERT_PEM
? I'm unclear since under the hood the pem_root_certs_bytes_by_fmt
only extends and maybe allows certs that are signed by FIDO_U2F, but dont exist in the set of custom certs. Instead just providing stronger validation for those that exist under the root FIDO_U2F cert.
As an aside I'm having weird issues with my yubikey, the attestation is coming up as none (at a higher level than this library), even though it should be coming up with something. (I forgot to set attestation=AttestationConveyancePreference.DIRECT
, also Yubi uses AttestationFormat.PACKED)
Would it be true that
pem_root_certs_bytes_by_fmt
would only validate certificates that exist under the specific certs provided inCUSTOM_CERT_PEM
?
Yes, right now no certificate chain validation occurs because py_webauthn doesn't provide any default certificates. The "extends" you mention isn't augmenting any existing list of certificates with those provided in pem_root_certs_bytes_by_fmt
- [].extends([])
is a pythonic way to append values in one list into another list, so it's all one big list.
pem_root_certs_bytes
is always initially empty, and I'm simply adding into it whatever certs might have been specified in pem_root_certs_bytes_by_fmt
for the fmt
specified in the attestation statement. I've left it as an exercise for the RP dev as to which certs actually get used for attestation statement certificate chain validation.
Yes, right now no certificate chain validation occurs because py_webauthn doesn't provide any default certificates.
I should clarify myself here, a few attestation statement formats include their own known root certificates which means certificate chain validation does occur even if you don't specify any values for pem_root_certs_bytes_by_fmt
. This includes "apple"
, "android-safetynet"
, and "android-key"
:
For formats like these pem_root_certs_bytes_by_fmt
also gives RP's a way to specify updated root certificates if the root certificates included in this package expire. Ideally it'll never need to be used for this but just in case it's possible.
I don't think there's anything more to do here so I'm going to close this out. Please feel free to reopen if I've missed an actual issue with the library.
Hello, I am currently updating an application that utilizes an old version of this library (<1.0). In this version, there was reference to a folder named
trusted_attestation_roots
inWebAuthnRegistrationResponse
. (https://github.com/duo-labs/py_webauthn/blob/2c2c9f7a16cdd96531d3dea8acbb70863bf1f6c3/webauthn/webauthn.py#L255) That was used for the purpose of allowing only specific attestation certificates during registration.It is unclear to me if there is a similar flow available in the latest version of this library, I do see the flows available in https://github.com/duo-labs/py_webauthn/blob/master/tests/test_verify_registration_response_android_key.py, and other related test files. But I am uncertain if it functions at-all similarly.
Ideally, something in
verify_registration_response
that can function similarly to the oldtrusted_attestation_roots
would be ideal. But something such as the following:would also be acceptable, I think.