eclipse-vertx / vertx-auth

Apache License 2.0

WebAuthn : Apple attStmt does not contain "alg" field #453

Closed tcompiegne closed 3 years ago

tcompiegne commented 3 years ago

Version

Which version(s) did you encounter this bug in?

4.0.0

Context

I encountered an exception which looks suspicious while trying to use an Apple FaceID device with direct attestation.

NPE at:

  // meta data check
  metadata.verifyMetadata(
          authData.getAaguidString(),
          PublicKeyCredential.valueOf(attStmt.getInteger("alg")),
          certChain);

"alg" value does not exist.

Here is the format of Apple anonymous attestation:

https://w3c.github.io/webauthn/#sctn-apple-anonymous-attestation
https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/

Steps to reproduce

  1. Set up vertx webauthn with direct attestation option
  2. Register Apple FaceID device


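The following is an added illustration, not code from vertx-auth or from the reporter, of why the call above throws: Vert.x `JsonObject.getInteger("alg")` returns a null `Integer` when the key is absent, and passing it to a method with a primitive `int` parameter unboxes it and throws `NullPointerException`. The linked W3C section defines the `apple` attestation statement as carrying only `x5c`, so `alg` is legitimately missing there. `CoseAlg` is a hypothetical stand-in for vertx-auth's `PublicKeyCredential` enum, `verifyMetadata` is a hypothetical check, and the attestation statements are constructed JSON shapes (real ones are CBOR maps); the example needs only `vertx-core` on the classpath.

```java
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;

import java.util.Optional;

/**
 * Shows the failing "alg" lookup on an Apple anonymous attestation statement
 * next to a null-safe lookup that treats "alg" as optional.
 */
public class OptionalAlgCheck {

    /** Hypothetical stand-in for PublicKeyCredential, reduced to two COSE identifiers. */
    enum CoseAlg {
        ES256(-7), RS256(-257);

        final int coseId;
        CoseAlg(int coseId) { this.coseId = coseId; }

        /** Primitive int parameter: a null Integer argument is unboxed here and throws NPE. */
        static CoseAlg fromCoseId(int coseId) {
            for (CoseAlg a : values()) {
                if (a.coseId == coseId) return a;
            }
            throw new IllegalArgumentException("unknown COSE alg " + coseId);
        }
    }

    /** The failing shape from the issue: "alg" is assumed to always be present. */
    static CoseAlg algStrict(JsonObject attStmt) {
        return CoseAlg.fromCoseId(attStmt.getInteger("alg")); // NPE when "alg" is absent
    }

    /** Null-safe lookup: "alg" is optional, as in the fix the maintainer describes. */
    static Optional<CoseAlg> algOptional(JsonObject attStmt) {
        Integer alg = attStmt.getInteger("alg");
        return alg == null ? Optional.empty() : Optional.of(CoseAlg.fromCoseId(alg));
    }

    /** Hypothetical metadata check: the chain is always required, the alg only checked when present. */
    static boolean verifyMetadata(String aaguid, Optional<CoseAlg> alg, JsonArray x5c) {
        if (aaguid == null || x5c == null || x5c.isEmpty()) {
            return false; // nothing to anchor trust in
        }
        // Apple anonymous attestation carries only x5c; a missing alg is expected, not an error.
        return alg.map(a -> a == CoseAlg.ES256).orElse(true);
    }

    public static void main(String[] args) {
        // Constructed statements: Apple-style (x5c only) and packed-style (alg, sig, x5c).
        JsonObject appleStmt = new JsonObject()
            .put("x5c", new JsonArray().add("<base64 DER leaf cert>").add("<base64 DER intermediate>"));
        JsonObject packedStmt = new JsonObject()
            .put("alg", -7)
            .put("sig", "<base64 signature>")
            .put("x5c", new JsonArray().add("<base64 DER leaf cert>"));

        try {
            algStrict(appleStmt);
        } catch (NullPointerException e) {
            System.out.println("strict lookup on Apple attStmt: NullPointerException, as reported");
        }

        System.out.println("optional lookup on Apple attStmt: " + algOptional(appleStmt));
        System.out.println("optional lookup on packed attStmt: " + algOptional(packedStmt));

        String aaguid = "00000000-0000-0000-0000-000000000000"; // placeholder AAGUID
        System.out.println("metadata check (Apple): "
            + verifyMetadata(aaguid, algOptional(appleStmt), appleStmt.getJsonArray("x5c")));
        System.out.println("metadata check (packed): "
            + verifyMetadata(aaguid, algOptional(packedStmt), packedStmt.getJsonArray("x5c")));
    }
}
```

The design point is that the certificate chain, not the `alg` field, is what anchors trust in the attestation; the algorithm identifier only adds a consistency check, so its absence should degrade to "not checked" rather than abort registration with an unhandled exception.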
pmlopes commented 3 years ago

@tcompiegne thanks for the catch. It is hard to test Apple devices due to the nature of the attestations (short lived). Sadly, we tested during the last iOS betas and the alg was present.

The alg is only needed for the metadata validation, which can be used in the future to "deny" devices that are known to have been compromised, yet I believe Apple will handle this with an iOS update.

Nevertheless, I've made the field optional so older devices (with older os versions) may send the field and we can use it in that check too if present.

tcompiegne commented 3 years ago

@pmlopes Thanks for the feedback.