eclipse-vertx / vertx-auth

Apache License 2.0

WebAuthn : MetadataServiceImpl parseX5c method returns emptyList when x5c is null #619

Closed tcompiegne closed 1 year ago

tcompiegne commented 1 year ago

Version

Which version(s) did you encounter this bug in?

4.3.8

Context

I encountered an exception which looks suspicious while I tried to verify my WebAuthn authenticator using the metadataService.verify() method, when my authenticator's attestationStatement (packed) looks like this: `{"alg":"ES256"}`, leading to an empty chain error when calling the MetaData.verifyMetadata() method.

```java
private static List<X509Certificate> parseX5c(List<String> x5c) throws CertificateException {
  List<X509Certificate> certChain = new ArrayList<>(); // => empty list created up front

  if (x5c == null || x5c.size() == 0) {
    return certChain; // => empty list returned instead of null
  }

  for (String s : x5c) {
    certChain.add(JWS.parseX5c(BASE64_DECODER.decode(s)));
  }

  return certChain;
}
```

MetaData.verifyMetadata():

```java
// at this stage the x5c is an empty list
if (x5c != null) { // => the empty list passes this check
    // make a copy before we start
    x5c = new ArrayList<>(x5c);
    ...
}
```

Steps to reproduce

  1. Verify a packed attestation with no x5c
  2. Call the metadataService.verify() method
  3. Should not throw RuntimeException if MetaDataEntry is empty or OK

Potential Solution

Do not create an empty list if the x5c is null.
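
An added example, not vertx-auth code, showing the null-returning parseX5c this issue proposes next to a simplified chain check that treats a null or empty x5c the same way instead of throwing. The class name X5cGuard, java.util.Base64 in place of JWS.parseX5c, and the verifyChain method standing in for MetaData.verifyMetadata are all my own assumptions; anchoring the chain in the metadata entry's roots is omitted.

```java
import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

// Hypothetical stand-in for the two vertx-auth methods discussed in the issue.
public class X5cGuard {
  private static final Base64.Decoder BASE64_DECODER = Base64.getDecoder();
  // Decode an attestation statement's x5c array. Returns null (not an empty list)
  // when there is no x5c, so a caller cannot mistake "no chain" for "zero certs".
  static List<X509Certificate> parseX5c(List<String> x5c) throws CertificateException {
    if (x5c == null || x5c.isEmpty()) {
      return null;
    }
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    List<X509Certificate> chain = new ArrayList<>(x5c.size());
    for (String s : x5c) {
      byte[] der = BASE64_DECODER.decode(s);
      chain.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
    }
    return chain;
  }
  // Simplified chain check: null and empty are handled identically, then the
  // chain is walked leaf -> issuer checking dates and signatures. Returns true
  // only when a non-empty chain verified; false means there was no chain at all.
  static boolean verifyChain(List<X509Certificate> x5c) throws GeneralSecurityException {
    if (x5c == null || x5c.isEmpty()) {
      return false; // packed attestation without x5c: nothing to chain, do not throw
    }
    List<X509Certificate> chain = new ArrayList<>(x5c); // copy before we start
    for (int i = 0; i < chain.size(); i++) {
      X509Certificate cert = chain.get(i);
      cert.checkValidity(); // throws if expired or not yet valid
      if (i + 1 < chain.size()) {
        cert.verify(chain.get(i + 1).getPublicKey()); // throws if not signed by next cert
      }
    }
    return true;
  }
  public static void main(String[] args) throws GeneralSecurityException {
    // Both inputs from the issue now take the "no chain" path instead of failing.
    System.out.println(verifyChain(parseX5c(null)));
    System.out.println(verifyChain(parseX5c(List.of())));
  }
}
```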

remisultan commented 1 year ago

Note: with @tcompiegne we reproduced the test using macOS Touch ID, which didn't deliver the x5c certificate at registration.