fido-alliance / webauthn-demo

WebAuthn Workshop Demo [Completed DEMO is at completed demo-branch]
MIT License

Fix for self-signed #17

Open inorganik opened 4 years ago

inorganik commented 4 years ago

Sorry for all the whitespace changes, I auto-formatted in vscode.

This fixes #12

estensen commented 4 years ago

Could you also add the fix for the branch completed-demo?

The current state of your completed-demo branch allows you to register with a built-in sensor on macOS, but if you log out you can only log in with a security key.

inorganik commented 4 years ago

I could, that would require a separate PR. I'd like to see if the maintainers want to merge this first though.

If you want to merge it into your completed-demo branch, you could do

$ git remote add inorganik git@github.com:inorganik/webauthn-demo.git
$ git fetch inorganik
$ git checkout inorganik/master --  utils.js

which should keep you on your completed-demo branch but take my updated copy of utils.js

NFhbar commented 4 years ago

> Could you also add the fix for the branch completed-demo?
>
> The current state of your completed-demo branch allows you to register with a built-in sensor on macOS, but if you log out you can only log in with a security key.

@estensen Did you find a solution for this?

estensen commented 4 years ago

@NFhbar Yes, I got it to work! Had some browser issues. Think I ended up using Chrome. Don't know if browser support has improved since.

NFhbar commented 4 years ago

> @NFhbar Yes, I got it to work! Had some browser issues. Think I ended up using Chrome. Don't know if browser support has improved since.

Yeah, works on Chrome just fine, but the login keeps forcing security key and has no built-in-sensor option. You got a link I can look at your implementation of this?

estensen commented 4 years ago

@NFhbar you have to copy the changes from this branch to the branch completed-demo. These are the only changes. It's a bit hard to see because of the automatic linting.

    } else if (ctapMakeCredResp.fmt === 'packed') { // packed self attestation: no x5c, signed by the credential key itself
        let authrDataStruct = parseMakeCredAuthData(ctapMakeCredResp.authData);
        if (!(authrDataStruct.flags & U2F_USER_PRESENTED))
            throw new Error('User was NOT present during registration!');

        const clientDataHash = hash(base64url.toBuffer(webAuthnResponse.response.clientDataJSON));
        // Self attestation carries no attestation certificate: the credential public key
        // parsed out of authData is the key that verifies the attestation signature
        const publicKey = COSEECDHAtoPKCS(authrDataStruct.COSEPublicKey);
        const signatureBase = Buffer.concat([ctapMakeCredResp.authData, clientDataHash]);
        const PEMCertificate = ASN1toPEM(publicKey);

        const { attStmt: { sig: signature, alg } } = ctapMakeCredResp;

        // Verify that sig is a valid signature over authenticatorData || clientDataHash
        // using the credential public key, with the algorithm given in alg (-7 = ES256)
        response.verified = alg === -7 && verifySignature(signature, signatureBase, PEMCertificate);

        if (response.verified) {
            response.authrInfo = {
                fmt: 'fido-u2f',
                publicKey: base64url.encode(publicKey),
                counter: authrDataStruct.counter,
                credID: base64url.encode(authrDataStruct.credID)
            }
        }