search

google / u2f-ref-code

U2F reference implementations
BSD 3-Clause "New" or "Revised" License
588 stars 182 forks source link

inconsistency of register response format #165

Closed lsanil closed 6 years ago

lsanil commented 7 years ago

I am integrating U2F support into our product. I am using u2f-api.js available from u2f-ref-code. I see inconsistency when declaring RegiterResponse object.

From https://github.com/google/u2f-ref-code/blob/37f55816242d4e5b569810c32ff88aaf9b148022/u2f-gae-demo/war/js/u2f-api.js, RegisterResponse (line 148-156) is defined as 

/**
 * Data object for a registration response.
 * @typedef {{
 *   version: string,
 *   keyHandle: string,
 *   transports: Transports,
 *   appId: string
 * }}
 */
u2f.RegisterResponse;

From U2F fido 1.2 spec, https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html#dictionary-registerresponse-members, RegisterResponse is defined as

dictionary RegisterResponse {
    DOMString version;
    DOMString registrationData;
    DOMString clientData;
};

In my limited testing with a Yubi key, I observed following

  1. Registration response conforms to format defined in 1.2 U2F spec.
  2. Attestation certificate contains the transports information in an extension.

Not sure if this a simple bug in comment. If not, could you please explain what am I missing and why the inconsistency exists?

With the format suggested in https://github.com/google/u2f-ref-code/blob/37f55816242d4e5b569810c32ff88aaf9b148022/u2f-gae-demo/war/js/u2f-api.js, how would a RP get device registration information? Please clarify.

Thank you! Anil

cpiper commented 7 years ago

Anil, I believe this is just a bug in the comments, looks like it was accidentally copy pasted from the sign request comment. You can just ignore that comment.

lsanil commented 7 years ago

Thank you cpiper for clarification!