google / webauthndemo

An example Node.js Relying Party implementation of the WebAuthn specification
https://try-webauthn.appspot.com
Apache License 2.0

Response length limited? #41

Closed. geofli closed this issue 6 years ago

geofli commented 6 years ago

When testing a USB hardware CTAP2 authenticator from https://webauthndemo.appspot.com/ using Chrome 67+ on Windows, if the 3-tier attestation certificates (recommended on https://w3c.github.io/webauthn/#sec-attestation-security-considerations ) are returned by authenticatorMakeCredential ( https://drafts.fidoalliance.org/fido-2/latest/fido-client-to-authenticator-protocol-v2.0-wd-20180623.html#authenticatorMakeCredential ) and the certificates are a little longer, the webpage will not respond and always shows "Waiting for user touch". After more testing, I found that if the authenticatorMakeCredential command returns more than 0x75F bytes, the webpage will not respond. If I shorten the certificates so that the authenticatorMakeCredential response is shorter than 0x75F bytes, the demo website works well. But there is no such limitation in the CTAP2 spec. Is it a problem with Chrome? The same version of Chrome on Mac works well.

kpaulh commented 6 years ago

What kind of authenticator are you using? If you can share a sample response with us, we can take a look and see if there's something in the response that causing a failure within Chrome.

geofli commented 6 years ago

The CBOR byte data for the authenticatorMakeCredential command response is here: 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

Here is the CBOR content: {1: "packed", 2: h'46CC7FB9679D55B2DB9092E1C8D9E5E1D02B7580F0B4812C770962E1E48F5AD841000006B24238324544373343384642344535413200600FEF826B389145F7F8E5BCAA0B063583838AED86B715484162144AA61DE300D5869C2CE313388F75E86B64C60890EFCA7082D6638A3740E6EA02BFFB4E6055062B6FAD91AEF2A3E788ED26C9D00EC67D2D5D337DB101001A5E03B5E99530A855A501020326200121582008F4173905CE159D4601325059AD9800108181C18D9DADC3EE9F4F1D22AFEFD5225820E40111DD704C1FC142CE2E4265CD7E658F42BFCDB0837E0B3278B7E64D1A0594', 3: {"alg": -7, "sig": h'3044022022CEEDD3A0A2EB87E28BC57A6816C9A62F13059C6FEB9AB6411932244C4B9B5A0220313B458B1FA68C9D16F255F0300AD74383A98C315492C9F77F9304348C38B344', "x5c": [h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h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h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}}

Attached file is the USB data of whole process. usb_data.txt

You can see in the file that the USB device (30.3 USB Input Device) has returned the data to Windows, but the Windows driver (31 HID-compliant device) does not return the data to Chrome, or Chrome does not read it from Windows because of some error (the first HID packet of the response data for 31 is lost).
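The thread reports two observations: responses longer than 0x75F bytes fail, and the USB capture shows the first HID packet of the response going missing. Both concern CTAPHID framing rather than CBOR content, so the following added example (written for this page, not code from webauthndemo or Chromium) fragments a CTAP2 response into 64-byte HID reports the way the CTAPHID layer does (7-byte initialization header with CID, CMD and BCNT, 57 bytes of payload; 5-byte continuation header with CID and SEQ, 59 bytes of payload) and reassembles it, rejecting a stream whose initialization packet is lost. The response payload is a constructed filler, not the real attestation CBOR. One thing the arithmetic shows: 0x75E bytes fit in 32 reports, while 0x75F is the first length that needs 33. That is a property of the framing; whether it is the actual cause of the Windows failure is not established in this thread.

```python
"""CTAPHID framing of a CTAP2 response (added example, not project code).

Sizes follow the CTAPHID transport: 64-byte reports, an initialization
packet with CID(4) CMD(1) BCNT(2) + 57 data bytes, and continuation
packets with CID(4) SEQ(1) + 59 data bytes, SEQ starting at 0.
"""
import struct

REPORT_SIZE = 64
INIT_PAYLOAD = REPORT_SIZE - 7   # 57 bytes after CID + CMD + BCNT
CONT_PAYLOAD = REPORT_SIZE - 5   # 59 bytes after CID + SEQ
CTAPHID_CBOR = 0x10              # CTAPHID_CBOR command; sent with bit 7 set
MAX_PAYLOAD = INIT_PAYLOAD + 128 * CONT_PAYLOAD  # 7609 bytes, SEQ 0..127


def fragment(cid: int, cmd: int, payload: bytes) -> list:
    """Split one CTAPHID message into zero-padded 64-byte reports."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds CTAPHID maximum of %d bytes" % MAX_PAYLOAD)
    head = struct.pack(">IBH", cid, 0x80 | cmd, len(payload))
    reports = [(head + payload[:INIT_PAYLOAD]).ljust(REPORT_SIZE, b"\0")]
    rest = payload[INIT_PAYLOAD:]
    for seq, off in enumerate(range(0, len(rest), CONT_PAYLOAD)):
        chunk = rest[off:off + CONT_PAYLOAD]
        reports.append((struct.pack(">IB", cid, seq) + chunk).ljust(REPORT_SIZE, b"\0"))
    return reports


def reassemble(reports) -> tuple:
    """Rebuild (cmd, payload) from reports; raise on a lost init packet or a SEQ gap."""
    if not reports:
        raise ValueError("no reports")
    cid, cmd, bcnt = struct.unpack(">IBH", reports[0][:7])
    if not cmd & 0x80:
        # Byte 4 of a continuation packet is SEQ (< 0x80); a stream that starts
        # with one has lost its initialization packet, the failure mode the
        # USB capture above describes.
        raise ValueError("stream starts with continuation packet SEQ=%d; init packet lost" % cmd)
    data = bytearray(reports[0][7:7 + bcnt])
    expected_seq = 0
    for r in reports[1:]:
        rcid, seq = struct.unpack(">IB", r[:5])
        if rcid != cid or seq != expected_seq:
            raise ValueError("unexpected packet cid=%08x seq=%d, wanted seq=%d" % (rcid, seq, expected_seq))
        data += r[5:5 + (bcnt - len(data))]   # never take more than BCNT announced
        expected_seq += 1
    if len(data) != bcnt:
        raise ValueError("short message: got %d of %d bytes" % (len(data), bcnt))
    return cmd & 0x7F, bytes(data)


def reports_needed(n: int) -> int:
    """Number of 64-byte HID reports a payload of n bytes occupies."""
    if n <= INIT_PAYLOAD:
        return 1
    return 1 + -(-(n - INIT_PAYLOAD) // CONT_PAYLOAD)   # ceiling division


if __name__ == "__main__":
    # Constructed stand-in for a makeCredential response: CTAP2 status byte 0x00
    # followed by filler (2049 bytes). The real one is the CBOR map in the issue.
    resp = b"\x00" + bytes(range(256)) * 8
    pkts = fragment(0x00112233, CTAPHID_CBOR, resp)
    assert reassemble(pkts) == (CTAPHID_CBOR, resp)
    print(len(pkts), "reports for", len(resp), "bytes")
    print(reports_needed(0x75E), "reports for 0x75E bytes,", reports_needed(0x75F), "for 0x75F")
    try:
        reassemble(pkts[1:])   # drop the initialization packet, as in the capture
    except ValueError as e:
        print("dropped init packet:", e)
```

Running it with the constructed 2049-byte response produces 35 reports; feeding the same stream minus its first report to reassemble() fails immediately, which is the check a host-side CTAPHID reader would need to surface rather than waiting indefinitely for a transaction to complete.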

kpaulh commented 6 years ago

Thanks! We will take a look.

geofli commented 6 years ago

Hi, any progress?

kpaulh commented 6 years ago

Hi Geoffrey, our Chrome CBOR parsers were able to process the data just fine. Out of curiosity, can you try with one of the other browsers? Firefox or Edge? Right now, our suspicion is that this has something to do with Windows, particularly since the Chrome 67 on Mac does work with this authenticator device. Is there somewhere you can file a bug with the Fido/WebAuthN folks at MSFT to also have them take a look at it?

geofli commented 6 years ago

@kpaulh I have tested Microsoft Edge on Windows 10 RS5 (since Edge on RS4 does not support CTAP2), and it works well with our CTAP2 device. I haven't heard that Firefox supports CTAP2 yet. Here I have attached USB data captured for Chrome and Edge, please compare. chrome_not_ok.txt edge_ok.txt

geofli commented 6 years ago

Hi kpaulh, any update on this?

kpaulh commented 6 years ago

Hi Geoffrey, apologies, we have been out most of last week due to July 4th. At this stage, if you could send the actual device we probably could find the issue more quickly. In the meantime, I've filed a Chromium bug to track the issue there, since this is an issue with Chromium and not with webauthn demo: https://bugs.chromium.org/p/chromium/issues/detail?id=862207

geofli commented 6 years ago

Thank you very much. A real hardware key will be sent at once.