mozilla / authenticator-rs

Rust library to interact with Security Keys, used by Firefox
https://crates.io/crates/authenticator
Mozilla Public License 2.0

Select a reasonable default pin protocol when `pinUvAuthProtocols` is absent from GetInfo response #274

Closed jschanck closed 1 year ago

jschanck commented 1 year ago

In Bug 1836722 we have a user reporting that WebAuthn transactions with a WearAuthn token abort immediately with `[ERROR authenticator::statemachine] Error when determining pinAuth: HIDError(Command(UnsupportedPinProtocol))`. This seems to be because WearAuthn doesn't report `pinUvAuthProtocols` in its GetInfo response.

The spec is not very clear about what we should do here. But my interpretation is: 1) For CTAP 2.0 devices we should use protocol 1, because protocol 2 wasn't defined for 2.0. 2) For CTAP 2.1 we should use protocol 2, because protocol 2 is mandatory-to-implement in 2.1.

We should also wrap the `pin_protocols` entry in our `AuthenticatorInfo` struct with `Option`, as there's a clause in 2.1 that the device MUST NOT return an empty list.

msirringhaus commented 1 year ago

The spec seems to be almost deliberately unclear here :sweat_smile:

For CTAP 2.1, the spec says:

> 9. Mandatory features
>
> Authenticators that include FIDO_2_1 in versions: ...
>
>   1. MUST include an array element with the value 2 in the authenticatorGetInfo response’s pinUvAuthProtocols member (i.e. support PIN/UV auth protocol two) if it includes any values at all.

So, I think I agree. We should determine the protocol version based on the supported CTAP-level, if none is returned.
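The fallback the two comments above converge on, written out as an added example (this is not authenticator-rs code). It assumes a trimmed-down `AuthenticatorInfo` with an `Option` around the protocol list, treats an empty list as the 2.1 violation noted above, and, when a list is present, prefers protocol 2 over 1 (that preference is an assumption, not something the issue states).

```rust
/// CTAP2 PIN/UV auth protocol versions discussed in the issue.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PinProtocol {
    One = 1,
    Two = 2,
}

/// Subset of an authenticatorGetInfo response (constructed for this example).
/// `pin_protocols` is `None` when `pinUvAuthProtocols` is absent, as with WearAuthn.
#[derive(Debug, Clone)]
pub struct AuthenticatorInfo {
    pub versions: Vec<String>,
    pub pin_protocols: Option<Vec<u64>>,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PinProtocolError {
    /// Neither protocol 1 nor 2 is usable with this device.
    UnsupportedPinProtocol,
    /// CTAP 2.1 says the pinUvAuthProtocols array MUST NOT be empty.
    EmptyPinProtocolList,
}

/// Pick the PIN protocol for `info`. With a reported list, take the newest
/// protocol we know (assumed preference). With the member absent, fall back on
/// the CTAP level: 2.1 devices must implement protocol 2, 2.0 only defined 1.
pub fn select_pin_protocol(info: &AuthenticatorInfo) -> Result<PinProtocol, PinProtocolError> {
    let has_version = |v: &str| info.versions.iter().any(|x| x == v);
    match &info.pin_protocols {
        Some(list) if list.is_empty() => Err(PinProtocolError::EmptyPinProtocolList),
        Some(list) if list.contains(&2) => Ok(PinProtocol::Two),
        Some(list) if list.contains(&1) => Ok(PinProtocol::One),
        Some(_) => Err(PinProtocolError::UnsupportedPinProtocol),
        None if has_version("FIDO_2_1") => Ok(PinProtocol::Two),
        None if has_version("FIDO_2_0") => Ok(PinProtocol::One),
        None => Err(PinProtocolError::UnsupportedPinProtocol),
    }
}

fn main() {
    // Constructed GetInfo of a CTAP 2.0 token that omits pinUvAuthProtocols.
    let info = AuthenticatorInfo {
        versions: vec!["U2F_V2".into(), "FIDO_2_0".into()],
        pin_protocols: None,
    };
    println!("{:?}", select_pin_protocol(&info)); // prints Ok(One)
}
```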