Closed northway closed 2 years ago
What is your webauthn module configuration?
The module config:
<?php
$config = [
    /* Enable/disable Debug mode */
    'debug' => true,

    /* required configuration parameters */
    'store' => [
        'webauthn:Database',
        'database.dsn' => 'mysql:host=REDACTED;dbname=REDACTED',
        'database.username' => 'REDACTED',
        'database.password' => 'REDACTED',
    ],

    // eppn
    'attrib_username' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
    // displayName
    'attrib_displayname' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',

    /* optional configuration parameters */

    /* FIDO2 is phishing-resistant by binding generated credentials to a scope.
     * Browsers will only invoke the registration/authentication if the scope
     * matches the principal domain name the user is currently visiting.
     * If not specified, the scope will be the hostname of the IdP as per
     * its metadata. It is permissible to widen the scope up to the principal
     * domain though (e.g. authentication service is "saml.example.com" => scope
     * can be extended to "example.com"; but not "examp1e.com"). A registered
     * FIDO2 token can then also be used on other servers in the same domain.
     * If configuring this item, be sure that the authentication server name and
     * the desired scope are a suffix match.
     *
     * If you do not control the entirety of your second-level domain, you must
     * set the scope here explicitly to your own hostname to prevent some
     * contrived attack scenarios with other servers in that same second-level
     * domain.
     */
    'scope' => 'eduid.hu',

    /* the following will interactively ask the user if he is willing to share
     * manufacturer and model information during credential registration.
     * The user can decline, in which case registration will still succeed but
     * vendor and model will be logged as "unknown model [unknown vendor]"
     *
     * When not requesting this, there is one less user interaction during the
     * registration process; and no model information will be saved.
     *
     * defaults to "false"
     */
    'request_tokenmodel' => false,

    /* should FIDO2 be enabled by default for all users? If not, users need to
     * be white-listed in the database - other users simply pass through the
     * filter without being subjected to 2FA.
     *
     * defaults to "disabled by default" === false
     */
    'default_enable' => true,

    /* this parameter is used only if "use_database" is false. If the value of
     * "force" is true then we trigger WebAuthn only if "attrib_toggle" from the
     * user is not empty. If the value of "force" is false then we switch the value of
     * "default_enable" only if "attrib_toggle" from the user is not empty.
     * Default value is true.
     */
    'force' => true,

    /* this parameter stores the name of the attribute that is sent with user and which
     * determines whether to trigger WebAuthn.
     * Default value is 'toggle'
     */
    'attrib_toggle' => 'toggle',

    /* this parameter determines if the database will be used to check
     * whether to trigger second factor authentication or use the "attrib_toggle" instead.
     * Default value of this attribute is true
     */
    'use_database' => true,

    /* optional parameter which determines whether you will be able to register and manage tokens
     * while authenticating or you want to use the standalone registration page for these
     * purposes. If set to false => standalone registration page, if true => inflow registration.
     * Defaults to true.
     */
    'use_inflow_registration' => true,

    /* optional parameter that determines what auth source will be used in standalone registration page.
     * Defaults to 'default-sp'.
     */
    'registration_auth_source' => 'default-sp',
];
And please confirm that your web server with SSP is actually running on a FQDN within 'eduid.hu'. Otherwise, the transaction will rightly be refused by the browser.
This concrete error is raised by a third-party library. What is the version of spomky-labs/cbor-php on your deployment?
Looking at the spec, the CBOR object you got from the Yubikey contains an information element which the original RFC7049 marks as "Reserved for future use": https://www.rfc-editor.org/rfc/rfc7049#section-2 (second paragraph, top of page 7).
Recently, that RFC has been obsoleted by RFC 8949: https://www.rfc-editor.org/rfc/rfc8949 It still considers value 30 reserved for future use, and says that the use of that information element makes the response syntactically invalid.
That is the most recent version of CBOR.
I.e. the CBOR library has every reason to bail out on that particular Yubikey response. I use a Yubikey 5 and 5C (firmware 5.1.2) myself on a daily basis, which do not throw this error. Maybe a key with a very recent firmware does something brand new with information element 30? I will continue investigating if the specs are on the move in regards to CBOR.
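As an added example (mine, not code from this thread or from the SimpleSAMLphp webauthn module), the suffix rule that the config comment and the reply above describe, written out as a check you can run against a deployment before the browser does: the configured 'scope' is the WebAuthn RP ID, and browsers refuse credentials.create()/get() with a SecurityError unless the RP ID equals the origin's host or is a parent domain of it on a label boundary. The public-suffix set is a constructed stand-in for the real Public Suffix List, and the hostnames used in the notes below are the ones from this thread.

```python
# Added example: is a configured webauthn 'scope' (the WebAuthn RP ID) usable
# from the host the browser is actually on?  Browsers refuse create()/get()
# with a SecurityError when rp.id is not the origin's host or a registrable
# parent domain of it, which is the failure this thread started with.

from typing import Optional

# Constructed stand-in for the Public Suffix List; a real check would load
# the full list.  A scope that is itself a public suffix would let every
# host under that suffix use the credential, so it is rejected.
PUBLIC_SUFFIXES = {"com", "org", "net", "hu", "co.uk"}


def _normalize(host: str) -> str:
    return host.strip().lower().rstrip(".")


def effective_scope(module_config: dict, idp_host: str) -> str:
    """Mirror the config comment: scope defaults to the IdP hostname when unset."""
    return _normalize(module_config.get("scope") or idp_host)


def scope_problem(origin_host: str, scope: str) -> Optional[str]:
    """Return None if `scope` is an acceptable RP ID for `origin_host`,
    otherwise a short reason why the browser (and we) should refuse it."""
    host, rp_id = _normalize(origin_host), _normalize(scope)
    if not host or not rp_id:
        return "empty host or scope"
    if rp_id in PUBLIC_SUFFIXES:
        return f"scope {rp_id!r} is a public suffix, not a registrable domain"
    if host == rp_id:
        return None
    # Widening is only allowed up to a parent domain on a label boundary:
    # 'saml.example.com' -> 'example.com' is fine, 'examp1e.com' is not,
    # and neither is a plain string suffix such as 'notexample.com'.
    if host.endswith("." + rp_id):
        return None
    return f"host {host!r} is not within scope {rp_id!r}"


def check_module_config(module_config: dict, idp_host: str) -> Optional[str]:
    """Validate the scope a webauthn module config would actually use."""
    return scope_problem(idp_host, effective_scope(module_config, idp_host))


if __name__ == "__main__":
    # The situation from this thread: scope 'eduid.hu', IdP on idp.dev.einfra.hu.
    print(check_module_config({"scope": "eduid.hu"}, "idp.dev.einfra.hu"))
    print(check_module_config({"scope": "einfra.hu"}, "idp.dev.einfra.hu"))
```

With the config posted above (scope 'eduid.hu') and an IdP on idp.dev.einfra.hu, check_module_config returns a reason string; once the scope is a suffix of the IdP host on a label boundary it returns None. Leaving 'scope' unset is always safe because the RP ID then collapses to the IdP hostname itself.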
And please confirm that your web server with SSP is actually running on a FQDN within 'eduid.hu'. Otherwise, the transaction will rightly be refused by the browser.
It was not on the correct FQDN (einfra.hu), so I changed it and the token registration started.
After completing the registration, this error message comes up:
Nov 19 14:28:44 idp-dev simplesamlphp[6722]: 7 [8fb1932cd9] webauthn: userid: REDACTED
Nov 19 14:28:44 idp-dev simplesamlphp[6722]: 7 [8fb1932cd9] User does not exist in DB, returning desired default.
Nov 19 14:28:44 idp-dev simplesamlphp[6722]: 7 [8fb1932cd9] Saved state: '_fe8e1a9370199031ede2201cf6dd200c5e1e00751c:https://idp.dev.einfra.hu/simplesaml/saml2/idp/SSOService.php?spentityid=https.eduid.hu&RelayState=ss&cookieTime=1637332121'
Nov 19 14:28:44 idp-dev simplesamlphp[6721]: 6 [8fb1932cd9] FIDO2 - Accessing WebAuthn interface
Nov 19 14:28:44 idp-dev simplesamlphp[6721]: 7 [8fb1932cd9] Loading state: '_fe8e1a9370199031ede2201cf6dd200c5e1e00751c:https://idp.dev.einfra.hu/simplesaml/saml2/idp/SSOService.php?spentityid=https.eduid.hu&RelayState=ss&cookieTime=1637332121'
Nov 19 14:28:44 idp-dev simplesamlphp[6721]: 7 [8fb1932cd9] Localization: load domain 'messages' at '/srv/simplesamlphp/locales'
Nov 19 14:28:44 idp-dev simplesamlphp[6721]: 7 [8fb1932cd9] Trying langpath for 'en' as '/srv/simplesamlphp/locales/en/LC_MESSAGES/'
Nov 19 14:28:44 idp-dev simplesamlphp[6721]: 7 [8fb1932cd9] Localization: load domain 'webauthn' at '/srv/simplesamlphp/modules/webauthn/locales'
Nov 19 14:28:44 idp-dev simplesamlphp[6721]: 7 [8fb1932cd9] Trying langpath for 'en' as '/srv/simplesamlphp/modules/webauthn/locales/en/LC_MESSAGES/'
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 6 [8fb1932cd9] FIDO2 - Accessing WebAuthn enrollment validation
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 7 [8fb1932cd9] Loading state: '_fe8e1a9370199031ede2201cf6dd200c5e1e00751c:https://idp.dev.einfra.hu/simplesaml/saml2/idp/SSOService.php?spentityid=https.eduid.hu&RelayState=ss&cookieTime=1637332121'
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 4 [8fb1932cd9] Missing AAGUID configuration file (/srv/simplesamlphp/config/webauthn-aaguid.json). No device will be recognized.
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 6 [8fb1932cd9] AAGUID c5ef55ffad9a4b9fb580adebafe026d0 not found in dictionary, device is unknown.
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 7 [8fb1932cd9] Credential does not exist yet.
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 6 [8fb1932cd9] AAGUID c5ef55ffad9a4b9fb580adebafe026d0 not found in dictionary, device is unknown.
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 7 [8fb1932cd9] Saved state: '_fe8e1a9370199031ede2201cf6dd200c5e1e00751c:https://idp.dev.einfra.hu/simplesaml/saml2/idp/SSOService.php?spentityid=https.eduid.hu&RelayState=ss&cookieTime=1637332121'
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 3 [8fb1932cd9] SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 3 [8fb1932cd9] Backtrace:
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 3 [8fb1932cd9] 2 /srv/simplesamlphp/www/_include.php:20 (SimpleSAML_exception_handler)
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 3 [8fb1932cd9] 1 /srv/simplesamlphp/vendor/symfony/error-handler/ErrorHandler.php:607 (Symfony\Component\ErrorHandler\ErrorHandler::handleException)
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 3 [8fb1932cd9] 0 [builtin] (N/A)
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 3 [8fb1932cd9] Caused by: ArgumentCountError: Too few arguments to function SimpleSAML\Module\webauthn\Controller\RegProcess::SimpleSAML\Module\webauthn\Controller\{closure}(), 0 passed in /srv/simplesamlphp/vendor/symfony/http-foundation/StreamedResponse.php on line 109 and exactly 2 expected
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 3 [8fb1932cd9] Backtrace:
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 3 [8fb1932cd9] 5 /srv/simplesamlphp/modules/webauthn/lib/Controller/RegProcess.php:200 (SimpleSAML\Module\webauthn\Controller\RegProcess::SimpleSAML\Module\webauthn\Controller\{closure})
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 3 [8fb1932cd9] 4 /srv/simplesamlphp/vendor/symfony/http-foundation/StreamedResponse.php:109 (Symfony\Component\HttpFoundation\StreamedResponse::sendContent)
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 3 [8fb1932cd9] 3 /srv/simplesamlphp/vendor/symfony/http-foundation/Response.php:394 (Symfony\Component\HttpFoundation\Response::send)
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 3 [8fb1932cd9] 2 /srv/simplesamlphp/modules/webauthn/www/regprocess.php:15 (require)
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 3 [8fb1932cd9] 1 /srv/simplesamlphp/lib/SimpleSAML/Module.php:266 (SimpleSAML\Module::process)
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 3 [8fb1932cd9] 0 /srv/simplesamlphp/www/module.php:10 (N/A)
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 3 [8fb1932cd9] Error report with id e85b23c3 generated.
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 7 [8fb1932cd9] Session: Valid session found with 'niifp-ldap'.
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 7 [8fb1932cd9] Localization: load domain 'messages' at '/srv/simplesamlphp/locales'
Nov 19 14:29:04 idp-dev simplesamlphp[6721]: 7 [8fb1932cd9] Trying langpath for 'en' as '/srv/simplesamlphp/locales/en/LC_MESSAGES/'
This concrete error is raised by a third-party library. What is the version of spomky-labs/cbor-php on your deployment?
"spomky-labs/cbor-php": "^1.0"
I have an older YubiKey, but the error message is the same.
Device type: YubiKey NEO
Serial number: REDACTED
Firmware version: 3.5.0
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.
Applications    USB            NFC
FIDO2           Not available  Not available
OTP             Enabled        Enabled
FIDO U2F        Enabled        Enabled
OATH            Enabled        Enabled
YubiHSM Auth    Not available  Not available
OpenPGP         Enabled        Enabled
PIV             Enabled        Enabled
Well, the original problem was the scope mismatch between eduid.hu and einfra.hu. I am surprised that the error then leads to broken CBOR, but that is apparently the correct explanation for the original error: "Cannot parse the data. Found invalid Additional Information "11110" (30)." I.e. this was a configuration issue: wrong scope.
The subsequent error you get is unrelated to the core cryptographic operations (which seem to succeed already), and looks more like a Symfony framework issue. I'll double-check the code...
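To make the parser's complaint concrete, here is an added example (mine, not the spomky-labs/cbor-php code the module uses) that decodes only the head of a CBOR data item the way RFC 8949 section 3 defines it: the low five bits of the initial byte are the "additional information", and values 28 to 30 are reserved and make the item not well-formed, so any conforming decoder has to stop right there. It also shows why a non-CBOR response handed to the decoder (an HTML error page, for instance) trips exactly this class of error. All sample bytes are constructed.

```python
# Added example: decode the head (initial byte plus argument) of a CBOR data
# item per RFC 8949 section 3, rejecting the reserved additional-information
# values 28-30.  Not the module's decoder; the sample inputs are constructed.

from typing import Optional, Tuple


class CborError(ValueError):
    pass


def decode_head(data: bytes, offset: int = 0) -> Tuple[int, Optional[int], int]:
    """Return (major_type, argument, offset_after_head).

    argument is None when additional information is 31 (indefinite length, or
    the 'break' code for major type 7), which is only well-formed for byte
    strings, text strings, arrays, maps and major type 7.
    """
    if offset >= len(data):
        raise CborError("unexpected end of input")
    initial = data[offset]
    major, ai = initial >> 5, initial & 0x1F
    if ai < 24:
        return major, ai, offset + 1
    if ai <= 27:
        width = 1 << (ai - 24)          # 24 -> 1, 25 -> 2, 26 -> 4, 27 -> 8 bytes
        arg = data[offset + 1:offset + 1 + width]
        if len(arg) != width:
            raise CborError(f"truncated {width}-byte argument")
        return major, int.from_bytes(arg, "big"), offset + 1 + width
    if ai == 31:
        if major in (2, 3, 4, 5, 7):
            return major, None, offset + 1
        raise CborError(f"indefinite length not allowed for major type {major}")
    # ai is 28, 29 or 30: reserved for future additions, never well-formed.
    raise CborError(
        f'Cannot parse the data. Found invalid Additional Information "{ai:05b}" ({ai}).'
    )


def head_or_error(data: bytes) -> str:
    """Describe the first item of `data`, or the decoder's complaint (for logs)."""
    try:
        major, arg, _ = decode_head(data)
        return f"major type {major}, argument {arg}"
    except CborError as exc:
        return str(exc)


# Constructed: a CTAP2 attestation object starts with a map of three entries
# (fmt, attStmt, authData); 0xA3 is major type 5 with argument 3, followed
# here by the 3-byte text string "fmt" (0x63 'f' 'm' 't').
ATTESTATION_OBJECT_HEAD = bytes.fromhex("a363666d74")

# Constructed: 0x7E is major type 3 with additional information 0b11110 (30),
# the value from this thread's error message; '<' (0x3C) from an HTML page is
# major type 1 with additional information 28, another reserved value.
RESERVED_30 = b"\x7e"
HTML_PAGE = b"<html><body>error</body></html>"


if __name__ == "__main__":
    for sample in (ATTESTATION_OBJECT_HEAD, RESERVED_30, HTML_PAGE):
        print(sample[:4], "->", head_or_error(sample))
```

The message format deliberately mirrors the one quoted above, so "11110" (30) is the binary and decimal form of the same five bits. A decoder that accepted these values would be guessing at an encoding the RFC has not defined, which is why the library bails out rather than skipping the byte.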
This is happening inside a conditional that is only executed in debug mode. Probably that conditional was overlooked with some Symfony updates. Can you turn debug off in the module config?:
$config = [
    /* Enable/disable Debug mode */
    'debug' => false,
and try again?
The problem is that the callback for a StreamedResponse cannot have parameters.. Our callback requires two. We have to refactor this
And yes, it works after the debug mode was turned off! :D
Happy to hear that! Have fun with WebAuthN!
I guess we could keep this issue open for the StreamedResponse refactor. But TBH, I'm eagerly awaiting SSP 2.0 and would prefer to work only on the branch for 2.0. We could also remove that non-working closure call and call it a day?
Hold on for one sec, I may be able to fix this quite easily..
Can someone test with the patch in #38? I don't have a working install available right now
I tried with it, but I got the same error:
Nov 19 15:04:06 idp-dev simplesamlphp[6721]: 3 [88005c9d16] Caused by: ArgumentCountError: Too few arguments to function SimpleSAML\Module\webauthn\Controller\AuthProcess::SimpleSAML\Module\webauthn\Controller\{closure}(), 0 passed in /srv/simplesamlphp/vendor/symfony/http-foundation/StreamedResponse.php on line 109 and exactly 2 expected
Nov 19 15:04:06 idp-dev simplesamlphp[6721]: 3 [88005c9d16] Backtrace:
Nov 19 15:04:06 idp-dev simplesamlphp[6721]: 3 [88005c9d16] 5 /srv/simplesamlphp/modules/webauthn/lib/Controller/AuthProcess.php:181 (SimpleSAML\Module\webauthn\Controller\AuthProcess::SimpleSAML\Module\webauthn\Controller\{closure})
Nov 19 15:04:06 idp-dev simplesamlphp[6721]: 3 [88005c9d16] 4 /srv/simplesamlphp/vendor/symfony/http-foundation/StreamedResponse.php:109 (Symfony\Component\HttpFoundation\StreamedResponse::sendContent)
Nov 19 15:04:06 idp-dev simplesamlphp[6721]: 3 [88005c9d16] 3 /srv/simplesamlphp/vendor/symfony/http-foundation/Response.php:394 (Symfony\Component\HttpFoundation\Response::send)
Nov 19 15:04:06 idp-dev simplesamlphp[6721]: 3 [88005c9d16] 2 /srv/simplesamlphp/modules/webauthn/www/authprocess.php:15 (require)
Nov 19 15:04:06 idp-dev simplesamlphp[6721]: 3 [88005c9d16] 1 /srv/simplesamlphp/lib/SimpleSAML/Module.php:266 (SimpleSAML\Module::process)
Nov 19 15:04:06 idp-dev simplesamlphp[6721]: 3 [88005c9d16] 0 /srv/simplesamlphp/www/module.php:10 (N/A)
https://raw.githubusercontent.com/simplesamlphp/simplesamlphp-module-webauthn/b6b532948b110f586784fd4675f8075850a15512/lib/Controller/RegProcess.php
Same error, different location! Fixing that one too
Anyway it's more than good for testing now!
Happy to hear that! Have fun with WebAuthN!
Thank you guys for the fast responses! 👍
You are very welcome! Please let us know if you run into something else.. This module is relatively new, so we may have to smooth some of the rough edges
When I enabled the debug mode and after the auth was complete, it dumped a bunch of webauthn related data into the browser.
So I'm guessing that was the intended result.
Yes, great! Thank you
Hi!
When I try to enroll my token I'm getting this error message in every major browser.
v1.19.3
v0.11.0
usenewui is enabled. My YubiKey info:
This is what's in the SSP log (no PHP error so far):
If I close the dialog window and hit enter: