tanguilp / wax

WebAuthn for Elixir
https://hexdocs.pm/wax_
Apache License 2.0

FIDO2 Metadata #43

Open miguelvillaresb opened 5 days ago

miguelvillaresb commented 5 days ago

What is the difference between the 2 options described in the README for loading FIDO2 Metadata?

I downloaded the metadata from the FIDO test suite client and then I used the option "Loading FIDO2 metadata from a directory". With this option the tests pass.

Does the other option, "Configuring MDSv3 metadata", replace the first one? I tried to pass the tests loading MDSv3 metadata from the web site and removing the local metadata files, but the tests failed. It seems that the aaguid is not found in the downloaded metadata.

Thanks in advance

tanguilp commented 5 days ago

The test suite uses mocked root anchors for testing purposes. Given the architecture of FIDO, it obviously cannot generate genuine real credentials.

MDSv3 is the official repository of root anchors from vendors. Unfortunately, not all vendors publish their certificates in it publicly or in time. Therefore there’s another mechanism to load metadata from file. Last time I checked, for instance, Apple didn’t publish their metadata in MDSv3.

miguelvillaresb commented 4 days ago

Trying to pass "Metadata Service Tests" I do not find the way to tell wax how to download the metadata from the 5 endpoints you get when registering the service in FIDO:

[screenshot not preserved]

tanguilp commented 4 days ago

These tests don’t apply to wax afaik

miguelvillaresb commented 4 days ago

From my point of view, you already have a way to validate metadata blobs in wax, so wax could include a way to get the endpoints from the domain, iterate over the endpoints and save the blob that passes the validation. Was this not included for a specific reason?

tanguilp commented 4 days ago

Haven't dug into these tests, to be honest. Are they fake MDSv3 endpoints to be parsed and tested by a WebAuthn server implementation?

miguelvillaresb commented 4 days ago

I found this https://github.com/fido-alliance/conformance-test-tools-resources/issues/422

It seems that to pass those tests new metadata has to be used. The way to get the metadata is to go through https://mds3.certinfra.fidoalliance.org/ and try with the 5 provided endpoints. Only one of the endpoints provides a valid metadata blob. This right metadata is the one to be used with the tests.
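The thread turns on two things about an MDSv3 metadata BLOB: it is a signed JWS whose payload lists authenticator entries keyed by `aaguid`, and a lookup fails when the AAGUID form used for the search does not match the dashed UUID form the BLOB uses. The following is an added example, not code from wax, showing the BLOB structure, the raw-bytes-to-UUID normalisation, the entry lookup and a status check. The BLOB it decodes is constructed inline with a placeholder signature, so the JWS signature verification against the FIDO MDS root (which a real relying party, and wax, must perform before trusting the payload) is deliberately noted rather than implemented.

```python
"""Decode an MDSv3-shaped BLOB and look up an authenticator by AAGUID.

Added example, not wax's code. The BLOB is a compact JWS (header.payload.
signature). The sample built below is constructed and unsigned; a real
deployment must verify the signature with the leaf cert in header["x5c"]
and validate that chain up to the FIDO Alliance MDS root before use.
"""
import base64
import json
import uuid
from typing import Optional, Tuple

# MDS3 AuthenticatorStatus values meaning the model must not be trusted.
COMPROMISED_STATUSES = {
    "REVOKED",
    "USER_VERIFICATION_BYPASS",
    "ATTESTATION_KEY_COMPROMISE",
    "USER_KEY_REMOTE_COMPROMISE",
    "USER_KEY_PHYSICAL_COMPROMISE",
}


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWS segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def split_blob(blob: str) -> Tuple[dict, dict, bytes]:
    """Split a compact JWS into (protected header, payload, raw signature).

    This only decodes; it does NOT verify the signature. Do not trust the
    payload without that verification.
    """
    parts = blob.split(".")
    if len(parts) != 3:
        raise ValueError("an MDS3 BLOB is a compact JWS with three segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def aaguid_from_authdata(raw: bytes) -> str:
    """Attested credential data carries the AAGUID as 16 raw bytes; MDS3
    entries carry a lowercase dashed UUID. Searching with the wrong form is
    one way an AAGUID ends up 'not found'."""
    if len(raw) != 16:
        raise ValueError("AAGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes=raw))


def find_entry(payload: dict, aaguid: str) -> Optional[dict]:
    """Return the entry whose aaguid matches (case-insensitively), else None."""
    wanted = aaguid.lower()
    for entry in payload.get("entries", []):
        if entry.get("aaguid", "").lower() == wanted:
            return entry
    return None


def latest_status(entry: dict) -> Optional[str]:
    """Status of the most recent statusReport, ordered by effectiveDate."""
    reports = entry.get("statusReports", [])
    if not reports:
        return None
    return max(reports, key=lambda r: r.get("effectiveDate", "")).get("status")


def is_trustworthy(entry: dict) -> bool:
    """False when the newest status report marks the model compromised/revoked."""
    status = latest_status(entry)
    return status is not None and status not in COMPROMISED_STATUSES


SAMPLE_AAGUID = "01234567-89ab-cdef-0123-456789abcdef"  # constructed value


def build_sample_blob() -> str:
    """Constructed, unsigned MDS3-shaped BLOB (not real FIDO Alliance data)."""
    header = {"alg": "ES256", "typ": "JWT", "x5c": ["PLACEHOLDER-CERT-CHAIN"]}
    payload = {
        "legalHeader": "constructed sample, not FIDO Alliance data",
        "no": 1,
        "nextUpdate": "2099-01-01",
        "entries": [
            {"aaguid": SAMPLE_AAGUID,
             "metadataStatement": {"description": "Constructed Authenticator"},
             "statusReports": [
                 {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2023-01-01"}]},
            {"aaguid": "ffffffff-ffff-ffff-ffff-ffffffffffff",
             "metadataStatement": {"description": "Constructed Revoked Model"},
             "statusReports": [
                 {"status": "FIDO_CERTIFIED", "effectiveDate": "2022-01-01"},
                 {"status": "REVOKED", "effectiveDate": "2024-01-01"}]},
        ],
    }
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"\x00" * 64),  # placeholder signature, never valid
    ])


def lookup(blob: str, raw_aaguid: bytes) -> Tuple[Optional[dict], bool]:
    """Decode the BLOB and return (matching entry or None, trustworthy flag)."""
    _header, payload, _sig = split_blob(blob)
    entry = find_entry(payload, aaguid_from_authdata(raw_aaguid))
    return entry, bool(entry and is_trustworthy(entry))


if __name__ == "__main__":
    entry, ok = lookup(build_sample_blob(), bytes.fromhex("0123456789abcdef" * 2))
    print(entry["metadataStatement"]["description"], "trusted:", ok)
```

The lookup normalises the 16-byte AAGUID from the attested credential data into the dashed, lowercase UUID string that MDS3 entries use; the status check reads the newest `statusReports` item so a model revoked after certification is rejected. Signature and chain validation of the BLOB are the step that the conformance endpoints discussed above exercise, and they sit before `find_entry` in any real pipeline.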