Closed lea-ger closed 2 years ago
Hi @lea-ger,
I am sorry but I cannot reproduce the issue on my computer (Windows 11). Could you please send me:
- /attestation/options
- /attestation/result
Both are JSON objects.
Hello @Spomky,
The attestation object:
{
"rp":{
"name":"Webauthn Demo",
"id":"webauthn.spomky-labs.com"
},
"pubKeyCredParams":[
{
"type":"public-key",
"alg":-8
},
{
"type":"public-key",
"alg":-7
},
{
"type":"public-key",
"alg":-46
},
{
"type":"public-key",
"alg":-35
},
{
"type":"public-key",
"alg":-36
},
{
"type":"public-key",
"alg":-257
},
{
"type":"public-key",
"alg":-258
},
{
"type":"public-key",
"alg":-259
},
{
"type":"public-key",
"alg":-37
},
{
"type":"public-key",
"alg":-38
},
{
"type":"public-key",
"alg":-39
}
],
"challenge":"Te4W2OWn8QCnXX9i8qA0OEMXIvpiea3OGUKw1drCxl8",
"attestation":"none",
"user":{
"name":"Test1",
"id":"MDFGWktQOEJBNDU2Mk1GWE5aSDM3N1ZOMEU",
"displayName":"Test1"
},
"authenticatorSelection":{
"requireResidentKey":false,
"userVerification":"preferred"
},
"timeout":60000,
"status":"ok",
"errorMessage":""
}
The authenticator response:
{
"id":"3pa7b5fE7ozHQCkYuKsR-e4ivCX1Y3O6VLYuw3nFzes",
"type":"public-key",
"rawId":"3pa7b5fE7ozHQCkYuKsR+e4ivCX1Y3O6VLYuw3nFzes=",
"response":{
"clientDataJSON":"eyJjaGFsbGVuZ2UiOiJUZTRXMk9XbjhRQ25YWDlpOHFBME9FTVhJdnBpZWEzT0dVS3cxZHJDeGw4IiwiY2xpZW50RXh0ZW5zaW9ucyI6e30sImhhc2hBbGdvcml0aG0iOiJTSEEtMjU2Iiwib3JpZ2luIjoiaHR0cHM6Ly93ZWJhdXRobi5zcG9ta3ktbGFicy5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0=",
"attestationObject":"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVkBWJYE6oKCTpikraFLRGLQ1zqOxGkTDakbGTB0WSKfdKNZRQAAAAAAACDelrtvl8TujMdAKRi4qxH57iK8JfVjc7pUti7DecXN66QBAwM5AQAgWQEAtYGhqe5wnQiKSj9fCucnx8rYA8F2m/XUKbFBeYmlb9ZGe6hn9KPLT6CJ7nWF4KtuasjvpgmGKU3UOCs55CyJ1s46tyGhrnnmsMsUMZnvrC+sgW9hTpYUBngbN86xp5tzuaEZ0Q5S2GDde3bYCmEf3/s36qoqAZoG69C+3ynmTuiTLF9fjiRXkrHdoyy1dD37sdcVRPId45Q9Vuv6NIWXuCZv5nZRVpr0M8FQYiYvhH4C1GTWKOgys5l6DOPUPGxCq7Tiv1K4cXN4YaqzGDXkj+vuz1xmblvRsYVTnhyP+Ln+iUiIIKPaDFTH6i0GGnW4mmF3Hi8hmKbVlquvnqYRFyFDAQAB"
}
}
In this case, it resulted in this response:
{
"status":"error",
"errorMessage":"Out of range. Expected: 43793, read: 289."
}
Many thanks.
The structure looks good, but the attested credential data returned by the authenticator has an invalid public key ID length (43793 bits is way too long)
The authenticator data (in hex, spaces added) is 9604ea82824e98a4ada14b4462d0d73a8ec469130da91b19307459229f74a359 45 00000000 000020de96bb6f97c4ee8cc7402918b8 ab11 ...
- 9604ea82824e98a4ada14b4462d0d73a8ec469130da91b19307459229f74a359 corresponds to the RP ID hash (sha-256 of "webauthn.spomky-labs.com") => OK
- 45 (b01000101) corresponds to the flags.
- 00000000 corresponds to the counter (0), which is normal for a first credential use => OK
- 000020de96bb6f97c4ee8cc7402918b8 is the AAGUID. It is not listed in the Fido Alliance MDS server so I cannot tell who the manufacturer is (if anybody knows). It will be set to a null AAGUID later as no attestation is used here => OK
- ab11 is supposed to be the length of the credential (unsigned 16-bit big-endian), which corresponds to 43793 => NOT OK
What is your authenticator manufacturer (computer brand/TPM chip)?
The authenticator with the AAGUID 000020de-96bb-6f97-c4ee-8cc7402918b8
seems to be the reason for failure, but I am not sure at all.
Could you please test with a roaming authenticator (USB/BLE interface) and Windows Hello?
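The byte walk above, as an added example that is not part of this thread or of webauthn-lib: a small Python parser that extracts authData from the fmt "none" attestation object quoted earlier in the thread (using that format's fixed CBOR prefix instead of a CBOR library, an assumption that only holds for fmt "none" with an empty attStmt), checks the RP ID hash, and applies the same credential-ID-length bounds check that produces the "Out of range" error. Field offsets follow the WebAuthn authenticator data layout; the function names are mine.

```python
import base64
import hashlib
import struct
# Attestation object from the Windows Hello / Firefox response quoted above
# (copied from the thread, split only to keep the lines readable).
ATTESTATION_OBJECT_B64 = (
    "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVkBWJYE6oKCTpikraFLRGLQ1zqOxGkTDakbGTB0WSKfdKNZRQAAAAAAACDelrtvl8TujMdAKRi4qxH5"
    "7iK8JfVjc7pUti7DecXN66QBAwM5AQAgWQEAtYGhqe5wnQiKSj9fCucnx8rYA8F2m/XUKbFBeYmlb9ZGe6hn9KPLT6CJ7nWF4KtuasjvpgmGKU3UOCs55CyJ1s46"
    "tyGhrnnmsMsUMZnvrC+sgW9hTpYUBngbN86xp5tzuaEZ0Q5S2GDde3bYCmEf3/s36qoqAZoG69C+3ynmTuiTLF9fjiRXkrHdoyy1dD37sdcVRPId45Q9Vuv6NIWX"
    "uCZv5nZRVpr0M8FQYiYvhH4C1GTWKOgys5l6DOPUPGxCq7Tiv1K4cXN4YaqzGDXkj+vuz1xmblvRsYVTnhyP+Ln+iUiIIKPaDFTH6i0GGnW4mmF3Hi8hmKbVlquvnqYRFyFDAQAB"
)
# CBOR prefix of a fmt "none" object with an empty attStmt; the trailing 0x59
# means the authData byte string carries a 2-byte big-endian length (assumption).
NONE_FMT_PREFIX = b"\xa3cfmtdnonegattStmt\xa0hauthDataY"
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # WebAuthn authData flag bits

def auth_data_from_attestation_object(b64):
    """Pull authData out of a fmt "none" attestation object without a CBOR lib."""
    raw = base64.b64decode(b64)
    if not raw.startswith(NONE_FMT_PREFIX):
        raise ValueError("not a fmt=none attestation object")
    start = len(NONE_FMT_PREFIX) + 2
    (length,) = struct.unpack(">H", raw[start - 2:start])
    return raw[start:start + length]

def rp_id_hash_matches(ad, rp_id):
    return ad[:32] == hashlib.sha256(rp_id.encode()).digest()

def credential_id_length_check(ad):
    """Return (declared credential ID length, bytes actually left after it)."""
    (cred_len,) = struct.unpack(">H", ad[53:55])
    return cred_len, len(ad) - 55

def parse_authenticator_data(ad):
    """Parse authData; refuse a credential ID length the buffer cannot hold."""
    if len(ad) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = ad[32]
    result = {"rp_id_hash": ad[:32].hex(), "flags": flags, "user_present": bool(flags & FLAG_UP),
              "user_verified": bool(flags & FLAG_UV), "counter": struct.unpack(">I", ad[33:37])[0]}
    if flags & FLAG_AT:
        if len(ad) < 55:
            raise ValueError("attested credential data truncated")
        cred_len, remaining = credential_id_length_check(ad)
        if cred_len > remaining:  # the condition the library reports in the trace below
            raise ValueError(f"Out of range. Expected: {cred_len}, read: {remaining}.")
        result.update(aaguid=ad[37:53].hex(), credential_id=ad[55:55 + cred_len].hex(),
                      public_key_cbor=ad[55 + cred_len:].hex())
    return result
```

Running `parse_authenticator_data` on the quoted sample raises exactly the "Out of range. Expected: 43793, read: 289." message, while a well-formed authData parses into its fields.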
The computer itself is a HP notebook and the TPM chip was manufactured by AMD.
Using a roaming authenticator (in this case I used a Yubico Security Key NFC) doesn't seem to work for me either. Here is the authenticator response:
{
"id":"FsWK1xvQgVijGcW2t1T8f6YMudEBX4FDQ8Nft1jrWo7w-JJTWbDhgRcWpPhwKACN-hBY3B0NBXQ7SAg4bJzDLu-e2Pdhx-Px_g9dN1S8c-Vwcx4YpQ-cKESjoI_ARi3o-DZdxHUQv5wvYSziN5_mXsxbH6J_F_JUjRx9NxVfr44",
"type":"public-key",
"rawId":"FsWK1xvQgVijGcW2t1T8f6YMudEBX4FDQ8Nft1jrWo7w+JJTWbDhgRcWpPhwKACN+hBY3B0NBXQ7SAg4bJzDLu+e2Pdhx+Px/g9dN1S8c+Vwcx4YpQ+cKESjoI/ARi3o+DZdxHUQv5wvYSziN5/mXsxbH6J/F/JUjRx9NxVfr44=",
"response":{
"clientDataJSON":"eyJjaGFsbGVuZ2UiOiJIUlNILWZ0VzNEOVJhRmYyUmdVZm1BeHJHdHliLW0xeFhPSmJjVjcxcmxjIiwiY2xpZW50RXh0ZW5zaW9ucyI6e30sImhhc2hBbGdvcml0aG0iOiJTSEEtMjU2Iiwib3JpZ2luIjoiaHR0cHM6Ly93ZWJhdXRobi5zcG9ta3ktbGFicy5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0=",
"attestationObject":"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVjSlgTqgoJOmKStoUtEYtDXOo7EaRMNqRsZMHRZIp90o1lFAAAAAQAAgBbFitcb0IFYoxnFtrdU/H+mDLnRAV+BQ0PDX7dY61qO8PiSU1mw4YEXFqT4cCgAjfoQWNwdDQV0O0gIOGycwy7vntj3Ycfj8f4PXTdUvHPlcHMeGKUPnChEo6CPwEYt6Pg2XcR1EL+cL2Es4jef5l7MWx+ifxfyVI0cfTcVX6+OpAEBAycgBiFYIEi0puUv5PCRuafjh0NkT+54W39r+vMxr7vuCW2RwWgf"
}
}
Hi,
Many thanks for the details. I extracted the attestation object and I am still facing the same issue.
The first bytes are correct: same RP ID hash, same flags, counter is 1. But the key length and the following bytes (public key) are still invalid.
Regarding the AAGUID, I was expecting one of those listed on the Yubico page, but here we have 00008016-C58A-D71B-D081-58A319C5B6B7
So for me the issue comes from the client (web browser). I tested with Firefox and it is failing for me (it was working fine a few days ago). Google Chrome, MS Edge and Opera work as expected.
I found that issue on Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1554397
Can you tell me if you are using Firefox? If yes, can you test with another browser and confirm if it fails or not?
Many thanks. Regards.
Hi,
Yes, I am using Firefox and indeed that seems to be the issue. I was able to successfully register using MS Edge. Thanks for linking the Bugzilla issue, I hope this will be worked on soon.
Thanks a lot for your help and your patience!
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Hi,
I am trying to use this package and always run into an issue when trying to register new users. This issue seems to only appear when using Windows Hello, as I've tested this on a colleague's MacBook and it worked there seamlessly. I first thought that this was an issue with my configuration but it appears that the same issue can be found on the demo page (see screenshot below). The issue seems to be the attestationObject's credential length which is used in AttestationObjectLoader::109, the byte length read from the StringStream is way too large. I'm not too well versed on the inner workings of the package or the details of the inner workings of WebAuthn authentication, so I'm afraid this is all I can provide as help to find the reason for this issue. But it might be related to this issue.
Here is an extract of a stacktrace I'm getting:
[2022-04-01 18:12:37] local.ERROR: Out of range. Expected: 35079, read: 289. {"userId":1,"exception":"[object] (Assert\InvalidArgumentException(code: 37): Out of range. Expected: 35079, read: 289. at C:\Users\Leander\PhpstormProjects\brezel\api\vendor\beberlei\assert\lib\Assert\Assertion.php:2728) [stacktrace]
0 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\beberlei\assert\lib\Assert\Assertion.php(840): Assert\Assertion::createException('\xCCS\x84@3\x11P\x19\x7F\xE4\xB3\x90\x8FY\x90...', 'Out of range. E...', 37, NULL, Array)
1 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\web-auth\webauthn-lib\src\StringStream.php(58): Assert\Assertion::length('\xCCS\x84@3\x11P\x19\x7F\xE4\xB3\x90\x8FY\x90...', 35079, 'Out of range. E...', NULL, '8bit')
2 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\web-auth\webauthn-lib\src\AttestationStatement\AttestationObjectLoader.php(109): Webauthn\StringStream->read(35079)
3 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\web-auth\webauthn-lib\src\PublicKeyCredentialLoader.php(139): Webauthn\AttestationStatement\AttestationObjectLoader->load('o2NmbXRkbm9uZWd...')
4 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\web-auth\webauthn-lib\src\PublicKeyCredentialLoader.php(100): Webauthn\PublicKeyCredentialLoader->createResponse(Array)
5 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\web-auth\webauthn-lib\src\PublicKeyCredentialLoader.php(120): Webauthn\PublicKeyCredentialLoader->loadArray(Array)
6 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\web-auth\webauthn-lib\src\Server.php(256): Webauthn\PublicKeyCredentialLoader->load('{\"id\":\"xYZ74Bvm...')
7 C:\Users\Leander\PhpstormProjects\brezel\api\app\Http\Controllers\GeneralController.php(424): Webauthn\Server->loadAndCheckAttestationResponse('{\"id\":\"xYZ74Bvm...', Object(Webauthn\PublicKeyCredentialCreationOptions), Object(Nyholm\Psr7\ServerRequest))
8 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\laravel\framework\src\Illuminate\Routing\Controller.php(54): App\Http\Controllers\GeneralController->registerWebauthnResponse(Object(Illuminate\Http\Request), Object(App\System\System))
9 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\laravel\framework\src\Illuminate\Routing\ControllerDispatcher.php(45): Illuminate\Routing\Controller->callAction('registerWebauth...', Array)
To Reproduce
Go to https://webauthn.spomky-labs.com/register and try to register using Windows Hello.
Desktop (please complete the following information):