Closed Flole998 closed 7 months ago
Hi @Flole998,
Can you please send me the authenticator options and response as JSON objects? I will try to understand this behavior. I wonder if this is due to the upcoming Webauthn v3 which is not supported yet.
I just did some additional debugging, and the "missing" signature is intended and simply caused by the library doing the client-side part: https://github.com/MasterKale/SimpleWebAuthn/blob/fe90e2765b2bfab2405ef2875c9c98d39d66416e/packages/browser/src/methods/startRegistration.ts#L101
You can see what parameters it passes to the server in the line I linked.
Either they are interpreting the standard in a different way or (what is more likely IMO) this library is requiring more than it should/the condition is wrong. I would assume the condition I linked to above is wrong, and it should be either `array_key_exists('attestationObject', $response) && ( ! array_key_exists('authenticatorData', $response) || ! array_key_exists('signature', $response) )`, meaning "if attestationObject is set and either authenticatorData or signature is missing use the attestationObject, otherwise (if authenticatorData and signature are present) use that, otherwise fail", or probably also a simple `array_key_exists('attestationObject', $response)` could work, which means "if attestationObject is set use it, otherwise check for authenticatorData and signature, use if present, fail otherwise".
I will try to set up a debug environment so I am not sending you some real-world data if you still need the options/responses.
Hi @Flole998,
I tried to figure out what is going on and I think I spotted the issue.
The verification was done as per the Webauthn v1 where the Assertion Response (login) contains both `authenticatorData` and `signature`.
The Attestation Response (creation) was only supposed to contain an `attestationObject`.
It changed in v2 where the `authenticatorData` can be present in the Attestation Response.
From my understanding, the only required key for the Assertion Response is the `signature`.
For the Attestation Response, the absence of the `signature` or the presence of the `attestationObject` should be sufficient.
Should be fixed in 4.8.5. Feel free to reopen if this is still an issue.
Version(s) affected
4.8.2
Description
Trying to add a Passkey using 1Password fails. The culprit is a `Unable to create the response object` error in `PublicKeyCredentialLoader.php:188`.
How to reproduce
Try to add a Passkey where `authenticatorData` is set, `signature` is not set and `attestationObject` is set.
Possible Solution
My "fix" was to change the && to a || in https://github.com/web-auth/webauthn-framework/blob/df747094d06415db637ac811d4478e056037e7a9/src/webauthn/src/PublicKeyCredentialLoader.php#L156
I am not sure if that is a proper fix, likely not. It should probably check if `attestationObject` exists.
Additional Context
No response
No response
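The key-presence rule discussed in this thread, written out as an added example (not code from web-auth/webauthn-framework or from either commenter). It follows the second ordering proposed in the comments: `attestationObject` first, then `authenticatorData` plus `signature`, otherwise fail. The function name `classifyAuthenticatorResponse` and the sample arrays are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of web-auth/webauthn-framework.
// Decides which kind of authenticator response a decoded "response" member is,
// looking only at which keys are present and hold non-empty strings.
function classifyAuthenticatorResponse(array $response): string
{
    $has = static fn (string $key): bool =>
        array_key_exists($key, $response)
        && is_string($response[$key])
        && $response[$key] !== '';

    // Registration: attestationObject decides, whether or not the client
    // also sent authenticatorData alongside it.
    if ($has('attestationObject')) {
        return 'attestation';
    }

    // Login: both authenticatorData and signature are needed for verification.
    if ($has('authenticatorData') && $has('signature')) {
        return 'assertion';
    }

    // Neither shape matched: fail instead of guessing a response type.
    throw new InvalidArgumentException('Unable to create the response object');
}

// Constructed sample inputs (placeholder strings, not real credential data).
$samples = [
    'attestationObject only' =>
        ['attestationObject' => 'AAAA'],
    'attestationObject + authenticatorData, no signature' =>
        ['attestationObject' => 'AAAA', 'authenticatorData' => 'BBBB'],
    'authenticatorData + signature' =>
        ['authenticatorData' => 'BBBB', 'signature' => 'CCCC'],
    'authenticatorData only' =>
        ['authenticatorData' => 'BBBB'],
];

foreach ($samples as $label => $response) {
    try {
        $kind = classifyAuthenticatorResponse($response);
    } catch (InvalidArgumentException $e) {
        $kind = 'rejected: ' . $e->getMessage();
    }
    printf("%-52s => %s\n", $label, $kind);
}
```

The second sample is the shape from "How to reproduce"; the last one shows that a response with neither an `attestationObject` nor a `signature` is still rejected.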