web-auth / webauthn-framework

FIDO-U2F / FIDO2 / Webauthn Framework
MIT License

WebauthnSerializerFactory cannot serialize PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions #591

Closed mrpachara closed 2 weeks ago

mrpachara commented 3 months ago

Version(s) affected

4.8.5

Description

I tried to serialize PublicKeyCredentialCreationOptions using WebauthnSerializerFactory and got this error:

Symfony\Component\Serializer\Exception\NotEncodableValueException with message Malformed UTF-8 characters, possibly incorrectly encoded in JsonEncode.php:52

But this doesn't happen when I use json_encode(). I think it comes from some of the normalizers in the serializer.

How to reproduce

Example code:

<?php

use Symfony\Component\Serializer\Encoder\JsonEncode;
use Webauthn\AttestationStatement\AttestationStatementSupportManager;
use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
use Webauthn\AuthenticatorSelectionCriteria;
use Webauthn\Denormalizer\WebauthnSerializerFactory;
use Webauthn\PublicKeyCredentialCreationOptions;
use Webauthn\PublicKeyCredentialRpEntity;
use Webauthn\PublicKeyCredentialUserEntity;

// Placeholder values for the objects the snippet relies on (assumed here so it runs; not part of the report).
$attestationStatementSupportManager = new AttestationStatementSupportManager();
$attestationStatementSupportManager->add(new NoneAttestationStatementSupport());
$rpEntity = PublicKeyCredentialRpEntity::create('My Application', 'example.com');
$userEntity = PublicKeyCredentialUserEntity::create('john.doe', \random_bytes(16), 'John Doe');
$authenticatorSelectionCriteria = AuthenticatorSelectionCriteria::create();

$serializer = (new WebauthnSerializerFactory($attestationStatementSupportManager))->create();

// Challenge is 16 raw random bytes, as recommended for WebAuthn ceremonies.
$publicKeyCredentialCreationOptions = PublicKeyCredentialCreationOptions::create(
    $rpEntity,
    $userEntity,
    \random_bytes(16),
    authenticatorSelection: $authenticatorSelectionCriteria,
    attestation: PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_NONE,
);

// Error: NotEncodableValueException ("Malformed UTF-8 characters, possibly incorrectly encoded")
$json = $serializer->serialize(
    $publicKeyCredentialCreationOptions,
    'json',
    [
        JsonEncode::OPTIONS => \JSON_THROW_ON_ERROR,
    ],
);

// No error and can be deserialized: json_encode() uses the object's own JsonSerializable output
$json = \json_encode(
    $publicKeyCredentialCreationOptions,
    \JSON_THROW_ON_ERROR,
);
$result = $serializer->deserialize(
    $json,
    PublicKeyCredentialCreationOptions::class,
    'json',
);

But when I change \random_bytes(16) to '123456789012345', it works.

// Same options as above, but with a plain ASCII string as the challenge
$publicKeyCredentialCreationOptions = PublicKeyCredentialCreationOptions::create(
    $rpEntity,
    $userEntity,
    '123456789012345',
    authenticatorSelection: $authenticatorSelectionCriteria,
    attestation: PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_NONE,
);

// No error
$json = $serializer->serialize(
    $publicKeyCredentialCreationOptions,
    'json',
    [
        JsonEncode::OPTIONS => \JSON_THROW_ON_ERROR,
    ],
);

I think the error comes from some of the normalizers in the serialize() process that change the value of the challenge.

Possible Solution

No response

Additional Context

No response
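The difference between the two reproductions above comes down to what bytes reach json_encode(). The following is an added example, not code from the issue or from webauthn-framework, and it uses no library code: it encodes a challenge the two ways a serializer could, as the raw property value and as base64url (the form WebAuthn uses on the wire), and shows why an ASCII challenge happens to work while random bytes fail. The base64url helpers and the encode_raw()/encode_base64url() functions are written for this example only.

```php
<?php
declare(strict_types=1);

// Added example, not webauthn-framework code. Reproduces the failure mode of the
// issue without the library: json_encode() requires valid UTF-8 strings, and a
// raw random challenge is almost never one.

/** RFC 4648 base64url without padding: the encoding WebAuthn uses for challenges and IDs (assumed helper). */
function base64url_encode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

/** Inverse of base64url_encode(); PHP accepts missing '=' padding (assumed helper). */
function base64url_decode(string $text): string
{
    $decoded = base64_decode(strtr($text, '-_', '+/'), true);
    if ($decoded === false) {
        throw new InvalidArgumentException('not valid base64url');
    }
    return $decoded;
}

/** What a normalizer that copies the raw property value produces. */
function encode_raw(string $challenge): string
{
    return json_encode(['challenge' => $challenge], JSON_THROW_ON_ERROR);
}

/** What a JsonSerializable implementation that encodes binary fields produces. */
function encode_base64url(string $challenge): string
{
    return json_encode(['challenge' => base64url_encode($challenge)], JSON_THROW_ON_ERROR);
}

$random = random_bytes(16);
$ascii  = '123456789012345';

// ASCII is valid UTF-8, so the raw path happens to succeed: {"challenge":"123456789012345"}
echo encode_raw($ascii), PHP_EOL;

// 16 random bytes are valid UTF-8 only by coincidence, so the raw path normally throws
// JsonException "Malformed UTF-8 characters, possibly incorrectly encoded" (JSON_ERROR_UTF8).
// Because it is probabilistic, a fixed ASCII test value hides the bug.
try {
    echo encode_raw($random), PHP_EOL;
    echo '(random bytes were valid UTF-8 this time; rerun to see the failure)', PHP_EOL;
} catch (JsonException $e) {
    echo 'raw: ', $e->getMessage(), ' (code ', $e->getCode(), ')', PHP_EOL;
}

// The base64url form always encodes, and decodes back to the original bytes.
$json = encode_base64url($random);
$decoded = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
$back = base64url_decode($decoded['challenge']);
if (!hash_equals($random, $back)) {
    throw new RuntimeException('round trip failed');
}
echo 'base64url: ', $json, PHP_EOL;
```

Run it with `php example.php`. When checking a fix for this issue, test with random_bytes() rather than a literal string, and compare the serializer's output with json_encode() on the same object: the two must agree on the challenge field, and the decoded challenge must match the bytes stored for the ceremony.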

Spomky commented 2 months ago

Hi,

Indeed, the serializer generated from the WebauthnSerializerFactory is only suitable for reading a JSON object, but not for generating it. It would be a nice addition though.

Spomky commented 2 weeks ago

Will be tagged 4.9.0