webauthn-open-source / fido2-lib

A node.js library for performing FIDO 2.0 / WebAuthn server functionality
https://webauthn.io
MIT License

Error registering a security key when requesting resident key #104

Open MxBlu opened 2 years ago

MxBlu commented 2 years ago

Hi there,

I was interested in using the standard to implement both passwordless login as well as usernameless login, so I created a demo for it which allowed both forms: https://github.com/MxBlu/fido-poc

Unfortunately I've found that when requiring a resident key, the response cannot be parsed by the server using attestationResult():

Error: couldn't parse authenticator.authData.attestationData CBOR: Error: Data read, but end of buffer not reached
    at PublicKey.fromCose (\x\fido-poc\backend\node_modules\fido2-lib\dist\main.cjs:1010:10)
    at parseAuthenticatorData (\x\fido-poc\backend\node_modules\fido2-lib\dist\main.cjs:2898:19)
    at parseAuthnrAttestationResponse (\x\fido-poc\backend\node_modules\fido2-lib\dist\main.cjs:2845:12)
    at Fido2AttestationResult.parse (\x\fido-poc\backend\node_modules\fido2-lib\dist\main.cjs:3035:27)
    at async Fido2AttestationResult.create (\x\fido-poc\backend\node_modules\fido2-lib\dist\main.cjs:3004:3)
    at async Function.create (\x\fido-poc\backend\node_modules\fido2-lib\dist\main.cjs:3050:10)
    at async Fido2Lib.attestationResult (\x\fido-poc\backend\node_modules\fido2-lib\dist\main.cjs:5465:10)

I can debug JS code, but decoding the CBOR response is out of my expertise sadly. Any insight would be much appreciated!

The issue can be reproduced with my demo by setting FIDO2_REQUIRE_RESIDENT_KEY = true in backend/src/constants.ts.

Options object passed to navigator.credentials.create():

{
  "publicKey": {
    "rp": {
      "name": "MxBlue Server",
      "id": "fido.mxblue.net.au"
    },
    "user": {
      "id": {},
      "displayName": "mxblue",
      "name": "mxblue-150822-3"
    },
    "challenge": {},
    "pubKeyCredParams": [
      {
        "type": "public-key",
        "alg": -7
      },
      {
        "type": "public-key",
        "alg": -257
      }
    ],
    "timeout": 120000,
    "attestation": "none",
    "authenticatorSelection": {
      "requireResidentKey": true
    }
  }
}

Environment details:
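For context on what "Data read, but end of buffer not reached" means for a WebAuthn server, here is a hand-written parser of the authenticator data layout. It is an added example, not code from fido2-lib or from MxBlu's demo, and it shows one layout consistent with that message: the COSE public key inside attested credential data is a single CBOR item, and when the ED flag (0x80) is set an extensions map follows it, so a decoder that insists on consuming the whole remaining buffer rejects a well-formed response. Whether that is what MxBlu's authenticator produced is not established in this thread. The sample authenticator data, the extension output and all byte values are constructed for the example, and the names cborDecode, parseAuthenticatorData, decodeSingleItemStrict and buildSampleAuthData are the example's own.

```javascript
// Added example (not fido2-lib code): parse WebAuthn authenticator data by hand.
// Layout per the WebAuthn spec:
//   rpIdHash(32) | flags(1) | signCount(4)
//   | [aaguid(16) | credIdLen(2) | credId | COSE key CBOR]   present when AT (0x40) is set
//   | [extensions CBOR]                                       present when ED (0x80) is set

// Minimal CBOR decoder that returns [value, nextOffset] so the caller can see
// where one item ends and hand any following bytes to the next parsing step.
function cborDecode(buf, offset = 0) {
  const ib = buf[offset];
  const major = ib >> 5;
  const info = ib & 0x1f;
  let arg;
  let pos = offset + 1;
  if (info < 24) arg = info;
  else if (info === 24) { arg = buf[pos]; pos += 1; }
  else if (info === 25) { arg = (buf[pos] << 8) | buf[pos + 1]; pos += 2; }
  else throw new Error(`unsupported CBOR additional info ${info}`);
  switch (major) {
    case 0: return [arg, pos];                                   // unsigned int
    case 1: return [-1 - arg, pos];                              // negative int
    case 2: return [buf.slice(pos, pos + arg), pos + arg];       // byte string
    case 3: return [new TextDecoder().decode(buf.slice(pos, pos + arg)), pos + arg]; // text string
    case 4: {                                                    // array
      const arr = [];
      for (let i = 0; i < arg; i++) { const [v, p] = cborDecode(buf, pos); arr.push(v); pos = p; }
      return [arr, pos];
    }
    case 5: {                                                    // map (COSE keys and extensions)
      const m = new Map();
      for (let i = 0; i < arg; i++) {
        const [k, p1] = cborDecode(buf, pos);
        const [v, p2] = cborDecode(buf, p1);
        m.set(k, v); pos = p2;
      }
      return [m, pos];
    }
    case 7:                                                      // simple values: false / true
      if (info === 20) return [false, pos];
      if (info === 21) return [true, pos];
      throw new Error(`unsupported CBOR simple value ${info}`);
    default: throw new Error(`unsupported CBOR major type ${major}`);
  }
}

// Decoding "everything after the credential id" as one CBOR item and insisting
// that nothing follows mimics the failure mode named in the error text.
function decodeSingleItemStrict(buf, offset) {
  const [value, end] = cborDecode(buf, offset);
  if (end !== buf.length) throw new Error("Data read, but end of buffer not reached");
  return value;
}

// Layout-aware parser: the COSE key is one item, extensions (if ED) come next.
function parseAuthenticatorData(authData) {
  const dv = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flagByte = authData[32];
  const out = {
    rpIdHash: authData.slice(0, 32),
    flags: { up: !!(flagByte & 0x01), uv: !!(flagByte & 0x04), at: !!(flagByte & 0x40), ed: !!(flagByte & 0x80) },
    signCount: dv.getUint32(33, false), // big-endian
  };
  let pos = 37;
  if (out.flags.at) {
    const aaguid = authData.slice(pos, pos + 16); pos += 16;
    const credIdLen = dv.getUint16(pos, false); pos += 2;
    const credId = authData.slice(pos, pos + credIdLen); pos += credIdLen;
    const [coseKey, next] = cborDecode(authData, pos); pos = next;
    out.attestedCredentialData = { aaguid, credId, coseKey };
  }
  if (out.flags.ed) {
    const [extensions, next] = cborDecode(authData, pos); pos = next;
    out.extensions = extensions;
  }
  if (pos !== authData.length) throw new Error(`${authData.length - pos} unexpected trailing bytes`);
  return out;
}

// Constructed sample: ES256 credential plus one extension entry (all values made up).
function buildSampleAuthData() {
  const fill = (n, b) => new Array(n).fill(b);
  const text = (s) => { const b = [...new TextEncoder().encode(s)]; return [0x60 + b.length, ...b]; };
  const coseKey = [0xa5,
    0x01, 0x02,                            // 1 (kty) : 2 (EC2)
    0x03, 0x26,                            // 3 (alg) : -7 (ES256)
    0x20, 0x01,                            // -1 (crv): 1 (P-256)
    0x21, 0x58, 0x20, ...fill(32, 0xaa),   // -2 (x)  : 32-byte string (constructed)
    0x22, 0x58, 0x20, ...fill(32, 0xbb)];  // -3 (y)  : 32-byte string (constructed)
  const extensions = [0xa1, ...text("credProtect"), 0x02]; // constructed extension output
  return new Uint8Array([
    ...fill(32, 0x11),                     // rpIdHash (constructed)
    0xc5,                                  // flags: UP | UV | AT | ED
    0x00, 0x00, 0x00, 0x07,                // signCount = 7
    ...fill(16, 0x00),                     // aaguid
    0x00, 0x04, 0xde, 0xad, 0xbe, 0xef,    // credIdLen = 4, credId
    ...coseKey,
    ...extensions,
  ]);
}

const parsed = parseAuthenticatorData(buildSampleAuthData());
console.log("alg:", parsed.attestedCredentialData.coseKey.get(3), "extensions:", parsed.extensions);
```

Running the block prints the algorithm id (-7) and the decoded extensions map; calling decodeSingleItemStrict on the same buffer at the COSE key offset throws, because the extensions bytes remain after the key. A server-side parser should therefore decode the key as one item and branch on the ED flag rather than assume the key runs to the end of the buffer.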

Hexagon commented 2 years ago

@MxBlu Does the fix in PR #105, released in fido2-lib@3.3.0, change the outcome of this problem?