webauthn-open-source / fido2-lib

A node.js library for performing FIDO 2.0 / WebAuthn server functionality
https://webauthn.io
MIT License

Signature mismatch when using mobile device #158

Closed wparad closed 4 months ago

wparad commented 4 months ago

This happens for multiple YubiKeys and the Brave browser authenticator. All of them work through the Brave browser, but when using the cross-platform authenticators on mobile (browser irrelevant), all of them get invalid signatures.

Calling await fido2lib.assertionResult(res, assertionExpectations):

res:

{
    rawId: b64'rqinmeEqIk9P4rlj5+w4UZTRDiaHcJmuy46InojSlnEWQpidux1XPpRZYXk/t7N4nisvj/US5Wdv4EBdYfX1+g==',
    response: {
        authenticatorData: 'aIcEYStClZXHYBcsiOnRIQyLrczjunPQHtagHxFwIkIFAAAB2g==',
        clientDataJSON: 'eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiV2xoVmRHUXlWbnBrU0hob1pGaFNiMk50Vm5wamVUVndZak4zTUUxRVJtbE5WRVUwVFVkUk1GbHRUWGhOVjFac1QxUm5NRTFIV210Wk1rVjRXbGRSZUU1NlNUTlBXSGN0V2t4SU9HODNZVE00VTBOYVozQkNlVlZKVFhWMFpreHpUbHBtV0dSUlNUTlVYMjFEVUZoNVdIRkxaR05DWVdOQlpteHBkVWwwVUhobWFFNUlZbVV5VFdKUlVucEtRM1k0V0VwQ1NWZEJaVnB2ZDNsU1gxRi1aMjl2WjJ4bCIsIm9yaWdpbiI6Imh0dHBzOi8vbG9naW4uYXV0aHJlc3MuaW8iLCJhbmRyb2lkUGFja2FnZU5hbWUiOiJvcmcubW96aWxsYS5maXJlZm94In0=',
        signature: 'MEUCIQCUHVZ4KE1L0Id292knR44w7K/ffp7juJ/SlX5627vO6gIgG+J0R7B3Ohb4G1uRfPsdIXfc+xdrLPgWFhIvqEQw0To='
    }
}

AssertionExpectations:

{
    "challenge": "WlhVdGQyVnpkSHhoZFhSb2NtVnpjeTVwYjN3ME1ERmlNVEU0TUdRMFltTXhNV1ZsT1RnME1HWmtZMkV4WldReE56STNPWHctWkxIOG83YTM4U0NaZ3BCeVVJTXV0ZkxzTlpmWGRRSTNUX21DUFh5WHFLZGNCYWNBZmxpdUl0UHhmaE5IYmUyTWJRUnpKQ3Y4WEpCSVdBZVpvd3lSX1F-Z29vZ2xl",
    "rpId": "authress.io",
    "origin": "https://login.authress.io",
    "factor": "either",
    "publicKey": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEReu3J7NmGpW930G7B4Au6uU+D0TA\n9x/EpArFOZEF79u0tngM7ZvZQrpPHsuRIlVv+kfY8TccmejyvJ/cBwNUoQ==\n-----END PUBLIC KEY-----\n",
    "prevCounter": 1,
    "userHandle": "google-oauth2|109357119042447700062"
}

I'm using a Pixel 8. Is it the source of the problem? It would seem really suspicious if it were, since these same hardware devices (YubiKeys through the Pixel) work fine. Is it possible there is some other weird flow that is causing a problem?

wparad commented 4 months ago

Okay, the issue here was that in some cases Android might encode things in an inconsistent way regarding the clientDataJSON object, but this had to be resolved before passing the data into the library. That means the caller has to be extra careful not to muck with the inputs into this library.