-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Attestation with full attestation from authenticator that does not support full attestation #149
Comments
Which browser and OS (and their builds) are you using? |
I used Chrome latest (114.0.5735.198) on Windows 11. |
What OS build? Also it's not entirely clear that a browser couldn't cause this strange behavior as some browsers do not have complete support for WebAuthn and forcibly use fido-u2f, however it's not exactly likely either and basically should not occur on Chrome (would still be interested if the behavior is the same on Edge but it's very likely the same). I'll try and replicate this and see what's going on after consulting the relevant specs.
The more I look at this the more unclear it becomes, I'll revisit this and see if the contributor who implemented MDS3 has some more information maybe.
|
@aseigler if you had some insight on this one it'd be a great help. |
Yes, I was going to try to take a look at this. Will report back with findings. |
Same error on
So I infer it's independent from Browser type and build. I tested on Windows 11 Enterprise And I remember this happened to me on older Windows 10 version, so it is authenticator-related, not OS build related. As the AAGUID it's the same and didn't changed. (08987058-cadc-4b81-b6e1-30de50dcbe96) Yes. It may be a problem on the BLOB, but may be a problem with the library as well... that's why I opened the issue to ask. If you need me to test any additional scenario, no problem! Thanks. |
Tested on Firefox Version 115.0 (64 bit) with Same error. The aaguid is the same (08987058-cadc-4b81-b6e1-30de50dcbe96) |
Also tested these scenarios Attestation: "indirect" Attestation "direct" Attestation "indirect" Attestation "direct" |
Tested this with old duo-labs/webauthn and it works. Seems this logic in particular got migrated from attestation_packed.go to attestation.go causing this issue. |
Yeah I'm fairly certain it's our issue, there is a chance it's an issue with the MDS3 blob as well; but I suspect that check is incomplete/incorrect. I had in mind interfacing that verification logic as well so maybe this is partially a whip crack to accomplishing that. We don't need further OS testing, the only situation this would theoretically not occur is when not using TPM backed Windows Hello. Likely Commit: 697bc4c I suspect this check is not required and we can just revert it partially to provide a temporary fix, however I'd like to figure out if a similar check would be beneficial before merging. |
That aaguid as well as |
I think we simply need to treat |
If you find anything specific that may explain this it might be helpful to link the spec or related docs in the code, if you don't find anything that's fine too. I was thinking similar being the proper solution. Do we know if |
I don't think basic_surrogate falls into this category. Here's a couple of links describing the different types. https://www.w3.org/TR/webauthn-2/#sctn-attestation-types |
Yeah gotcha. That kind of makes sense to me too. One strange thing I noticed when looking at this was there were no obvious MDS3 entries for Apple unless I am missing something. |
You're not missing anything. Apple doesn't have any FIDO certified products, they do not provide attestation and they have no AAGUID. They do have an AAGUID for Apple AppAttest but that is a different animal and still not in MDS. |
For purposes of determining if an authenticator has produced a full attestation when the MDS entry for the authenticator indicates cannot produce a full attestation, treat attca and basic_full both as full attestation types. Add test data with an authenticator aaguid that only has attca type. Make production metadata available for use in tests. Fixes #149
Version
0.8.2
Description
Doing an enrollment with a Windows Hello Authenticator device with "direct" attestation throws this error that happens at attestation.go:187.
This happens because the MetatadataStatement for Windows Hello Authenticator (aaguid 08987058-cadc-4b81-b6e1-30de50dcbe96) doesn't have "basic_full" in the attestationTypes array.
"attestationTypes": [
"attca"
]
Is this a correct behavior?
Reproduction
Enroll a device with:
AttestationType "direct"
AuthenticatorType "platform"
Authenticator: "Windows Hello Authenticator"
Expectations
The device should be enrolled succesfully.
Documentation
No response
The text was updated successfully, but these errors were encountered: