Git Product home page Git Product logo

google / virtual-authenticators-tab Goto Github PK

View Code? Open in Web Editor NEW
179.0 12.0 28.0 279 KB

Debug webauthn with a chrome extension that adds a virtual authenticators tab to devtools

Home Page: https://chrome.google.com/webstore/detail/virtual-authenticators-ta/gafbpmlmeiikmhkhiapjlfjgdioafmja

License: Apache License 2.0

Shell 4.41% HTML 6.99% JavaScript 75.85% CSS 12.75%
chrome extension web webauthn devtools

virtual-authenticators-tab's Introduction

Virtual Authenticators Tab

Deprecated

This extension has been deprecated in favour of the Chrome Devtools WebAuthn tab, which provides more functionality, is included with chrome, and is more polished. This repository is no longer maintained.

virtual authenticators tab icon

Introduction

A Google Chrome extension for developers that adds a virtual authenticators tab to devtools, allowing you to debug and try WebAuthn without physical security keys.

This extension will work best on Chrome 80 onwards, but you can still try it on 78 and 79.

Download

The extension is available at the chrome web store

Development

To try the extension locally,

  1. Install the dependencies
npm install
  1. Generate the main module
npm run dev
  1. Load the extension as an unpacked extension

Building for release

npm run build

Will produce a zip file suitable for upload to the chrome web store.

Authors

Alexander Bradt [email protected]

Nina Satragno [email protected]

Disclaimer

This is not an officially supported Google product

virtual-authenticators-tab's People

Contributors

dependabot[bot] avatar gramthanos avatar nsatragno avatar

Stargazers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

Watchers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

virtual-authenticators-tab's Issues

Request: Option to export and import credentials.

The reason is very simple, today I use it to authenticate, but I have to format my computer so I'll lose all my keys or I'll have to save it by hand. D:

The idea is to put a way to export and import the keys, to maintain security it would be good to have some kind of password encryption for this exported file and when it is re-imported you have to enter the same password, plus an option to export without password.

Maybe you can also use google's own API with the storage.sync function to sync them across the user's other devices.
https://developer.chrome.com/docs/extensions/reference/storage/

// Save
chrome.storage.sync.set({ name: 'Vinícius' }, function() {
  console.log('Name saved');
});

// Later on...
chrome.storage.sync.get('name', function(r) {
  console.log('Name retrieved: ' + r['name']);
});

Support EdDSA in pubKeyCredParams

Hello. I'm trying to create some credentials using the following code (please ignore the domain):

        const options = {
          rp: {
              name: "Example CORP",
              id: "xxx.com",
              icon: "https://xxx.com/login.ico"
          },
          challenge: new Uint8Array(26), 
          user: {
              id: new Uint8Array(16),
              name: "[email protected]",
              displayName: "John P. Smith",
          },
          pubKeyCredParams: [{
              type: "public-key",
              alg: -7,
          }],
          timeout: 1000,
          attestation: "none",
          extensions: {
            uvm: true,
            exts: true
          },
          authenticatorSelection:{
            authenticatorAttachment: "cross-platform",
            requireResidentKey: true,
            userVerification: "preferred"
          }
      }
      return navigator.credentials.create({  "publicKey": options })

Success. However, after changing alg to -8, it shows a timeout error (or just hangs if timeout is long enough).
So, can you please add -8 (EdDSA) to the list of supported algorithms? From webauthn spec:

User agents MUST be able to return a non-null value for getPublicKey() when the credential public key has a COSEAlgorithmIdentifier value of:

-7 (ES256), where kty is 2 (with uncompressed points) and crv is 1 (P-256).

-257 (RS256).

-8 (EdDSA), where crv is 6 (Ed25519).

Manually key selection and activating

I'm trying to debug the credential creating process with this extension and there is an issue.

For instance, assume I created a virtual authenticator key1, created a credential, and registered it to the server. If I then go to creating another authenticator key2, I will not be able to create a credential for key2 if I wish to keep both key1 and key2 since now the extension will automatically activate both keys, and the key1 in the excludeCredentials will crash the creating process.

I'm hoping if you can support for selecting and activating key manually so that I can explicitly choose to activate key2 in the scenario.

Thanks!

chromium crashes when trying to use the EdDSA key

steps to reproduce:

  • Chromium 85.0.4183.83 Arch Linux, this extension is installed from the chrome web store
  • open https://webauthn.io (its sources are available here)
  • create a virtual authenticator with default parameters
  • force the website to use the EdDSA key. To do this, set the breakpoint before navigator.credentials.create call in this line, press the Register button in the website interface, then, after reaching the breakpoint, run
makeCredentialOptions.publicKey.pubKeyCredParams = [makeCredentialOptions.publicKey.pubKeyCredParams[9]]

and resume execution

  • extension shows that the credential is successfully created
  • press the Login button. Chromium crashes with message
'chromium' terminated by signal SIGTRAP (Trace or breakpoint trap)

:((

Expired Certificate

Hi,

When testing this in Chrome 83.0.4103.61 (Ubuntu 20.04), I get an error from Fido.NET saying the certificate is invalid, looking into this further it does appear to be expired in 2017.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Chromium, OU = Authenticator Attestation, CN = Batch Certificate
        Validity
            Not Before: Jul 14 02:40:00 2017 GMT
            Not After : Jul 14 02:40:00 2017 GMT
        Subject: C = US, O = Chromium, OU = Authenticator Attestation, CN = Batch Certificate
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:8d:61:7e:65:c9:50:8e:64:bc:c5:67:3a:c8:2a:
                    67:99:da:3c:14:46:68:2c:25:8c:46:3f:ff:df:58:
                    df:d2:fa:3e:6c:37:8b:53:d7:95:c4:a4:df:fb:41:
                    99:ed:d7:86:2f:23:ab:af:02:03:b4:b8:91:1b:a0:
                    56:99:94:e1:01
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            1.3.6.1.4.1.45724.2.1.1: 
                ... 
    Signature Algorithm: sha256WithRSAEncryption
         30:45:02:21:00:95:8c:4e:49:0f:4c:ff:18:ec:97:8a:07:4c:
         a0:d3:5e:78:81:69:e6:b7:69:c7:6f:32:bd:df:e7:ab:6e:6b:
         6b:02:20:1c:3a:4a:f3:d4:06:16:b0:67:1b:89:9b:4b:a7:c0:
         53:e0:81:9e:49:12:df:b3:33:0b:04:77:40:84:04:58:0d
-----BEGIN CERTIFICATE-----
MIIBzDCCAW+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGDAJVUzER
MA8GA1UECgwIQ2hyb21pdW0xIjAgBgNVBAsMGUF1dGhlbnRpY2F0b3IgQXR0ZXN0
YXRpb24xGjAYBgNVBAMMEUJhdGNoIENlcnRpZmljYXRlMB4XDTE3MDcxNDAyNDAw
MFoXDTE3MDcxNDAyNDAwMFowYDELMAkGA1UEBgwCVVMxETAPBgNVBAoMCENocm9t
aXVtMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMRowGAYDVQQD
DBFCYXRjaCBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI1h
fmXJUI5kvMVnOsgqZ5naPBRGaCwljEY//99Y39L6Pmw3i1PXlcSk3/tBme3Xhi8j
q68CA7S4kRugVpmU4QGjFzAVMBMGCysGAQQBguUcAgEBBAQDAgUgMA0GCSqGSIb3
DQEBCwUAA0gAMEUCIQCVjE5JD0z/GOyXigdMoNNeeIFp5rdpx28yvd/nq25rawIg
HDpK89QGFrBnG4mbS6fAU+CBnkkS37MzCwR3QIQEWA0=
-----END CERTIFICATE-----

Have you ever seen this error before?

Regards,
Kieran

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.