web-auth / webauthn-framework Goto Github PK
View Code? Open in Web Editor NEWFIDO-U2F / FIDO2 / Webauthn Framework
License: MIT License
FIDO-U2F / FIDO2 / Webauthn Framework
License: MIT License
Q | A |
---|---|
Bug report? | no |
Feature request? | yes |
BC Break report? | no |
RFC? / Specification | https://www.w3.org/TR/webauthn/#android-safetynet-attestation |
Version | 1.x |
Add Android SafetyNet Attestation support.
Describe the bug
It is no possible to use Windows 10 as authenticator. When CBOR public key is loaded, an exception is thrown:
InvalidArgumentException : Out of range. Expected: 598, read: 261.
To Reproduce
Steps to reproduce the behavior:
Desktop/Smartphone (please complete the following information):
Additional context
Example of public key (base64 encoded): pAEDAzkBACBZAla/lVRaOlEYG+nbNrCJfYkoL1ZIO9XGUt+o2pTURix03qI2DXoUUX/QQeS3u0nP3CTALcLHm9gXJuVTDtQXmbypLnv05wZGO9voweP4xAW44oKijAExj9WO4X5NPXh14oy5a1KFPYwJpvWC1+eS4YCURy7YIBK8DC1sQ8pnYmRqi5ZZoneEM5hNdZiAKC0zkOqqc30lRmNeuCYB9ALzZJiHpkBX4xDazhEbaM/928S3bfmgVIiSvckSqFK1C8n4IWaNWTrugW2h9whJrHjgLKcJ3Yuvz2KdZTUHQnBIHWjK4s+rkcJC5KYV53+mIaNV8WAJs3S0JcmQAa5+QNcTcnjFIUMBAAE=
Result during decoding:
Map(4)
Unsigned Integer(1) //Key type
Unsigned Integer(3) // RSA
Unsigned Integer(3) // Alg
Signed Integer(-257) // RS256
Signed Integer(-1) // RSA modulus n
Byte string(598)
//Fails here when trying to read the 598 bytes
The decoding fails using other tools (e.g. http://cbor.me/) with the same error (Out of bytes to decode (need at least 337 bytes more)
). It looks like the error comes from the encoding of the byte string length and not from spomky-labs/cbor-php
.
The length is 0x256
i.e. 598. When replaced with 0x100
(256), the decoding works fine.
At the moment, the public key credential is just a binary string.
It could be easier for implementers to get a dedicated object that represent that key.
This object could be of type RsaKey
/EcKey
implementing an interface (e.g. PublicKeyCredential
).
Is your feature request related to a problem? Please describe.
See Token Binding feature:
The framework proposes several strategies:
Webauthn\TokenBinding\IgnoreTokenBindingHandler
Webauthn\TokenBinding\TokenBindingNotSupportedHandler
Webauthn\TokenBinding\SecTokenBindingHandler
(not tested)Describe the solution you'd like
The library should propose a class to fully support this feature
Describe alternatives you've considered
N/A
Additional context
Is your feature request related to a problem? Please describe.
As per the specification section 5.5, the allowCredentials
parameter can be set to none (default).
The user identification in the specification is different from what is done in the library:
Describe the solution you'd like
allowCredentials
to be set to none
.Describe alternatives you've considered
--none--
Is your feature request related to a problem? Please describe.
The method createFromJson()
by its name would seem to indicate that you pass JSON to it, but in actuality you need to pass an array.
Describe the solution you'd like
Either allow method to consume either array or JSON string, or only string
I have an issue concerning register challenge.
When I use this challenge, I have an error "rpId mismatch" (check registration)
{"rp":{"name":"xxxxx"},"pubKeyCredParams":[{"type":"public-key","alg":-7}],"challenge":"XXXXXXXXXXXXX","attestation":"direct","user":{"name":"name","id":"XXXXXXID=","displayName":"XXXX XXXX"},"authenticatorSelection":{"requireResidentKey":false,"userVerification":"preferred"},"extensions":{"loc":true},"timeout":20000}
When I use this challenge with rpId, I have a DOMException during navigator.credentials.create(publicKey).
{"rp":{"name":"xxxxx","id":"xxxxx.net"},"pubKeyCredParams":[{"type":"public-key","alg":-7}],"challenge":"XXXXXXXXXXXXX","attestation":"direct","user":{"name":"name","id":"XXXXXXID=","displayName":"XXXX XXXX"},"authenticatorSelection":{"requireResidentKey":false,"userVerification":"preferred"},"extensions":{"loc":true},"timeout":20000}
Have you an idea ?
Desktop/Smartphone (please complete the following information):
Is your feature request related to a problem? Please describe.
At the moment, the firewall triggers an error when a username does not exist. This could be used by an attacker to find usernames and associated key descriptors.
Describe the solution you'd like
No error should be triggered if the username does not exist.
A list of fake key descriptors should be generated. This list should be always the same for a given username.
Describe the bug
When I add SimpleMetadataStatementRepository
to the server and the browser requests the security key data, it fails with
Invalid certificate or certificate chain. Error is: C = SE, O = Yubico AB, OU = Authenticator Attestation, CN = Yubico U2F EE Serial 61730834 error 20 at 0 depth lookup: unable to get local issuer certificate
If I do not provide a MDS Repository, the key registers correctly.
$metadataRepo = new SimpleMetadataStatementRepository(new FilesystemAdapter('__test__));
return new Server($rpEntity, $repo, $metadataRepo);
Manually executing the validation via openssl verify
also does not work:
openssl verify -verbose /tmp/webauthn-leaf-1sYuxD
error /tmp/webauthn-leaf-1sYuxD: verification failed
C = SE, O = Yubico AB, OU = Authenticator Attestation, CN = Yubico U2F EE Serial 61730834
error 20 at 0 depth lookup: unable to get local issuer certificate
EDIT: I should point out that openssl verify -verbose /tmp/webauthn-leaf-1sYuxD
is literally the full extent of the command that is being passed to Symfony's Process
class. There is no webauthn-untrusted-
or webauthn-ca-
file.
cat
'ing the file shows
-----BEGIN CERTIFICATE-----
<the key>
-----END CERTIFICATE-----
Expected behavior
I expect to not receive that error.
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
Additional context
I'm running the web server in a Docker container using FROM php:7.3.9-apache-stretch
. I have checked /etc/ssl/certs
and it contains a bunch of certificates. I have also tried to manually download the curl.haxx.se
PEM file and set that as -CAfile
when testing the openssl verify
command but that also does not work.
Is your feature request related to a problem? Please describe.
PublicKeyCredentialLoader->load($data)
accepts only JSON encoded string which prevents me using different serialization formats (eg. XML) or in case JSON was already decoded earlier.
Describe the solution you'd like
PublicKeyCredentialLoader->load($data)
to support already decoded PHP array
object so it's independent of serialization format.
Describe alternatives you've considered
Alternative is extending PublicKeyCredentialLoader
and reimplement it myself which isn't nice.
Is your feature request related to a problem? Please describe.
At the moment, the list of suitable transport methods (usb, nfc...) is always an empty list.
Describe the solution you'd like
The Metadata Statement may contain the supported methods. This information should be used to populate the list.
I noticed a curious quirk that PublicKeyCredentialUserEntity
will base64 encode/decode $id
on JSON serialization. Since the roundtrip works, nothing it broken per se, but I was curious as to the decision to do any encoding that parameter.
User entities are most likely coming from a datastore of some sort, so having a non JSON-safe $id would be rather rare would it not?
Is your feature request related to a problem? Please describe.
It could be interesting to associate the Attestation Metadata to the attestation object returned after the attestation ceremony (registration of the authenticator).
Describe the solution you'd like
The Attestation Metdata is already retrieved by the attestation statement supports (except none). This should be easy to move all of the logic to the attestation loader and check it in the attestation response validator.
This will deprecate the use of the attestation metadata repository in the attestation statement supports.
Describe alternatives you've considered
-NONE-
Additional context
Closes #77 as more or less similar
Describe the bug
Because of the CBOR Decoder dependency, the framework requires the extensions GMP and BCMath.
These 2 extensions are not necessarily available on plateforms.
Expected behavior
It should be possible to install the framework on a plateform without these extensions.
Looking through your library and noticed that you require a specific implementation for $request - a Symfony\Component\HttpFoundation\Request
object - when doing FIDO2 client credential checking. Yet that object is not actually utilized in anything using TokenBindingInterface
. Is this for future development?
I have an application that already has a PSR-7 ServerRequestInterface
object (I'm using Zend Expressive middleware) and was wondering why you are asking for a Symfony-specific request object and not a PSR-7 object - especially since it's not really used anyways.
I've tried to implement solution, written in examples of two steps.
Actually, everything works great except the one step, the last and main :)
To Reproduce
I create my own CredentialRepository class with such method:
public function findOneByCredentialId(string $publicKeyCredentialId): ?PublicKeyCredentialSource
{
$user = MongoUser::getByFieldValue(
'webauthn_pkc_source.publicKeyCredentialId',
Base64Url::encode($publicKeyCredentialId)
);
if ($user !== null) {
$credentials = $user->webauthn_pkc_source;
$res = PublicKeyCredentialSource::createFromArray($credentials);
}
return $res;
}
So, my created Public Key Credential Source object writes to users account in MongoDB and finds from DB in this method, if finded - returns as PublicKeyCredentialSource object.
In credentials validation procedure I run method check():
// Check the response against the attestation request
$authenticatorAssertionResponseValidator->check(
$publicKeyCredential->getRawId(),
$publicKeyCredential->getResponse(),
$publicKeyCredentialRequestOptions,
$psr7Request,
null // User handle
);
and in returns an error of step 7.2.16 of checkings, $this->algorithmManager
is null
Expected behavior
Of course, I've expected that check() returns true and authentication completes.
Desktop/Smartphone (please complete the following information):
Additional context
I suppose that, may by, I send to check procedure the wrong saved object. I save this object with credential info on second step of making credentials, actually:
// You can get the Public Key Credential Source. This object should be persisted using the Public Key Credential Source repository
$publicKeyCredentialSource = \Webauthn\PublicKeyCredentialSource::createFromPublicKeyCredential(
$publicKeyCredential,
$publicKeyCredentialCreationOptions->getUser()->getId()
);
MongoUser::update(
(int)$publicKeyCredentialCreationOptions->getUser()->getId(),
array_merge(
['webauthn_pkc_source' => json_decode(json_encode($publicKeyCredentialSource), true)]
)
);
Is your feature request related to a problem? Please describe.
At the moment, the library supports the following attestation types:
The ECDAA type is not yet supported and the attestation statement formats Packed and TPM may be rejected even if valid.
Describe the solution you'd like
This issue is a reminder for the implementation of this attestation type and allow to close #5 and #4.
Describe alternatives you've considered
Additional context
This attestation type is subject to security considerations.
It should also be note that, at the time of writing (17 January 2019), the status of the Webauthn specification is "Proposed Recommendation"
Describe the bug
The documentation examples for web-auth/webauthn-lib miss a couple of things and are wrong in some areas.
In the process of implementing WebAuthn for EGroupware I created a self-contained example app:
https://github.com/ralfbecker/webauthn
I'm happy to contribute it to this project, to save everyone finding and fixing the problems themself.
Here is a list of the problems I run into:
to transfer the $publicKeyCredentialCreationOptions from registration or $publicKeyCredentialCreationOptions from login to JavaScript/Browser you use json-encode, which serializes some attributes of the object as base64url and then use window.btoa to decode it again. base64url is not base64 and every couple of requests you get an error trying to decode it. I added a base64url2base64 method to your example code:
https://github.com/ralfbecker/webauthn/blob/master/register.php#L84
Storing the state ($publicKeyCredentialCreationOptions or $publicKeyCredentialCreationOptions objects) in the session is missing
No Example for the PublicKeyCredentialsRepo, I added one: https://github.com/ralfbecker/webauthn/blob/master/src/PubkeyCredentialsRepo.php
There were a couple more small things and typos I fixed to get a working example.
According to https://www.w3.org/TR/webauthn/#conforming-authenticators-u2f u2f token return no userHandle, but the $authenticatorAssertionResponseValidator->check() method requires it. I temporarily worked around it in the example code, as my Yubico Security Key - U2F and Fido2, did not return the userHandle (neither with Chrome nor Firefox): https://github.com/ralfbecker/webauthn/blob/master/login_response.php#L98
Maybe this needs an option to allow this in the check ...
Ralf
Is your feature request related to a problem? Please describe.
See https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html#transport-binding-profile
Is your feature request related to a problem? Please describe.
I would like to be able to view and verify the AAGUID (when applicable) of an authenticator. The AAGUID is created by the authenticator manufacturer in UUIDv4 format:
^[0-9A-F]{8}-[0-9A-F]{4}-4[0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i
It's stored in the certificate in CBOR (Major Type 3) format. I've tried to use your decoder, but I can't seem to get the right info out.
$aaguidStream = new StringStream($response->getAttestationObject()->getAuthData()->getAttestedCredentialData()->getAaguid());
$aaguidDecoded = $decoder->decode($aaguidStream);
$aaguid = bin2hex($aaguid->getNormalizedData());
While this obviously doesn't insert the hyphens, but it doesn't create a hex string long enough to be valid even with hyphens.
Is your feature request related to a problem? Please describe.
As explained in the specification, the e-mail addresses should not be used as usernames.
Describe the solution you'd like
A a section in the doc about all security means that can be implemented.
Should be linked to #37
Q | A |
---|---|
Bug report? | no |
Feature request? | yes |
BC Break report? | no |
RFC? / Specification | https://www.w3.org/TR/webauthn/#tpm-attestation |
Version | x.y(.z) |
Add TPM Attestation format support.
Is your feature request related to a problem? Please describe.
The RFC8610 describes a schema format for acceptable CBOR data.
Describe the solution you'd like
A validator could be added to the CBOR library. This validator will be used to check if the parsed data is compliant with a given data structure
Is your feature request related to a problem? Please describe.
The CredentialRepository
has several methods that could be simplified:
public function has(string $credentialId): bool;
public function get(string $credentialId): AttestedCredentialData;
public function getUserHandleFor(string $credentialId): string;
public function getCounterFor(string $credentialId): int;
public function updateCounterFor(string $credentialId, int $newCounter): void;
The Webauthn specification has a Public Key Credential Source
where the information is stored.
It could be useful to have something similar on application side.
Describe the solution you'd like
A Credential
object could be added with the following method:
The CredentialRepository
would return only Credential
objects and simplified: getUserHandleFor
, getCounterFor
and updateCounterFor
could be removed in favor of public function save(Credential $credential): void;
.
The nice side effect is that you will query the repository only once instead of three times with current configuration. This will be limit the DB overhead.
Is your feature request related to a problem? Please describe.
This framework contains lot of classes and it may be hard for newcomers to clearly understand what to do.
The documentation is quite complicated.
Describe the solution you'd like
This framework should provide helper classes to ease the integration for basic features.
The default configuration should only ask for the minimal mandotory information.
Describe alternatives you've considered
Additional context
Add any other context or screenshots about the feature request here.
Thanks for the great library. It is very useful for classic websites. However for SPAs with REST api, this lib. is not ideal. It requires PHP session for storing assertion during login. See check in Security/Firewall/WebauthnListener.
Ideally this should be abstracted into some kind of common storage system that developer can customize and configure.
Hey guys. Amazing project. Seems that you are already have implemented everything. Have you thought on passing FIDO conformance tests? https://fidoalliance.org/certification/functional-certification/conformance/
If you do, please let me know and I will mark your project as FIDO Compliant in https://github.com/herrjemand/awesome-webauthn
Is your feature request related to a problem? Please describe.
The MDS repository does not have any cache support and only rely on an hypothetical cache mechanism on the http client side.
Describe the solution you'd like
Add an optional PSR cache parameter to the repository
Describe alternatives you've considered
Additional context
Hi,
PublicKeyCredentialSource
does not "fully" serialize correctly; this has already shortly been mentioned here: #57 (comment)
Here's an example to show the problem:
$json0 ='{"publicKeyCredentialId":"5ZYF8upZZUFfw3ot0gkKOqcdIcSlem2P_oOcVrk_fVAhr6SqYFdG5TprFl336gjG-i5fefSsP8S5YFKI9Jee8A","type":"public-key","transports":[],"attestationType":"none","trustPath":{"type":"empty"},"aaguid":"AAAAAAAAAAAAAAAAAAAAAA","credentialPublicKey":"pQECAyYgASFYIHt5_B-asO10TT0pl5RDfljYMoEU_hSXAjxrnup_eX-uIlgg3AuFH37_CH6ntpD61_D8LqUBJ5bVY4vNPml0ZbtTeg4","userHandle":"YW5vdGhlci11bmlxdWUtaWQ","counter":0}';
// ok
$source1 = PublicKeyCredentialSource::createFromArray(json_decode($json0, true));
// workaround:
$source2 = PublicKeyCredentialSource::createFromArray(json_decode(json_encode($source1), true));
// that's how it supposedly should work, but doesn't
$source3 = PublicKeyCredentialSource::createFromArray($source1->jsonSerialize());
It seems like this can easily be fixed by pulling JsonSerializable
from AbstractTrustPath
to TrustPath
, and fixing
to be:
'trustPath' => $this->trustPath->jsonSerialize(),
... but I'm not sure if this would be the preferred solution.
Is your feature request related to a problem? Please describe.
At the moment, if the authenticator counter is equal or lower than the one stored in the DB, the assertion is rejected.
This is useful to prevent clones. But in some cases it will reject legit assertions.
Example:
The cloned authenticator can be used for any subsequent authentications when the original one is now useless.
Describe the solution you'd like
The library should provide a way to allow applications to be warned or to decide to disable the authenticator.
Describe alternatives you've considered
In certain circumstances, the application may decide to continue the authentication process.
Additional context
Lines to be updated: https://github.com/web-auth/webauthn-framework/blob/master/src/webauthn/src/AuthenticatorAssertionResponseValidator.php#L165-L172
Q | A |
---|---|
Bug report? | no |
Feature request? | yes |
BC Break report? | no |
RFC? / Specification | https://www.w3.org/TR/webauthn/#packed-attestation |
Version | 1.x |
Add support for packed
attestionation format.
Is your feature request related to a problem? Please describe.
Android Safety Net statement support requires a http client to verify the Response against Google servers.
The library should be able to first check the signature of the response and, if a client is available, confirm the validity of the response through a dedicated request
Describe the solution you'd like
Describe alternatives you've considered
Additional context
Is your feature request related to a problem? Please describe.
Currently there are many parameters for __construct()
that could be obtained from PublicKeyCredential
.
Describe the solution you'd like
Add a method to PublicKeyCredential
for creation of PublicKeyCredentialSource
Describe alternatives you've considered
Have __construct
ingest PublicKeyCredential
for many of its parameters.
Additional context
Currently I'm doing something along the lines of:
$publicKeyCredential = $publicKeyCredentialLoader->load(json_encode($data));
$publicKeyCredentialDescriptor = $publicKeyCredential->getPublicKeyCredentialDescriptor();
$response = $publicKeyCredential->getResponse();
$pkCredentialSource = new PublicKeyCredentialSource(
$publicKeyCredentialDescriptor->getId(),
$publicKeyCredentialDescriptor->getType(),
$publicKeyCredentialDescriptor->getTransports(),
$response->getAttestationObject()->getAttStmt()->getType(),
$response->getAttestationObject()->getAttStmt()->getTrustPath(),
$response->getAttestationObject()->getAuthData()->getAttestedCredentialData()->getAaguid(),
$response->getAttestationObject()->getAuthData()->getAttestedCredentialData()->getCredentialPublicKey(),
$this->getLoggedInUser($request)->_id->__toString(),
0
);
As you can see, all but the last two parameters could be obtained internally by passing an attested PublicKeyCredential
, user ID, and counter (that should be optional and default to 0)
Just a small typo in your docs. The specification talks about a Relying Party, but you have Relaying Party. It makes a difference in understanding the workflow. Google Translate seems to have an issue with these words. C'est la diffΓ©rence entre "la partie se fiant" (relying party) et "la partie relais" (relaying party).
And yes, I seem to be using quite a few of your projects!
Is your feature request related to a problem? Please describe.
If one want to integrate the bundle in a Symfony project, the script and the data have to be integrated in the twig template.
This step can be difficult and not really easy for newcomers.
Describe the solution you'd like
It could be simple to provide twig helpers to ease the integration.
This could be acheived through a form widget with an associated script.
The form to display could be very simple
Describe alternatives you've considered
If the form is not easy/simple, twig helpers can be provided
Additional context
-NONE-
Is your feature request related to a problem? Please describe.
See https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-metadata-service-v2.0-rd-20180702.html
This feature should implement a command or service that will perform http calls to the metadata service, retrieve and store the last dataset for all registered authenticators.
As the data from the MDS should not evolved often, the data should stay in a cache or a persistent storage to avoid unnecessary calls.
Is your feature request related to a problem? Please describe.
The documentation says a Credential class and associated repository have to be created.
Describe the solution you'd like
The bundle should provide an abstract class for both components and the doctrine mapping.
Describe alternatives you've considered
Additional context
The use in application will become very easy: the repository could be used as default one and the Credential class will only need to implement the getId() method.
Is your feature request related to a problem? Please describe.
At the moment ther are 3 bundles. 2 of them are firewalls.
The symfony-security-bundle
is now useless as the responses from symfony-json-security-bundle
can be altered.
Additionally, symfony-json-security-bundle
could be merged with the main bundle for a better consistency and DX/UX.
Describe the solution you'd like
symfony-security-bundle
as deprecated in v1.xsymfony-json-security-bundle
as deprecated in v1.xsymfony-json-security-bundle
into the main bundle in v2.0Geting The certificate in the attestation statement is not valid.
When using Yubi Security Key Series (https://www.yubico.com/products/security-key/)
with PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT
In FidoU2FAttestationStatementSupport::checkCertificate
function openssl_pkey_get_details
returns
array(3) {
["bits"]=>
int(256)
["key"]=>
string(178) "-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElV3zrfckfTF17/2cxPMaToeOuuGB
CVZhUPs4iy5fZSe/V0CapYGlDQrFLxhEXAoTVIoTU8ik5ZpwTlI7wE3r7Q==
-----END PUBLIC KEY-----"
["type"]=>
int(3)
}
The certificate itself
-----BEGIN CERTIFICATE-----
MIICvjCCAaagAwIBAgIEdIb9wjANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZ
dWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAw
MDBaGA8yMDUwMDkwNDAwMDAwMFowbzELMAkGA1UEBhMCU0UxEjAQBgNVBAoMCVl1
YmljbyBBQjEiMCAGA1UECwwZQXV0aGVudGljYXRvciBBdHRlc3RhdGlvbjEoMCYG
A1UEAwwfWXViaWNvIFUyRiBFRSBTZXJpYWwgMTk1NTAwMzg0MjBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABJVd8633JH0xde/9nMTzGk6HjrrhgQlWYVD7OIsuX2Un
v1dAmqWBpQ0KxS8YRFwKE1SKE1PIpOWacE5SO8BN6+2jbDBqMCIGCSsGAQQBgsQK
AgQVMS4zLjYuMS40LjEuNDE0ODIuMS4xMBMGCysGAQQBguUcAgEBBAQDAgUgMCEG
CysGAQQBguUcAQEEBBIEEPigEfOMCk0VgAYXER+e3H0wDAYDVR0TAQH/BAIwADAN
BgkqhkiG9w0BAQsFAAOCAQEAMVxIgOaaUn44Zom9af0KqG9J655OhUVBVW+q0As6
AIod3AH5bHb2aDYakeIyyBCnnGMHTJtuekbrHbXYXERIn4aKdkPSKlyGLsA/A+WE
i+OAfXrNVfjhrh7iE6xzq0sg4/vVJoywe4eAJx0fS+Dl3axzTTpYl71Nc7p/NX6i
CMmdik0pAuYJegBcTckE3AoYEg4K99AM/JaaKIblsbFh8+3LxnemeNf7UwOczaGG
vjS6UzGVI0Odf9lKcPIwYhuTxM5CaNMXTZQ7xq4/yTfC3kPWtE4hFT34UJJflZBi
LrxG4OsYxkHw/n5vKgmpspB3GfYuYTWhkDKiE8CYtyg87g==
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1955003842 (0x7486fdc2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Yubico U2F Root CA Serial 457200631
Validity
Not Before: Aug 1 00:00:00 2014 GMT
Not After : Sep 4 00:00:00 2050 GMT
Subject: C = SE, O = Yubico AB, OU = Authenticator Attestation, CN = Yubico U2F EE Serial 1955003842
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:95:5d:f3:ad:f7:24:7d:31:75:ef:fd:9c:c4:f3:
1a:4e:87:8e:ba:e1:81:09:56:61:50:fb:38:8b:2e:
5f:65:27:bf:57:40:9a:a5:81:a5:0d:0a:c5:2f:18:
44:5c:0a:13:54:8a:13:53:c8:a4:e5:9a:70:4e:52:
3b:c0:4d:eb:ed
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
1.3.6.1.4.1.41482.2:
1.3.6.1.4.1.41482.1.1
1.3.6.1.4.1.45724.2.1.1:
...
1.3.6.1.4.1.45724.1.1.4:
.......
M........}
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
31:5c:48:80:e6:9a:52:7e:38:66:89:bd:69:fd:0a:a8:6f:49:
eb:9e:4e:85:45:41:55:6f:aa:d0:0b:3a:00:8a:1d:dc:01:f9:
6c:76:f6:68:36:1a:91:e2:32:c8:10:a7:9c:63:07:4c:9b:6e:
7a:46:eb:1d:b5:d8:5c:44:48:9f:86:8a:76:43:d2:2a:5c:86:
2e:c0:3f:03:e5:84:8b:e3:80:7d:7a:cd:55:f8:e1:ae:1e:e2:
13:ac:73:ab:4b:20:e3:fb:d5:26:8c:b0:7b:87:80:27:1d:1f:
4b:e0:e5:dd:ac:73:4d:3a:58:97:bd:4d:73:ba:7f:35:7e:a2:
08:c9:9d:8a:4d:29:02:e6:09:7a:00:5c:4d:c9:04:dc:0a:18:
12:0e:0a:f7:d0:0c:fc:96:9a:28:86:e5:b1:b1:61:f3:ed:cb:
c6:77:a6:78:d7:fb:53:03:9c:cd:a1:86:be:34:ba:53:31:95:
23:43:9d:7f:d9:4a:70:f2:30:62:1b:93:c4:ce:42:68:d3:17:
4d:94:3b:c6:ae:3f:c9:37:c2:de:43:d6:b4:4e:21:15:3d:f8:
50:92:5f:95:90:62:2e:bc:46:e0:eb:18:c6:41:f0:fe:7e:6f:
2a:09:a9:b2:90:77:19:f6:2e:61:35:a1:90:32:a2:13:c0:98:
b7:28:3c:ee
I'm thinking maybe it's because of old OpenSSL version for PHP I'm using π€
Q | A |
---|---|
Bug report? | no |
Feature request? | yes |
BC Break report? | no |
RFC? / Specification | https://www.w3.org/TR/webauthn/#android-key-attestation |
Version | x.y(.z) |
Add Android Key Attestation support.
Hello!
I notice there is a .gitattributes file in this repo, which is great, but it doesn't seem to get included into sub repos such as webauthn-lib and cose-lib.
This means when they're installed via composer, the various root and dot files still exist in those repos, losing the benefits of the .gitattributes file
I don't know how your build processes work, as such, how code ends up in those "readonly" repos... But if you could include .gitattributes in the files that are copied/pushed across, that'd be really helpful
Thanks!
βββ web-auth
βββ cose-lib
βΒ Β βββ composer.json
βΒ Β βββ LICENSE
βΒ Β βββ phpunit.xml.dist
βΒ Β βββ README.md
βΒ Β βββ src
βΒ Β βΒ Β βββ Algorithm
βΒ Β βΒ Β βΒ Β βββ Algorithm.php
βΒ Β βΒ Β βΒ Β βββ Mac
βΒ Β βΒ Β βΒ Β βΒ Β βββ Hmac.php
βΒ Β βΒ Β βΒ Β βΒ Β βββ HS256.php
βΒ Β βΒ Β βΒ Β βΒ Β βββ HS256Truncated64.php
βΒ Β βΒ Β βΒ Β βΒ Β βββ HS384.php
βΒ Β βΒ Β βΒ Β βΒ Β βββ HS512.php
βΒ Β βΒ Β βΒ Β βΒ Β βββ Mac.php
βΒ Β βΒ Β βΒ Β βββ Manager.php
βΒ Β βΒ Β βΒ Β βββ Signature
βΒ Β βΒ Β βΒ Β βββ ECDSA
βΒ Β βΒ Β βΒ Β βΒ Β βββ ECDSA.php
βΒ Β βΒ Β βΒ Β βΒ Β βββ ES256.php
βΒ Β βΒ Β βΒ Β βΒ Β βββ ES384.php
βΒ Β βΒ Β βΒ Β βΒ Β βββ ES512.php
βΒ Β βΒ Β βΒ Β βββ EdDSA
βΒ Β βΒ Β βΒ Β βΒ Β βββ EdDSA.php
βΒ Β βΒ Β βΒ Β βββ RSA
βΒ Β βΒ Β βΒ Β βΒ Β βββ PS256.php
βΒ Β βΒ Β βΒ Β βΒ Β βββ PS384.php
βΒ Β βΒ Β βΒ Β βΒ Β βββ PS512.php
βΒ Β βΒ Β βΒ Β βΒ Β βββ PSSRSA.php
βΒ Β βΒ Β βΒ Β βΒ Β βββ RS1.php
βΒ Β βΒ Β βΒ Β βΒ Β βββ RS256.php
βΒ Β βΒ Β βΒ Β βΒ Β βββ RS384.php
βΒ Β βΒ Β βΒ Β βΒ Β βββ RS512.php
βΒ Β βΒ Β βΒ Β βΒ Β βββ RSA.php
βΒ Β βΒ Β βΒ Β βββ Signature.php
βΒ Β βΒ Β βββ Algorithms.php
βΒ Β βΒ Β βββ Key
βΒ Β βΒ Β βΒ Β βββ Ec2Key.php
βΒ Β βΒ Β βΒ Β βββ Key.php
βΒ Β βΒ Β βΒ Β βββ OkpKey.php
βΒ Β βΒ Β βΒ Β βββ RsaKey.php
βΒ Β βΒ Β βΒ Β βββ SymmetricKey.php
βΒ Β βΒ Β βββ Verifier.php
βΒ Β βββ tests
βΒ Β βββ unit
βΒ Β βββ Signature
βΒ Β βββ RSA15SignatureTest.php
βΒ Β βββ RSAPSSSignatureTest.php
βββ webauthn-lib
βββ composer.json
βββ LICENSE
βββ phpunit.xml.dist
βββ README.md
βββ src
βΒ Β βββ AttestationStatement
βΒ Β βΒ Β βββ AndroidKeyAttestationStatementSupport.php
βΒ Β βΒ Β βββ AndroidSafetyNetAttestationStatementSupport.php
βΒ Β βΒ Β βββ AttestationObjectLoader.php
βΒ Β βΒ Β βββ AttestationObject.php
βΒ Β βΒ Β βββ AttestationStatement.php
βΒ Β βΒ Β βββ AttestationStatementSupportManager.php
βΒ Β βΒ Β βββ AttestationStatementSupport.php
βΒ Β βΒ Β βββ FidoU2FAttestationStatementSupport.php
βΒ Β βΒ Β βββ NoneAttestationStatementSupport.php
βΒ Β βΒ Β βββ PackedAttestationStatementSupport.php
βΒ Β βΒ Β βββ TPMAttestationStatementSupport.php
βΒ Β βββ AttestedCredentialData.php
βΒ Β βββ AuthenticationExtensions
βΒ Β βΒ Β βββ AuthenticationExtension.php
βΒ Β βΒ Β βββ AuthenticationExtensionsClientInputs.php
βΒ Β βΒ Β βββ AuthenticationExtensionsClientOutputsLoader.php
βΒ Β βΒ Β βββ AuthenticationExtensionsClientOutputs.php
βΒ Β βΒ Β βββ ExtensionOutputCheckerHandler.php
βΒ Β βΒ Β βββ ExtensionOutputChecker.php
βΒ Β βΒ Β βββ ExtensionOutputError.php
βΒ Β βββ AuthenticatorAssertionResponse.php
βΒ Β βββ AuthenticatorAssertionResponseValidator.php
βΒ Β βββ AuthenticatorAttestationResponse.php
βΒ Β βββ AuthenticatorAttestationResponseValidator.php
βΒ Β βββ AuthenticatorData.php
βΒ Β βββ AuthenticatorResponse.php
βΒ Β βββ AuthenticatorSelectionCriteria.php
βΒ Β βββ CertificateToolbox.php
βΒ Β βββ CollectedClientData.php
βΒ Β βββ Credential.php
βΒ Β βββ PublicKeyCredentialCreationOptions.php
βΒ Β βββ PublicKeyCredentialDescriptorCollection.php
βΒ Β βββ PublicKeyCredentialDescriptor.php
βΒ Β βββ PublicKeyCredentialEntity.php
βΒ Β βββ PublicKeyCredentialLoader.php
βΒ Β βββ PublicKeyCredentialParameters.php
βΒ Β βββ PublicKeyCredential.php
βΒ Β βββ PublicKeyCredentialRequestOptions.php
βΒ Β βββ PublicKeyCredentialRpEntity.php
βΒ Β βββ PublicKeyCredentialSource.php
βΒ Β βββ PublicKeyCredentialSourceRepository.php
βΒ Β βββ PublicKeyCredentialUserEntity.php
βΒ Β βββ TokenBinding
βΒ Β βΒ Β βββ IgnoreTokenBindingHandler.php
βΒ Β βΒ Β βββ TokenBindingHandler.php
βΒ Β βΒ Β βββ TokenBindingNotSupportedHandler.php
βΒ Β βΒ Β βββ TokenBinding.php
βΒ Β βββ TrustPath
βΒ Β βββ CertificateTrustPath.php
βΒ Β βββ EcdaaKeyIdTrustPath.php
βΒ Β βββ EmptyTrustPath.php
βΒ Β βββ TrustPathLoader.php
βΒ Β βββ TrustPath.php
βββ tests
βββ certificates
βΒ Β βββ chain
βΒ Β βΒ Β βββ 1.crt
βΒ Β βΒ Β βββ 1.der
βΒ Β βΒ Β βββ 2.crt
βΒ Β βΒ Β βββ 2.der
βΒ Β βΒ Β βββ 3.crt
βΒ Β βΒ Β βββ 3.der
βΒ Β βΒ Β βββ 4.crt
βΒ Β βΒ Β βββ 4.der
βΒ Β βββ frank4dd-cacert.crt
βΒ Β βββ yubico.crt
βββ functional
βΒ Β βββ AbstractTestCase.php
βΒ Β βββ AndroidKeyAttestationStatementTest.php
βΒ Β βββ AndroidSafetyNetAttestationStatementTest.php
βΒ Β βββ AssertionTest.php
βΒ Β βββ AttestationStatementWithTokenBindingTest.php
βΒ Β βββ Fido2AttestationStatementTest.php
βΒ Β βββ NoneAttestationStatementTest.php
βΒ Β βββ PackedAttestationStatementTest.php
βΒ Β βββ SubDomainRelyingPartyTest.php
βΒ Β βββ TPMAttestationStatementTest.php
βΒ Β βββ W10Test.php
βββ unit
βββ AttestationStatement
βΒ Β βββ AndroidKeyAttestationStatementSupportTest.php
βΒ Β βββ AttestationObjectTest.php
βΒ Β βββ AttestationStatementSupportManagerTest.php
βΒ Β βββ AttestationStatementTest.php
βΒ Β βββ FidoU2FAttestationStatementSupportTest.php
βΒ Β βββ NoneAttestationStatementSupportTest.php
βββ AttestedCredentialDataTest.php
βββ AuthenticationExtensions
βΒ Β βββ AuthenticationExtensionsClientOutputsLoaderTest.php
βΒ Β βββ AuthenticationExtensionsClientTest.php
βββ AuthenticatorAssertionResponseTest.php
βββ AuthenticatorAttestationResponseTest.php
βββ AuthenticatorDataTest.php
βββ AuthenticatorSelectionCriteriaTest.php
βββ CertificateChainCheckerTest.php
βββ CollectedClientDataTest.php
βββ EntityTest.php
βββ PublicKeyCredentialCreationOptionsTest.php
βββ PublicKeyCredentialDescriptorTest.php
βββ PublicKeyCredentialParametersTest.php
βββ PublicKeyCredentialRequestOptionsTest.php
βββ TokenBindingTest.php
βββ TrustPath
βββ FooTrustPath.php
βββ NotAValidTrustPath.php
βββ TrustPathTest.php
Thanks for the updates to .gitattributes amongst your repositories (#71), much appreciated
It seems the addition of .github hasn't actually worked correctly, and we're still getting the .github folder in the different libraries
I'm guessing it's the lack of export-ignore
after the github lines, and I guess the same for the docs and tests lines too
reedy@ubuntu64-web-esxi:~/composer-test$ composer require web-auth/cose-lib v2.1.5
./composer.json has been created
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 3 installs, 0 updates, 0 removals
- Installing beberlei/assert (v3.2.3): Loading from cache
- Installing fgrosse/phpasn1 (v2.1.1): Loading from cache
- Installing web-auth/cose-lib (v2.1.5): Loading from cache
fgrosse/phpasn1 suggests installing php-curl (For loading OID information from the web if they have not bee defined statically)
Writing lock file
Generating autoload files
reedy@ubuntu64-web-esxi:~/composer-test$ ls -al vendor/web-auth/cose-lib/
total 32
drwxrwxr-x 5 reedy reedy 4096 Sep 3 13:11 .
drwxrwxr-x 3 reedy reedy 4096 Sep 3 13:11 ..
-rw-rw-r-- 1 reedy reedy 1116 Sep 2 21:01 composer.json
drwxrwxr-x 2 reedy reedy 4096 Sep 2 21:01 .github
-rw-rw-r-- 1 reedy reedy 1068 Sep 2 21:01 LICENSE
-rw-rw-r-- 1 reedy reedy 1130 Sep 2 21:01 README.md
drwxrwxr-x 4 reedy reedy 4096 Sep 2 21:01 src
drwxrwxr-x 3 reedy reedy 4096 Sep 2 21:01 tests
reedy@ubuntu64-web-esxi:~/composer-test$ ls -al vendor/web-auth/cose-lib/.github/
total 20
drwxrwxr-x 2 reedy reedy 4096 Sep 2 21:01 .
drwxrwxr-x 5 reedy reedy 4096 Sep 3 13:11 ..
-rw-rw-r-- 1 reedy reedy 224 Sep 2 21:01 CONTRIBUTING.md
-rw-rw-r-- 1 reedy reedy 25 Sep 2 21:01 FUNDING.yml
-rw-rw-r-- 1 reedy reedy 160 Sep 2 21:01 PULL_REQUEST_TEMPLATE.md
The library only supports EC signatures and may support RSA ones.
The algorithms supported by this library should be extensible and new algorithms should be easily added if needed.
Is your feature request related to a problem? Please describe.
It is not possible to login on a Symfony app with the provided firewall when the frontend is a SPA.
Describe the solution you'd like
The firewall should not only rely on forms
Is your feature request related to a problem? Please describe.
When residentKey=true
and userVerefication="required"
are set, the authenticators should be able to authenticate the users even if the allowedCredentials
list is empty.
Describe the solution you'd like
An option should be added to allow this use case.
When set, the username should not be asked to the user.
Describe alternatives you've considered
Additional context
Following on from #71... Can we get the tests directories added to the .gitattributes file too?
Thanks!
Describe the bug
The TPM Statemnt Support class cannot handle certificates/public keys if ECC, only RSA.
See https://github.com/web-auth/webauthn-framework/blob/v2.1/src/webauthn/src/AttestationStatement/TPMAttestationStatementSupport.php#L103
To Reproduce
Not easy to demonstrateβ¦
Expected behavior
ECC keys should be supported
Screenshots
N/A
Desktop (please complete the following information):
Smartphone (please complete the following information):
Additional context
fido-alliance/conformance-test-tools-resources#407
Describe the bug
web-authn/webauth-lib requires ramsey/uuid, but it is not required in composer.json
To Reproduce
Should be obvious.
Ralf
Our implementation of WebAuthn using webauthn-lib got broken after running composer update.
We pinpointed the issue to the update of https://github.com/web-auth/cose-lib from 2.0.3 to 2.1.
Problem occurs here https://github.com/web-auth/cose-lib, seems that our key retrurns signature of length 71, while expected is 64. (Using FIDO2 usb key)
Since the signature handling is done compeltely by the library, we are not sure how to deal with this issue.
Temporarely we worked around the issue by manually requiring 2.0.3 in main composer.json.
What are the recommendations for resolving this?
Thank you
A declarative, efficient, and flexible JavaScript library for building user interfaces.
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. πππ
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google β€οΈ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.