Problem when registering new users on Windows #214

Closed
lea-ger opened this issue Apr 1, 2022 · 7 comments
Assignees
Labels
ongoing investigation Trying to find what's wrong

Comments

@lea-ger

lea-ger commented Apr 1, 2022

Hi,

I am trying to use this package and always run into an issue when trying to register new users. This issue seems to only appear when using Windows Hello, as I've tested this on a colleague's MacBook and it worked there seamlessly. I first thought that this was an issue with my configuration but it appears that the same issue can be found on the demo page (see screenshot below).
The issue seems to be the attestationObject's credential length which is used in AttestationObjectLoader::109, the byte length read from the StringStream is way too large. I'm not too well versed on the inner workings of the package or the details of the inner workings of WebAuthn authentication, so I'm afraid this is all I can provide as help to find the reason for this issue. But it might be related to this issue.

Here is an extract of a stacktrace I'm getting:
[2022-04-01 18:12:37] local.ERROR: Out of range. Expected: 35079, read: 289. {"userId":1,"exception":"[object] (Assert\InvalidArgumentException(code: 37): Out of range. Expected: 35079, read: 289. at C:\Users\Leander\PhpstormProjects\brezel\api\vendor\beberlei\assert\lib\Assert\Assertion.php:2728)
[stacktrace]
#0 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\beberlei\assert\lib\Assert\Assertion.php(840): Assert\Assertion::createException('\xCCS\x84@3\x11P\x19\x7F\xE4\xB3\x90\x8FY\x90...', 'Out of range. E...', 37, NULL, Array)
#1 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\web-auth\webauthn-lib\src\StringStream.php(58): Assert\Assertion::length('\xCCS\x84@3\x11P\x19\x7F\xE4\xB3\x90\x8FY\x90...', 35079, 'Out of range. E...', NULL, '8bit')
#2 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\web-auth\webauthn-lib\src\AttestationStatement\AttestationObjectLoader.php(109): Webauthn\StringStream->read(35079)
#3 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\web-auth\webauthn-lib\src\PublicKeyCredentialLoader.php(139): Webauthn\AttestationStatement\AttestationObjectLoader->load('o2NmbXRkbm9uZWd...')
#4 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\web-auth\webauthn-lib\src\PublicKeyCredentialLoader.php(100): Webauthn\PublicKeyCredentialLoader->createResponse(Array)
#5 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\web-auth\webauthn-lib\src\PublicKeyCredentialLoader.php(120): Webauthn\PublicKeyCredentialLoader->loadArray(Array)
#6 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\web-auth\webauthn-lib\src\Server.php(256): Webauthn\PublicKeyCredentialLoader->load('{"id":"xYZ74Bvm...')
#7 C:\Users\Leander\PhpstormProjects\brezel\api\app\Http\Controllers\GeneralController.php(424): Webauthn\Server->loadAndCheckAttestationResponse('{"id":"xYZ74Bvm...', Object(Webauthn\PublicKeyCredentialCreationOptions), Object(Nyholm\Psr7\ServerRequest))
#8 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\laravel\framework\src\Illuminate\Routing\Controller.php(54): App\Http\Controllers\GeneralController->registerWebauthnResponse(Object(Illuminate\Http\Request), Object(App\System\System))
#9 C:\Users\Leander\PhpstormProjects\brezel\api\vendor\laravel\framework\src\Illuminate\Routing\ControllerDispatcher.php(45): Illuminate\Routing\Controller->callAction('registerWebauth...', Array)

To Reproduce
Go to https://webauthn.spomky-labs.com/register and try to register using Windows Hello.

[screenshot of the error on the demo page; image not available]

Desktop (please complete the following information):

  • Windows 11/10
@Spomky
Contributor

Spomky commented Apr 1, 2022

Hi @lea-ger,

I am sorry but I cannot reproduce the issue on my computer (Windows 11).
Could you please send me:

  • the attestation option (response body of POST /attestation/options)
  • the authenticator response (request body of POST /attestation/result)

Both are JSON objects

@Spomky Spomky self-assigned this Apr 1, 2022
@Spomky Spomky added the ongoing investigation Trying to find what's wrong label Apr 1, 2022
@Spomky Spomky added this to the Version 4.0 milestone Apr 1, 2022
@lea-ger
Author

lea-ger commented Apr 1, 2022

Hello @Spomky,

  • The attestation object:
{
   "rp":{
      "name":"Webauthn Demo",
      "id":"webauthn.spomky-labs.com"
   },
   "pubKeyCredParams":[
      {
         "type":"public-key",
         "alg":-8
      },
      {
         "type":"public-key",
         "alg":-7
      },
      {
         "type":"public-key",
         "alg":-46
      },
      {
         "type":"public-key",
         "alg":-35
      },
      {
         "type":"public-key",
         "alg":-36
      },
      {
         "type":"public-key",
         "alg":-257
      },
      {
         "type":"public-key",
         "alg":-258
      },
      {
         "type":"public-key",
         "alg":-259
      },
      {
         "type":"public-key",
         "alg":-37
      },
      {
         "type":"public-key",
         "alg":-38
      },
      {
         "type":"public-key",
         "alg":-39
      }
   ],
   "challenge":"Te4W2OWn8QCnXX9i8qA0OEMXIvpiea3OGUKw1drCxl8",
   "attestation":"none",
   "user":{
      "name":"Test1",
      "id":"MDFGWktQOEJBNDU2Mk1GWE5aSDM3N1ZOMEU",
      "displayName":"Test1"
   },
   "authenticatorSelection":{
      "requireResidentKey":false,
      "userVerification":"preferred"
   },
   "timeout":60000,
   "status":"ok",
   "errorMessage":""
}
  • The authenticator response:
{
   "id":"3pa7b5fE7ozHQCkYuKsR-e4ivCX1Y3O6VLYuw3nFzes",
   "type":"public-key",
   "rawId":"3pa7b5fE7ozHQCkYuKsR+e4ivCX1Y3O6VLYuw3nFzes=",
   "response":{
      "clientDataJSON":"eyJjaGFsbGVuZ2UiOiJUZTRXMk9XbjhRQ25YWDlpOHFBME9FTVhJdnBpZWEzT0dVS3cxZHJDeGw4IiwiY2xpZW50RXh0ZW5zaW9ucyI6e30sImhhc2hBbGdvcml0aG0iOiJTSEEtMjU2Iiwib3JpZ2luIjoiaHR0cHM6Ly93ZWJhdXRobi5zcG9ta3ktbGFicy5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0=",
      "attestationObject":"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"
   }
}

In this case, it resulted in this response:

{
   "status":"error",
   "errorMessage":"Out of range. Expected: 43793, read: 289."
}

@Spomky
Contributor

Spomky commented Apr 2, 2022

Many thanks.

The structure looks good, but the attested credential data returned by the authenticator has an invalid public key ID length (43793 bits is way too long)

The authenticator data (in hex, spaces added) is 9604ea82824e98a4ada14b4462d0d73a8ec469130da91b19307459229f74a359 45 00000000 000020de96bb6f97c4ee8cc7402918b8 ab11 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

  • 9604ea82824e98a4ada14b4462d0d73a8ec469130da91b19307459229f74a359 corresponds to the RP ID hash (sha-256 of "webauthn.spomky-labs.com") => OK
  • 45 (b01000101) corresponds to the flags.
    • The bit 7 indicates there is an attested credential data which is expected during the attestation ceremony => OK
    • The bits 2 and 0 indicate the user was present and verified => OK
  • 00000000 corresponds to the counter (0) which is normal for a first credential use => OK
  • 000020de96bb6f97c4ee8cc7402918b8 is the AAGUID. It is not listed in the Fido Alliance MDS server so I cannot tell who is the manufacturer (if anybody knows). It will be set to a null AAGUID later as no attestation is used here => OK
  • ab11 is supposed to be the length of the credential (unsigned 16bits big-endian), which corresponds to 43793 => NOT OK
  • The rest of the data is supposed to be a CBOR object with the public key, but the data is not valid => NOT OK

What is your authenticator manufacturer (computer brand/TPM chip)?
The authenticator with the AAGUID 000020de-96bb-6f97-c4ee-8cc7402918b8 seems to be the reason for failure, but I am not sure at all.

Could you please test with a roaming authenticator (USB/BLE interface) and Windows Hello?
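The field walk above (RP ID hash, flags, counter, AAGUID, 16-bit big-endian credential ID length, credential ID, CBOR public key) can be turned into a small parser that refuses attested credential data whose declared credential ID length overruns the buffer, which is the exact failure behind the "Out of range. Expected: 43793, read: 289." message. This is an added example, not code from the webauthn-lib project; the sample authenticator data is constructed here from the values quoted in the comment (flags 0x45, counter 0, the AAGUID and the 0xab11 length) and the CBOR public key is carried as raw bytes, not decoded.

```python
import hashlib
import struct
import uuid

RP_ID = "webauthn.spomky-labs.com"
# Flag bits defined by the WebAuthn spec (bit positions counted from 0).
FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80


def parse_authenticator_data(data: bytes) -> dict:
    """Split authenticator data into its fixed fields and, when the AT flag is set,
    the attested credential data. Raises ValueError when a length field overruns."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than the 37 fixed bytes")
    rp_id_hash, flags = data[:32], data[32]
    (counter,) = struct.unpack(">I", data[33:37])
    out = {"rp_id_hash": rp_id_hash, "flags": flags, "counter": counter,
           "user_present": bool(flags & FLAG_UP), "user_verified": bool(flags & FLAG_UV)}
    if not flags & FLAG_AT:
        return out
    if len(data) < 55:
        raise ValueError("attested credential data truncated before the credential ID length")
    out["aaguid"] = str(uuid.UUID(bytes=data[37:53]))
    (cred_len,) = struct.unpack(">H", data[53:55])  # unsigned 16-bit big-endian
    remaining = len(data) - 55
    if cred_len > remaining:  # the check the library's StringStream::read enforces
        raise ValueError(f"Out of range. Expected: {cred_len}, read: {remaining}")
    out["credential_id"] = data[55:55 + cred_len]
    out["public_key_cbor"] = data[55 + cred_len:]  # left undecoded in this example
    return out


def rp_id_hash_ok(parsed: dict, rp_id: str = RP_ID) -> bool:
    return parsed["rp_id_hash"] == hashlib.sha256(rp_id.encode()).digest()


def build_sample(cred_len_field: int, trailing: bytes) -> bytes:
    """Constructed authenticator data mirroring the thread's values (not a real capture)."""
    return (hashlib.sha256(RP_ID.encode()).digest() + bytes([FLAG_UP | FLAG_UV | FLAG_AT])
            + b"\x00\x00\x00\x00" + bytes.fromhex("000020de96bb6f97c4ee8cc7402918b8")
            + struct.pack(">H", cred_len_field) + trailing)


def describe(data: bytes) -> str:
    try:
        parsed = parse_authenticator_data(data)
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"ok: aaguid={parsed['aaguid']} credential_id_len={len(parsed['credential_id'])}"


if __name__ == "__main__":
    print(describe(build_sample(0xAB11, b"\x00" * 289)))  # the broken length from the report
    print(describe(build_sample(32, bytes(range(32)) + b"\xa4\x01\x02")))  # a sane layout
```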

@lea-ger
Author

lea-ger commented Apr 4, 2022

The computer itself is a HP notebook and the TPM chip was manufactured by AMD.

Using a roaming authenticator (in this case I used a Yubico Security Key NFC) doesn't seem to work for me either. Here is the authenticator response:

{
   "id":"FsWK1xvQgVijGcW2t1T8f6YMudEBX4FDQ8Nft1jrWo7w-JJTWbDhgRcWpPhwKACN-hBY3B0NBXQ7SAg4bJzDLu-e2Pdhx-Px_g9dN1S8c-Vwcx4YpQ-cKESjoI_ARi3o-DZdxHUQv5wvYSziN5_mXsxbH6J_F_JUjRx9NxVfr44",
   "type":"public-key",
   "rawId":"FsWK1xvQgVijGcW2t1T8f6YMudEBX4FDQ8Nft1jrWo7w+JJTWbDhgRcWpPhwKACN+hBY3B0NBXQ7SAg4bJzDLu+e2Pdhx+Px/g9dN1S8c+Vwcx4YpQ+cKESjoI/ARi3o+DZdxHUQv5wvYSziN5/mXsxbH6J/F/JUjRx9NxVfr44=",
   "response":{
      "clientDataJSON":"eyJjaGFsbGVuZ2UiOiJIUlNILWZ0VzNEOVJhRmYyUmdVZm1BeHJHdHliLW0xeFhPSmJjVjcxcmxjIiwiY2xpZW50RXh0ZW5zaW9ucyI6e30sImhhc2hBbGdvcml0aG0iOiJTSEEtMjU2Iiwib3JpZ2luIjoiaHR0cHM6Ly93ZWJhdXRobi5zcG9ta3ktbGFicy5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0=",
      "attestationObject":"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVjSlgTqgoJOmKStoUtEYtDXOo7EaRMNqRsZMHRZIp90o1lFAAAAAQAAgBbFitcb0IFYoxnFtrdU/H+mDLnRAV+BQ0PDX7dY61qO8PiSU1mw4YEXFqT4cCgAjfoQWNwdDQV0O0gIOGycwy7vntj3Ycfj8f4PXTdUvHPlcHMeGKUPnChEo6CPwEYt6Pg2XcR1EL+cL2Es4jef5l7MWx+ifxfyVI0cfTcVX6+OpAEBAycgBiFYIEi0puUv5PCRuafjh0NkT+54W39r+vMxr7vuCW2RwWgf"
   }
}

@Spomky
Contributor

Spomky commented Apr 5, 2022

Hi,

Many thanks for the details. I extracted the attestation object and I am still facing the same issue.
The first bytes are correct: same RP ID hash, same flags, counter is 1. But the key length and the following bytes (public key) are still invalid.
Regarding the AAGUID, I was expecting one of those listed on the Yubico page, but here we have 00008016-C58A-D71B-D081-58A319C5B6B7

So for me the issue comes from the client (web browser).
I tested with Firefox and it is failing for me (was working fine few days ago).
Google Chrome, MS Edge or Opera work as expected.

I found that issue on Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1554397

Can you tell me if you are using Firefox? If yes, can you test with another browser and confirm if it fails or not?

Many thanks.
Regards.

@lea-ger
Author

lea-ger commented Apr 5, 2022

Hi,

yes, I am using Firefox and indeed that seems to be the issue. I was able to successfully register using MS Edge.
Thanks for linking the Bugzilla issue, I hope this will be worked on soon.

Thanks a lot for your help and your patience!

@lea-ger lea-ger closed this as completed Apr 5, 2022
@github-actions
Contributor

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 10, 2023