'Invalid signature' as result of authentication

[justewg]

I've tried to implement solution, written in examples of two steps.
Actually, everything works great except the one step, the last and main :)

To Reproduce
I create my own CredentialRepository class with such method:

public function findOneByCredentialId(string $publicKeyCredentialId): ?PublicKeyCredentialSource
    {
        $user = MongoUser::getByFieldValue(
            'webauthn_pkc_source.publicKeyCredentialId',
            Base64Url::encode($publicKeyCredentialId)
        );

        if ($user !== null) {
            $credentials = $user->webauthn_pkc_source;
            $res = PublicKeyCredentialSource::createFromArray($credentials);
        }

        return $res;
    }

So, my created Public Key Credential Source object writes to users account in MongoDB and finds from DB in this method, if finded - returns as PublicKeyCredentialSource object.

In credentials validation procedure I run method check():

// Check the response against the attestation request
            $authenticatorAssertionResponseValidator->check(
                $publicKeyCredential->getRawId(),
                $publicKeyCredential->getResponse(),
                $publicKeyCredentialRequestOptions,
                $psr7Request,
                null // User handle
            );

and in returns an error of step 7.2.16 of checkings, $this->algorithmManager is null

Expected behavior
Of course, I've expected that check() returns true and authentication completes.

Desktop/Smartphone (please complete the following information):

• OS: Mac OS Mojave 10.14.4
• Browser Chrome
• Version 74.0.3729.169

Additional context
I suppose that, may by, I send to check procedure the wrong saved object. I save this object with credential info on second step of making credentials, actually:

        // You can get the Public Key Credential Source. This object should be persisted using the Public Key Credential Source repository
        $publicKeyCredentialSource = \Webauthn\PublicKeyCredentialSource::createFromPublicKeyCredential(
            $publicKeyCredential,
            $publicKeyCredentialCreationOptions->getUser()->getId()
        );

        MongoUser::update(
            (int)$publicKeyCredentialCreationOptions->getUser()->getId(),
            array_merge(
                ['webauthn_pkc_source' => json_decode(json_encode($publicKeyCredentialSource), true)]
            )
        );

[Spomky]

Hi, thank you for this report.
Can you share an example of the data you store and an authenticator assertion?
What type of authenticator do you use? Built-in fingerprint reader on MacBook Pro, USB key or anything else?

By the way, instead of json_decode(json_encode(...)) you can use $publicKeyCredentialSource->jsonSerialize()

[justewg]

Ok, thanks for point to jsonSerialize()

Something like this:

Authenticator - built-in fingerprint on MacBook Pro, correct

Thanks for quick response

[Spomky]

OK. Is et possible to get one record as text that I copy/paste?
I also need an assertion and the associated options.

Can you test if it works wish the demo (https://webauthn.spomky-labs.com). If it fails, the error may come from the library itself. Otherwise I need to investigate deeper.

[justewg]

OK, I'll send json string below.
Actually, if I use $publicKeyCredentialSource->jsonSerialize(), the parameter trustPath in my case returns as empty array and there is an error in PublicKeyCredentialSource::createFromArray($credentials); because it expect {type:'empty'}
But json_decode(json_encode()) returns correct trustPath

[justewg]

{"publicKeyCredentialId":"AG1dhBPuRhDPlfoFDGKnjnniCgLB7k4n_ogfzdjin4VSeu_ytc2YKfxfCRgLG58Xn03oWIJT8hB4eSZloGbOKcYMVVQvdkvdGf9O","type":"public-key","transports":[],"attestationType":"none","trustPath":{"type":"empty"},"aaguid":"rc4AAjW8xgpkiwsl8fBVAw","credentialPublicKey":"pQECAyYgASFYIJnA9jpVFs-1tx9eQxPIXao1WGIVxLP9YbiETU_opGREIlggDcj_4eG3UJxBo9jqswVa0nMzwSLbnESHquEzcnLXn7g","userHandle":"NjY","counter":1559743445}

[justewg]

What objects do you need more? PublicKeyCredentialCreationOptions ?

[justewg]

And what should I test on your host ? Webauthn Demo on this page doesn't do anything

[Spomky]

There is a menu where you can create an account and login.
If there is something wrong I will receive a notification.

[justewg]

I choose option of built-in fingerprint scanner, but then I receive a message about checking usb-key manufacturer.

[Spomky]

I’ve just released v1.2.2 that fixes a bug when key are loaded using the method createFromArray.
Can you update your depndencies and let me know if it works fine?

I don’t know why the demo doesn’t allow you to use the fingerprint.
I also updated it with v1.2.2 and will test it again soon.

[Spomky]

Hi @justewg , is there any news. Did the last release fix the issue?

[justewg]

Works great now, thanks!

[Spomky]

Excellent. Thank you.

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.