Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Passkey support doesn't provide getAuthenticatorData for WebAuthn #2061

Closed
ForNeVeR opened this issue Dec 29, 2023 · 8 comments
Closed

Passkey support doesn't provide getAuthenticatorData for WebAuthn #2061

ForNeVeR opened this issue Dec 29, 2023 · 8 comments

Comments

@ForNeVeR
Copy link

ForNeVeR commented Dec 29, 2023

Expected Behavior

I am trying to authenticate using Passkey on a test site of WebAuthn.NET library (sources are here), and it doesn't work: the library throws an exception when trying to access response.getAuthenticatorData function on the received object.

Current Behavior

The following snippet throws an error, because there's no getAuthenticatorData function:

const responseAuthenticatorData = newCredential.response?.getAuthenticatorData();

(newCredential.response here is meant to be an AuthenticatorAttestationResponse, here's a link to the spec)

Link to the corresponding JS sources.

Possible Solution

keepasssc-browser should implement a corresponding part of the spec and provide all the methods required by the spec on its response object somehow.

Steps to Reproduce (for bugs)

(Copied from my report at dodobrands/WebAuthn.Net#1)

I'm trying to use KeePassXC's passkey support with WebAuthn.Net, and it fails.

My environment is Windows 11.

  1. Install the latest snapshot version KeePassXC (only that one supports passkeys for now).
  2. Start KeePassXC, open or create a database.
  3. In the KeePassXC settings, enable the browser support, also install the Chrome extension.
  4. In the browser extension settings, enable Passkey generator:
    image
  5. Try to register at https://webauthn.vanbukin.com

Expected result: same as with other passkey providers, it should generate a new passkey and authenticate.
Actual result: KeePassXC successfully shows its window to generate the passkey, but nothing happens after I generate it. The KeePassXC window just closes.

In the browser console, I see the following error message:

Uncaught (in promise) TypeError: newCredential.response?.getAuthenticatorData is not a function
   at completeRegistration (lib.js:129:71)
   at HTMLButtonElement.onRegisterButtonHandler (register.js:100:42)

Note that KeePassXC works well on the test site https://webauthn.io/, so I believe it is a problem with WebAuthn.Net.

Debug info

KeePassXC - Version 2.8.0-snapshot
Build Type: Snapshot
Revision: 681a0f5

Qt 5.15.6
Debugging mode is disabled.

Operating system: Windows 10 Version 2009
CPU architecture: x86_64
Kernel: winnt 10.0.22631

Enabled extensions:
- Auto-Type
- Browser Integration
- Passkeys
- SSH Agent
- KeeShare
- YubiKey
- Quick Unlock

Cryptographic libraries:
- Botan 2.19.1

KeePassXC-Browser Version: 1.8.10
Operating system: Win
Browser: Chrome 120.0.6099.130

@varjolintu
Copy link
Member

We currently don't support any attestation with the Passkey feature.

@ForNeVeR
Copy link
Author

Is there some formal description of what parts of the spec (and which spec then) are supported by this plugin? Like, for example, does it support the webauthn spec at all, and on what level?

@varjolintu
Copy link
Member

See keepassxreboot/keepassxc#8825 for the current support.

@Szer
Copy link

Szer commented Dec 29, 2023

We currently don't support any attestation with the Passkey feature.

Could it be better to respond with "None"-attestation format for forward compatibility?

There was a problem where the server assumed only the latest level of the spec from the client and was looking for attestation in the response.

@varjolintu varjolintu added the bug label Jan 3, 2024
@vanbukin
Copy link

vanbukin commented Jun 4, 2024

@varjolintu
In the #2178, you wrapped the response to PublicKeyCredential. This led to an error when calling the getAuthenticatorData() function in KeePassXC version 2.7.8.
This happens because at the time of calling this line of code, publicKey.response has the following structure:

{
    "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVkBZ8g1D_AzJTBVGNHi09dMVmpPEGId9Nb25ACq-N1pt3GvRQAAAAD9sUGyXYREPoo1RpjCBaUCACCRhZd9KtFBTPoFmf84gjsknzJQid7HJypxH7NYDDX1M6QBAwM5AQAgWQEAvOOYcaDBS4DRyjgWTUJzJWY_drlY-Fafi3iatAqy1kxKixVWMn5sFWDoxm23Fh2UpC6M6ZbEztLCC7b2wNJkiJ_pfAofIoj1yhxjEKvInhmZO47oqeJgWHgZIwFD_6d4PN9Q0DF770muJybO3M5hXoIMlpPakUsHg7xU-RyPdzhANKjOI_3l4u-1hI7BYWtg7xU-3jJ2jrFK8wxhUtwOjAeZd33cVSSoL-JvJOg6pn0a3XTBvPwrSh-nqnjkVBeePJ_XuFs9dExbX4UDTK0yYG6hWNNLaR8koYtZa22SVqiALA4gFBz6ar10TyTOei1VuPGc8vqGF0AO5eTHDzwCDSFDAQAB",
    "clientDataJSON": "eyJjaGFsbGVuZ2UiOiJHTG9rNUJYNTVfZ0xxVUF5S09yVkMza1lpVEw3WWJia0I4Sm9TMkVvWTh3IiwiY3Jvc3NPcmlnaW4iOmZhbHNlLCJvcmlnaW4iOiJodHRwczovL3dlYmF1dGhuLmRvZG8uZGV2IiwidHlwZSI6IndlYmF1dGhuLmNyZWF0ZSJ9",
    "clientExtensionResults": {}
}

There is no authenticatorData property in the publicKey.response object, so undefined is passed to the base64ToArrayBuffer function, after which an exception occurs.

Therefore, issue is still present in the current version of KeePassXC (2.7.8).

@varjolintu
Copy link
Member

@vanbukin Thanks for letting me know. I'll check it out.

@varjolintu
Copy link
Member

varjolintu commented Jun 4, 2024

@vanbukin There's another bug in the page. It also checks for getPublicKey() but does not allow null for answer, even if it's a valid response according to: https://www.w3.org/TR/2023/WD-webauthn-3-20230927/#dom-authenticatorattestationresponse-getpublickey

EDIT: I got the site working.

@varjolintu
Copy link
Member

This is now fixed for KeePassXC 2.7.9.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants