Hi, this lib with example JS code is not working on macOS BigSur with Touch ID.

In Safari - it stops on navigator.credentials.create with not allowed error "This request has been canceled by the user."

• probably caused by missing gestures? paragraph about Propagating User Gestures

In Chrome - the x5c field is missing in the CBOR object, so root CA can't be validated.

• according to section SELF(SURROGATE) Attestation there is self-attestation allowed when fmt == packed and x5c is missing. Problem is on this line where we should return true or hanle it differently on this line

btw,

• on this page https://webauthn.io it is working without problems but looks like the CBOR object is different
• iPhone with the latest iOS and Safari is working fine using Face ID

How to add key id to mysql database? What is needed to know what user is it?

Undefined index in these functions when opening from mobile browser

public function getCertificateIssuer()
{
$pem = $this->getCertificatePem();
$issuer = '';
if ($pem) {
$certInfo = \openssl_x509_parse($pem);
if (\is_array($certInfo) && \is_array($certInfo['issuer'])) {
if ($certInfo['issuer']['CN']) {
$issuer .= \trim($certInfo['issuer']['CN']);
}
if ($certInfo['issuer']['O'] || $certInfo['issuer']['OU']) {

                if ($issuer) {
                    $issuer .= ' (' . \trim($certInfo['issuer']['O'] . ' ' . $certInfo['issuer']['OU']) . ')';
                } else {
                    $issuer .= \trim($certInfo['issuer']['O'] . ' ' . $certInfo['issuer']['OU']);
                }
            }
        }
    }

    return $issuer;
}

/**
 * return the certificate subject as string
 * @return string
 */
public function getCertificateSubject()
{
    $pem = $this->getCertificatePem();
    $subject = '';
    if ($pem) {
        $certInfo = \openssl_x509_parse($pem);
        if (\is_array($certInfo) && \is_array($certInfo['subject'])) {
            if ($certInfo['subject']['CN']) {
                $subject .= \trim($certInfo['subject']['CN']);
            }
            if ($certInfo['subject']['O'] || $certInfo['subject']['OU']) {
                
                if ($subject) {
                    $subject .= ' (' . \trim($certInfo['subject']['O'] . ' ' . $certInfo['subject']['OU']) . ')';
                } else {
                    $subject .= \trim($certInfo['subject']['O'] . ' ' . $certInfo['subject']['OU']);
                }
            }
        }
    }

    return $subject;
}

Hi all

Thank you for this example!

Question, did I need the certificates? If yes, did I need to create this self? If yes, did you have any instructions how to do this?

Hey,

With example code, I can generate credentialId, credentialPublicKey, and certificate from PHP Session ($_SESSION['registrations']) and save that data to MySQL database. But, everytime the user logout and login again, the credentialId, credentialPublicKey, and certificate not the same as the previous ones.

This sample code from my project to get the data from PHP Session.

<?php

foreach ($_SESSION['registrations'] as $obj)
{
   
    echo $obj->credentialPublicKey;
    echo "<br>";
    echo $obj->certificate;
    echo "<br>";
    echo $obj->credentialId;

}

My question is, how to authenticate user with that data?

basically explains itself. if the attestation cant be verified for any reason, but the format list contains "none", just continue as if there is no attestation rather than erroring.

In Firefox on Android (u2f enabled) "the page at https://webauthn.lubu.ch says: unknown error occured"

In Chrome on Android "webauthn.lubu.ch says Not implemented"

I checked all attestation statement formats.

I checked/unchecked all root certificates.

I run LineageOS (Android 8.1) and would like to use my fingerprint sensor.

Hi!

I tried your library today. Unfortunately i can't add a new registration for my device (Android 11, Xiaomi Mi 9, Chrome newest) with android safetynet (Using devices lock screen mechanism).

On my installation, and even on your demo page, after clicking "new registration", enable the desired option, the error "invalid ctsProfileMatch in payload" pop up, which comes from server side. I found this error message in your WebAuthn code, when ctsProfileMatch is false.

I can't find any further info about this, as i am no expert of how your internal things work.

If you need more info, please let me know.

Hi!

Using your demo code with no change, when I register a device with [email protected] username, my phone (iOS and iPadOS up to date) returns demodemocom as username when I login (in the list of identities I need to select to authenticate).

Can it be improved ?

Romain

When testing with Chrome with WebAuthn tool enabled in the inspector, I get the invalid root certificate error.

How to update the certificate list available in _test/rootCertificates

Where did you get them?

I don't know how to register and consult this application in my project

HI guys, any one can submit a code using async/await as an example for a super simple client implemnetations, the callback hell makes it super hard to understand the dynammic of the library...

Any help will be so much appreciated

When using a security key on Chrome, I'm getting this error response.

On your demo URL, my security key works correctly, however when cloning your library and running the test, I get {"success":false,"msg":"Indefinite length is not supported."}

I'm running apache2 with php7.0, I also set up en envrionment with php5.6 but have the same issue.

Any ideas?

I see the userEntity is hard-coded.
$createArgs = $WebAuthn->getCreateArgs('demo', 'demo', 'Demo Demolin', 20, $requireResidentKey, $userVerification, $crossPlatformAttachment);
I changed this to a field to make it variable. I was trying to determine how FIDO2 would handle multiple userIDs with the same rpId. I assume it would allow me to select the one to use.

Why is the credentialID field blank? Any way to display "displayName" and "name" fields with the registration?
Any ideas on selecting from multiple userEntities?

Thanks in advance for any insight you can provide.

anyone have solution for apple-appattest support ?
is-it planned ?

Is there a way to decrease latency on registration (~4s). The latency on check registration is ~2s.

Hi!

I'm trying to save to database and it doesn't work. When I store "credentialId" a value is saved each time, of unknown format. I just want to save to database instead of "_SESSION" ... but is it not possible?

Any way to get the AAGUID field shown on the screen with registered credentials? Is appears blank.

https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs

New AAGUIDs will be issued for new YubiKey products which support FIDO2, or when existing YubiKey products have FIDO2 features added or removed.

Product Name or Laser Marking Firmware FIDO2 AAGUID
FIDO U2F Security Key All N/A
YubiKey 4 (Series) All N/A
YubiKey FIPS (4 Series) 4.4 N/A
YubiKey 5 (USB-A, No NFC) 5.1 cb69481e-8ff7-4039-93ec-0a2729a154a8
YubiKey 5 (USB-A, No NFC) 5.2, 5.4 ee882879-721c-4913-9775-3dfcce97072a
YubiKey 5 NFC 5.1 fa2b99dc-9e39-4257-8f92-4a30d23c4118
YubiKey 5 NFC 5.2, 5.4 2fc0579f-8113-47ea-b116-bb5a8db9202a
YubiKey 5 NFC FIPS 5.4 c1f9a0bc-1dd2-404a-b27f-8e29047a43fd
YubiKey 5 Nano 5.1 cb69481e-8ff7-4039-93ec-0a2729a154a8
YubiKey 5 Nano 5.2, 5.4 ee882879-721c-4913-9775-3dfcce97072a
YubiKey 5 Nano FIPS 5.4 73bb0cd4-e502-49b8-9c6f-b59445bf720b
YubiKey 5C 5.1 cb69481e-8ff7-4039-93ec-0a2729a154a8
YubiKey 5C 5.2, 5.4 ee882879-721c-4913-9775-3dfcce97072a
YubiKey 5C FIPS 5.4 73bb0cd4-e502-49b8-9c6f-b59445bf720b
YubiKey 5C Nano 5.1 cb69481e-8ff7-4039-93ec-0a2729a154a8
YubiKey 5C Nano 5.2, 5.4 ee882879-721c-4913-9775-3dfcce97072a
YubiKey 5C Nano FIPS 5.4 73bb0cd4-e502-49b8-9c6f-b59445bf720b
YubiKey 5C NFC 5.2, 5.4 2fc0579f-8113-47ea-b116-bb5a8db9202a
YubiKey 5C NFC FIPS 5.4 c1f9a0bc-1dd2-404a-b27f-8e29047a43fd
YubiKey 5Ci 5.2, 5.4 c5ef55ff-ad9a-4b9f-b580-adebafe026d0
YubiKey 5Ci FIPS 5.4 85203421-48f9-4355-9bc8-8a53846e5083
Security Key By Yubico 5.1 f8a011f3-8c0a-4d15-8006-17111f9edc7d
Security Key By Yubico 5.2 b92c3f9a-c014-4056-887f-140a2501163b
Security Key NFC 5.1 6d44ba9b-f6ec-2e49-b930-0c8fe920cb73
Security Key NFC 5.2 149a2021-8ef6-4133-96b8-81f8d5b7f1f5

FIDO MDS:

FIDO2 AAGUID Description
149a2021-8ef6-4133-96b8-81f8d5b7f1f5 Security Key by Yubico with NFC
2fc0579f-8113-47ea-b116-bb5a8db9202a YubiKey 5 Series with NFC
6d44ba9b-f6ec-2e49-b930-0c8fe920cb73 Security Key by Yubico with NFC
73bb0cd4-e502-49b8-9c6f-b59445bf720b YubiKey 5 FIPS Series
85203421-48f9-4355-9bc8-8a53846e5083 YubiKey 5Ci FIPS
b92c3f9a-c014-4056-887f-140a2501163b Security Key by Yubico
c1f9a0bc-1dd2-404a-b27f-8e29047a43fd YubiKey 5 FIPS Series with NFC
c5ef55ff-ad9a-4b9f-b580-adebafe026d0 YubiKey 5Ci
cb69481e-8ff7-4039-93ec-0a2729a154a8 YubiKey 5 Series
ee882879-721c-4913-9775-3dfcce97072a YubiKey 5 Series
f8a011f3-8c0a-4d15-8006-17111f9edc7d Security Key by Yubico
fa2b99dc-9e39-4257-8f92-4a30d23c4118 YubiKey 5 Series with NFC

On the surface, the RPID is essentially the domain URL. https://www.w3.org/TR/webauthn-1/#relying-party-identifier
I was wondering if another identifier such as a random UUID could be used?

Reason - To hide the website URL from the token, or someone that found/stole a token. FIDO in some instances has discoverable credentials.
https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Overview.html

User login flows supported

Example FIDO2/WebAuthn authenticator flows:
Single factor: Username + FIDO2 credential
Second factor: Username + password + FIDO2 credential
Passwordless single factor: FIDO2 discoverable credential (a ‘discoverable credential’ stores user data on the authenticator)
Passwordless MFA: FIDO2 discoverable credential + PIN

FIDO2 is also backwards-compatible with FIDO U2F authenticators
Single factor: Username + FIDO U2F credential
Second factor: Username + password + FIDO U2F credential

As we can save the blob data in the key. And these can be retrieved in clear form anytime. But is it possible that we can store some sensitive additional information in key, which can be only verified?

Probably bug on chrome, but if response has
allowCredentials > transports chrome removes linked android device as a valid verification step (leaving only security key option)

if we remove transports at all, leaving only id and type keys - it works fine. You can try to test it at https://webauthn.lubu.ch/_test/client.html

https://snipboard.io/17wGqE.jpg screenshot using check registration button and all transports enabled
https://snipboard.io/Q8ds0Z.jpg screenshot using check registration button and all transports disabled

Hi there I got authenticated the user by storing the info in the database, but if I store the same device/fingerprint into a new user, it not longer works the previous user, only works the new one.. How do I authenticate device/fingerprint with older user and then logout and authenticate with the new one

Hi! I don't know how to integrate this project into mine. I have a project in php and I want to integrate this part of security.. Could somebody explain to me? I'm new in this domain. Thank you so much!

Hi,

When I'm trying to add registration in the demo (on my server), i have a message : "unexpected token A in JSON at position 0" after enrollment with android safetynet on google chrome.

I don't understand moreover it works on your online demo in the same conditions ...

My server is running on PHP 7.4.15 with openssl 1.1.1d

Thanks :)

I am getting PHP errors in AttestationObject.php line 90 for YubiKey.
Undefined Index: OU
Undefined Index: O
Line: if ($certInfo['issuer']['O'] || $certInfo['issuer']['OU']) {....

This appears to be looking for the O and OU in the Issuer field. However, this YubiKey shows:

Issuer: CN=Yubico U2F Root CA Serial ...

There isn't a O or OU in the Issuer field. Only in the Subject Field.

ByteBuffer.php makes use of the broken Serializable interface and causes deprecation warnings with PHP 8.1. __serialize() should be used instead: https://wiki.php.net/rfc/phase_out_serializable

i tried your demo on my webserver with PHP 7.0.33.

JSON.parse: unexpected end of data at line 1 column 1 of the JSON data

currently it is only possible to "require" (you have to verify the user) or "prefer" (if you can verify the user, please do so) the userVerification.

if you want to use the device only as a second factor it may not be wanted to use the verification of the Fido device. this is generally possible by setting userVerification to discouraged

https://github.com/lbuchs/WebAuthn/blob/master/WebAuthn.php#L114

hacking that line to replace preferred with discouraged makes it register fine without verification, but apparently there is no obvious way to do the same for logging in.

okay for login one has to make the following for getgetargs:

$args->publicKey->userVerification = 'discouraged';

I think I can work on a pull request.

Hi!

The ByteBuffer class is incompatible with PHP 8.1

I had to remove \Serializable interface (https://php.watch/versions/8.1/serializable-deprecated) and also to fix the return type of jsonSerialize to :mixed.

I don't create a pull request for this, as i guess this is a breaking change for existing users.

I'm not exactly saying this is a bug, but it might help some others out with migration.

First up the public certificate needs to be adjusted, and the rpId need to be matched to the kind of key use.

                                        $webAuthn = new lbuchs\WebAuthn\WebAuthn('App Name', $key['appid'], $formats);
                                        if (strpos($key['appid'], 'https://') !== false)
                                        {
                                                $der  = "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01";
                                                $der .= "\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42";
                                                $der .= "\0".base64_decode($key['publicKey']);

                                                $pem  = "-----BEGIN PUBLIC KEY-----\r\n";
                                                $pem .= chunk_split(base64_encode($der), 64);
                                                $pem .= "-----END PUBLIC KEY-----";
                                                $credentialPublicKey = $pem;
                                        }
                                        else
                                        {
                                                $credentialPublicKey = $key['publicKey'];
                                        }

Second the u2f keyHandle needs to be fixed, and all known keys need to be put into the credentials.get (template code is Smarty, adjust as needed)

U2F stored the keyHandle in an url safe base64 format that causes issues. Easily fixed

$keyHandle = base64_decode(str_pad(strtr($reg['keyHandle'], '-_', '+/'), strlen($reg['keyHandle']) % 4, '=', STR_PAD_RIGHT));
$reg['keyHandle'] = base64_encode($keyHandle);

                                        {if $u2fKeys || $webAuthnKeys}
                                        allowCredentials: [
                                                {foreach $u2fKeys as $key}
                                                {
                                                        type: 'public-key',
                                                        id: _base64ToArrayBuffer('{$key.keyHandle}')
                                                },
                                                {/foreach}
                                                {foreach $webAuthnKeys as $key}
                                                {
                                                        type: 'public-key',
                                                        id: _base64ToArrayBuffer('{$key.keyHandle}')
                                                },
                                                {/foreach}
                                        ],
                                        {/if}

PHP8 seems to have a problem with the getChallenge() method. Easy enough to store it as:

$_SESSION['webAuthnChallenge'] = $challenge->publicKey->challenge->getBinaryString();

Lastly the checkOrigin() from WebAuthn will fail due to the regex when passing in https://domain.com

Realistically there should be a better check for this or a flag, but a quick fix is simply

return \preg_match('/' . \preg_quote(\str_replace('https://', '', $this->_rpId)) . '$/i', $host) === 1;

I also found Chrome doesn't follow the standards, and a lot of defaults are ignored and are instead required.

Hi, lbuchs!
Thank you for this library. I forked it and made a couple of changes.
I will be glad if you include changes in your main repository. Here are the links to commits:

Set Authenticator Attachment:
kumirska@8254e63

Certificate Subject (issue: keys 'O' & 'OU' may not exist):
kumirska@c079273

Certificate Issuer (issue: keys 'O' & 'OU' may not exist):
kumirska@9bec6de

Added composer.json for convenient dependency management:
https://github.com/kumirska/WebAuthn/blob/master/composer.json

Added some cases in .gitignore:
https://github.com/kumirska/WebAuthn/blob/master/.gitignore

Sources files replaces into src directory (not necessary)

`

return navigator.credentials.create(createCredentialArgs);
// convert to base64
}).then(function(cred) {
console.log(cred);
return {
clientDataJSON: cred.response.clientDataJSON ? arrayBufferToBase64(cred.response.clientDataJSON) : null,
attestationObject: cred.response.attestationObject ? arrayBufferToBase64(cred.response.attestationObject) : null
};

`

The following is put to the console:

PublicKeyCredential {rawId: ArrayBuffer(65), response: AuthenticatorAttestationResponse, id: "AaOosB3oUJNgInLWrLVHCL6dVDJ4kLyL6775pbE0zPHs49RWys3OFSjqPf2YnKnd-Uzo-Vo48ZSmnSrz9gTuj2U", type: "public-key"}

So the data gets null.

How do I fix it so that response.clientDataJSON and response.attestationObject exist?

Hi there! I've read what is available, but couldn't find the answer, I'm trying to integrate without using SESSIONS in WebAuthn code because server.php sends some issues too at some point (PHP Warning: session_start(): Failed to decode session object. Session has been destroyed in PATH/server.php on line 39) I think something interferes why my session app, this is when I only use challenge session on server.php. So I tried to store everything in a db like this:

[[ $fn === 'processCreate' ]]

  require_once 'scripts/db.php';
  $link = db_open();

  $uuuid = $_GET['uuuid'];     //Got user_id and send it by using getGetParams() functions on client side

  $q = "SELECT uchallenge
        FROM users
        WHERE uuuid = ? ";
  $params = array( $uuuid );
  $r = db_query( $link, $q, "s", $params );
  
    $clientDataJSON = base64_decode($post->clientDataJSON);
    $attestationObject = base64_decode($post->attestationObject);
    $challenge = $r[0]['uchallenge'];  //Got challenge from db

    // continue as usual code

    $data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, $userVerification === 'required', true, false);

  $q = "UPDATE users 
     SET ufingerprint = ?
     WHERE uuuid = ? ";
  $params = array( serialize($data), $uuuid );  // Save array to db
  db_query( $link, $q, "ss", $params );

// this is an example in one of the sections, but basically I use everywhere data[] and challenge variables are used.

When I try to save to fingerprint array info, it asks for a fingerprint an then throw me the error: Unknown error occurred
I think this in processCreate function.
the challenge string is saved correctly (64 chars);

any help is appreciated

The requirenments part of your documentation should be updated to >= PHP 7.1

This other library does not have this issue:
https://github.com/davidearl/webauthn

Miss stable release for composer. Only dev-master version is available.

I would like to use this library, but if I test it on
webauthn.lubu.ch
with a 'hypersecu' USB key:

'Ivalid root certificat' comes up if I try to make a new registration.

are there plans to add TPM attestation?

currently one cannot directly pull whether UV was used on any given auth/register.

especially on uv=preferred attempts one might wanna know whether UV was used or not to add that info to add server-side validation of UV in the future (to prevent thieves from changing the UV value in the request and do bad stuff)

on an auth attempt it isnt too hard to pull the value out since it's at a fixed byte (32 counting from 0) offset of the authenticatordata

but at the registration the authenticator data is part of the Attestation object, a CBOR array, something one cant take apart THAT easily or quickly, so it would be useful if the processcreate/processget just give out this fact.

the attestationcert of my Yubikey 5 NFC has apparently very little info on the issuer in the attestation cert so basically the registering process just breaks on newer versions ( a0d0fa4 ) .

honestly never really noticed since I patched myself some UV support in quite a while ago, and therefore didnt really try a lot on the new versions.

see the pic below:

$data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, $userVerification === 'required');

results in:
$data->certificateChain equals NULL
$data->certificate equal NULL
$data->certificateIssuer equals ""
$data->certificateSubject equals ""
$data->signatureCounter equals NULL

I'm testing with windows hello.
Any help would be much appreciated.

EDIT: I looked at \Format\None and it returns null for getCertificatePem, Which makes sense. But when using \Format\Packed, I can't figure out why my attestStmt->x5c is coming through as null.

I can't get my Yubikey working.

I encounter the following error:
lbuchs\WebAuthn\WebAuthnException: unsupported alg: in ...vendor/lbuchs/webauthn/src/Attestation/Format/U2f.php

It looks like data is expected in $attStmt['alg'];
However 'attStmt' should not have any 'alg' at all following this page:
https://www.w3.org/TR/webauthn/#sctn-fido-u2f-attestation

Add support for Apples attestation
From: passwordless-lib/fido2-net-lib#184

Format came out last night: https://pr-preview.s3.amazonaws.com/alanwaketan/webauthn/pull/1491.html#sctn-apple-anonymous-attestation

Initial implementation here: 0d6410c

Borrowed initial test data from webauthn4j/webauthn4j@9a7260b#diff-b16de03d04ad98253ba2011fc88e755f

so I had some tries with the new version that supports the MDS which is pretty nice.

but apparently for some reason, the idem Card gets rejected as allegedly not matching any root.

however I pulled a copy and looked for the AAGUID and pulled the root certs from that (there are 2), and it definitely matched one of them.

Seem to be not working with HELLO
Fatal error: Uncaught exception 'WebAuthn\WebAuthnException' with message 'Unsupported simple value 5.'
Stack trace:
#0 /var/www/htdocs/include/CBOR/CborDecoder.php(109): WebAuthn\CBOR\CborDecoder::_parseSimple(5) --> ERROR
#1 /var/www/htdocs/include/CBOR/CborDecoder.php(70): WebAuthn\CBOR\CborDecoder::_parseFloatSimple(5, Object(WebAuthn\Binary\ByteBuffer), 23)
#2 /var/www/htdocs/include/CBOR/CborDecoder.php(200): WebAuthn\CBOR\CborDecoder::_parseItem(Object(WebAuthn\Binary\ByteBuffer), 23)
#3 /var/www/htdocs/include/CBOR/CborDecoder.php(186): WebAuthn\CBOR\CborDecoder::_parseMap(Object(WebAuthn\Binary\ByteBuffer), 23, 3)
#4 /var/www/htdocs/include/CBOR/CborDecoder.php(75): WebAuthn\CBOR\CborDecoder::_parseItemData(5, 3, Object(WebAuthn\Binary\ByteBuffer), 23)
#5 /var/www/htdocs/include/CBOR/CborDecoder.php(33): WebAuthn\CBOR\CborDecoder::_parseItem(Object(WebAuthn\Binary\ByteBuffer), 23)
#6 /var/www/htdocs/include/Attestation/AttestationObject.php(21): WebAuthn\CBOR\CborDecoder: in /var/www/htdocs/include/CBOR/CborDecoder.php on line 127

My local dev environment makes use of complex localhost FQDN's such as ..localhost (eg. prod.abc.localhost)

I had to alter line 583 in WebAuthn.php to the following to allow these domain names to work:

if ($this->_rpId !== 'localhost' && !\str_ends_with($this->_rpId, '.localhost') && \parse_url($origin, PHP_URL_SCHEME) !== 'https') {
            return false;
}

Is anyone able to check this for security/compliance issues and submit a pull request (I'm happy to submit if someone can point me in the right direction)? I was able to use a Yubikey and TouchID locally after making this change.

The WebAuthn2 spec supports a new field residentKey in the authenticator selection criteria, which can be used to encourage (without requiring) or discourage resident keys.

Currently we only support requireResidentKey which still needs to be there because of backwards compatibility with v1.

If we want to add this I can submit a PR.

Hello

Just a friendly notification that the demo is not currently working.

Thank you for all the excellent work!

Hello,
Just tried https://webauthn.lubu.ch/_test/client.html on my Android 8.1 chrome 72.0.3626.121 and i am having this error once the fingerprint verification succeeds:

invalid attestation format