Comments (6)
Hi @maricavor 👋 !
Thank you for the report!
I'll try to reproduce this tomorrow with my YubiKey 5C so that I can understand what's the issue. I'll let you know what I end up finding!
Hi @santiagorodriguez96 ! Thanks for your help! After some time in troubleshooting the verification process I found out that it fails on validation of attestation statement:
```ruby
module AttestationStatement
  class Packed < Base
    # Follows "Verification procedure"
    def valid?(authenticator_data, client_data_hash)
      valid_format? &&
        valid_algorithm?(authenticator_data.credential) &&
        valid_ec_public_keys?(authenticator_data.credential) &&
        meet_certificate_requirement? &&
        matching_aaguid?(authenticator_data.attested_credential_data.raw_aaguid) &&
        valid_signature?(authenticator_data, client_data_hash) &&
        trustworthy?(aaguid: authenticator_data.aaguid) &&
        [attestation_type, attestation_trust_path]
    end
    # ...
  end
end
```
where the `trustworthy?` check returns false. The reason for this is the following verification:
```ruby
def valid_certificate_chain?(aaguid: nil, attestation_certificate_key_id: nil)
  attestation_root_certificates_store(
    aaguid: aaguid,
    attestation_certificate_key_id: attestation_certificate_key_id
  ).verify(attestation_certificate, attestation_trust_path)
end
```
I managed to retrieve the error information and it returns error 20: `unable to get local issuer certificate`
Does it mean that I have to add `attestation_root_certificates_finders` for every authenticator I want to support and get authenticator data?
Good catch @maricavor!
> Does it mean that I have to add `attestation_root_certificates_finders` for every authenticator I want to support and get authenticator data?
Yes, as stated in the README:

> You can define what trust policy to enforce by setting `acceptable_attestation_types` config to a subset of `['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA']` and `attestation_root_certificates_finders` to an object that responds to `#find` and returns the corresponding root certificate for each registration. The `#find` method will be called passing keyword arguments `attestation_format`, `aaguid` and `attestation_certificate_key_id`.
The gem doesn't provide a way of obtaining the list of acceptable trust anchors right now. However, as an example that might be useful, we implemented a finder that – along with the `fido_metadata` gem – knows how to obtain the list of attestation root certificates as defined in the FIDO Metadata Service that we use for running the conformance specs – here you can see how we configure the relying party to use it. By following this protocol, you will be able to fetch the root certificates related to the FIDO authenticators. Alternatively, you could go ahead and collect all the root certificates yourself from the manufacturers you want to trust.
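As an added example (my code, not webauthn-ruby's and not from anyone in this thread), the snippet below puts the two pieces discussed above side by side: a finder object with the `#find(attestation_format:, aaguid:, attestation_certificate_key_id:)` interface the README describes, and the `OpenSSL::X509::Store#verify` check that `valid_certificate_chain?` performs, so that error 20 (`unable to get local issuer certificate`) can be seen when no root is registered for an AAGUID and seen to clear once the finder returns one. Assumptions: the finder returns an Array of `OpenSSL::X509::Certificate` (the README says "the corresponding root certificate"; the gem feeds what comes back into a store), the AAGUID and both certificates are constructed throwaways generated at run time, and the class, method and constant names are mine.

```ruby
require "openssl"

# Added example, not webauthn-ruby's own code. Part 1: a finder object with the
# interface the README describes; part 2: the store-based chain check the gem runs,
# reproduced here so the "unable to get local issuer certificate" (error 20) case
# from the thread can be observed next to the configured-root case.

class InMemoryRootCertificateFinder
  def initialize
    @by_aaguid = {} # aaguid String => [OpenSSL::X509::Certificate, ...]
    @by_key_id = {} # attestation certificate key id (hex String) => [certs]
  end

  # Register a trust anchor for an authenticator model. Formats such as "packed"
  # carry an AAGUID; "fido-u2f" has none and is matched by certificate key id.
  def add(root_certificate, aaguid: nil, attestation_certificate_key_id: nil)
    (@by_aaguid[aaguid] ||= []) << root_certificate if aaguid
    (@by_key_id[attestation_certificate_key_id] ||= []) << root_certificate if attestation_certificate_key_id
    self
  end

  # The gem calls #find with exactly these keywords (per the README). Returning an
  # Array of certificates, empty when the authenticator is unknown, is an
  # assumption of this example.
  def find(attestation_format:, aaguid: nil, attestation_certificate_key_id: nil)
    if attestation_format == "fido-u2f"
      @by_key_id.fetch(attestation_certificate_key_id, [])
    else
      @by_aaguid.fetch(aaguid, [])
    end
  end
end

# Equivalent of the gem's valid_certificate_chain? step shown in the thread:
# whatever the finder returns becomes the store's trust anchors, and the
# attestation certificate plus its trust path is verified against that store.
# Returns [verified?, openssl_error_code, openssl_error_string].
def verify_attestation_chain(finder, attestation_certificate, trust_path, attestation_format:, aaguid: nil, attestation_certificate_key_id: nil)
  store = OpenSSL::X509::Store.new
  roots = finder.find(attestation_format: attestation_format, aaguid: aaguid,
                      attestation_certificate_key_id: attestation_certificate_key_id)
  roots.each { |root| store.add_cert(root) }
  verified = store.verify(attestation_certificate, trust_path)
  [verified, store.error, store.error_string]
end

# Constructed fixtures: a throwaway root CA and one attestation certificate it issued.
# Real deployments take the roots from the FIDO MDS or the manufacturer instead.
def build_certificate(subject, key:, issuer:, issuer_key:, serial:, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

SAMPLE_AAGUID = "00000000-0000-4000-8000-00000000beef" # placeholder, not a real authenticator
ROOT_KEY = OpenSSL::PKey::EC.generate("prime256v1")
ROOT_CERT = build_certificate("/CN=Constructed Attestation Root", key: ROOT_KEY, issuer: nil, issuer_key: ROOT_KEY, serial: 1, ca: true)
ATTESTATION_KEY = OpenSSL::PKey::EC.generate("prime256v1")
ATTESTATION_CERT = build_certificate("/CN=Constructed Authenticator Attestation", key: ATTESTATION_KEY, issuer: ROOT_CERT, issuer_key: ROOT_KEY, serial: 2, ca: false)

# Run the same packed-attestation check with an empty finder and a configured one.
def demo
  empty = InMemoryRootCertificateFinder.new
  configured = InMemoryRootCertificateFinder.new.add(ROOT_CERT, aaguid: SAMPLE_AAGUID)
  {
    without_root: verify_attestation_chain(empty, ATTESTATION_CERT, [], attestation_format: "packed", aaguid: SAMPLE_AAGUID),
    with_root: verify_attestation_chain(configured, ATTESTATION_CERT, [], attestation_format: "packed", aaguid: SAMPLE_AAGUID)
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |label, (verified, code, message)| puts "#{label}: verified=#{verified} error=#{code} (#{message})" }
end
```

To use the finder for real, drop the fixture section, `add` the roots you collected from the MDS blob (or from the manufacturers) keyed by AAGUID or key id, and pass the object as one element of `attestation_root_certificates_finders` in your `WebAuthn.configure` block; the gem then supplies the three keyword arguments on every registration. The empty-finder run reproduces the error 20 from the thread because the store has no anchor that issued the attestation certificate, which is exactly the situation before a finder is configured.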
Thanks a lot, @santiagorodriguez96 ! That makes sense. Actually I already modified the `fido_metadata` gem for myself to support FIDO Metadata Service v3 and download all the metadata and save it to a database, which I use for validating the authenticators by their certificate statuses. Now as you suggested I just have to collect all the root certificates from the metadata as well and implement a finder.
That's great! 🙌
> Now as you suggested I just have to collect all the root certificates from the metadata as well and implement a finder.
If I'm not mistaken, you should be good with just the MDS Root Certificate.
https://fidoalliance.org/metadata/
Closing this as it seems that the issue was addressed. Feel free to open if you have any other doubt or question!