tanguilp / wax
WebAuthn for Elixir
Home Page: https://hexdocs.pm/wax_
License: Apache License 2.0
Instead of HTTPoison
Hiya, thanks a lot for this library! I've gotten Wax working locally, but when I try to deploy to my server I'm having issues with asn1ct. I see the calls to it in priv/android_key/AndroidKeyAttestationV1 but it doesn't seem to be a dependency. Have you seen these issues?
Cheers!
2019-03-08T21:26:09.974426+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1 | 21:26:09.973 [info] Application wax exited: exited in: Wax.Application.start(:normal, [])
2019-03-08T21:26:09.974439+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1 | ** (EXIT) an exception was raised:
2019-03-08T21:26:09.974465+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1 | :asn1ct.compile('/app/lib/wax-0.1.1/priv/android_key/AndroidKeyAttestationV1.asn1', [outdir: '/app/lib/wax-0.1.1/priv/android_key/asn_generated'])
2019-03-08T21:26:09.974440+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1 | ** (UndefinedFunctionError) function :asn1ct.compile/2 is undefined (module :asn1ct is not available)
2019-03-08T21:26:09.974499+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1 | (wax) lib/wax/attestation_statement_format/android_key.ex:347: Wax.AttestationStatementFormat.AndroidKey.install_asn1_module/0
2019-03-08T21:26:09.974622+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1 | (kernel) application_master.erl:273: :application_master.start_it_old/4
2019-03-08T21:26:09.974621+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1 | (wax) lib/wax/application.ex:8: Wax.Application.start/2
2019-03-08T21:26:11.575074+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1 | {"Kernel pid terminated",application_controller,"{application_start_failure,wax,{bad_return,{{'Elixir.Wax.Application',start,[normal,[]]},{'EXIT',{undef,[{asn1ct,compile,[\"/app/lib/wax-0.1.1/priv/android_key/AndroidKeyAttestationV1.asn1\",[{outdir,\"/app/lib/wax-0.1.1/priv/android_key/asn_generated\"}]],[]},{'Elixir.Wax.AttestationStatementFormat.AndroidKey',install_asn1_module,0,[{file,\"lib/wax/attestation_statement_format/android_key.ex\"},{line,347}]},{'Elixir.Wax.Application',start,2,[{file,\"lib/wax/application.ex\"},{line,8}]},{application_master,start_it_old,4,[{file,\"application_master.erl\"},{line,273}]}]}}}}}"}
2019-03-08T21:26:11.579166+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1 |
2019-03-08T21:26:11.575092+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1 | Kernel pid terminated (application_controller) ({application_start_failure,wax,{bad_return,{{'Elixir.Wax.Application',start,[normal,[]]},{'EXIT',{undef,[{asn1ct,compile,["/app/lib/wax-0.1.1/priv/andro
2019-03-08T21:26:13.596870+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1 | Crash dump is being written to: erl_crash.dump...done
2019-03-08T21:26:14.473527+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1 | exited with code 1
Hey, thank you for the library.
I'm testing direct attestation verification with an Android device, and I'm getting the following error:
%Wax.AttestationVerificationError{type: :safetynet, reason: :algs_mismatch}
Poking at the code yielded that authenticationAlgorithms is ["secp256r1_ecdsa_sha256_raw"] while jws_alg is RS256. It seems the code expects either secp256r1_ecdsa_sha256_raw and ES256 or rsassa_pkcsv15_sha256_raw and RS256.
I tested with two Android phones with Android 13.
Any ideas? I don't know what other information is relevant to the issue.
On a related matter, I tested it with a Windows 11 laptop, and it also failed but with a %Wax.AttestationVerificationError{type: :tpm, reason: :invalid_pub_area}
error. I can open a second issue for that if necessary.
Hi. I'm looking at wax and noticed that the deps section in mix.exs brings in the tesla web client, but I can't see anywhere in the code where it is used.
Is it a leftover from the past that can be safely removed? I'd rather not have dependencies loaded that aren't actually being used.
Thanks
Wax is crashing on startup for me. I get this message numerous times, until my server actually runs out of memory and erlang crashes.
[error] Task Wax.Metadata started from #PID<0.3294.0> terminating
** (FunctionClauseError) no function clause matching in Wax.Metadata.Statement.user_verification_method/1
(wax_ 0.3.0) lib/wax/metadata/statement.ex:434: Wax.Metadata.Statement.user_verification_method(2048)
(wax_ 0.3.0) lib/wax/metadata/statement.ex:349: anonymous fn/1 in Wax.Metadata.Statement.from_json!/1
(elixir 1.10.0) lib/enum.ex:1396: Enum."-map/2-lists^map/1-0-"/2
(elixir 1.10.0) lib/enum.ex:1396: Enum."-map/2-lists^map/1-0-"/2
(wax_ 0.3.0) lib/wax/metadata/statement.ex:342: Wax.Metadata.Statement.from_json!/1
(elixir 1.10.0) lib/task/supervised.ex:90: Task.Supervised.invoke_mfa/2
(elixir 1.10.0) lib/task/supervised.ex:35: Task.Supervised.reply/5
(stdlib 3.9.2) proc_lib.erl:249: :proc_lib.init_p_do_apply/3
Function: #Function<7.27430003/0 in Wax.Metadata.process_metadata_toc/2>
Args: []
The only changes I've made to my codebase in the last few days are other unrelated packages- ex_aws, pow, phoenix_live_dashboard, so I don't think any of them could be causing this. Any idea what's going on?
I think there are some copy-paste typos in the verify logic for the AttestationStatementFormat.FIDOU2F and Wax.AttestationStatementFormat.AppleAnonymous modules. For the former, the :type value for any AttestationVerificationError returned should probably be :fido_u2f, and for the latter, :apple.
Also, are these :type values supposed to be the same as those in the Wax.Attestation.statement_format typespec? In which case, :apple or :apple_anonymous should be added to that typespec, and :safetynet should be :android_safetynet, and possibly :apple should be :apple_anonymous...
In lib/wax/attestation_statement_format/tpm.ex, a custom cert verification function is used, because OTP22 doesn't support the certificate policies extension when marked as critical.
This ought to be removed as soon as OTP (and Wax's minimum OTP version) supports it.
CRLs can be found here: https://fidoalliance.org/metadata/
Looks excessively complicated to implement with the Erlang SSL API, compared with the security gains it would provide.
Module: Wax.AttestationStatementFormat.TPM
Issue: Calling String.slice(2..-1) raises a warning because it is deprecated in new Elixir versions.
Fix: Replace the current code by String.slice(2..-1//1)
I can only create an issue, not a PR, but I have the fix running locally.
My current IP is flagged for spam from a number of domains (including CloudFlare). This causes this error from Wax unless I run through a VPN:
[error] GenServer Wax.Metadata terminating
** (FunctionClauseError) no function clause matching in Wax.Metadata.handle_info/2
(wax) lib/wax/metadata.ex:101: Wax.Metadata.handle_info({:ssl_closed, {:sslsocket, {:gen_tcp, #Port<0.63>, :tls_connection, :undefined}, [#PID<0.631.0>, #PID<0.630.0>]}}, [serial_number: 0])
(stdlib) gen_server.erl:637: :gen_server.try_dispatch/4
(stdlib) gen_server.erl:711: :gen_server.handle_msg/6
(stdlib) proc_lib.erl:249: :proc_lib.init_p_do_apply/3
Last message: {:ssl_closed, {:sslsocket, {:gen_tcp, #Port<0.63>, :tls_connection, :undefined}, [#PID<0.631.0>, #PID<0.630.0>]}}
State: [serial_number: 0]
The failure body is an HTML page with status 403.
I'm also getting this failure when starting up my server with my VPN enabled:
[error] GenServer Wax.Metadata terminating
** (stop) exited in: Task.await(%Task{owner: #PID<0.367.0>, pid: #PID<0.570.0>, ref: #Reference<0.2688299539.1131151361.214542>}, 5000)
** (EXIT) time out
(elixir) lib/task.ex:577: Task.await/2
(wax) lib/wax/metadata.ex:174: anonymous fn/1 in Wax.Metadata.process_metadata_toc/2
(elixir) lib/enum.ex:769: Enum."-each/2-lists^foreach/1-0-"/2
(elixir) lib/enum.ex:769: Enum.each/2
(wax) lib/wax/metadata.ex:171: Wax.Metadata.process_metadata_toc/2
(wax) lib/wax/metadata.ex:76: Wax.Metadata.handle_continue/2
(stdlib) gen_server.erl:637: :gen_server.try_dispatch/4
(stdlib) gen_server.erl:388: :gen_server.loop/7
(stdlib) proc_lib.erl:249: :proc_lib.init_p_do_apply/3
Last message: {:continue, :update_metadata}
State: [serial_number: 0]
Wax then resumes update and everything seems to be working properly.
Let me know what other info would be helpful!
Hi,
I can see in your tests that you also get stuck with the Android SafetyNet Attestation.
With my Android smartphone, I finally managed to get a valid attestation.
I use it in my tests:
{"id":"Ac8zKrpVWv9UCwxY1FyMqkESz2lV4CNwTk2-Hp19LgKbvh5uQ2_i6AMbTbTz1zcNapCEeiLJPlAAVM4L7AIow6I","type":"public-key","rawId":"Ac8zKrpVWv9UCwxY1FyMqkESz2lV4CNwTk2+Hp19LgKbvh5uQ2/i6AMbTbTz1zcNapCEeiLJPlAAVM4L7AIow6I=","response":{"clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoia21uczQzQ1dWc3diTW92cktQa2dkMWxFcGM2TFpkZmswVVFfbnVaYnAwMGpXNUM2MVBFVzFkTmFwdFowR2tySUs5V1J0YUFYV2tuZElFRUJnTklDUnciLCJvcmlnaW4iOiJodHRwczpcL1wvd2ViYXV0aG4ubW9yc2VsbGkuZnIiLCJhbmRyb2lkUGFja2FnZU5hbWUiOiJjb20uYW5kcm9pZC5jaHJvbWUifQ==","attestationObject":"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"}}
Hope it helps.
What is the difference between the 2 options described in the README for loading FIDO2 Metadata?
I downloaded the metadata from the FIDO test suite client and then I used the option "Loading FIDO2 metadata from a directory". With this option the tests pass.
Does the other option, "Configuring MDSv3 metadata", replace the first one? I tried to pass the tests loading MDSv3 metadata from the web site and removing the local metadata files, but the tests failed. It seems that the aaguid is not found in the downloaded metadata.
Thanks in advance
Get this error when I start my phoenix server
[notice] TLS :client: In state :wait_cert_cr at ssl_handshake.erl:2129 generated CLIENT ALERT: Fatal - Bad Certificate
- {:bad_crls, :no_relevant_crls}
[info] Elixir.Wax.Metadata: failed to download MDSv3 metadata, error: {:error, {:failed_connect, [{:to_address, {~c"mds.fidoalliance.org", 443}}, {:inet, [:inet], {:tls_alert, {:bad_certificate, ~c"TLS client: In state wait_cert_cr at ssl_handshake.erl:2129 generated CLIENT ALERT: Fatal - Bad Certificate\n {bad_crls,no_relevant_crls}"}}}]}}
To pass the tests for the section MakeCredential: Platform Attestations, it is required to uncomment the following line of code in Wax.AttestationStatementFormat.TPM.
++ ["id:FFFFF1D0"]
# fake ID for conformance tool testing, uncomment only for testing
Maybe this should be included in the README somewhere, because it is not explicitly mentioned.
I was looking on hex.pm for the docs.
Is this library not on hex? Could I please request that it is added to hex.pm? I lost some time looking for it, and it also took me a moment to realize that the Wax package on there has in fact nothing to do with this library: https://hex.pm/packages/wax
I noticed that the issued_at value in Wax.Challenge is set using :erlang.monotonic_time/1. Is there a reason for this choice? It seems a bit problematic to me, since:
Shouldn't the value be the unix time instead? Also, the timeouts in the WebAuthn specification are defined in milliseconds. I think it would be good to use millisecond values in the library as well, to avoid confusion. So in short, DateTime.to_unix(DateTime.utc_now(), :millisecond).
Hi, I've been looking to see if I can contribute, or use Wax for my purposes.
Just spotted that there is an open branch with a lot of stuff on and don't want to duplicate work.
Could you open a PR for that branch?
The worker currently runs in the test env. I don't think that's desirable. I'm not sure how you'd like to handle the config to turn it off, though.
Hi,
First thank you for this implementation of FIDO2, not an easy specification.
I encounter an issue, apparently with the x5c from the authenticator:
Wax.register(
webauthn_params[:attestation_object],
webauthn_params[:client_data],
webauthn_params[:challenge]
) #=> {:error,
%Wax.MetadataStatementNotFoundError{
message: "Authenticator metadata was not found"
}}
Any clues?
Hey, Thank you for putting this library together.
wax_challenge = Wax.new_registration_challenge(timeout: 60000, attestation: "direct")
%{
challenge: challenge,
rp: %{
name: "New project",
id: wax_challenge.rp_id
},
user: %{
id: "eWFzaA",
name: email,
displayName: email
},
pubKeyCredParams: [%{alg: -7, type: "public-key"}],
timeout: 60000,
excludeCredentials: [],
authenticatorSelection: %{
residentKey: "preferred",
requireResidentKey: false,
userVerification: "preferred"
},
attestation: wax_challenge.attestation,
extensions: %{
credProps: true
}
}
Wax.register(attestationObject, Jason.encode!(client_data), wax_challenge)
This register check is resulting in an invalid_signature error
att_stmt: %{
"alg" => -7,
"sig" => <<48, 68, 2, 32, 56, 54, 135, 30, 158, 60, 11, 248, 135, 0, 42, 205,
49, 221, 249, 110, 75, 7, 192, 21, 170, 253, 63, 74, 201, 139, 188, 57, 163,
107, 209, 120, 2, 32, 98, 166, 82, 102, 56, 6, 187, 185, 79, 227, ...>>
}
auth_data: %Wax.AuthenticatorData{
rp_id_hash: <<73, 150, 13, 229, 136, 14, 140, 104, 116, 52, 23, 15, 100, 118,
96, 91, 143, 228, 174, 185, 162, 134, 50, 199, 153, 92, 243, 186, 131, 29,
151, 99>>,
flag_user_present: true,
flag_user_verified: true,
flag_attested_credential_data: true,
flag_extension_data_included: false,
sign_count: 0,
attested_credential_data: %Wax.AttestedCredentialData{
aaguid: <<173, 206, 0, 2, 53, 188, 198, 10, 100, 139, 11, 37, 241, 240, 85,
3>>,
credential_id: <<186, 112, 253, 223, 5, 161, 237, 236, 203, 160, 140, 238,
231, 128, 165, 108, 153, 13, 157, 69, 107, 150, 157, 56, 34, 141, 188,
226, 66, 6, 14, 90>>,
credential_public_key: %{
-3 => <<72, 216, 196, 201, 21, 117, 51, 16, 163, 218, 138, 237, 87, 201,
189, 146, 97, 119, 139, 82, 130, 136, 1, 247, 129, 158, 252, 170, 8,
151, 131, 22>>,
-2 => <<222, 33, 77, 199, 209, 75, 66, 58, 24, 173, 9, 7, 21, 143, 56, 41,
74, 239, 253, 144, 253, 201, 254, 87, 58, 88, 182, 86, 220, 170, 179,
80>>,
-1 => 1,
1 => 2,
3 => -7
}
},
extensions: nil,
raw_bytes: <<73, 150, 13, 229, 136, 14, 140, 104, 116, 52, 23, 15, 100, 118,
96, 91, 143, 228, 174, 185, 162, 134, 50, 199, 153, 92, 243, 186, 131, 29,
151, 99, 69, 0, 0, 0, 0, 173, 206, 0, 2, ...>>
}
client_data_hash: <<16, 4, 67, 196, 5, 13, 93, 42, 85, 76, 118, 75, 192, 27, 69, 131, 231, 211,
153, 249, 55, 63, 125, 57, 148, 180, 67, 137, 77, 172, 128, 154>>
msg: <<73, 150, 13, 229, 136, 14, 140, 104, 116, 52, 23, 15, 100, 118, 96, 91, 143,
228, 174, 185, 162, 134, 50, 199, 153, 92, 243, 186, 131, 29, 151, 99, 69, 0,
0, 0, 0, 173, 206, 0, 2, 53, 188, 198, 10, 100, 139, 11, 37, 241, ...>>
digest: :sha256
sig: <<48, 68, 2, 32, 56, 54, 135, 30, 158, 60, 11, 248, 135, 0, 42, 205, 49, 221,
249, 110, 75, 7, 192, 21, 170, 253, 63, 74, 201, 139, 188, 57, 163, 107, 209,
120, 2, 32, 98, 166, 82, 102, 56, 6, 187, 185, 79, 227, 23, 198, ...>>
key: {{:ECPoint,
<<4, 222, 33, 77, 199, 209, 75, 66, 58, 24, 173, 9, 7, 21, 143, 56, 41, 74,
239, 253, 144, 253, 201, 254, 87, 58, 88, 182, 86, 220, 170, 179, 80, 72,
216, 196, 201, 21, 117, 51, 16, 163, 218, 138, 237, 87, 201, ...>>},
{:namedCurve, {1, 2, 840, 10045, 3, 1, 7}}}
error: %Wax.AttestationVerificationError{type: :packed, reason: :invalid_signature}
Am I doing anything obviously wrong here?
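To see what the :invalid_signature check above actually computes, here is the same verification done by hand, as an added example that is neither Wax's code nor the reporter's. It uses the COSE key layout from the dump (1: 2 for EC2, 3: -7 for ES256, -1: 1 for P-256, -2 x, -3 y), the same 0x45 flags byte, and the same signed message authData || client_data_hash; the private key, credential id, rp id example.org and clientDataJSON bytes are constructed for the example, and the P-256 arithmetic is pure Python so it runs offline (use a vetted library for anything real). It also shows that re-serialising clientDataJSON (same JSON value, different bytes) changes client_data_hash and fails verification, which is why the hash must be taken over the exact bytes the browser returned.

```python
# Hand-rolled ES256 check of a WebAuthn "packed" self attestation (added example, not Wax code).
import hashlib, json, secrets

# NIST P-256 / secp256r1 (OID 1.2.840.10045.3.1.7, the namedCurve in the dump above)
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A, B = P - 3, 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def _add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):  # double-and-add; not constant time, which is acceptable for verification
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def der_to_rs(sig):  # SEQUENCE { INTEGER r, INTEGER s }; short-form lengths suffice for P-256
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER ECDSA-Sig-Value")
    ints, i = [], 2
    for _ in range(2):
        if sig[i] != 0x02:
            raise ValueError("expected DER INTEGER")
        ints.append(int.from_bytes(sig[i + 2:i + 2 + sig[i + 1]], "big"))
        i += 2 + sig[i + 1]
    if i != len(sig):
        raise ValueError("trailing bytes in signature")
    return ints[0], ints[1]

def rs_to_der(r, s):
    def der_int(v):  # minimal big-endian encoding with a leading 0x00 if the top bit is set
        b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        b = b"\x00" + b if b[0] & 0x80 else b
        return b"\x02" + bytes([len(b)]) + b
    body = der_int(r) + der_int(s)
    return b"\x30" + bytes([len(body)]) + body

def cose_ec2_to_point(cose):  # COSE_Key as Wax decodes it: 1=kty, 3=alg, -1=crv, -2=x, -3=y
    if cose.get(1) != 2 or cose.get(3) != -7 or cose.get(-1) != 1:
        raise ValueError("not an EC2 / ES256 / P-256 COSE key")
    x, y = int.from_bytes(cose[-2], "big"), int.from_bytes(cose[-3], "big")
    if len(cose[-2]) != 32 or len(cose[-3]) != 32 or (y * y - x ** 3 - A * x - B) % P:
        raise ValueError("public key is not on P-256")
    return x, y

def ecdsa_verify(point, msg, sig_der):
    r, s = der_to_rs(sig_der)
    if not (0 < r < N and 0 < s < N):
        return False
    e, w = int.from_bytes(hashlib.sha256(msg).digest(), "big"), pow(s, -1, N)
    pt = _add(_mul(e * w % N, G), _mul(r * w % N, point))
    return pt is not None and pt[0] % N == r

def verify_packed_self_attestation(auth_data, client_data_json, att_stmt, cose_key):
    # Self attestation: sig is over authData || SHA-256(clientDataJSON) under the credential key
    # carried in authData. clientDataJSON must be the exact bytes the browser returned.
    if att_stmt.get("alg") != -7 or "x5c" in att_stmt:
        raise ValueError("example covers ES256 self attestation only")
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return ecdsa_verify(cose_ec2_to_point(cose_key), signed, att_stmt["sig"])

def _sign(d, msg):  # used only to build the constructed test vector below
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * d) % N
        if r and s:
            return rs_to_der(r, s)

def make_test_credential(rp_id="example.org"):
    # Constructed registration shaped like the dump above; the CBOR key tail of authData is
    # omitted because the signature covers authData as opaque bytes anyway.
    d = secrets.randbelow(N - 1) + 1
    x, y = _mul(d, G)
    cose_key = {1: 2, 3: -7, -1: 1, -2: x.to_bytes(32, "big"), -3: y.to_bytes(32, "big")}
    cred_id = secrets.token_bytes(32)
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + b"\x45"  # flags UP|UV|AT, as above
                 + bytes(4) + bytes(16) + len(cred_id).to_bytes(2, "big") + cred_id)
    cdj = b'{"type":"webauthn.create","challenge":"Y2hhbGxlbmdl","origin":"https://example.org"}'
    return auth_data, cdj, {"alg": -7, "sig": _sign(d, auth_data + hashlib.sha256(cdj).digest())}, cose_key

def demo():
    auth_data, cdj, att_stmt, key = make_test_credential()
    reserialised = json.dumps(json.loads(cdj)).encode()  # same JSON value, different bytes
    return {"exact_bytes": verify_packed_self_attestation(auth_data, cdj, att_stmt, key),
            "reserialised_client_data": verify_packed_self_attestation(auth_data, reserialised, att_stmt, key)}
```

demo() returns True for the bytes as signed and False once clientDataJSON has been decoded and re-encoded, even though the JSON content is unchanged; the same applies to any other transformation of the authenticator's output before hashing.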
I'm getting this crash from Wax on startup. I'm guessing the structure of FIDO's metadata has changed?
[error] Task #PID<0.1813.0> started from Wax.Metadata terminating
** (ArgumentError) incorrect padding
(elixir) lib/base.ex:1107: Base.do_decode64url/2
(wax) lib/wax/metadata.ex:226: Wax.Metadata.update_metadata_statement/2
(elixir) lib/task/supervised.ex:90: Task.Supervised.invoke_mfa/2
(elixir) lib/task/supervised.ex:35: Task.Supervised.reply/5
(stdlib) proc_lib.erl:249: :proc_lib.init_p_do_apply/3
Function: #Function<3.92563671/0 in Wax.Metadata.process_metadata_toc/2>
Args: []
It looks like a similar error here: techgaun/auth0_ex#10 with the proposed fix of Base.url_decode64!/2 with padding: false.
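Both the registration response posted in the SafetyNet issue earlier on this page and the "incorrect padding" crash here come down to the same thing: identical bytes arrive in different base64 forms. In that response the id is unpadded base64url while the rawId is padded standard base64, and Base.url_decode64!/2 with its default padding: true rejects unpadded input. The following is an added example, not Wax's code: a decoder that accepts both forms, applied to the posted response together with the checks a relying party makes on it before attestation verification. The expected origin https://webauthn.morselli.fr is the one inside the posted clientDataJSON; the attestationObject was elided in the issue and is not used.

```python
# Tolerant base64 handling for WebAuthn values (added example, not Wax code). WebAuthn id and
# challenge values are unpadded base64url; other producers, including the FIDO metadata entries
# that tripped Base.url_decode64!/2 above, send padded or standard-alphabet base64 for the same bytes.
import base64
import hmac
import json

def b64_decode_any(s):
    """Accept base64 or base64url, padded or not; anything outside the alphabet is an error."""
    s = s.strip().replace("-", "+").replace("_", "/").rstrip("=")
    return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)

def b64url_encode(b):
    """Canonical WebAuthn form: base64url without padding."""
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Registration response posted in the SafetyNet issue above (its attestationObject is elided there
# and not used here). Note the unpadded base64url id next to the padded standard base64 rawId.
RESPONSE_JSON = (
    '{"id":"Ac8zKrpVWv9UCwxY1FyMqkESz2lV4CNwTk2-Hp19LgKbvh5uQ2_i6AMbTbTz1zcNapCEeiLJPlAAVM4L7AIow6I",'
    '"type":"public-key",'
    '"rawId":"Ac8zKrpVWv9UCwxY1FyMqkESz2lV4CNwTk2+Hp19LgKbvh5uQ2/i6AMbTbTz1zcNapCEeiLJPlAAVM4L7AIow6I=",'
    '"response":{"clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoia21uczQzQ1dWc3di'
    'TW92cktQa2dkMWxFcGM2TFpkZmswVVFfbnVaYnAwMGpXNUM2MVBFVzFkTmFwdFowR2tySUs5V1J0YUFYV2tuZElFRUJnTklDUnci'
    'LCJvcmlnaW4iOiJodHRwczpcL1wvd2ViYXV0aG4ubW9yc2VsbGkuZnIiLCJhbmRyb2lkUGFja2FnZU5hbWUiOiJjb20uYW5kcm9p'
    'ZC5jaHJvbWUifQ=="}}'
)

def parse_registration_response(raw, expected_origin):
    """The checks a relying party performs on the response before attestation verification."""
    resp = json.loads(raw)
    if resp.get("type") != "public-key":
        raise ValueError("unexpected credential type")
    cred_id = b64_decode_any(resp["id"])
    if cred_id != b64_decode_any(resp["rawId"]):
        raise ValueError("id and rawId decode to different bytes")
    cdj = b64_decode_any(resp["response"]["clientDataJSON"])  # keep these exact bytes for hashing
    client_data = json.loads(cdj)
    if client_data.get("type") != "webauthn.create":
        raise ValueError("clientData.type is not webauthn.create")
    if client_data.get("origin") != expected_origin:
        raise ValueError("origin mismatch: %r" % client_data.get("origin"))
    return {"credential_id": cred_id, "client_data_json": cdj, "client_data": client_data,
            "challenge": b64_decode_any(client_data["challenge"])}

def challenge_matches(client_data_challenge, issued_challenge):
    """Compare the decoded bytes in constant time rather than the two encodings as strings."""
    return hmac.compare_digest(b64_decode_any(client_data_challenge), issued_challenge)

def origin_accepted(raw, expected_origin):
    try:
        parse_registration_response(raw, expected_origin)
        return True
    except ValueError:
        return False
```

Comparing challenges as decoded bytes rather than as strings matters for the same reason: the value the browser echoes back is base64url without padding, whatever form the relying party stored it in.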