
wax's Issues

(UndefinedFunctionError) function :asn1ct.compile/2 is undefined (

Hiya, thanks a lot for this library! I've gotten Wax working locally, but when I try to deploy to my server I'm having issues with asn1ct. I see the calls to it in priv/android_key/AndroidKeyAttestationV1 but it doesn't seem to be a dependency. Have you seen these issues?

Cheers!

Full crash log
2019-03-08T21:26:09.974426+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1  | 21:26:09.973 [info] Application wax exited: exited in: Wax.Application.start(:normal, [])
2019-03-08T21:26:09.974439+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1  |     ** (EXIT) an exception was raised:
2019-03-08T21:26:09.974465+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1  |             :asn1ct.compile('/app/lib/wax-0.1.1/priv/android_key/AndroidKeyAttestationV1.asn1', [outdir: '/app/lib/wax-0.1.1/priv/android_key/asn_generated'])
2019-03-08T21:26:09.974440+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1  |         ** (UndefinedFunctionError) function :asn1ct.compile/2 is undefined (module :asn1ct is not available)
2019-03-08T21:26:09.974499+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1  |             (wax) lib/wax/attestation_statement_format/android_key.ex:347: Wax.AttestationStatementFormat.AndroidKey.install_asn1_module/0
2019-03-08T21:26:09.974622+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1  |             (kernel) application_master.erl:273: :application_master.start_it_old/4
2019-03-08T21:26:09.974621+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1  |             (wax) lib/wax/application.ex:8: Wax.Application.start/2
2019-03-08T21:26:11.575074+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1  | {"Kernel pid terminated",application_controller,"{application_start_failure,wax,{bad_return,{{'Elixir.Wax.Application',start,[normal,[]]},{'EXIT',{undef,[{asn1ct,compile,[\"/app/lib/wax-0.1.1/priv/android_key/AndroidKeyAttestationV1.asn1\",[{outdir,\"/app/lib/wax-0.1.1/priv/android_key/asn_generated\"}]],[]},{'Elixir.Wax.AttestationStatementFormat.AndroidKey',install_asn1_module,0,[{file,\"lib/wax/attestation_statement_format/android_key.ex\"},{line,347}]},{'Elixir.Wax.Application',start,2,[{file,\"lib/wax/application.ex\"},{line,8}]},{application_master,start_it_old,4,[{file,\"application_master.erl\"},{line,273}]}]}}}}}"}
2019-03-08T21:26:11.579166+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1  |
2019-03-08T21:26:11.575092+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1  | Kernel pid terminated (application_controller) ({application_start_failure,wax,{bad_return,{{'Elixir.Wax.Application',start,[normal,[]]},{'EXIT',{undef,[{asn1ct,compile,["/app/lib/wax-0.1.1/priv/andro
2019-03-08T21:26:13.596870+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1  | Crash dump is being written to: erl_crash.dump...done
2019-03-08T21:26:14.473527+00:00 ido-api[ido-api-2963338555-8gsv1]: web.1  | exited with code 1

:algs_mismatch during attestation verification for Android Safetynet

Hey, thank you for the library.

I'm testing direct attestation verification with an Android device, and I'm getting the following error:

%Wax.AttestationVerificationError{type: :safetynet, reason: :algs_mismatch}

Poking at the code yielded that authenticationAlgorithms is ["secp256r1_ecdsa_sha256_raw"] while jws_alg is RS256. It seems the code expects either secp256r1_ecdsa_sha256_raw and ES256 or rsassa_pkcsv15_sha256_raw and RS256.

I tested with two Android phones with Android 13.

Any ideas? I don't know what other information is relevant to the issue.

On a related matter, I tested it with a Windows 11 laptop, and it also failed but with a %Wax.AttestationVerificationError{type: :tpm, reason: :invalid_pub_area} error. I can open a second issue for that if necessary.

Remove Tesla client

Hi. I'm looking at wax and noticed that the deps section in mix.exs brings in the tesla web client, but I can't see anywhere in the code where it is used.

Is it a leftover from the past that can be safely removed? I'd rather not have dependencies loaded that aren't actually being used.

Thanks

FunctionClauseError no function clause matching in Wax.Metadata.Statement.user_verification_method/1

Wax is crashing on startup for me. I get this message numerous times, until my server actually runs out of memory and erlang crashes.

[error] Task Wax.Metadata started from #PID<0.3294.0> terminating
** (FunctionClauseError) no function clause matching in Wax.Metadata.Statement.user_verification_method/1
    (wax_ 0.3.0) lib/wax/metadata/statement.ex:434: Wax.Metadata.Statement.user_verification_method(2048)
    (wax_ 0.3.0) lib/wax/metadata/statement.ex:349: anonymous fn/1 in Wax.Metadata.Statement.from_json!/1
    (elixir 1.10.0) lib/enum.ex:1396: Enum."-map/2-lists^map/1-0-"/2
    (elixir 1.10.0) lib/enum.ex:1396: Enum."-map/2-lists^map/1-0-"/2
    (wax_ 0.3.0) lib/wax/metadata/statement.ex:342: Wax.Metadata.Statement.from_json!/1
    (elixir 1.10.0) lib/task/supervised.ex:90: Task.Supervised.invoke_mfa/2
    (elixir 1.10.0) lib/task/supervised.ex:35: Task.Supervised.reply/5
    (stdlib 3.9.2) proc_lib.erl:249: :proc_lib.init_p_do_apply/3
Function: #Function<7.27430003/0 in Wax.Metadata.process_metadata_toc/2>
    Args: []

The only changes I've made to my codebase in the last few days are other unrelated packages (ex_aws, pow, phoenix_live_dashboard), so I don't think any of them could be causing this. Any idea what's going on?

Incorrect :type values set for Wax.AttestationVerificationErrors

I think there are some copy-paste typos in the verify logic for the AttestationStatementFormat.FIDOU2F and Wax.AttestationStatementFormat.AppleAnonymous modules. For the former, the :type value for any AttestationVerificationError returned should probably be :fido_u2f, and for the latter, :apple.

Also, are these :type values supposed to be the same as those in the Wax.Attestation.statement_format typespec?

In which case, :apple or :apple_anonymous should be added to that typespec, and :safetynet should be :android_safetynet, and possibly :apple should be :apple_anonymous...

Remove custom cert verification in tpm routine

In lib/wax/attestation_statement_format/tpm.ex, a custom cert verification function is used, because OTP22 doesn't support the certificate policies extension when it is marked as critical.

This ought to be removed as soon as OTP (and Wax's minimum OTP version) supports it.

fix: String.slice() warning

Module: Wax.AttestationStatementFormat.TPM
Issue: Calling String.slice(2..-1) raises a warning because it is deprecated in newer Elixir versions.
Fix: Replace the current code with String.slice(2..-1//1)

I can only create an issue, not a PR, but I have the fix running locally.

Wax doesn't handle failures elegantly

My current IP is flagged for spam from a number of domains (including CloudFlare). This causes this error from Wax unless I run through a VPN:

[error] GenServer Wax.Metadata terminating
** (FunctionClauseError) no function clause matching in Wax.Metadata.handle_info/2
    (wax) lib/wax/metadata.ex:101: Wax.Metadata.handle_info({:ssl_closed, {:sslsocket, {:gen_tcp, #Port<0.63>, :tls_connection, :undefined}, [#PID<0.631.0>, #PID<0.630.0>]}}, [serial_number: 0])
    (stdlib) gen_server.erl:637: :gen_server.try_dispatch/4
    (stdlib) gen_server.erl:711: :gen_server.handle_msg/6
    (stdlib) proc_lib.erl:249: :proc_lib.init_p_do_apply/3
Last message: {:ssl_closed, {:sslsocket, {:gen_tcp, #Port<0.63>, :tls_connection, :undefined}, [#PID<0.631.0>, #PID<0.630.0>]}}
State: [serial_number: 0]

The failure body is an HTML page with status 403.

I'm also getting this failure when starting up my server with my VPN enabled:

[error] GenServer Wax.Metadata terminating
** (stop) exited in: Task.await(%Task{owner: #PID<0.367.0>, pid: #PID<0.570.0>, ref: #Reference<0.2688299539.1131151361.214542>}, 5000)
    ** (EXIT) time out
    (elixir) lib/task.ex:577: Task.await/2
    (wax) lib/wax/metadata.ex:174: anonymous fn/1 in Wax.Metadata.process_metadata_toc/2
    (elixir) lib/enum.ex:769: Enum."-each/2-lists^foreach/1-0-"/2
    (elixir) lib/enum.ex:769: Enum.each/2
    (wax) lib/wax/metadata.ex:171: Wax.Metadata.process_metadata_toc/2
    (wax) lib/wax/metadata.ex:76: Wax.Metadata.handle_continue/2
    (stdlib) gen_server.erl:637: :gen_server.try_dispatch/4
    (stdlib) gen_server.erl:388: :gen_server.loop/7
    (stdlib) proc_lib.erl:249: :proc_lib.init_p_do_apply/3
Last message: {:continue, :update_metadata}
State: [serial_number: 0]

Wax then resumes update and everything seems to be working properly.

Let me know what other info would be helpful!

Android SafetyNet Test vector

Hi,

I can see in your tests that you also get stuck with the Android SafetyNet Attestation.
With my Android smartphone, I finally managed to get a valid attestation.
I use it in my tests:


Hope it helps.

FIDO2 Metadata

What is the difference between the 2 options described in the README for loading FIDO2 Metadata?

I downloaded the metadata from the FIDO test suite client and then I used the option "Loading FIDO2 metadata from a directory". With this option the tests pass.

Does the other option, "Configuring MDSv3 metadata", replace the first one? I tried to pass the tests loading MDSv3 metadata from the web site and removing the local metadata files, but the tests failed. It seems that the aaguid is not found in the downloaded metadata.

Thanks in advance

Error on MakeCredential: Platform attestations P-2 test

Env
Erlang OTP-26.2.1
Elixir v1.16.2

Issue
Running the FIDO conformance tests, section MakeCredential: Platform attestations test P-2, I am getting an exception in the Erlang library :public_key.

image

This is the test failing:
image

Bad Certificate Error

I get this error when I start my Phoenix server:

[notice] TLS :client: In state :wait_cert_cr at ssl_handshake.erl:2129 generated CLIENT ALERT: Fatal - Bad Certificate
 - {:bad_crls, :no_relevant_crls}
[info] Elixir.Wax.Metadata: failed to download MDSv3 metadata, error: {:error, {:failed_connect, [{:to_address, {~c"mds.fidoalliance.org", 443}}, {:inet, [:inet], {:tls_alert, {:bad_certificate, ~c"TLS client: In state wait_cert_cr at ssl_handshake.erl:2129 generated CLIENT ALERT: Fatal - Bad Certificate\n {bad_crls,no_relevant_crls}"}}}]}}

Passing FIDO test suite for tpm format

To pass the tests for section MakeCredential: Platform Attestations, it is required to uncomment the following line of code in Wax.AttestationStatementFormat.TPM.

  ++ ["id:FFFFF1D0"]
  # fake ID for conformance tool testing, uncomment only for testing

Maybe this should be included in the README somewhere, because it is not explicitly mentioned.

Publish on hex.pm

I was looking on hex.pm for the docs.

Is this library not on hex? Could I please request that it is added to hex.pm? I lost some time looking for it, and it also took me a moment to realize that the Wax package on there is in fact nothing to do with this library: https://hex.pm/packages/wax

Should challenge.issued_at use unix time?

I noticed that the issued_at value in Wax.Challenge is set using :erlang.monotonic_time/1. Is there a reason for this choice? It seems a bit problematic to me, since:

  1. This value is monotonically increasing, but not strictly monotonically increasing. Consecutive calls can produce the same result.
  2. The produced value is not the same on different runtime instances. If a challenge is generated on one node, stored in a session, and the verification happens to be handled on a different node, the timeout detection may fail.

Shouldn't the value be the unix time instead? Also, the timeouts in the WebAuthn specification are defined in milliseconds. I think it would be good to use millisecond values in the library as well, to avoid confusion. So in short, DateTime.to_unix(DateTime.utc_now(), :millisecond).

What is the 0.2.0 branch for

Hi, I've been looking to see if I can contribute, or use Wax for my purposes.
Just spotted that there is an open branch with a lot of stuff on and don't want to duplicate work.

Could you open a PR for that branch?

"Authenticator metadata was not found" error

Hi,

First thank you for this implementation of FIDO2, not an easy specification.

I encounter an issue with apparently the x5c from the authenticator:

Wax.register(
  webauthn_params[:attestation_object],
  webauthn_params[:client_data],
  webauthn_params[:challenge]
)
#=> {:error,
#     %Wax.MetadataStatementNotFoundError{
#       message: "Authenticator metadata was not found"
#     }}

Any clues?

Wax CoseKey verification failing

Hey, Thank you for putting this library together.

wax_challenge = Wax.new_registration_challenge(timeout: 60000, attestation: "direct")

%{
  challenge: challenge,
  rp: %{
    name: "New project",
    id: wax_challenge.rp_id
  },
  user: %{
    id: "eWFzaA",
    name: email,
    displayName: email
  },
  pubKeyCredParams: [%{alg: -7, type: "public-key"}],
  timeout: 60000,
  excludeCredentials: [],
  authenticatorSelection: %{
    residentKey: "preferred",
    requireResidentKey: false,
    userVerification: "preferred"
  },
  attestation: wax_challenge.attestation,
  extensions: %{
    credProps: true
  }
}

Wax.register(attestationObject, Jason.encode!(client_data), wax_challenge)

This register check is resulting in an invalid_signature error:

att_stmt: %{
  "alg" => -7,
  "sig" => <<48, 68, 2, 32, 56, 54, 135, 30, 158, 60, 11, 248, 135, 0, 42, 205,
    49, 221, 249, 110, 75, 7, 192, 21, 170, 253, 63, 74, 201, 139, 188, 57, 163,
    107, 209, 120, 2, 32, 98, 166, 82, 102, 56, 6, 187, 185, 79, 227, ...>>
}
auth_data: %Wax.AuthenticatorData{
  rp_id_hash: <<73, 150, 13, 229, 136, 14, 140, 104, 116, 52, 23, 15, 100, 118,
    96, 91, 143, 228, 174, 185, 162, 134, 50, 199, 153, 92, 243, 186, 131, 29,
    151, 99>>,
  flag_user_present: true,
  flag_user_verified: true,
  flag_attested_credential_data: true,
  flag_extension_data_included: false,
  sign_count: 0,
  attested_credential_data: %Wax.AttestedCredentialData{
    aaguid: <<173, 206, 0, 2, 53, 188, 198, 10, 100, 139, 11, 37, 241, 240, 85,
      3>>,
    credential_id: <<186, 112, 253, 223, 5, 161, 237, 236, 203, 160, 140, 238,
      231, 128, 165, 108, 153, 13, 157, 69, 107, 150, 157, 56, 34, 141, 188,
      226, 66, 6, 14, 90>>,
    credential_public_key: %{
      -3 => <<72, 216, 196, 201, 21, 117, 51, 16, 163, 218, 138, 237, 87, 201,
        189, 146, 97, 119, 139, 82, 130, 136, 1, 247, 129, 158, 252, 170, 8,
        151, 131, 22>>,
      -2 => <<222, 33, 77, 199, 209, 75, 66, 58, 24, 173, 9, 7, 21, 143, 56, 41,
        74, 239, 253, 144, 253, 201, 254, 87, 58, 88, 182, 86, 220, 170, 179,
        80>>,
      -1 => 1,
      1 => 2,
      3 => -7
    }
  },
  extensions: nil,
  raw_bytes: <<73, 150, 13, 229, 136, 14, 140, 104, 116, 52, 23, 15, 100, 118,
    96, 91, 143, 228, 174, 185, 162, 134, 50, 199, 153, 92, 243, 186, 131, 29,
    151, 99, 69, 0, 0, 0, 0, 173, 206, 0, 2, ...>>
}
client_data_hash: <<16, 4, 67, 196, 5, 13, 93, 42, 85, 76, 118, 75, 192, 27, 69, 131, 231, 211,
  153, 249, 55, 63, 125, 57, 148, 180, 67, 137, 77, 172, 128, 154>>
msg: <<73, 150, 13, 229, 136, 14, 140, 104, 116, 52, 23, 15, 100, 118, 96, 91, 143,
  228, 174, 185, 162, 134, 50, 199, 153, 92, 243, 186, 131, 29, 151, 99, 69, 0,
  0, 0, 0, 173, 206, 0, 2, 53, 188, 198, 10, 100, 139, 11, 37, 241, ...>>
digest: :sha256
sig: <<48, 68, 2, 32, 56, 54, 135, 30, 158, 60, 11, 248, 135, 0, 42, 205, 49, 221,
  249, 110, 75, 7, 192, 21, 170, 253, 63, 74, 201, 139, 188, 57, 163, 107, 209,
  120, 2, 32, 98, 166, 82, 102, 56, 6, 187, 185, 79, 227, 23, 198, ...>>
key: {{:ECPoint,
  <<4, 222, 33, 77, 199, 209, 75, 66, 58, 24, 173, 9, 7, 21, 143, 56, 41, 74,
    239, 253, 144, 253, 201, 254, 87, 58, 88, 182, 86, 220, 170, 179, 80, 72,
    216, 196, 201, 21, 117, 51, 16, 163, 218, 138, 237, 87, 201, ...>>},
 {:namedCurve, {1, 2, 840, 10045, 3, 1, 7}}}
error: %Wax.AttestationVerificationError{type: :packed, reason: :invalid_signature}

Am I doing anything obviously wrong here?
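As an added example (not Wax's code and not the reporter's), the following pure-Python script reconstructs the check behind the :invalid_signature result above: it turns the COSE_Key map (labels 1, 3, -1, -2, -3 as printed in credential_public_key) into the 0x04||x||y point that Wax shows as {:ECPoint, <<4, ...>>}, rejects off-curve keys, parses the DER signature and verifies ES256 over authData || SHA-256(clientDataJSON). The private scalar, nonce, attested credential bytes and clientDataJSON in demo() are constructed; the rpIdHash is SHA-256("localhost"), which is the value the rp_id_hash in the debug output above equals.

```python
import hashlib
# NIST P-256 domain parameters (well-known constants).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P256_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def point_add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 != x2:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    elif (y1 + y2) % P256_P == 0:
        return None
    else:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return x3, (lam * (x1 - x3) - y1) % P256_P

def point_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def uncompressed_point(cose_key):
    # COSE_Key labels: 1=kty (2=EC2), 3=alg (-7=ES256), -1=crv (1=P-256), -2=x, -3=y.
    if (cose_key.get(1), cose_key.get(3), cose_key.get(-1)) != (2, -7, 1):
        raise ValueError("expected an EC2 / ES256 / P-256 COSE key")
    if len(cose_key[-2]) != 32 or len(cose_key[-3]) != 32:
        raise ValueError("P-256 coordinates must be 32 bytes each")
    return b"\x04" + cose_key[-2] + cose_key[-3]  # what Wax prints as {:ECPoint, <<4, ...>>}

def cose_to_point(cose_key):  # decode and reject points that are not on P-256
    raw = uncompressed_point(cose_key)
    x, y = int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:], "big")
    if (y * y - (x ** 3 - 3 * x + P256_B)) % P256_P:
        raise ValueError("public key is not on P-256")
    return x, y

def der_to_rs(sig):  # ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }
    rl = sig[3] if len(sig) >= 8 else 0
    if (len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2 or sig[2] != 0x02
            or 6 + rl > len(sig) or sig[4 + rl] != 0x02 or 6 + rl + sig[5 + rl] != len(sig)):
        raise ValueError("malformed DER ECDSA signature")
    return int.from_bytes(sig[4:4 + rl], "big"), int.from_bytes(sig[6 + rl:], "big")

def rs_to_der(r, s):  # inverse of der_to_rs; used here only to build the demo vector
    def enc(v):
        b = v.to_bytes(32, "big").lstrip(b"\0") or b"\0"
        b = b"\0" + b if b[0] & 0x80 else b
        return b"\x02" + bytes([len(b)]) + b
    body = enc(r) + enc(s)
    return b"\x30" + bytes([len(body)]) + body

def verify_packed_self_attestation(auth_data, client_data_json, cose_key, sig):
    # Packed self-attestation: ES256 over authData || SHA-256(clientDataJSON).
    msg = auth_data + hashlib.sha256(client_data_json).digest()
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    r, s = der_to_rs(sig)
    if not (0 < r < P256_N and 0 < s < P256_N):
        return False
    w = pow(s, -1, P256_N)
    pt = point_add(point_mul(z * w % P256_N, P256_G),
                   point_mul(r * w % P256_N, cose_to_point(cose_key)))
    return pt is not None and pt[0] % P256_N == r

def demo():
    # Constructed vector: throwaway private scalar d and nonce k (a fixed k is only
    # acceptable for fabricating test data, never in a real signer).
    d, k = 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef, 0xf00dbabe
    qx, qy = point_mul(d, P256_G)
    cose_key = {1: 2, 3: -7, -1: 1, -2: qx.to_bytes(32, "big"), -3: qy.to_bytes(32, "big")}
    # authData as in the issue: rpIdHash = SHA-256("localhost"), flags 0x45 (UP|UV|AT),
    # signCount 0, then attested credential data (placeholder bytes; only raw bytes matter).
    auth_data = hashlib.sha256(b"localhost").digest() + b"\x45" + b"\0" * 4 + b"<constructed cred data>"
    client_data = b'{"type":"webauthn.create","challenge":"abc","origin":"http://localhost"}'
    z = int.from_bytes(hashlib.sha256(auth_data + hashlib.sha256(client_data).digest()).digest(), "big")
    r = point_mul(k, P256_G)[0] % P256_N
    sig = rs_to_der(r, pow(k, -1, P256_N) * (z + r * d) % P256_N)
    # The exact clientDataJSON bytes verify; a re-serialised copy (here: one extra
    # byte) changes the hash and reproduces the invalid_signature symptom.
    return (verify_packed_self_attestation(auth_data, client_data, cose_key, sig),
            verify_packed_self_attestation(auth_data, client_data + b" ", cose_key, sig))
```

One thing worth checking against the call above is that Wax receives the clientDataJSON bytes exactly as the browser returned them rather than a Jason.encode!(client_data) re-serialisation: any difference in whitespace or key order changes SHA-256(clientDataJSON) and therefore the signed message, which is the failure demo() reproduces with its one-byte change.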

incorrect padding crashing Wax on app start

I'm getting this crash from Wax on startup. I'm guessing the structure of FIDO's metadata has changed?

[error] Task #PID<0.1813.0> started from Wax.Metadata terminating
** (ArgumentError) incorrect padding
    (elixir) lib/base.ex:1107: Base.do_decode64url/2
    (wax) lib/wax/metadata.ex:226: Wax.Metadata.update_metadata_statement/2
    (elixir) lib/task/supervised.ex:90: Task.Supervised.invoke_mfa/2
    (elixir) lib/task/supervised.ex:35: Task.Supervised.reply/5
    (stdlib) proc_lib.erl:249: :proc_lib.init_p_do_apply/3
Function: #Function<3.92563671/0 in Wax.Metadata.process_metadata_toc/2>
    Args: []

It looks like a similar error here: techgaun/auth0_ex#10 with the proposed fix of Base.url_decode64!/2 with padding: false.
