Windows Hello Web Authentication doesn't work for direct TPM attestation
Categories: Core :: DOM: Web Authentication, defect, P3

Tracking | Status
---|---
firefox98 | fixed

People: Reporter: astroman3D, Assigned: rmf, NeedInfo
References: Blocks 1 open bug
Attachments: 1 file
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Steps to reproduce:
Make sure you're on Windows 10 (I'm on version 1909). I'm using Firefox 75.0 64-bit.
- Go to eg https://webauthn.io, but really any website which requires WebAuthn direct attestation.
- Perform a WebAuthn registration with attestation type set to direct.
Actual results:
The WebAuthn registration call itself is successful, but returns attestation type none.
Expected results:
The WebAuthn registration call is successful with attestation type tpm.
Note that what probably should have happened is the prompt from https://bugzilla.mozilla.org/show_bug.cgi?id=1430150 should have appeared, but this didn't happen. I have tried using older versions of Firefox eg Firefox v66, and have tried using a new profile, but to no avail.
Comment 2•5 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 3•5 years ago
Resetting severity to default of --.
Comment 4•5 years ago
The priority flag is not set for this bug.
:jcj, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 5•5 years ago
Just to clarify, are you seeing the Windows Hello dialog, or do you have Hello disabled and are seeing the standard Firefox dialog?
Comment 6•5 years ago
Because this bug's Severity has not been changed from the default since it was filed, and its Priority is -- (None), indicating it has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged).

I'm seeing the Windows Hello dialog, and am not seeing any Firefox dialog.
Comment 8•4 years ago
So it does work for me for a removable CTAP2 token, but I don't have the necessary hardware to test a TPM attestation. Probably something in https://searchfox.org/mozilla-central/source/dom/webauthn/WinWebAuthnManager.cpp is not expressly permitting TPMs, but I'm not sure off-hand what that might be.
I do note that the Windows Hello header has a comment:
// Note, new fields will be added to the following data structure to
// support additional attestation format types, such as, TPM.
// When fields are added, the dwVersion will be incremented.
... which kind of implies this might not be available to Firefox yet. Akshay, if you have a free moment, do you know off-hand if that's expected given this version of the Hello interface we're using?

Yes, we've noticed more recently as well that CTAP2 tokens (eg Yubikeys) which use the packed attestation format do work in Firefox.
This bug is specific to Firefox, in Chrome TPM attestations work fine, and from a very cursory glance at their source code, they are using the same Windows Hello header as Firefox is.
Comment 10•3 years ago (Assignee)
Does this still fail for you on the latest FF release? I'm on FF92 and if I pick direct TPM attestation on webauthn.io it succeeds and returns attestation type direct.
(However, I do not get the prompt from https://bugzilla.mozilla.org/show_bug.cgi?id=1430150 so maybe that's something else to look into)
Can you confirm whether you get correct attestation type as well?
Comment 11•3 years ago (Reporter)
Yes, this still fails for me. I've just tried in FF 93.0 (64 bit). To make things clearer, here are some better steps to reproduce this:
- Go to https://webauthn.io
- Open up FF devtools
- Enter some username, select Direct attestation type and Platform (TPM) authenticator type
- Click Register, action the Windows Hello prompt that appears
- In the JS console, it will log the credential that's created. FF gives you a link (on the right-hand side) to navigate to the JS code that produced the console log. Go to that line of code and add a breakpoint. This should be on the code:
console.log("PublicKeyCredential Created"); console.log(newCredential);
- Refresh the page. The breakpoint should remain
- Enter some username, select Direct attestation type and Platform (TPM) authenticator type. Click Register. Action the Windows Hello prompt that appears.
- You should now end up in the debugger
- Copy-paste the JS code here into the JS console and press Enter. This adds cbor decoding capability.
- Type this code into the JS console:
CBOR.decode(newCredential.response.attestationObject)
Expected: you see output in the JS console that looks like:
{fmt: 'tpm', attStmt: {…}, authData: Uint8Array(359)}

Actual: you see output in the JS console that looks like:
Object { fmt: "none", attStmt: {}, authData: Uint8Array(359) }
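The console check from the steps above, written out as an added example (not code from this bug, from Firefox, or from webauthn.io): a small CBOR decoder for the attestationObject, an authenticatorData parser, and the relying-party-side check that flags a registration where `direct` attestation was requested but `fmt` came back `none`. The sample attestationObject bytes are constructed for the example, and the helper names (`decodeCbor`, `parseAuthData`, `inspectAttestation`) are assumptions, not APIs of Firefox or webauthn.io.

```javascript
// Added example, not Firefox or webauthn.io code: decode a WebAuthn attestationObject
// and report which attestation format the browser returned. Sample bytes are constructed.

// Minimal CBOR decoder covering the subset WebAuthn uses: unsigned and negative
// integers, byte strings, text strings, arrays, maps and false/true/null.
function decodeCbor(input) {
  const view = input instanceof Uint8Array ? input : new Uint8Array(input);
  let pos = 0;
  const readLen = (info) => {
    if (info < 24) return info;
    if (info === 24) return view[pos++];
    if (info === 25) { const v = (view[pos] << 8) | view[pos + 1]; pos += 2; return v; }
    if (info === 26) { const v = view[pos] * 0x1000000 + ((view[pos + 1] << 16) | (view[pos + 2] << 8) | view[pos + 3]); pos += 4; return v; }
    throw new Error(`unsupported CBOR additional info ${info}`);
  };
  const take = (n) => {
    if (pos + n > view.length) throw new Error("truncated CBOR input");
    const out = view.slice(pos, pos + n); pos += n; return out;
  };
  const item = () => {
    if (pos >= view.length) throw new Error("truncated CBOR input");
    const initial = view[pos++];
    const major = initial >> 5, info = initial & 0x1f;
    switch (major) {
      case 0: return readLen(info);
      case 1: return -1 - readLen(info);
      case 2: return take(readLen(info));
      case 3: return new TextDecoder().decode(take(readLen(info)));
      case 4: { const n = readLen(info), arr = []; for (let i = 0; i < n; i++) arr.push(item()); return arr; }
      case 5: { // map: WebAuthn keys are text or small ints, both usable as object keys
        const n = readLen(info), map = {};
        for (let i = 0; i < n; i++) { const k = item(); map[k] = item(); }
        return map;
      }
      case 7: if (info === 20) return false; if (info === 21) return true; if (info === 22) return null; // else fall through
      default: throw new Error(`unsupported CBOR major type ${major}`);
    }
  };
  const value = item();
  return { value, bytesRead: pos }; // bytesRead lets a caller continue after an embedded item
}

// Parse authenticatorData: rpIdHash (32) | flags (1) | signCount (4) | [attested credential data].
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authData shorter than 37 bytes");
  const flags = authData[32];
  const out = {
    rpIdHash: authData.slice(0, 32),
    userPresent: Boolean(flags & 0x01), userVerified: Boolean(flags & 0x04),
    attestedCredentialData: Boolean(flags & 0x40),
    signCount: authData[33] * 0x1000000 + ((authData[34] << 16) | (authData[35] << 8) | authData[36]),
  };
  if (out.attestedCredentialData) {
    out.aaguid = authData.slice(37, 53);
    const credIdLen = (authData[53] << 8) | authData[54];
    out.credentialId = authData.slice(55, 55 + credIdLen);
    out.credentialPublicKey = decodeCbor(authData.slice(55 + credIdLen)).value; // COSE_Key map
  }
  return out;
}

// The check from the steps to reproduce, as a relying party would run it:
// with attestation "direct" requested, fmt "none" means the attestation was dropped.
function inspectAttestation(attestationObject, requestedAttestation = "direct") {
  const att = decodeCbor(attestationObject).value;
  return {
    fmt: att.fmt,
    attStmtKeys: Object.keys(att.attStmt),
    authData: parseAuthData(att.authData),
    attestationDowngraded: requestedAttestation === "direct" && att.fmt === "none",
  };
}

// Constructed sample bytes (hypothetical values, not real authenticator output).
const tstr = (s) => { const b = new TextEncoder().encode(s); return [0x60 | b.length, ...b]; }; // len < 24
const bstr = (b) => (b.length < 24 ? [0x40 | b.length, ...b] : [0x58, b.length, ...b]);        // len < 256
const SAMPLE_AUTH_DATA = Uint8Array.from([
  ...new Array(32).fill(0x11),                   // rpIdHash placeholder (not a real SHA-256)
  0x45, 0x00, 0x00, 0x00, 0x05,                  // flags UP|UV|AT (0x45), signCount = 5
  ...new Array(16).fill(0x00),                   // AAGUID, all zeros
  0x00, 0x02, 0xab, 0xcd,                        // credentialIdLength = 2, credentialId = ab cd
  0xa2, 0x01, 0x02, 0x03, 0x26,                  // credentialPublicKey {1: 2 (kty EC2), 3: -7 (alg ES256)}
]);
// What the bug reports (fmt "none", empty attStmt) versus what was expected (fmt "tpm").
const SAMPLE_NONE = Uint8Array.from([0xa3, ...tstr("fmt"), ...tstr("none"),
  ...tstr("attStmt"), 0xa0, ...tstr("authData"), ...bstr(SAMPLE_AUTH_DATA)]);
const SAMPLE_TPM = Uint8Array.from([0xa3, ...tstr("fmt"), ...tstr("tpm"),
  ...tstr("attStmt"), 0xa2, ...tstr("ver"), ...tstr("2.0"), ...tstr("alg"), 0x39, 0x01, 0x00, // alg = -257 (RS256)
  ...tstr("authData"), ...bstr(SAMPLE_AUTH_DATA)]);

for (const [label, bytes] of [["reported", SAMPLE_NONE], ["expected", SAMPLE_TPM]]) {
  const r = inspectAttestation(bytes);
  console.log(label, "fmt:", r.fmt, "attStmt keys:", r.attStmtKeys, "downgraded:", r.attestationDowngraded);
}
```

In the browser, `newCredential.response.attestationObject` is an `ArrayBuffer`, which `inspectAttestation` accepts directly; a TPM attestation statement carries more keys than the two in the sample (certificate chain, signature, certInfo and pubArea), so the sample only shows the shape, not a verifiable statement.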
Comment 12•3 years ago (Assignee)
Comment 13•3 years ago
There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:rmf, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 14•3 years ago
Comment 15•3 years ago (bugherder)