Closed Bug 1694336 Opened 3 years ago Closed 2 years ago

Web Authentication: getting a "none" attestation format even when requesting "indirect" or "direct" in Firefox 85.0.2

Categories

(Core :: DOM: Web Authentication, defect)

Product:
Core
Component:
DOM: Web Authentication
Version:
Firefox 85
Platform:
Unspecified
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
98 Branch
Tracking Flags:
Tracking Status
firefox98 --- fixed

People

(Reporter: kubek2k, Assigned: dveditz)

References

Details

Attachments

(2 files)

message.JPG
140.72 KB, image/jpeg
Details
Bug 1694336 - Web Authentication: Only send "none" attestation if it was requested (by server or user) r=dveditz
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36

Steps to reproduce:

Go to https://psteniusubi.github.io/webauthn-tester/credential-create.html and require attestation "indirect" or "direct"

Actual results:

The attestationObject has attestation in format "none"

Expected results:

as per https://www.w3.org/TR/webauthn-2/#sctn-none-attestation and https://www.w3.org/TR/webauthn-2/#enum-attestation-convey the attestation in any other than "none" format should be returned (in my case "packed" for yubikey)

The Bugbug bot thinks this bug should belong to the 'Firefox Build System::Lint and Formatting' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Lint and Formatting
Product: Firefox → Firefox Build System
Component: Lint and Formatting → DOM: Web Authentication
Product: Firefox Build System → Core

Hi kubek2k,

Am I missing any step?

I accessed your shared link https://psteniusubi.github.io/webauthn-tester/credential-create.html
Then chose indirect/direct (tried both) for publicKey.attestation field
Should I fill any other field before hitting credentials.crate() ?

I'm asked to enter security password to USB port.
Best,
Clara

Flags: needinfo?(kubek2k)

Hello Clara - the point is that after you give the password the attestation format is "none" instead of any other format and this is against the spec.

Flags: needinfo?(kubek2k)

With attestation "direct" I get a format "fido-u2f", but with "indirect" I do get a format of "none" (on MacOS).

Assignee: nobody → dveditz
Blocks: webauthn-ctap2
Severity: -- → S3

The old behavior (only send attestation, if attestation-type was "direct" and "none" otherwise) broke the spec.
Only send "none", if directly requested by RP or the user.

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:dveditz, could you have a look please?
For more information, please visit auto_nag documentation.

Flags: needinfo?(dveditz)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(dveditz)
Pushed by dveditz@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2d160fe7a7ce
Web Authentication: Only send "none" attestation if it was requested (by server or user) r=dveditz

https://hg.mozilla.org/mozilla-central/rev/2d160fe7a7ce

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox98: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch
Flags: needinfo?(dveditz)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: