Closed Bug 1694336 Opened 1 year ago Closed 4 months ago

Web Authentication: getting a "none" attestation format even when requesting "indirect" or "direct" in Firefox 85.0.2

Categories

(Core :: DOM: Web Authentication, defect)

Firefox 85
Unspecified
macOS
defect

Tracking

RESOLVED FIXED
98 Branch
Tracking Status
firefox98 --- fixed

People

(Reporter: kubek2k, Assigned: dveditz)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36

Steps to reproduce:

Go to https://psteniusubi.github.io/webauthn-tester/credential-create.html and require attestation "indirect" or "direct"

Actual results:

The attestationObject has attestation in format "none"

Expected results:

As per https://www.w3.org/TR/webauthn-2/#sctn-none-attestation and https://www.w3.org/TR/webauthn-2/#enum-attestation-convey, an attestation in any format other than "none" should be returned (in my case "packed" for a YubiKey).

The Bugbug bot thinks this bug should belong to the 'Firefox Build System::Lint and Formatting' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Lint and Formatting
Product: Firefox → Firefox Build System
Component: Lint and Formatting → DOM: Web Authentication
Product: Firefox Build System → Core

Hi kubek2k,

Am I missing any step?

I accessed your shared link https://psteniusubi.github.io/webauthn-tester/credential-create.html
Then chose indirect/direct (tried both) for the publicKey.attestation field.
Should I fill in any other field before hitting credentials.create()?

I'm asked to enter the security password for the USB port.
Best,
Clara

Flags: needinfo?(kubek2k)

Hello Clara - the point is that after you give the password, the attestation format is "none" instead of any other format, and this is against the spec.

Flags: needinfo?(kubek2k)

With attestation "direct" I get a format "fido-u2f", but with "indirect" I do get a format of "none" (on macOS).

Assignee: nobody → dveditz
Severity: -- → S3

The old behavior (only send attestation if the attestation type was "direct", and "none" otherwise) broke the spec.
Only send "none" if directly requested by the RP or the user.
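An added example, not code from this bug or from Firefox: a relying party can detect the downgrade the reporter describes (and the old Firefox behaviour summarized above) by decoding the attestationObject, which is CBOR, and comparing its fmt with the attestation preference it requested. The CBOR decoder is a minimal one written for this example; the two attestation objects are constructed samples whose attStmt is empty and whose authData is a 4-byte placeholder, not real authenticator data.

```javascript
function decodeCbor(bytes) {
  let pos = 0;
  const readUint = (n) => { let v = 0; for (let i = 0; i < n; i++) v = v * 256 + bytes[pos++]; return v; };
  const readArg = (info) => {                          // "additional info" -> argument value
    if (info < 24) return info;
    if (info <= 27) return readUint(1 << (info - 24)); // 24..27 -> 1, 2, 4, 8 following bytes
    throw new Error(`unsupported additional info ${info}`);
  };
  const item = () => {
    const ib = bytes[pos++];
    const major = ib >> 5, info = ib & 0x1f;
    if (major === 7) {                                 // simple values; floats are not needed here
      if (info === 20) return false;
      if (info === 21) return true;
      if (info === 22) return null;
      throw new Error(`unsupported simple/float value ${info}`);
    }
    const arg = readArg(info);
    switch (major) {
      case 0: return arg;                                                       // unsigned int
      case 1: return -1 - arg;                                                  // negative int
      case 2: return bytes.slice(pos, (pos += arg));                            // byte string
      case 3: return new TextDecoder().decode(bytes.slice(pos, (pos += arg)));  // text string
      case 4: return Array.from({ length: arg }, () => item());                 // array
      case 5: {                                                                 // map (text keys here)
        const m = {};
        for (let i = 0; i < arg; i++) { const k = item(); m[k] = item(); }
        return m;
      }
      default: throw new Error(`unsupported major type ${major}`);
    }
  };
  const value = item();
  if (pos !== bytes.length) throw new Error("trailing bytes after CBOR item");
  return value;
}
// Relying-party check: "none" is the format the client substitutes when the RP asked for "none";
// for "indirect"/"direct" the RP expects the authenticator's own statement (e.g. "packed",
// "fido-u2f") unless the user declined attestation, so a "none" in those cases is flagged.
function classifyAttestation(requested, attestationObjectBytes) {
  if (!["none", "indirect", "direct"].includes(requested)) throw new Error(`bad preference ${requested}`);
  const obj = decodeCbor(attestationObjectBytes);
  if (typeof obj.fmt !== "string" || !(obj.authData instanceof Uint8Array)) throw new Error("missing fmt/authData");
  return { fmt: obj.fmt, replacedWithNone: obj.fmt === "none" && requested !== "none" };
}
const hex = (s) => Uint8Array.from(s.match(/../g), (b) => parseInt(b, 16));
// Constructed samples: {"fmt": ..., "attStmt": {}, "authData": h'01020304'} (authData is a placeholder).
const NONE_OBJ = hex("a3" + "63666d74" + "646e6f6e65" + "6761747453746d74" + "a0" + "686175746844617461" + "4401020304"); // fmt "none"
const U2F_OBJ = hex("a3" + "63666d74" + "686669646f2d753266" + "6761747453746d74" + "a0" + "686175746844617461" + "4401020304"); // fmt "fido-u2f"
```

With Firefox 85 on macOS, `classifyAttestation("indirect", attestationObject)` would have reported `replacedWithNone: true`, which is the symptom this bug records; an RP should treat that as a policy decision (the user may also decline attestation), not necessarily as an error.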

There's an r+ patch which didn't land and no activity in this bug for 2 weeks.
:dveditz, could you have a look please?
For more information, please visit auto_nag documentation.

Flags: needinfo?(dveditz)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(dveditz)
Pushed by dveditz@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2d160fe7a7ce
Web Authentication: Only send "none" attestation if it was requested (by server or user) r=dveditz
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch
Flags: needinfo?(dveditz)