Closed Bug 1711427 Opened 3 years ago Closed 2 years ago

CBOR decoding checks differ between Chrome and Nightly for Feitian ePass FIDO2 NFC (K9) key

Categories

(Core :: DOM: Web Authentication, defect)

Product:
Core
Component:
DOM: Web Authentication
Version:
Firefox 90
Type:
defect

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: jimdoe, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0

Steps to reproduce:

Register Feitian ePass FIDO2 NFC (K9) key as per https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key#user-registration-and-management-of-fido2-security-keys

Actual results:

Key was successfully registered

Expected results:

key should not have registered as per reasons suggested by Chrome/Brave/Edge style Chromium based browsers. They report in the chrome://device-log for FIDO events the following.

FIDOError[2021/05/14 19:42:01.198392] type_conversions.cc:242 Unexpected CtapDeviceResponseCode: 18

FIDOError[2021/05/14 19:42:01.198289] authenticator_data.cc:72 CBOR decoding of authenticator data extensions failed (Map keys must be strictly monotonically increasing based on byte length and then by byte-wise lexical order.) from A26B686D61632D736563726574F56B6372656450726F7465637401

Windows 10 reports in its webathn event log the following for a successful registration attempt when using Firefox.

Cbor decode MakeCredential response.

TransactionId: {2dfd0a73-3615-4016-83bc-7367edb2a138}
AttestationFormatType: packed
RpIdHash: 0xE1011854B4CEA0CE26B2AA5AB433C24DC130031C242DBE6E386A6B99D395ADDC
Flags: 0xC5
SignCount: 0xB2
AAGuid: {ee041bce-25e5-4cdb-8f86-897fd6418464}
CredentialId: 0xAE81D1084F3DCB6656D619238F3175095A84E27DDA3F06B1B98DAC81D3A841F9
U2fPublicKey: false
PublicKey: 0xA50102032620012158200C3B2BC22033E36612A967DB4A760D59E8E6DB84B4E56CD49F5FE10D04CD3B56225820DC6DB3A7AA8F3B246EEC56E0F85328EB14944A006EAEA3E275BE34429BF97484
Response: 0xA301667061636B65640258B2E1011854B4CEA0CE26B2AA5AB433C24DC130031C242DBE6E386A6B99D395ADDCC5000000B2EE041BCE25E54CDB8F86897FD64184640020AE81D1084F3DCB6656D619238F3175095A84E27DDA3F06B1B98DAC81D3A841F9A50102032620012158200C3B2BC22033E36612A967DB4A760D59E8E6DB84B4E56CD49F5FE10D04CD3B56225820DC6DB3A7AA8F3B246EEC56E0F85328EB14944A006EAEA3E275BE34429BF97484A16B686D61632D736563726574F503A363616C672663736967584730450220012EDDC796D78F6265B4CA98BE9968F278A3FBD3CD914F53C16D3D0DB1621D080221009F14B407159AB86459CCDF7B37EEA2005C6E1CDD1051E9457D758074A58C3CBF637835638259023F3082023B308201E1A00302010202101DF2B55A51DC4B6885A3D99E697FED12300A06082A8648CE3D0403023049310B3009060355040613025553311D301B060355040A0C144665697469616E20546563686E6F6C6F67696573311B301906035504030C124665697469616E204649444F2043412030343020170D3138303532313030303030305A180F32303333303532303233353935395A3068310B3009060355040613025553311D301B060355040A0C144665697469616E20546563686E6F6C6F6769657331223020060355040B0C1941757468656E74696361746F72204174746573746174696F6E3116301406035504030C0D4654204649444F3220303433303059301306072A8648CE3D020106082A8648CE3D03010703420004B27E0E8E39001F54EC9B6F4FE8841903764520A876EB698D3CC00D7D5B4DC3CCD95632A31A13ACBD67F38F3D62B2A5A0DC0CA52896400DC9AD39788BEA288045A38189308186301D0603551D0E04160414DD3244171A67ABBF52200773D13CCF3796AE77B1301F0603551D2304183016801493237066C51DCEC4AB1C2BAD84C1F3E71DCE6067300C0603551D130101FF040230003013060B2B0601040182E51C0201010404030204303021060B2B0601040182E51C01010404120410EE041BCE25E54CDB8F86897FD6418464300A06082A8648CE3D040302034800304502203F16E910B2A1BD7FAC33D43DA681B9663867DD6FA2D7CB9D274707F7FCF1B1B1022100A33BB88152391FC652BB9B7DE31832E5026B9AD3E37AC94F25A6F44EABF344D65901FE308201FA308201A0A003020102021018152B41B743AE6DB41599C3B17D8209300A06082A8648CE3D040302304B310B3009060355040613025553311D301B060355040A0C144665697469616E20546563686E6F6C6F67696573311D301B06035504030C144665697469616E204649444F20526F6F742043413020170D3138303532303030303030305A180F32303338303531393233353935395A3049310B3009060355040613025553311D301B060355040A0C144665697469616E20546563686E6F6C6F67696573311B301906035504030C124665697469616E204649444F2043412030343059301306072A8648CE3D020106082A8648CE3D03010703420004C5A11656398A9216FC72BB28BA4A698539BF8F472B066CC8402A9DA49FD02433EBB54767470F5D877A9C4E2E9B7047D25AF85BCE203DC64551EAD9DB71EBB833A3663064301D0603551D0E0416041493237066C51DCEC4AB1C2BAD84C1F3E71DCE6067301F0603551D230418301680144BBD872611AD1C89CF0458BE70D2088C6B1623B730120603551D130101FF040830060101FF020100300E0603551D0F0101FF040403020106300A06082A8648CE3D040302034800304502207FB540C43F46961624BD132548B44ADF04B661718FE42C32BA5F9AD40C706AB5022100FAC5A67DDCD5C7F79158A4190568995BAEC753E27A954A4E3221F79E4A60C2F1

Windows logs the following for Edge for a failed attempt (corresponding to FIDO log extract pasted above).

Cbor decode MakeCredential response.

TransactionId: {2fc36489-d82a-4f6b-b136-b9439efbdf58}
AttestationFormatType: packed
RpIdHash: 0xE1011854B4CEA0CE26B2AA5AB433C24DC130031C242DBE6E386A6B99D395ADDC
Flags: 0xC5
SignCount: 0x177
AAGuid: {ee041bce-25e5-4cdb-8f86-897fd6418464}
CredentialId: 0xED3B8390E6EA0EA4FE2C70047DA0B8580AE69207439A72EE6221CF48AFD0D4CF
U2fPublicKey: false
PublicKey: 0xA50102032620012158202C9493F4F53BE436EBF861017F692B6C8708974533504F99C24C84466528BB9B225820CD1AC9249A175CB96F1640F825545A83602494D9AC4C637CB777737DD58E5859
Response: 0xA301667061636B65640258BFE1011854B4CEA0CE26B2AA5AB433C24DC130031C242DBE6E386A6B99D395ADDCC500000177EE041BCE25E54CDB8F86897FD64184640020ED3B8390E6EA0EA4FE2C70047DA0B8580AE69207439A72EE6221CF48AFD0D4CFA50102032620012158202C9493F4F53BE436EBF861017F692B6C8708974533504F99C24C84466528BB9B225820CD1AC9249A175CB96F1640F825545A83602494D9AC4C637CB777737DD58E5859A26B686D61632D736563726574F56B6372656450726F746563740103A363616C67266373696758483046022100AEECF2347D2767DD530E2CF5ACD3020B00BCA990308812D46CEDDD2F8BEB774B02210099AE8FA864474CE290864B7617FB91B2B59EAA54947EAE5363E230EC0107CC52637835638259023F3082023B308201E1A00302010202101DF2B55A51DC4B6885A3D99E697FED12300A06082A8648CE3D0403023049310B3009060355040613025553311D301B060355040A0C144665697469616E20546563686E6F6C6F67696573311B301906035504030C124665697469616E204649444F2043412030343020170D3138303532313030303030305A180F32303333303532303233353935395A3068310B3009060355040613025553311D301B060355040A0C144665697469616E20546563686E6F6C6F6769657331223020060355040B0C1941757468656E74696361746F72204174746573746174696F6E3116301406035504030C0D4654204649444F3220303433303059301306072A8648CE3D020106082A8648CE3D03010703420004B27E0E8E39001F54EC9B6F4FE8841903764520A876EB698D3CC00D7D5B4DC3CCD95632A31A13ACBD67F38F3D62B2A5A0DC0CA52896400DC9AD39788BEA288045A38189308186301D0603551D0E04160414DD3244171A67ABBF52200773D13CCF3796AE77B1301F0603551D2304183016801493237066C51DCEC4AB1C2BAD84C1F3E71DCE6067300C0603551D130101FF040230003013060B2B0601040182E51C0201010404030204303021060B2B0601040182E51C01010404120410EE041BCE25E54CDB8F86897FD6418464300A06082A8648CE3D040302034800304502203F16E910B2A1BD7FAC33D43DA681B9663867DD6FA2D7CB9D274707F7FCF1B1B1022100A33BB88152391FC652BB9B7DE31832E5026B9AD3E37AC94F25A6F44EABF344D65901FE308201FA308201A0A003020102021018152B41B743AE6DB41599C3B17D8209300A06082A8648CE3D040302304B310B3009060355040613025553311D301B060355040A0C144665697469616E20546563686E6F6C6F67696573311D301B06035504030C144665697469616E204649444F20526F6F742043413020170D3138303532303030303030305A180F32303338303531393233353935395A3049310B3009060355040613025553311D301B060355040A0C144665697469616E20546563686E6F6C6F67696573311B301906035504030C124665697469616E204649444F2043412030343059301306072A8648CE3D020106082A8648CE3D03010703420004C5A11656398A9216FC72BB28BA4A698539BF8F472B066CC8402A9DA49FD02433EBB54767470F5D877A9C4E2E9B7047D25AF85BCE203DC64551EAD9DB71EBB833A3663064301D0603551D0E0416041493237066C51DCEC4AB1C2BAD84C1F3E71DCE6067301F0603551D230418301680144BBD872611AD1C89CF0458BE70D2088C6B1623B730120603551D130101FF040830060101FF020100300E0603551D0F0101FF040403020106300A06082A8648CE3D040302034800304502207FB540C43F46961624BD132548B44ADF04B661718FE42C32BA5F9AD40C706AB5022100FAC5A67DDCD5C7F79158A4190568995BAEC753E27A954A4E3221F79E4A60C2F1

I am not sure if fault is within Chrome or Firefox yet.
Can you please validate the observations and determine if the key registration should have succeeded in Firefox?

The Bugbug bot thinks this bug should belong to the 'Core::Audio/Video: Playback' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Audio/Video: Playback
Product: Firefox → Core
Component: Audio/Video: Playback → DOM: Web Authentication

Seems related to how WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT extension is handled between Chrome based browsers vs Firefox.

The authentication extensions don't have anything related to WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT when the key is used with Firefox. But when Chrome/Edge/Brave are used WEBAUTHN_EXTENSIONS_IDENTIFIER_CRED_PROTECT is present.

I am new to CBOR specs and WebAuthn so am learning on the fly.
I'm keen to hear the conclusions from someone once this item is triaged :)

I got confirmation from Feitian that this is a fault in their K9 key 2019 model.

This is known issue. FEITIAN has updated recently (Dec 2020). Below is the issue summary:
FEITIAN released the FIDO2 security key in 2019. And at that time, FEITIAN tested all use cases and there was no issue.
But afterwards, Chrome browser updated and Microsoft Edge moved to Chromium Edge. Then this issue arose.
This is related to credProtect, which is not sorted canonically.
Thanks,
Nick
FEITIAN Technologies

Blocks: webauthn-ctap2
Severity: -- → S3
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.