PublicKeyCredentialDescriptors isn't in CTAP2 canonical CBOR encoding form.
Categories
(Core :: DOM: Web Authentication, defect, P2)
People
(Reporter: cgh.block, Assigned: jschanck)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Steps to reproduce:
URL: https://webauthn.io
Browser / Version: Firefox 111.0
Operating System: Mac OS X 10.15
Tested Another Browser: Yes Chrome
When "security.webauthn.ctap2 = true",
I try to authenticate with my authenticator after I finished registering my authenticator.
I got a few errors from my authenticator.
Actual results:
I got the FIDO HID log from Wireshark and decoded the GetAssertion message with cbor.me.
The following are the decoded GetAssertion parameters.
{1: "webauthn.io", 2: h'97FA0EBF41EEA91AF8524CE499415C4973F455D3A09889A6F0B50D74A1E928C3', 3: [{"type": "public-key", "id": h'18597179D385ED3D0700EAF6C5198DC88FDCD40343B2599D8EC2BB8AE9CD0204729C5954A88403E77995684E40523A284786E8B733B3AA629D38F4CC8F073220'}], 5: {"up": true}, 6: h'DC86853290616AB0FCBAF5AAAAF592E2', 7: 1}
I found the allowList (0x03) data is not in CTAP2 canonical CBOR encoding form.
The FIDO spec says all encoders MUST serialize CBOR in the CTAP2 canonical CBOR encoding form without duplicate map keys.
The key "type" shouldn't be set before the key "id".
Expected results:
The key "id" should be set before the key "type".
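The ordering rule behind this report, as an added example that is not part of the bug report or of authenticator-rs: CTAP2 canonical CBOR sorts map keys by major type, then by encoded length, then bytewise, so "id" (shorter) must precede "type". The names `Key`, `encode_key`, `canonical_cmp`, `is_canonical` and `canonicalize` are hypothetical.

```rust
use std::cmp::Ordering;

// Map keys as they appear in CTAP2 messages: unsigned integers and text strings.
#[derive(Debug, Clone, PartialEq)]
enum Key {
    Uint(u64),
    Text(String),
}

// Encode a key as a CBOR data item, using the shortest form of the argument.
fn encode_key(k: &Key) -> Vec<u8> {
    let (major, arg, payload) = match k {
        Key::Uint(n) => (0u8, *n, Vec::new()),
        Key::Text(s) => (3u8, s.len() as u64, s.as_bytes().to_vec()),
    };
    let mut out = Vec::new();
    match arg {
        0..=23 => out.push((major << 5) | arg as u8),
        24..=0xff => out.extend_from_slice(&[(major << 5) | 24, arg as u8]),
        0x100..=0xffff => { out.push((major << 5) | 25); out.extend_from_slice(&(arg as u16).to_be_bytes()); }
        0x1_0000..=0xffff_ffff => { out.push((major << 5) | 26); out.extend_from_slice(&(arg as u32).to_be_bytes()); }
        _ => { out.push((major << 5) | 27); out.extend_from_slice(&arg.to_be_bytes()); }
    }
    out.extend(payload);
    out
}

// CTAP2 canonical order: lower major type first, then shorter encoding, then bytewise.
fn canonical_cmp(a: &Key, b: &Key) -> Ordering {
    let (ea, eb) = (encode_key(a), encode_key(b));
    (ea[0] >> 5).cmp(&(eb[0] >> 5))
        .then(ea.len().cmp(&eb.len()))
        .then_with(|| ea.cmp(&eb))
}

// True only if keys are strictly increasing, which also rejects duplicate keys.
fn is_canonical(keys: &[Key]) -> bool {
    keys.windows(2).all(|w| canonical_cmp(&w[0], &w[1]) == Ordering::Less)
}

fn canonicalize(mut keys: Vec<Key>) -> Vec<Key> {
    keys.sort_by(canonical_cmp);
    keys
}

fn main() {
    // Key order of the allowList entry as decoded in the report.
    let reported = vec![Key::Text("type".into()), Key::Text("id".into())];
    println!("reported order canonical: {}", is_canonical(&reported));
    println!("canonical order: {:?}", canonicalize(reported));
}
```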
Comment 1•2 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•2 years ago
I've filed a patch upstream https://github.com/mozilla/authenticator-rs/pull/235.
Comment 3•2 years ago
GH, could you test with Nightly 113 (>= 20230327093043)?