Webauthn u2f attestation certificate not found #173

Open
phavekes opened this issue Jan 10, 2025 · 1 comment
@phavekes
Member

When using a YubiKey 4, the key is used as a U2F authenticator. There is an attestation certificate available in the attestationObject and the publicKeyCredentialSource, but the key isn't accepted and the logs show 0 StatusReports tested.

It seems the certificate is in another field for U2F, and is therefore not used for validation of the FIDO key.

See these logs:

{
   "message":"Checking the authenticator attestation response",
   "context":{
      "authenticatorAttestationResponse":{
         "clientDataJSON":{
            "data":{
               "type":"webauthn.create",
               "challenge":"nJEi1o2qmVABVkSMtKeU304prllkNXSxezH35lRlsi92G0k77-yNi2-DK1aC3L3AADoLScNeQi-u6iCaOh5a9g",
               "origin":"https://webauthn.test2.surfconext.nl",
               "crossOrigin":false
            },
            "type":"webauthn.create",
            "challenge":"��\"֍��P\u0001VD�����N)�Yd5t�{1��Te�/v\u001bI;�썋o�+V�ܽ�\u0000:\u000bI�^B/�� �:\u001eZ�",
            "origin":"https://webauthn.test2.surfconext.nl",
            "topOrigin":null,
            "crossOrigin":false,
            "tokenBinding":null,
            "rawData":"{\"type\":\"webauthn.create\",\"challenge\":\"nJEi1o2qmVABVkSMtKeU304prllkNXSxezH35lRlsi92G0k77-yNi2-DK1aC3L3AADoLScNeQi-u6iCaOh5a9g\",\"origin\":\"https://webauthn.test2.surfconext.nl\",\"crossOrigin\":false}"
         },
         "attestationObject":{
            "metadataStatement":null,
            "rawAttestationObject":"�cfmthfido-u2fgattStmt�csigXF0D\u0002 u=�Ħ�������R�y;|�����;�\t$�Q�\u0002 MO\b��.�\u0014����˰f�}�2�lȁ\r�ΥP��cx5c�Y\u0002S0�\u0002O0�\u00017�\u0003\u0002\u0001\u0002\u0002\u0004<h)M0\r\u0006\t*�H��\r\u0001\u0001\u000b\u0005\u00000.1,0*\u0006\u0003U\u0004\u0003\u0013#Yubico U2F Root CA Serial 4572006310 \u0017\r140801000000Z\u0018\u000f20500904000000Z011/0-\u0006\u0003U\u0004\u0003\f&Yubico U2F EE Serial 239257348111179010Y0\u0013\u0006\u0007*�H�=\u0002\u0001\u0006\b*�H�=\u0003\u0001\u0007\u0003B\u0000\u0004��g��w��P1q�,MEJ�sfu\u001aH����j: �ykN�+�{�z\u0014�\u0010��hGo�W��}�/�(kƣ \u0002\u000ec�;090\"\u0006\t+\u0006\u0001\u0004\u0001��\n\u0002\u0004\u00151.3.6.1.4.1.41482.1.50\u0013\u0006\u000b+\u0006\u0001\u0004\u0001��\u001c\u0002\u0001\u0001\u0004\u0004\u0003\u0002\u0005 0\r\u0006\t*�H��\r\u0001\u0001\u000b\u0005\u0000\u0003�\u0001\u0001\u0000��\rQ\t~�\u0015���y�ă@�gӗ.�jg��p�`�DY�8B�\b\u001eq�S�\u001b#�%��\u0000�G1\u0018R\u0006�\u0019)���f�?�3R*�X�� �����${d�Ʀ!J�پs6���\u0018?�KR\u0018u�����\n[\u001e\u0004*8v�K����-��s�dAȔ�|٤�}�=���G��GS�Z\b������6�Т�ΥaZ��H\u0010��w�fD��k��!��������I>N�3�\u0016\u0007q��1s\u0012\u000f�S聨�@�2�<4h,��N]���\"\u001f�R��A�\u0014��\u000f:�?,[��hauthDataX��]��~�4���,\u000b\u0013\u001d\u001b�lHh\"��ݯ�\u0003�$�A\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@�x\u0007��-e�m�g�GP�Q*\u0007�^@�qd�A��\u0014�Hy���H����+�!F\\C`�)��~_��ܲ�\"\u000e\"٥\u0001\u0002\u0003& \u0001!X �t��鏈VL���K�n;_h�}��>4�Z�d�a\u0018+\"X �D��\u001d\r\b:�v\f��\u0014��L���ʵ��-M�\u001e?�",
            "attStmt":{
               "fmt":"fido-u2f",
               "attStmt":{
                  "sig":"0D\u0002 u=�Ħ�������R�y;|�����;�\t$�Q�\u0002 MO\b��.�\u0014����˰f�}�2�lȁ\r�ΥP��",
                  "x5c":[
                     "0�\u0002O0�\u00017�\u0003\u0002\u0001\u0002\u0002\u0004<h)M0\r\u0006\t*�H��\r\u0001\u0001\u000b\u0005\u00000.1,0*\u0006\u0003U\u0004\u0003\u0013#Yubico U2F Root CA Serial 4572006310 \u0017\r140801000000Z\u0018\u000f20500904000000Z011/0-\u0006\u0003U\u0004\u0003\f&Yubico U2F EE Serial 239257348111179010Y0\u0013\u0006\u0007*�H�=\u0002\u0001\u0006\b*�H�=\u0003\u0001\u0007\u0003B\u0000\u0004��g��w��P1q�,MEJ�sfu\u001aH����j: �ykN�+�{�z\u0014�\u0010��hGo�W��}�/�(kƣ \u0002\u000ec�;090\"\u0006\t+\u0006\u0001\u0004\u0001��\n\u0002\u0004\u00151.3.6.1.4.1.41482.1.50\u0013\u0006\u000b+\u0006\u0001\u0004\u0001��\u001c\u0002\u0001\u0001\u0004\u0004\u0003\u0002\u0005 0\r\u0006\t*�H��\r\u0001\u0001\u000b\u0005\u0000\u0003�\u0001\u0001\u0000��\rQ\t~�\u0015���y�ă@�gӗ.�jg��p�`�DY�8B�\b\u001eq�S�\u001b#�%��\u0000�G1\u0018R\u0006�\u0019)���f�?�3R*�X�� �����${d�Ʀ!J�پs6���\u0018?�KR\u0018u�����\n[\u001e\u0004*8v�K����-��s�dAȔ�|٤�}�=���G��GS�Z\b������6�Т�ΥaZ��H\u0010��w�fD��k��!��������I>N�3�\u0016\u0007q��1s\u0012\u000f�S聨�@�2�<4h,��N]���\"\u001f�R��A�\u0014��\u000f:�?,[��"
                  ]
               },
               "trustPath":{
                  "type":"Webauthn\\TrustPath\\CertificateTrustPath",
                  "x5c":[
                     "-----BEGIN CERTIFICATE-----\nMIICTzCCATegAwIBAgIEPGgpTTANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZ\ndWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAw\nMDBaGA8yMDUwMDkwNDAwMDAwMFowMTEvMC0GA1UEAwwmWXViaWNvIFUyRiBFRSBT\nZXJpYWwgMjM5MjU3MzQ4MTExMTc5MDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAAS932eT23eUw1Axce0sTUVK2XNmdRpIuqXZ+bVqOiCBeWtO3yvNe5J6FJMQ+8Ro\nR2/8V5KpfbYvoChrxqMgAg5jozswOTAiBgkrBgEEAYLECgIEFTEuMy42LjEuNC4x\nLjQxNDgyLjEuNTATBgsrBgEEAYLlHAIBAQQEAwIFIDANBgkqhkiG9w0BAQsFAAOC\nAQEAqsANUQl+7BWkhrN5vMSDQPhn05cuzmpn+6Rw42DGRFnwrThC0/8IHnHqiVOX\nGyP5JcCtAMJHMRhSBvCzqRkp+5G3ZrU/4TNSKoNYuNEgtKv7f+jvJHtk/8amIUrB\n2b5zNv3g86gYP5NLUhh19eP3iYCvlwpbHgQqOHbXS6i+7+kt0uNzzGRByJStfNmk\n9H2tPaT+r0eRmEdT41oInOTL49PINurQoqfOpWFa1+RIEIbDd7NmRNL7mWu84psh\nrbiV95OC7sVJPk7BM8IWfwdx9ZkxcxIP8o1T6IGol0DBMs88NGgsu89OXb3B4IAi\nH4dSmYFB3RSW1w86sD8sW8B/rQ==\n-----END CERTIFICATE-----\n"
                  ]
               },
               "type":"basic"
            },
            "authData":{
               "authData":"�]��~�4���,\u000b\u0013\u001d\u001b�lHh\"��ݯ�\u0003�$�A\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@�x\u0007��-e�m�g�GP�Q*\u0007�^@�qd�A��\u0014�Hy���H����+�!F\\C`�)��~_��ܲ�\"\u000e\"٥\u0001\u0002\u0003& \u0001!X �t��鏈VL���K�n;_h�}��>4�Z�d�a\u0018+\"X �D��\u001d\r\b:�v\f��\u0014��L���ʵ��-M�\u001e?�",
               "rpIdHash":"�]��~�4���,\u000b\u0013\u001d\u001b�lHh\"��ݯ�\u0003�$�",
               "flags":"A",
               "signCount":0,
               "attestedCredentialData":{
                  "aaguid":"00000000-0000-0000-0000-000000000000",
                  "credentialId":"pngH//UtZeJt/Ge1R1CpUSoH5V5A7nFk5kGU9RTGSHmso+KfSJ6kmeaCK8UhRlxDYNopith+X7Ss3LLDIg4i2Q==",
                  "credentialPublicKey":"pQECAyYgASFYINt07s/pj4hWTPfuxku2bjtfaMd9rYg+NIhat2TYYRgrIlgg5IJEweaDHQ0IOuB2DJiPFM/JTPHL2Mq1++UtTaAeP6g="
               },
               "extensions":null
            }
         },
         "transports":[
            "usb"
         ]
      },
      "publicKeyCredentialCreationOptions":{
         "rp":{
            "name":"SURFsecureID",
            "icon":"https://webauthn.test2.surfconext.nl/images/header-logo.png"
         },
         "user":{
            "name":"5b11392c-b802-45fc-aa15-c55f417bfb4a",
            "id":"NWIxMTM5MmMtYjgwMi00NWZjLWFhMTUtYzU1ZjQxN2JmYjRh",
            "displayName":"SURFsecureID"
         },
         "challenge":"nJEi1o2qmVABVkSMtKeU304prllkNXSxezH35lRlsi92G0k77-yNi2-DK1aC3L3AADoLScNeQi-u6iCaOh5a9g",
         "pubKeyCredParams":[
            {
               "type":"public-key",
               "alg":-7
            },
            {
               "type":"public-key",
               "alg":-257
            }
         ],
         "timeout":60000,
         "authenticatorSelection":{
            "requireResidentKey":false,
            "userVerification":"preferred",
            "authenticatorAttachment":"cross-platform"
         },
         "attestation":"indirect"
      },
      "host":"webauthn.test2.surfconext.nl"
   },
   "level":200,
   "level_name":"INFO",
   "channel":"app",
   "datetime":"2025-01-10T09:32:48+01:00",
   "extra":{
      "server":"webauthn.test2.surfconext.nl",
      "application":"Webauthn",
      "request_id":"754cf54070dbfd7c14a98d37a37b4d91"
   }
}
{
   "message":"The attestation is valid",
   "context":{
      
   },
   "level":200,
   "level_name":"INFO",
   "channel":"app",
   "datetime":"2025-01-10T09:32:48+01:00",
   "extra":{
      "server":"webauthn.test2.surfconext.nl",
      "application":"Webauthn",
      "request_id":"754cf54070dbfd7c14a98d37a37b4d91"
   }
}
{
   "message":"Public Key Credential Source",
   "context":{
      "publicKeyCredentialSource":{
         "publicKeyCredentialId":"pngH__UtZeJt_Ge1R1CpUSoH5V5A7nFk5kGU9RTGSHmso-KfSJ6kmeaCK8UhRlxDYNopith-X7Ss3LLDIg4i2Q",
         "type":"public-key",
         "transports":[
            "usb"
         ],
         "attestationType":"basic",
         "trustPath":{
            "type":"Webauthn\\TrustPath\\CertificateTrustPath",
            "x5c":[
               "-----BEGIN CERTIFICATE-----\nMIICTzCCATegAwIBAgIEPGgpTTANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZ\ndWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAw\nMDBaGA8yMDUwMDkwNDAwMDAwMFowMTEvMC0GA1UEAwwmWXViaWNvIFUyRiBFRSBT\nZXJpYWwgMjM5MjU3MzQ4MTExMTc5MDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\nAAS932eT23eUw1Axce0sTUVK2XNmdRpIuqXZ+bVqOiCBeWtO3yvNe5J6FJMQ+8Ro\nR2/8V5KpfbYvoChrxqMgAg5jozswOTAiBgkrBgEEAYLECgIEFTEuMy42LjEuNC4x\nLjQxNDgyLjEuNTATBgsrBgEEAYLlHAIBAQQEAwIFIDANBgkqhkiG9w0BAQsFAAOC\nAQEAqsANUQl+7BWkhrN5vMSDQPhn05cuzmpn+6Rw42DGRFnwrThC0/8IHnHqiVOX\nGyP5JcCtAMJHMRhSBvCzqRkp+5G3ZrU/4TNSKoNYuNEgtKv7f+jvJHtk/8amIUrB\n2b5zNv3g86gYP5NLUhh19eP3iYCvlwpbHgQqOHbXS6i+7+kt0uNzzGRByJStfNmk\n9H2tPaT+r0eRmEdT41oInOTL49PINurQoqfOpWFa1+RIEIbDd7NmRNL7mWu84psh\nrbiV95OC7sVJPk7BM8IWfwdx9ZkxcxIP8o1T6IGol0DBMs88NGgsu89OXb3B4IAi\nH4dSmYFB3RSW1w86sD8sW8B/rQ==\n-----END CERTIFICATE-----\n"
            ]
         },
         "aaguid":"00000000-0000-0000-0000-000000000000",
         "credentialPublicKey":"pQECAyYgASFYINt07s_pj4hWTPfuxku2bjtfaMd9rYg-NIhat2TYYRgrIlgg5IJEweaDHQ0IOuB2DJiPFM_JTPHL2Mq1--UtTaAeP6g",
         "userHandle":"NWIxMTM5MmMtYjgwMi00NWZjLWFhMTUtYzU1ZjQxN2JmYjRh",
         "counter":0,
         "otherUI":null,
         "backupEligible":false,
         "backupStatus":false,
         "uvInitialized":false
      }
   },
   "level":100,
   "level_name":"DEBUG",
   "channel":"app",
   "datetime":"2025-01-10T09:32:48+01:00",
   "extra":{
      "server":"webauthn.test2.surfconext.nl",
      "application":"Webauthn",
      "request_id":"754cf54070dbfd7c14a98d37a37b4d91"
   }
}
{
   "message":"Invalid attestation \"Of the 0 StatusReports tested, none met one of the required FIDO Certified statuses,\n                        or the status was explicitly denied. Reports tested: \"\"\"",
   "context":{
      "nameId":"5b11392c-b802-45fc-aa15-c55f417bfb4a",
      "sari":"_fa354b6836f86ecb9ca2945e5571bfe010ccd4d9b11b3de3640f8b6558a9"
   },
   "level":300,
   "level_name":"WARNING",
   "channel":"app",
   "datetime":"2025-01-10T09:32:48+01:00",
   "extra":{
      "server":"webauthn.test2.surfconext.nl",
      "application":"Webauthn",
      "request_id":"754cf54070dbfd7c14a98d37a37b4d91"
   }
}
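The log above shows why a metadata lookup keyed on the AAGUID finds nothing for this authenticator: a `fido-u2f` attestation carries an all-zero `aaguid`, and FIDO metadata statements for U2F authenticators are indexed by `attestationCertificateKeyIdentifiers` (the RFC 5280 method 1 key identifier of the attestation certificate in `attStmt.x5c`) instead. The following is an added example, not code from this project, that selects the lookup key accordingly; the function names and the minimal constructed certificate are hypothetical.

```python
# Added example, not the project's code (stdlib only): pick the FIDO MDS lookup key. A fido-u2f
# attestation has an all-zero AAGUID, so metadata must be matched on attestationCertificateKeyIdentifiers.
import hashlib
ZERO_AAGUID = "00000000-0000-0000-0000-000000000000"

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):                           # top-level TLVs of a SEQUENCE body
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def x509_key_identifier(cert_der):
    """SHA-1 of the subjectPublicKey BIT STRING contents (unused-bits byte dropped)."""
    fields = der_children(der_tlv(der_tlv(cert_der)[1])[1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    spki = fields[5]            # serial, sigAlg, issuer, validity, subject, SPKI
    return hashlib.sha1(der_children(spki[1])[1][1][1:]).hexdigest()

def mds_lookup_key(attestation):
    """("aaguid", v) or ("attestationCertificateKeyIdentifiers", hex); None if unusable."""
    aaguid = attestation["authData"]["aaguid"]
    if attestation["fmt"] == "fido-u2f" or aaguid == ZERO_AAGUID:
        x5c = attestation["attStmt"].get("x5c") or []
        return ("attestationCertificateKeyIdentifiers", x509_key_identifier(x5c[0])) if x5c else None
    return ("aaguid", aaguid)

# Constructed sample input: a minimal X.509 shell with a placeholder (unverified) signature.
def der(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body
SAMPLE_PUBKEY = b"\x04" + bytes(range(64))         # shape of an uncompressed P-256 point
ECDSA_SHA256 = der(0x30, der(0x06, bytes.fromhex("2A8648CE3D040302")))
NAME = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"Constructed U2F EE"))))
SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2A8648CE3D0201")) + der(0x06, bytes.fromhex("2A8648CE3D030107")))
           + der(0x03, b"\x00" + SAMPLE_PUBKEY))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + ECDSA_SHA256 + NAME
          + der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"350101000000Z")) + NAME + SPKI)
SAMPLE_CERT = der(0x30, TBS + ECDSA_SHA256 + der(0x03, b"\x00" + bytes(8)))
U2F_ATTESTATION = {"fmt": "fido-u2f", "attStmt": {"x5c": [SAMPLE_CERT]}, "authData": {"aaguid": ZERO_AAGUID}}
```

With a real attestation, `x5c[0]` is the DER certificate from `attStmt.x5c` and the resulting hex string is compared against each metadata statement's `attestationCertificateKeyIdentifiers` list before its status reports are evaluated.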
@phavekes phavekes transferred this issue from OpenConext/Stepup-Project Jan 10, 2025
@johanib
Contributor

johanib commented Jan 29, 2025

Timebox: 4h
