getAssertion: Skip attStmt if attestationFormatsPreference is not set #98

Closed
robin-nitrokey opened this issue Oct 2, 2024 · 0 comments · Fixed by #99
Labels
bug Something isn't working

Comments

@robin-nitrokey

If attestationFormatsPreference is absent or a single element list of the string "none", omit attestation from the output.

https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html#sctn-getAssert-authnr-alg

The current implementation defaults to packed instead (as for makeCredential):

```rust
let att_stmt_fmt =
    SupportedAttestationFormat::select(data.attestation_formats_preference.as_ref());
```

```rust
fn select(preference: Option<&AttestationFormatsPreference>) -> Option<Self> {
    let Some(preference) = preference else {
        // no preference, default to packed format
        return Some(Self::Packed);
    };
```

robin-nitrokey added the bug label Oct 2, 2024
robin-nitrokey added a commit that referenced this issue Oct 2, 2024
For makeCredential, a missing attestation format preference list
means that we should use the default format (packed).  For getAssertion,
it means that we should skip the attestation statement entirely.
Previously, we implemented the makeCredential algorithm for both cases.
This caused an incompatibility with Firefox because it fails on
unexpected fields in the response (in this case, the attestation
statement).  This patch fixes this issue and applies the correct default
for getAssertion requests.

Fixes: #98
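
The operation-dependent default described in this issue, as an added sketch that is not the project's code. All type and function names are hypothetical, and the handling of lists other than an absent list or `["none"]` (first recognised entry wins, otherwise fall back to the operation's default) is an assumption of this example.

```rust
// Added illustration; names are hypothetical, not the project's API.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Operation {
    MakeCredential,
    GetAssertion,
}

#[derive(Debug, Clone, Copy, PartialEq)]
enum AttFormat {
    Packed,
}

/// Returns the attestation format to emit, or `None` to omit the
/// attestation statement from the response entirely.
fn select_format(op: Operation, preference: Option<&[&str]>) -> Option<AttFormat> {
    // The default differs per operation: makeCredential falls back to
    // packed, getAssertion falls back to "no attestation statement".
    let default = match op {
        Operation::MakeCredential => Some(AttFormat::Packed),
        Operation::GetAssertion => None,
    };
    let Some(list) = preference else {
        return default;
    };
    // Assumption: honour the first entry this sketch recognises, in list order.
    for entry in list {
        match *entry {
            "packed" => return Some(AttFormat::Packed),
            "none" => return None,
            _ => continue,
        }
    }
    default
}

fn main() {
    let none_only: &[&str] = &["none"];
    let packed_only: &[&str] = &["packed"];
    for op in [Operation::MakeCredential, Operation::GetAssertion] {
        for pref in [None, Some(none_only), Some(packed_only)] {
            // A strict client rejects unexpected fields, so `None` here
            // must mean the attStmt field is left out of the response.
            println!("{:?} {:?} -> {:?}", op, pref, select_format(op, pref));
        }
    }
}
```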