[webauthn-lib] App broken after composer update #88

Closed
it-spiderman opened this issue Sep 2, 2019 · 9 comments

@it-spiderman

Our implementation of WebAuthn using webauthn-lib got broken after running composer update.
We pinpointed the issue to the update of https://github.com/web-auth/cose-lib from 2.0.3 to 2.1.

Problem occurs here https://github.com/web-auth/cose-lib, seems that our key returns signature of length 71, while expected is 64. (Using FIDO2 USB key)

Since the signature handling is done completely by the library, we are not sure how to deal with this issue.
Temporarily we worked around the issue by manually requiring 2.0.3 in main composer.json.

What are the recommendations for resolving this?

Thank you

@Spomky
Contributor

Spomky commented Sep 2, 2019

Hello @it-spiderman,

I am sorry to read that you have an issue with the new minor version.
Can you tell me when this exception is thrown: registration of the device or authentication of the user?

Is it possible to have additional information such as the credential options, response or pk source?
At least the complete trace of the exception?

Thanks

@Spomky Spomky self-assigned this Sep 2, 2019
@Spomky Spomky added bug Something isn't working ongoing investigation Trying to find what's wrong labels Sep 2, 2019
@it-spiderman
Author

Hello @Spomky,

This only occurs on authentication step - key registration works fine.
We are basically using the code as it is on:
https://github.com/web-auth/webauthn-framework/blob/master/doc/webauthn/PublicKeyCredentialRequest.md#example-1

```
[1d4ed64ca2b16c9cd768826a] /wmf-2fa/index.php?title=Special:UserLogin&returnto=Main+Page InvalidArgumentException from line 37 of /var/www/html/wmf-2fa/extensions/WebAuthn/vendor/web-auth/cose-lib/src/Algorithm/Signature/ECDSA/ECSignature.php: Invalid signature length.

Backtrace:

#0 /var/www/html/wmf-2fa/extensions/WebAuthn/vendor/web-auth/cose-lib/src/Algorithm/Signature/ECDSA/ES256.php(37): Cose\Algorithm\Signature\ECDSA\ECSignature::toAsn1(string, integer)
#1 /var/www/html/wmf-2fa/extensions/WebAuthn/vendor/web-auth/webauthn-lib/src/AuthenticatorAssertionResponseValidator.php(156): Cose\Algorithm\Signature\ECDSA\ES256->verify(string, Cose\Key\Key, string)
#2 /var/www/html/wmf-2fa/extensions/WebAuthn/src/Key/WebAuthnKey.php(489): Webauthn\AuthenticatorAssertionResponseValidator->check(string, Webauthn\AuthenticatorAssertionResponse, Webauthn\PublicKeyCredentialRequestOptions, MediaWiki\Extension\WebAuthn\Request, string)
#3 /var/www/html/wmf-2fa/extensions/WebAuthn/src/Key/WebAuthnKey.php(285): MediaWiki\Extension\WebAuthn\Key\WebAuthnKey->authenticationCeremony(string, Webauthn\PublicKeyCredentialRequestOptions)
#4 /var/www/html/wmf-2fa/extensions/WebAuthn/src/Module/WebAuthn.php(114): MediaWiki\Extension\WebAuthn\Key\WebAuthnKey->verify(array, MediaWiki\Extension\OATHAuth\OATHUser)
#5 /var/www/html/wmf-2fa/extensions/WebAuthn/src/Authenticator.php(239): MediaWiki\Extension\WebAuthn\Module\WebAuthn->verify(MediaWiki\Extension\OATHAuth\OATHUser, array)
#6 /var/www/html/wmf-2fa/extensions/WebAuthn/src/Auth/WebAuthnSecondaryAuthenticationProvider.php(88): MediaWiki\Extension\WebAuthn\Authenticator->continueAuthentication(array)
#7 /var/www/html/wmf-2fa/extensions/OATHAuth/src/Auth/SecondaryAuthenticationProvider.php(65): MediaWiki\Extension\WebAuthn\Auth\WebAuthnSecondaryAuthenticationProvider->continueSecondaryAuthentication(User, array)
#8 /var/www/html/wmf-2fa/includes/auth/AuthManager.php(650): MediaWiki\Extension\OATHAuth\Auth\SecondaryAuthenticationProvider->continueSecondaryAuthentication(User, array)
#9 /var/www/html/wmf-2fa/includes/specialpage/AuthManagerSpecialPage.php(355): MediaWiki\Auth\AuthManager->continueAuthentication(array)
#10 /var/www/html/wmf-2fa/includes/specialpage/AuthManagerSpecialPage.php(482): AuthManagerSpecialPage->performAuthenticationStep(string, array)
```

Thank you for your support
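
The two lengths in the report match the two standard encodings of a P-256 ECDSA signature: raw `r || s` as COSE defines it (always 64 bytes) and the ASN.1 DER structure that WebAuthn authenticators return for ES256 (variable length). The following is an added example, not code from cose-lib or webauthn-lib; it assumes the 71-byte value is the authenticator's DER signature, and the function names and sample bytes are constructed for illustration.

```javascript
// Added example, not cose-lib code. Two encodings of one ES256 signature:
//   raw (COSE): r || s, each left-padded to 32 bytes, always 64 bytes
//   DER (WebAuthn assertion): SEQUENCE { INTEGER r, INTEGER s }, up to 72 bytes
const PART = 32; // P-256 component size in bytes

function derInt(part) {
  let i = 0;
  while (i < part.length - 1 && part[i] === 0) i++; // minimal encoding
  let v = part.subarray(i);
  if (v[0] & 0x80) v = Buffer.concat([Buffer.from([0]), v]); // keep positive
  return Buffer.concat([Buffer.from([0x02, v.length]), v]);
}

function rawToDer(raw) {
  if (raw.length !== 2 * PART) throw new Error('Invalid signature length.');
  const body = Buffer.concat([derInt(raw.subarray(0, PART)), derInt(raw.subarray(PART))]);
  return Buffer.concat([Buffer.from([0x30, body.length]), body]);
}

function readInt(der, off) {
  const len = der[off + 1];
  const end = off + 2 + len;
  if (der[off] !== 0x02 || !len || end > der.length) throw new Error('Bad INTEGER.');
  let v = der.subarray(off + 2, end);
  if (v[0] & 0x80) throw new Error('Negative INTEGER.');
  if (v[0] === 0 && v.length > 1) {
    if (!(v[1] & 0x80)) throw new Error('Non-minimal INTEGER.');
    v = v.subarray(1); // drop the sign byte
  }
  if (v.length > PART) throw new Error('INTEGER too large for P-256.');
  const out = Buffer.alloc(PART);
  v.copy(out, PART - v.length);
  return { value: out, next: end };
}

function derToRaw(der) {
  if (der[0] !== 0x30 || der[1] !== der.length - 2) throw new Error('Not a DER ECDSA signature.');
  const r = readInt(der, 2);
  const s = readInt(der, r.next);
  if (s.next !== der.length) throw new Error('Trailing bytes.');
  return Buffer.concat([r.value, s.value]);
}

// Constructed sample: r has its top bit set, so DER adds one sign byte.
const SAMPLE_RAW = Buffer.concat([Buffer.alloc(PART, 0xab), Buffer.alloc(PART, 0x11)]);
const SAMPLE_DER = rawToDer(SAMPLE_RAW); // 2 + (2 + 33) + (2 + 32) = 71 bytes
```

Passing `SAMPLE_DER` to `rawToDer` throws "Invalid signature length.", which is how a raw-to-ASN.1 converter reacts when it is handed a signature that is already DER encoded.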

@Spomky
Contributor

Spomky commented Sep 2, 2019

Thanks for the details.
It looks like you have web-auth/cose-lib v2.1 and web-auth/webauthn-lib v2.0. Is it correct?
If yes, I see where the issue comes from and I will fix that in a few hours.

@it-spiderman
Author

Correct, "web-auth/webauthn-lib": "v2.0.3", which requires "web-auth/cose-lib": "^2.0" (resolves to 2.1.4)

Thank you!

@Spomky
Contributor

Spomky commented Sep 2, 2019

That's great. Give me a few moments to fix it.
You will be able to use web-auth/webauthn-lib v2.0 with web-auth/cose-lib v2.1.
If everything is fine you will be able to update web-auth/webauthn-lib to v2.1 as well.

Please note that there is also a bug in the JS script in the example (see #87): the challenge and IDs in allowedCredentials are base64url safe and not base64 encoded.

If you use the example for your JS code, you will have an issue. If you use another JS library that is fully compliant with the specification you should not have any trouble.

You will find scripts that work in demo.zip.

I will leave this issue open until you have correctly upgraded your application.
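
The encoding difference mentioned in the comment above, as an added example that is not the project's script or the contents of demo.zip: the server sends the challenge and credential IDs as base64url text, and the browser has to turn them into bytes before calling `navigator.credentials.get()`. The function names and sample values are constructed for illustration, and the field name `allowCredentials` is the one the WebAuthn specification uses.

```javascript
// Added example. base64url uses '-' and '_' where base64 uses '+' and '/',
// and normally omits '=' padding, so atob() alone rejects or misreads it.
function base64UrlToBytes(value) {
  if (!/^[A-Za-z0-9_-]*$/.test(value)) throw new Error('Not base64url.');
  const b64 = value.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Reverse direction, for sending the authenticator's response to the server.
function bytesToBase64Url(bytes) {
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Convert the JSON request options from the server into the binary form
// expected under `publicKey` in navigator.credentials.get().
function decodeRequestOptions(json) {
  return {
    ...json,
    challenge: base64UrlToBytes(json.challenge),
    allowCredentials: (json.allowCredentials || []).map((cred) => ({
      ...cred,
      id: base64UrlToBytes(cred.id),
    })),
  };
}

// Constructed sample: bytes fb ff be are "+/++" in base64 and "-_--" in base64url.
const SAMPLE_OPTIONS = {
  challenge: '-_--',
  timeout: 60000,
  allowCredentials: [{ type: 'public-key', id: 'AQID_w' }],
};
const DECODED_OPTIONS = decodeRequestOptions(SAMPLE_OPTIONS);
```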

@Spomky
Contributor

Spomky commented Sep 2, 2019

Should be fixed in v2.1.5 now.
Can you confirm it is now fine for you?

I also updated the JS script in the example. Don’t forget to update it too if you are using it.

@it-spiderman
Author

Everything is working, thank you very much

@Spomky
Contributor

Spomky commented Sep 3, 2019

That's good news. Sorry for the inconvenience.

@github-actions
Contributor

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 11, 2023