Comments (10)
I think you are seeing bytes with zeros in them, which often show up as some variation on @ when printed or viewed in an editor.
from webauthn.
Thanks. Why would it be zero? Any way to retrieve the aaguid otherwise (at php or js level)?
You could print it as hex bytes using PHP’s bin2hex function.
I don’t think there’s any reason it shouldn’t be zero. The authenticator device isn’t required to supply anything there.
You’d have a hard time intercepting it earlier. It is the 16 bytes starting at offset 37 in the authData field of the data provided by the key. But that is wrapped up in CBOR by the key, which is a binary encoding of JSON, which is hard work to unpack manually. This code further wraps it in JSON for ease of sending to the server.
Yes, CBOR is hard to decode. OK, let me ask the question in a different way: how can we get the key's AAGUID to be able to limit only certain AAGUIDs? We know this is technically possible (Microsoft has implemented it in Azure).
It’s supplied by the device. The code just passes it along to PHP. If the device (and/or browser or other intermediary) isn’t supplying it, it’s hard to see what could be done.
I am using the same key with other libraries/test tools using the same browser and they "see" its AAGUID. I suspect this is some of the settings I played with in this implementation. I currently have attestation as "none", would this play any role?
So I just tried it. Windows Hello gets all zeros, whatever downstream method I choose (I tried both PIN and Yubico 2). I also tried BitWarden, and that has some data in that field, though I'm not sure what it is saying, other than being numeric. But it clearly is capable of being set by the device. So I think you need to look downstream from the PHP.
I currently have attestation as "none"
Not sure where you mean. Do you mean in prepareChallengeForRegistration where it assigns to $result->attestation?
Yes:
$result->attestation = null;
OK, that's per the original code. With it like that, as I mentioned, BitWarden is supplying data in the aaguid field, so I doubt it is that.
According to the W3C spec, the four possible values for this are none, indirect, direct and enterprise. You could try those.
https://www.w3.org/TR/webauthn-2/#attestation-conveyance
They don't make any difference when I try it here.