Thanks for reporting, and the very detailed report. This is unlikely to be a bug here but to be an issue with that particular MDS entry. I'll take a closer look soon to make sure. There are narrower expectations of an MDS3 entry than a standard X.509 certificate.
The reason this happens now and not prior is no trust anchor validation was done previously. This was the intent of the major change in 0.11. It's likely disabling that option would work around it.
Yeah okay so I think it's specifically a bug in the new functionality which is optional. Specifically because the AIK certificate is parsed via stdlib the SAN critical extension isn't parsed since the stdlib ignores the ASN.1 tag that's part of the SAN extension for TPM 2.0 AIK certificates.
Because there is now additional logic to validate the attestation against the MDS, the error now occurs. I'll put up a PR for you to test. The idea is that if the certificate is parsed and the type is TPM, and the parsed certificate has not had that critical extension parsed, we will reparse it internally to determine if that's actually accurate and update the certificate accordingly.
Version
0.11.0
Description
Thank you for developing this library.
My Test Environment:
OS: Windows 11 Home
Version: 23H2
OS Build: 22631.3880
Browser: Brave (Brave 1.68.137 Chromium: 127.0.6533.100 (Official Build) (64 bit))
The actual library version I used is 0.11.1, but it is not shown in the version selection of the issue template, so I selected 0.11.0.
I encountered the error below when using this library in the registration logic with Windows Hello.
Unable to validate attestation signature statement during attestation validation: invalid certificate chain from MDS: x509: unhandled critical extension
When I used version 0.10.2 of this library, this error never happened.
I tried using metadata.Provider feature so I guessed it is the reason.
I read some code and found the reason.
The error happens here:
webauthn/protocol/attestation.go, lines 257 to 259 in cf1758a
When I was debugging the code in x509.ParseCertificate in the standard library, I reached here (unhandled = true):
https://github.com/golang/go/blob/72735094660a475a69050b7368c56b25346f5406/src/crypto/x509/parser.go#L691
After that, it reaches here:
https://github.com/golang/go/blob/72735094660a475a69050b7368c56b25346f5406/src/crypto/x509/parser.go#L819-L821
and then, in x5c.Verify, it finally reaches here:
https://github.com/golang/go/blob/72735094660a475a69050b7368c56b25346f5406/src/crypto/x509/verify.go#L564-L566
parseSANExtension in the standard library is here:
https://github.com/golang/go/blob/72735094660a475a69050b7368c56b25346f5406/src/crypto/x509/parser.go#L374-L417
By the way, in attestation_tpm.go, custom certificate extension validation logic exists, like below:
webauthn/protocol/attestation_tpm.go, lines 175 to 182 in 9ca2fae
and a custom parseSANExtension which is not compatible with the standard library:
webauthn/protocol/attestation_tpm.go, lines 301 to 336 in 9ca2fae
That's why this error happens.
Reproduction
static/register.html
main.go
(sorry, the code may be a bit dirty)
Paste the above code into main.go and static/register.html, run go mod init if this is the first time, then go run . and access localhost:8081 and do a WebAuthn registration. The error will be printed on the terminal.
Expectations
Currently, I would skip this check by using the metadata/providers/memory.WithValidateTrustAnchor(false) option. But I think this additional validation feature may be unnecessary, because custom trust anchor verification logic looks already implemented for each attestation type. Otherwise, I think the verification features should be merged in a different way.
(Note that this is only my opinion from my narrow perspective: I do not understand all the features of this library and do not perfectly understand certificate verification.)
Documentation
No response
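As an added example (not code from the go-webauthn library, the reporter, or the maintainer), the following Go program reproduces the mechanism traced in the report and the re-parse approach the maintainer describes. It builds a throwaway CA and an AIK-like leaf whose only identity is a critical subjectAltName holding a directoryName with the TCG attributes (tcg-at-tpmManufacturer, tcg-at-tpmModel, tcg-at-tpmVersion). Because the standard library's parseSANExtension only understands the dNSName, rfc822Name, URI and IP tags, x509.ParseCertificate parses nothing from that SAN and records 2.5.29.17 in UnhandledCriticalExtensions, so Verify fails with "x509: unhandled critical extension". The program then re-parses the SAN itself and clears the OID only when the TPM attributes are actually present, so any other unknown critical SAN is still rejected. The CA name, serial numbers, attribute values and function names are constructed for this example; the OIDs are the standard ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// The SAN extension OID and the TCG attribute OIDs (tcg-at-tpmManufacturer, -Model, -Version).
var (
	oidSubjectAltName  = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidTPMManufacturer = asn1.ObjectIdentifier{2, 23, 133, 2, 1}
	oidTPMModel        = asn1.ObjectIdentifier{2, 23, 133, 2, 2}
	oidTPMVersion      = asn1.ObjectIdentifier{2, 23, 133, 2, 3}
)

type tpmAttributes struct{ Manufacturer, Model, Version string }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildTPMSAN encodes GeneralNames { directoryName [4] Name } carrying the three attributes.
// The stdlib SAN parser only knows tags 1, 2, 6 and 7, so it skips this entry, parses nothing,
// and therefore records the critical extension in UnhandledCriticalExtensions.
func buildTPMSAN(a tpmAttributes) []byte {
	name := must(asn1.Marshal(pkix.RDNSequence{
		{{Type: oidTPMManufacturer, Value: a.Manufacturer}},
		{{Type: oidTPMModel, Value: a.Model}},
		{{Type: oidTPMVersion, Value: a.Version}},
	}))
	dir := asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 4, IsCompound: true, Bytes: name}
	return must(asn1.Marshal([]asn1.RawValue{dir}))
}

// acceptTPMSAN re-parses the SAN that x509.ParseCertificate could not handle. Only when it holds
// a directoryName with TCG attributes is the SAN OID dropped from UnhandledCriticalExtensions
// (so Verify stops rejecting the chain); any other unknown critical SAN is left in place.
func acceptTPMSAN(cert *x509.Certificate) (attrs tpmAttributes, ok bool, err error) {
	fields := map[string]*string{oidTPMManufacturer.String(): &attrs.Manufacturer,
		oidTPMModel.String(): &attrs.Model, oidTPMVersion.String(): &attrs.Version}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var names []asn1.RawValue
		if rest, uerr := asn1.Unmarshal(ext.Value, &names); uerr != nil || len(rest) != 0 {
			return attrs, false, errors.New("malformed SubjectAltName")
		}
		for _, gn := range names {
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 4 {
				continue // dNSName, rfc822Name, etc.: the stdlib already handles these
			}
			var rdn pkix.RDNSequence
			if _, err = asn1.Unmarshal(gn.Bytes, &rdn); err != nil {
				return attrs, false, err
			}
			for _, set := range rdn {
				for _, atv := range set {
					if p, known := fields[atv.Type.String()]; known {
						*p, ok = fmt.Sprint(atv.Value), true
					}
				}
			}
		}
	}
	if !ok {
		return attrs, false, nil
	}
	kept := cert.UnhandledCriticalExtensions[:0]
	for _, id := range cert.UnhandledCriticalExtensions {
		if !id.Equal(oidSubjectAltName) {
			kept = append(kept, id)
		}
	}
	cert.UnhandledCriticalExtensions = kept
	return attrs, true, nil
}

// buildChain makes a throwaway CA and an AIK-like leaf (empty Subject, critical directoryName
// SAN). Constructed test data for this example, not a real TPM certificate.
func buildChain(a tpmAttributes) ([]byte, *x509.CertPool) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed AIK CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey))))
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidSubjectAltName, Critical: true, Value: buildTPMSAN(a)}}}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return must(x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)), roots
}

// demonstrate reproduces the report: Verify on the freshly parsed leaf fails with
// x509.UnhandledCriticalExtension, acceptTPMSAN clears the SAN OID, and the same Verify passes.
func demonstrate(a tpmAttributes) (failsBefore, succeedsAfter bool, attrs tpmAttributes, err error) {
	leafDER, roots := buildChain(a)
	leaf := must(x509.ParseCertificate(leafDER))
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, verr := leaf.Verify(opts)
	failsBefore = errors.As(verr, new(x509.UnhandledCriticalExtension))
	attrs, _, err = acceptTPMSAN(leaf)
	_, verr = leaf.Verify(opts)
	return failsBefore, verr == nil, attrs, err
}

func main() {
	fmt.Println(demonstrate(tpmAttributes{Manufacturer: "id:00001014", Model: "Constructed TPM", Version: "id:00010203"}))
}
```

The design point is the guard in acceptTPMSAN: the OID is removed from UnhandledCriticalExtensions only after the directoryName has been decoded and at least one TCG attribute found, so a certificate with a critical SAN the code genuinely cannot interpret still fails Verify, which is the behaviour RFC 5280 requires for unrecognised critical extensions.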