Bug 247344

Summary:	[WebAuthn] Incorrect RP ID hash when using U2F keys
Product:	WebKit	Reporter:	pascoe <pascoe>
Component:	WebKit Misc.	Assignee:	pascoe <pascoe>
Status:	NEW
Severity:	Major	CC:	gianluca.varisco, joost.vandijk, webkit-bug-importer
Priority:	P1	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

pascoe@apple.com

Reported 2022-11-01 16:33:51 PDT

This causes registrations to fail whenever we fall back to U2F or the key only supports U2F.

Attachments
Add attachment proposed patch, testcase, etc.

pascoe@apple.com

Comment 1 2022-11-01 16:34:00 PDT

rdar://100466116

Joost van Dijk

Comment 2 2022-11-04 02:00:09 PDT

To reproduce: Point your browser at https://demo.yubico.com/webauthn-technical/registration and use your U2F security key to register a FIDO credential. When the RP ID Hash mismatch occurs, you will get an error message: Wrong RP ID hash in response. OR Point your browser at https://webauthn.io/ and click Advanced Settings. In the Registration Settings, Uncheck "Require User Verification" and select "Cross-Platform" as Authenticator Attachment. Then click "Register" and use your U2F security key to register a FIDO credential. When the RP ID Hash mismatch occurs, you will get an error message: Registration failed: Unexpected RP ID hash.

pascoe@apple.com

Comment 3 2022-11-28 08:07:28 PST

rdar://102718464

pascoe@apple.com

Comment 4 2022-11-28 08:17:06 PST

Pull request: https://github.com/WebKit/WebKit/pull/6862

pascoe@apple.com

Comment 5 2022-11-28 10:51:56 PST

rdar://100466116

Joost van Dijk

Comment 6 2023-11-02 02:14:43 PDT

Seems to be resolved with Safari 17.1

Note You need to log in before you can comment on or make changes to this bug.