Bug 209645 - [WebAuthn] Relaxing signature length requirements for U2fRegister
Status: VERIFIED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: Safari Technology Preview
Hardware: Mac macOS 10.15
Importance: P2 Normal
Assignee: Jiewen Tan
URL:
Keywords: InRadar
Depends on:
Blocks: 181943
Reported: 2020-03-27 02:22 PDT by nuno.sung
Modified: 2020-06-15 13:05 PDT
Attachments
Progress stops like this. (320.02 KB, image/jpeg)
2020-03-27 02:22 PDT, nuno.sung
Patch (4.19 KB, patch)
2020-05-13 18:23 PDT, Jiewen Tan

Description nuno.sung 2020-03-27 02:22:07 PDT
Created attachment 394713 [details]
Progress stops like this.

[Environment]
Test Device: MacBook Pro (2013)
OS: macOS 10.15.4
Safari 13.1 (15609.1.20.111.8)
Safari Technology Preview Release 103

[Repro Steps]
1. Click 2-step verification item.
2. Click "Add security key" item.
3. Select USB item.
4. Click next button.
5. Insert one Security Key, wait for it to start blinking and touch it.
6. Sometimes the registration progress stops and the Security Key stops blinking.

[Result]
Below are the reproduction rates on different Security Keys
- Yubico Security Key : 1/8
- Google U2F key: 1/5
- Yubikey 4 : 1/5
Comment 1 nuno.sung 2020-03-29 22:05:55 PDT
Just saw a similar issue, "70-byte attestation signature will be rejected", described in
https://medium.com/@darconeous/thoughts-on-apples-fido2-support-44a2aadcf093
Comment 2 Jiewen Tan 2020-05-13 16:03:51 PDT
This behavior seems to be only reproducible with Google. I tried Google, and it reproduced. I tried https://webauthntest.azurewebsites.net but failed. Wondering if this is actually an issue with quirks we did for Google.
Comment 3 Radar WebKit Bug Importer 2020-05-13 16:04:14 PDT
<rdar://problem/63204591>
Comment 4 Jiewen Tan 2020-05-13 18:23:45 PDT
Created attachment 399322 [details]
Patch
Comment 5 Brent Fulgham 2020-05-14 15:24:14 PDT
Comment on attachment 399322 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=399322&action=review

r=me

> Source/WebCore/ChangeLog:12
> +        It should actually be [70, 72]. However, as a middleware to relay the messages, user agents

Should we add a console message about this so web developers could see the message was out-of-bounds?
Comment 6 Jiewen Tan 2020-05-14 15:43:28 PDT
Comment on attachment 399322 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=399322&action=review

Thanks Brent for the r+.

>> Source/WebCore/ChangeLog:12
>> +        It should actually be [70, 72]. However, as a middleware to relay the messages, user agents
> 
> Should we add a console message about this so web developers could see the message was out-of-bounds?

Probably yes. Not sure why developers would care about the range though.
Comment 7 EWS 2020-05-14 16:49:07 PDT
Committed r261723: <https://trac.webkit.org/changeset/261723>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 399322 [details].
Comment 8 Jiewen Tan 2020-05-14 17:05:26 PDT
(In reply to nuno.sung from comment #0)
> Created attachment 394713 [details]
> Progress stops like this.
> 
> [Environment]
> Test Device: MacBook Pro (2013)
> OS: macOS 10.15.4
> Safari 13.1 (15609.1.20.111.8)
> Safari Technology Preview Release 103
> 
> [Repro Steps]
> 1. Click 2-step verification item.
> 2. Click "Add security key" item.
> 3. Select USB item.
> 4. Click next button.
> 5. Insert one Security Key, wait for it to start blinking and touch it.
> 6. Sometimes the registration progress stops and the Security Key stops
> blinking.
> 
> [Result]
> Below are the reproduction rates on different Security Keys
> - Yubico Security Key : 1/8
> - Google U2F key: 1/5
> - Yubikey 4 : 1/5

Hi, please follow our STP updates to verify the fix.
Comment 9 nuno.sung 2020-06-15 01:58:41 PDT
Sorry for my late reply.
I can verify this issue on the same MacBook Pro
macOS 10.15.5
Safari Technology Preview Release 108

- Yubico Security Key NFC (test with USB): 0/20
- Google U2F key: 0/20
- ATKey.Pro : 0/20
Comment 10 Jiewen Tan 2020-06-15 13:05:40 PDT
(In reply to nuno.sung from comment #9)
> Sorry for my late reply.
> I can verify this issue on the same MacBook Pro
> macOS 10.15.5
> Safari Technology Preview Release 108
> 
> - Yubico Security Key NFC (test with USB): 0/20
> - Google U2F key: 0/20
> - ATKey.Pro : 0/20

Thanks, Nuno.
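
The lengths mentioned in this thread (the 70-byte attestation signature in comment 1, the [70, 72] range quoted in the review) follow from how a U2F ECDSA P-256 signature is DER-encoded. The sketch below is an added example, not code from WebKit or from the attached patch; the helper names are hypothetical and the (r, s) values are constructed at random rather than taken from a real authenticator. It shows why the encoded length varies from one registration to the next and how a relay can validate the framing instead of a fixed length window.

```python
import random

# Order of the NIST P-256 group; r and s of a signature lie in [1, N-1].
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def der_integer(value: int) -> bytes:
    """DER INTEGER: minimal big-endian bytes, 0x00 prepended if the top bit is set."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body

def der_ecdsa_signature(r: int, s: int) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s }; short-form lengths are enough for P-256."""
    body = der_integer(r) + der_integer(s)
    return b"\x30" + bytes([len(body)]) + body

def parse_der_ecdsa_signature(sig: bytes) -> tuple:
    """Structural validation (hypothetical helper): checks framing, not a length window."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not one DER SEQUENCE spanning the whole buffer")
    values, pos = [], 2
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER")
        end = pos + 2 + sig[pos + 1]
        if sig[pos + 1] == 0 or end > len(sig):
            raise ValueError("bad INTEGER length")
        values.append(int.from_bytes(sig[pos + 2:end], "big"))
        pos = end
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return values[0], values[1]

def length_histogram(samples: int, seed: int = 1) -> dict:
    """Encoded length -> count for random (r, s); constructed values, not real signatures."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(samples):
        r, s = rng.randrange(1, P256_N), rng.randrange(1, P256_N)
        size = len(der_ecdsa_signature(r, s))
        counts[size] = counts.get(size, 0) + 1
    return dict(sorted(counts.items()))

if __name__ == "__main__":
    print(length_histogram(10000))
```

About a quarter of encodings come out at 70 bytes, half at 71 and a quarter at 72, with a small remainder shorter than 70 when r or s starts with a zero byte, so a check on the length alone rejects well-formed signatures only some of the time.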