NEW 275357
Incorrect serialization of WebAuthn CollectedClientData 
https://bugs.webkit.org/show_bug.cgi?id=275357
Summary Incorrect serialization of WebAuthn CollectedClientData
garciacampos.sergio
Reported 2024-06-11 05:42:03 PDT
Not sure this is reported in the correct Component, if it's isn't please let me know. The webauthn specification indicates that the encoding of the "CollectedClientData" must follow some strict rules, This is stated clearly in the specification in point "5.8.1.1. Serialization" https://www.w3.org/TR/webauthn/#clientdatajson-serialization here is an example of the value returned by safari where you can see the ordering of the elements is not correct: {"type":"webauthn.get","challenge":"AYiqf4hnXuSy7ea0nnLY07cZKYHxDQu7ptax5yKIGJwA","origin":"http://localhost:5173"}" but safari is not compliant with the standard and this makes it impossible to verify the signature when using the limited verification algorithm. It works as expected on Google Chrome. It probably affects other hardware and OSs
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2024-06-18 05:43:13 PDT
<rdar://problem/130073946>
Karl Dubost
Comment 2 2024-06-18 23:15:44 PDT
After this sentence in https://www.w3.org/TR/webauthn/#clientdatajson-serialization > The serialization algorithm works by appending successive byte strings to an, initially empty, partial result until the complete result is obtained. It follows a sequence of things that should be appended. 1. {"type": 2. ,"challenge": 3. ,"origin": 4. ,"crossOrigin": 5. } And in https://www.w3.org/TR/webauthn/#clientdatajson-development 5.8.1.3. Future development > They also must not change the serialization algorithm to change the order in which those fields are serialized. This is probably handled by https://searchfox.org/wubkat/rev/15ad704057e0d342d10b792f6108eaeed7accbd7/Source/WebCore/Modules/webauthn/WebAuthenticationUtils.cpp#160-182 @garciacampos.sergio You mentioned that: > the value returned by safari where you can see the ordering of the elements is not correct: with the example being: 1. type 2. challenge 3. origin The order seems to be the same. Or did you mean there is a missing "crossOrigin"?
garciacampos.sergio
Comment 3 2024-06-21 03:21:34 PDT
> This is probably handled by https://searchfox.org/wubkat/rev/15ad704057e0d342d10b792f6108eaeed7accbd7/Source/WebCore/Modules/webauthn/WebAuthenticationUtils.cpp#160-182 i see there that "topOrigin" might be place before "crossOrigin" > The order seems to be the same. Or did you mean there is a missing "crossOrigin"? For some reason i thought the order was wrong but it's not. Sorry about the mess. It's just missing the "crossOrign" Ideally it think webkit should follow the described algorithm more closely, and actually build it using bytes directly as mentioned in the spec. That will guarantee that no weird escaping or whitespace can later break the "Limited Verification Algorithm"
Note You need to log in before you can comment on or make changes to this bug.