Verifying attestation with a public key using OKP makes the server package crash
Describe the issue
When trying to verify an attestation with the server library, using a credential whose public key uses OKP, the verifyOKP function crashes with the following error:
TypeError: Cannot read properties of undefined (reading 'fromBuffer')
at verifyOKP (file:///home/node/app/node_modules/.pnpm/@[email protected]/node_modules/@simplewebauthn/server/esm/helpers/iso/isoCrypto/verifyOKP.js:36:25)
When reviewing the file verifyOKP.js, the error comes from this line: x: isoBase64URL.fromBuffer(x).
The issue is that the import path is not correct and is going one folder up too far.
Current import: import { isoBase64URL } from '../../index.js';
Correct import: import { isoBase64URL } from '../index.js';
Reproduction Steps
- Create a credential with a public key using OKP
- Start an authentication workflow with the same credential
- Verify the attestation with simplewebauthn/server
Expected behavior
Attestation verification succeeds
SimpleWebAuthn Libraries
@simplewebauthn/[email protected]
Hello @Julien-Pires, can you please provide a registration response that causes the problem? Ideally as a sample of how you're calling the registration verification method.
Closing for now due to inactivity. Feel free to re-open later with code I can use to reproduce locally.
Sorry for not answering earlier.
We tried to understand what was happening. The bug seems to occur only on our AWS instance. We tried to reproduce the environment locally and trigger the bug, without success so far.
But we still have ideas on what is going on; it looks to be related to a loop with file imports.
So we had a look at the code, and the following file, packages/server/src/helpers/iso/isoCrypto/verifyOKP.ts, is importing packages/server/src/helpers/iso/isoBase64URL.ts. The import of isoBase64URL.ts is done by importing the index.ts in the folder packages/server/src/helpers/iso. By doing it this way, in this case, it creates an import loop. Most package loaders can handle this, but for an unknown reason, and on our instance specifically, it doesn't work.
We managed to fix the issue by patching the package and replacing line 2 in packages/server/src/helpers/iso/isoCrypto/verifyOKP.ts:
// Before
import { isoBase64URL } from '../../index.ts';
// After
import { isoBase64URL } from '../isoBase64URL.ts';
Even if this bug will probably occur very rarely, I strongly suggest avoiding those import loops to be 100% safe, and directly importing the desired file.
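A static check for the kind of import loop discussed in this thread, as an added example that is not part of any comment above and is not SimpleWebAuthn code. The module map is constructed: the paths follow those named in the thread, the file contents are assumptions, and `resolveFrom`, `importsOf`, `findImportCycles` and `layout` are hypothetical names.

```javascript
// Added example: find import cycles in an in-memory map of { path: source }.
// Matches `import ... from './x'` and `export ... from './x'` (relative only).
const FROM_RE = /^\s*(?:import|export)\b[^'"]*\bfrom\s+['"](\.{1,2}\/[^'"]+)['"]/gm;

// Resolve a relative specifier against the importing file's directory.
function resolveFrom(file, spec) {
  const parts = file.split('/').slice(0, -1);
  for (const seg of spec.split('/')) {
    if (seg === '..') parts.pop();
    else if (seg !== '.') parts.push(seg);
  }
  return parts.join('/');
}

function importsOf(file, source) {
  return [...source.matchAll(FROM_RE)].map((m) => resolveFrom(file, m[1]));
}

// Depth-first search; a file met again while still on the stack closes a cycle.
function findImportCycles(files) {
  const cycles = [];
  const done = new Set();
  const stack = [];
  const visit = (file) => {
    const at = stack.indexOf(file);
    if (at !== -1) { cycles.push([...stack.slice(at), file]); return; }
    if (done.has(file) || !(file in files)) return;
    stack.push(file);
    for (const dep of importsOf(file, files[file])) visit(dep);
    stack.pop();
    done.add(file);
  };
  Object.keys(files).forEach(visit);
  return cycles;
}

// Constructed layout; only the verifyOKP.ts import line is taken from the thread.
const layout = (okpImport) => ({
  'helpers/index.ts': "export * from './iso/index.ts';",
  'helpers/iso/index.ts':
    "export * as isoBase64URL from './isoBase64URL.ts';\n" +
    "export * as isoCrypto from './isoCrypto/index.ts';",
  'helpers/iso/isoBase64URL.ts': 'export function fromBuffer(b) { return b; }',
  'helpers/iso/isoCrypto/index.ts': "export * from './verifyOKP.ts';",
  'helpers/iso/isoCrypto/verifyOKP.ts': `import { isoBase64URL } from '${okpImport}';`,
});

const before = findImportCycles(layout('../../index.ts'));   // barrel import
const after = findImportCycles(layout('../isoBase64URL.ts')); // direct import
console.log(before.map((c) => c.join(' -> ')), after);
```

Under these assumptions the barrel import reports one cycle that passes through verifyOKP.ts, and the direct import reports none.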