
aaguid empty

Open eminhuseynov opened this issue 1 year ago • 10 comments

Hello, when I try to log the aaguid (in the register function, $ao->attData->aaguid) it gives me a strange text like "^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@"

What could have caused this? Anyone seen this before?

Regards Emin

eminhuseynov avatar Nov 10 '23 13:11 eminhuseynov

I think you are seeing bytes with zeros in them; those often show up as some variation on @ when printed or viewed in an editor.

davidearl avatar Nov 10 '23 14:11 davidearl

I think you are seeing bytes with zeros in them; those often show up as some variation on @ when printed or viewed in an editor.

Thanks. Why would it be zero? Any way to retrieve the aaguid otherwise (at php or js level)?

eminhuseynov avatar Nov 10 '23 14:11 eminhuseynov

You could print it as hex bytes using PHP’s bin2hex function.

I don’t think there’s any reason it shouldn’t be zero. The authenticator device isn’t required to supply anything there.

You’d have a hard time intercepting it earlier. It is the 16 bytes starting at offset 37 in the authData field of the data provided by the key. But that is wrapped up in CBOR by the key, which is a binary encoding of JSON, which is hard work to unpack manually. This code further wraps it in JSON for ease of sending to the server.

davidearl avatar Nov 10 '23 14:11 davidearl

You could print it as hex bytes using PHP’s bin2hex function.

I don’t think there’s any reason it shouldn’t be zero. The authenticator device isn’t required to supply anything there.

You’d have a hard time intercepting it earlier. It is the 16 bytes starting at offset 37 in the authData field of the data provided by the key. But that is wrapped up in CBOR by the key, which is a binary encoding of JSON, which is hard work to unpack manually. This code further wraps it in JSON for ease of sending to the server.

Yes, CBOR is hard to decode. Ok, let me ask the question in a different way: how can we get the key's AAGUID to be able to limit only certain AAGUIDs? We know this is technically possible (Microsoft has implemented it in Azure).

eminhuseynov avatar Nov 10 '23 14:11 eminhuseynov
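The two points raised above, reading the 16 AAGUID bytes at offset 37 of authData and then using them to restrict registration to an allowlist of authenticator models, can be shown in a few lines of PHP. The following is an added example and is not code from the davidearl/webauthn library; it assumes you already hold the raw authenticatorData bytes (the library's own object layout is not assumed), and the sample buffer at the bottom is constructed, not captured from a real key.

```php
<?php
// Added example, not part of the davidearl/webauthn library.
// authenticatorData layout (WebAuthn Level 2, section 6.1):
//   rpIdHash(32) | flags(1) | signCount(4, big-endian) | [attestedCredentialData] | [extensions]
//   attestedCredentialData = aaguid(16) | credentialIdLength(2, big-endian) | credentialId | COSE key (CBOR)
// The AAGUID therefore sits at byte offset 37, but only when the AT flag (0x40) is set.

const FLAG_AT = 0x40; // attested credential data is present

function parseAuthData(string $authData): array
{
    if (strlen($authData) < 37) {
        throw new InvalidArgumentException('authData shorter than the fixed 37-byte header');
    }
    $flags = ord($authData[32]);
    $result = [
        'rpIdHash'     => bin2hex(substr($authData, 0, 32)),
        'flags'        => $flags,
        'signCount'    => unpack('N', substr($authData, 33, 4))[1],
        'aaguid'       => null,   // raw 16 bytes, null when AT flag is clear
        'credentialId' => null,
    ];
    if ($flags & FLAG_AT) {
        if (strlen($authData) < 55) {
            throw new InvalidArgumentException('AT flag set but attested credential data is truncated');
        }
        $credIdLen = unpack('n', substr($authData, 53, 2))[1];
        if (strlen($authData) < 55 + $credIdLen) {
            throw new InvalidArgumentException('credentialId runs past the end of authData');
        }
        $result['aaguid']       = substr($authData, 37, 16);
        $result['credentialId'] = bin2hex(substr($authData, 55, $credIdLen));
        // The COSE public key (CBOR) follows the credentialId; it is not decoded here.
    }
    return $result;
}

// Render the raw bytes as the canonical 8-4-4-4-12 UUID string, which is the
// form AAGUIDs are published in (e.g. in FIDO metadata).
function aaguidToUuid(string $aaguid): string
{
    $hex = bin2hex($aaguid);
    return sprintf('%s-%s-%s-%s-%s',
        substr($hex, 0, 8), substr($hex, 8, 4), substr($hex, 12, 4),
        substr($hex, 16, 4), substr($hex, 20, 12));
}

// All-zero AAGUID: the authenticator (or a platform in between) declined to identify its model.
function isZeroAaguid(string $aaguid): bool
{
    return $aaguid === str_repeat("\0", 16);
}

// Allowlist check for "only certain AAGUIDs" policies. A zero AAGUID identifies
// no model, so it can never satisfy an allowlist and registration should be refused.
function aaguidAllowed(?string $aaguid, array $allowedUuids): bool
{
    if ($aaguid === null || isZeroAaguid($aaguid)) {
        return false;
    }
    return in_array(aaguidToUuid($aaguid), array_map('strtolower', $allowedUuids), true);
}

// Constructed sample authData (not from a real authenticator):
$sample = hash('sha256', 'example.com', true)             // rpIdHash
        . chr(0x41)                                       // flags: UP | AT
        . pack('N', 0)                                    // signCount
        . hex2bin('0123456789abcdef0123456789abcdef')     // constructed AAGUID
        . pack('n', 4) . "\x01\x02\x03\x04"               // credentialIdLength + credentialId
        . "\xa0";                                         // empty CBOR map standing in for the COSE key

$parsed = parseAuthData($sample);
echo 'aaguid hex:  ', bin2hex($parsed['aaguid']), "\n";   // what bin2hex shows instead of "^@^@..."
echo 'aaguid uuid: ', aaguidToUuid($parsed['aaguid']), "\n";
echo 'allowed:     ', var_export(aaguidAllowed($parsed['aaguid'], ['01234567-89ab-cdef-0123-456789abcdef']), true), "\n";
echo 'zero aaguid allowed: ', var_export(aaguidAllowed(str_repeat("\0", 16), ['01234567-89ab-cdef-0123-456789abcdef']), true), "\n";
```

Running this against a buffer whose AAGUID is all zeros prints 32 zero hex digits, which is the same thing the "^@" run in the original report represents. Note that an AAGUID is only a self-declared model identifier; it is cryptographically bound to a specific key only when an attestation statement is present and verified, so an allowlist without attestation checking is a convenience filter rather than a hard guarantee.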

It’s supplied by the device. The code just passes it along to PHP. If the device (and/or browser or other intermediary) isn’t supplying it, it’s hard to see what could be done.

davidearl avatar Nov 10 '23 14:11 davidearl

It’s supplied by the device. The code just passes it along to PHP. If the device (and/or browser or other intermediary) isn’t supplying it, it’s hard to see what could be done.

I am using the same key with other libraries/test tools using the same browser and they "see" its AAGUID. I suspect this is one of the settings I played with in this implementation. I currently have attestation as "none"; would this play any role?

eminhuseynov avatar Nov 10 '23 14:11 eminhuseynov

So I just tried it. Windows Hello gets all zeros, whatever downstream method I choose (I tried both PIN and Yubico 2). I also tried BitWarden, and that has some data in that field, though I'm not sure what it is saying, other than being numeric. But it clearly is capable of being set by the device. So I think you need to look downstream from the PHP.

I currently have attestation as "none"

Not sure where you mean. Do you mean in prepareChallengeForRegistration where it assigns to $result->attestation?

davidearl avatar Nov 10 '23 15:11 davidearl

I currently have attestation as "none"

Not sure where you mean. Do you mean in prepareChallengeForRegistration where it assigns to $result->attestation?

Yes, $result->attestation = null;

eminhuseynov avatar Nov 10 '23 15:11 eminhuseynov

OK, that's per the original code. With it like that, as I mentioned, BitWarden is supplying data in the aaguid field, so I doubt it is that.

davidearl avatar Nov 10 '23 15:11 davidearl

According to the W3C spec, the four possible values for this are none, indirect, direct and enterprise. You could try those. https://www.w3.org/TR/webauthn-2/#attestation-conveyance

They don't make any difference when I try it here.

davidearl avatar Nov 10 '23 15:11 davidearl