
WebAuthn conformance: Binary properties in responses should be ArrayBuffers, not Uint8Arrays #11079

Open
1 task done
msizanoen1 opened this issue Sep 16, 2024 · 1 comment
Labels
browser Browser Extension bug

Comments


msizanoen1 commented Sep 16, 2024

Steps To Reproduce

  1. Create a passkey for Yandex
  2. Attempt to log into Yandex with passkey

Expected Result

Login succeeds

Actual Result

Login fails

Screenshots or Videos

No response

Additional Context

The WebAuthn specification clearly states that ArrayBuffer is used to represent binary properties in credential responses. However, Bitwarden uses Uint8Array instead, which is nonconformant and confuses certain applications that require the type of such properties to be ArrayBuffer specifically (e.g. Yandex, 1Password web app, etc.).

Code exhibiting nonconformant behavior:

```ts
// Registration (attestation) result: every Fido2Utils.stringToBuffer() call
// below yields a Uint8Array rather than the ArrayBuffer the spec requires.
const credential = {
  id: result.credentialId,
  rawId: Fido2Utils.stringToBuffer(result.credentialId),
  type: "public-key",
  authenticatorAttachment: "platform",
  response: {
    clientDataJSON: Fido2Utils.stringToBuffer(result.clientDataJSON),
    attestationObject: Fido2Utils.stringToBuffer(result.attestationObject),
    getAuthenticatorData(): ArrayBuffer {
      return Fido2Utils.stringToBuffer(result.authData);
    },
    getPublicKey(): ArrayBuffer {
      return Fido2Utils.stringToBuffer(result.publicKey);
    },
    getPublicKeyAlgorithm(): number {
      return result.publicKeyAlgorithm;
    },
    getTransports(): string[] {
      return result.transports;
    },
  } as AuthenticatorAttestationResponse,
  getClientExtensionResults: () => ({
    credProps: result.extensions.credProps,
  }),
} as PublicKeyCredential;
```

```ts
// Authentication (assertion) result: same issue for the binary members.
const credential = {
  id: result.credentialId,
  rawId: Fido2Utils.stringToBuffer(result.credentialId),
  type: "public-key",
  response: {
    authenticatorData: Fido2Utils.stringToBuffer(result.authenticatorData),
    clientDataJSON: Fido2Utils.stringToBuffer(result.clientDataJSON),
    signature: Fido2Utils.stringToBuffer(result.signature),
    userHandle: Fido2Utils.stringToBuffer(result.userHandle),
  } as AuthenticatorAssertionResponse,
  getClientExtensionResults: () => ({}),
  authenticatorAttachment: "platform",
} as PublicKeyCredential;
```

Operating System

Linux

Operating System Version

No response

Web Browser

Chrome

Browser Version

No response

Build Version

2024.9.0

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
@msizanoen1 msizanoen1 added browser Browser Extension bug labels Sep 16, 2024
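The type mismatch the report describes can be checked and corrected in the page that consumes the credential. The following is an added example (not Bitwarden's code) that lists the binary members WebAuthn types as ArrayBuffer, reports which ones a credential-shaped object gets wrong, and copies a Uint8Array view into a standalone ArrayBuffer, taking care of the case where the view only covers part of a larger backing buffer. `BINARY_FIELDS`, `toArrayBuffer`, `findNonConformantFields` and `normalizeCredential` are names chosen here, and the sample assertion is constructed data.

```javascript
// Binary members that WebAuthn types as ArrayBuffer, per response kind.
const BINARY_FIELDS = {
  attestation: ["rawId", "response.clientDataJSON", "response.attestationObject"],
  assertion: ["rawId", "response.clientDataJSON", "response.authenticatorData",
              "response.signature", "response.userHandle"],
};
// Copy exactly the bytes a view covers into a fresh ArrayBuffer. Returning
// view.buffer would be wrong when the view is a window onto a larger buffer.
function toArrayBuffer(view) {
  if (view instanceof ArrayBuffer) return view;
  return view.buffer.slice(view.byteOffset, view.byteOffset + view.byteLength);
}
const getPath = (obj, path) => path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
// Dotted paths of binary fields that are not ArrayBuffers (userHandle may be null).
function findNonConformantFields(credential, kind) {
  return BINARY_FIELDS[kind].filter((path) => {
    const value = getPath(credential, path);
    if (value === null && path === "response.userHandle") return false;
    return !(value instanceof ArrayBuffer);
  });
}
// Shallow copy with every binary field converted; other members are kept as-is.
function normalizeCredential(credential, kind) {
  const out = { ...credential, response: { ...credential.response } };
  for (const path of BINARY_FIELDS[kind]) {
    const keys = path.split(".");
    const last = keys.pop();
    const target = keys.length ? getPath(out, keys.join(".")) : out;
    if (target[last] != null) target[last] = toArrayBuffer(target[last]);
  }
  return out;
}
// Constructed sample (not real credential data): Uint8Array views onto one
// shared buffer, as a decoder that slices a larger buffer might hand back.
const backing = new Uint8Array([0xde, 0xad, 0xbe, 0xef,
  ...new TextEncoder().encode('{"type":"webauthn.get"}')]).buffer;
const sampleAssertion = {
  id: "constructed-id", type: "public-key", authenticatorAttachment: "platform",
  rawId: new Uint8Array(backing, 0, 4),
  response: {
    clientDataJSON: new Uint8Array(backing, 4),
    authenticatorData: new Uint8Array([1, 2, 3]),
    signature: new Uint8Array([4, 5, 6]),
    userHandle: null,
  },
  getClientExtensionResults: () => ({}),
};
const conformant = normalizeCredential(sampleAssertion, "assertion");
```

A relying-party page can run `findNonConformantFields` on what `navigator.credentials.get()` returns to tell this bug apart from a server-side verification failure.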
@Neonwarden commented

Hi there,

This has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!
