fix(webauthn): refuse U2F downgrade when credProtect enforce or largeBlob required#201
AlfioEmanueleFresta wants to merge 2 commits into
…eBlob required

MakeCredentialRequest::is_downgradable() previously rejected only when ES256 was unsupported, resident_key was Required, or user_verification was Required. Requests carrying credProtect with enforce_policy or largeBlob: required were silently downgraded into U2F credentials that could not honour those guarantees.

Extend the predicate to also refuse the downgrade when:
- extensions.cred_protect.enforce_policy is true and policy is stricter than UserVerificationOptional;
- extensions.large_blob.support == Required.

Both checks mirror the FIDO2 path's existing enforcement in Ctap2MakeCredentialsRequestExtensions::from_webauthn_request.

Refs: WebAuthn L3 section 10.1.5; CTAP 2.1 sections 10.2 and 12.1.
…lacks largeBlobs

Previously the FIDO2 path emitted a warn! when extensions.largeBlob.support == Required and the device did not advertise the largeBlobs option, then forwarded the request as if largeBlob were preferred. The device returned success but ignored the extension, leaving the caller with no signal that the requested extension was dropped.

Return Err(CtapError::UnsupportedExtension) in this case, mirroring the existing credProtect enforcement immediately above.

Also re-export MakeCredentialLargeBlobExtensionInput from ops::webauthn so the type required to construct MakeCredentialsRequestExtensions::large_blob is part of the public API surface.

Refs: WebAuthn L3 section 10.1.5; CTAP 2.1 section 12.1.
When the platform negotiates CTAP1/U2F (because the authenticator does not speak CTAP2), is_downgradable() was permitting the downgrade even for requests that asked for capabilities U2F cannot provide: an RP that set enforceCredentialProtectionPolicy=true with userVerificationRequired would end up with an unprotected U2F credential, and an RP that asked for largeBlob: required would get a credential with no blob storage. Both are silent capability strips with no signal to the RP.

This change makes is_downgradable() refuse the downgrade for those two cases, and surfaces the same enforcement for largeBlob: required on the FIDO2 path when the authenticator does not advertise the extension (previously a warn!-only path), matching the existing credProtect handling immediately above it.

Changes

- MakeCredentialRequest::is_downgradable() returns false when extensions.cred_protect.enforce_policy is set with a policy stricter than UserVerificationOptional.
- MakeCredentialRequest::is_downgradable() returns false when extensions.large_blob.support == Required.
- Ctap2MakeCredentialsRequestExtensions::from_webauthn_request returns Err(CtapError::UnsupportedExtension) for largeBlob: required against devices without the largeBlobs option.

References
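The downgrade predicate described in this PR, modelled as an added example (not libwebauthn's own code: the types, field names and the tuple form of cred_protect are assumptions chosen to match the description):

```rust
// Added illustration, not libwebauthn's code; type and field names are assumptions.
/// credProtect levels from CTAP 2.1 section 12.1, ordered by strictness.
#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Debug)]
pub enum CredProtectPolicy {
    UserVerificationOptional = 1,
    UserVerificationOptionalWithCredentialIdList = 2,
    UserVerificationRequired = 3,
}

/// WebAuthn-style "discouraged" / "preferred" / "required" selector.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Requirement { Discouraged, Preferred, Required }
#[derive(Clone, Copy, Debug, Default)]
pub struct Extensions {
    /// (policy, enforce_policy) as requested by the RP, if any.
    pub cred_protect: Option<(CredProtectPolicy, bool)>,
    /// largeBlob "support" value requested by the RP, if any.
    pub large_blob: Option<Requirement>,
}
#[derive(Clone, Copy, Debug)]
pub struct MakeCredentialRequest {
    pub es256_supported: bool,
    pub resident_key: Requirement,
    pub user_verification: Requirement,
    pub extensions: Extensions,
}

impl MakeCredentialRequest {
    /// True only when a CTAP1/U2F authenticator could honour every guarantee
    /// the RP asked for; false means the platform must not downgrade.
    pub fn is_downgradable(&self) -> bool {
        // Pre-existing checks: U2F is ES256-only, non-resident and has no UV.
        if !self.es256_supported
            || self.resident_key == Requirement::Required
            || self.user_verification == Requirement::Required
        {
            return false;
        }
        // New check 1: an enforced credProtect level above
        // userVerificationOptional cannot be honoured by U2F.
        if let Some((policy, enforce)) = self.extensions.cred_protect {
            if enforce && policy > CredProtectPolicy::UserVerificationOptional {
                return false;
            }
        }
        // New check 2: largeBlob: required needs CTAP2 largeBlobs storage.
        self.extensions.large_blob != Some(Requirement::Required)
    }
}
```

Note that a non-enforced credProtect request still downgrades, matching the description: only enforce_policy turns the requested level into a hard requirement.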