Default to U2F register when client pin is set
Issue description: Until client pin support is launched, default to U2F register request when CTAP2 make credential request is received on devices with client pin set to avoid guaranteed failure.
Comment 1 by kpaulhamus@chromium.org, Aug 2
With CTAP2 enabled by default in m69, this will break existing devices on the market that currently fall back to U2F and have clientPin set.
Aug 3

Aug 4
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/77b5c42d14ae45e36618a94bfe77a56c92ccef54

commit 77b5c42d14ae45e36618a94bfe77a56c92ccef54
Author: Jun Choi <hongjunchoi@chromium.org>
Date: Sat Aug 04 03:26:03 2018

Default to U2F register when client pin is set

According to the CTAP spec, CTAP2 authenticators will always error out when a MakeCredential request with an empty "pinAuth" parameter is received by a device that has client pin already set. This prevents any users with CTAP2 devices with client pin set from using Chrome as a client. Until client pin command is implemented on Chrome, use U2F register request when possible when we know that the device has client pin set.

Bug: 870131
Change-Id: Ia26d991f2b92e46c0d67625e25d88365d1d72089
Reviewed-on: https://chromium-review.googlesource.com/1159726
Reviewed-by: Jun Choi <hongjunchoi@chromium.org>
Reviewed-by: Kim Paulhamus <kpaulhamus@chromium.org>
Commit-Queue: Kim Paulhamus <kpaulhamus@chromium.org>
Cr-Commit-Position: refs/heads/master@{#580737}

[modify] https://crrev.com/77b5c42d14ae45e36618a94bfe77a56c92ccef54/device/fido/fido_test_data.h
[modify] https://crrev.com/77b5c42d14ae45e36618a94bfe77a56c92ccef54/device/fido/make_credential_task.cc
[modify] https://crrev.com/77b5c42d14ae45e36618a94bfe77a56c92ccef54/device/fido/make_credential_task_unittest.cc
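The decision the commit describes, modelled as an added C++ illustration (this is not Chromium's code, and the struct and function names are assumptions). It takes the three-state "clientPin" option from a decoded authenticatorGetInfo response, the versions the device advertises, and the parts of a MakeCredential request that U2F cannot express, and picks the transport: the pre-fix path sends CTAP2 regardless and is guaranteed to fail on a PIN-set device, the post-fix path falls back to U2F register when that is possible. Which request features block the fallback (resident key, user verification) is an assumption made here, as is the "kFailPinRequired" outcome name.

```cpp
// Added illustration, not Chromium code. All names are assumptions.
#include <algorithm>
#include <optional>
#include <string>
#include <vector>

// Decoded subset of a CTAP2 authenticatorGetInfo response (real devices
// return CBOR; decoding is assumed to have happened already).
struct AuthenticatorInfo {
  std::vector<std::string> versions;  // e.g. "U2F_V2", "FIDO_2_0"
  // "clientPin" option: absent = PIN not supported,
  // false = supported but not set, true = PIN is set.
  std::optional<bool> client_pin;
};

// Subset of a MakeCredential request that affects the fallback decision.
struct MakeCredentialRequest {
  bool resident_key_required = false;
  bool user_verification_required = false;
  bool has_pin_auth = false;  // the client never sets pinAuth without PIN support
};

enum class Protocol {
  kCtap2,            // send authenticatorMakeCredential
  kU2fRegister,      // send a legacy U2F register request instead
  kFailPinRequired,  // device will reject the request: PIN set, no pinAuth
};

bool SupportsVersion(const AuthenticatorInfo& info, const std::string& v) {
  return std::find(info.versions.begin(), info.versions.end(), v) !=
         info.versions.end();
}

// U2F register can only stand in for MakeCredential when the request needs
// nothing U2F cannot express (assumption: resident keys and UV block it).
bool U2fCanServe(const MakeCredentialRequest& req) {
  return !req.resident_key_required && !req.user_verification_required;
}

// fallback_enabled=false models the pre-fix client, true the post-fix one.
Protocol SelectProtocol(const AuthenticatorInfo& info,
                        const MakeCredentialRequest& req,
                        bool fallback_enabled) {
  const bool ctap2 = SupportsVersion(info, "FIDO_2_0");
  const bool u2f = SupportsVersion(info, "U2F_V2");
  const bool pin_set = info.client_pin.value_or(false);

  if (!ctap2) {
    // Legacy device: U2F is the only option.
    return u2f ? Protocol::kU2fRegister : Protocol::kFailPinRequired;
  }
  if (!pin_set || req.has_pin_auth) {
    // No PIN on the device, or the client can supply pinAuth: CTAP2 is fine.
    return Protocol::kCtap2;
  }
  // PIN is set and the client cannot produce pinAuth: CTAP2 will error out.
  if (fallback_enabled && u2f && U2fCanServe(req)) {
    return Protocol::kU2fRegister;
  }
  return Protocol::kFailPinRequired;
}

// Constructed sample devices for stand-alone use.
AuthenticatorInfo DualStackPinSet() { return {{"U2F_V2", "FIDO_2_0"}, true}; }
AuthenticatorInfo DualStackNoPin() { return {{"U2F_V2", "FIDO_2_0"}, false}; }
AuthenticatorInfo Ctap2OnlyPinSet() { return {{"FIDO_2_0"}, true}; }
AuthenticatorInfo U2fOnly() { return {{"U2F_V2"}, std::nullopt}; }

int main() {
  MakeCredentialRequest plain;
  // Pre-fix: guaranteed failure on a PIN-set device; post-fix: U2F fallback.
  return SelectProtocol(DualStackPinSet(), plain, true) == Protocol::kU2fRegister &&
                 SelectProtocol(DualStackPinSet(), plain, false) ==
                     Protocol::kFailPinRequired
             ? 0
             : 1;
}
```

The fallback closes the gap only for requests U2F can satisfy; a request that needs a resident key or user verification still reaches the CTAP2 path and still fails until the client implements the clientPin commands.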
Aug 6
Requesting merge request of https://chromium-review.googlesource.com/c/chromium/src/+/1159726 to M69. Justification for merge: Currently, Chrome provides support for CTAP2 new generation security keys without the "client pin" feature that enables users to set a pin on the hardware security key token to add extra security. On the other hand, Microsoft Edge supports CTAP2 security keys, and they enforce users to set client pin whenever possible. Such enforcement is not required by the official CTAP specification (which has not been finalized yet), and this results in Chrome not being able to support any users of CTAP2 security keys who already used his/her security key with Microsoft Edge. In order to prevent this failure, we will default to using the legacy U2F transport protocol if we know in advance that this particular failure will occur. How safe is this fix: While CTAP2 security keys are supported by default, it is guarded behind a UI feature flag "enable-web-authentication-ctap2-support".
Aug 6
This bug requires manual review: M69 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions.
Owners: amineer@ (Android), kariahda@ (iOS), cindyb@ (ChromeOS), govind@ (Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Aug 6
+awhalley@ (Security TPM) for M69 merge review
Aug 6
Thanks for the detail hongjunchoi@ govind@ - good for 69
Aug 6
Approving merge to M69 branch 3497 based on comment #8. Please merge now so we can pick it up for this week Beta release. Thank you.
Aug 6
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/daf9cdf1b3af168cf6d9b1e96d2d27664a2bbe0b

commit daf9cdf1b3af168cf6d9b1e96d2d27664a2bbe0b
Author: Jun Choi <hongjunchoi@chromium.org>
Date: Mon Aug 06 20:00:33 2018

Default to U2F register when client pin is set

According to the CTAP spec, CTAP2 authenticators will always error out when a MakeCredential request with an empty "pinAuth" parameter is received by a device that has client pin already set. This prevents any users with CTAP2 devices with client pin set from using Chrome as a client. Until client pin command is implemented on Chrome, use U2F register request when possible when we know that the device has client pin set.

Bug: 870131
Change-Id: Ia26d991f2b92e46c0d67625e25d88365d1d72089
Reviewed-on: https://chromium-review.googlesource.com/1159726
Reviewed-by: Jun Choi <hongjunchoi@chromium.org>
Reviewed-by: Kim Paulhamus <kpaulhamus@chromium.org>
Commit-Queue: Kim Paulhamus <kpaulhamus@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#580737}
(cherry picked from commit 77b5c42d14ae45e36618a94bfe77a56c92ccef54)
Reviewed-on: https://chromium-review.googlesource.com/1163969
Cr-Commit-Position: refs/branch-heads/3497@{#431}
Cr-Branched-From: 271eaf50594eb818c9295dc78d364aea18c82ea8-refs/heads/master@{#576753}

[modify] https://crrev.com/daf9cdf1b3af168cf6d9b1e96d2d27664a2bbe0b/device/fido/fido_test_data.h
[modify] https://crrev.com/daf9cdf1b3af168cf6d9b1e96d2d27664a2bbe0b/device/fido/make_credential_task.cc
[modify] https://crrev.com/daf9cdf1b3af168cf6d9b1e96d2d27664a2bbe0b/device/fido/make_credential_task_unittest.cc