
Issue 877226


Issue metadata

Status: Fixed
Owner:
Closed: Aug 27
Cc:
Components:
EstimatedDays: ----
NextAction: 2018-08-24
OS: Linux , Windows , Mac
Pri: 2
Type: Bug




WebAuthn request promise may be resolved immediately for some incompliant keys

Project Member Reported by martinkr@google.com, Aug 23

Issue description

We have become aware of some FIDO tokens that, counter to the CTAP2 spec, may return CTAP2_ERR_INVALID_CREDENTIAL without prior user interaction in response to a GetAssertion request for which they do not hold a credential. The spec-compliant behavior would be to first complete the user presence test, and then respond with CTAP2_ERR_NO_CREDENTIALS (see https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#authenticatorGetAssertion, step 8).

Upon receiving this error, Chrome cancelled the request with a corresponding error. This means that in these cases, a request's promise would be resolved immediately without user interaction. This issue was recently fixed in crrev.com/c/1185220. Filing this bug to track a potential merge to M69.
 
Labels: -Pri-3 Merge-Request-69 OS-Linux OS-Mac OS-Windows Pri-2
Owner: martinkr@google.com
Project Member

Comment 2 by sheriffbot@chromium.org, Aug 23

Labels: -Merge-Request-69 Merge-Review-69 Hotlist-Merge-Review
This bug requires manual review: We are only 11 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
(For merge reviewers) The upshot of this bug is a severe violation of user privacy. Relying Parties should not be able to query, without user consent, whether a device does or does not contain a known credential. This can let a malicious RP identify a user via probing.

https://w3c.github.io/webauthn/#sec-assertion-privacy
Status: Assigned (was: Fixed)
NextAction: 2018-08-24
crrev.com/c/1185220 is not in canary yet, please update the bug with the canary result tomorrow. Also, how safe is the change to merge to M69 this late in the release cycle?
The NextAction date has arrived: 2018-08-24
How is the change looking in canary so far?
The change made it into canary today. 

It's a safe change that only affects security key devices that return a certain type of error code in response to a request for which the device doesn't have a matching credential. We tested this scenario on affected devices this morning in Canary, and it now shows the behavior that we intended to achieve with the change. 
Labels: -Merge-Review-69 Merge-Approved-69
Approving merge for crrev.com/c/1185220 to M69 branch 3497 based on comments #3 and #8.
Status: Fixed (was: Assigned)
Merge to M69 has been landed in https://chromium.googlesource.com/chromium/src/+/36eaaa643f3076f5b80b83f2516760a39799c8aa.
Project Member

Comment 11 by bugdroid1@chromium.org, Aug 27

Labels: -merge-approved-69 merge-merged-3497
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/36eaaa643f3076f5b80b83f2516760a39799c8aa

commit 36eaaa643f3076f5b80b83f2516760a39799c8aa
Author: Martin Kreichgauer <martinkr@google.com>
Date: Mon Aug 27 16:25:41 2018

[M69] device/fido: fix an issue in authenticator error response handling

1) Change FidoRequestHandler to not terminate a WebAuthn request when a
request handler replies with the CTAP2_ERR_INVALID_CREDENTIAL or
CTAP2_ERR_CREDENTIAL_NOT_VALID CTAP2 error codes. These error codes do
not indicate that the user has interacted with the authenticator and
we therefore must not resolve the  WebAuthN request promise upon
receiving such an error.

2) Remove kCtap2ErrCredentialNotValid since
CTAP2_ERR_CREDENTIAL_NOT_VALID has recently been dropped from the CTAP2
spec.

3) Change references to kCtap2ErrCredentialNotValid in U2F code to
kCtap2ErrNoCredentials in order to not change behavior of that code with
regards to request canceling.

(cherry picked from commit 52f4995e5f4c3db27916274d20bc54aa78db13b7)

Bug:  877226 
Change-Id: Ied8dd2c8b4af939d6b922c0007520b90d3a92388
Reviewed-on: https://chromium-review.googlesource.com/1185220
Commit-Queue: Martin Kreichgauer <martinkr@google.com>
Reviewed-by: Kim Paulhamus <kpaulhamus@chromium.org>
Reviewed-by: Balazs Engedy <engedy@chromium.org>
Reviewed-by: Jun Choi <hongjunchoi@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#585575}
Reviewed-on: https://chromium-review.googlesource.com/1189183
Cr-Commit-Position: refs/branch-heads/3497@{#814}
Cr-Branched-From: 271eaf50594eb818c9295dc78d364aea18c82ea8-refs/heads/master@{#576753}
[modify] https://crrev.com/36eaaa643f3076f5b80b83f2516760a39799c8aa/device/fido/fido_constants.h
[modify] https://crrev.com/36eaaa643f3076f5b80b83f2516760a39799c8aa/device/fido/fido_request_handler.h
[modify] https://crrev.com/36eaaa643f3076f5b80b83f2516760a39799c8aa/device/fido/get_assertion_task_unittest.cc
[modify] https://crrev.com/36eaaa643f3076f5b80b83f2516760a39799c8aa/device/fido/u2f_sign_operation.cc
[modify] https://crrev.com/36eaaa643f3076f5b80b83f2516760a39799c8aa/device/fido/u2f_sign_operation_unittest.cc
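
The decision described in point 1 of the commit message, as an added illustration that is not Chromium's code and not part of any comment above. It is a simplified model: `Outcome`, `Policy`, `ReplyEndsRequest` and `ResolveRequest` are hypothetical names, and only the status codes named in this issue are modelled.

```cpp
#include <cstdint>
#include <vector>

// CTAP2 status bytes named in the issue (values from the CTAP2 spec).
enum class CtapStatus : uint8_t {
  kSuccess = 0x00,
  kInvalidCredential = 0x22,  // CTAP2_ERR_INVALID_CREDENTIAL
  kNoCredentials = 0x2E,      // CTAP2_ERR_NO_CREDENTIALS
};

// What the relying party's promise observes. kPending means "still waiting
// for a touch or a timeout", which reveals nothing about stored credentials.
enum class Outcome { kPending, kAssertion, kError };

enum class Policy { kBeforeFix, kAfterFix };

// Hypothetical helper: does this reply end the whole WebAuthn request?
bool ReplyEndsRequest(CtapStatus status, Policy policy) {
  if (policy == Policy::kBeforeFix)
    return true;  // Simplified old behaviour: any error cancelled the request.
  // After the fix: INVALID_CREDENTIAL carries no evidence of user presence,
  // so it must not resolve the promise.
  return status != CtapStatus::kInvalidCredential;
}

// Feeds authenticator replies (in arrival order) through the policy and
// returns what the relying party would see once they are all processed.
Outcome ResolveRequest(const std::vector<CtapStatus>& replies, Policy policy) {
  for (CtapStatus status : replies) {
    if (!ReplyEndsRequest(status, policy))
      continue;  // Drop this reply; keep waiting on other authenticators.
    return status == CtapStatus::kSuccess ? Outcome::kAssertion
                                          : Outcome::kError;
  }
  return Outcome::kPending;
}

int main() {
  // Constructed sample: a non-compliant key answers without a touch.
  const std::vector<CtapStatus> probe = {CtapStatus::kInvalidCredential};
  bool leaked = ResolveRequest(probe, Policy::kBeforeFix) == Outcome::kError;
  bool silent = ResolveRequest(probe, Policy::kAfterFix) == Outcome::kPending;
  return (leaked && silent) ? 0 : 1;
}
```

With the post-fix policy, a key that answers early with `CTAP2_ERR_INVALID_CREDENTIAL` leaves the request in the same pending state as a compliant key that is still waiting for a touch, so the early reply no longer reaches the relying party.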
