
Issue 921155


Issue metadata

Status: Fixed
Closed: Jan 17
Pri: 2
Type: Bug




Windows WebAuthn integration should avoid requesting direct attestation when not required

Project Member Reported by martinkr@google.com, Jan 11

Issue description

The Windows 10 WebAuthn integration currently always asks for direct attestation and strips the attestation statements afterwards if the site didn't request it. We should only ask the Windows API for attestation if the RP requests it because generating the attestation in the TPM might be expensive.

 

Comment 1 by bugdroid1@chromium.org, Jan 17 (6 days ago)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a9abd0dbbd53d26af345e566a308051bf8843430

commit a9abd0dbbd53d26af345e566a308051bf8843430
Author: Martin Kreichgauer <martinkr@chromium.org>
Date: Thu Jan 17 01:21:28 2019

fido: only request direct attestation from Windows when necessary

The WinWebAuthnApiAuthenticator currently always requests DIRECT attestation
from the Windows WebAuthn API and relies on AuthenticatorImpl to strip the
attestation statement later if necessary. This changes the behavior to only
request attestation when actually requested by the RP in order to avoid
unnecessarily generating an attestation signature in cases where that is
computationally expensive.

Bug: 921155
Change-Id: I2f39f5e85ea2be56cff1df87bc5464374dabf911
Reviewed-on: https://chromium-review.googlesource.com/c/1414310
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Adam Langley <agl@chromium.org>
Commit-Queue: Martin Kreichgauer <martinkr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#623497}
[modify] https://crrev.com/a9abd0dbbd53d26af345e566a308051bf8843430/content/browser/webauth/authenticator_impl.cc
[modify] https://crrev.com/a9abd0dbbd53d26af345e566a308051bf8843430/content/browser/webauth/authenticator_impl.h
[modify] https://crrev.com/a9abd0dbbd53d26af345e566a308051bf8843430/content/browser/webauth/authenticator_type_converters.cc
[modify] https://crrev.com/a9abd0dbbd53d26af345e566a308051bf8843430/content/browser/webauth/authenticator_type_converters.h
[modify] https://crrev.com/a9abd0dbbd53d26af345e566a308051bf8843430/device/fido/ctap_make_credential_request.cc
[modify] https://crrev.com/a9abd0dbbd53d26af345e566a308051bf8843430/device/fido/ctap_make_credential_request.h
[modify] https://crrev.com/a9abd0dbbd53d26af345e566a308051bf8843430/device/fido/fido_constants.h
[modify] https://crrev.com/a9abd0dbbd53d26af345e566a308051bf8843430/device/fido/u2f_command_constructor.cc
[modify] https://crrev.com/a9abd0dbbd53d26af345e566a308051bf8843430/device/fido/u2f_register_operation_unittest.cc
[modify] https://crrev.com/a9abd0dbbd53d26af345e566a308051bf8843430/device/fido/win/authenticator.cc
[modify] https://crrev.com/a9abd0dbbd53d26af345e566a308051bf8843430/device/fido/win/type_conversions.cc
[modify] https://crrev.com/a9abd0dbbd53d26af345e566a308051bf8843430/device/fido/win/type_conversions.h

Comment 2 by martinkr@google.com, Jan 17 (6 days ago)

Status: Fixed (was: Assigned)
