
isCertRevoked cannot work for the root cert which does not include the Subject Key Identifier field


Hello SimpleWebAuthn team,

Recently we have been doing some spiking based on SimpleWebAuthn, and we found that after we initialized the MetadataService, the RegistrationOption generated by IDMelon (a software authenticator on iOS and Android) cannot pass the MDS check. We did some investigation on the SimpleWebAuthn server library and found that isCertRevoked cannot work if the CA cert doesn't include the Subject Key Identifier. The right side of the attached image is the root cert of IDMelon that we got from the FIDO2 MDS (AAGUID: 820D89ED-D65A-409E-85CB-F73F0578F82A), which doesn't include the Subject Key Identifier field; it only includes the Authority Key Identifier, which does not have the kid field.

[image (2): screenshot not reproduced]

We created a unit test to reproduce this issue; put it into verifyAttestationWithMetadata.test.ts:

test('should verify attestation', async () => {
  const metadataStatement: MetadataStatement = {
    "legalHeader": "Submission of this statement and retrieval and use of this statement indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/.",
    "aaguid": "820d89ed-d65a-409e-85cb-f73f0578f82a",
    "description": "Vancosys iOS Authenticator",
    "authenticatorVersion": 2,
    "protocolFamily": "fido2",
    "schema": 3,
    "upv": [
      {
        "major": 1,
        "minor": 0
      }
    ],
    "authenticationAlgorithms": [
      "secp256r1_ecdsa_sha256_raw"
    ],
    "publicKeyAlgAndEncodings": [
      "cose"
    ],
    "attestationTypes": [
      "basic_full"
    ],
    "userVerificationDetails": [
      [
        {
          "userVerificationMethod": "faceprint_internal"
        },
        {
          "userVerificationMethod": "voiceprint_internal"
        },
        {
          "userVerificationMethod": "passcode_internal"
        },
        {
          "userVerificationMethod": "eyeprint_internal"
        },
        {
          "userVerificationMethod": "handprint_internal"
        },
        {
          "userVerificationMethod": "fingerprint_internal"
        },
        {
          "userVerificationMethod": "pattern_internal"
        },
        {
          "userVerificationMethod": "location_internal"
        },
        {
          "userVerificationMethod": "presence_internal"
        }
      ]
    ],
    "keyProtection": [
      "hardware",
      "secure_element"
    ],
    "matcherProtection": [
      "on_chip"
    ],
    "cryptoStrength": 128,
    "attachmentHint": [
      "external"
    ],
    "tcDisplay": [],
    "attestationRootCertificates": [
      "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"
    ],
    "icon": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAM1BMVEUtmc3y+fyWzOZis9rK5fI6n9B8v+Cw2ezl8vlHptNVrNbX7Paj0ulvud293++JxuP///89HRvpAAAAEXRSTlP/////////////////////ACWtmWIAAABsSURBVHgBxdPBCoAwDIPh/yDise//tIIQCZo6RNGdtuWDstFSg/UOgMiADQBJ6J4iCwS4BgzBuEQHCoFa+mdM+qijsDMVhBfdoRFaAL4nAe6AeghODYPnsaNyLuAqg5AHwO9AYu5BmqEPhncFmecvM5KKQHMAAAAASUVORK5CYII=",
    "authenticatorGetInfo": {
      "versions": [
        "FIDO_2_0"
      ],
      "extensions": [
        "hmac-secret"
      ],
      "aaguid": "820d89edd65a409e85cbf73f0578f82a",
      "options": {
        "plat": false,
        "rk": true,
        "up": true,
        "uv": true
      },
      "maxMsgSize": 2048
    }
  };

  // Attestation certificate (x5c) from an IDMelon / Vancosys iOS Authenticator registration response
  const x5c = [
      'MIIB6TCCAY+gAwIBAgIJAJz56pzvu76hMAoGCCqGSM49BAMCMEExJDAiBgNVBAoMG1ZhbmNvc3lzIERhdGEgU2VjdXJpdHkgSW5jLjEZMBcGA1UEAwwQVmFuY29zeXMgUm9vdCBDQTAgFw0xODEyMjIxNzQzMjhaGA8yMDY4MTIwOTE3NDMyOFowfDELMAkGA1UEBhMCQ0ExJDAiBgNVBAoMG1ZhbmNvc3lzIERhdGEgU2VjdXJpdHkgSW5jLjEiMCAGA1UECwwZQXV0aGVudGljYXRvciBBdHRlc3RhdGlvbjEjMCEGA1UEAwwaVmFuY29zeXMgaU9TIEF1dGhlbnRpY2F0b3IwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZVzbtmSJbzsoN6mfdD+t1LV52zB+LWN0UusmV9+sRmfNB49adqPQ+h0JOlEwfL4zkbMmuDr6JhBRKJ5/c0SkeozMwMTAMBgNVHRMBAf8EAjAAMCEGCysGAQQBguUcAQEEBBIEEIINie3WWkCehcv3PwV4+CowCgYIKoZIzj0EAwIDSAAwRQIgV7++U2fQyy6Qido7fDhsi5Grrt76LTgZ5XJlA9UKEVECIQDJO0YHevdU77VlZ+Of58oKMjWD3SkzC1SWSlhl3nezHQ=='
  ];
  const credentialPublicKey = 'pQECAyYgASFYINuJbeLdkZwgKtUw2VSopICTTO5PKdj95GXJ7JCsQi7iIlggxygEp0_P0oMXhfw2BjtL0M7-yIpnk5uSHc0oNkXfdJw';

  const verified = await verifyAttestationWithMetadata({
    statement: metadataStatement,
    credentialPublicKey: base64url.toBuffer(credentialPublicKey),
    x5c,
  });

  expect(verified).toEqual(true);
})

It will raise an error:

Error: Could not validate certificate path with any metadata root certificates: Cannot read properties of undefined (reading 'hex')

Thanks
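The crash the reporter hits comes from reading `kid.hex` off an Authority Key Identifier without first checking that the extension, and its keyIdentifier field, are there at all. The following is an added example written for this page; it is not SimpleWebAuthn's code and not the reporter's test. It is a small dependency-free DER walker that extracts the Subject Key Identifier, the Authority Key Identifier and the FIDO AAGUID extension and returns null for whatever is missing. The attestation certificate is the real x5c entry from the test above; the AKI value that carries only authorityCertIssuer and authorityCertSerialNumber is constructed (the metadata root certificate itself is not reproduced on this page), and `revocationCacheKey` is a hypothetical helper illustrating the fall-back strategy, not a library API.

```typescript
// Added example, not SimpleWebAuthn's own code: a minimal DER walker that reads the
// Subject Key Identifier (2.5.29.14), Authority Key Identifier (2.5.29.35) and FIDO
// AAGUID (1.3.6.1.4.1.45724.1.1.4) extensions of an X.509 certificate without assuming
// any of them exists: a root with no SKI, or an AKI holding issuer+serial but no
// keyIdentifier, yields null instead of a crash. Plain TypeScript, no dependencies.

// Attestation certificate from the x5c in the reporter's test above (real data).
const LEAF_CERT_B64 = 'MIIB6TCCAY+gAwIBAgIJAJz56pzvu76hMAoGCCqGSM49BAMCMEExJDAiBgNVBAoMG1ZhbmNvc3lzIERhdGEgU2VjdXJpdHkgSW5jLjEZMBcGA1UEAwwQVmFuY29zeXMgUm9vdCBDQTAgFw0xODEyMjIxNzQzMjhaGA8yMDY4MTIwOTE3NDMyOFowfDELMAkGA1UEBhMCQ0ExJDAiBgNVBAoMG1ZhbmNvc3lzIERhdGEgU2VjdXJpdHkgSW5jLjEiMCAGA1UECwwZQXV0aGVudGljYXRvciBBdHRlc3RhdGlvbjEjMCEGA1UEAwwaVmFuY29zeXMgaU9TIEF1dGhlbnRpY2F0b3IwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATZVzbtmSJbzsoN6mfdD+t1LV52zB+LWN0UusmV9+sRmfNB49adqPQ+h0JOlEwfL4zkbMmuDr6JhBRKJ5/c0SkeozMwMTAMBgNVHRMBAf8EAjAAMCEGCysGAQQBguUcAQEEBBIEEIINie3WWkCehcv3PwV4+CowCgYIKoZIzj0EAwIDSAAwRQIgV7++U2fQyy6Qido7fDhsi5Grrt76LTgZ5XJlA9UKEVECIQDJO0YHevdU77VlZ+Of58oKMjWD3SkzC1SWSlhl3nezHQ==';
// Constructed AuthorityKeyIdentifier (not from a real cert) carrying only
// authorityCertIssuer [1] and authorityCertSerialNumber [2], as described in the issue.
const AKI_ISSUER_SERIAL_ONLY = fromHex('3009a104a4023000820105');

function fromHex(h: string): Uint8Array {
  return new Uint8Array((h.match(/../g) as string[]).map((x) => parseInt(x, 16)));
}
function hex(b: Uint8Array): string {
  let s = ''; for (let i = 0; i < b.length; i++) s += (b[i] < 16 ? '0' : '') + b[i].toString(16); return s;
}
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
function fromBase64(s: string): Uint8Array {
  const clean = s.replace(/[^A-Za-z0-9+/]/g, '');
  const out: number[] = [];
  for (let i = 0, acc = 0, bits = 0; i < clean.length; i++) {
    acc = (acc << 6) | B64.indexOf(clean[i]);
    bits += 6;
    if (bits >= 8) { bits -= 8; out.push((acc >> bits) & 0xff); acc &= (1 << bits) - 1; }
  }
  return new Uint8Array(out);
}

type Tlv = { tag: number; start: number; end: number };   // one DER element: tag + content bounds
function readTlv(buf: Uint8Array, pos: number): Tlv {
  const tag = buf[pos]; let len = buf[pos + 1], hdr = 2;
  if (len & 0x80) {                                    // long form: next n bytes hold the length
    const n = len & 0x7f; len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[pos + 2 + i];
    hdr += n;
  }
  if (pos + hdr + len > buf.length) throw new Error('DER length exceeds buffer');
  return { tag, start: pos + hdr, end: pos + hdr + len };
}
function children(buf: Uint8Array, t: Tlv): Tlv[] {     // all sibling TLVs inside a constructed element
  const out: Tlv[] = [];
  for (let pos = t.start; pos < t.end; pos = out[out.length - 1].end) out.push(readTlv(buf, pos));
  return out;
}
function decodeOid(b: Uint8Array): string {
  const arcs: number[] = [];
  for (let i = 0, v = 0; i < b.length; i++) {
    v = v * 128 + (b[i] & 0x7f);
    if (!(b[i] & 0x80)) { arcs.push(v); v = 0; }
  }
  const first = Math.min(Math.floor(arcs[0] / 40), 2);   // first byte packs arcs 1 and 2
  return [first, arcs[0] - 40 * first].concat(arcs.slice(1)).join('.');
}

type Extension = { oid: string; critical: boolean; value: Uint8Array };
// Extensions sit in the OPTIONAL [3] EXPLICIT element (tag 0xA3) of TBSCertificate.
function getExtensions(der: Uint8Array): Extension[] {
  const tbs = readTlv(der, readTlv(der, 0).start);           // Certificate -> tbsCertificate
  const wrapper = children(der, tbs).filter((c) => c.tag === 0xa3)[0];
  if (!wrapper) return [];
  return children(der, readTlv(der, wrapper.start)).map((e) => {
    const f = children(der, e);                             // extnID, [critical BOOLEAN], extnValue
    const val = f[f.length - 1];
    return {
      oid: decodeOid(der.subarray(f[0].start, f[0].end)),
      critical: f.length === 3 && der[f[1].start] !== 0,
      value: der.subarray(val.start, val.end),
    };
  });
}
// SKI and the FIDO AAGUID extension both wrap a bare OCTET STRING in extnValue.
function octetExtensionHex(der: Uint8Array, oid: string): string | null {
  const ext = getExtensions(der).filter((e) => e.oid === oid)[0];
  if (!ext) return null;
  const inner = readTlv(ext.value, 0);
  return hex(ext.value.subarray(inner.start, inner.end));
}
const getSubjectKeyIdentifier = (der: Uint8Array) => octetExtensionHex(der, '2.5.29.14');
const getAaguid = (der: Uint8Array) => octetExtensionHex(der, '1.3.6.1.4.1.45724.1.1.4');

type Aki = { keyIdentifier: string | null; hasIssuerAndSerial: boolean };
// AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] OPTIONAL,
//   authorityCertIssuer [1] OPTIONAL, authorityCertSerialNumber [2] OPTIONAL };
// every field is optional, which is why reading aki.kid.hex unconditionally fails.
function parseAuthorityKeyIdentifier(value: Uint8Array): Aki {
  const f = children(value, readTlv(value, 0));
  const field = (tag: number) => f.filter((x) => x.tag === tag)[0];
  const kid = field(0x80);
  return { keyIdentifier: kid ? hex(value.subarray(kid.start, kid.end)) : null, hasIssuerAndSerial: !!field(0xa1) && !!field(0x82) };
}
function getAuthorityKeyIdentifier(der: Uint8Array): Aki | null {
  const ext = getExtensions(der).filter((e) => e.oid === '2.5.29.35')[0];
  return ext ? parseAuthorityKeyIdentifier(ext.value) : null;
}
// Hypothetical helper: cache key for a per-issuer revocation check is the AKI keyIdentifier
// when present, otherwise null (nothing to cache under; check by other means) instead of throwing.
function revocationCacheKey(der: Uint8Array): string | null {
  const aki = getAuthorityKeyIdentifier(der);
  return aki && aki.keyIdentifier ? aki.keyIdentifier : null;
}
```

On the leaf certificate above the walker finds only basicConstraints (critical) and the FIDO AAGUID extension, whose value matches the `aaguid` in the metadata statement, and no SKI or AKI at all, so `revocationCacheKey` returns null rather than throwing; on the constructed issuer-and-serial-only AKI it reports `keyIdentifier: null` with `hasIssuerAndSerial: true`, which is the shape the reporter saw on the MDS root. A CRL lookup can then fall back to matching the issuer by name and serial, or treat the cert as not revoked, but it should never dereference a key identifier that RFC 5280 makes optional.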

Issue Analytics

  • State: closed
  • Created 9 months ago
  • Comments: 10 (6 by maintainers)

Top GitHub Comments

MasterKale commented, Dec 11, 2022 (2 reactions)

I’ve posted about this root certificate issue in the fido-dev mailing list:

https://groups.google.com/a/fidoalliance.org/g/fido-dev/c/hhPYsFmhTaI

I believe that the FIDO Alliance should contact the IDMelon devs and request that they fix their root certificate issue in their authenticator metadata.

zkwzk commented, Dec 19, 2022 (1 reaction)

Thanks a lot @MasterKale, I will check on my side and update here later.


Top Results From Across the Web

  • Issues · MasterKale/SimpleWebAuthn - GitHub: isCertRevoked cannot work for the root cert which does not include the Subject Key Identifier field. #302 opened 7 days ago by zkwzk...
  • CA cert without Subject Key Identifier causes issuance failure: Consequently, the Certificate Authority (CA) failed to issue certificates if the CA signing certificate does not have the Subject Key Identifier (SKI) ...
  • Root CA and Authority Key Identifier - TechNet - Microsoft: Is it possible to have the Authority Key Identifier (AKI) included in ... AKI is not necessary in the root certificate as it...
  • The difference between Subject Key Identifier and ...: My intuition is that the subjectKeyIdentifier is the hash of the public-key of the certificate and the sha1Fingerprint is the hash of the ...
  • Clark Anton (@Mooneye14@hachyderm.io) - Hachyderm.io: isCertRevoked cannot work for the root cert which does not include the Subject Key Identifier field · Issue #302 · MasterKale/SimpleWebAuthn, GitHub.
