[webauthn] Bug: getAssertion accidentally calls authenticatorGetAssertion in first factor mode

emlun has just created a new issue for https://github.com/w3c/webauthn:

== Bug: getAssertion accidentally calls authenticatorGetAssertion in first factor mode ==
Step 16 of [§5.1.4.1][get] instructs to, for each `authenticator`:

1. Let `allowCredentialDescriptorList` be `options.allowCredentials` filtered to contain only the credentials bound to this `authenticator`.
2. If `allowCredentialDescriptorList` is empty, call `authenticatorGetAssertion` in first factor mode (i.e. with no `allowCredentialDescriptorList` argument)
3. If `allowCredentialDescriptorList` is not empty, call `authenticatorGetAssertion` in second factor mode (i.e. with a nonempty `allowCredentialDescriptorList` argument)

This means that if the RP sends `allowList: [{ type: "public-key", id: "AAAA" }]` and there is a 1st factor capable authenticator available which the client can identify as bound to the credential `BBBB` but not `AAAA`, the client will still call `authenticatorGetAssertion` on that authenticator with no `allowCredentialDescriptorList` argument. The authenticator will (with the user's consent) happily comply and return an assertion by credential `BBBB` instead of `AAAA`, and the RP will be confused.

Some possible solutions:

1. Remove the filtering step from `getAssertion` completely and let the similar filtering step in [`authenticatorGetAssertion`][authnr-get] do all the work. This has the drawback that unnecessarily many bytes may be sent to external authenticators.
2. Move the 1st factor mode invocation branch to before filtering, and skip the authenticator completely if `options.allowCredentials` is nonempty and is known to not intersect with the credentials available on the authenticator.

[get]: https://w3c.github.io/webauthn/#discover-from-external-source
[authnr-get]: https://w3c.github.io/webauthn/#op-get-assertion

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/685 using your GitHub account

Received on Monday, 13 November 2017 16:07:18 UTC
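The dispatch described in the issue, as an added example that is not part of the original message, the GitHub issue, or the WebAuthn spec text: a small JavaScript model of step 16 as the issue quotes it, beside the dispatch of the proposed solution 2. The authenticator objects, the credential ids `AAAA`/`BBBB`, and the `authenticatorGetAssertion` stand-in are all constructed here; `holds` models what an authenticator actually stores and `knownToClient` models what the client can tell is bound to it (`null` when the client has no such knowledge, as for an external authenticator with non-resident credentials).

```javascript
// Added example, not spec or issue code. Models the client-side loop over
// authenticators in getAssertion, first as written (the bug) and then as
// proposed in solution 2 of the issue.

// Constructed authenticator model. `holds`: credential ids the authenticator
// really stores. `knownToClient`: ids the client knows are bound to it, or
// null if the client cannot tell. `firstFactorCapable`: can assert with no
// allow list (discoverable credentials).
function makeAuthenticator(name, { holds, knownToClient = null, firstFactorCapable = false }) {
  return {
    name,
    holds: new Set(holds),
    knownToClient: knownToClient === null ? null : new Set(knownToClient),
    firstFactorCapable,
  };
}

// Stand-in for the authenticatorGetAssertion operation. With no allow list
// (first factor mode) the authenticator picks any credential it holds, user
// consent assumed. With an allow list (second factor mode) it may only use a
// credential that is both listed and held.
function authenticatorGetAssertion(authenticator, allowCredentialDescriptorList) {
  if (allowCredentialDescriptorList === undefined) {
    if (!authenticator.firstFactorCapable) return null;
    const [credentialId] = authenticator.holds; // first stored credential, if any
    return credentialId === undefined ? null : { authenticator: authenticator.name, credentialId };
  }
  for (const descriptor of allowCredentialDescriptorList) {
    if (authenticator.holds.has(descriptor.id)) {
      return { authenticator: authenticator.name, credentialId: descriptor.id };
    }
  }
  return null;
}

// Client-side filtering of allowCredentials down to the credentials known to
// be bound to this authenticator. If the client knows nothing about the
// authenticator's credentials it cannot filter and passes the list through.
function filterToAuthenticator(allowCredentials, authenticator) {
  if (authenticator.knownToClient === null) return allowCredentials;
  return allowCredentials.filter((d) => authenticator.knownToClient.has(d.id));
}

// Step 16 as the issue quotes it: filter first, then treat an EMPTY filtered
// list as a request for first factor mode. This is the reported bug: a
// nonempty RP allow list that the authenticator does not intersect turns into
// an unrestricted first factor request.
function getAssertionAsWritten(options, authenticators) {
  const assertions = [];
  for (const authenticator of authenticators) {
    const filtered = filterToAuthenticator(options.allowCredentials, authenticator);
    const assertion = filtered.length === 0
      ? authenticatorGetAssertion(authenticator)            // first factor mode
      : authenticatorGetAssertion(authenticator, filtered); // second factor mode
    if (assertion !== null) assertions.push(assertion);
  }
  return assertions;
}

// Solution 2 from the issue: decide on first factor mode from the RP's
// unfiltered allowCredentials before filtering, and skip an authenticator
// whose known credentials do not intersect a nonempty allow list.
function getAssertionProposed(options, authenticators) {
  const assertions = [];
  for (const authenticator of authenticators) {
    if (options.allowCredentials.length === 0) {
      const assertion = authenticatorGetAssertion(authenticator); // first factor mode
      if (assertion !== null) assertions.push(assertion);
      continue;
    }
    const filtered = filterToAuthenticator(options.allowCredentials, authenticator);
    if (filtered.length === 0) continue; // known not to hold any listed credential: skip
    const assertion = authenticatorGetAssertion(authenticator, filtered); // second factor mode
    if (assertion !== null) assertions.push(assertion);
  }
  return assertions;
}

// The scenario from the issue (constructed values): the RP allows only
// "AAAA"; the one available authenticator is first factor capable and the
// client knows it holds "BBBB" only.
const issueScenario = {
  options: { allowCredentials: [{ type: "public-key", id: "AAAA" }] },
  authenticators: [
    makeAuthenticator("key-1", { holds: ["BBBB"], knownToClient: ["BBBB"], firstFactorCapable: true }),
  ],
};

console.log("as written:", getAssertionAsWritten(issueScenario.options, issueScenario.authenticators));
console.log("proposed:  ", getAssertionProposed(issueScenario.options, issueScenario.authenticators));
```

With the as-written dispatch the log shows an assertion by `BBBB` from `key-1`, which the RP never asked for; with the proposed dispatch `key-1` is skipped and the result is empty. An authenticator with `knownToClient: null` holding `AAAA` is handled the same way by both versions, since the unfiltered list reaches it in second factor mode.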