Yubico/libfido2

WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT is defined with wrong value

ntwerdochlib opened this issue · 1 comment

What version of libfido2 are you using?
v1.12.0

What operating system are you running?
Microsoft Windows

What application are you using in conjunction with libfido2?
N/A

How does the problem manifest itself?
The values defined in src/webauthn.h for direct and indirect are inverted:

#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_ANY 0
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_NONE 1
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT 2
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT 3

Per https://learn.microsoft.com/en-us/windows/win32/webauthn/webauthn-constants:
WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_ANY (0)
WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_NONE (1)
WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT (2)
WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT (3)

Is the problem reproducible?
Yes. When registering a credential under Windows, the libfido2 code defaults the dwAttestationConveyancePreference to WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT, which is defined as

What are the steps that lead to the problem?
Call fido_dev_make_cred() under Windows

Does the problem happen with different authenticators?
Yes

LDVG commented

Hi,

We use a copy of webauthn.h as retrieved from the microsoft/webauthn repository, which has the same values for the attestation conveyance. The same header file contained in the Windows SDK also has the same definitions.

Running the code, I believe the defines are correct and Microsoft's documentation is incorrect (i.e. the aaguid/attestation statement does not look anonymized to me when using WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT). Do you have an example of this implementation exhibiting the wrong behavior?
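
The check described in the comment above (does the registration result look anonymized?) can be scripted to confirm empirically which numeric value behaves as "direct". This is an added example, not part of the issue thread or of libfido2: `classify_attestation`, `matches_preference`, the verdict enum and the sample AAGUIDs are hypothetical, and it assumes that a client honoring "none" returns the attestation format "none" with an all-zero AAGUID.

```c
#include <stddef.h>
#include <string.h>
/* Values exactly as the issue quotes them from src/webauthn.h. */
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_ANY      0
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_NONE     1
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT 2
#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT   3

/* Hypothetical verdicts for this example; not part of libfido2 or webauthn.h. */
enum att_verdict { ATT_INVALID = -1, ATT_ANONYMIZED, ATT_AAGUID_ONLY, ATT_CONVEYED };

/* Constructed sample AAGUIDs, not taken from any real authenticator. */
static const unsigned char sample_zero_aaguid[16] = { 0 };
static const unsigned char sample_aaguid[16] = { 0x01, 0x02, 0x03, 0x04 };

/* Classify a registration result by its attestation format and AAGUID. */
enum att_verdict classify_attestation(const char *fmt, const unsigned char *aaguid, size_t len)
{
	unsigned char acc = 0;
	if (fmt == NULL || aaguid == NULL)
		return ATT_INVALID;
	if (strcmp(fmt, "none") != 0)
		return ATT_CONVEYED;	/* an attestation statement is present */
	for (size_t i = 0; i < len; i++)
		acc |= aaguid[i];	/* stays 0 only if every byte is 0 */
	return acc == 0 ? ATT_ANONYMIZED : ATT_AAGUID_ONLY;
}

/* Return 1 if the observed verdict fits the requested preference, else 0. */
int matches_preference(unsigned long pref, enum att_verdict v)
{
	switch (pref) {
	case WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT:
		return v == ATT_CONVEYED;
	case WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_NONE:
		return v == ATT_ANONYMIZED;
	case WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_ANY:
	case WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT:
		return v != ATT_INVALID;	/* the client may choose either outcome */
	default:
		return 0;		/* unknown preference value */
	}
}

int main(void)
{
	int ok = matches_preference(3, classify_attestation("packed", sample_aaguid, 16));
	ok &= matches_preference(1, classify_attestation("none", sample_zero_aaguid, 16));
	return ok ? 0 : 1;
}
```

In a libfido2 program the format and AAGUID would come from `fido_cred_fmt()` and `fido_cred_aaguid_ptr()`/`fido_cred_aaguid_len()` after `fido_dev_make_cred()`. An authenticator that itself emits the "none" format will not classify as conveyed even under a direct request, so treat the result as a heuristic.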