fido2-net-lib https://github.com/abergs/fido2-net-lib を分析している (2019/03/03) 。
{
"rp": {
"id": "localhost",
"name": "Fido2 test"
},
"user": {
"name": "aaa@example.com",
"id": "YWFhQGV4YW1wbGUuY29t",
"displayName": "Display aaa@example.com"
},
"challenge": "U8iy6iV6nyXjWph2he3KwA",
"pubKeyCredParams": [
{
"type": "public-key",
"alg": -7
},
{
"type": "public-key",
"alg": -257
},
{
"type": "public-key",
"alg": -37
},
{
"type": "public-key",
"alg": -35
},
{
"type": "public-key",
"alg": -258
},
{
"type": "public-key",
"alg": -38
},
{
"type": "public-key",
"alg": -36
},
{
"type": "public-key",
"alg": -259
},
{
"type": "public-key",
"alg": -39
},
{
"type": "public-key",
"alg": -65535
}
],
"timeout": 60000,
"attestation": "none",
"authenticatorSelection": {
"requireResidentKey": false,
"userVerification": "preferred"
},
"excludeCredentials": [],
"extensions": {
"exts": true,
"uvi": true,
"loc": true,
"uvm": true,
"biometricPerfBounds": {
"FAR": 3.40282347e+38,
"FRR": 3.40282347e+38
}
},
"status": "ok",
"errorMessage": ""
}
{
"rp": {
"id": "localhost",
"name": "Fido2 test"
},
"user": {
"name": "aaa@example.com",
"id": {ArrayBuffer(15)},
"displayName": "Display aaa@example.com"
},
"challenge": {ArrayBuffer(16)},
"pubKeyCredParams": [
{
"type": "public-key",
"alg": -7
},
{
"type": "public-key",
"alg": -257
},
{
"type": "public-key",
"alg": -37
},
{
"type": "public-key",
"alg": -35
},
{
"type": "public-key",
"alg": -258
},
{
"type": "public-key",
"alg": -38
},
{
"type": "public-key",
"alg": -36
},
{
"type": "public-key",
"alg": -259
},
{
"type": "public-key",
"alg": -39
},
{
"type": "public-key",
"alg": -65535
}
],
"timeout": 60000,
"attestation": "none",
"authenticatorSelection": {
"requireResidentKey": false,
"userVerification": "preferred"
},
"excludeCredentials": [],
"extensions": {
"exts": true,
"uvi": true,
"loc": true,
"uvm": true,
"biometricPerfBounds": {
"FAR": 3.40282347e+38,
"FRR": 3.40282347e+38
}
},
"status": "ok",
"errorMessage": ""
}
{
"id": "XgQL5lEqNiwJjR20PbJ2jeohu_C9IU8a03umfcXaHpF8qz_7oZx9bPgViOMWm7J7RaZYCo_oglDbDenGfwd5IA",
"rawId": "ArrayBuffer(64)",
"response(AuthenticatorAttestationResponse)": {
"attestationObject": "ArrayBuffer(226)",
"clientDataJSON": "ArrayBuffer(98)"
},
"type": "public-key",
}
{
"id": "XgQL5lEqNiwJjR20PbJ2jeohu_C9IU8a03umfcXaHpF8qz_7oZx9bPgViOMWm7J7RaZYCo_oglDbDenGfwd5IA",
"rawId": "XgQL5lEqNiwJjR20PbJ2jeohu_C9IU8a03umfcXaHpF8qz_7oZx9bPgViOMWm7J7RaZYCo_oglDbDenGfwd5IA",
"type": "public-key",
"extensions": {},
"response": {
"AttestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVjESZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NBAAAAOwAAAAAAAAAAAAAAAAAAAAAAQF4EC-ZRKjYsCY0dtD2ydo3qIbvwvSFPGtN7pn3F2h6RfKs_-6GcfWz4FYjjFpuye0WmWAqP6IJQ2w3pxn8HeSClAQIDJiABIVggZYp4zvvIsAa45MBTfKoDArfr9G4JslQzHNBQiHoiIEQiWCA7Cs8aAvbCGX6IjPOf0zV8E7ynD-01sKg8boDbr4kLRQ",
"clientDataJson": "eyJjaGFsbGVuZ2UiOiJVOGl5NmlWNm55WGpXcGgyaGUzS3dBIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMjkiLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0"
}
}
{
"result": {
"publicKey": "pQECAyYgASFYIGWKeM77yLAGuOTAU3yqAwK36_RuCbJUMxzQUIh6IiBEIlggOwrPGgL2whl-iIzzn9M1fBO8pw_tNbCoPG6A26-JC0U",
"user": {
"name": "aaa@example.com",
"id": "YWFhQGV4YW1wbGUuY29t",
"displayName": "Display aaa@example.com"
},
"credType": "none",
"aaguid": "00000000-0000-0000-0000-000000000000",
"credentialId": "XgQL5lEqNiwJjR20PbJ2jeohu/C9IU8a03umfcXaHpF8qz/7oZx9bPgViOMWm7J7RaZYCo/oglDbDenGfwd5IA==",
"counter": 59,
"status": null,
"errorMessage": null
},
"status": "ok",
"errorMessage": ""
}
{
"challenge": "w9PA4LdyXmYeYgC12J6_6Q",
"timeout": 60000,
"rpId": "localhost",
"allowCredentials": [
{
"type": "public-key",
"id": "XgQL5lEqNiwJjR20PbJ2jeohu_C9IU8a03umfcXaHpF8qz_7oZx9bPgViOMWm7J7RaZYCo_oglDbDenGfwd5IA"
}
],
"userVerification": "discouraged",
"extensions": {
"appid": "https://localhost:44329",
"txAuthSimple": "FIDO",
"txAuthGenericArg": {
"contentType": "text/plain",
"content": "RklETw=="
},
"uvi": true,
"loc": true,
"uvm": true
},
"status": "ok",
"errorMessage": ""
}
{
"challenge": {
"0": 195,
"1": 211,
"2": 192,
"3": 224,
"4": 183,
"5": 114,
"6": 94,
"7": 102,
"8": 30,
"9": 98,
"10": 0,
"11": 181,
"12": 216,
"13": 158,
"14": 191,
"15": 233
},
"timeout": 60000,
"rpId": "localhost",
"allowCredentials": [
{
"type": "public-key",
"id": {
"0": 94,
"1": 4,
"2": 11,
"3": 230,
"4": 81,
"5": 42,
"6": 54,
"7": 44,
"8": 9,
"9": 141,
"10": 29,
"11": 180,
"12": 61,
"13": 178,
"14": 118,
"15": 141,
"16": 234,
"17": 33,
"18": 187,
"19": 240,
"20": 189,
"21": 33,
"22": 79,
"23": 26,
"24": 211,
"25": 123,
"26": 166,
"27": 125,
"28": 197,
"29": 218,
"30": 30,
"31": 145,
"32": 124,
"33": 171,
"34": 63,
"35": 251,
"36": 161,
"37": 156,
"38": 125,
"39": 108,
"40": 248,
"41": 21,
"42": 136,
"43": 227,
"44": 22,
"45": 155,
"46": 178,
"47": 123,
"48": 69,
"49": 166,
"50": 88,
"51": 10,
"52": 143,
"53": 232,
"54": 130,
"55": 80,
"56": 219,
"57": 13,
"58": 233,
"59": 198,
"60": 127,
"61": 7,
"62": 121,
"63": 32
}
}
],
"userVerification": "discouraged",
"extensions": {
"appid": "https://localhost:44329",
"txAuthSimple": "FIDO",
"txAuthGenericArg": {
"contentType": "text/plain",
"content": "RklETw=="
},
"uvi": true,
"loc": true,
"uvm": true
},
"status": "ok",
"errorMessage": ""
}
{
"id": "XgQL5lEqNiwJjR20PbJ2jeohu_C9IU8a03umfcXaHpF8qz_7oZx9bPgViOMWm7J7RaZYCo_oglDbDenGfwd5IA",
"rawId": "ArrayBuffer(64) {}",
"response(AuthenticatorAssertionResponse)": {
"authenticatorData": "ArrayBuffer(37) {}",
"clientDataJSON": "ArrayBuffer(202) {}",
"signature": "ArrayBuffer(71) {}",
"userHandle": "ArrayBuffer(0) {}",
},
"type": "public-key",
}
{
"id": "XgQL5lEqNiwJjR20PbJ2jeohu_C9IU8a03umfcXaHpF8qz_7oZx9bPgViOMWm7J7RaZYCo_oglDbDenGfwd5IA",
"rawId": "XgQL5lEqNiwJjR20PbJ2jeohu_C9IU8a03umfcXaHpF8qz_7oZx9bPgViOMWm7J7RaZYCo_oglDbDenGfwd5IA",
"type": "public-key",
"extensions": {
"appid": false
},
"response": {
"authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MBAAAAPQ",
"clientDataJson": "eyJjaGFsbGVuZ2UiOiJ3OVBBNExkeVhtWWVZZ0MxMko2XzZRIiwibmV3X2tleXNfbWF5X2JlX2FkZGVkX2hlcmUiOiJkbyBub3QgY29tcGFyZSBjbGllbnREYXRhSlNPTiBhZ2FpbnN0IGEgdGVtcGxhdGUuIFNlZSBodHRwczovL2dvby5nbC95YWJQZXgiLCJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDo0NDMyOSIsInR5cGUiOiJ3ZWJhdXRobi5nZXQifQ",
"signature": "MEUCIAOzC-3dbiDcyZtlIEP39EOctwQNe8XMXNtqKs71fOi3AiEAsOiKJr_qF7oCsDuYlAYdaN_nDot1EAAAwykbF-B8aXg"
}
}
{
"credentialId": "XgQL5lEqNiwJjR20PbJ2jeohu/C9IU8a03umfcXaHpF8qz/7oZx9bPgViOMWm7J7RaZYCo/oglDbDenGfwd5IA==",
"counter": 61,
"status": "ok",
"errorMessage": ""
}

daisukenishino2 commented Mar 15, 2019

ちょっと疑問(2つ以上のカギの登録)

概要

fido2-net-libのストア設計を見ると、
公開鍵が複数登録可能に見えるが本当か?

確認

重複登録

認証器を重複して登録しようとすると、
FIDO2Serverは、excludeCredentialsに以下の様に値を設定する。

"excludeCredentials": [
    {
        "type": "public-key",
        "id": "xzJdD_Fl8_MlGjM00owaGLIdAklEnNktohB5wuaylsWlzAxbuOcIks7eXN4yVFy4or1ZyVKCgEAv6iSGNqOJAg"
    }
],

例外発生

この公開鍵は、当該認証器が生成したものであると判別できるようで、Chromeのnavigator.credentials.create()メソッドから「The user attempted to register an authenticator that contains one of the credentials already registered with the relying party.」というメッセージが返される。
image

結論

異なる認証器を使用すれば、
2つ以上のカギを登録可能であるため、
削除処理はリスト形式にする必要がある。

※ ただし、Googleなんかは1つしか登録できない(Microsoftは不明)。
