SimpleWebAuthn: A handful of server errors coming from Windows devices
Hi @MasterKale ! We’re using SimpleWebAuthn at https://github.com/padloc/padloc (server and client) and we’ve been seeing quite a few errors for Windows devices, failing authentication. These vary, but always fall into one of these two:

```
Error: PubArea unique is not same as public key x and y (TPM|ECC)
    at verifyAttestationTPM (/padloc/packages/server/node_modules/@simplewebauthn/server/src/registration/verifications/tpm/verifyAttestationTPM.ts:115:13)
    at verifyRegistrationResponse (/padloc/packages/server/node_modules/@simplewebauthn/server/src/registration/verifyRegistrationResponse.ts:223:42)
    at WebAuthnServer.activateAuthenticator (/padloc/packages/server/src/auth/webauthn.ts:116:80)
```

Stack Trace:

```
Error: Public key algorithm [object Object] did not match any metadata algorithms [] (TPM)
    at verifyAttestationTPM (/padloc/packages/server/node_modules/@simplewebauthn/server/src/registration/verifications/tpm/verifyAttestationTPM.ts:267:13)
    at runMicrotasks ()
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at verifyRegistrationResponse (/padloc/packages/server/node_modules/@simplewebauthn/server/src/registration/verifyRegistrationResponse.ts:223:16)
    at WebAuthnServer.activateAuthenticator (/padloc/packages/server/src/auth/webauthn.ts:116:48)
```
We’re wondering if there’s something we should do differently, or if these are a symptom of something else (like Windows Hello)?
Thanks!
FYI @MaKleSoft
About this issue
- State: closed
- Created 2 years ago
- Comments: 28 (15 by maintainers)
Commits related to this issue
- Add missing translations check Also send params for the authenticator endpoint when it fails, so we can try to see if there's any helpful information there (related to the Windows errors reported in ... — committed to padloc/padloc by BrunoBernardino 2 years ago
- Add missing translations check (#530) * Add missing translations check Also send params for the authenticator endpoint when it fails, so we can try to see if there's any helpful information there ... — committed to padloc/padloc by BrunoBernardino 2 years ago
- Upgrade webauthn for the server To confirm the fix in https://github.com/MasterKale/SimpleWebAuthn/issues/238 — committed to padloc/padloc by BrunoBernardino 2 years ago
- Update simplewebauthn/server as per https://github.com/MasterKale/SimpleWebAuthn/issues/238#issuecomment-1211594270 — committed to padloc/padloc by BrunoBernardino 2 years ago
Yes, that’s correct, both are improvements to server. I figured out how to fix the second bug already, I’m just confirming some values with industry contacts for a bit of validation of my fix. I can probably release the second fix within the next few days to close out this issue.
Alright, I found the metadata statement for aaguid `08987058-cadc-4b81-b6e1-30de50dcbe96` in that response. It’s for a “Windows Hello Hardware Authenticator”, and the statement defines the following `authenticationAlgorithms`:

Unfortunately I wasn’t able to map this algorithm to COSE info because the FIDO registry I referenced at the time didn’t have values for this one. I see that v2.2 of the registry does at least reference it, so I’ll attempt to define COSE info for at least this algorithm. I’m pretty sure once I can do that then the second error will go away.
Stay tuned 👀
@MasterKale yeah it verifies just fine without the meta service. I also tried using the mds3.fidoalliance.org URL.
For what it’s worth, when I exclusively set the allowed pubKeyCredential to -257 it got past this particular error but then hit the following one about the attestation statement alg not matching.
Hi @MasterKale the AAGUID is:

`08987058-cadc-4b81-b6e1-30de50dcbe96`

Windows 11 Pro 22H2 Build: 22621.1992
Hope this helps!
@AdamJessop That looks like you’re getting an ECC public key back from Windows Hello but FIDO Metadata hasn’t updated to include the ECC parameters as a supported algorithm. I’ll ask around and see if anyone on FIDO’s side can update this.
I’ll need the AAGUID of that statement, though. Can you please provide that, or a JSON Hello response I can’t pull it out of myself, along with Windows version (and build number too if you can)?
It appears that this issue has reared its head again, or at least that is what I am seeing using 7.4.0
Thanks for the heads up @MasterKale . I’ve updated it in https://github.com/padloc/padloc/commit/dd5bf222833e36279eb8c04664616e6ea17db4c5 and will deploy in a bit.
@BrunoBernardino I received confirmation today from a member of the FIDO Alliance that the MDS metadata statements for those Windows Hello registrations incorrectly included the unsupported algorithm `"rsa_emsa_pkcs1_sha256_raw"` in their list of authentication algorithms. The very latest metadata was regenerated (as of several hours ago), and the statements should now include `"rsassa_pkcsv15_sha256_raw"` instead.

Practically speaking, you should do the following as soon as you can:

`MetadataService.initialize()` is called again)

That should get you into the “right” metadata state and avoid any further metadata-related issues due to references to those EMSA algorithms.
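To show why the stale metadata produced `did not match any metadata algorithms []`, here is an added TypeScript example (my own illustration, not SimpleWebAuthn's code; the registry-name map, the sample key and the helper names are assumptions): a metadata statement whose only algorithm name has no COSE mapping yields an empty allowed list, so every key fails, while the regenerated name matches the RS256 key that Windows Hello returns.

```typescript
// Added example (not SimpleWebAuthn's own code): matching a credential's
// COSE public key against the authenticationAlgorithms of an MDS statement.

// COSE key parameters carried by a registration's credential public key.
interface COSEInfo {
  kty: number;   // COSE key type: 2 = EC2, 3 = RSA
  alg: number;   // COSE algorithm: -7 = ES256, -257 = RS256
  crv?: number;  // COSE curve for EC2 keys: 1 = P-256
}

// Subset of the FIDO Registry of Predefined Values mapped to COSE (assumed
// table). "rsa_emsa_pkcs1_sha256_raw" is deliberately absent, as in the
// thread: the faulty statements carried it and no COSE mapping was available.
const REGISTRY_TO_COSE: Record<string, COSEInfo> = {
  secp256r1_ecdsa_sha256_raw: { kty: 2, alg: -7, crv: 1 },
  rsassa_pkcsv15_sha256_raw: { kty: 3, alg: -257 },
};

// Translate a statement's authenticationAlgorithms into the COSE parameter
// sets it permits. Unknown names are reported separately so a caller can tell
// "metadata permits nothing" from "metadata uses names we cannot interpret",
// instead of surfacing only an empty [] as in the reported error.
function metadataAlgorithms(names: string[]): { allowed: COSEInfo[]; unknown: string[] } {
  const allowed: COSEInfo[] = [];
  const unknown: string[] = [];
  for (const name of names) {
    const info = REGISTRY_TO_COSE[name];
    if (info) allowed.push(info); else unknown.push(name);
  }
  return { allowed, unknown };
}

// True when the credential public key is one the statement says the
// authenticator can produce (kty and alg must agree; crv too for EC2 keys).
function keyMatchesMetadata(key: COSEInfo, names: string[]): boolean {
  const { allowed } = metadataAlgorithms(names);
  return allowed.some(a =>
    a.kty === key.kty && a.alg === key.alg && (a.kty !== 2 || a.crv === key.crv));
}

// Constructed sample: a Windows Hello RSA key (RS256, COSE alg -257).
const helloRsaKey: COSEInfo = { kty: 3, alg: -257 };
// The statement as it was before the FIDO Alliance regenerated it...
const staleStatement: string[] = ['rsa_emsa_pkcs1_sha256_raw'];
// ...and after the fix.
const fixedStatement: string[] = ['rsassa_pkcsv15_sha256_raw'];

function demo(): boolean[] {
  return [keyMatchesMetadata(helloRsaKey, staleStatement),   // false
          keyMatchesMetadata(helloRsaKey, fixedStatement)];  // true
}
```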
Thanks @MasterKale we’ve had it running for over 12 hours with no issues so far, I’ll close this issue and will comment/reopen if something else shows up.
Thank you again so much!
Ok, here we go:
And here the resulting error message again:
Thanks! Your response is amazing as always.
Yes, we’re using `MetadataService` with the default mds server. We’ve started logging the input params for these requests yesterday. I’ll send you a sample as soon as the error occurs again.
@BrunoBernardino I just landed #239 which should solve that first issue you mentioned. I’ll cut a release with that fix sometime this weekend.
I would bet there is some sort of parsing error for that first case; Windows currently only does RSA keys for TPM attestations with Windows Hello.