FIDO2 device registration not working with Firefox on Windows
@davidc reported that in Firefox on Windows FIDO2 device registration with a Yubikey 5C NFC fails. I was able to reproduce the problem with a Solokey in Firefox 98.0.2 on Windows. The POST /mfa/setup/webauthn/complete request fails with an exception:
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/flask/app.py", line 2091, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/lib/python3.10/site-packages/flask/app.py", line 2076, in wsgi_app
    response = self.handle_exception(e)
  File "/usr/lib/python3.10/site-packages/flask/app.py", line 2073, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python3.10/site-packages/flask/app.py", line 1518, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python3.10/site-packages/flask/app.py", line 1516, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python3.10/site-packages/flask/app.py", line 1502, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
  File "/home/julian/cccv/uffd/uffd/session/views.py", line 114, in decorator
    return func(*args, **kwargs)
  File "/home/julian/cccv/uffd/uffd/csrf/csrf.py", line 27, in decorator
    return func(*args, **kwargs)
  File "/home/julian/cccv/uffd/uffd/mfa/views.py", line 164, in setup_webauthn_complete
    att_obj = AttestationObject(data["attestationObject"])
  File "/usr/lib/python3.10/site-packages/fido2/ctap2/base.py", line 435, in __init__
    self.auth_data = AuthenticatorData(data[AttestationObject.KEY.AUTH_DATA])
  File "/usr/lib/python3.10/site-packages/fido2/ctap2/base.py", line 300, in __init__
    self.credential_data, rest = AttestedCredentialData.unpack_from(rest)
  File "/usr/lib/python3.10/site-packages/fido2/ctap2/base.py", line 246, in unpack_from
    parts = cls.parse(data)
  File "/usr/lib/python3.10/site-packages/fido2/ctap2/base.py", line 217, in parse
    cred_id = reader.read(reader.unpack(">H"))
  File "/usr/lib/python3.10/site-packages/fido2/utils.py", line 140, in read
    raise ValueError(
ValueError: Not enough data to read (need: 8401, had: 132).
Minimal example with data from registration attempts with Firefox 98.0.1 on Linux and Firefox 98.0.2 on Windows using the same Solokey authenticator:
from fido2.ctap2 import AttestationObject
attestationObject_firefox_linux = b'\xa3cfmtdnonegattStmt\xa0hauthDataX\xb4!?\x19@\x0f\xe9v\x1c5K\x92:\xeb|\xc5\xc5L\xf7\xfa\xbf.\xef\x1a\xc6\xa4\xf4\x88\xb84\x86\x05\x11A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x000/\x93\xc5\x10\x04\x10\xc3|a\x18\x07\x8a\xc6\x87\xa3\x82\xb4\xc8\x81\x19\xff\xca\x88\xed\xa9\xbb\xf1!^s"\x05\xd6(\xfcX\xee\xc0\x8e\xca\xf1\xbf\x84\x91\xb2@\xdc\x05\xa5\x01\x02\x03& \x01!X w\xaf{\xf0\xe8j\xce\x0b:\x99\xfb7\xd3\xe2\xab\xaf\xd6JE\xac\xb0\x0bV%\xb0\xe0\x13\n\x0f\x15\xee\x8e"X v\x0e\xed\xf0\xfc\xfea\xb4\xd5\x8d\x8a\x81\xe8\x03\xf3Z\xb1+\x9f\x1b+q#\x16\x8dP\xd0\xee\xed(\xd8\x0e'
attestationObject_firefox_windows = b'\xa3cfmtdnonegattStmt\xa0hauthDataX\xbb!?\x19@\x0f\xe9v\x1c5K\x92:\xeb|\xc5\xc5L\xf7\xfa\xbf.\xef\x1a\xc6\xa4\xf4\x88\xb84\x86\x05\x11A\x00\x00\x07O\x00\x00FGJ\xd3b>\x07\x11\xda\xad\xf6Q\xdb_ \xd1e\x08D>^\xa1\xd6\xcd\x9f\xa2\xc5\xac\xe1\xd7\x98\t\x13\xb7c!?\x19@\x0f\xe9v\x1c5K\x92:\xeb|\xc5\xc5L\xf7\xfa\xbf.\xef\x1a\xc6\xa4\xf4\x88\xb84\x86\x05\x11O\x07\x00\x00\xa5\x01\x02\x03& \x01!X \r\xaet\xd8\x18\xd0\xff\x9dnL9\xd6\xb9\x1a\x9f\xc7O\xe0\xc5\xeb\xea\xd1\x8d\x80\xb5\x06\xe9\xa3\x8a\xd0\xe6\x85"X \x02\x0cy\x945O\xca\xaa\xa1\xed<*\xd4\x0bc}\x13*\x01\xa2\xfa\xff;\xb1\xf4\xde\xc4\x9c\x81\xbb\x95\xae'
AttestationObject(attestationObject_firefox_linux) # works
AttestationObject(attestationObject_firefox_windows) # raises a ValueError
I found this Firefox bug report that looks related. It describes that a sequence of 16 \x00 bytes is wrongly collapsed into a single byte. attestationObject_firefox_linux contains a sequence of 16 \x00 bytes, attestationObject_firefox_windows does not. Also, registration on https://webauthn.io/ does not seem to work in Firefox on Windows either. So I guess it is a recent regression in Firefox.
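
As an added example (not part of the original report, and not uffd or python-fido2 code), the sketch below shows a server-side check that tells this failure apart from other malformed input, so the registration endpoint can reject it cleanly and log a precise reason. It assumes the authenticator data layout from the WebAuthn specification (32-byte rpIdHash, flags byte, 4-byte counter, 16-byte AAGUID, 2-byte credential ID length, credential ID, COSE key); the function names and sample bytes are constructed for illustration, and the 1-byte AAGUID case models the collapse described in the linked Firefox bug.

```python
import struct

HEADER_LEN = 32 + 1 + 4   # rpIdHash | flags | signCount
FLAG_AT = 0x40            # attested credential data present (required at registration)

def parse_attested(auth_data, aaguid_len=16):
    """Return aaguid/cred_id/cose_key if auth_data is consistent with the
    given AAGUID length, else None. 16 is the only length the spec allows."""
    if len(auth_data) < HEADER_LEN or not auth_data[32] & FLAG_AT:
        return None
    off = HEADER_LEN + aaguid_len
    if len(auth_data) < off + 2:
        return None
    (cred_len,) = struct.unpack_from(">H", auth_data, off)
    rest = auth_data[off + 2:]
    # The COSE key after the credential ID must start a small CBOR map (0xa0..0xb7).
    if cred_len >= len(rest) or not 0xA0 <= rest[cred_len] <= 0xB7:
        return None
    return {"aaguid": auth_data[HEADER_LEN:off],
            "cred_id": rest[:cred_len], "cose_key": rest[cred_len:]}

def classify(auth_data):
    """'ok', 'aaguid-collapsed' (parses only with a 1-byte AAGUID), or 'malformed'."""
    if parse_attested(auth_data, 16):
        return "ok"
    if parse_attested(auth_data, 1):
        return "aaguid-collapsed"
    return "malformed"

# Constructed sample data (not the byte strings from the report).
RP_HASH = bytes([0x11]) * 32
CRED_ID = bytes(range(48))
COSE_KEY = (bytes.fromhex("a501020326200121") + b"\x58\x20" + bytes([0x22]) * 32
            + b"\x22\x58\x20" + bytes([0x33]) * 32)

def build(aaguid):
    """Assemble authenticator data around the given AAGUID bytes."""
    return (RP_HASH + bytes([0x41]) + struct.pack(">I", 0) + aaguid
            + struct.pack(">H", len(CRED_ID)) + CRED_ID + COSE_KEY)

GOOD = build(bytes(16))      # spec-conformant all-zero AAGUID
COLLAPSED = build(bytes(1))  # the 16 zero bytes reduced to a single byte

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("collapsed", COLLAPSED)):
        print(name, len(blob), classify(blob))
```

With a 16-byte AAGUID assumed, the collapsed sample yields a credential ID length read from inside the credential ID itself, which is the same kind of implausible length as the `need: 8401` in the traceback.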