Bug 247344

Summary: [WebAuthn] Incorrect RP ID hash when using U2F keys
Product: WebKit
Reporter: pascoe <pascoe>
Component: WebKit Misc.
Assignee: pascoe <pascoe>
Status: NEW
Severity: Major
CC: gianluca.varisco, joost.vandijk, webkit-bug-importer
Priority: P1
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Description pascoe@apple.com 2022-11-01 16:33:51 PDT
This causes registrations to fail whenever we fall back to U2F or the key only supports U2F.
Comment 1 pascoe@apple.com 2022-11-01 16:34:00 PDT
rdar://100466116
Comment 2 Joost van Dijk 2022-11-04 02:00:09 PDT
To reproduce:

Point your browser at https://demo.yubico.com/webauthn-technical/registration and use your U2F security key to register a FIDO credential. When the RP ID Hash mismatch occurs, you will get an error message: Wrong RP ID hash in response.

OR

Point your browser at https://webauthn.io/ and click Advanced Settings. In the Registration Settings, uncheck "Require User Verification" and select "Cross-Platform" as Authenticator Attachment. Then click "Register" and use your U2F security key to register a FIDO credential.

When the RP ID Hash mismatch occurs, you will get an error message: Registration failed: Unexpected RP ID hash.
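
The relying-party check behind both error messages above, as an added example that is not part of the bug thread and not code from WebKit or either demo site. It assumes the CTAP U2F mapping (rpIdHash taken from the U2F application parameter, flags UP|AT, signCount 0, all-zero AAGUID); the function names, the RP ID `example.test` and all sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data included


def parse_auth_data_header(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags, sign_count = struct.unpack(">BI", auth_data[32:37])
    return {"rp_id_hash": auth_data[:32], "flags": flags, "sign_count": sign_count}


def rp_id_hash_matches(auth_data: bytes, rp_id: str) -> bool:
    """Relying-party check: rpIdHash must equal SHA-256 of the RP ID the RP expects."""
    expected = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return hmac.compare_digest(parse_auth_data_header(auth_data)["rp_id_hash"], expected)


def synthesize_u2f_auth_data(hash_input: str, cred_id: bytes, cose_key: bytes) -> bytes:
    """Authenticator data as a client builds it for a U2F registration:
    application parameter as rpIdHash, flags UP|AT, signCount 0, all-zero AAGUID."""
    rp_id_hash = hashlib.sha256(hash_input.encode("utf-8")).digest()
    header = rp_id_hash + struct.pack(">BI", FLAG_UP | FLAG_AT, 0)
    attested = bytes(16) + struct.pack(">H", len(cred_id)) + cred_id + cose_key
    return header + attested


# Constructed sample values (not taken from the bug report).
RP_ID = "example.test"
CRED_ID = bytes(range(64))
COSE_KEY = b"\xa0"  # placeholder CBOR (empty map); a real response carries an EC2 P-256 key

good = synthesize_u2f_auth_data(RP_ID, CRED_ID, COSE_KEY)
# Hash taken over a different string than the RP ID: a constructed mismatch,
# not a statement of what WebKit actually hashed.
bad = synthesize_u2f_auth_data("https://example.test", CRED_ID, COSE_KEY)

if __name__ == "__main__":
    for name, data in (("good", good), ("bad", bad)):
        print(name, parse_auth_data_header(data)["flags"], rp_id_hash_matches(data, RP_ID))
```
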
Comment 3 pascoe@apple.com 2022-11-28 08:07:28 PST
rdar://102718464
Comment 4 pascoe@apple.com 2022-11-28 08:17:06 PST
Pull request: https://github.com/WebKit/WebKit/pull/6862
Comment 5 pascoe@apple.com 2022-11-28 10:51:56 PST
rdar://100466116
Comment 6 Joost van Dijk 2023-11-02 02:14:43 PDT
Seems to be resolved with Safari 17.1