247344 – [WebAuthn] Incorrect RP ID hash when using U2F keys

Bug 247344 - [WebAuthn] Incorrect RP ID hash when using U2F keys

Summary: [WebAuthn] Incorrect RP ID hash when using U2F keys

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit Misc. (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P1 Major
Assignee:	pascoe@apple.com

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2022-11-01 16:33 PDT by pascoe@apple.com
Modified:	2023-11-02 02:14 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description pascoe@apple.com 2022-11-01 16:33:51 PDT

This causes registrations to fail whenever we fall back to U2F or the key only supports U2F.

Comment 1 pascoe@apple.com 2022-11-01 16:34:00 PDT

rdar://100466116

Comment 2 Joost van Dijk 2022-11-04 02:00:09 PDT

To reproduce:

Point your browser at https://demo.yubico.com/webauthn-technical/registration and use your U2F security key to register a FIDO credential. When the RP ID Hash mismatch occurs, you will get an error message: Wrong RP ID hash in response.

OR

Point your browser at https://webauthn.io/ and click Advanced Settings. In the Registration Settings, Uncheck "Require User Verification" and select "Cross-Platform" as Authenticator Attachment. Then click "Register" and use your U2F security key to register a FIDO credential.

When the RP ID Hash mismatch occurs, you will get an error message: Registration failed: Unexpected RP ID hash.

Comment 3 pascoe@apple.com 2022-11-28 08:07:28 PST

rdar://102718464

Comment 4 pascoe@apple.com 2022-11-28 08:17:06 PST

Pull request: https://github.com/WebKit/WebKit/pull/6862

Comment 5 pascoe@apple.com 2022-11-28 10:51:56 PST

rdar://100466116

Comment 6 Joost van Dijk 2023-11-02 02:14:43 PDT

Seems to be resolved with Safari 17.1