
Commit 60f3fa9

ynojimavietj
authored andcommitted
Remove NoneAttestationAsyncVerififer from verifier list
Adding NoneAttestationAsyncVerifier here causes an attestation check bypass
1 parent d6256b8 commit 60f3fa9


2 files changed

+33
-1
lines changed


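--- a/vertx-auth-webauthn4j/src/main/java/io/vertx/ext/auth/webauthn4j/impl/WebAuthn4JImpl.java
+++ b/vertx-auth-webauthn4j/src/main/java/io/vertx/ext/auth/webauthn4j/impl/WebAuthn4JImpl.java
@@ -166,7 +166,6 @@ public WebAuthn4JImpl(Vertx vertx, WebAuthn4JOptions options) {
 
     webAuthnManager = new WebAuthnAsyncManager(
       Arrays.asList(
-        new NoneAttestationStatementAsyncVerifier(),
         new FIDOU2FAttestationStatementAsyncVerifier(),
         new PackedAttestationStatementAsyncVerifier(),
         new TPMAttestationStatementAsyncVerifier(),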
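Review bot: Nothing in the remaining verifier list records why `NoneAttestationStatementAsyncVerifier` is absent, so the next maintainer who sees "none" missing from an otherwise complete set of formats is likely to add it back and silently reintroduce the bypass the commit message describes. A comment on the `Arrays.asList(` line would pin the intent: `// Deliberately no NoneAttestationStatementAsyncVerifier: registering it lets a "none" attestation statement satisfy a DIRECT/INDIRECT attestation policy (see AttestationTest.testNoneAttestationShouldFailWhenDirectAttestationIsRequested)`. The existing `testNoneAttestation` case is kept by this commit, so the "none" format is presumably still accepted by some other path when the relying party does not require attestation; if that path is the attestation preference check in the manager rather than this list, the comment should say so, as it is not visible here. The `WebAuthn4JImpl` constructor starts and ends outside the hunk.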
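--- a/vertx-auth-webauthn4j/src/test/java/io/vertx/tests/attestation/AttestationTest.java
+++ b/vertx-auth-webauthn4j/src/test/java/io/vertx/tests/attestation/AttestationTest.java
@@ -114,6 +114,39 @@ public void testNoneAttestation(TestContext should) {
       });
   }
 
+  @Test
+  public void testNoneAttestationShouldFailWhenDirectAttestationIsRequested(TestContext should) {
+    final Async test = should.async();
+
+    WebAuthn4J webAuthN = WebAuthn4J.create(
+        rule.vertx(),
+        new WebAuthn4JOptions()
+          .setRelyingParty(new RelyingParty().setName("FIDO Examples Corporation"))
+          .setAttestation(Attestation.DIRECT)
+      )
+      .credentialStorage(database);
+
+    JsonObject packedFullAttestationWebAuthnSample = new JsonObject()
+      .put("rawId", "AAii3V6sGoaozW7TbNaYlJaJ5br8TrBfRXnofZO6l2suc3a5tt_XFuFkFA_5eabU80S1PW0m4IZ79BS2kQO7Zcuy2vf0ESg18GTLG1mo5YSkIdqL2J44egt-6rcj7NedSEwxa_uuxUYBtHNnSQqDmtoUAfM9LSWLl65BjKVZNGUp9ao33mMSdVfQQ0bHze69JVQvLBf8OTiZUqJsOuKmpqUc")
+      .put("id", "AAii3V6sGoaozW7TbNaYlJaJ5br8TrBfRXnofZO6l2suc3a5tt_XFuFkFA_5eabU80S1PW0m4IZ79BS2kQO7Zcuy2vf0ESg18GTLG1mo5YSkIdqL2J44egt-6rcj7NedSEwxa_uuxUYBtHNnSQqDmtoUAfM9LSWLl65BjKVZNGUp9ao33mMSdVfQQ0bHze69JVQvLBf8OTiZUqJsOuKmpqUc")
+      .put("type", "public-key")
+      .put("response", new JsonObject()
+        .put("clientDataJSON", "eyJjaGFsbGVuZ2UiOiIzM0VIYXYtaloxdjlxd0g3ODNhVS1qMEFSeDZyNW8tWUhoLXdkN0M2alBiZDdXaDZ5dGJJWm9zSUlBQ2Vod2Y5LXM2aFhoeVNITy1ISFVqRXdaUzI5dyIsImNsaWVudEV4dGVuc2lvbnMiOnt9LCJoYXNoQWxnb3JpdGhtIjoiU0hBLTI1NiIsIm9yaWdpbiI6Imh0dHBzOi8vbG9jYWxob3N0Ojg0NDMiLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0=")
+        .put("attestationObject", "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVkBJkmWDeWIDoxodDQXD2R2YFuP5K65ooYyx5lc87qDHZdjQQAAAAAAAAAAAAAAAAAAAAAAAAAAAKIACKLdXqwahqjNbtNs1piUlonluvxOsF9Feeh9k7qXay5zdrm239cW4WQUD_l5ptTzRLU9bSbghnv0FLaRA7tly7La9_QRKDXwZMsbWajlhKQh2ovYnjh6C37qtyPs151ITDFr-67FRgG0c2dJCoOa2hQB8z0tJYuXrkGMpVk0ZSn1qjfeYxJ1V9BDRsfN7r0lVC8sF_w5OJlSomw64qampRylAQIDJiABIVgguxHN3W6ehp0VWXKaMNie1J82MVJCFZYScau74o17cx8iWCDb1jkTLi7lYZZbgwUwpqAk8QmIiPMTVQUVkhGEyGrKww=="));
+
+    webAuthN.authenticate(
+        new WebAuthn4JCredentials()
+          .setUsername("paulo")
+          .setOrigin("https://localhost:8443")
+          .setWebauthn(packedFullAttestationWebAuthnSample)
+          .setChallenge("33EHav-jZ1v9qwH783aU-j0ARx6r5o-YHh-wd7C6jPbd7Wh6ytbIZosIIACehwf9-s6hXhySHO-HHUjEwZS29w"))
+      .onFailure(err->{
+        test.complete();
+      })
+      .onSuccess(user -> should.fail());
+  }
+
+
   @Test
   public void testNoneAttestationWithNonZeroAAGUID(TestContext should) {
     final Async test = should.async();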
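Review bot: The `.onFailure(err->{ test.complete(); })` handler accepts any error, so this regression test would still pass if `authenticate` failed for a reason unrelated to the attestation policy (stale challenge, origin mismatch, credential-storage lookup), which is exactly the kind of silent drift a bypass guard must not tolerate. Assert on the failure before completing, e.g. `.onFailure(err -> { should.assertTrue(err.getMessage().contains("attestation"), err.getMessage()); test.complete(); })`, adjusting the substring to the exact message the library raises (not visible in this diff). The fixture name `packedFullAttestationWebAuthnSample` is also misleading: the `attestationObject` value begins with `o2NmbXRkbm9uZQ`, which is the CBOR map `{"fmt":"none", …}`, and the method name itself says "none"; `noneAttestationWebAuthnSample` would match what the test exercises. A one-line Javadoc on the new method stating that a `fmt=none` attestation must be rejected once `Attestation.DIRECT` is configured would make the intent clear without reading the body.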