Page MenuHomePhabricator
Create Task
Maniphest T363652

publicKey.pubKeyCredParams is missing at least one of the default algorithm identifiers: ES256 and RS256
Closed, ResolvedPublic
Actions

Description

When I start the WebAuthn key setup process in Chrome, it logs this in the console:

Registrator.js:81 publicKey.pubKeyCredParams is missing at least one of the default algorithm identifiers: ES256 and RS256. This can result in registration failures on incompatible authenticators. See https://chromium.googlesource.com/chromium/src/+/main/content/browser/webauth/pub_key_cred_params.md for details

(It doesn't seem to cause any problems with setting up the key, at least not on my Android phone.)

The API payload is "pubKeyCredParams": [ { "type": "public-key", "alg": -7 } ] which per the spec is ES256. Maybe a Chrome bug?

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Authenticator: Pass more pub key creds to getRegisterInfomediawiki/extensions/WebAuthnREL1_43+21 -1
Authenticator: Pass more pub key creds to getRegisterInfomediawiki/extensions/WebAuthnmaster+21 -1
Customize query in gerrit

Related Objects

Event Timeline

Tgr created this task.Apr 28 2024, 5:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 28 2024, 5:58 PM
Tgr added a comment.May 11 2024, 9:41 AM

The API payload is "pubKeyCredParams": [ { "type": "public-key", "alg": -7 } ] which per the spec is ES256. Maybe a Chrome bug?

Reading comprehension fail - the warning quite clearly says that we should support both ES256 and RS256, and we only support one of them.

There relevant parts of the code seem to be WebAuthnKey::authenticationCeremony() which does support a bunch of different algos:

$coseAlgorithmManager = new Manager();
$coseAlgorithmManager->add( new ES256() );
$coseAlgorithmManager->add( new ES512() );
$coseAlgorithmManager->add( new EdDSA() );
$coseAlgorithmManager->add( new RS1() );
$coseAlgorithmManager->add( new RS256() );
$coseAlgorithmManager->add( new RS512() );

and Authenticator::getRegisterInfo() which tells the client we only support ES256:

$publicKeyCredParametersList = [
	new PublicKeyCredentialParameters(
		'public-key',
		Algorithms::COSE_ALGORITHM_ES256
	)
];

so this seems self-inflicted.

The practical effect seems to be that we don't support Windows Hello. From the above Chrome doc page:

However, developers should be aware that excluding either of the default identifiers has compatibility risks. In particular, RS256 is necessary for compatibility with Microsoft Windows platform authenticators. ES256 is a widely supported algorithm and is compatible with most other platform authenticators and roaming authenticators.

Reedy moved this task from Backlog to Bugs on the MediaWiki-extensions-OATHAuth board.Aug 31 2024, 4:23 PM
Tgr mentioned this in T376021: Migrate WebAuthn on Wikimedia wikis to central domain.Sep 30 2024, 10:04 AM
Tgr mentioned this in T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production and Beta wikis.Apr 10 2025, 3:17 PM
gerritbot added a comment.May 3 2025, 10:41 AM

Change #1141049 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/WebAuthn@master] Authenticator: Pass more pub key creds to getRegisterInfo

https://gerrit.wikimedia.org/r/1141049

gerritbot added a project: Patch-For-Review.May 3 2025, 10:41 AM
gerritbot added a comment.May 3 2025, 12:59 PM

Change #1141049 merged by jenkins-bot:

[mediawiki/extensions/WebAuthn@master] Authenticator: Pass more pub key creds to getRegisterInfo

https://gerrit.wikimedia.org/r/1141049

ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.28; 2025-05-06).May 3 2025, 1:00 PM
Maintenance_bot removed a project: Patch-For-Review.May 3 2025, 1:30 PM
Tgr closed this task as Resolved.May 3 2025, 1:44 PM
Tgr assigned this task to Reedy.
gerritbot added a comment.Sep 23 2025, 9:22 AM

Change #1190597 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/WebAuthn@REL1_43] Authenticator: Pass more pub key creds to getRegisterInfo

https://gerrit.wikimedia.org/r/1190597

gerritbot added a project: Patch-For-Review.Sep 23 2025, 9:22 AM
gerritbot added a comment.Sep 23 2025, 9:46 AM

Change #1190597 merged by Reedy:

[mediawiki/extensions/WebAuthn@REL1_43] Authenticator: Pass more pub key creds to getRegisterInfo

https://gerrit.wikimedia.org/r/1190597

Maintenance_bot removed a project: Patch-For-Review.Sep 23 2025, 10:30 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits