Android FIDO direct attestation failing for YubiKey (cross-platform) with message "sig verification failed"
Poonam Chaudhary
Feb 24, 2023, 6:56:53 AM
to FIDO Dev (fido-dev), Robert Hartman
Hi,
Android FIDO direct attestation is failing for YubiKey (cross-platform) with the message "signature (FIDO-U2F) verification failed". For platform (fingerprint) it is working fine.
Attaching here a screenshot of the FIDO API params passed.
We analyzed and found out it's happening because the clientDataJSON generated by the Android FIDO API is different from the one sent by our virtual server (browser client).
For example:
Step 1: clientDataJSON by virtual server (browser client) coming as request:
{ "type":"webauthn.create", "challenge":"xyz", "origin":"https://webauthn.io", "crossOrigin":false, "other_keys_can_be_added_here":"do not compare clientDataJSON against a template. See https://goo.gl/yabPex" }
Step 2: we set challenge and clientDataHash in Fido2PrivilegedApiClient
Step 3: Android FIDO returns result credentials with a different clientDataJSON:
{
"type":"webauthn.create",
"challenge":"xyz-base64 encoded",
"origin":"https:\/\/webauthn.io",
"androidPackageName":"com.citrix.Receiver"
}
Below is a flow diagram to help in understanding.
Thanks
Poonam Chaudhary
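The post above describes two different clientDataJSON documents for the same ceremony. The following added example (not code from the original thread or from any FIDO library) shows why that alone breaks FIDO-U2F attestation verification: the authenticator signs over 0x00 || rpIdHash || clientDataHash || credentialId || publicKeyU2F, and the relying party rebuilds those bytes from the clientDataJSON it received. If the two JSON byte strings differ, the hashes differ and the signature can never verify. The JSON documents, the credential ID, the public key bytes and the package name are constructed placeholders; only the hash and byte-layout logic is what the verification step actually does.

```python
import hashlib
import json

# Constructed sample inputs (not taken from the original post): the clientDataJSON
# the browser client sent to the RP, and the one the Android FIDO API produced for
# the same ceremony. Only the extra "androidPackageName" member differs here, which
# is already enough to change the hash. The package name is a placeholder.
BROWSER_CLIENT_DATA = json.dumps(
    {"type": "webauthn.create", "challenge": "xyz",
     "origin": "https://webauthn.io", "crossOrigin": False},
    separators=(",", ":")).encode("utf-8")

ANDROID_CLIENT_DATA = json.dumps(
    {"type": "webauthn.create", "challenge": "xyz",
     "origin": "https://webauthn.io", "androidPackageName": "com.example.placeholder"},
    separators=(",", ":")).encode("utf-8")

RP_ID = "webauthn.io"
CREDENTIAL_ID = bytes(range(16))                  # constructed 16-byte key handle
PUBLIC_KEY_U2F = b"\x04" + bytes(32) + bytes(32)  # constructed 65-byte uncompressed point


def client_data_hash(client_data_json: bytes) -> bytes:
    """SHA-256 over the exact clientDataJSON bytes. The authenticator signs over this
    hash, so any byte-level difference in the JSON yields a different hash."""
    return hashlib.sha256(client_data_json).digest()


def u2f_verification_data(rp_id: str, client_data_json: bytes,
                          credential_id: bytes, public_key_u2f: bytes) -> bytes:
    """Bytes covered by a FIDO-U2F attestation signature (WebAuthn fido-u2f format):
    0x00 || rpIdHash || clientDataHash || credentialId || publicKeyU2F."""
    if len(public_key_u2f) != 65 or public_key_u2f[0] != 0x04:
        raise ValueError("publicKeyU2F must be a 65-byte uncompressed P-256 point")
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return (b"\x00" + rp_id_hash + client_data_hash(client_data_json)
            + credential_id + public_key_u2f)


def signed_bytes_match(authenticator_client_data: bytes, rp_client_data: bytes,
                       rp_id: str = RP_ID, credential_id: bytes = CREDENTIAL_ID,
                       public_key_u2f: bytes = PUBLIC_KEY_U2F) -> bool:
    """True only if the bytes the authenticator signed over equal the bytes the RP
    reconstructs from the clientDataJSON it received. ECDSA verification of the
    attestation signature can only succeed when this precondition holds."""
    signed = u2f_verification_data(rp_id, authenticator_client_data,
                                   credential_id, public_key_u2f)
    reconstructed = u2f_verification_data(rp_id, rp_client_data,
                                          credential_id, public_key_u2f)
    return signed == reconstructed


if __name__ == "__main__":
    print("browser clientDataHash :", client_data_hash(BROWSER_CLIENT_DATA).hex())
    print("android clientDataHash :", client_data_hash(ANDROID_CLIENT_DATA).hex())
    print("signed bytes match (android vs browser):",
          signed_bytes_match(ANDROID_CLIENT_DATA, BROWSER_CLIENT_DATA))
    print("signed bytes match (browser vs browser):",
          signed_bytes_match(BROWSER_CLIENT_DATA, BROWSER_CLIENT_DATA))
```

The takeaway for an RP implementer is that the clientDataJSON hashed by the authenticator and the clientDataJSON the RP hashes must be the identical byte string; a platform authenticator that accepts an overridden clientDataHash keeps them aligned, while an external security key that ignores the override signs over its own JSON, which the RP never sees.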
Adam Langley
Feb 27, 2023, 5:16:23 PM
to FIDO Dev (fido-dev), Poonam Chaudhary, Robert Hartman
On Friday, February 24, 2023 at 3:56:53 AM UTC-8 Poonam Chaudhary wrote:
Hi,
Android FIDO direct attestation is failing for YubiKey (cross-platform) with the message "signature (FIDO-U2F) verification failed". For platform (fingerprint) it is working fine.
Overriding the clientDataJSON hash has never been supported for external security keys, only the platform authenticator, so this is expected. Sounds like you would like it to work for external devices too. Thank you for the feedback, we'll take that onboard.
Cheers
AGL
Poonam Chaudhary
Feb 28, 2023, 3:54:40 AM
to FIDO Dev (fido-dev), Adam Langley, Poonam Chaudhary, Robert Hartman
Thanks for the info, Adam. If any public ticket is created for the cross-platform hash override, we would like to follow it.