WebAuthn Authenticator Registration fail when Yubikey5+Chrome+ResidentKey #217

Open
DTonoki opened this issue Jun 12, 2020 · 6 comments

Contributor

DTonoki commented Jun 12, 2020

Description

WebAuthn Authenticator Registration fails when Yubikey5+Chrome+ResidentKey

Steps to reproduce

Configure the WebAuthn (Register) module with Residentkey = true.

Do Authenticator Registration with Chrome and Yubikey5.

Expected Results

Registration Complete

Actual Results

Registration fails

Environment

OpenAM15-SNAPSHOT
OpenAM14-RELEASE

Debug Log

debug log
ERROR: WebAuthnValidator.validateCreateResponse : Error validating response. User handle is 7fba47c1-d769-4ae6-8d66-1c03bcb8add7
java.io.UncheckedIOException: com.fasterxml.jackson.databind.exc.InvalidDefinitionException: Cannot construct instance of java.io.Serializable (no Creators, like default construct, exist): abstract types either need to be mapped to concrete types, have custom deserializer, or contain additional type information
at [Source: (ByteArrayInputStream); line: -1, column: 13] (through reference chain: java.util.LinkedHashMap["credProtect"])
at com.webauthn4j.converter.util.CborConverter.readValue(CborConverter.java:86)
at com.webauthn4j.converter.AuthenticatorDataConverter.convertToExtensions(AuthenticatorDataConverter.java:145)

References

CTAP2.1 Draft

https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html

Contributor Author

DTonoki commented Jun 14, 2020

It can be reproduced only in a Linux environment.
Windows 10 has no problem.

Contributor Author

DTonoki commented Jun 15, 2020

Contributor Author

DTonoki commented Jun 15, 2020

The end of AuthData has the credProtect text.
6B6372656450726F7465637402
6B=text(11)
372656450726F74656374=credProtect
02=unsigned(2)
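
Decoding the bytes quoted in the comment above, as an added example that is not part of the original issue or of WebAuthn4J: a minimal Python CBOR decoder for the item types involved. The `0xA1` one-entry map header and the 1 to 3 range check on `credProtect` (the values CTAP 2.1 defines) are assumptions added here, and the function names are hypothetical.

```python
# Added example: minimal CBOR decoder for unsigned ints, strings and maps.
REPORTED_TAIL = bytes.fromhex("6B6372656450726F7465637402")  # bytes quoted in the issue
# Constructed: the reported key/value pair wrapped in a one-entry map header (0xA1).
EXTENSIONS = b"\xa1" + REPORTED_TAIL

def _read_head(buf, pos):
    """Return (major_type, argument, next_pos) for the item starting at pos."""
    if pos >= len(buf):
        raise ValueError("truncated CBOR item")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:                      # argument is stored in the initial byte
        return major, info, pos
    if info > 27:
        raise ValueError(f"unsupported additional info {info}")
    size = 1 << (info - 24)            # 24->1, 25->2, 26->4, 27->8 bytes
    if pos + size > len(buf):
        raise ValueError("truncated CBOR argument")
    return major, int.from_bytes(buf[pos:pos + size], "big"), pos + size

def decode_item(buf, pos=0):
    """Decode one CBOR item; return (value, next_pos)."""
    major, arg, pos = _read_head(buf, pos)
    if major == 0:                     # unsigned integer
        return arg, pos
    if major in (2, 3):                # byte string / text string
        if pos + arg > len(buf):
            raise ValueError("string runs past end of input")
        raw = buf[pos:pos + arg]
        return (raw.decode("utf-8") if major == 3 else raw), pos + arg
    if major == 5:                     # map of `arg` key/value pairs
        out = {}
        for _ in range(arg):
            key, pos = decode_item(buf, pos)
            out[key], pos = decode_item(buf, pos)
        return out, pos
    raise ValueError(f"unsupported major type {major}")

def parse_extensions(buf):
    """Decode an extensions map; reject trailing bytes or a bad credProtect."""
    value, end = decode_item(buf)
    if not isinstance(value, dict) or end != len(buf):
        raise ValueError("extensions must be exactly one CBOR map")
    cp = value.get("credProtect")
    if cp is not None and cp not in (1, 2, 3):   # assumption: CTAP 2.1 values
        raise ValueError(f"credProtect out of range: {cp!r}")
    return value
```
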

Contributor Author

DTonoki commented Jun 17, 2020

Contributor Author

DTonoki commented Jun 22, 2020

Should use Webauthn4J 0.11.1 or higher and jackson-2.10 or higher to resolve the parse error.

@tsujiguchitky
Contributor

The reproduction situation in my case is as follows.

Environment

  • Server
    • OpenAM 14.0.0
  • Client
    • macOS Catalina (10.15.5)
    • Chrome 83.0.4103.116 (Official Build)
    • Yubikey 5 NFC (Firmware v5.2.4)

Debug Log

WebAuthnRegister:07/06/2020 12:30:59:600 PM JST: Thread[ajp-bio-8009-exec-9,5,main]: TransactionId[5d81cb52-6371-4b6b-9dcf-fbb63a39b052-678]
ERROR: WebAuthnValidator.validateCreateResponse : Error validating response. User handle is 32bf23d8-e834-4429-b27c-751c557d9f19
com.webauthn4j.converter.exception.DataConversionException: Input data does not match expected form
        at com.webauthn4j.converter.util.CborConverter.readValue(CborConverter.java:86)
        at com.webauthn4j.converter.AuthenticatorDataConverter.convertToExtensions(AuthenticatorDataConverter.java:142)
        at com.webauthn4j.converter.AuthenticatorDataConverter.convert(AuthenticatorDataConverter.java:119)
        at com.webauthn4j.converter.jackson.deserializer.AuthenticatorDataDeserializer.deserialize(AuthenticatorDataDeserializer.java:50)
        at com.webauthn4j.converter.jackson.deserializer.AuthenticatorDataDeserializer.deserialize(AuthenticatorDataDeserializer.java:32)
        at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:530)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeWithErrorWrapping(BeanDeserializer.java:528)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeUsingPropertyBasedWithExternalTypeId(BeanDeserializer.java:945)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeWithExternalTypeId(BeanDeserializer.java:853)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:324)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:159)
        at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4013)
        at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3091)
        at com.webauthn4j.converter.util.CborConverter.readValue(CborConverter.java:73)
        at com.webauthn4j.converter.AttestationObjectConverter.convert(AttestationObjectConverter.java:69)
        at com.webauthn4j.validator.WebAuthnRegistrationContextValidator.validate(WebAuthnRegistrationContextValidator.java:213)
        at jp.co.osstech.openam.authentication.modules.webauthn.WebAuthn4JValidatorImpl.validateCreateResponse(WebAuthn4JValidatorImpl.java:83)
        at jp.co.osstech.openam.authentication.modules.webauthn.WebAuthnRegister.storeAuthenticator(WebAuthnRegister.java:245)
        at jp.co.osstech.openam.authentication.modules.webauthn.WebAuthnRegister.process(WebAuthnRegister.java:131)
        at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1056)
        at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1224)
        ...
Caused by: com.fasterxml.jackson.databind.exc.InvalidFormatException: value is out of range
 at [Source: (ByteArrayInputStream); line: -1, column: 13] (through reference chain: java.util.LinkedHashMap["credProtect"])
        at com.webauthn4j.converter.jackson.deserializer.ExtensionAuthenticatorOutputDeserializer.deserialize(ExtensionAuthenticatorOutputDeserializer.java:63)
        at com.webauthn4j.converter.jackson.deserializer.ExtensionAuthenticatorOutputDeserializer.deserialize(ExtensionAuthenticatorOutputDeserializer.java:36)
        at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringKeyMap(MapDeserializer.java:527)
        at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:364)
        at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:29)
        at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:344)
        at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:29)
        at com.fasterxml.jackson.databind.DeserializationContext.readValue(DeserializationContext.java:760)
        at com.fasterxml.jackson.databind.DeserializationContext.readValue(DeserializationContext.java:747)
        at com.webauthn4j.converter.jackson.deserializer.AuthenticationExtensionsAuthenticatorOutputsEnvelopeDeserializer.deserialize(AuthenticationExtensionsAuthenticatorOutputsEnvelopeDeserializer.java:42)
        at com.webauthn4j.converter.jackson.deserializer.AuthenticationExtensionsAuthenticatorOutputsEnvelopeDeserializer.deserialize(AuthenticationExtensionsAuthenticatorOutputsEnvelopeDeserializer.java:30)
        at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4013)
        at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3070)
        at com.webauthn4j.converter.util.CborConverter.readValue(CborConverter.java:84)
        ... 105 more
