NullPointerException when using Virtual Authenticator to register and login with a passkey

[pandoras-toolbox]

When a Virtual Authenticator in the Chrome browser development tools is used when registering a passkey or login with a passkey there is an error inside forgeops, a NullPointerException. We are using version 7.4.1 or forgeops.

The Virtual Authenticator is not just a Google product but a W3C standard. With Selenium it is also possible to use a Virtual Authenticator, even for other browsers than Chrome. It is used for test automation. If the Virtual Authenticator cannot be used with forgeops then registration and login with passkeys has to be tested fully in a manual way, which is too much effort.

The class org.forgerock.openam.auth.nodes.webauthn.WebAuthnRegistrationNode delegates the verification of the certificate to the class org.forgerock.openam.auth.nodes.webauthn.flows.RegisterFlow that parses the attestation data using the class org.forgerock.openam.auth.nodes.webauthn.flows.encoding.AttestationDecoder: In the method getAttestationVerifier from the value "fmt" = "packed" the class org.forgerock.openam.auth.nodes.webauthn.flows.formats.PackedVerifier is selected.

Then, when the verification is performed, in this latter class, in the method performCertAttestation the operation below returns null because the certificate provided by the Virtual Authenticator doesn't have that value.

byte[] extensionBytes = cert.getExtensionValue("1.3.6.1.4.1.45724.1.1.4");

The elaboration fails on that line with a NullPointerException:

} else if (!MessageDigest.isEqual(attestationObject.authData.attestedCredentialData.aaguid, Arrays.copyOfRange(extensionBytes, 4, 20))) {

To me that seems to be a bug. Please take a look at the specification:

In the section "Verification Procedure" in number 2 it defines:

If attestnCert contains an extension with OID 1.3.6.1.4.1.45724.1.1.4 (id-fido-gen-ce-aaguid) verify that the value of this extension matches the aaguid in authenticatorData.

But in your implementation you assume that it is always present.

Can you please check that information I have given to you? If you confirm that it is a bug and when you fix it, can you please test registration and login of passkeys with using the Virtual Authenticator in Chrome?

[lee-baines]

Hi @pandoras-toolbox. Thanks for highlighting. I'll need to raise this with the PingAM product team. The forgeops team only manages the Kubernetes manifests.

[pandoras-toolbox]

Thank you @lee-baines ! Please let me know as soon as you have some answers.

[lee-baines]

Hi @pandoras-toolbox. Feedback from the AM team that they believe this issue was resolved in a fix in 7.5.1 onwards so upgrading forgeops to the latest version of forgeops which supports 7.5.1, should fix it.

[pandoras-toolbox]

Thank you @lee-baines ! We will try that version out.