Hi,
I have been testing Passkeys and there have been quite a few devices that can be enrolled as WebAuthn tokens in privacyIDEA, including Android Passkeys, macOS Cloud, Edge…
Unfortunately, Chrome gives the following Invalid Signature error.
Any ideas where this goes wrong?
Has anyone successfully configured PrivacyIDEA to use Passkeys with Chrome?
It would be a huge usability gain if that was supported, too.
Cheers,
Johannes
Traceback (most recent call last):
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/lib/tokens/webauthn.py", line 1188, in verify_attestation_statement
    _verify_signature(credential_public_key, alg, verification_data, signature)
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/lib/tokens/webauthn.py", line 2044, in _verify_signature
    public_key.verify(signature, data, ECDSA(SHA256()))
  File "/opt/privacyidea/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/ec.py", line 315, in verify
    _ecdsa_sig_verify(self._backend, self, signature, data)
  File "/opt/privacyidea/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/ec.py", line 122, in _ecdsa_sig_verify
    raise InvalidSignature
cryptography.exceptions.InvalidSignature

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/privacyidea/lib/python3.10/site-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/opt/privacyidea/lib/python3.10/site-packages/flask/app.py", line 1952, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/opt/privacyidea/lib/python3.10/site-packages/flask/app.py", line 1821, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/opt/privacyidea/lib/python3.10/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/opt/privacyidea/lib/python3.10/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/privacyidea/lib/python3.10/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/api/lib/prepolicy.py", line 158, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/api/lib/prepolicy.py", line 158, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/api/lib/prepolicy.py", line 158, in policy_wrapper
    return wrapped_function(*args, **kwds)
  [Previous line repeated 20 more times]
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/api/lib/prepolicy.py", line 156, in policy_wrapper
    self.function(request=self.request,
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/api/lib/prepolicy.py", line 2055, in webauthntoken_allowed
    ) = WebAuthnRegistrationResponse.verify_attestation_statement(fmt=att_obj.get('fmt'),
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/lib/tokens/webauthn.py", line 1190, in verify_attestation_statement
    raise RegistrationRejectedException('Invalid signature received.')
privacyidea.lib.tokens.webauthn.RegistrationRejectedException: Invalid signature received.