
test_verify_attestation_android_key_hardware_authority fails after 2025-02-02 #243

Open
bmwiedemann opened this issue Jan 25, 2025 · 1 comment


While working on reproducible builds for openSUSE, I found that our python-webauthn 2.5.0 package fails a test when the system clock is set after 2025-02-02.

In Debian and openSUSE, you could reproduce this with

```
osc checkout openSUSE:Factory/python-webauthn && cd $_
osc build --vm-type=kvm --noservice --clean --build-opt=--vm-custom-opt="-rtc base=2025-02-03T00:00:00" standard
```

or maybe libfaketime or just set your system time 8 days ahead...

Please ensure that tests keep passing (e.g. mock the current time).

```
    def verify_android_key(
        *,
        attestation_statement: AttestationStatement,
        attestation_object: bytes,
        client_data_json: bytes,
        credential_public_key: bytes,
        pem_root_certs_bytes: List[bytes],
    ) -> bool:
        """Verify an "android-key" attestation statement

        See https://www.w3.org/TR/webauthn-2/#sctn-android-key-attestation

        Also referenced: https://source.android.com/docs/security/features/keystore/attestation
        """
        if not attestation_statement.sig:
            raise InvalidRegistrationResponse(
                "Attestation statement was missing signature (Android Key)"
            )

        if not attestation_statement.alg:
            raise InvalidRegistrationResponse(
                "Attestation statement was missing algorithm (Android Key)"
            )

        if not attestation_statement.x5c:
            raise InvalidRegistrationResponse("Attestation statement was missing x5c (Android Key)")

        # x5c includes a root certificate, so break it up accordingly
        x5c_no_root = attestation_statement.x5c[:-1]
        x5c_root_cert = attestation_statement.x5c[-1]

        x5c_root_cert_x509 = x509.load_der_x509_certificate(x5c_root_cert, default_backend())
        x5c_root_cert_pem = x5c_root_cert_x509.public_bytes(Encoding.PEM)

        # Make sure x509 forms a complete, valid cert chain
        try:
            validate_certificate_chain(
                x5c=x5c_no_root,
                pem_root_certs_bytes=[x5c_root_cert_pem],
            )
        except InvalidCertificateChain as err:
>           raise InvalidRegistrationResponse(f"{err} (Android Key)")
E           webauthn.helpers.exceptions.InvalidRegistrationResponse: Certificate chain could not be validated (Android Key)

../../BUILDROOT/python-webauthn-2.5.0-1.1.x86_64/usr/lib/python3.12/site-packages/webauthn/registration/formats/android_key.py:83: InvalidRegistrationResponse
=========================== short test summary info ============================
FAILED tests/test_verify_registration_response_android_key.py::TestVerifyRegistrationResponseAndroidKey::test_verify_attestation_android_key_hardware_authority
======================== 1 failed, 178 passed in 0.58s =========================
```
jwag956 commented Jan 26, 2025

FWIW - I use https://pypi.org/project/freezegun/ in my unit tests for Flask-Security
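The pattern both posts point at, shown as an added, self-contained example (this is not python-webauthn's code, and its `validate_chain` is a simplified stand-in for the library's real `validate_certificate_chain`, with no revocation or name-constraint handling): the test fixture is a certificate chain whose leaf expires on a fixed date, which is assumed here to be what makes the test clock-dependent. The validator takes the clock from one injectable source, so a test can either pass `now` explicitly or freeze the clock with `unittest.mock` (freezegun does the same thing for `datetime.now` globally). The root, leaf, names and dates below are all constructed for the example; the 2025-02-02 expiry mirrors the date in the issue title.

```python
import sys
from datetime import datetime, timezone
from typing import List, Optional
from unittest import mock

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID


class InvalidCertificateChain(Exception):
    """Mirrors the exception name seen in the traceback (constructed stand-in)."""


def utc_date(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def _utc_now() -> datetime:
    # Single clock source: tests patch this instead of depending on the wall clock.
    return datetime.now(timezone.utc)


def _validity(cert: x509.Certificate):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases only have naive UTC values.
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        return (cert.not_valid_before.replace(tzinfo=timezone.utc),
                cert.not_valid_after.replace(tzinfo=timezone.utc))


def validate_chain(x5c_der: List[bytes], root_pem: bytes, now: Optional[datetime] = None) -> bool:
    """Leaf -> ... -> root: every cert must be inside its validity window at `now`
    and each link must be signed by its parent (EC keys only; simplified)."""
    now = now or _utc_now()
    chain = [x509.load_der_x509_certificate(der) for der in x5c_der]
    chain.append(x509.load_pem_x509_certificate(root_pem))
    for cert in chain:
        not_before, not_after = _validity(cert)
        if not (not_before <= now <= not_after):
            raise InvalidCertificateChain(
                f"{cert.subject.rfc4514_string()} not valid at {now.date()} "
                f"(window {not_before.date()} .. {not_after.date()})")
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            raise InvalidCertificateChain("issuer/subject mismatch in chain")
        try:
            parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except InvalidSignature as err:
            raise InvalidCertificateChain("bad signature on " + child.subject.rfc4514_string()) from err
    return True


def _make_cert(subject, issuer, public_key, signing_key, not_before, not_after, is_ca):
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (x509.CertificateBuilder()
               .subject_name(name(subject)).issuer_name(name(issuer))
               .public_key(public_key).serial_number(x509.random_serial_number())
               .not_valid_before(not_before).not_valid_after(not_after)
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(signing_key, hashes.SHA256())


def build_fixture_chain():
    """Constructed fixture: a long-lived root and a leaf that expires on 2025-02-02.
    Returns (x5c_der_without_root, root_pem), the shape validate_chain expects."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    root = _make_cert("Constructed Root", "Constructed Root", root_key.public_key(), root_key,
                      utc_date(2020, 1, 1), utc_date(2030, 1, 1), True)
    leaf = _make_cert("Constructed Attestation Leaf", "Constructed Root", leaf_key.public_key(),
                      root_key, utc_date(2024, 1, 1), utc_date(2025, 2, 2), False)
    return [leaf.public_bytes(Encoding.DER)], root.public_bytes(Encoding.PEM)


def chain_valid_at(now: datetime) -> bool:
    """Option 1: inject the clock explicitly, the cleanest way to make such a test deterministic."""
    x5c, root_pem = build_fixture_chain()
    try:
        return validate_chain(x5c, root_pem, now=now)
    except InvalidCertificateChain:
        return False


def chain_valid_with_frozen_clock(frozen_now: datetime) -> bool:
    """Option 2: the code under test reads the clock itself, so the test freezes the clock source."""
    x5c, root_pem = build_fixture_chain()
    with mock.patch.object(sys.modules[__name__], "_utc_now", return_value=frozen_now):
        try:
            return validate_chain(x5c, root_pem)
        except InvalidCertificateChain:
            return False


if __name__ == "__main__":
    print("2025-01-25 (issue filed):", chain_valid_at(utc_date(2025, 1, 25)))
    print("2025-02-03 (clock ahead):", chain_valid_at(utc_date(2025, 2, 3)))
    print("frozen at 2025-01-25:", chain_valid_with_frozen_clock(utc_date(2025, 1, 25)))
```

Run unchanged, the fixture passes before the leaf's expiry and fails once the clock moves past it, which is exactly the reproducible-builds failure mode from the report; with the clock frozen at a date inside the window the result no longer depends on when the test suite runs. The underlying caveat applies to any attestation fixture: a real Android Key (or other hardware attestation) chain carries real validity dates, so a test that validates it against the wall clock is a time bomb unless the test controls the time.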
