
I'm creating a passwordless login with a U2F key. My application encrypts some data, so on every login I need to decrypt it. First I wanted to use the key's AAGUID, but I can't get it from navigator.credentials.get(), only from navigator.credentials.create(), so I dropped that idea.

I'm using a Yubico key.

I found an option to save some data on the key via the userHandle parameter on create() and read it back on get(). On read I always retrieve userHandle: ArrayBuffer(1).

Data passing to create()

attestation: "direct" 
authenticatorSelection: {authenticatorAttachment: 'cross-platform', userVerification: 'required', requireResidentKey: true, residentKey: 'required'} 
challenge: Uint8Array(32) [113, 73, 120, 104, 50, 115, 117, 82, 57, 109, 111, 81, 119, 85, 65, 120, 69, 105, 108, 114, 112, 103, 53, 101, 68, 65, 73, 89, 85, 67, 71, 67]
pubKeyCredParams: [{…}] 
rp: {id: 'domain', name: 'localhost'} 
timeout: 10000 
user: {id: Uint8Array(1), name: 'hello@netrizon.eu', displayName: 'Świerżewski'} 
userHandle: Uint8Array(32) [113, 73, 120, 104, 50, 115, 117, 82, 57, 109, 111, 81, 119, 85, 65, 120, 69, 105, 108, 114, 112, 103, 53, 101, 68, 65, 73, 89, 85, 67, 71, 67]

Data passing to get()

allowCredentials: [{…}]
challenge: Uint8Array(32) [68, 78, 65, 120, 97, 80, 56, 50, 78, 117, 71, 89, 86, 108, 86, 117, 65, 111, 114, 121, 78, 97, 105, 98, 81, 80, 104, 82, 101, 74, 86, 82]
rpId: "domain"
timeout: 60000
userVerification: "required"

Data received from get()

authenticatorAttachment: null
id: "m-ru-po_y16wehn_I6zum2AVKCnXGXYLrQHlb7Ff6-O42KLluFpQS50vKfLGUKzX"
rawId: ArrayBuffer(48)
response: AuthenticatorAssertionResponse
  authenticatorData: ArrayBuffer(37)
  clientDataJSON: ArrayBuffer(138)
  signature: ArrayBuffer(71)
  userHandle: ArrayBuffer(1)
type: "public-key"

The userHandle retrieved from get() is always ArrayBuffer(1), even if I don't pass this parameter on create().

Swiru

1 Answer


If you're using a U2F device then it might not store the userHandle. This value is intended for discoverable credentials on FIDO2 devices, so you might need to set residentKey=required in order to have it persisted. It's also not recommended for use as an encryption key because it can be disclosed without user verification.

The intended API for getting encryption keys is the prf extension. You can use this in Chromium (with a compatible security key) by flipping chrome://flags/#enable-experimental-web-platform-features. (I should get around to default-enabling it.)

agl
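Editor's note with an added example (it is not code from the question or the answer above). Two WebAuthn facts explain the ArrayBuffer(1) in the question: the userHandle an assertion returns is exactly the user.id bytes passed to create() (the question passes a one-byte user.id), and userHandle is not a top-level create() option, so the 32-byte value passed under that name is ignored. As the answer says, userHandle is an identifier, not a secret; the prf extension is the mechanism for deriving a per-credential secret that is only released after user verification. The snippet below shows the client side of that flow: registration that asks for a discoverable credential and queries PRF support, login that evaluates PRF under a fixed salt, and HKDF from the PRF output to an AES-GCM key. The rpId "example.com", the PRF salt string, the HKDF info string and the fake credential objects used to exercise the helpers are assumptions chosen for this example; it assumes a Chromium build with the prf extension enabled and a security key that supports hmac-secret, and the navigator.credentials calls only run in a browser.

```javascript
// Added example (not from the question or answer): WebAuthn prf extension flow
// for deriving a data-encryption key at login. rpId, salt and info strings are
// assumptions; challenges come from the server and are passed in as arguments.

const RP_ID = 'example.com';                                           // assumption
// The PRF salt must be stable across logins: same credential + same salt
// gives the same 32-byte output, so it can be used to re-derive a data key.
const PRF_SALT = new TextEncoder().encode('example.com data-at-rest key v1'); // assumption

// Registration: request a discoverable credential and ask whether PRF is
// supported. No PRF evaluation is done at create() time in this flow.
function buildCreateOptions(challenge, userId, userName) {
  return {
    publicKey: {
      rp: { id: RP_ID, name: 'Example' },
      // user.id is exactly what get() later returns as userHandle. It is an
      // opaque identifier (at most 64 bytes), never a secret to protect.
      user: { id: userId, name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }],
      authenticatorSelection: {
        authenticatorAttachment: 'cross-platform',
        residentKey: 'required',
        userVerification: 'required',
      },
      extensions: { prf: {} },
    },
  };
}

// Read the create() result: did the authenticator actually enable PRF for
// this credential? If not, do not promise the user key-based decryption.
function prfEnabled(credential) {
  const ext = credential.getClientExtensionResults();
  return Boolean(ext.prf && ext.prf.enabled);
}

// Login: evaluate PRF under the fixed salt. The output is released only
// after user verification, unlike userHandle.
function buildGetOptions(challenge, credentialId) {
  return {
    publicKey: {
      rpId: RP_ID,
      challenge,
      userVerification: 'required',
      allowCredentials: credentialId ? [{ type: 'public-key', id: credentialId }] : [],
      extensions: { prf: { eval: { first: PRF_SALT } } },
    },
  };
}

// Extract the 32-byte PRF output from the assertion, or null if the
// authenticator did not evaluate it (older key, extension unsupported).
function prfOutput(assertion) {
  const ext = assertion.getClientExtensionResults();
  const first = ext.prf && ext.prf.results && ext.prf.results.first;
  return first ? new Uint8Array(first) : null;
}

// Constant-time comparison of the returned userHandle with the expected user.id.
function sameBytes(a, b) {
  const x = new Uint8Array(a), y = new Uint8Array(b);
  if (x.length !== y.length) return false;
  let diff = 0;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i];
  return diff === 0;
}

// PRF output -> AES-GCM key via HKDF (WebCrypto). Browser-only.
async function keyFromPrf(prfBytes) {
  const subtle = globalThis.crypto.subtle;
  const ikm = await subtle.importKey('raw', prfBytes, 'HKDF', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(0),
      info: new TextEncoder().encode('aes-gcm data key') },             // assumption
    ikm, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Full login path (browser-only, not exercised offline): assert, derive, decrypt.
async function loginAndDecrypt(challenge, credentialId, expectedUserId, iv, ciphertext) {
  const assertion = await navigator.credentials.get(buildGetOptions(challenge, credentialId));
  if (!sameBytes(assertion.response.userHandle, expectedUserId)) {
    throw new Error('assertion belongs to a different user handle');
  }
  const secret = prfOutput(assertion);
  if (!secret) throw new Error('no PRF output; cannot derive the data key');
  const key = await keyFromPrf(secret);
  return globalThis.crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext);
}
```

The PRF output is treated as input keying material, not used directly as the AES key, so the same credential can serve several purposes through different HKDF info strings; and because the salt is fixed per relying party, re-enrolling with a new credential produces a different secret, so data must be re-wrapped under the new key rather than assumed recoverable.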