WebAuthn userHandle
Question
I'm creating a passwordless login with a U2F key. My application encrypts some data, so on every login I need to decrypt it. First I wanted to use the key's AAGUID, but I can't get it from navigator.credentials.get(), only from navigator.credentials.create(), so I dropped this idea.
I'm using a Yubico key.
I found an option to save some data on the key via the userHandle parameter on create() and read it back on get().
On read I always retrieve userHandle: ArrayBuffer(1).
Data passed to create():
attestation: "direct"
authenticatorSelection: {authenticatorAttachment: 'cross-platform', userVerification: 'required', requireResidentKey: true, residentKey: 'required'}
challenge: Uint8Array(32) [113, 73, 120, 104, 50, 115, 117, 82, 57, 109, 111, 81, 119, 85, 65, 120, 69, 105, 108, 114, 112, 103, 53, 101, 68, 65, 73, 89, 85, 67, 71, 67, buffer: ArrayBuffer(32), byteLength: 32, byteOffset: 0, length: 32, Symbol(Symbol.toStringTag): 'Uint8Array']
pubKeyCredParams: [{…}]
rp: {id: 'domain', name: 'localhost'}
timeout: 10000
user: {id: Uint8Array(1), name: 'hello@netrizon.eu', displayName: 'Świerżewski'}
userHandle: Uint8Array(32) [113, 73, 120, 104, 50, 115, 117, 82, 57, 109, 111, 81, 119, 85, 65, 120, 69, 105, 108, 114, 112, 103, 53, 101, 68, 65, 73, 89, 85, 67, 71, 67, buffer: ArrayBuffer(32)
Data passed to get():
allowCredentials: [{…}]
challenge: Uint8Array(32) [68, 78, 65, 120, 97, 80, 56, 50, 78, 117, 71, 89, 86, 108, 86, 117, 65, 111, 114, 121, 78, 97, 105, 98, 81, 80, 104, 82, 101, 74, 86, 82, buffer: ArrayBuffer(32), byteLength: 32, byteOffset: 0, length: 32, Symbol(Symbol.toStringTag): 'Uint8Array']
rpId: "domain"
timeout: 60000
userVerification: "required"
Data received from get():
authenticatorAttachment: null
id: "m-ru-po_y16wehn_I6zum2AVKCnXGXYLrQHlb7Ff6-O42KLluFpQS50vKfLGUKzX"
rawId: ArrayBuffer(48)
response: AuthenticatorAssertionResponse
  authenticatorData: ArrayBuffer(37)
  clientDataJSON: ArrayBuffer(138)
  signature: ArrayBuffer(71)
  userHandle: ArrayBuffer(1)
  [[Prototype]]: AuthenticatorAssertionResponse
type: "public-key"
The userHandle retrieved from get() is always ArrayBuffer(1), even if I don't pass this parameter on create().
Answer 1
Score: 1
If you're using a U2F device then it mightn't store the userHandle. This value is intended for discoverable credentials on FIDO2 devices, so you might need to set residentKey=required in order to have it persisted. It's also not recommended for use as an encryption key because it can be disclosed without user verification.
The intended API for getting encryption keys is the prf extension. You can use this in Chromium (with a compatible security key) by flipping chrome://flags/#enable-experimental-web-platform-features. (I should get around to default-enabling it).