Passkey support doesn't provide getAuthenticatorData for WebAuthn #2061

Closed
ForNeVeR opened this issue Dec 29, 2023 · 8 comments


ForNeVeR commented Dec 29, 2023

Expected Behavior

I am trying to authenticate using Passkey on a test site of WebAuthn.NET library (sources are here), and it doesn't work: the library throws an exception when trying to access response.getAuthenticatorData function on the received object.

Current Behavior

The following snippet throws an error, because there's no getAuthenticatorData function:

const responseAuthenticatorData = newCredential.response?.getAuthenticatorData();

(newCredential.response here is meant to be an AuthenticatorAttestationResponse, here's a link to the spec)

Link to the corresponding JS sources.

Possible Solution

keepassxc-browser should implement a corresponding part of the spec and provide all the methods required by the spec on its response object somehow.

Steps to Reproduce (for bugs)

(Copied from my report at dodobrands/WebAuthn.Net#1)

I'm trying to use KeePassXC's passkey support with WebAuthn.Net, and it fails.

My environment is Windows 11.

  1. Install the latest snapshot version of KeePassXC (only that one supports passkeys for now).
  2. Start KeePassXC, open or create a database.
  3. In the KeePassXC settings, enable the browser support, also install the Chrome extension.
  4. In the browser extension settings, enable Passkey generator.
  5. Try to register at https://webauthn.vanbukin.com

Expected result: same as with other passkey providers, it should generate a new passkey and authenticate.
Actual result: KeePassXC successfully shows its window to generate the passkey, but nothing happens after I generate it. The KeePassXC window just closes.

In the browser console, I see the following error message:

Uncaught (in promise) TypeError: newCredential.response?.getAuthenticatorData is not a function
   at completeRegistration (lib.js:129:71)
   at HTMLButtonElement.onRegisterButtonHandler (register.js:100:42)

Note that KeePassXC works well on the test site https://webauthn.io/, so I believe it is a problem with WebAuthn.Net.

Debug info

KeePassXC - Version 2.8.0-snapshot
Build Type: Snapshot
Revision: 681a0f5

Qt 5.15.6
Debugging mode is disabled.

Operating system: Windows 10 Version 2009
CPU architecture: x86_64
Kernel: winnt 10.0.22631

Enabled extensions:
- Auto-Type
- Browser Integration
- Passkeys
- SSH Agent
- KeeShare
- YubiKey
- Quick Unlock

Cryptographic libraries:
- Botan 2.19.1

KeePassXC-Browser Version: 1.8.10
Operating system: Win
Browser: Chrome 120.0.6099.130

@varjolintu
Member

We currently don't support any attestation with the Passkey feature.

@ForNeVeR
Author

Is there some formal description of what parts of the spec (and which spec then) are supported by this plugin? Like, for example, does it support the webauthn spec at all, and on what level?

@varjolintu
Member

See keepassxreboot/keepassxc#8825 for the current support.


Szer commented Dec 29, 2023

> We currently don't support any attestation with the Passkey feature.

Could it be better to respond with "None"-attestation format for forward compatibility?

There was a problem where the server assumed only the latest level of the spec from the client and was looking for attestation in the response.

@varjolintu varjolintu added the bug label Jan 3, 2024

vanbukin commented Jun 4, 2024

@varjolintu
In #2178, you wrapped the response in PublicKeyCredential. This led to an error when calling the getAuthenticatorData() function in KeePassXC version 2.7.8.
This happens because at the time of calling this line of code, publicKey.response has the following structure:

{
    "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVkBZ8g1D_AzJTBVGNHi09dMVmpPEGId9Nb25ACq-N1pt3GvRQAAAAD9sUGyXYREPoo1RpjCBaUCACCRhZd9KtFBTPoFmf84gjsknzJQid7HJypxH7NYDDX1M6QBAwM5AQAgWQEAvOOYcaDBS4DRyjgWTUJzJWY_drlY-Fafi3iatAqy1kxKixVWMn5sFWDoxm23Fh2UpC6M6ZbEztLCC7b2wNJkiJ_pfAofIoj1yhxjEKvInhmZO47oqeJgWHgZIwFD_6d4PN9Q0DF770muJybO3M5hXoIMlpPakUsHg7xU-RyPdzhANKjOI_3l4u-1hI7BYWtg7xU-3jJ2jrFK8wxhUtwOjAeZd33cVSSoL-JvJOg6pn0a3XTBvPwrSh-nqnjkVBeePJ_XuFs9dExbX4UDTK0yYG6hWNNLaR8koYtZa22SVqiALA4gFBz6ar10TyTOei1VuPGc8vqGF0AO5eTHDzwCDSFDAQAB",
    "clientDataJSON": "eyJjaGFsbGVuZ2UiOiJHTG9rNUJYNTVfZ0xxVUF5S09yVkMza1lpVEw3WWJia0I4Sm9TMkVvWTh3IiwiY3Jvc3NPcmlnaW4iOmZhbHNlLCJvcmlnaW4iOiJodHRwczovL3dlYmF1dGhuLmRvZG8uZGV2IiwidHlwZSI6IndlYmF1dGhuLmNyZWF0ZSJ9",
    "clientExtensionResults": {}
}

There is no authenticatorData property in the publicKey.response object, so undefined is passed to the base64ToArrayBuffer function, after which an exception occurs.

Therefore, the issue is still present in the current version of KeePassXC (2.7.8).
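
Added example, not code from this thread, KeePassXC-Browser or WebAuthn.Net: a relying-party page can feature-detect `getAuthenticatorData()` and otherwise read `authData` out of the CBOR `attestationObject`, which the response shown above does carry. The function names and the sample bytes are constructed for illustration, and the code assumes `attestationObject` is an ArrayBuffer, as on a spec-shaped response object.

```javascript
// Reads one CBOR item: unsigned ints, byte/text strings, arrays and maps with
// definite lengths. Enough for {fmt, attStmt, authData}; the rest is rejected.
function readCbor(bytes, pos = 0) {
  if (pos >= bytes.length) throw new Error("truncated CBOR");
  const major = bytes[pos] >> 5;
  let len = bytes[pos++] & 0x1f;
  if (len > 26) throw new Error("unsupported CBOR length encoding");
  if (len >= 24) {                         // 1-, 2- or 4-byte length follows
    const n = 1 << (len - 24);
    if (pos + n > bytes.length) throw new Error("truncated CBOR");
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + bytes[pos++];
  }
  if (major === 0) return [len, pos];
  if (major === 2 || major === 3) {
    if (pos + len > bytes.length) throw new Error("truncated CBOR");
    const raw = bytes.slice(pos, pos + len);
    return [major === 3 ? new TextDecoder().decode(raw) : raw, pos + len];
  }
  if (major !== 4 && major !== 5) throw new Error("unsupported CBOR type");
  const out = major === 5 ? Object.create(null) : [];
  for (let i = 0; i < len; i++) {
    let key = i;
    if (major === 5) { [key, pos] = readCbor(bytes, pos); }
    [out[key], pos] = readCbor(bytes, pos);
  }
  return [out, pos];
}

// Prefers the accessor; falls back to authData inside attestationObject.
function authenticatorDataOf(response) {
  if (typeof response.getAuthenticatorData === "function") {
    return new Uint8Array(response.getAuthenticatorData());
  }
  const [obj] = readCbor(new Uint8Array(response.attestationObject));
  const authData = obj && obj.authData;
  // rpIdHash (32) + flags (1) + signCount (4) is the minimum length.
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("attestationObject has no usable authData");
  }
  return authData;
}

// Constructed sample: {fmt: "none", attStmt: {}, authData: bytes 0..36}.
function sampleAttestationObject() {
  const text = (s) => [0x60 + s.length, ...new TextEncoder().encode(s)];
  return new Uint8Array([0xa3, ...text("fmt"), ...text("none"),
    ...text("attStmt"), 0xa0, ...text("authData"), 0x58, 37,
    ...Array.from({ length: 37 }, (_, i) => i)]);
}
```
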

@varjolintu
Member

@vanbukin Thanks for letting me know. I'll check it out.

Member

varjolintu commented Jun 4, 2024

@vanbukin There's another bug in the page. It also checks for getPublicKey() but does not allow null as an answer, even if it's a valid response according to: https://www.w3.org/TR/2023/WD-webauthn-3-20230927/#dom-authenticatorattestationresponse-getpublickey

EDIT: I got the site working.

@varjolintu
Member

This is now fixed for KeePassXC 2.7.9.
