Unknown keyword: :curve (ArgumentError) occurs when registering a passkey using the ECC algorithm #10

majora-mask · 2024-11-21T05:10:17Z

When registering a passkey in Windows 11, if some conditions are met, the title exception will occur and registration will fail.

Condition

Windows 11 23H2
Google Chrome 131.0.6778.86
Turn off “Offer to save passwords and passkeys” in Google Password Manager settings
Hardware TPM2.0 is used (I am not sure, but this was necessary in my verification)

Environments

Ruby: 3.1.4
Rails: 6.1.7.4 (also had the same problem with 7.0.8.5)
OpenSSL Gem: 3.2.0
OpenSSL Library Version: OpenSSL 1.1.1.w 11 Sep 2023
webauthn-ruby Gem: 3.1.0
tpm-key-attestation Gem: 0.12.0
openssl-signature_algorithm Gem: 1.3.0

Code for WebAuthn::Credential.options_for_create

WebAuthn::Credential.options_for_create(
  user: {
    id: user.webauthn_id,
    name: user.username
  },
  exclude: user.webauthn_credentials.pluck(:external_id),
  authenticator_selection: {
    authenticator_attachment: :platform,
    resident_key: :preferred,
    user_verification: :required,
  },
  attestation: "direct"
)

Error Details

/Users/majora-mask/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/openssl-signature_algorithm-1.3.0/lib/openssl/signature_algorithm/rsa.rb:39:in `initialize': unknown keyword: :curve (ArgumentError)
  from /Users/majora-mask/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/tpm-key_attestation-0.12.0/lib/tpm/certify_validator.rb:47:in `new'
  from /Users/majora-mask/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/tpm-key_attestation-0.12.0/lib/tpm/certify_validator.rb:47:in `valid_signature?'
  from /Users/majora-mask/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/tpm-key_attestation-0.12.0/lib/tpm/certify_validator.rb:34:in `valid?'
  from /Users/majora-mask/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/tpm-key_attestation-0.12.0/lib/tpm/key_attestation.rb:63:in `valid?'
  from /Users/majora-mask/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/webauthn-3.1.0/lib/webauthn/attestation_statement/tpm.rb:48:in `valid_key_attestation?'
  from /Users/majora-mask/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/webauthn-3.1.0/lib/webauthn/attestation_statement/tpm.rb:23:in `valid?'
  from /Users/majora-mask/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/webauthn-3.1.0/lib/webauthn/attestation_object.rb:41:in `valid_attestation_statement?'
  from /Users/majora-mask/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/webauthn-3.1.0/lib/webauthn/authenticator_attestation_response.rb:80:in `valid_attestation_statement?'
  from /Users/majora-mask/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/webauthn-3.1.0/lib/webauthn/authenticator_response.rb:64:in `verify_item'
  from /Users/majora-mask/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/webauthn-3.1.0/lib/webauthn/authenticator_attestation_response.rb:45:in `verify'
  from /Users/majora-mask/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/webauthn-3.1.0/lib/webauthn/public_key_credential_with_attestation.rb:15:in `verify'
  from /Users/majora-mask/IdeaProjects/webauthn-demo/app/controllers/webauthn_credentials_controller.rb:1:in `create'
  from /Users/majora-mask/IdeaProjects/webauthn-demo/app/controllers/webauthn_credentials_controller.rb:39:in `create'

Investigated

On Windows 11 22H2 and later, a passkey may be created using the ECC algorithm. https://learn.microsoft.com/en-us/windows/whats-new/whats-new-windows-11-version-22h2
In this case, a curve parameter is added to the arguments passed to the OpenSSL::SignatureAlgorithm::RSA class of this Gem, but since the initialize side only receives the hash_function parameter ArgumentError.
- https://github.com/cedarcode/tpm-key_attestation/blob/9cae9bbd3fc62941b6314147b9875fe32bf10aa0/lib/tpm/certify_validator.rb#L62
- openssl-signature_algorithm/lib/openssl/signature_algorithm/rsa.rb
  
  Line 39 in 323447b
  
  def initialize(hash_function: self.class::ACCEPTED_HASH_FUNCTIONS.first)
We can work around this by setting the attestation in options_for_create to none , but we don't want to do that.

Please investigate the cause and correct the problem!

The text was updated successfully, but these errors were encountered:

santiagorodriguez96 · 2024-11-29T23:36:44Z

Hey! Thank you taking the time to report the issue!

I think this is more of an issue of tpm-key_attestation that it's trying to initialize a OpenSSL::SignatureAlgorithm::RSA but incorrectly passing an curve keyword argument. I've opened this same issue in tpm-key_attestation to move the discussion there 🙂

majora-mask · 2024-11-30T18:24:16Z

I'm very grateful for your investigation of the issue.

I look forward to continuing to work with you.

santiagorodriguez96 self-assigned this Nov 22, 2024

santiagorodriguez96 mentioned this issue Nov 29, 2024

Unknown keyword: :curve (ArgumentError) occurs when registering a passkey using the ECC algorithm cedarcode/tpm-key_attestation#28

Closed

santiagorodriguez96 closed this as completed Nov 29, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unknown keyword: :curve (ArgumentError) occurs when registering a passkey using the ECC algorithm #10

Unknown keyword: :curve (ArgumentError) occurs when registering a passkey using the ECC algorithm #10

majora-mask commented Nov 21, 2024

santiagorodriguez96 commented Nov 29, 2024

majora-mask commented Nov 30, 2024

Unknown keyword: :curve (ArgumentError) occurs when registering a passkey using the ECC algorithm #10

Unknown keyword: :curve (ArgumentError) occurs when registering a passkey using the ECC algorithm #10

Comments

majora-mask commented Nov 21, 2024

Condition

Environments

Code for WebAuthn::Credential.options_for_create

Error Details

Investigated

santiagorodriguez96 commented Nov 29, 2024

majora-mask commented Nov 30, 2024