
WebAuthn::U2fMigrator returns the attestation certificate spec failing with OpenSSL v3.3+ #463


Open
santiagorodriguez96 opened this issue May 9, 2025 · 4 comments

Comments

@santiagorodriguez96
Contributor

Ruby 3.4 and OpenSSL 3.4:

bundle exec rspec

Randomized with seed 62669
======================================================
OpenSSL library version is: OpenSSL 3.4.1 11 Feb 2025
======================================================

..F....................................................................................................................................................................................................................

Failures:

  1) WebAuthn::U2fMigrator returns the attestation certificate
     Failure/Error: @attestation_trust_path ||= [OpenSSL::X509::Certificate.new(Base64.strict_decode64(@certificate))]

     OpenSSL::X509::CertificateError:
       PEM_read_bio_X509: no start line (Expecting: CERTIFICATE)
     # ./lib/webauthn/u2f_migrator.rb:46:in 'OpenSSL::X509::Certificate#initialize'
     # ./lib/webauthn/u2f_migrator.rb:46:in 'Class#new'
     # ./lib/webauthn/u2f_migrator.rb:46:in 'WebAuthn::U2fMigrator#attestation_trust_path'
     # ./spec/webauthn/u2f_migrator_spec.rb:46:in 'block (2 levels) in <top (required)>'

Finished in 1.2 seconds (files took 0.26522 seconds to load)
359 examples, 1 failure

Failed examples:

rspec ./spec/webauthn/u2f_migrator_spec.rb:45 # WebAuthn::U2fMigrator returns the attestation certificate

Randomized with seed 62669

Ruby 3.3 and OpenSSL 3.3

bundle exec rspec

Randomized with seed 4621
======================================================
OpenSSL library version is: OpenSSL 3.3.3 11 Feb 2025
======================================================

....................................................................................................................................................................................................................................................................................................................................................................F..

Failures:

  1) WebAuthn::U2fMigrator returns the attestation certificate
     Failure/Error: @attestation_trust_path ||= [OpenSSL::X509::Certificate.new(Base64.strict_decode64(@certificate))]

     OpenSSL::X509::CertificateError:
       PEM_read_bio_X509: no start line (Expecting: CERTIFICATE)
     # ./lib/webauthn/u2f_migrator.rb:46:in 'OpenSSL::X509::Certificate#initialize'
     # ./lib/webauthn/u2f_migrator.rb:46:in 'Class#new'
     # ./lib/webauthn/u2f_migrator.rb:46:in 'WebAuthn::U2fMigrator#attestation_trust_path'
     # ./spec/webauthn/u2f_migrator_spec.rb:46:in 'block (2 levels) in <top (required)>'

Finished in 1.27 seconds (files took 0.27736 seconds to load)
359 examples, 1 failure

Failed examples:

rspec ./spec/webauthn/u2f_migrator_spec.rb:45 # WebAuthn::U2fMigrator returns the attestation certificate

Randomized with seed 4621

Ruby 3.4 and OpenSSL 3.2

bundle exec rspec

Randomized with seed 41045
======================================================
OpenSSL library version is: OpenSSL 3.2.4 11 Feb 2025
======================================================

.......................................................................................................................................................................................................................................................................................................................................................................

Finished in 1.22 seconds (files took 0.25562 seconds to load)
359 examples, 0 failures

Randomized with seed 41045

@santiagorodriguez96
Contributor Author

It seems that there's an issue when trying to build an OpenSSL::X509::Certificate using the certificate that we have for u2f credentials in our seeds:

require "bundler/inline"

gemfile(true) do
  source "https://rubygems.org"
  gem "activesupport", "~> 8.0.0"
  gem "minitest", "~> 5.25.0"
  gem "openssl", "~> 3.3.0"
  gem "base64", "~> 0.2.0"
end

require "openssl"
require "base64"
require "active_support"
require "minitest/autorun"

class BugTest < ActiveSupport::TestCase
  def test_1
    puts "======================================================"
    puts "OpenSSL library version is: #{OpenSSL::OPENSSL_VERSION}"
    puts "======================================================"
    puts

    OpenSSL::X509::Certificate.new(Base64.strict_decode64(<<~CERT.strip))
      MIIBNDCB26ADAgECAgp2ubKB51u9YwjcMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQfqziP5Gobu7FmIoFH0WCaD15knMWpIiLgeero1dVBVt2qo62PNI6GktGDUkzCwoj5pENTzTFVDUqAZTHDHTN1oxcwFTATBgsrBgEEAYLlHAIBAQQEAwIFIDAKBggqhkjOPQQDAgNIADBFAiEAwaOmji8WpyFGJwV/YrtyjJ4D56G6YtBGUk5FbSwvP3MCIAtfeOURqhgSn28jbZITIn2StOZ+31PoFt+wXZ3IuQ/e
    CERT
  end
end

<<-OUTPUT
# Running:

======================================================
OpenSSL library version is: OpenSSL 3.4.1 11 Feb 2025
======================================================

E

Finished in 0.000562s, 1779.3592 runs/s, 0.0000 assertions/s.

  1) Error:
BugTest#test_1:
OpenSSL::X509::CertificateError: PEM_read_bio_X509: no start line (Expecting: CERTIFICATE)
    repro.rb:23:in `initialize'
    repro.rb:23:in `new'
    repro.rb:23:in `test_1'

1 runs, 0 assertions, 0 failures, 1 errors, 0 skips
OUTPUT

@santiagorodriguez96
Contributor Author

I tried spinning up a u2f application (using ruby-u2f) in order to get a new response to see if that fixed the issue... but every response that I was able to generate contains an invalid certificate like the one that we currently have – even when using the cert bytes coming from the client's response to generate the certificate 🤔

I think the issue might be related to the way the certificates associated with the keys were generated?

@santiagorodriguez96
Contributor Author

santiagorodriguez96 commented May 16, 2025

The issue seems to be related to the fact that the certificate does not start with the -----BEGIN CERTIFICATE----- and end with the -----END CERTIFICATE----- lines as, after adding those lines, the error changes to:

PEM_read_bio_X509: ASN1 lib (OpenSSL::X509::CertificateError)

This is the script that I used to reproduce it:

require "bundler/inline"

gemfile(true) do
  source "https://rubygems.org"
  gem "activesupport", "~> 8.0.0"
  gem "minitest", "~> 5.25.0"
  gem "openssl", "~> 3.3.0"
  gem "base64", "~> 0.2.0"
end

require "openssl"
require "base64"
require "active_support"
require "minitest/autorun"

class BugTest < ActiveSupport::TestCase
  def test_1
    puts "======================================================"
    puts "OpenSSL library version is: #{OpenSSL::OPENSSL_VERSION}"
    puts "======================================================"
    puts

    raw_cert = <<~CERT.strip
      -----BEGIN CERTIFICATE-----
      MIIBNDCB26ADAgECAgp2ubKB51u9YwjcMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQfqziP5Gobu7FmIoFH0WCaD15knMWpIiLgeero1dVBVt2qo62PNI6GktGDUkzCwoj5pENTzTFVDUqAZTHDHTN1oxcwFTATBgsrBgEEAYLlHAIBAQQEAwIFIDAKBggqhkjOPQQDAgNIADBFAiEAwaOmji8WpyFGJwV/YrtyjJ4D56G6YtBGUk5FbSwvP3MCIAtfeOURqhgSn28jbZITIn2StOZ+31PoFt+wXZ3IuQ/e
      -----END CERTIFICATE-----
    CERT
    certificate = OpenSSL::X509::Certificate.new raw_cert
  end
end

<<-OUTPUT
# Running:

======================================================
OpenSSL library version is: OpenSSL 3.4.1 11 Feb 2025
======================================================

E

Finished in 0.000724s, 1381.2156 runs/s, 0.0000 assertions/s.

  1) Error:
BugTest#test_1:
OpenSSL::X509::CertificateError: PEM_read_bio_X509: ASN1 lib
    repro.rb:28:in `initialize'
    repro.rb:28:in `new'
    repro.rb:28:in `test_1'

1 runs, 0 assertions, 0 failures, 1 errors, 0 skips
OUTPUT
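
Added example (not from the issue or the webauthn-ruby project): since "ASN1 lib" only says the DER did not parse, a pure-Ruby walk of the certificate's Validity field shows what those bytes actually encode without going through OpenSSL at all. Run over the certificate quoted above, both UTCTime values come out as the 11-character YYMMDDHHMMZ form without seconds, which RFC 5280 section 4.1.2.5.1 does not permit; whether that is what the newer OpenSSL rejects is not established in this thread, so treat it as the first deviation to check, not a confirmed root cause.

```ruby
# Attestation certificate quoted in the issue above (the page's own value, not constructed).
U2F_CERT_B64 = "MIIBNDCB26ADAgECAgp2ubKB51u9YwjcMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQfqziP5Gobu7FmIoFH0WCaD15knMWpIiLgeero1dVBVt2qo62PNI6GktGDUkzCwoj5pENTzTFVDUqAZTHDHTN1oxcwFTATBgsrBgEEAYLlHAIBAQQEAwIFIDAKBggqhkjOPQQDAgNIADBFAiEAwaOmji8WpyFGJwV/YrtyjJ4D56G6YtBGUk5FbSwvP3MCIAtfeOURqhgSn28jbZITIn2StOZ+31PoFt+wXZ3IuQ/e".freeze

# Read one DER TLV (short- or long-form length) from the head of `bytes`: returns [tag, value, rest].
def der_tlv(bytes)
  tag = bytes.getbyte(0)
  len = bytes.getbyte(1)
  offset = 2
  if len >= 0x80                      # long form: low 7 bits give the number of length bytes
    n = len & 0x7f
    len = bytes.byteslice(2, n).bytes.inject(0) { |acc, b| (acc << 8) | b }
    offset += n
  end
  rest = bytes.byteslice(offset + len, bytes.bytesize - offset - len) || "".b
  [tag, bytes.byteslice(offset, len), rest]
end

# Split a constructed value (SEQUENCE/SET body) into its [tag, value] children.
def der_children(value)
  items = []
  until value.empty?
    tag, inner, value = der_tlv(value)
    items << [tag, inner]
  end
  items
end

# Walk Certificate -> TBSCertificate -> Validity; returns [[tag, raw time string], ...].
def validity_times(der)
  tbs = der_children(der_tlv(der)[1]).first[1]   # tbsCertificate is the first element
  fields = der_children(tbs)
  fields.shift if fields.first[0] == 0xa0         # optional [0] EXPLICIT version
  der_children(fields[3][1])                      # serial, signature, issuer, validity, ...
end

# RFC 5280 4.1.2.5: UTCTime (0x17) MUST be YYMMDDHHMMSSZ, GeneralizedTime (0x18) YYYYMMDDHHMMSSZ.
def rfc5280_time?(tag, str)
  case tag
  when 0x17 then str.match?(/\A\d{12}Z\z/)
  when 0x18 then str.match?(/\A\d{14}Z\z/)
  else false
  end
end

# unpack1("m0") is the strict Base64 decoder that Base64.strict_decode64 wraps, so no gem is needed.
def check_validity(b64)
  validity_times(b64.unpack1("m0")).map do |tag, str|
    { tag: tag, value: str.dup.force_encoding(Encoding::US_ASCII), rfc5280: rfc5280_time?(tag, str) }
  end
end
```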

@santiagorodriguez96
Contributor Author

@bdewater perhaps you can shed more light on this issue 🙂
