I am trying to leverage the CTAP hmac-secret extension to retrieve a key for symmetric encryption in a web browser. I have a YubiKey 5, which implements this extension. I read through the CTAP specs, but I cannot find a reference for how to do it once I get the assertion data.

Here's my simplified code:

// hmacGetSecret salts must be 32-byte BufferSources, not strings; keep the
// salt fixed so the same credential yields the same secret on every call
var salt1 = new Uint8Array(32);
salt1.set(new TextEncoder().encode("01234567890ABCDEF"));

var getCredentialDefaultArgs = {
  publicKey: {
    timeout: 60000,
    allowCredentials: myCredentials,
    challenge: myUint8Array,
    extensions: {
      hmacGetSecret: {
        salt1: salt1
      }
    }
  }
};

navigator.credentials.get(getCredentialDefaultArgs)
.then((assertion) => {
  console.log("assertion", assertion.response.authenticatorData);
  // How do I get my symmetric secret from the authenticatorData ?
  // log just shows: ArrayBuffer(37) {byteLength: 37}
  // Extension output the client processed is exposed here, not in authenticatorData
  console.log("extension results", assertion.getClientExtensionResults());
})
.catch((err) => {
  console.log("assertion error", err);
});

I have not been able to find a single working example in JavaScript that would utilize this feature in a web browser.

ucipass
  • I haven't got any samples, do see this answer: https://stackoverflow.com/questions/58475657/webauthn-extension-hmacsecret-with-yubikey – aseigler Nov 28 '21 at 18:08
  • I think this could be potentially done in Javascript but you would have to do all the heavy lifting yourself, as it's not implemented in the browsers. – aseigler Nov 28 '21 at 18:09
  • Oh, is it possible that the extension is filtered out by the web browser? There's a response so I assumed that the authenticatorData had the extension data. – ucipass Nov 29 '21 at 02:06
  • 37 bytes is the minimum length for authenticator data, no extension data is present. – aseigler Nov 29 '21 at 13:12
  • Yes, I was wondering if the OS or the browser is even passing this info along. I saw somebody mentioning in a Google group that the extension is only implemented in .create() but not in .get(). I am a little disappointed that this may not be possible on a web application independent of a backend service. – ucipass Nov 29 '21 at 21:09

2 Answers

This extension is currently reserved only for platforms. WebAuthn does not have access to it. Might change in the future.

Ackermann Yuriy

I also wish there was a way to store a secret alongside a WebAuthn credential. :/

Adding to @ackermann-yuriy's answer: the links I've found re blocked support for this extension:

Right now (early 2022), the Large Blob Extension seems like the best approach for storing a secret in the authenticator associated with the credential. The good news is that it's shipping in Chromium. The bad news is that it's behind a flag and not yet implemented in Firefox or Safari.

crimbo
  • Update: The Large Blob Extension is enabled in desktop Chromium 113 https://www.w3.org/TR/webauthn-3/#sctn-large-blob-extension – crimbo Mar 21 '23 at 18:44
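The largeBlob flow this answer points to, as an added example that is not code from the answer or its comment: the create() option that asks for blob support, the get() that writes the secret, and the later get() that reads it back, with the client extension results checked at each step. Request shapes follow the WebAuthn Level 3 largeBlob extension; rpId, user fields, challenges and credential IDs are caller-supplied placeholders, and the objects in the test are constructed stand-ins for PublicKeyCredential.

```javascript
// Added example, not code from the original answer: the three WebAuthn
// largeBlob calls needed to keep a secret next to a credential. Shapes follow
// the WebAuthn Level 3 largeBlob extension: support at create(), then either
// write or read (never both) at get(). rpId, user fields, challenges and
// credential IDs are caller-supplied placeholders.

// create(): largeBlob needs a discoverable (resident) credential, and the
// "required" support level makes create() fail rather than silently
// produce a credential that cannot hold a blob.
function buildCreationOptions(rpId, rpName, userId, userName, challenge) {
  return {
    publicKey: {
      rp: { id: rpId, name: rpName },
      user: { id: userId, name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: { residentKey: "required", userVerification: "required" },
      extensions: { largeBlob: { support: "required" } },
    },
  };
}

// After create(): confirm the client and authenticator both honoured it.
function largeBlobSupported(credential) {
  const ext = credential.getClientExtensionResults();
  return Boolean(ext.largeBlob && ext.largeBlob.supported);
}

// get() that writes the secret. The spec requires allowCredentials to name
// exactly one credential for a write.
function buildWriteRequest(credentialId, challenge, secretBytes) {
  if (!(secretBytes instanceof Uint8Array)) throw new TypeError("secret must be a Uint8Array");
  return {
    publicKey: {
      challenge,
      allowCredentials: [{ type: "public-key", id: credentialId }],
      userVerification: "required",
      extensions: { largeBlob: { write: secretBytes } },
    },
  };
}

function blobWritten(assertion) {
  const ext = assertion.getClientExtensionResults();
  return Boolean(ext.largeBlob && ext.largeBlob.written);
}

// get() that reads the blob back. An empty allowCredentials lets the user
// pick the discoverable credential; the blob comes back with the assertion.
function buildReadRequest(challenge) {
  return {
    publicKey: {
      challenge,
      allowCredentials: [],
      userVerification: "required",
      extensions: { largeBlob: { read: true } },
    },
  };
}

// Returns the stored bytes, or null when no blob was returned.
function readBlob(assertion) {
  const ext = assertion.getClientExtensionResults();
  if (!ext.largeBlob || ext.largeBlob.blob === undefined) return null;
  return new Uint8Array(ext.largeBlob.blob);
}

// Browser-only driver (needs navigator.credentials and user gestures):
// registers, writes a 32-byte key, then reads it back on a later get().
async function storeAndRecover(rpId, userName, secretBytes) {
  const challenge = () => crypto.getRandomValues(new Uint8Array(32));
  const userId = crypto.getRandomValues(new Uint8Array(16));
  const cred = await navigator.credentials.create(
    buildCreationOptions(rpId, rpId, userId, userName, challenge()));
  if (!largeBlobSupported(cred)) throw new Error("authenticator or client lacks largeBlob");
  const wrote = await navigator.credentials.get(
    buildWriteRequest(new Uint8Array(cred.rawId), challenge(), secretBytes));
  if (!blobWritten(wrote)) throw new Error("largeBlob write refused");
  const read = await navigator.credentials.get(buildReadRequest(challenge()));
  return readBlob(read);
}
```

Two points worth keeping in mind when using this: a single get() may carry `write` or `read` but not both, so storing and recovering the secret always costs two user gestures after registration, and a `written: false` result means the authenticator ran out of blob storage or refused, so treat it as a hard failure rather than retrying blindly.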