[webauthn] An issue about setAttestationChallenge() in "android-key" attestation statement

caileb2017 has just created a new issue for https://github.com/w3c/webauthn:

== An issue about setAttestationChallenge() in "android-key" attestation statement ==
I'm testing the "android-key" attestation statement of FIDO 2.0 and I ran into an issue.
The test code I tried is shown below.
```
import java.security.KeyPairGenerator;
import java.security.spec.ECGenParameterSpec;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

// Hex challenge string; the "..." is elided from the original report.
String challenge = "f9084f24ac8c33 ... 3c6ef635cdd75746516"; // **this data size is 103 bytes**
// EC key pair generator backed by the Android Keystore; `name` is the key alias defined elsewhere.
KeyPairGenerator mKeyGenerator =
    KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(name, KeyProperties.PURPOSE_SIGN)
   .setAttestationChallenge(challenge.getBytes()) // the string's bytes are passed as the challenge
   .setUserAuthenticationRequired(true)
   .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512)
   .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"));
mKeyGenerator.initialize(builder.build());
mKeyGenerator.generateKeyPair(); // fails while building the attestation certificate chain
```

and it raises the error below.
```
java.security.ProviderException: Failed to generate attestation certificate chain
    at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.getAttestationChain(AndroidKeyStoreKeyPairGeneratorSpi.java:631)
    at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.createCertificateChain(AndroidKeyStoreKeyPairGeneratorSpi.java:519)
    at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.generateKeyPair(AndroidKeyStoreKeyPairGeneratorSpi.java:502)
    at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:699)
    ...
Caused by: android.security.KeyStoreException: Invalid input length
    at android.security.KeyStore.getKeyStoreException(KeyStore.java:1097)
    at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.getAttestationChain(AndroidKeyStoreKeyPairGeneratorSpi.java:632)
    at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.createCertificateChain(AndroidKeyStoreKeyPairGeneratorSpi.java:519) 
    at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.generateKeyPair(AndroidKeyStoreKeyPairGeneratorSpi.java:502) 
    at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:699) 
    ...
```

I used the "setAttestationChallenge()" function as mentioned in the FIDO specification on W3C.
I think the function has a size limit, and it is smaller than the size of our challenge value (attToBeSigned = authenticatorData + clientHash).
What do you think about this case?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/456 using your GitHub account

Received on Monday, 8 May 2017 01:37:16 UTC
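The issue above turns on which bytes an authenticator hands to setAttestationChallenge(). Whatever value is chosen, the relying party's side of the check is the same: parse the KeyDescription extension (OID 1.3.6.1.4.1.11129.2.1.17) from the leaf attestation certificate and compare its attestationChallenge field with the value it expects. The Python below is an added example, not code from the issue author, the WebAuthn project or Android: it encodes a KeyDescription carrying a fixed 32-byte SHA-256 digest, parses it back with a small DER reader, and performs the comparison in constant time. It assumes the expected value is the SHA-256 clientDataHash (what the published WebAuthn spec requires for android-key), that pulling the extension value out of the certificate is done by an X.509 library, and that the clientDataJSON sample is constructed for illustration.

```python
"""Relying-party check of the android-key attestationChallenge (added example).

The KeyDescription layout follows Android's documented key attestation schema.
A hand-written DER subset is used so the example runs on a plain Python install;
extracting the extension from the certificate is assumed to be done elsewhere.
"""
import hashlib
import hmac

TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED, TAG_SEQUENCE = 0x02, 0x04, 0x0A, 0x30


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _der_uint(value: int, tag: int = TAG_INTEGER) -> bytes:
    """Minimal big-endian encoding of a non-negative INTEGER or ENUMERATED."""
    if value < 0:
        raise ValueError("only non-negative values are encoded here")
    return _tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def encode_key_description(attestation_version: int, attestation_security_level: int,
                           keymaster_version: int, keymaster_security_level: int,
                           challenge: bytes, unique_id: bytes = b"") -> bytes:
    """Build a KeyDescription SEQUENCE; both AuthorizationLists are left empty."""
    return _tlv(TAG_SEQUENCE,
                _der_uint(attestation_version)
                + _der_uint(attestation_security_level, TAG_ENUMERATED)
                + _der_uint(keymaster_version)
                + _der_uint(keymaster_security_level, TAG_ENUMERATED)
                + _tlv(TAG_OCTET_STRING, challenge)
                + _tlv(TAG_OCTET_STRING, unique_id)
                + _tlv(TAG_SEQUENCE, b"")    # softwareEnforced: every field is OPTIONAL
                + _tlv(TAG_SEQUENCE, b""))   # teeEnforced: every field is OPTIONAL


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos; reject truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


_KEY_DESCRIPTION_TAGS = (TAG_INTEGER, TAG_ENUMERATED, TAG_INTEGER, TAG_ENUMERATED,
                         TAG_OCTET_STRING, TAG_OCTET_STRING, TAG_SEQUENCE, TAG_SEQUENCE)


def parse_key_description(der: bytes) -> dict:
    """Parse the fixed leading fields of KeyDescription, checking every tag."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("KeyDescription must be exactly one SEQUENCE")
    fields, pos = [], 0
    while pos < len(body) and len(fields) < len(_KEY_DESCRIPTION_TAGS):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    if len(fields) != len(_KEY_DESCRIPTION_TAGS) or any(
            t != e for (t, _), e in zip(fields, _KEY_DESCRIPTION_TAGS)):
        raise ValueError("unexpected KeyDescription field tags")
    return {
        "attestation_version": int.from_bytes(fields[0][1], "big"),
        "attestation_security_level": int.from_bytes(fields[1][1], "big"),
        "keymaster_version": int.from_bytes(fields[2][1], "big"),
        "keymaster_security_level": int.from_bytes(fields[3][1], "big"),
        "attestation_challenge": fields[4][1],
        "unique_id": fields[5][1],
    }


def challenge_matches(key_description_der: bytes, expected_challenge: bytes) -> bool:
    """RP check: the certificate's attestationChallenge must equal the expected value."""
    kd = parse_key_description(key_description_der)
    return hmac.compare_digest(kd["attestation_challenge"], expected_challenge)


# Constructed sample ceremony data (not real authenticator output).
SAMPLE_CLIENT_DATA_JSON = (b'{"type":"webauthn.create","challenge":"f9084f24ac8c33",'
                           b'"origin":"https://example.test"}')
SAMPLE_CLIENT_DATA_HASH = hashlib.sha256(SAMPLE_CLIENT_DATA_JSON).digest()  # always 32 bytes

# The value an authenticator would hand to setAttestationChallenge(): a fixed-size digest.
SAMPLE_KEY_DESCRIPTION = encode_key_description(
    attestation_version=2, attestation_security_level=1,   # 1 = TrustedEnvironment
    keymaster_version=3, keymaster_security_level=1,
    challenge=SAMPLE_CLIENT_DATA_HASH)

if __name__ == "__main__":
    kd = parse_key_description(SAMPLE_KEY_DESCRIPTION)
    print("challenge length:", len(kd["attestation_challenge"]))
    print("matches clientDataHash:", challenge_matches(SAMPLE_KEY_DESCRIPTION, SAMPLE_CLIENT_DATA_HASH))
    print("matches other value:", challenge_matches(SAMPLE_KEY_DESCRIPTION, b"\x00" * 32))
```

Hashing whatever the ceremony needs to bind (clientDataHash per the spec, or a longer concatenation such as the 103-byte value in the report) before calling setAttestationChallenge() keeps the challenge at a fixed 32 bytes regardless of how long the underlying data is, and the RP recomputes the same digest on its side before the comparison. The parser deliberately rejects truncated or re-tagged input rather than returning partial fields, since the challenge comparison is only meaningful if the structure around it is well-formed.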