- From: Rolf Lindemann via GitHub <sysbot+gh@w3.org>
- Date: Fri, 08 Sep 2017 12:30:36 +0000
- To: public-webauthn@w3.org
Regarding https://github.com/w3c/webauthn/pull/539#issuecomment-327450132:
The following code will be merged with the attestation statement format specific verification procedure in U2F Attestation Statement format.
<section>
<h3>Verification of authenticatorMakeCredential Response</h3>
<p>
Platform forwards authenticatorMakeCredential response to RP which follows following procedure to verify it
<a href="#fig-u2f-compat-makeCredential">(Fig: Mapping: WebAuthn authenticatorMakeCredential to and from CTAP1/U2F Registration Messages)</a>:
</p>
<ol>
<li>Confirms the format of attestation statement is of "fido-u2f" type.</li>
<li>Unpack CTAP2 Authenticator Data.</li>
<li>Verify that passed <code>rp.id</code> SHA-256 hash matches with Authenticator Data’s <code>rp.id</code> Hash field.</li>
<li>Capture public key from the certificate.</li>
<li>
Convert COSE_KEY formatted credential public key to CTAP1/U2F public Key format.
<ul>
<li>
Let <code>publicKeyU2F</code> represents converted CTAP1/U2F public representation of COSE_KEY and
set first byte as 0x04 which signifies uncompressed ECC key format
</li>
<li>Extract "-2" (representing x coordinate) from COSE_KEY representation, confirm its size to be of 32 bytes and concatenate it with <code>publicKeyU2F</code></li>
<li>Extract "-3" (representing y coordinate) from COSE_KEY representation, confirm its size to be of 32 bytes and concatenate it with <code>publicKeyU2F</code></li>
</ul>
</li>
<li>Calculate SHA-256 (0x00 | SHA-256(<code>rp.id</code>) | clientDataHash | CredentialID | <code>publicKeyU2F</code>).</li>
<li>Verify attestationStatement signature using above hash and public key.</li>
</ol>
</section>
--
GitHub Notification of comment by rlin1
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/539#issuecomment-328090374 using your GitHub account
Received on Friday, 8 September 2017 12:30:31 UTC