Re: [webauthn] Provide the public key in `AuthenticatorAttestationResponse` (#1363)

Using `exportKey()` from `CryptoKey` works for me.

I only selected PEM because it's already base64 encoded (easy to send to the server), and I could provide it directly to [`openssl_verify()`](https://php.net/openssl_verify).

Admittedly I'm not sure if I should be trusting the PEM value like that, as it's a value that's come from the (potentially hostile) user. As in, could they provide a value that's dangerous? Denial of service?

I've also had a look at some of the other projects (notes below), and while most seem to work with the X and Y values directly, PEM/DER was fairly common.

---

<details>
 <summary>Notes on other projects</summary><br />

**Go**: [duo-labs/webauthn](https://github.com/duo-labs/webauthn); uses `X/Y` values.

* [/protocol/webauthncose/webauthncose.go](https://github.com/duo-labs/webauthn/blob/07abdb9841e92e5cd5643abc9e2bea4575b9b740/protocol/webauthncose/webauthncose.go#L81)
* [/protocol/webauthncose/webauthncose.go](https://github.com/duo-labs/webauthn/blob/07abdb9841e92e5cd5643abc9e2bea4575b9b740/protocol/webauthncose/webauthncose.go#L96)
* [https://golang.org/pkg/crypto/ecdsa/](https://golang.org/pkg/crypto/ecdsa/#Verify)

**Go**: [koesie10/webauthn](https://github.com/koesie10/webauthn); uses `PEM`, then the `x509` Go library to check signature.

* [/webauthn/login.go](https://github.com/koesie10/webauthn/blob/61460705ee9a41a0e90e03dc7a16913c67840561/webauthn/login.go#L144)
* [/protocol/assertion.go](https://github.com/koesie10/webauthn/blob/61460705ee9a41a0e90e03dc7a16913c67840561/protocol/assertion.go#L107)
* [https://golang.org/pkg/crypto/x509/](https://golang.org/pkg/crypto/x509/#Certificate.CheckSignature)

**Java**: [google/webauthndemo](https://github.com/google/webauthndemo/); looks like `X/Y` values.

* [/src/main/java/com/google/webauthn/gaedemo/crypto/Crypto.java](https://github.com/google/webauthndemo/blob/8c588e670f31807b6bd069b8cf71798baa9a673b/src/main/java/com/google/webauthn/gaedemo/crypto/Crypto.java#L156)
* [/src/main/java/com/google/webauthn/gaedemo/server/U2fServer.java](https://github.com/google/webauthndemo/blob/b1e45b4cbcb1746299f1cc63c4c9ce5421770f0f/src/main/java/com/google/webauthn/gaedemo/server/U2fServer.java#L93)

**Java**: [webauthn4j/webauthn4j](https://github.com/webauthn4j/webauthn4j/); stored in `JWS`, and converts to `DER` for use with verify().

* [/webauthn4j-core/src/main/java/com/webauthn4j/data/jws/JWS.java](https://github.com/webauthn4j/webauthn4j/blob/ea0ada2801491aa5a47abd2cde0d6ecb5035f30e/webauthn4j-core/src/main/java/com/webauthn4j/data/jws/JWS.java#L79)

**NodeJS**: [fido-alliance/webauthn-demo](https://github.com/fido-alliance/webauthn-demo); uses `PEM`.

* [/utils.js](https://github.com/fido-alliance/webauthn-demo/blob/1760b0b691e1d9fde2f730128e3b0ea3f54be7e1/utils.js#L217)
* [https://nodejs.org/api/crypto.html](https://nodejs.org/api/crypto.html#crypto_verify_verify_object_signature_signatureencoding)

**.Net**: [abergs/fido2-net-lib](https://github.com/abergs/fido2-net-lib/); looks like `X/Y` values, but also `DER` formatting.

* [/Src/Fido2/AttestationFormat/FidoU2f.cs](https://github.com/abergs/fido2-net-lib/blob/e2ea460f6ef4f106fe8cf8b1db5231cfa5b92ae8/Src/Fido2/AttestationFormat/FidoU2f.cs#L109)
* [/Src/Fido2/CryptoUtils.cs](https://github.com/abergs/fido2-net-lib/blob/e2ea460f6ef4f106fe8cf8b1db5231cfa5b92ae8/Src/Fido2/CryptoUtils.cs#L98)
* [/Src/Fido2/Objects/CredentialPublicKey.cs](https://github.com/abergs/fido2-net-lib/blob/e2ea460f6ef4f106fe8cf8b1db5231cfa5b92ae8/Src/Fido2/Objects/CredentialPublicKey.cs#L123)

<br />

* [/Demo/Controller.cs](https://github.com/abergs/fido2-net-lib/blob/a87081c1162dad9175483a42907dadf4bd2fc85d/Demo/Controller.cs#L229)
* [/Src/Fido2/AuthenticatorAssertionResponse.cs](https://github.com/abergs/fido2-net-lib/blob/a87081c1162dad9175483a42907dadf4bd2fc85d/Src/Fido2/AuthenticatorAssertionResponse.cs#L165)
* [/Src/Fido2/AuthenticatorAttestationResponse.cs](https://github.com/abergs/fido2-net-lib/blob/a87081c1162dad9175483a42907dadf4bd2fc85d/Src/Fido2/AuthenticatorAttestationResponse.cs#L207)
* [/Src/Fido2/AttestationFormat/FidoU2f.cs](https://github.com/abergs/fido2-net-lib/blob/e2ea460f6ef4f106fe8cf8b1db5231cfa5b92ae8/Src/Fido2/AttestationFormat/FidoU2f.cs#L94)

**Python**: [duo-labs/py_webauthn](https://github.com/duo-labs/py_webauthn/), uses `X/Y`.

* [/webauthn/webauthn.py](https://github.com/duo-labs/py_webauthn/blob/a48ab13c06ad2c44cdf226cc6b8483d45b350691/webauthn/webauthn.py#L1105)
* [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers)

**Ruby**: [cedarcode/webauthn-ruby](https://github.com/cedarcode/webauthn-ruby), uses `X/Y`.

* [/lib/webauthn/public_key.rb](https://github.com/cedarcode/webauthn-ruby/blob/114a96d20be6504116dc8fcb2570633eb89ab160/lib/webauthn/public_key.rb#L25)
* [/lib/webauthn/authenticator_assertion_response.rb](https://github.com/cedarcode/webauthn-ruby/blob/4dc71eb7a8bf512648c86c536147824c4295e2fe/lib/webauthn/authenticator_assertion_response.rb#L57)

</details>

-- 
GitHub Notification of comment by craigfrancis
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1363#issuecomment-578525869 using your GitHub account

Received on Sunday, 26 January 2020 17:49:54 UTC
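
On the question in the comment above of whether a client-supplied PEM can be handed straight to a verification function: the following is an added example, not part of the original post or of any project it lists, showing one way a server can bound and validate the value first. It assumes the relying party accepts only ES256 (P-256) keys; `parse_p256_pem`, `build_pem` and `MAX_PEM_CHARS` are hypothetical names, and the sample key is constructed.

```python
import base64

# Assumption: the relying party accepts only ES256 (P-256) credentials. For that
# curve the DER SubjectPublicKeyInfo header is constant, so it is compared byte
# for byte rather than handing client-chosen ASN.1 to a general-purpose parser.
SPKI_P256_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200")
P = 2**256 - 2**224 + 2**192 + 2**96 - 1  # P-256 field prime
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
HEADER, FOOTER = "-----BEGIN PUBLIC KEY-----", "-----END PUBLIC KEY-----"
MAX_PEM_CHARS = 256  # a P-256 public key in PEM form is about 180 characters


def parse_p256_pem(pem):
    """Return (x, y) for a well-formed P-256 public key, else raise ValueError."""
    if len(pem) > MAX_PEM_CHARS:  # bound the work before any decoding
        raise ValueError("PEM too large")
    lines = pem.strip().splitlines()
    if len(lines) < 3 or lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("not a PUBLIC KEY PEM block")
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("invalid base64 body") from exc
    if len(der) != 91 or not der.startswith(SPKI_P256_PREFIX):
        raise ValueError("not a P-256 SubjectPublicKeyInfo")
    point = der[len(SPKI_P256_PREFIX):]
    if point[0] != 0x04:
        raise ValueError("point is not in uncompressed form")
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:], "big")
    # Reject coordinates outside the field and points off y^2 = x^3 - 3x + b.
    if x >= P or y >= P or (y * y - (x * x * x - 3 * x + B)) % P != 0:
        raise ValueError("point is not on the P-256 curve")
    return x, y


def build_pem(x, y):
    """Encode (x, y) as an SPKI PEM; used here only to construct sample input."""
    der = SPKI_P256_PREFIX + b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{HEADER}\n{body}\n{FOOTER}\n"


# Constructed sample: the P-256 base point G standing in for a credential key.
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

if __name__ == "__main__":
    print(parse_p256_pem(build_pem(GX, GY)) == (GX, GY))
```

Storing the validated `(x, y)` pair, or a PEM re-encoded from it, means the value later passed to signature verification is one the server produced rather than the client's original bytes.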