- From: Craig Francis via GitHub <sysbot+gh@w3.org>
- Date: Sun, 26 Jan 2020 17:49:49 +0000
- To: public-webauthn@w3.org
Using `exportKey()` from `CryptoKey` works for me.

I only selected PEM because it's already base64 encoded (easy to send to the server), and I could provide it directly to [`openssl_verify()`](https://php.net/openssl_verify).

Admittedly I'm not sure if I should be trusting the PEM value like that, as it's a value that's come from the (potentially hostile) user - as in, could they provide a value that's dangerous? denial of service?

I've also had a look at some of the other projects (notes below), and while most seem to work with the X and Y values directly, PEM/DER was fairly common.

---

<details>
<summary>Notes on other projects</summary><br />

**Go**: [duo-labs/webauthn](https://github.com/duo-labs/webauthn); uses `X/Y` values.

* [/protocol/webauthncose/webauthncose.go](https://github.com/duo-labs/webauthn/blob/07abdb9841e92e5cd5643abc9e2bea4575b9b740/protocol/webauthncose/webauthncose.go#L81)
* [/protocol/webauthncose/webauthncose.go](https://github.com/duo-labs/webauthn/blob/07abdb9841e92e5cd5643abc9e2bea4575b9b740/protocol/webauthncose/webauthncose.go#L96)
* [https://golang.org/pkg/crypto/ecdsa/](https://golang.org/pkg/crypto/ecdsa/#Verify)

**Go**: [koesie10/webauthn](https://github.com/koesie10/webauthn); uses `PEM`, then the `x509` Go library to check signature.

* [/webauthn/login.go](https://github.com/koesie10/webauthn/blob/61460705ee9a41a0e90e03dc7a16913c67840561/webauthn/login.go#L144)
* [/protocol/assertion.go](https://github.com/koesie10/webauthn/blob/61460705ee9a41a0e90e03dc7a16913c67840561/protocol/assertion.go#L107)
* [https://golang.org/pkg/crypto/x509/](https://golang.org/pkg/crypto/x509/#Certificate.CheckSignature)

**Java**: [google/webauthndemo](https://github.com/google/webauthndemo/); looks like `X/Y` values.

* [/src/main/java/com/google/webauthn/gaedemo/crypto/Crypto.java](https://github.com/google/webauthndemo/blob/8c588e670f31807b6bd069b8cf71798baa9a673b/src/main/java/com/google/webauthn/gaedemo/crypto/Crypto.java#L156)
* [/src/main/java/com/google/webauthn/gaedemo/server/U2fServer.java](https://github.com/google/webauthndemo/blob/b1e45b4cbcb1746299f1cc63c4c9ce5421770f0f/src/main/java/com/google/webauthn/gaedemo/server/U2fServer.java#L93)

**Java**: [webauthn4j/webauthn4j](https://github.com/webauthn4j/webauthn4j/); stored in `JWS`, and converts to `DER` for use with verify().

* [/webauthn4j-core/src/main/java/com/webauthn4j/data/jws/JWS.java](https://github.com/webauthn4j/webauthn4j/blob/ea0ada2801491aa5a47abd2cde0d6ecb5035f30e/webauthn4j-core/src/main/java/com/webauthn4j/data/jws/JWS.java#L79)

**NodeJS**: [fido-alliance/webauthn-demo](https://github.com/fido-alliance/webauthn-demo); uses `PEM`.

* [/utils.js](https://github.com/fido-alliance/webauthn-demo/blob/1760b0b691e1d9fde2f730128e3b0ea3f54be7e1/utils.js#L217)
* [https://nodejs.org/api/crypto.html](https://nodejs.org/api/crypto.html#crypto_verify_verify_object_signature_signatureencoding)

**.Net**: [abergs/fido2-net-lib](https://github.com/abergs/fido2-net-lib/); looks like `X/Y` values, but also `DER` formatting.

* [/Src/Fido2/AttestationFormat/FidoU2f.cs](https://github.com/abergs/fido2-net-lib/blob/e2ea460f6ef4f106fe8cf8b1db5231cfa5b92ae8/Src/Fido2/AttestationFormat/FidoU2f.cs#L109)
* [/Src/Fido2/CryptoUtils.cs](https://github.com/abergs/fido2-net-lib/blob/e2ea460f6ef4f106fe8cf8b1db5231cfa5b92ae8/Src/Fido2/CryptoUtils.cs#L98)
* [/Src/Fido2/Objects/CredentialPublicKey.cs](https://github.com/abergs/fido2-net-lib/blob/e2ea460f6ef4f106fe8cf8b1db5231cfa5b92ae8/Src/Fido2/Objects/CredentialPublicKey.cs#L123)

<br />

* [/Demo/Controller.cs](https://github.com/abergs/fido2-net-lib/blob/a87081c1162dad9175483a42907dadf4bd2fc85d/Demo/Controller.cs#L229)
* [/Src/Fido2/AuthenticatorAssertionResponse.cs](https://github.com/abergs/fido2-net-lib/blob/a87081c1162dad9175483a42907dadf4bd2fc85d/Src/Fido2/AuthenticatorAssertionResponse.cs#L165)
* [/Src/Fido2/AuthenticatorAttestationResponse.cs](https://github.com/abergs/fido2-net-lib/blob/a87081c1162dad9175483a42907dadf4bd2fc85d/Src/Fido2/AuthenticatorAttestationResponse.cs#L207)
* [/Src/Fido2/AttestationFormat/FidoU2f.cs](https://github.com/abergs/fido2-net-lib/blob/e2ea460f6ef4f106fe8cf8b1db5231cfa5b92ae8/Src/Fido2/AttestationFormat/FidoU2f.cs#L94)

**Python**: [duo-labs/py_webauthn](https://github.com/duo-labs/py_webauthn/), uses `X/Y`.

* [/webauthn/webauthn.py](https://github.com/duo-labs/py_webauthn/blob/a48ab13c06ad2c44cdf226cc6b8483d45b350691/webauthn/webauthn.py#L1105)
* [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers)

**Ruby**: [cedarcode/webauthn-ruby](https://github.com/cedarcode/webauthn-ruby), uses `X/Y`.

* [/lib/webauthn/public_key.rb](https://github.com/cedarcode/webauthn-ruby/blob/114a96d20be6504116dc8fcb2570633eb89ab160/lib/webauthn/public_key.rb#L25)
* [/lib/webauthn/authenticator_assertion_response.rb](https://github.com/cedarcode/webauthn-ruby/blob/4dc71eb7a8bf512648c86c536147824c4295e2fe/lib/webauthn/authenticator_assertion_response.rb#L57)

</details>

--
GitHub Notification of comment by craigfrancis
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1363#issuecomment-578525869 using your GitHub account
Received on Sunday, 26 January 2020 17:49:54 UTC
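
The message above asks whether a PEM value that came from the client can be handed straight to a verify function. As an added example (not part of the original message or of any project it lists), this Node.js sketch shows one way a server could bound, parse and algorithm-pin such a key before storing it. It assumes the relying party accepts only ES256 (P-256) keys; `validateClientPublicKey`, `verifyWithStoredKey`, the 512-character limit and the strict PEM shape are hypothetical choices made for the illustration.

```javascript
// Added example (not from the original message): server-side checks on a
// client-supplied PEM public key before it is stored or used to verify.
const crypto = require('node:crypto');

// Assumption: this relying party only accepts ES256 (ECDSA over P-256) keys.
// A P-256 SPKI key is 91 bytes of DER, about 180 characters as PEM.
const MAX_PEM_CHARS = 512;
// Assumption: one SPKI block with "\n" line endings and nothing around it.
const PEM_SHAPE =
  /^-----BEGIN PUBLIC KEY-----\n[A-Za-z0-9+/=\n]+-----END PUBLIC KEY-----\n?$/;

function validateClientPublicKey(pem) {
  // Bound the input before any parser sees it.
  if (typeof pem !== 'string' || pem.length > MAX_PEM_CHARS) {
    return { ok: false, reason: 'size' };
  }
  if (!PEM_SHAPE.test(pem)) return { ok: false, reason: 'format' };

  let key;
  try {
    key = crypto.createPublicKey({ key: pem, format: 'pem' });
  } catch {
    return { ok: false, reason: 'parse' };
  }
  // Pin the algorithm and curve instead of accepting whatever parsed.
  if (key.asymmetricKeyType !== 'ec' ||
      key.asymmetricKeyDetails.namedCurve !== 'prime256v1') {
    return { ok: false, reason: 'algorithm' };
  }
  // Store the server's own re-encoding, not the client's bytes.
  return { ok: true, der: key.export({ type: 'spki', format: 'der' }) };
}

// Verify a DER-encoded ECDSA signature with the stored key.
function verifyWithStoredKey(der, data, signature) {
  return crypto.verify('sha256', data,
    { key: der, format: 'der', type: 'spki' }, signature);
}

// Constructed sample: a fresh P-256 key pair stands in for an authenticator.
function demo() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const stored = validateClientPublicKey(
    publicKey.export({ type: 'spki', format: 'pem' }));
  const data = Buffer.from('constructed signed data');
  const sig = crypto.sign('sha256', data, privateKey);
  return stored.ok && verifyWithStoredKey(stored.der, data, sig);
}
```

Rejecting on size and shape first keeps oversized or malformed input away from the ASN.1 parser, and pinning `asymmetricKeyType` and `namedCurve` means a key of an unexpected type is refused at registration rather than surfacing later at verification.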