Re: [webauthn] Provide the public key in `AuthenticatorAttestationResponse` (#1363)

Using `exportKey()` from `CryptoKey` works for me.

I only selected PEM because it's already base64 encoded (easy to send to the server), and I could provide it directly to `openssl_verify()`.

Admittedly I'm not sure if I should be trusting the PEM value like that, as it's a value that's come from the (potentially hostile) user - as in, could they provide a value that's dangerous? denial of service?

I've also had a look at some of the other projects (notes below), and while most seem to work with the X and Y values directly, PEM/DER was fairly common.


Notes on other projects:

**Go**: duo-labs/webauthn; uses `X/Y` values.

* /protocol/webauthncose/webauthncose.go

**Go**: koesie10/webauthn; uses `PEM`, then the `x509` Go library to check signature.

* /webauthn/login.go
* /protocol/assertion.go

**Java**: google/webauthndemo; looks like `X/Y` values.

* /src/main/java/com/google/webauthn/gaedemo/crypto/
* /src/main/java/com/google/webauthn/gaedemo/server/

**Java**: webauthn4j/webauthn4j; stored in `JWS`, and converts to `DER` for use with verify().

* /webauthn4j-core/src/main/java/com/webauthn4j/data/jws/

**NodeJS**: fido-alliance/webauthn-demo; uses `PEM`.

* /utils.js

**.Net**: abergs/fido2-net-lib; looks like `X/Y` values, but also `DER` formatting.

* /Src/Fido2/AttestationFormat/FidoU2f.cs
* /Src/Fido2/CryptoUtils.cs
* /Src/Fido2/Objects/CredentialPublicKey.cs

* /Demo/Controller.cs
* /Src/Fido2/AuthenticatorAssertionResponse.cs
* /Src/Fido2/AuthenticatorAttestationResponse.cs
* /Src/Fido2/AttestationFormat/FidoU2f.cs

**Python**: duo-labs/py_webauthn, uses `X/Y`.

* /webauthn/

**Ruby**: cedarcode/webauthn-ruby, uses `X/Y`.

* /lib/webauthn/public_key.rb
* /lib/webauthn/authenticator_assertion_response.rb


GitHub Notification of comment by craigfrancis

Received on Sunday, 26 January 2020 17:49:54 UTC
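
On the question raised in the comment above about accepting a PEM value from a potentially hostile client, one way a server could bound and pin that input before storing it or passing it to a verify call. This is an added example, not part of the original comment or of any project listed there; it assumes a Node.js server that only registers ES256 (P-256) credentials, and `checkClientPublicKey`, `MAX_PEM_BYTES` and the sample inputs are hypothetical names and constructed data.

```javascript
// Added example: validate a client-supplied PEM public key before it is
// stored or handed to a verify call. All names here are hypothetical.
const { createPublicKey, generateKeyPairSync } = require('node:crypto');

// Assumption: the relying party only registers ES256 (P-256) credentials.
const MAX_PEM_BYTES = 1024;           // a P-256 SPKI PEM is well under this
const ALLOWED_CURVE = 'prime256v1';   // OpenSSL's name for P-256
const SPKI_LABEL = '-----BEGIN PUBLIC KEY-----';

function checkClientPublicKey(pem) {
  if (typeof pem !== 'string') return { ok: false, reason: 'not-a-string' };
  // Cap the input size before any parser sees it.
  if (Buffer.byteLength(pem) > MAX_PEM_BYTES) return { ok: false, reason: 'too-large' };
  // createPublicKey() also accepts private keys and certificates in PEM form,
  // so pin the label to SubjectPublicKeyInfo first.
  if (!pem.trimStart().startsWith(SPKI_LABEL)) return { ok: false, reason: 'wrong-label' };
  let key;
  try {
    key = createPublicKey({ key: pem, format: 'pem' });
  } catch (err) {
    return { ok: false, reason: 'unparseable' };
  }
  // Pin algorithm and curve so the client cannot choose them.
  if (key.asymmetricKeyType !== 'ec') return { ok: false, reason: 'wrong-key-type' };
  const details = key.asymmetricKeyDetails || {};
  if (details.namedCurve !== ALLOWED_CURVE) return { ok: false, reason: 'wrong-curve' };
  // Store the server's own re-serialization, not the client's bytes.
  return { ok: true, reason: null, pem: key.export({ type: 'spki', format: 'pem' }) };
}

// Constructed sample inputs, generated locally so the example runs offline.
function constructedSamples() {
  const spki = { type: 'spki', format: 'pem' };
  const p256 = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const p384 = generateKeyPairSync('ec', { namedCurve: 'secp384r1' });
  const rsa = generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    p256: p256.publicKey.export(spki),
    p384: p384.publicKey.export(spki),
    rsa: rsa.publicKey.export(spki),
    privateKey: p256.privateKey.export({ type: 'pkcs8', format: 'pem' }),
    garbage: SPKI_LABEL + '\nAAAA\n-----END PUBLIC KEY-----\n',
    oversized: SPKI_LABEL + '\n' + 'A'.repeat(5000),
  };
}

for (const [name, pem] of Object.entries(constructedSamples())) {
  console.log(name, checkClientPublicKey(pem).reason || 'accepted');
}
```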