Re: [webauthn] Provide the public key in `AuthenticatorAttestationResponse` (#1363)

@grzuy, thanks for the overview.

I'm just wondering if we could go a bit further: rather than every project needing to include multiple libraries/dependencies, could we get the requirements down to 0?

As in, avoid any parsing, and simply have the browser provide you something that can be:

1. Sent via a POST request.
2. Stored, probably in a database.
3. Used directly in the signature verification step.

In PHP, if the browser provided the key with PEM encoding, the signature checking step can be done with the core functions provided by PHP:

    <?php
    $key = '-----BEGIN PUBLIC KEY----- [...] -----END PUBLIC KEY-----'; // PEM Encoded

    $verify  = base64_decode($response['authenticatorData']);
    $verify .= hash('sha256', base64_decode($response['clientDataJSON']), true);

    $signature = base64_decode($response['signature']);

    if (openssl_verify($verify, $signature, $key, OPENSSL_ALGO_SHA256) === 1) {
        // Success
    }
    ?>

So when it comes to Ruby, is there anything built in that can do the signature verification step? And if so, what format(s) does the key need to be in?

-- 
GitHub Notification of comment by craigfrancis
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1363#issuecomment-580249564 using your GitHub account

Received on Thursday, 30 January 2020 13:21:48 UTC
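
On the Ruby question in the comment above, an added example (not part of the original comment or of any project's code): the same check as the PHP snippet, done with the `openssl` library that ships with Ruby and a PEM-encoded public key. The helper names, the throwaway RSA key standing in for an authenticator, and the `example.test` values are constructed for the demo.

```ruby
require "openssl"

# Strict base64 decode; raises ArgumentError on malformed input.
def b64d(str)
  str.unpack1("m0")
end

def sha256(data)
  OpenSSL::Digest.new("SHA256").digest(data)
end

# True only if the signature covers authenticatorData || SHA-256(clientDataJSON),
# the same byte string the PHP snippet builds in $verify.
# Any malformed field, key or signature is treated as a failed verification.
def assertion_signature_valid?(pem, response)
  signed = b64d(response.fetch("authenticatorData")) +
           sha256(b64d(response.fetch("clientDataJSON")))
  key = OpenSSL::PKey.read(pem) # accepts "-----BEGIN PUBLIC KEY-----" PEM
  key.verify(OpenSSL::Digest.new("SHA256"), b64d(response.fetch("signature")), signed)
rescue ArgumentError, KeyError, OpenSSL::OpenSSLError
  false
end

# Constructed sample: builds a response hash shaped like the one in the PHP
# snippet and signs it with a freshly generated key (assumption: RSA, SHA-256).
def constructed_sample
  key = OpenSSL::PKey::RSA.new(2048)
  auth_data = sha256("example.test") + "\x01".b + [7].pack("N") # rpIdHash, flags, counter
  client_data = '{"type":"webauthn.get","challenge":"Y29uc3RydWN0ZWQ",' \
                '"origin":"https://example.test"}'
  signature = key.sign(OpenSSL::Digest.new("SHA256"), auth_data + sha256(client_data))
  response = {
    "authenticatorData" => [auth_data].pack("m0"),
    "clientDataJSON"    => [client_data].pack("m0"),
    "signature"         => [signature].pack("m0")
  }
  [key.public_key.to_pem, response]
end

if __FILE__ == $PROGRAM_NAME
  pem, response = constructed_sample
  puts "genuine:  #{assertion_signature_valid?(pem, response)}"
  forged = response.merge("authenticatorData" => [("\x00" * 37).b].pack("m0"))
  puts "tampered: #{assertion_signature_valid?(pem, forged)}"
end
```

This covers only the signature step; the challenge, origin, RP ID hash and counter inside the signed data still have to be checked separately.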