Re: [webauthn] Provide the public key in `AuthenticatorAttestationResponse` (#1363)

Anybody have a working Java code snippet on how to verify the publicKey (from AuthenticatorAttestationResponse.getPublicKey()) on the Java server side?

This is what I have and it runs through but I always get isCorrect==false

import java.nio.ByteBuffer;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;

byte[] clientDataJSON = Base64UrlUtil.decode(json.getAsString("response.clientDataJSON"));
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] clientDataHash = md.digest(clientDataJSON);
byte[] authenticatorData = Base64UrlUtil.decode(json.getAsString("response.authenticatorData"));
// The signed message is authenticatorData || SHA-256(clientDataJSON); take it out of the ByteBuffer as a byte[]
byte[] signatureBase = ByteBuffer.allocate(authenticatorData.length + clientDataHash.length)
        .put(authenticatorData).put(clientDataHash).array();

byte[] signature = Base64UrlUtil.decode(json.getAsString("response.signature"));

// getPublicKey() returns a DER SubjectPublicKeyInfo, which is exactly what X509EncodedKeySpec expects
KeyFactory kf = KeyFactory.getInstance("EC");
X509EncodedKeySpec ks = new X509EncodedKeySpec(Base64UrlUtil.decode(<<publicKey from previous AuthenticatorAttestationResponse.getPublicKey()>>));
PublicKey publicKey = kf.generatePublic(ks);

Signature sig = Signature.getInstance("SHA256withECDSA");
sig.initVerify(publicKey);   // was missing: bind the verifier to the credential public key
sig.update(signatureBase);   // was missing: feed the signed bytes before calling verify()
boolean isCorrect = sig.verify(signature);

PS: AuthenticatorAttestationResponse.getPublicKey() is really great! I just spent 3 days trying to CBOR decode everything in Java on the server before I found this.

Any advice on what I am missing in my code to verify the authenticatorData using the signature is highly appreciated!

GitHub Notification of comment by CrazyChris75

Received on Monday, 21 September 2020 13:38:26 UTC
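A self-contained version of the check being asked about, added here as an example and not code from the thread: it generates a P-256 key pair to stand in for the authenticator, constructs authenticatorData and clientDataJSON, signs them as an authenticator would, and verifies with the initVerify/update/verify sequence, then shows that a tampered sign counter is rejected. It assumes the Base64Url fields have already been decoded, and maps the COSE algorithm id from getPublicKeyAlgorithm() (ES256 = -7, RS256 = -257) to the matching JCA names.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.X509EncodedKeySpec;

public class WebAuthnAssertionVerifier {
    // The signed message is authenticatorData || SHA-256(clientDataJSON), never clientDataJSON itself.
    static byte[] signedMessage(byte[] authenticatorData, byte[] clientDataJSON) throws GeneralSecurityException {
        byte[] clientDataHash = MessageDigest.getInstance("SHA-256").digest(clientDataJSON);
        return ByteBuffer.allocate(authenticatorData.length + clientDataHash.length)
                .put(authenticatorData).put(clientDataHash).array();
    }

    // spkiDer is the DER SubjectPublicKeyInfo from getPublicKey(); coseAlg is getPublicKeyAlgorithm()
    // (ES256 = -7, RS256 = -257), which picks the matching JCA key factory and signature algorithm.
    static boolean verifyAssertion(byte[] spkiDer, int coseAlg, byte[] authenticatorData,
                                   byte[] clientDataJSON, byte[] signature) throws GeneralSecurityException {
        if (coseAlg != -7 && coseAlg != -257) throw new IllegalArgumentException("unsupported COSE alg " + coseAlg);
        boolean rsa = coseAlg == -257;
        PublicKey pk = KeyFactory.getInstance(rsa ? "RSA" : "EC").generatePublic(new X509EncodedKeySpec(spkiDer));
        Signature sig = Signature.getInstance(rsa ? "SHA256withRSA" : "SHA256withECDSA");
        sig.initVerify(pk);                                            // bind the verifier to the credential key
        sig.update(signedMessage(authenticatorData, clientDataJSON));  // feed the signed bytes
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the authenticator: a fresh P-256 key plays the credential key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();
        byte[] spki = kp.getPublic().getEncoded();                     // same DER form getPublicKey() returns

        // Constructed authenticatorData: rpIdHash (32) || flags (UP = 0x01) || signCount (4 bytes, big-endian).
        byte[] rpIdHash = MessageDigest.getInstance("SHA-256").digest("example.com".getBytes(StandardCharsets.UTF_8));
        byte[] authData = ByteBuffer.allocate(37).put(rpIdHash).put((byte) 0x01).putInt(42).array();
        byte[] clientDataJSON = "{\"type\":\"webauthn.get\",\"challenge\":\"constructed\",\"origin\":\"https://example.com\"}"
                .getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(kp.getPrivate());
        signer.update(signedMessage(authData, clientDataJSON));
        byte[] signature = signer.sign();

        System.out.println("valid assertion:  " + verifyAssertion(spki, -7, authData, clientDataJSON, signature));
        authData[36] ^= 1;   // tamper with the sign counter: the same signature must now be rejected
        System.out.println("tampered counter: " + verifyAssertion(spki, -7, authData, clientDataJSON, signature));
    }
}
```

This covers only the signature step the post asks about; before it, a relying party still checks the type, challenge and origin inside clientDataJSON and the rpIdHash, flags and sign counter in authenticatorData.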