- From: CrazyChris75 via GitHub <sysbot+gh@w3.org>
- Date: Mon, 21 Sep 2020 13:38:24 +0000
- To: public-webauthn@w3.org
Anybody have a working Java code snippet on how to verify the publicKey (from AuthenticatorAttestationResponse.getPublicKey()) on the Java server side? This is what I have and it runs through but I always get isCorrect==false

```java
import java.nio.ByteBuffer;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;

// clientDataJSON arrives base64url encoded; the signed data uses its SHA-256 hash
byte[] clientDataJSON = Base64UrlUtil.decode(json.getAsString("response.clientDataJSON"));
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] clientDataHash = md.digest(clientDataJSON);

// Signed data is authenticatorData || SHA-256(clientDataJSON)
byte[] authenticatorData = Base64UrlUtil.decode(json.getAsString("response.authenticatorData"));
ByteBuffer signatureBase = ByteBuffer.allocate(authenticatorData.length + clientDataHash.length)
        .put(authenticatorData)
        .put(clientDataHash);
// After put() the buffer's position equals its limit, so Signature.update(ByteBuffer) would
// consume zero bytes; flip() resets the position to 0 so the whole buffer is fed in.
signatureBase.flip();

byte[] signature = Base64UrlUtil.decode(json.getAsString("response.signature"));

// getPublicKey() returns a DER SubjectPublicKeyInfo, which is what X509EncodedKeySpec expects
KeyFactory kf = KeyFactory.getInstance("EC");
X509EncodedKeySpec ks = new X509EncodedKeySpec(
        Base64UrlUtil.decode(<<publicKey from previous AuthenticatorAttestationResponse.getPublicKey()>>));
PublicKey publicKey = kf.generatePublic(ks);

Signature sig = Signature.getInstance("SHA256withECDSA");
sig.initVerify(publicKey);
sig.update(signatureBase);
boolean isCorrect = sig.verify(signature);
```

PS: AuthenticatorAttestationResponse.getPublicKey() is really great! I just spent 3 days trying to CBOR decode everything in Java on the server before I found this. Any advice on what I am missing in my code to verify the authenticatorData using the signature is highly appreciated!

-- 
GitHub Notification of comment by CrazyChris75
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1363#issuecomment-696120575 using your GitHub account

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 21 September 2020 13:38:26 UTC
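As an added, self-contained Java example (not the poster's code and not part of the WebAuthn spec or any library it names), the program below performs the assertion check the post is attempting: it loads a DER SubjectPublicKeyInfo key with X509EncodedKeySpec, verifies SHA256withECDSA over authenticatorData || SHA-256(clientDataJSON), and adds the authenticatorData checks (rpIdHash, user-present flag, signature counter) that belong beside the signature check. It also reproduces the ByteBuffer pitfall in the posted snippet: Signature.update(ByteBuffer) reads from the buffer's position to its limit, and after put() those are equal, so without flip() the signature is verified over zero bytes and verify() returns false. All inputs are constructed: a freshly generated P-256 key pair stands in for the credential, the rpId "example.com", the counter value and the clientDataJSON string are made up for the demonstration, and the server-side helper names (signedData, verifyViaByteBuffer, checkAuthenticatorData) are this example's own.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;

public class WebAuthnAssertionCheck {

    // Signed data for an assertion is authenticatorData || SHA-256(clientDataJSON).
    static byte[] signedData(byte[] authenticatorData, byte[] clientDataJSON)
            throws GeneralSecurityException {
        byte[] clientDataHash = MessageDigest.getInstance("SHA-256").digest(clientDataJSON);
        byte[] out = Arrays.copyOf(authenticatorData, authenticatorData.length + clientDataHash.length);
        System.arraycopy(clientDataHash, 0, out, authenticatorData.length, clientDataHash.length);
        return out;
    }

    // spkiDer is the DER SubjectPublicKeyInfo that getPublicKey() returns; X509EncodedKeySpec takes it as-is.
    static PublicKey loadKey(byte[] spkiDer) throws GeneralSecurityException {
        return KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(spkiDer));
    }

    // Verification over a plain byte[]; no buffer-position problem is possible here.
    static boolean verify(byte[] spkiDer, byte[] authData, byte[] clientDataJSON, byte[] signature)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initVerify(loadKey(spkiDer));
        sig.update(signedData(authData, clientDataJSON));
        return sig.verify(signature);
    }

    // The same check through a ByteBuffer filled with put(). update(ByteBuffer) consumes the bytes
    // between position and limit; after put() position == limit, so flip=false verifies zero bytes.
    static boolean verifyViaByteBuffer(byte[] spkiDer, byte[] authData, byte[] clientDataJSON,
                                       byte[] signature, boolean flip) throws GeneralSecurityException {
        byte[] clientDataHash = MessageDigest.getInstance("SHA-256").digest(clientDataJSON);
        ByteBuffer buf = ByteBuffer.allocate(authData.length + clientDataHash.length)
                .put(authData).put(clientDataHash);
        if (flip) buf.flip();
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initVerify(loadKey(spkiDer));
        sig.update(buf);
        return sig.verify(signature);
    }

    // Checks on authenticatorData that accompany the signature: rpIdHash, UP flag, signature counter.
    static boolean checkAuthenticatorData(byte[] authData, String rpId, long storedCounter)
            throws GeneralSecurityException {
        if (authData.length < 37) return false;            // 32 rpIdHash + 1 flags + 4 counter
        byte[] expectedRpIdHash = MessageDigest.getInstance("SHA-256")
                .digest(rpId.getBytes(StandardCharsets.UTF_8));
        if (!MessageDigest.isEqual(Arrays.copyOfRange(authData, 0, 32), expectedRpIdHash)) return false;
        boolean userPresent = (authData[32] & 0x01) != 0;
        long counter = ByteBuffer.wrap(authData, 33, 4).getInt() & 0xffffffffL;
        // A counter that does not advance suggests a cloned authenticator; zero on both sides means unsupported.
        boolean counterOk = counter > storedCounter || (counter == 0 && storedCounter == 0);
        return userPresent && counterOk;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed data: a fresh P-256 key pair plays the role of the registered credential.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();
        byte[] spkiDer = kp.getPublic().getEncoded();   // same DER SPKI shape as getPublicKey()

        String rpId = "example.com";
        byte[] authData = new byte[37];
        System.arraycopy(MessageDigest.getInstance("SHA-256").digest(rpId.getBytes(StandardCharsets.UTF_8)),
                0, authData, 0, 32);
        authData[32] = 0x01;                             // UP (user present) flag
        ByteBuffer.wrap(authData, 33, 4).putInt(7);      // constructed signature counter
        byte[] clientDataJSON = ("{\"type\":\"webauthn.get\",\"challenge\":\"constructed-challenge\","
                + "\"origin\":\"https://example.com\"}").getBytes(StandardCharsets.UTF_8);

        // The authenticator's side: sign authenticatorData || SHA-256(clientDataJSON).
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(kp.getPrivate());
        signer.update(signedData(authData, clientDataJSON));
        byte[] signature = signer.sign();

        System.out.println("byte[] verify:            " + verify(spkiDer, authData, clientDataJSON, signature));
        System.out.println("ByteBuffer without flip:  "
                + verifyViaByteBuffer(spkiDer, authData, clientDataJSON, signature, false));
        System.out.println("ByteBuffer with flip:     "
                + verifyViaByteBuffer(spkiDer, authData, clientDataJSON, signature, true));
        System.out.println("authenticatorData checks: " + checkAuthenticatorData(authData, rpId, 3));
    }
}
```

Run it with `javac WebAuthnAssertionCheck.java && java WebAuthnAssertionCheck`; the byte[] path and the flipped ByteBuffer path verify, the unflipped ByteBuffer path does not, and the authenticatorData checks pass because the counter (7) is above the stored value (3). In a real relying party the challenge inside clientDataJSON and the origin must also be compared against what the server issued and expects, which this example leaves to the caller.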