[webauthn] Unclear/underspecified signature formats (#1721)

infinisil has just created a new issue for https://github.com/w3c/webauthn:

== Unclear/underspecified signature formats ==
In many places, the specification doesn't declare formats of signatures clearly. This issue is a summary of the current state of the specification.

## Assertion signature

Generating an assertion signature is partially specified in step 11 of [6.3.3. The _authenticatorGetAssertion_ Operation](https://w3c.github.io/webauthn/#sctn-op-get-assertion):

> Let signature be the [assertion signature](https://w3c.github.io/webauthn/#assertion-signature) of the concatenation `authenticatorData || hash` using the [privateKey](https://w3c.github.io/webauthn/#public-key-credential-source-privatekey) of selectedCredential as shown in [Figure 4](https://w3c.github.io/webauthn/#fig-signature), below.


This section however doesn't specify what the "Sign" block of the signature does. Instead this can be found later in [6.5.5 Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures](https://w3c.github.io/webauthn/#sctn-signature-attestation-types), containing a rather confusing explanation:

> - For COSEAlgorithmIdentifier -7 (ES256), and other ECDSA-based algorithms, the `sig` value MUST be encoded as an ASN.1 DER Ecdsa-Sig-Value, as defined in [\[RFC3279\]](https://w3c.github.io/webauthn/#biblio-rfc3279) section 2.2.3.

The title mentions assertion signatures, but `sig` usually refers to the attestation signatures. Does this apply to both?

And what is the COSEAlgorithmIdentifier for assertion signatures? Section 6.3.3 makes no mention of any signature algorithm.

> It is RECOMMENDED that any new attestation formats defined not use ASN.1 encodings, but instead represent signatures as equivalent fixed-length byte arrays without internal structure, using the same representations as used by COSE signatures as defined in [\[RFC8152\]](https://w3c.github.io/webauthn/#biblio-rfc8152) and [\[RFC8230\]](https://w3c.github.io/webauthn/#biblio-rfc8230).
> The below signature format definitions satisfy this requirement and serve as examples for deriving the same for other signature algorithms not explicitly mentioned here:

These paragraphs seem to again be specific to attestation signatures, indicating that attestation statement formats can choose the signature encoding themselves. However, it doesn't say anything about assertion signatures.

## Attestation signatures

Again from the above section we also don't really have anything as for attestation signatures. Let's look at individual attestation statement formats:

### [packed](https://w3c.github.io/webauthn/#sctn-packed-attestation)

:x: Doesn't specify the format of the `sig` field.

> If [Basic](https://w3c.github.io/webauthn/#basic) or [AttCA](https://w3c.github.io/webauthn/#attca) [attestation](https://w3c.github.io/webauthn/#attestation) is in use, the authenticator produces the sig by concatenating authenticatorData and clientDataHash, and signing the result using an [attestation private key](https://w3c.github.io/webauthn/#attestation-private-key) selected through an authenticator-specific mechanism.

> If [self attestation](https://w3c.github.io/webauthn/#self-attestation) is in use, the authenticator produces sig by concatenating authenticatorData and clientDataHash, and signing the result using the credential private key.

### [tpm](https://w3c.github.io/webauthn/#sctn-tpm-attestation)

:heavy_check_mark: Does specify the format:

> sig: The [attestation signature](https://w3c.github.io/webauthn/#attestation-signature), in the form of a TPMT\_SIGNATURE structure as specified in [\[TPMv2-Part2\]](https://w3c.github.io/webauthn/#biblio-tpmv2-part2) section 11.3.4.

> Generate a signature using the procedure specified in [\[TPMv2-Part3\]](https://w3c.github.io/webauthn/#biblio-tpmv2-part3) Section 18.2, using the attestation private key and setting the `extraData` parameter to the digest of attToBeSigned using the hash algorithm corresponding to the "alg" signature algorithm. (For the "RS256" algorithm, this would be a SHA-256 digest.)

### [android-key](https://w3c.github.io/webauthn/#sctn-android-key-attestation)

:x: Doesn't specify the format

> The authenticator produces sig by concatenating authenticatorData and clientDataHash, and signing the result using the credential private key.

### [android-safetynet](https://w3c.github.io/webauthn/#sctn-android-safetynet-attestation)

:heavy_check_mark: Doesn't have a `sig` field, but a `response` one instead, of which the format is specified.

> response: The [UTF-8 encoded](https://encoding.spec.whatwg.org/#utf-8-encode) result of the getJwsResult() call of the SafetyNet API. This value is a JWS [\[RFC7515\]](https://w3c.github.io/webauthn/#biblio-rfc7515) object (see [SafetyNet online documentation](https://developer.android.com/training/safetynet/attestation#compat-check-response)) in Compact Serialization.

### [fido-u2f](https://w3c.github.io/webauthn/#sctn-fido-u2f-attestation)

:heavy_check_mark: Does specify the format

> Generate a Registration Response Message as specified in [\[FIDO-U2F-Message-Formats\]](https://w3c.github.io/webauthn/#biblio-fido-u2f-message-formats) [Section 4.3](https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#registration-response-message-success), with the application parameter set to the SHA-256 hash of the [RP ID](https://w3c.github.io/webauthn/#rp-id) that the given [credential](https://w3c.github.io/webauthn/#public-key-credential) is [scoped](https://w3c.github.io/webauthn/#scope) to, the challenge parameter set to clientDataHash, and the key handle parameter set to the [credential ID](https://w3c.github.io/webauthn/#credential-id) of the given credential. Set the raw signature part of this Registration Response Message (i.e., without the [user public key](https://w3c.github.io/webauthn/#user-public-key), key handle, and attestation certificates) as sig and set the attestation certificates of the attestation public key as x5c.

### [none](https://w3c.github.io/webauthn/#sctn-none-attestation)

(has no signature)

### [apple](https://w3c.github.io/webauthn/#sctn-apple-anonymous-attestation)

(has no signature)

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1721 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 25 April 2022 19:11:55 UTC
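
The issue above turns on two ECDSA signature encodings: the ASN.1 DER Ecdsa-Sig-Value quoted from section 6.5.5, and the fixed-length byte array (`r || s`) that COSE uses. The following is an added example, not part of the original issue or the WebAuthn specification, showing a strict conversion between the two so a relying party can see what its verifier has to accept or reject. The function names and the P-256 size default are assumptions of this sketch.

```python
# Added example (not spec text). Assumes size=32, i.e. P-256 / ES256.
def _read_len(buf, pos):
    """Return (length, next_pos); accept only minimal definite DER lengths."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    if first != 0x81 or buf[pos + 1] < 0x80:
        raise ValueError("unsupported or non-minimal DER length")
    return buf[pos + 1], pos + 2

def _read_int(buf, pos):
    """Return (value, next_pos) for a positive, minimally encoded INTEGER."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    n, pos = _read_len(buf, pos + 1)
    body = buf[pos:pos + n]
    if len(body) != n or n == 0 or body[0] & 0x80:
        raise ValueError("truncated, empty or negative INTEGER")
    if n > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER padding")
    return int.from_bytes(body, "big"), pos + n

def der_to_raw(der, size=32):
    """Strictly parse an Ecdsa-Sig-Value and return fixed-length r || s."""
    try:
        n, pos = _read_len(der, 1)
        if der[0] != 0x30 or pos + n != len(der):
            raise ValueError("not a SEQUENCE spanning the whole input")
        r, pos = _read_int(der, pos)
        s, pos = _read_int(der, pos)
    except IndexError:
        raise ValueError("truncated DER") from None
    if pos != len(der) or max(r, s) >> (8 * size):
        raise ValueError("trailing bytes or integer too large for curve")
    return r.to_bytes(size, "big") + s.to_bytes(size, "big")

def _der_int(b):
    b = b.lstrip(b"\x00") or b"\x00"
    b = b"\x00" + b if b[0] & 0x80 else b  # pad so the INTEGER stays positive
    return b"\x02" + bytes([len(b)]) + b

def raw_to_der(raw, size=32):
    """Encode fixed-length r || s as a DER Ecdsa-Sig-Value."""
    if len(raw) != 2 * size:
        raise ValueError("raw signature must be exactly 2 * size bytes")
    body = _der_int(raw[:size]) + _der_int(raw[size:])
    return b"\x30" + (b"\x81" if len(body) > 0x7F else b"") + bytes([len(body)]) + body

SAMPLE_RAW = b"\x80" + bytes(31) + bytes(31) + b"\x05"  # constructed r || s, not a real signature
```

The DER form varies in length with the leading bytes of `r` and `s` (40 bytes for the constructed sample, against a constant 64 for the raw form), which is why a verifier needs to know which encoding a given signature field carries.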