[webauthn] Assertion signatures: raw or ASN.1 encoded? (#1829)

dagnelies has just created a new issue for https://github.com/w3c/webauthn:

== Assertion signatures: raw or ASN.1 encoded? ==
Currently, according to the specs https://w3c.github.io/webauthn/#sctn-signature-attestation-types , some authentication signatures are provided "raw" while others are "ASN.1" wrapped. This caused some difficulties, for example https://gist.github.com/philholden/50120652bfe0498958fd5926694ba354 because it is both unexpected and rather hidden in the specs.

> 6.5.6. Signature Formats for Packed Attestation, FIDO U2F Attestation, and **Assertion Signatures**
>
> [...] For COSEAlgorithmIdentifier **-7** (ES256) [...] the sig value **MUST be encoded as an ASN.1** [...]
> [...] For COSEAlgorithmIdentifier **-257** (RS256) [...] The signature is **not ASN.1 wrapped**.
> [...] For COSEAlgorithmIdentifier **-37** (PS256) [...] The signature is **not ASN.1 wrapped**.

Moreover, what about the -8 algo that is also recommended? Is it provided ASN.1 wrapped or raw?

Ideally, this information should also be cross referenced in some other sections, since it is critical for a proper verification of the signature. For example, either of https://w3c.github.io/webauthn/#sctn-op-get-assertion or https://w3c.github.io/webauthn/#sctn-verifying-assertion

Thanks

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1829 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 23 November 2022 10:27:41 UTC
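
Added example, not part of the issue above or of the WebAuthn specification: a strict converter from the ASN.1 DER form that the quoted section 6.5.6 requires for ES256 (SEQUENCE of two INTEGERs, r and s) to the fixed-width raw r || s form, which is what verifiers such as WebCrypto's ECDSA verify expect. The function names `derToRaw`, `readLength` and `readInteger` are hypothetical, and the default width of 32 bytes assumes the P-256 curve.

```javascript
// Added example: hypothetical helpers, not code from the issue or the spec.
function readLength(buf, pos) {
  let len = buf[pos++];
  if (len === 0x81) {                       // long form with one length byte
    len = buf[pos++];
    if (!(len >= 0x80)) throw new Error("bad or non-minimal DER length");
  } else if (len === undefined || len >= 0x80) {
    throw new Error("unsupported DER length");
  }
  return [len, pos];
}

function readInteger(buf, pos, size) {
  if (buf[pos++] !== 0x02) throw new Error("expected INTEGER");
  let len;
  [len, pos] = readLength(buf, pos);
  if (len === 0 || pos + len > buf.length) throw new Error("bad INTEGER length");
  let bytes = buf.subarray(pos, pos + len);
  if (bytes[0] & 0x80) throw new Error("negative INTEGER");
  if (bytes[0] === 0 && len > 1) {
    // A leading 0x00 is only valid as sign padding before a high-bit byte.
    if (!(bytes[1] & 0x80)) throw new Error("non-minimal INTEGER");
    bytes = bytes.subarray(1);
  }
  if (bytes.length > size) throw new Error("INTEGER too large for curve");
  const out = new Uint8Array(size);
  out.set(bytes, size - bytes.length);      // left-pad short values with zeros
  return [out, pos + len];
}

// size = byte width of one coordinate (assumption: 32 for ES256 / P-256).
function derToRaw(der, size = 32) {
  const buf = der instanceof Uint8Array ? der : new Uint8Array(der);
  if (buf[0] !== 0x30) throw new Error("expected SEQUENCE");
  let [seqLen, pos] = readLength(buf, 1);
  if (pos + seqLen !== buf.length) throw new Error("trailing or missing bytes");
  let r, s;
  [r, pos] = readInteger(buf, pos, size);
  [s, pos] = readInteger(buf, pos, size);
  if (pos !== buf.length) throw new Error("unexpected data after s");
  const raw = new Uint8Array(size * 2);
  raw.set(r, 0);
  raw.set(s, size);
  return raw;
}
```

Rejecting trailing bytes and non-minimal encodings keeps the verifier from accepting more than one byte string for the same (r, s) pair.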