- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Mon, 20 May 2024 14:50:13 +0000
- To: public-webauthn@w3.org
emlun has just created a new issue for https://github.com/w3c/webauthn:
== supplementalPubKeys attestation incompatible with most verification procedures ==
The `supplementalPubKeys` extension states [for its attestation signing procedure](https://w3c.github.io/webauthn/#sctn-supplemental-public-keys-attestation-calculations):
>Therefore when calculating an attestation for a supplemental public key, the inputs are:
>- For `authData`, substitute the concatenation of the byte string h’737570706c656d656e74616c5075624b657973206174746573746174696f6e2e00ffffffff' and the value of _aaguid_ from the extension output.
>- For `hash`, substitute the concatenation of the _spk_ and _nonce_ fields from the extension output. (The nonce MAY be empty.)
However, this is incompatible with most of the attestation verification procedures since most of them extract one or more fields from the `authData` argument:
- [`packed` attestation](https://w3c.github.io/webauthn/#sctn-packed-attestation):
- >(If _x5c_ is present:) If _attestnCert_ contains an extension with OID 1.3.6.1.4.1.45724.1.1.4 (id-fido-gen-ce-aaguid) verify that the value of this extension matches the [`aaguid`](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata-aaguid) in _authenticatorData_.
- The AAGUID does exist in its normal location in the modified `authData` argument, but the `AT` flag is set to zero, so implementations may refuse to access it and/or reject the data structure due to unknown trailing bytes.
- >(If _x5c_ is not present:) Validate that _alg_ matches the algorithm of the [`credentialPublicKey`](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata-credentialpublickey) in _authenticatorData_.
- [`tpm` attestation](https://w3c.github.io/webauthn/#sctn-tpm-attestation):
- >Verify that the public key specified by the `parameters` and `unique` fields of _pubArea_ is identical to the [`credentialPublicKey`](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata-credentialpublickey) in the [`attestedCredentialData`](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata) in _authenticatorData_.
- [`android-key` attestation](https://w3c.github.io/webauthn/#sctn-android-key-attestation): (Perhaps not relevant to `supplementalPubKeys`?)
- >Verify that the public key in the first certificate in _x5c_ matches the [`credentialPublicKey`](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata-credentialpublickey) in the [`attestedCredentialData`](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata) in _authenticatorData_.
- [`android-safetynet` attestation](https://w3c.github.io/webauthn/#sctn-android-safetynet-attestation) seems to be compatible.
- [`fido-u2f` attestation](https://w3c.github.io/webauthn/#sctn-fido-u2f-attestation): (probably not very relevant to `supplementalPubKeys`, but still)
- >Extract the claimed _rpIdHash_ from _authenticatorData_, and the claimed _credentialId_ and _credentialPublicKey_ from _authenticatorData_.[`attestedCredentialData`](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata).
- [`apple` attestation](https://w3c.github.io/webauthn/#sctn-apple-anonymous-attestation):
- >Verify that the [credential public key](https://w3c.github.io/webauthn/#credential-public-key) equals the Subject Public Key of _credCert_.
So existing implementations of these verification procedures may fail to verify a supplementalPubKeys attestation. The extension may need to specify modifications to the verification procedures, or adjust the extension's signing procedure to take arguments with the same structure as the original signing procedures.
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2075 using your GitHub account
--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 20 May 2024 14:50:14 UTC