[webauthn] Incorrect ASN.1 tagging (INTEGER vs ENUMERATED) in Android Key Attestation test vector (#2373)

Unknown-Robot has just created a new issue for https://github.com/w3c/webauthn:

== Incorrect ASN.1 tagging (INTEGER vs ENUMERATED) in Android Key Attestation test vector ==
I am currently implementing WebAuthn verification logic and using the W3C test vectors for validation. I encountered an ASN.1 schema mismatch in the test case "**Android Key Attestation with ES256 Credential**".

The `KeyDescription` sequence in the `x5c` certificate extension seems to use an incorrect ASN.1 tag for the `SecurityLevel` fields.

According to the [Android Key Attestation specification](https://source.android.com/docs/security/features/keystore/attestation#attestation-v400), the `attestationSecurityLevel` and `keymintSecurityLevel` fields are defined as `ENUMERATED`:

```
KeyDescription ::= SEQUENCE {
    attestationVersion           INTEGER,
    attestationSecurityLevel     SecurityLevel,
    keyMintVersion               INTEGER,
    keyMintSecurityLevel         SecurityLevel,
    attestationChallenge         OCTET_STRING,
    uniqueId                     OCTET_STRING,
    softwareEnforced             AuthorizationList,
    hardwareEnforced             AuthorizationList,
}

SecurityLevel ::= ENUMERATED {
    Software                     (0),
    TrustedEnvironment           (1),
    StrongBox                    (2),
}
```

However, in the provided test vector, these fields are encoded as `INTEGER` (Tag `0x02`) instead of `ENUMERATED` (Tag `0x0A`).

Analyzing the `extnValue` of the `KeyDescription` extension from the test vector reveals the following structure:

- `attestationVersion`: `INTEGER` (Correct)
- `attestationSecurityLevel`: `INTEGER` **(Tag `0x02`) -> INCORRECT**
- `keymintVersion`: `INTEGER` (Correct)
- `keymintSecurityLevel`: `INTEGER` **(Tag `0x02`) -> INCORRECT**

The test vector should be updated or re-generated to use the correct ASN.1 DER encoding (Tag `0x0A`) for `SecurityLevel` fields, aligning it with the official Android specifications and modern device behavior.

**References**

- **Android Key Attestation Extension Schema**:
https://source.android.com/docs/security/features/keystore/attestation#attestation-v400

- **Android Key Attestation with ES256 Credential**:
https://w3c.github.io/webauthn/#sctn-test-vectors-android-key-es256

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2373 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 29 December 2025 11:38:06 UTC
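
A strict tag check of the kind the issue describes, as an added example that is not part of the original issue or of any W3C or Android code. The function names are hypothetical and the DER bytes are constructed samples, not the W3C test vector; the check covers only the six leading `KeyDescription` fields.

```python
# Added example: constructed DER bytes, not the W3C test vector.
TAG_INTEGER, TAG_ENUMERATED, TAG_OCTET_STRING, TAG_SEQUENCE = 0x02, 0x0A, 0x04, 0x30

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV with a single-byte tag."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

# Leading KeyDescription fields and the universal tag the schema requires.
EXPECTED = [
    ("attestationVersion", TAG_INTEGER),
    ("attestationSecurityLevel", TAG_ENUMERATED),
    ("keyMintVersion", TAG_INTEGER),
    ("keyMintSecurityLevel", TAG_ENUMERATED),
    ("attestationChallenge", TAG_OCTET_STRING),
    ("uniqueId", TAG_OCTET_STRING),
]

def check_key_description_tags(der):
    """Return [(field, expected_tag, actual_tag)] for every mismatching field."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("KeyDescription must be a single DER SEQUENCE")
    mismatches, pos = [], 0
    for name, expected in EXPECTED:
        actual, _, pos = read_tlv(body, pos)
        if actual != expected:
            mismatches.append((name, expected, actual))
    return mismatches

def build(sec_tag):
    """Constructed sample: version 400, TrustedEnvironment (1), 4-byte challenge."""
    fields = (bytes([TAG_INTEGER, 2, 0x01, 0x90]) + bytes([sec_tag, 1, 1])) * 2
    fields += bytes([TAG_OCTET_STRING, 4]) + b"chal" + bytes([TAG_OCTET_STRING, 0])
    fields += bytes([TAG_SEQUENCE, 0]) * 2  # empty AuthorizationLists
    return bytes([TAG_SEQUENCE, len(fields)]) + fields

SPEC_ENCODED = build(TAG_ENUMERATED)   # SecurityLevel tagged 0x0A, per the schema
INTEGER_ENCODED = build(TAG_INTEGER)   # SecurityLevel tagged 0x02, as the issue reports
```

The content bytes of both encodings are identical, so a parser that reads the value without checking the tag accepts either form, while a schema-strict decoder rejects the `INTEGER` one.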