[webauthn] Pull Request: Fix missing ASN.1 values in android-key test vector

Unknown-Robot has just submitted a new pull request for https://github.com/w3c/webauthn:

== Fix missing ASN.1 values in android-key test vector ==
## Context

This PR fixes the Android Key Attestation test vector generation script. 

Currently, the `softwareEnforced` and `teeEnforced` values in the `attestation` extension (OID `1.3.6.1.4.1.11129.2.1.17`) of the generated certificate are empty sequences.

However, the WebAuthn Level 3 specification (Verification Procedure for Android Key Attestation) mandates verifying that:
- The value in the `AuthorizationList.origin` field is equal to `KM_ORIGIN_GENERATED`.
- The value in the `AuthorizationList.purpose` field is equal to `KM_PURPOSE_SIGN`.

## Changes

- Updated `webauthn-test-vectors.py` to replace the generic empty list with ASN.1 `SEQUENCE` constructions:
    - **`softwareEnforced`**: Explicit construction of an empty `SEQUENCE` to represent `AuthorizationList`
    - **`teeEnforced`**: Explicit construction of a `SEQUENCE` to represent `AuthorizationList` with fields:
        - `purpose` [Tag 1]: Encoded as an `EXPLICIT SET OF INTEGER` containing `KM_PURPOSE_SIGN` (integer `2`).
        - `origin` [Tag 702]: Encoded as an `EXPLICIT INTEGER` value `KM_ORIGIN_GENERATED` (integer `0`).
- Regenerated the test vector artifact `index.bs` with `test-vectors/inject-generated-content.sh`.

## References

- **WebAuthn Spec:** [Section 8.4. - Android Key Attestation Statement Format - Verification procedure](https://www.w3.org/TR/webauthn-3/#sctn-android-key-attestation)
    > The value in the `AuthorizationList.origin` field is equal to `KM_ORIGIN_GENERATED`.
    > The value in the `AuthorizationList.purpose` field is equal to `KM_PURPOSE_SIGN`.

- **Android Documentation:** [Key attestation - Attestation extension - Schema](https://source.android.com/docs/security/features/keystore/attestation#attestation-v400)

- **Android Source:**
    - **KM_ORIGIN_GENERATED (0):** [android.hardware.security.keymint.KeyOrigin](https://android.googlesource.com/platform//hardware/interfaces/+/master/security/keymint/aidl/android/hardware/security/keymint/KeyOrigin.aidl)
    - **KM_PURPOSE_SIGN (2):** [android.hardware.security.keymint.KeyPurpose](https://android.googlesource.com/platform//hardware/interfaces/+/refs/heads/main/security/keymint/aidl/android/hardware/security/keymint/KeyPurpose.aidl)

## Notes to Maintainers

**1. Stacked PR**
This PR is based on the branch `issue-2373-android-key-test-vectors` (from PR #2373) to avoid merge conflicts, as suggested by @emlun.

**2. Future Improvements**
While reviewing the WebAuthn Level 3 spec (Section 8.4) regarding the "union of teeEnforced and softwareEnforced", I noticed we currently lack a test vector that exercises the "Software Only" or "Hybrid" path.

The current vector—once fixed by this PR—represents the "Ideal/Strict" path (TEE-backed). To fully validate the "Permissive Mode" logic in Relying Parties, it would be beneficial to add a separate test vector in the future where Purpose and Origin are located in `softwareEnforced`.

I would be happy to open a separate issue or follow-up PR to address this gap if the maintainers agree.

See https://github.com/w3c/webauthn/pull/2379


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 23 January 2026 15:43:19 UTC
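
Added example, not part of the pull request or of `webauthn-test-vectors.py`: a dependency-free Python sketch of how a Relying Party could decode the `AuthorizationList` encoding described above and apply the `origin`/`purpose` check. The byte strings are constructed by hand from that description, and the function names, the `tee_only` switch and the reading of "equal to `KM_PURPOSE_SIGN`" as the set `{2}` are assumptions of this example.

```python
KM_PURPOSE_SIGN, KM_ORIGIN_GENERATED = 2, 0   # values quoted in the PR text
TAG_PURPOSE, TAG_ORIGIN = 1, 702              # AuthorizationList tags from the PR text
# Constructed by hand from the encoding the PR describes (not the real test vector):
TEE_ENFORCED = bytes.fromhex("300ea1053103020102bf853e03020100")
EMPTY_LIST = bytes.fromhex("3000")

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (class_bits, tag_number, value, next_pos)."""
    first, pos = buf[pos], pos + 1
    tag = first & 0x1F
    if tag == 0x1F:                       # high-tag-number form, needed for 702
        tag = 0
        while True:
            byte, pos = buf[pos], pos + 1
            tag = (tag << 7) | (byte & 0x7F)
            if not byte & 0x80:
                break
    length, pos = buf[pos], pos + 1
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return first & 0xC0, tag, buf[pos:pos + length], pos + length

def children(value):
    pos, out = 0, []
    while pos < len(value):
        cls, tag, inner, pos = read_tlv(value, pos)
        out.append((cls, tag, inner))
    return out

def parse_authorization_list(der):
    """Return the purpose (set of ints) and origin (int) fields that are present."""
    cls, tag, body, end = read_tlv(der, 0)
    if (cls, tag) != (0x00, 0x10) or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    fields = {}
    for cls, tag, inner in children(body):
        if cls == 0x80 and tag == TAG_PURPOSE:    # [1] EXPLICIT SET OF INTEGER
            set_body = read_tlv(inner, 0)[2]
            fields["purpose"] = {int.from_bytes(v, "big", signed=True) for _, _, v in children(set_body)}
        elif cls == 0x80 and tag == TAG_ORIGIN:   # [702] EXPLICIT INTEGER
            fields["origin"] = int.from_bytes(read_tlv(inner, 0)[2], "big", signed=True)
    return fields

def satisfies_webauthn(tee_der, sw_der, tee_only=True):
    # Assumption: purpose must be exactly {SIGN}; permissive mode fills gaps from softwareEnforced.
    tee, sw = parse_authorization_list(tee_der), parse_authorization_list(sw_der)
    fields = tee if tee_only else {**sw, **tee}
    return fields.get("origin") == KM_ORIGIN_GENERATED and fields.get("purpose") == {KM_PURPOSE_SIGN}
```

Swapping the two arguments models the software-only case: it fails with `tee_only=True` and passes with `tee_only=False`. The extension comes from an untrusted certificate, so a production verifier would use a maintained ASN.1 library and reject malformed input rather than rely on this minimal reader.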