Implement assertion #14
Maybe we should look at how https://github.com/duo-labs/webauthn/blob/master/protocol/webauthncose/webauthncose.go implements it
This fucking standard is beyond parody! The Signature in the cbor value is ASN.1 encoded signature. Using the function defined in [RFC8017], the signature is:
Sorry this one. https://www.w3.org/TR/webauthn/#signature-attestation-types The COSE one isn't asn.1 but fixed size. But the one in webauthn is for backwards compatibility reasons. Wow :/
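The two signature layouts discussed above, as an added example that is neither this project's code nor the duo-labs implementation: it converts the ASN.1 DER `Ecdsa-Sig-Value` (SEQUENCE of INTEGER r, INTEGER s) that a WebAuthn assertion carries into the fixed-size `r||s` layout COSE uses, and back, while rejecting the non-minimal and negative INTEGER encodings strict DER forbids. It assumes P-256 (32-byte r and s); the sample signature bytes are constructed for illustration, not a real signature.

```python
COORD_LEN = 32  # P-256 scalar size in bytes (assumed for this example)


def _parse_der_int(buf: bytes, pos: int):
    """Parse one short-form DER INTEGER at buf[pos]; return (value, next pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length = buf[pos + 1]
    body = buf[pos + 2:pos + 2 + length]
    if length == 0 or length & 0x80 or len(body) != length:
        raise ValueError("bad INTEGER length")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER is not a valid ECDSA value")
    if length > 1 and body[0] == 0x00 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER (not DER)")
    return int.from_bytes(body, "big"), pos + 2 + length


def der_to_fixed(sig: bytes) -> bytes:
    """DER SEQUENCE{r, s} -> r||s, each value zero-padded to COORD_LEN bytes."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] & 0x80 or sig[1] + 2 != len(sig):
        raise ValueError("expected SEQUENCE with matching short-form length")
    r, pos = _parse_der_int(sig, 2)
    s, pos = _parse_der_int(sig, pos)
    if pos != len(sig):
        raise ValueError("trailing bytes inside SEQUENCE")
    if max(r, s).bit_length() > 8 * COORD_LEN:
        raise ValueError("value too large for the curve")
    return r.to_bytes(COORD_LEN, "big") + s.to_bytes(COORD_LEN, "big")


def _der_int(value: int) -> bytes:
    # Minimal big-endian bytes, plus a 0x00 pad byte when the top bit is set.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return bytes([0x02, len(body)]) + body


def fixed_to_der(raw: bytes) -> bytes:
    """r||s (2 * COORD_LEN bytes) -> DER SEQUENCE{r, s}."""
    if len(raw) != 2 * COORD_LEN:
        raise ValueError("fixed-size signature has the wrong length")
    body = _der_int(int.from_bytes(raw[:COORD_LEN], "big"))
    body += _der_int(int.from_bytes(raw[COORD_LEN:], "big"))
    return bytes([0x30, len(body)]) + body


# Constructed sample: r has its top bit set (DER needs a 0x00 pad byte) and
# s is only 30 bytes long (the fixed form needs two leading zero bytes).
R_BYTES = bytes([0x80]) + bytes([0x11]) * 31
S_BYTES = bytes([0x7F]) + bytes([0x22]) * 29
SAMPLE_DER = bytes.fromhex("3043022100") + R_BYTES + bytes.fromhex("021e") + S_BYTES
SAMPLE_FIXED = R_BYTES + b"\x00\x00" + S_BYTES
```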
@duijf I fixed the signature code! I don't know what else needs to happen in this PR, so I give it back to you
I managed to get this to work 🎉 Also found a bug in our cookie settings while I was at this: we didn't set the cookie path, so we would have separate sessions per URL of our application. I changed this to set all cookies on You can test this in your browser by keeping an eye on your devtools while doing:
(Admittedly, this is not a convincing demo and bad UX. We can clean that up later, the most important thing is that this works!)
Cool. Just tried and it works! How about we add a However we can also clean up the "UX" of the demo in a later PR.
This sounds nice! I would like to wait on #15 to land before we spend time on this though
This generic @casSession@ function performs compare and swap over session data. This ensures we don't accidentally update something where we didn't expect it.
What a journey; what a ride. Assertion signatures now work! TODO: Clean up the code a bit?
This allows for nasty attacks otherwise. Also fix some warnings about unused variables
This was messing up our session management and was causing the wrong session keys to be sent to the server.
Rebased and resolved conflicts. Am going to merge this
WIP PR to implement assertion.
Updated Ruud's test fixtures. The tests still fail on actually verifying the signature.