Fix Android attestation (#546)

* Fix Android attestation Android attestation had a circular dependency on the public key: The authenticatorData has a public key that was originally intended to be stuck in the ChallengeData for generating a new keypair. When calling this function the public key isn't available to us yet. We have made a change to bring this in line with other attestation formats (ie. packed attestation). * Update index.bs * Update index.bs
w3c · Sep 13, 2017 · db1be80 · db1be80
1 parent dcf7939
commit db1be80
Showing 1 changed file with 13 additions and 6 deletions.
diff --git a/index.bs b/index.bs
@@ -2424,19 +2424,26 @@ the attestation=] is consistent with the fields of the attestation certificate's
                           attStmt: androidStmtFormat
                       )
 
-    androidStmtFormat = bytes
+    androidStmtFormat = {
+                          alg: rsaAlgName / eccAlgName,
+                          sig: bytes,
+                          x5c: [ credCert: bytes, * (caCert: bytes) ]
+                        }
+
     ```
 
 : Signing procedure
 :: Let |authenticatorData| denote the [=authenticator data for the attestation=], and let |clientDataHash| denote the
     [=hash of the serialized client data=].
 
-    Concatenate |authenticatorData| and |clientDataHash| to form |attToBeSigned|.
-
-    Request an Android Key Attestation by calling "keyStore.getCertificateChain(myKeyUUID)") providing |attToBeSigned| as the
+    Request an Android Key Attestation by calling "keyStore.getCertificateChain(myKeyUUID)") providing |clientDataHash| as the
     challenge value (e.g., by using <a
     href="https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder.html#setAttestationChallenge(byte%5B%5D)">
-    setAttestationChallenge</a>), and set the attestation statement to the returned value.
+    setAttestationChallenge</a>). Set x5c to the returned value.
+
+    The authenticator produces |sig| by concatenating |authenticatorData| and |clientDataHash|,
+    and signing the result using the credential private key. It sets |alg| to the algorithm of the signature format.
+
 
 : Verification procedure
 :: Verification is performed as follows:
@@ -3183,7 +3190,7 @@ IANA "WebAuthn Attestation Statement Format Identifier" registry established by
 - Specification Document: Section [[#tpm-attestation]] of this specification
     <br/><br/>
 - WebAuthn Attestation Statement Format Identifier: android-key
-- Description: Platform-provided authenticators based on Android versions "N", and later, may provide this proprietary "hardware
+- Description: Platform-provided authenticators based on versions "N", and later, may provide this proprietary "hardware
     attestation" statement.
 - Specification Document: Section [[#android-key-attestation]] of this specification
     <br/><br/>