Determining length of attestedCredentialData when authenticator extensions present. #1012

Closed
futureimperfect opened this issue Jul 25, 2018 · 7 comments · Fixed by #1023

Comments

@futureimperfect
Contributor

futureimperfect commented Jul 25, 2018

Pardon the confusion, but I'm having trouble figuring out how, as a Relying Party, to reliably determine the length of the attestedCredentialData in authenticator data when authenticator extensions are present.

According to the spec, attestedCredentialData's "length depends on the length of the credential ID and credential public key being attested." It also states the following regarding the length of both the attestedCredentialData and extensions:

"Note that the authenticator data describes its own length: If the AT and ED flags are not set, it is always 37 bytes long. The attested credential data (which is only present if the AT flag is set) describes its own length. If the ED flag is set, then the total length is 37 bytes plus the length of the attested credential data, plus the length of the CBOR map that follows."

The credentialPublicKey within attestedCredentialData is also of variable length. In the past, before handling extensions, I just took the rest of the authenticatorData after credentialId, and assumed that was the credentialPublicKey. I've noticed a handful of other implementations making this same assumption. However, if the ED flag is set, how does the Relying Party know the length of the credentialPublicKey? Is the solution just to figure out where the credentialPublicKey CBOR data structure ends? If so, maybe this should be made clear in the spec?

Thanks!

@equalsJeffH
Contributor

@futureimperfect: where you say "However, if the AT flag is set..." do you mean to say "However, if the ED flag is set..." ?

@equalsJeffH
Contributor

> Is the solution just to figure out where the credentialPublicKey CBOR data structure ends?

AFAIK, yes.

> If so, maybe this should be made clear in the spec?

ok, [type:Editorial] label added.

@futureimperfect
Contributor Author

> @futureimperfect: where you say "However, if the AT flag is set..." do you mean to say "However, if the ED flag is set..." ?

Yes, that's correct.

@equalsJeffH
Contributor

ok, thx, i edited the OP to reflect that.

@equalsJeffH
Contributor

see PR #1023

@FrankZhangPA

Hi, I was trying to save the credentialId into the db as a column, so I need to know the max length of the credentialId. Does anyone have an idea about it?

@emlun
Member

emlun commented Sep 23, 2022

@FrankZhangPA L3 will introduce a max length of 1023 bytes (see #1664). There wasn't a length limit in L2, so there could in theory exist authenticators that generate longer credential IDs, but it was judged very unlikely.
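
An added example (not part of the thread or the spec text) of the approach confirmed earlier in this issue: since no length field covers credentialPublicKey, the parser walks one CBOR item to find where the key ends, so an extensions map that follows when ED is set is not mistaken for key bytes. The function names, the nesting limit of 8 and the sample bytes are assumptions constructed for illustration; the 1023-byte credential ID cap is the L3 limit mentioned in the thread.

```python
MAX_CRED_ID_LEN = 1023  # L3 limit cited in this thread; enforcing it here is an assumption

def cbor_item_end(buf: bytes, pos: int, depth: int = 0) -> int:
    """Return the offset just past the definite-length CBOR item at buf[pos]."""
    if pos >= len(buf) or depth > 8:              # depth cap of 8 is an arbitrary choice
        raise ValueError("truncated or too deeply nested CBOR")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    if info > 27:
        raise ValueError("indefinite-length or reserved CBOR head rejected")
    arg, pos = info, pos + 1                      # small argument lives in the head byte
    if info >= 24:                                # otherwise 1, 2, 4 or 8 argument bytes
        size = 1 << (info - 24)
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if major in (2, 3):                           # byte/text string: arg = payload length
        pos += arg
    elif major in (4, 5):                         # array / map: arg = item / pair count
        for _ in range(arg * (2 if major == 5 else 1)):
            pos = cbor_item_end(buf, pos, depth + 1)
    elif major == 6:                              # tag wraps exactly one item
        pos = cbor_item_end(buf, pos, depth + 1)
    if pos > len(buf):                            # majors 0, 1 and 7 are head-only
        raise ValueError("truncated CBOR")
    return pos

def parse_auth_data(auth: bytes) -> dict:
    """Split authenticator data; the key's end is found by CBOR structure alone."""
    if len(auth) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags, pos = auth[32], 37                     # rpIdHash(32) flags(1) signCount(4)
    out = {"flags": flags, "sign_count": int.from_bytes(auth[33:37], "big")}
    if flags & 0x40:                              # AT: attested credential data present
        cred_len = int.from_bytes(auth[pos + 16:pos + 18], "big")
        if cred_len > MAX_CRED_ID_LEN or pos + 18 + cred_len > len(auth):
            raise ValueError("bad or truncated credentialIdLength")
        out["aaguid"], pos = auth[pos:pos + 16], pos + 18
        out["credential_id"], pos = auth[pos:pos + cred_len], pos + cred_len
        key_end = cbor_item_end(auth, pos)        # no stored length: walk the COSE key
        out["credential_public_key"], pos = auth[pos:key_end], key_end
    if flags & 0x80:                              # ED: extensions CBOR map follows
        ext_end = cbor_item_end(auth, pos)
        out["extensions"], pos = auth[pos:ext_end], ext_end
    if pos != len(auth):                          # e.g. extension bytes without ED set
        raise ValueError("unexpected trailing bytes")
    return out

# Constructed sample: flags 0xC5 (UP|UV|AT|ED), 4-byte credential ID, ES256 COSE key, one extension.
SAMPLE_KEY = bytes.fromhex("a5010203262001215820") + b"\x11" * 32 + bytes.fromhex("225820") + b"\x22" * 32
SAMPLE = bytes(32) + b"\xc5" + bytes(4) + bytes(16) + b"\x00\x04abcd" + SAMPLE_KEY + b"\xa1\x6bcredProtect\x02"
```

On the sample, taking "the rest of the buffer" after the credential ID as the key would yield 91 bytes, while the CBOR walk yields the 77-byte key and leaves the 14-byte extensions map intact.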
