Determining length of attestedCredentialData when authenticator extensions present. #1012
Comments
@futureimperfect: where you say "However, if the AT flag is set..." do you mean to say "However, if the ED flag is set..."?
AFAIK, yes.
ok, [type:Editorial] label added.
Yes, that's correct.
ok, thx, I edited the OP to reflect that.
see PR #1023
Hi, I was trying to save the credentialId into the DB as a column, so I need to know the max length of the credentialId. Does anyone have an idea about it?
@FrankZhangPA L3 will introduce a max length of 1023 bytes (see #1664). There wasn't a length limit in L2, so there could in theory exist authenticators that generate longer credential IDs, but it was judged very unlikely.
Pardon the confusion, but I'm having trouble figuring out how, as a Relying Party, to reliably determine the length of the `attestedCredentialData` in authenticator data when authenticator extensions are present.

According to the spec, `attestedCredentialData`'s "length depends on the length of the credential ID and credential public key being attested." It also states the following regarding the length of both the `attestedCredentialData` and `extensions`:

"Note that the authenticator data describes its own length: If the AT and ED flags are not set, it is always 37 bytes long. The attested credential data (which is only present if the AT flag is set) describes its own length. If the ED flag is set, then the total length is 37 bytes plus the length of the attested credential data, plus the length of the CBOR map that follows."

The `credentialPublicKey` within `attestedCredentialData` is also of variable length. In the past, before handling extensions, I just took the rest of the `authenticatorData` after `credentialId`, and assumed that was the `credentialPublicKey`. I've noticed a handful of other implementations making this same assumption. However, if the ED flag is set, how does the Relying Party know the length of the `credentialPublicKey`? Is the solution just to figure out where the `credentialPublicKey` CBOR data structure ends? If so, maybe this should be made clear in the spec?

Thanks!
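An added example, not code from the spec, this issue, or any WebAuthn library: one way for a Relying Party to find where `credentialPublicKey` ends is to walk its CBOR encoding item by item, then treat what follows as the extensions map only if the ED flag is set. The function names and the sample bytes are assumptions constructed for illustration; indefinite-length CBOR is rejected on the assumption that authenticators emit CTAP2 canonical CBOR, which does not allow it.

```python
AT, ED = 0x40, 0x80  # flag bits: attested credential data / extension data

def cbor_end(buf: bytes, pos: int) -> int:
    """Return the offset just past the one definite-length CBOR item at pos."""
    if pos >= len(buf):
        raise ValueError("truncated CBOR item")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info <= 27:
        size = 1 << (info - 24)  # 1, 2, 4 or 8 argument bytes follow
        arg = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("reserved or indefinite-length CBOR encoding")
    if major in (2, 3):  # byte/text string: arg is the payload length
        pos += arg
    # array: arg items; map: arg key/value pairs; tag: one wrapped item
    for _ in range({4: arg, 5: 2 * arg, 6: 1}.get(major, 0)):
        pos = cbor_end(buf, pos)
    if pos > len(buf):
        raise ValueError("truncated CBOR item")
    return pos

def parse_auth_data(auth: bytes) -> dict:
    """Split authenticator data on CBOR item boundaries, not 'rest of buffer'."""
    if len(auth) < 37:
        raise ValueError("authenticator data is at least 37 bytes")
    flags, pos, out = auth[32], 37, {}
    if flags & AT:  # aaguid (16) + credentialIdLength (2) + id + COSE_Key
        key_start = pos + 18 + int.from_bytes(auth[pos + 16:pos + 18], "big")
        key_end = cbor_end(auth, key_start)  # raises if anything is truncated
        out["attested_credential_data"] = auth[pos:key_end]
        out["credential_public_key"] = auth[key_start:key_end]
        pos = key_end
    if flags & ED:  # the extensions are exactly one CBOR map
        ext_end = cbor_end(auth, pos)
        out["extensions"], pos = auth[pos:ext_end], ext_end
    if pos != len(auth):
        raise ValueError("unexpected trailing bytes")
    return out

# Constructed sample (not from the issue): zeroed rpIdHash and AAGUID, 4-byte
# credential ID, EC2 P-256 COSE key with zeroed x/y, {"credProtect": 2} map.
COSE_KEY = bytes.fromhex("a5010203262001215820" + "00" * 32 + "225820" + "00" * 32)
EXT = bytes.fromhex("a16b") + b"credProtect\x02"
SAMPLE = (bytes(32) + bytes([0x01 | AT | ED]) + bytes(4 + 16)
          + b"\x00\x04\x01\x02\x03\x04" + COSE_KEY + EXT)
```

On `SAMPLE`, slicing everything after the credential ID would hand a COSE decoder 91 bytes (key plus extensions) instead of the 77-byte key; the trailing-bytes check also makes the parser fail closed on data that does not match its flags.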