In section 8.5 (https://www.w3.org/TR/webauthn/#android-safetynet-attestation) there are validation instructions for the Android SafetyNet Attestation Statement Format.
One of these states:
"Verify that the nonce in the response is identical to the concatenation of authenticatorData and clientDataHash."
This is actually wrong. The nonce actually seems to be: b64encode(sha256(authenticatorData + clientDataHash));
Please confirm with the Google team first, but that seems to be the needed check to me.
https://w3c.github.io/webauthn/#android-safetynet-attestation
Verify that the nonce in the response is identical to the SHA-256 hash of the concatenation of authenticatorData and clientDataHash.
@sbweeden In future please submit issues against the Editorial Draft that is located here: https://w3c.github.io/webauthn/
Proposing closing this with "non-issue"
I'll concede fair point on the location of the document to review. I won't quite concede on the "non-issue" statement.
The output of a sha256 operation is a byte array. The nonce in the jws payload of the response is a base64 encoded representation of this.
Commit f25529d: Clarify that SafetyNet response uses base64url. Fixes w3c#1018.
We can indeed clarify that the JWS nonce field is base64 encoded. See #1021
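The check the thread converges on, as an added example (not code from the WebAuthn spec or from any commenter): the relying party computes SHA-256 over authenticatorData || clientDataHash, decodes the nonce string from the JWS payload, and compares the raw digest bytes. Decoding the nonce and comparing bytes rather than comparing strings means the check does not depend on whether the responder used the standard or the URL-safe base64 alphabet, or on padding, which is the ambiguity the linked commit resolves. The authenticatorData, clientDataJSON and JWS below are constructed sample values; only the nonce step of section 8.5 is shown here, and the JWS signature and certificate checks from that section are not performed.

```python
import base64
import hashlib
import hmac
import json


def b64decode_any(s: str) -> bytes:
    """Decode base64 in either alphabet, with or without '=' padding.

    The alphabet is normalised to the standard one and then decoded
    strictly, so any character outside base64 raises ValueError.
    """
    s = s.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)


def expected_nonce(authenticator_data: bytes, client_data_hash: bytes) -> str:
    """Nonce the RP expects: base64(sha256(authenticatorData || clientDataHash))."""
    digest = hashlib.sha256(authenticator_data + client_data_hash).digest()
    return base64.b64encode(digest).decode("ascii")


def jws_payload(jws: str) -> dict:
    """Extract the JSON payload of a compact JWS (header.payload.signature).

    Signature and x5c chain verification belong to the other steps of
    section 8.5 and are deliberately not done here.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64decode_any(parts[1]))


def nonce_matches(jws: str, authenticator_data: bytes, client_data_hash: bytes) -> bool:
    """True iff the payload nonce decodes to sha256(authenticatorData || clientDataHash)."""
    nonce = jws_payload(jws).get("nonce")
    if not isinstance(nonce, str):
        return False
    try:
        got = b64decode_any(nonce)
    except ValueError:
        return False
    want = hashlib.sha256(authenticator_data + client_data_hash).digest()
    # constant-time comparison; a length mismatch returns False immediately
    return hmac.compare_digest(got, want)


# --- constructed sample data (not real SafetyNet output) -------------------

def _b64url_nopad(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


# authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4)
AUTH_DATA = hashlib.sha256(b"rp.example.test").digest() + b"\x41" + (1).to_bytes(4, "big")
CLIENT_DATA_HASH = hashlib.sha256(
    b'{"type":"webauthn.create","challenge":"constructed","origin":"https://rp.example.test"}'
).digest()


def make_sample_jws(nonce: str) -> str:
    """Build a compact JWS with a placeholder header and signature around the given nonce."""
    header = _b64url_nopad(json.dumps({"alg": "RS256", "x5c": ["PLACEHOLDER-CERT"]}).encode())
    payload = _b64url_nopad(json.dumps({
        "nonce": nonce,
        "timestampMs": 0,
        "ctsProfileMatch": True,
        "basicIntegrity": True,
    }).encode())
    return f"{header}.{payload}.{_b64url_nopad(b'PLACEHOLDER-SIGNATURE')}"


if __name__ == "__main__":
    good = make_sample_jws(expected_nonce(AUTH_DATA, CLIENT_DATA_HASH))
    print("correct nonce accepted:", nonce_matches(good, AUTH_DATA, CLIENT_DATA_HASH))
    # the TR wording taken literally: nonce = the concatenation itself, no hash
    literal = make_sample_jws(base64.b64encode(AUTH_DATA + CLIENT_DATA_HASH).decode())
    print("unhashed concatenation accepted:", nonce_matches(literal, AUTH_DATA, CLIENT_DATA_HASH))
```

Running the block prints `True` for the hashed nonce and `False` for a nonce that is the bare concatenation, which is the distinction the issue raises; a response whose nonce was produced with the URL-safe alphabet is accepted as well, since the comparison is on decoded bytes.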