Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Assertion signatures: raw or ASN.1 wrapped? #1829

Closed
dagnelies opened this issue Nov 23, 2022 · 3 comments
Closed

Assertion signatures: raw or ASN.1 wrapped? #1829

dagnelies opened this issue Nov 23, 2022 · 3 comments
Assignees
@MasterKale
Labels
type:editorial
Milestone
L3-WD-01

Comments

@dagnelies
Copy link

Currently, according to the specs https://w3c.github.io/webauthn/#sctn-signature-attestation-types , some authentication signatures are provided "raw" while others are "ASN.1" wrapped. This caused some difficulties, for example https://gist.github.com/philholden/50120652bfe0498958fd5926694ba354 because it is both unexpected and rather hidden in the specs.

6.5.6. Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures

[...] For COSEAlgorithmIdentifier -7 (ES256) [...] the sig value MUST be encoded as an ASN.1 [...]
[...] For COSEAlgorithmIdentifier -257 (RS256) [...] The signature is not ASN.1 wrapped.
[...] For COSEAlgorithmIdentifier -37 (PS256) [...] The signature is not ASN.1 wrapped.

Moreover, what about the -8 algo that is also recommended? Is it provided ASN.1 wrapped or Raw?

Ideally, this information should also be cross referenced in some other sections, since it is critical for a proper verification of the signature. For example, either of https://w3c.github.io/webauthn/#sctn-op-get-assertion or https://w3c.github.io/webauthn/#sctn-verifying-assertion

Thanks
@dagnelies dagnelies changed the title Assertion signatures: raw or ASN.1 encoded? Assertion signatures: raw or ASN.1 wrapped? Nov 23, 2022
@MasterKale
Copy link
Contributor

For what it's worth I just finished a big refactor of my SimpleWebAuthn library to use the WebCrypto JS API for signature verification. Testing against FIDO Conformance and the test cases that I'd accumulated using real responses, it was always responses with public keys with kty: 2 (EC2) that required the unwrapping of the raw signature bytes from an ASN.1 structure. Public keys that mapped to kty: 1 (OKP, almost always with alg -8 [Ed25519]) and kty: 3 required no such manipulation. For kty: 2 the unwrapping has needed to occur regardless of the key's alg.

@nadalin nadalin added this to the L3-WD-01 milestone Nov 30, 2022
@ve7jtb
Copy link
Contributor

ve7jtb commented Jan 11, 2023

ES256 is inherited from U2F for backward compatibility. We can't change the wrapping for that alg.
It is already noted in the spec.

@nicksteele nicksteele assigned MasterKale and unassigned agl Jan 11, 2023
@MasterKale
Copy link
Contributor

Turns out the ASN.1 wrapping for ECDSA signatures is for historical U2F reasons. The spec calls this out as such:

Note: As CTAP1/U2F authenticators are already producing signatures values in this format, CTAP2 authenticators will also produce signatures values in the same format, for consistency reasons.

Given this context, there's not really anything to be done here without risking breaking compatibility with U2F authenticators.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@MasterKale MasterKale

Labels
type:editorial
Projects
None yet
Milestone
L3-WD-01
Development

No branches or pull requests
5 participants
@agl @ve7jtb @MasterKale @dagnelies @nadalin