WebAuthn getPublicKey() works for ES256 keys but not for RS256 keys
Categories
(Core :: DOM: Web Authentication, defect, P1)
People
(Reporter: arnaud.dagnelies, Assigned: jschanck)
I can confirm that getPublicKey() works on FF nightly, as implemented in https://bugzilla.mozilla.org/show_bug.cgi?id=1816520
However, this only works for ES256 keys and fails with RS256 keys. In the latter case, an empty string is returned by getPublicKey(). This impacts for example Win 11 Enterprise which uses RS256 keys (but not Win 11 Pro/Home which works just fine using ES256 keys!)
This is likely related to the different handling of both key types. Citing the "incredible" specs:
https://w3c.github.io/webauthn/#sctn-signature-attestation-types
6.5.6. Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures
[...] For COSEAlgorithmIdentifier -7 (ES256) [...] the sig value MUST be encoded as an ASN.1 [...]
[...] For COSEAlgorithmIdentifier -257 (RS256) [...] The signature is not ASN.1 wrapped.
[...] For COSEAlgorithmIdentifier -37 (PS256) [...] The signature is not ASN.1 wrapped.
Dunno if it's useful to you, but here is also a page where you can test it out: https://webauthn.passwordless.id/demos/playground.html
Comment 1 (Reporter) • 1 year ago
PS: I might also be completely wrong regarding the last paragraph. After all, the key and the signature are unrelated. I just noticed this discrepancy.
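For relying-party code that hits the case reported above, where getPublicKey() yields nothing for an RS256 credential, the COSE key can still be read from the authenticator data. This is an added example, not part of the bug report or Firefox's code; `readCbor`, `coseKeyFromAuthData` and `credentialKey` are hypothetical helper names, and the CBOR reader covers only the types a COSE_Key uses.

```javascript
// Added example (not Firefox code). Reads the subset of CBOR a COSE_Key uses:
// unsigned/negative integers, byte strings and definite-length maps.
function readCbor(buf, pos) {
  if (pos >= buf.length) throw new Error("truncated CBOR");
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  pos += 1;
  let val = info;
  if (info >= 24 && info <= 26) {            // value follows in 1, 2 or 4 bytes
    const n = 1 << (info - 24);
    if (pos + n > buf.length) throw new Error("truncated CBOR");
    val = 0;
    for (let i = 0; i < n; i++) val = val * 256 + buf[pos + i];
    pos += n;
  } else if (info > 26) {
    throw new Error("unsupported CBOR length encoding");
  }
  if (major === 0) return [val, pos];
  if (major === 1) return [-1 - val, pos];
  if (major === 2) {
    if (pos + val > buf.length) throw new Error("truncated CBOR");
    return [buf.subarray(pos, pos + val), pos + val];
  }
  if (major !== 5) throw new Error("unsupported CBOR major type " + major);
  const map = new Map();
  for (let i = 0; i < val; i++) {
    let k, v;
    [k, pos] = readCbor(buf, pos);
    [v, pos] = readCbor(buf, pos);
    map.set(k, v);
  }
  return [map, pos];
}

// authData: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) |
// credIdLen(2) | credId | credentialPublicKey (COSE_Key, CBOR map)
function coseKeyFromAuthData(authData) {
  const buf = new Uint8Array(authData);
  if (buf.length < 55 || !(buf[32] & 0x40)) throw new Error("no attested credential data");
  const [key] = readCbor(buf, 55 + ((buf[53] << 8) | buf[54]));
  if (!(key instanceof Map)) throw new Error("credentialPublicKey is not a CBOR map");
  return { kty: key.get(1), alg: key.get(3), params: key };
}

// Hypothetical helper: prefer getPublicKey(), fall back when it yields nothing.
function credentialKey(response) {
  const spki = response.getPublicKey();
  if (spki && spki.byteLength > 0) return { source: "getPublicKey", spki };
  return { source: "authData", ...coseKeyFromAuthData(response.getAuthenticatorData()) };
}
```

For an RS256 credential the returned `params` map holds the modulus under key -1 and the exponent under key -2, with `kty` 3 and `alg` -257.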
Comment 2 (Assignee) • 1 year ago
Thanks, we're aware of this and have a patch upstream that we will merge before 119 goes to beta.
Comment 3 (Assignee) • 1 year ago
Fixed as part of Bug 1853711.