"JSON serialization" in makeCredential probably needs to be defined more clearly #274
Comments
This applies to https://w3c.github.io/webauthn/#getAssertion step 5 as well.
@bzbarsky : might you be able to point to extant specs that address this particular issue and that we can use as example(s) to work from? I've searched whatwg.org and w3.org and do not immediately discern applicable results.
Webcrypto addresses this by explicitly taking an IDL dictionary, converting it to an ES object using https://heycam.github.io/webidl/#dictionary-to-es, then invoking the ES spec's However note that this is one place where the way the TR version does it is wrong and the way the editor's version does it is better; if you're going to copy verbiage here please copy it from their editor's draft.
This is not true. There is no such expectation. Both makeCredential and getAssertion return the actual serialized string clientDataJSON as an ArrayBuffer along with their respective signatures. This should be enough for the RP to check the signature and to verify the contents of the clientData by parsing the stringified JSON. This was done specifically to avoid canonicalization issues like this one.
Including by RPs? How are you going to enforce that? I expect RPs to end up with just such expectations, forcing implementations to de-facto converge on identical serializations... This seems like a poster child for Postel's law, in fact: strictness in what you produce (the serialization) should lead to better interop here than allowing different serializations and hoping no one depends on the serialization details.
https://w3c.github.io/webauthn/#dom-webauthentication-makecredential step 8 says:
where clientDataJSON is defined as:
and clientDataHash is defined as:
Unfortunately, RFC 7159 doesn't define a unique serialization format. For example, the following are all valid JSON serializations of the same data:
This is normally not a problem, because when parsed with a JSON parser they will all produce the same data structure. But here we're hashing the serialization, and the expectation is presumably that the hash is stable for a given ClientData. That means the JSON serialization needs to be specified somewhat more strictly than just "any valid JSON serialization of this data"...