mylofi/webauthn-local-client

investigate potential signature parsing bug

Open

#15 opened on Oct 11, 2024

View on GitHub
 (0 comments) (0 reactions) (1 assignee)JavaScript (9 forks)github user discovery
help wantedquestion

Repository metrics

Stars
 (179 stars)
PR merge metrics
 (PR metrics pending)

Description

Reference: https://gist.github.com/philholden/50120652bfe0498958fd5926694ba354#gistcomment-5229287

Claim is, some signatures may parse/verify incorrectly because of missing 2s-complement math on the parsed integers.

Apparent signature example:

const c = {
  id: 'dcYrMAXFosJ2vNyjsjlCKjL_lSk',
  rawId: 'dcYrMAXFosJ2vNyjsjlCKjL_lSk',
  response: {
    authenticatorData: 'SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MdAAAAAA',
    clientDataJSON: 'eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiUWwzVzJuVkxWTlFNNEd3VFJ0U084QSIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MCJ9',
    signature: 'MEMCHwZ-ACr2CSpvtWwBE8nMdO_rvK5iV-VCWx0R9QGX3TICIFRXY-hO2J4w52BsIZ0aJKROxyOICPitFP8IgxuAvoYm',
    userHandle: 'ZBSnLGMxtip1ZNiryx-I0Q',
  },
  authenticatorAttachment: 'platform',
  clientExtensionResults: {},
  type: 'public-key',
}
// note plain Base64 encoding
const pk = 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJX4iup4PhjtjZYjAo44MYoG879m4+foQSsGMv/qqavFPusUdOilEXVWyFlaJQ6Cd0znXdZoXDrCdBkOHmZE/6A=='

The code that might be affected:

function parseSignature(algoCOSE,signature) {
	if (isPublicKeyAlgorithm("ES256",algoCOSE)) {
		// this algorithm's signature comes back ASN.1 encoded, per spec:
		//   https://www.w3.org/TR/webauthn-2/#sctn-signature-attestation-types
		let der = ASN1.parseVerbose(signature);
		return new Uint8Array([ ...der.children[0].value, ...der.children[1].value, ]);
	}
	// also per spec, other signature algorithms SHOULD NOT come back
	// in ASN.1, so for those, we just pass through without any parsing
	return signature;
}

Contributor guide