add additional data to challenge #99

Closed
lfern opened this issue Feb 17, 2022 · 1 comment

lfern commented Feb 17, 2022

I am making tests adding additional information to the challenge field in the generate_challenge_authenticate_inner method. I would like to confirm a specific transaction, and it seems my key is signing this new challenge successfully. But, do you think it is a good idea to do it this way, or is there another way to add custom data so the user key adds this data to create the signature? Thanks!

```rust
// ...
fn generate_challenge_authenticate_inner(
    &self,
    creds: Vec<Credential>,
    policy: UserVerificationPolicy,
    extensions: Option<RequestAuthenticationExtensions>,
) -> Result<(RequestChallengeResponse, AuthenticationState), WebauthnError>
where
    T: WebauthnConfig,
{
    let chal = self.generate_challenge();
    // add
    let new_chal = NewChallenge {
        original_challenge: chal.clone().into(),
        custom_data: "custom data to sign".to_string(),
    };

    let new_chal2 = serde_json::to_string(&new_chal).unwrap();
    let chal = Challenge::new(new_chal2.as_bytes().to_vec());

    // ...
```

@Firstyear
Member

This is discussed at length in these issues:

w3c/webauthn#1595
w3c/webauthn#1608

The request was declined for various reasons. It was then brought up in w3c/webcrypto#263 and it's likely that won't gain much traction either.

So I would be extremely hesitant to add this to this library without really good justification and extensive safety barriers.

You could find a way to adapt something like https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-hmac-secret-extension to assist with this using the hmac secret as an hmac key or similar. We'd need the hmac extension added to this library for the communication though.
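
If custom data is carried in the challenge as in the question, a successful signature is not enough on its own: the relying party has to rebuild the expected bytes from its own stored state and compare them with the challenge echoed in clientDataJSON, rather than trusting data sent back by the client. The following std-only example of that check is added here and is not code from webauthn-rs or from either commenter; the byte layout and the names `build_challenge`, `check_challenge` and `BindError` are assumptions.

```rust
#[derive(Debug, PartialEq)]
pub enum BindError {
    Malformed,
    NonceMismatch,
    DataMismatch,
}

/// Hypothetical layout (not webauthn-rs API): nonce (32 bytes) || u32 big-endian
/// length || transaction bytes. The length prefix keeps the boundary unambiguous.
pub fn build_challenge(nonce: &[u8; 32], tx: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(36 + tx.len());
    out.extend_from_slice(nonce);
    out.extend_from_slice(&(tx.len() as u32).to_be_bytes());
    out.extend_from_slice(tx);
    out
}

/// Byte comparison with no early exit on the first difference.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Check the challenge echoed in clientDataJSON (already base64url-decoded)
/// against the nonce and transaction held in server-side state.
pub fn check_challenge(returned: &[u8], nonce: &[u8; 32], expected_tx: &[u8]) -> Result<(), BindError> {
    if returned.len() < 36 {
        return Err(BindError::Malformed);
    }
    let (got_nonce, rest) = returned.split_at(32);
    let (len_bytes, got_tx) = rest.split_at(4);
    let declared = u32::from_be_bytes([len_bytes[0], len_bytes[1], len_bytes[2], len_bytes[3]]) as usize;
    if declared != got_tx.len() {
        return Err(BindError::Malformed);
    }
    if !ct_eq(got_nonce, nonce) {
        return Err(BindError::NonceMismatch);
    }
    if !ct_eq(got_tx, expected_tx) {
        return Err(BindError::DataMismatch);
    }
    Ok(())
}

fn main() {
    let nonce = [7u8; 32]; // constructed sample; a real nonce comes from a CSPRNG
    let chal = build_challenge(&nonce, b"pay 10 EUR to alice");
    println!("{:?}", check_challenge(&chal, &nonce, b"pay 10 EUR to alice"));
    println!("{:?}", check_challenge(&chal, &nonce, b"pay 99 EUR to mallory"));
}
```
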
