
Incorrect encoding of clientChallenge in FCL_Webauthn.sol #11

Closed
evmBrahmin opened this issue Sep 20, 2023 · 1 comment

Comments

@evmBrahmin
Contributor

Description:

Issue:

In the FCL_Webauthn.sol contract, the WebAuthn_format function currently encodes the provided clientChallenge using Base64. However, according to the updated WebAuthn specification, the challenge within the clientData should be base64url encoded. This discrepancy can lead to a mismatch when comparing the hash of the two, especially if the challenge contains URL-safe characters.

Reference:

In the WebAuthn Level 1 specification:

  • Under section 5.10: Supporting Data Structures, specifically 5.10.1 "Client Data Used in WebAuthn Signatures", the challenge is defined as:

    "challenge, of type DOMString
    This member contains the base64url encoding of the challenge provided by the Relying Party. See the §13.1 Cryptographic Challenges security consideration."

  • Additionally, in Section 3: Dependencies, Base64url encoding is specified as:

    "The term Base64url Encoding refers to the base64 encoding using the URL- and filename-safe character set defined in Section 5 of [RFC4648], with all trailing '=' characters omitted (as permitted by Section 3.2) and without the inclusion of any line breaks, whitespace, or other additional characters."

Potential Solution:

The encoding method used for clientChallenge in the WebAuthn_format function should be updated to use base64url without trailing = characters instead of plain base64. This would ensure that the resulting hashes are equivalent given the clientChallenge contains URL-safe characters and follows the specification precisely.
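The following is an added Python example (not code from the FCL repository, and not the Solidity in FCL_Webauthn.sol) that reproduces the mismatch the issue describes and the verifier-side check it affects. It constructs a clientDataJSON the way a client would for a get() ceremony, with the challenge as RFC 4648 base64url without padding, then compares the bytes at the challenge offset against the relying party's own encoding of the challenge. The challenge bytes, the origin and the JSON field layout are constructed for the example; the 0xfb 0xff 0xbf prefix is chosen because standard base64 turns it into '+' and '/', and the 5-byte length forces a trailing '='.

```python
import base64
import hashlib
import json

# Constructed challenge: first bytes yield '+' and '/' in standard base64,
# and 5 bytes of input force a trailing '=' in the padded form.
CHALLENGE = bytes([0xfb, 0xff, 0xbf, 0x00, 0x01])
# Constructed challenge whose encoding is identical in both alphabets and
# needs no padding, so a base64 comparison would pass by accident.
SAFE_CHALLENGE = bytes([0x00, 0x01, 0x02])
ORIGIN = "https://example.test"  # placeholder origin, not a real RP


def base64url_nopad(data: bytes) -> str:
    """RFC 4648 section 5 alphabet, trailing '=' omitted (WebAuthn Section 3)."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def base64_standard(data: bytes) -> str:
    """Plain RFC 4648 section 4 base64, the encoding the issue reports as incorrect."""
    return base64.b64encode(data).decode("ascii")


def client_client_data_json(challenge: bytes) -> bytes:
    """Serialize clientData as the client does: challenge is base64url without '='.
    Field order and crossOrigin member are constructed for this example."""
    doc = {
        "type": "webauthn.get",
        "challenge": base64url_nopad(challenge),
        "origin": ORIGIN,
        "crossOrigin": False,
    }
    return json.dumps(doc, separators=(",", ":")).encode("utf-8")


def challenge_offset(client_data: bytes) -> int:
    """Byte offset of the challenge value inside clientDataJSON (the offset a
    verifier such as WebAuthn_format is handed alongside clientData)."""
    marker = b'"challenge":"'
    return client_data.index(marker) + len(marker)


def challenge_matches(client_data: bytes, offset: int, challenge: bytes, encoder) -> bool:
    """Verifier-side check: encode the RP's challenge with `encoder` and compare
    it byte-for-byte with clientData at `offset`."""
    expected = encoder(challenge).encode("ascii")
    return client_data[offset:offset + len(expected)] == expected


def client_data_hash(client_data: bytes) -> bytes:
    """SHA-256 of clientDataJSON, the value the authenticator signs over."""
    return hashlib.sha256(client_data).digest()


def compare_encodings(challenge: bytes) -> dict:
    """Run both encoders against a client-produced clientData for `challenge`."""
    cd = client_client_data_json(challenge)
    off = challenge_offset(cd)
    return {
        "standard": base64_standard(challenge),
        "url": base64url_nopad(challenge),
        "matches_with_standard": challenge_matches(cd, off, challenge, base64_standard),
        "matches_with_url": challenge_matches(cd, off, challenge, base64url_nopad),
        "client_data_hash": client_data_hash(cd).hex(),
    }


if __name__ == "__main__":
    for name, ch in (("url-unsafe", CHALLENGE), ("url-safe", SAFE_CHALLENGE)):
        print(name, compare_encodings(ch))
```

Running it shows why the bug is easy to miss: for SAFE_CHALLENGE both encoders produce "AAEC" and the standard-base64 comparison passes, while for CHALLENGE the verifier expects "+/+/AAE=" but clientData carries "-_-_AAE", so a correct assertion fails on the verifier side even though the authenticator signed a valid clientDataHash. A test suite for a WebAuthn verifier should therefore include challenges that hit the 62/63 alphabet positions and every padding length.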

rdubois-crypto added a commit that referenced this issue Sep 21, 2023
Fix Issue #11: Replace Base64 encoding with Base64url encoding in WebAuthn_format
@rdubois-crypto
Owner

Related PR merged.
