
Fix Issue #11: Replace Base64 encoding with Base64url encoding in WebAuthn_format #12

Merged (1 commit), Sep 21, 2023

Conversation

evmBrahmin (Contributor):

Summary

Detailed Changes

FCL_Webauthn.sol:

  • Transitioned to base64url encoding to ensure compatibility and correctness in encoding.
  • Encoding omits trailing '=' signs

Test File: FCL_Webauthn_Base64Url.t.sol

  • Uses mock data to simulate the WebAuthn Authentication API call and validate the new encoding logic.
    Mock Data:
    response:
      authenticatorData: "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MFAAAAAA"
      clientDataJSON: "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoibkNMX1h5SHd1QnNSUG1QMzIyMnBULTN2RWJJUm0wQ0l1SlprLTVvOHRsZyIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6MzAwMCIsImNyb3NzT3JpZ2luIjpmYWxzZX0"
      signature: "MEUCIECRE8S97mXV1Dwqqp3uF_CW3c6XvQMQrkrgjnx1lVnLAiEA00ucboY5T_qXn5MJdpYyzvid-8MROOS9-Q3QRPvqsl4"
      userHandle: "cUtqZTRBNGk0TTdDTFBGTVE4UFVOam5PU3RsRUlMdDRyOWpMdG00amtDRT0"

  • Explanation of Mock Data Derivation:
    • The response object is provided directly from the WebAuthn Authentication API call and provides several fields.
    • The authenticatorDataMock is the hex representation of bytes obtained by Base64URL decoding the authenticatorData from the above response.
    • The clientDataMock is derived from the clientDataJSON in the response, after Base64URL decoding and converting to hex representation of the decoded bytes.
    • The challengeMock represents bytes from Base64URL decoding the clientDataJSON.
    • The rsMock contains the r and s values of the signature. It's important to note that the provided signature in the response object is the Base64URL encoding of the DER encoding of the signature.
    • The QMock contains the x and y values of the public key, which is generated during the registration process.
  • Functions in the Test:
    • test_base64URL_format: Tests the new format and provides logs to illustrate the encoding.
    • test_webauthn_Base64URL_checkSignature: Validates the signature with the new encoding.
    • test_webauthn_format_details: Provides logs to understand the encoding process in detail.

Request:

Kindly review the modifications and the accompanying tests to validate their efficacy.
A thorough security audit is recommended before integrating these changes into a production environment.

rdubois-crypto (Owner):

Thanks for this perfectly documented correction.

Concerning the (necessary) audit, it will come for production ready code which is not the case yet.

rdubois-crypto merged commit 5d1b420 into rdubois-crypto:master Sep 21, 2023