PassKeys PublicKey

Hi, I've been looking at the Shiny PassKey example App.

There are the following lines:

// The attestationObject contains the user's new public key to store and use for subsequent sign-ins.
   let attestationObject = credentialRegistration.rawAttestationObject

The attestationObject is raw bytes and certainly doesn't look big enough to contain a public key. I was expecting to see a public key, can anyone confirm if a public key is accessible?

The help also says:

This object contains the public key. If you request it, it also contains the attestation statement.

This statement too, seems slightly wrong, it's an attestation from the get go

The help links off to this site: https://www.w3.org/TR/webauthn-2/#attestation-object

Can anyone shed any light on this, it's quite confusing

ah, reading the docs more, the key could be a cose key - but still, not sure how to extract it from the bytes

The spec uses some confusing terminology here. "Attestation" is a heavily overloaded term that can refer to three things: an "attestation" in the generic cryptography sense, an "attestation object", or an "attestation statement". When speaking, people often refer to all three simply as "attestation", further confusing the matter, but our documentation tries to be precise.

  • An attestation in cryptography is a generic term where one party "attests" to some statement cryptographically to another party.
  • In WebAuthn, an attestation object is the object you linked to in the spec. The attestation object is the WebAuthn-defined container object which holds the attested credential data. The attested credential data contains the public key.
  • In WebAuthn, an attestation statement is an optional field within the attestation object. The attestation statement, if present, attests to specific properties of the authenticator performing the attestation. Passkeys on Apple platforms don't provide an attestation statement, as that part of the spec wasn't designed with syncing credentials in mind and doesn't provide a meaningful way to attest to security properties when credentials can sync to new devices.

So to summarize: when registering a WebAuthn credential (such as a passkey) an attestation is performed. The result of an attestation in WebAuthn is an attestation object. The attestation object contains the public key, and may or may not also contain an attestation statement.

Thanks for that, just adding for future reference, it looks like the attestation object is in CBOR format.

How do you get the details out of the CBOR-formatted data?

You can decode the CBOR parts using https://cbor.me (after getting the data as hex bytes).

You can find the mappings for the public key data (which is COSE_Key-encoded) here: https://datatracker.ietf.org/doc/html/rfc8152. Or if you're lucky, your data matches up closely with one of the examples from https://www.w3.org/TR/webauthn/#sctn-encoded-credPubKey-examples.

(apologies for the delayed reply, just hoping this helps the next person who comes looking)

PassKeys PublicKey
 
 
Q