PassKeys PublicKey

Hi, I've been looking at the Shiny PassKey example App.

There are the following lines:

// The attestationObject contains the user's new public key to store and use for subsequent sign-ins.
   let attestationObject = credentialRegistration.rawAttestationObject

The attestationObject is raw bytes and certainly doesn't look big enough to contain a public key. I was expecting to see a public key; can anyone confirm whether a public key is accessible?

The help also says:

This object contains the public key. If you request it, it also contains the attestation statement.

This statement, too, seems slightly wrong; it's an attestation from the get-go.

The help links off to this site: https://www.w3.org/TR/webauthn-2/#attestation-object

Can anyone shed any light on this? It's quite confusing.

Replies

Ah, reading the docs more, the key could be a COSE key, but still, not sure how to extract it from the bytes.

The spec uses some confusing terminology here. "Attestation" is a heavily overloaded term that can refer to three things: an "attestation" in the generic cryptography sense, an "attestation object", or an "attestation statement". When speaking, people often refer to all three simply as "attestation", further confusing the matter, but our documentation tries to be precise.

  • An attestation in cryptography is a generic term where one party "attests" to some statement cryptographically to another party.
  • In WebAuthn, an attestation object is the object you linked to in the spec. The attestation object is the WebAuthn-defined container object which holds the attested credential data. The attested credential data contains the public key.
  • In WebAuthn, an attestation statement is an optional field within the attestation object. The attestation statement, if present, attests to specific properties of the authenticator performing the attestation. Passkeys on Apple platforms don't provide an attestation statement, as that part of the spec wasn't designed with syncing credentials in mind and doesn't provide a meaningful way to attest to security properties when credentials can sync to new devices.

So to summarize: when registering a WebAuthn credential (such as a passkey) an attestation is performed. The result of an attestation in WebAuthn is an attestation object. The attestation object contains the public key, and may or may not also contain an attestation statement.

Thanks for that. Just adding for future reference: it looks like the attestation object is in CBOR format.

How do you get the details out of the CBOR-formatted data?

You can decode the CBOR parts using https://cbor.me (after getting the data as hex bytes).

You can find the mappings for the public key data (which is COSE_Key-encoded) here: https://datatracker.ietf.org/doc/html/rfc8152. Or if you're lucky, your data matches up closely with one of the examples from https://www.w3.org/TR/webauthn/#sctn-encoded-credPubKey-examples.

(apologies for the delayed reply, just hoping this helps the next person who comes looking)

  • While keys can be decoded this way, you almost certainly don't want to handle keys manually. Every algorithm has different information encoded for its keys and needs to be handled separately. I'd strongly recommend finding a well-supported cryptography library to handle keys for you. However, cbor.me is great for debugging! :)
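To make the container structure described in the replies concrete, here is an added example (not code from the Shiny sample app or from Apple's documentation) that walks a constructed attestation object down through authData and the attested credential data to the COSE_Key, and turns it into an uncompressed point a crypto library can load. It is written in Python with no dependencies so it runs anywhere; the sample bytes, AAGUID, credential ID and key coordinates are placeholders, and only EC2/P-256/ES256 keys are handled.

```python
def cbor_decode(buf, pos=0):
    """Minimal CBOR decoder (RFC 8949 subset: ints, byte/text strings, arrays, maps); returns (value, next_pos)."""
    ib = buf[pos]; major, info = ib >> 5, ib & 0x1F; pos += 1
    if info < 24: arg = info
    elif info in (24, 25, 26):                  # 1-, 2- or 4-byte length/value follows
        n = 1 << (info - 24); arg = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    else: raise ValueError("unsupported CBOR additional info %d" % info)
    if major == 0: return arg, pos
    if major == 1: return -1 - arg, pos
    if major == 2: return bytes(buf[pos:pos + arg]), pos + arg
    if major == 3: return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major in (4, 5):
        out = [] if major == 4 else {}
        for _ in range(arg):
            k, pos = cbor_decode(buf, pos)
            if major == 4: out.append(k); continue
            v, pos = cbor_decode(buf, pos); out[k] = v
        return out, pos
    raise ValueError("unsupported CBOR major type %d" % major)

def extract_public_key(attestation_object):
    """attestationObject -> authData -> attested credential data -> COSE_Key (EC2/P-256/ES256 only)."""
    att, _ = cbor_decode(attestation_object)
    auth_data = att["authData"]
    flags, sign_count = auth_data[32], int.from_bytes(auth_data[33:37], "big")   # after 32-byte rpIdHash
    if not flags & 0x40:                            # AT bit: attested credential data present?
        raise ValueError("authData carries no attested credential data")
    aaguid = auth_data[37:53]
    cred_id_len = int.from_bytes(auth_data[53:55], "big")
    cred_id = auth_data[55:55 + cred_id_len]
    cose_key, _ = cbor_decode(auth_data, 55 + cred_id_len)   # COSE_Key map follows the credentialId
    # COSE labels (RFC 8152): 1=kty (2=EC2), 3=alg (-7=ES256), -1=crv (1=P-256), -2=x, -3=y
    if (cose_key.get(1), cose_key.get(3), cose_key.get(-1)) != (2, -7, 1):
        raise ValueError("only EC2/P-256/ES256 keys handled here: %r" % cose_key)
    return {"fmt": att["fmt"], "has_att_stmt": bool(att.get("attStmt")), "sign_count": sign_count,
            "aaguid": aaguid, "credential_id": cred_id,
            "public_key": b"\x04" + cose_key[-2] + cose_key[-3]}   # uncompressed SEC1 point for a crypto library

# Constructed sample, not captured from a real authenticator: fmt "none", empty attStmt,
# authData with UP|UV|AT flags and an ES256 COSE_Key whose x/y are placeholder bytes.
X, Y = bytes(range(1, 33)), bytes(range(33, 65))
COSE_KEY = (b"\xa5\x01\x02\x03\x26\x20\x01"                # {1: 2, 3: -7, -1: 1,
            b"\x21\x58\x20" + X + b"\x22\x58\x20" + Y)     #  -2: x, -3: y}
AUTH_DATA = (bytes(32) + b"\x45" + b"\x00\x00\x00\x01"     # rpIdHash, flags 0x45, signCount 1
             + b"\x11" * 16 + b"\x00\x04" + b"\xde\xad\xbe\xef" + COSE_KEY)  # aaguid, idLen, id, key
ATTESTATION_OBJECT = (b"\xa3\x63fmt\x64none\x67attStmt\xa0\x68authData\x58"
                      + bytes([len(AUTH_DATA)]) + AUTH_DATA)
```

With a real attestationObject from the app, `extract_public_key(bytes(rawAttestationObject))` yields the same dictionary, and the 65-byte `public_key` is what you hand to your cryptography library rather than parsing further by hand.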
