WebAuthn/FIDO2: Verifying U2F Attestation

Ackermann Yuriy
Aug 3, 2018 · 2 min read

Please note that this is an advance post, and requires prior understanding of the FIDO2 attestations. You can read more about them here.


Some of those who have done work with U2F before are confused by FIDO2 U2F attestations. Previously U2F attestations were raw buffer, and now it is fancy CBOR structs. How does one verify these attestations, you might ask?

Before we start, we need to look at original U2F attestations:

Source: https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html

And now lets look at what you get from WebAuthn:

This is happening, because in FIDO2 we introduced CTAP1(U2F) to CTAP2 mapping. Here is a diagram of the process taken from CTAP2 specification:

Source: https://fidoalliance.org/specs/fido-v2.0-id-20180227/img/u2fcompat-makecredential.svg

So in order to verify signature we need to reconstruct the original signatureBase buffer. To do that we need:

  • application parameter — rpIdHash
  • challenge parameter — clientDataHash
  • keyHandle — credId
  • publicKey — a 65 byte ANSI encoded P256 public key

To get rpIdHash, credId and publicKey we need to parse authData as we’ve talked about it in my “Verifying FIDO2 responses” blog. The only problem we have is that in FIDO2 we are working with COSE public keys, where in U2F they are ANSI encode. So to re-encode key, we need to extract x and y coefficients from COSE key and merge them together, prepending 0x04.

With that resolved, we can merge ReserveByte, RPIDHash, ClientDataHash, CredId and PublicKey into signature base. Then we can PEM encode certificate in x5c array, or extract the public key, and use it to verify the signature:

If you are planing to support metadata service, then you can find attestationCertificateKeyIdentifier by calculating the SHA1 of the subjectKey structure as described in method 1 of the section 4.2.1.2 of the RFC5280.

If you like this post, you should read my horror story on verifying TPM2.0 attestation.

License

This article is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0). So you are free to read, share, etc. If you are interested in commercial use of this article, or wish to translate it to a different language, please contact ackermann(dot)yuriy(at)gmail(dot)com.

The code samples are licensed under MIT license.

Ackermann Yuriy

Written by

FIDO, Identity, Standards

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade