
Commit eadf081

refactor: rebase
1 parent 3e8b028 commit eadf081


1 file changed

+8
-5
lines changed

1 file changed

+8
-5
lines changed

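--- a/protocol/attestation_androidkey.go
+++ b/protocol/attestation_androidkey.go
@@ -2,6 +2,7 @@ package protocol
 
 import (
 "bytes"
+"context"
 "crypto/x509"
 "encoding/asn1"
 "fmt"
@@ -29,7 +30,7 @@ func init() {
 // }
 //
 // Specification: §8.4. Android Key Attestation Statement Format (https://www.w3.org/TR/webauthn/#sctn-android-key-attestation)
-func verifyAndroidKeyFormat(att AttestationObject, clientDataHash []byte, _ metadata.Provider) (attestationType string, x5cs []any, err error) {
+func verifyAndroidKeyFormat(att AttestationObject, clientDataHash []byte, mds metadata.Provider) (attestationType string, x5cs []any, err error) {
 // Given the verification procedure inputs attStmt, authenticatorData and clientDataHash, the verification procedure is as follows:
 // §8.4.1. Verify that attStmt is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract
 // the contained fields.
@@ -66,12 +67,14 @@ func verifyAndroidKeyFormat(att AttestationObject, clientDataHash []byte, _ meta
 return "", nil, ErrAttestationFormat.WithDetails(fmt.Sprintf("Error parsing certificate from ASN.1 data: %+v", err)).WithError(err)
 }
 
-signatureData := append(att.RawAuthData, clientDataHash...) //nolint:gocritic // This is intentional.
-
-if _, err = attCert.Verify(x509.VerifyOptions{Roots: attAndroidKeyHardwareRootsCertPool}); err != nil {
-return "", nil, ErrInvalidAttestation.WithDetails(fmt.Sprintf("Signature validation error: %+v\n", err)).WithError(err)
+if mds != nil && mds.GetValidateTrustAnchor(context.Background()) {
+if _, err = attCert.Verify(x509.VerifyOptions{Roots: attAndroidKeyHardwareRootsCertPool}); err != nil {
+return "", nil, ErrInvalidAttestation.WithDetails(fmt.Sprintf("Signature validation error: %+v\n", err)).WithError(err)
+}
 }
 
+signatureData := append(att.RawAuthData, clientDataHash...) //nolint:gocritic // This is intentional.
+
 coseAlg := webauthncose.COSEAlgorithmIdentifier(alg)
 if err = attCert.CheckSignature(webauthncose.SigAlgFromCOSEAlg(coseAlg), signatureData, sig); err != nil {
 return "", nil, ErrInvalidAttestation.WithDetails(fmt.Sprintf("Signature validation error: %+v\n", err)).WithError(err)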
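Review bot: With the new guard at the top of the third hunk, a nil `mds` (or a provider whose `GetValidateTrustAnchor` returns false) skips `attCert.Verify` against `attAndroidKeyHardwareRootsCertPool` entirely, so the attestation certificate is no longer anchored to the Android hardware roots by default where the old code always checked it; if that is the intended contract (trust-path validation deferred to the caller via the returned x5cs), it deserves a comment, since the commit message "refactor: rebase" does not record the behaviour change. Suggested comment above the guard: `// Chain validation against the Android hardware roots only runs when the metadata provider asks for it; otherwise the caller is expected to validate the returned x5c trust path.` The `context.Background()` call also means this verification cannot be cancelled or deadlined by the caller — presumably the signature cannot take a ctx here, but worth confirming. The detail string `Signature validation error` on the moved Verify branch describes a chain-of-trust failure rather than a signature failure, so a distinct message would make triage of rejected attestations easier. verifyAndroidKeyFormat continues past the end of the hunk.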
