I suggest trying with Xcode 15 Beta 7; it would also be great to see in your screenshot what scheme/target you are trying to build.
Here's what I'm seeing in the simulator: both windows appear to be fully active and interactable at the same time.
This WWDC 2023 session mentions that the format is: MV-HEVC https://developer.apple.com/videos/play/wwdc2023/10071/
If someone knows the userID, what's stopping them from registering with the target's userID... essentially taking over their account?
gosh, ignore me, I found the magic, I had to set: "rpId" in navigator.credentials.get to be the ***** domain
It appears I get conflicting results: if my RP is the ***** domain it works; if I visit my site with a www subdomain, auth fails :-(
aha, Signature is ASN.1, this is now valid:

```python
verified = verifyingKey.verify(decodedSignature, signature_base, hashfunc=hashlib.sha256, sigdecode=sigdecode_der)
```
Update, this is slightly better, at least now I can see there is an issue with the signature, the authenticator is 37 bytes long, which breaks my generated signature:
```text
32 bytes authenticator_data_bytes
32 bytes client_data_hash_bytes
signature = 64 bytes
```
I'm foolishly taking the first 32 bytes of the authenticator...seems very wrong
```python
import hashlib
from hashlib import sha256
import ecdsa
from pycose.keys import CoseKey  # assumed: the from_dict()/.x/.y usage matches pycose's CoseKey

# inputs taken from the client's assertion response (not shown in the post):
# client_data_bytes, authenticator_data_bytes, decodedSignature, key (COSE key dict)

client_data_hash = hashlib.sha256()
client_data_hash.update(client_data_bytes)
client_data_hash_bytes = client_data_hash.digest()
key_from_dict = CoseKey.from_dict(key)
# uncompressed SEC1 point: 0x04 || x || y
publicKeyU2F = b"".join([
    #bytearray.fromhex('3059301306072a8648ce3d020106082a8648ce3d030107034200'),
    (0x04).to_bytes(1, byteorder='big'),
    key_from_dict.x,
    key_from_dict.y
])
print("publicKeyU2F: {0}".format(publicKeyU2F))
# only the first 32 of the 37 authenticator-data bytes go into the base here,
# which is the mistake called out below
signature_base = b"".join(
    [
        authenticator_data_bytes[0:32],
        client_data_hash_bytes,
    ]
)
print("authenticator_data_bytes len: {}".format(len(authenticator_data_bytes)))
print("client_data_hash_bytes len: {}".format(len(client_data_hash_bytes)))
# vk = ecdsa.VerifyingKey.from_string(publicKeyU2F, curve=ecdsa.NIST256p, hashfunc=sha256) # the default is sha1
verifyingKey = ecdsa.VerifyingKey.from_string(publicKeyU2F, curve=ecdsa.NIST256p, hashfunc=sha256)
#verifyingKey = ecdsa.VerifyingKey.from_string(bytes.fromhex(keyasHex), curve=ecdsa.SECP256k1, hashfunc=sha256, valid_encodings=['raw'])
# ecdsa's verify() takes the signature first, then the signed data;
# sigdecode defaults to raw r||s
verified = verifyingKey.verify(decodedSignature, signature_base)
```

Gives a

```text
ecdsa.keys.BadSignatureError: Signature verification failed
```
Thanks, I'm trying to get it working with a very specific use-case to begin with. Reading the spec, it reads like this should work; unfortunately, I always get a bad signature error :-(

```python
import hashlib
from hashlib import sha256
import ecdsa
from ecdsa import BadSignatureError

# inputs taken from the client's credentialAssertion (not shown in the post):
# client_data_bytes, authenticator_data_bytes, decodedSignature, key_from_dict (parsed COSE key)

client_data_hash = hashlib.sha256()
client_data_hash.update(client_data_bytes) #credentialAssertion.rawClientDataJSON
client_data_hash_bytes = client_data_hash.digest()
# uncompressed SEC1 point: 0x04 || x || y
publicKey = b"".join([
    (0x04).to_bytes(1, byteorder='big'),
    key_from_dict.x,
    key_from_dict.y
])
signature_base = b"".join(
    [
        authenticator_data_bytes, #credentialAssertion.rawAuthenticatorData
        client_data_hash_bytes,
    ]
)
# the signature base is hashed here, and verify() below hashes its input again with sha256
signature_base_hash = hashlib.sha256()
signature_base_hash.update(signature_base)
signature_base_hash_bytes = signature_base_hash.digest()
vk = ecdsa.VerifyingKey.from_string(publicKey, curve=ecdsa.NIST256p, hashfunc=sha256) # the default is sha1
sig = decodedSignature #credentialAssertion.signature decoded from base64 to bytes
msg = signature_base_hash_bytes
try:
    vk.verify(sig, msg)  # sigdecode defaults to raw r||s
    print("good signature")
except BadSignatureError:
    print("BAD SIGNATURE")
```
I've found the key in the authData section
hmmm, as noted here: https://developer.apple.com/forums/thread/708982 the engineer states passkeys have no statement...confusing
Thanks for that, just adding for future reference, it looks like the attestation object is in CBOR format.
ah, reading the docs more, the key could be a cose key - but still, not sure how to extract it from the bytes
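One way to get the COSE key out of the attestationObject bytes, as an added example that is not code from this thread: a small hand-written CBOR decoder (enough for the types a "none"-format attestationObject and a COSE EC2 key use) walks attestationObject -> authData -> attested credential data -> COSE key and assembles the 0x04||x||y point the later posts build. The attestationObject, credential id and key coordinates are constructed for the demo (the coordinates are not a real curve point), and the relying-party id example.com is assumed.

```python
"""Added example (not from the thread): pulling the credential public key out of
a WebAuthn attestationObject with a small hand-written CBOR decoder. The
attestationObject, credential id and key coordinates below are constructed for
the demo (the coordinates are not a real curve point); example.com is assumed."""
import hashlib


def cbor_decode(buf, pos=0):
    """Decode one CBOR item at buf[pos]; returns (value, next_pos). Covers the
    types a 'none'-format attestationObject and a COSE EC2 key use:
    unsigned int, negative int, byte string, text string and map."""
    initial = buf[pos]
    pos += 1
    major, info = initial >> 5, initial & 0x1F
    if info < 24:                       # argument held in the initial byte
        arg = info
    elif info == 24:                    # 1-byte argument follows
        arg, pos = buf[pos], pos + 1
    elif info == 25:                    # 2-byte argument follows
        arg, pos = int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    else:
        raise ValueError("CBOR length encoding not handled: %d" % info)
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 3:
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 5:
        items = {}
        for _ in range(arg):
            key, pos = cbor_decode(buf, pos)
            items[key], pos = cbor_decode(buf, pos)
        return items, pos
    raise ValueError("CBOR major type not handled: %d" % major)


def credential_from_attestation(attestation_object, expected_rp_id):
    """attestationObject -> authData -> attested credential data -> COSE key.
    Returns a dict with the credential id and the key as 0x04 || x || y."""
    att, _ = cbor_decode(attestation_object)
    auth_data = att["authData"]
    # authData layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16)
    #                  | credIdLen(2) | credId | credentialPublicKey (CBOR COSE key)
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected relying-party id")
    if not flags & 0x40:                # AT bit: attested credential data present
        raise ValueError("no attested credential data in authData")
    cred_len = int.from_bytes(auth_data[53:55], "big")
    cred_id = auth_data[55:55 + cred_len]
    cose, _ = cbor_decode(auth_data, 55 + cred_len)
    # COSE labels: 1 kty (2 = EC2), 3 alg (-7 = ES256), -1 crv (1 = P-256), -2 x, -3 y
    if (cose.get(1), cose.get(3), cose.get(-1)) != (2, -7, 1):
        raise ValueError("credential key is not an ES256 P-256 key")
    return {
        "fmt": att["fmt"],
        "sign_count": int.from_bytes(auth_data[33:37], "big"),
        "aaguid": auth_data[37:53],
        "credential_id": cred_id,
        "public_key": b"\x04" + cose[-2] + cose[-3],
    }


def build_demo_attestation_object(rp_id="example.com"):
    """Constructed attestationObject {fmt: "none", attStmt: {}, authData: ...};
    a passkey registration carries no attestation statement."""
    x, y = bytes(range(1, 33)), bytes(range(33, 65))     # placeholder coordinates
    cred_id = b"demo-credential-id"
    cose_key = (b"\xa5"                     # map(5)
                + b"\x01\x02"               # 1: 2    kty = EC2
                + b"\x03\x26"               # 3: -7   alg = ES256
                + b"\x20\x01"               # -1: 1   crv = P-256
                + b"\x21\x58\x20" + x       # -2: bstr(32) x
                + b"\x22\x58\x20" + y)      # -3: bstr(32) y
    auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                 + b"\x45"                                 # flags: UP | UV | AT
                 + (0).to_bytes(4, "big")                  # signCount
                 + bytes(16)                               # aaguid (all zero)
                 + len(cred_id).to_bytes(2, "big") + cred_id
                 + cose_key)
    return (b"\xa3"                                        # map(3)
            + b"\x63" + b"fmt" + b"\x64" + b"none"
            + b"\x67" + b"attStmt" + b"\xa0"               # empty attStmt map
            + b"\x68" + b"authData" + b"\x58" + bytes([len(auth_data)]) + auth_data)


if __name__ == "__main__":
    info = credential_from_attestation(build_demo_attestation_object(), "example.com")
    print(info["credential_id"], info["public_key"].hex())
```

The decoder deliberately rejects anything outside the handful of CBOR forms it needs (no arrays, floats or indefinite lengths), so unexpected input fails loudly instead of being misread; a production relying party would use a maintained CBOR library and also check the aaguid and signCount it records here.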