MasterKale / SimpleWebAuthn

WebAuthn, Simplified. A collection of TypeScript-first libraries for simpler WebAuthn integration. Supports modern browsers, Node, Deno, and more.
https://simplewebauthn.dev
MIT License

Wallix webauthn lib #475

Closed netmiller closed 1 year ago

netmiller commented 1 year ago

Tricky question

Some years ago I implemented fido2-based login for customers, using Yubikey authenticators. At the time I chose the Wallix webauthn library (https://github.com/wallix/webauthn#readme) but its support ended 4 years ago. Still it is working pretty well. Version is 0.1.3 (Oct 14, 2019).

Anyway I have started to change the fido2 lib to SimpleWebAuthn, and registration is OK now, and I just started with authentication. Now the question: can I utilise/convert previous credentials with the new lib?

RelyingParty information is 100% the same as earlier, and all new or renewed registrations I can forward to use the new lib. But authentication will be smooth if it is possible to take the relevant details from old credentials and still use the SimpleWebAuthn verifyAuthenticationResponse routine?

Here is an example of current credentials (wallix-webauthn) and also credentials saved by SimpleWebAuthn (the latter is an example from another app where I used SimpleWebAuthn two years ago):

Wallix webauthn lib:
{
    "fmt": "packed",
    "publicKey": "BM8W+VCIdVvw8vvU81RkDuC22KjL1xnuclAAcB60/7YEZc0akX9REjxEbAgfHJ/oXS3ICyFOdS6uva61bAAheZw=",
    "counter": 1474,
    "credID": "GLrErrb3wISG3NezhDO3tr1U+G4kVKj4MKWGYtUB0mjSyf1XIN+dEOqiNODwVx/Br+WHM7eGqdhPx5f4D6QDdg=="
}

SimpleWebAuthn:
{
    "credentialID": "I0Fd4p6+Z0pS2R/UAfqEeUkq5zfeYafirY1dQ8ZafSL5As59YLhe4ZZe5sohlV5WLcypHnxSIgN8JagfBWafThW7IkPGBSTbq3vPnTiWFkmIv3v98GeQBp8/ue04cg53wUsPm8tPXtYpzVxJFsA4rQGgJqrslVJ1iRIZrD2AocY=",
    "credentialPublicKey": "pAEBAycgBiFYIAJPh1M4zysTgJ/T91mX1AFts+tj/Yzc7jaE7Gxo86zL",
    "counter": 1,
    "fmt": "packed",
    "aaguid": "b92c3f9a-c014-4056-887f-140a2501163b"
}

Main question: is it technically possible to use older creds with new lib?

Anyway I will encourage customers to make a new registration quite soon, but there are 40-50 customers and I can't force them to re-register immediately. Of course it is possible if I can't find any other solution, but not very convenient.

MasterKale commented 1 year ago

Hello @netmiller, this is a fun question for someone like me!

In absolute terms there shouldn't be anything about those existing credIDs or publicKey (very specifically using wallix names here) that would prevent you from using them for WebAuthn response verification with other libraries like SimpleWebAuthn.

Talking specifically about SimpleWebAuthn, it looks like you're using base64 to store credential ID and public key bytes; so long as you convert them to Uint8Arrays when passing them into verifyAuthenticationResponse() as the value of options.authenticator.credentialID and options.authenticator.credentialPublicKey respectively, then there shouldn't be a problem using those existing credentials with SimpleWebAuthn.

FYI you can import isoBase64URL from @simplewebauthn/server/helpers and use its support for base64 if needed:

import { verifyAuthenticationResponse } from '@simplewebauthn/server';
import { isoBase64URL } from '@simplewebauthn/server/helpers';

// `wallix` is the credential record loaded from your existing store
const verification = await verifyAuthenticationResponse({
  // ...
  authenticator: {
    // the second argument tells the helper the input is standard base64, not base64url
    credentialID: isoBase64URL.toBuffer(wallix.credID, 'base64'),
    credentialPublicKey: isoBase64URL.toBuffer(wallix.publicKey, 'base64'),
    counter: wallix.counter,
  },
});

There's nothing isoBase64URL does that other base64 libraries don't already do. Put another way, use of isoBase64URL is not a requirement for working with SimpleWebAuthn, it's only offered as a resource for projects that might not already have pulled in such a base64url/base64 helper library.
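Editor's note with an added example; this is not code from the thread's participants or from the SimpleWebAuthn project. Before wiring the Wallix record into verifyAuthenticationResponse(), it is worth decoding both stored keys quoted above: the Wallix publicKey decodes to 65 bytes beginning with 0x04, i.e. a SEC1 uncompressed EC point, while the SimpleWebAuthn credentialPublicKey decodes to a CBOR map (0xa4 ...), i.e. a COSE_Key, which is the form SimpleWebAuthn's verifier parses. A migration therefore has to wrap the raw point into a COSE EC2 key rather than just re-encode the bytes. The script below does that conversion plus the base64 to base64url step for the credential ID, using only Node's global Buffer. The constructed inputs are the two records quoted in the issue; the function names (detectPublicKeyFormat, coseEc2P256FromRawPoint, wallixToSimpleWebAuthn) are this example's own, and it assumes the Wallix point is on P-256 with ES256 (the curve and algorithm the thread's YubiKey registrations would have produced), which you should confirm against your own registration data.

```javascript
// Added example: convert a Wallix webauthn credential record into the fields
// SimpleWebAuthn's verifyAuthenticationResponse() consumes. Node only (global
// Buffer), no dependencies.

// Constructed sample: the Wallix record quoted in the issue.
const WALLIX_RECORD = {
  fmt: 'packed',
  publicKey: 'BM8W+VCIdVvw8vvU81RkDuC22KjL1xnuclAAcB60/7YEZc0akX9REjxEbAgfHJ/oXS3ICyFOdS6uva61bAAheZw=',
  counter: 1474,
  credID: 'GLrErrb3wISG3NezhDO3tr1U+G4kVKj4MKWGYtUB0mjSyf1XIN+dEOqiNODwVx/Br+WHM7eGqdhPx5f4D6QDdg==',
};

// Constructed sample: the public key from the SimpleWebAuthn record quoted in
// the issue (already a COSE_Key, so it must pass through untouched).
const SWA_PUBLIC_KEY_B64 = 'pAEBAycgBiFYIAJPh1M4zysTgJ/T91mX1AFts+tj/Yzc7jaE7Gxo86zL';

// Standard base64 -> bytes (Buffer also accepts base64url input here).
function base64ToBytes(s) {
  return new Uint8Array(Buffer.from(s, 'base64'));
}

// Bytes -> unpadded base64url, the encoding SimpleWebAuthn uses for IDs.
function bytesToBase64Url(bytes) {
  return Buffer.from(bytes).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Classify a stored public key by its leading bytes:
//  - 65 bytes starting with 0x04: SEC1 uncompressed EC point (the Wallix record)
//  - CBOR major type 5 (a map, 0xa0..0xbf): a COSE_Key (what SimpleWebAuthn stores)
function detectPublicKeyFormat(bytes) {
  if (bytes.length === 65 && bytes[0] === 0x04) return 'sec1-uncompressed';
  if (bytes.length > 0 && (bytes[0] >> 5) === 5) return 'cose';
  return 'unknown';
}

// Wrap a raw uncompressed point into a COSE_Key EC2 structure (RFC 8152):
//   {1: 2 (kty=EC2), 3: -7 (alg=ES256), -1: 1 (crv=P-256), -2: x, -3: y}
// Assumption: the point is a P-256 / ES256 key; verify that for your own data.
function coseEc2P256FromRawPoint(raw) {
  if (detectPublicKeyFormat(raw) !== 'sec1-uncompressed') {
    throw new Error('expected a 65-byte uncompressed EC point');
  }
  const x = raw.subarray(1, 33);
  const y = raw.subarray(33, 65);
  return new Uint8Array([
    0xa5,             // map(5)
    0x01, 0x02,       // 1 (kty)  : 2 (EC2)
    0x03, 0x26,       // 3 (alg)  : -7 (ES256)
    0x20, 0x01,       // -1 (crv) : 1 (P-256)
    0x21, 0x58, 0x20, // -2 (x)   : bytes(32)
    ...x,
    0x22, 0x58, 0x20, // -3 (y)   : bytes(32)
    ...y,
  ]);
}

// Build the SimpleWebAuthn-side fields from a Wallix record. The ID is returned
// both as bytes and as base64url because SimpleWebAuthn versions differ in
// which form verifyAuthenticationResponse() takes; the counter carries over.
function wallixToSimpleWebAuthn(record) {
  const credentialIDBytes = base64ToBytes(record.credID);
  const storedKey = base64ToBytes(record.publicKey);
  const credentialPublicKey = detectPublicKeyFormat(storedKey) === 'cose'
    ? storedKey                             // already COSE: keep as-is
    : coseEc2P256FromRawPoint(storedKey);   // raw point: wrap it
  return {
    credentialID: bytesToBase64Url(credentialIDBytes),
    credentialIDBytes,
    credentialPublicKey,
    counter: record.counter,
  };
}

const converted = wallixToSimpleWebAuthn(WALLIX_RECORD);
console.log(detectPublicKeyFormat(base64ToBytes(WALLIX_RECORD.publicKey))); // sec1-uncompressed
console.log(detectPublicKeyFormat(base64ToBytes(SWA_PUBLIC_KEY_B64)));      // cose
console.log(converted.credentialPublicKey.length);                           // 77
```

Run the format check over the whole credential table before migrating: any record that comes back 'unknown' needs a look by hand rather than a blind conversion, and a key that is already 'cose' must not be wrapped a second time. Once the stored key is in COSE form, the snippet above works as written with credentialPublicKey set to these bytes, and the counter check in verifyAuthenticationResponse() continues from the Wallix value, so the clone-detection property of the signature counter is preserved across the migration.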

MasterKale commented 1 year ago

I'm going to convert this into a discussion now as this isn't reporting an issue with SimpleWebAuthn.