Yubico / yubikit-ios

Yubico Mobile iOS SDK - YubiKit
Apache License 2.0

JSON property name for "signature" vs "signatureData" #30

Closed bugnuker closed 4 years ago

bugnuker commented 4 years ago

We've been implementing Security Key support in our apps and websites. We started with U2F and are also looking at FIDO2, etc.

When using the Yubikit, we've found that it is returning a different payload than the Android and browser APIs.

Specifically, the "signature" element is named "signature" when using Yubikit, but it is "signatureData" in the Android and Chrome APIs.

Examples below for U2F:

Android:

{\"keyHandle\":\"bIap1cuTOBhl7VDd4Z56rFPkFJL0ow927f1kWI0SC3_oHjuTFxm7OUcHRrfavcjudIAkyuHiIC_WzKPAYaJPdA\",\"clientData\":\"eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiMWFhNTI2ZmY0NWE1MjYxMTkzMTkyNmI1MTAzY2JhMGFkMDA2ZTU2NjA3NzMwYWQ0NDI0NjgyYTViY2NhMWI5MCIsIm9yaWdpbiI6ImFuZHJvaWQ6YXBrLWtleS1oYXNoOjRqMFpQRFNEMnJSWmlDV0JqR051aFRBNDNCcmZyV0orYitRc2E2aGZkaGsifQ\",\"signatureData\":\"AQAAABMwRAIgGj4w86tSby8ltv8VfqHpiw1e9zYgi1hL0olPFj-33vkCIFTJuWgBZivOIHoVSd96zZpfyLjoHw-YMR01c5Xiq9zR\"}

iOS:

{\"clientData\":\"eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiNjMxMjAxMjJkZDdjMzYyNThlZDNmMjJlZDYzODEyYjNiM2EzMGUzZTRkZGEzY2E5MGQ4NzU1OGM2ZDI0NGJjYiIsIm9yaWdpbiI6Imh0dHBzOi8vbG9naW4uYXV0aGFybW9yLmNvbS9hcHAtaWQuanNvbiJ9\",\"keyHandle\":\"bIap1cuTOBhl7VDd4Z56rFPkFJL0ow927f1kWI0SC3_oHjuTFxm7OUcHRrfavcjudIAkyuHiIC_WzKPAYaJPdA\",\"signature\":\"AQAAABswRQIgcvZ1HlapFJxqDZY6Qdhjc70mvIL8lZMsUaEp7D/cCF0CIQDmoTFc7939LfCK/j6NuXw9f894mVrV6/+6kqG3gGqj4w==\"}

imakhalova commented 4 years ago

Hello @bugnuker ,

Thank you for the interest in using YubiKit. Can you please share more context on where you see such JSON blobs?

As I understand, you're talking about the assertion request. I went to https://demo.yubico.com/ using a browser to test WebAuthn. And here is what is being sent to the server when authenticating with the key: {"requestId":"12b19eef-6b10-449b-9448-5d4e83beaea2","assertion":{"credentialId":"fuR1IDLARttVPEUkPiVyD9JFyGqWyZOsSGOibwQB9VdP6XXut4swNWaD46K4BFoENeIkgV2ss7ltdajwbS3m3A==","authenticatorData":"xGzvgq0bVGR3WR0Aiwh1nsPm0uy085R0v+ppaZJdA7cBAAAAAg==","clientDataJSON":"eyJjaGFsbGVuZ2UiOiJtY01xVndYNkZnOWM0cGJsNVpsOEZTTTN6TVU4VXFxT0VBbkVDcS1CYVpFIiwib3JpZ2luIjoiaHR0cHM6Ly9kZW1vLnl1Ymljby5jb20iLCJ0eXBlIjoid2ViYXV0aG4uZ2V0In0=","signature":"MEQCIGmswVl+h6jdBygf5nPXraqt685NbhmgcoZTo/hrSjDJAiAs62nW8VZPEdzL+LpgNOn/jU8sL4GjcjKjbTQW4z3U+Q==","userHandle":""}}

All of that data can be received from YubiKit to form such a request. YubiKit itself doesn't return a JSON blob. It returns an authenticator response object.

The same way as the Android FIDO APIs.

Can you share more details, please? Repro steps, code snippets, screenshots?

imakhalova commented 4 years ago

For U2F, the API returns a YKFKeyU2FSignResponse object. It has all the data to format the JSON that you ask for.

bugnuker commented 4 years ago

We're using U2F - and like you posted, the SignResponse has "signature" - we were converting these values to JSON. The U2F JavaScript API and Android APIs return this payload via JSON. We made a simple change to just map "signature" to "signatureData" and then it matches across all platforms.

Thanks!
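The mapping the reporter settled on is easy to get subtly wrong on the server side, because the two blobs quoted above differ in more than the key name: the Android one is base64url without padding, while the iOS one is standard padded base64. The following is an added example, not code from the issue or from YubiKit, of a server-side normalizer that accepts exactly one of "signature" / "signatureData", decodes either base64 alphabet, re-emits the websafe form, and splits the U2F signature data into its user-presence byte, counter and DER signature so the counter can be checked for monotonic advance. The sample dicts are constructed from the keyHandle and signature values posted in the issue; all function names are this example's own.

```python
import base64
import binascii
import re
import struct

# Constructed samples: keyHandle and signature blobs copied from the two U2F
# sign responses quoted in the issue; clientData is omitted because the
# normalization below never touches it.
ANDROID_RESPONSE = {
    "keyHandle": "bIap1cuTOBhl7VDd4Z56rFPkFJL0ow927f1kWI0SC3_oHjuTFxm7OUcHRrfavcjudIAkyuHiIC_WzKPAYaJPdA",
    "signatureData": "AQAAABMwRAIgGj4w86tSby8ltv8VfqHpiw1e9zYgi1hL0olPFj-33vkCIFTJuWgBZivOIHoVSd96zZpfyLjoHw-YMR01c5Xiq9zR",
}
IOS_RESPONSE = {
    "keyHandle": "bIap1cuTOBhl7VDd4Z56rFPkFJL0ow927f1kWI0SC3_oHjuTFxm7OUcHRrfavcjudIAkyuHiIC_WzKPAYaJPdA",
    "signature": "AQAAABswRQIgcvZ1HlapFJxqDZY6Qdhjc70mvIL8lZMsUaEp7D/cCF0CIQDmoTFc7939LfCK/j6NuXw9f894mVrV6/+6kqG3gGqj4w==",
}

_B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/_-]*$")


def decode_b64_any(value: str) -> bytes:
    """Decode base64url (unpadded) or standard padded base64.

    The two blobs in the issue differ in exactly this way, so a server has
    to accept both before it can compare or verify anything.
    """
    stripped = value.rstrip("=")
    if not _B64_ALPHABET.match(stripped):
        raise ValueError("signature data is not base64")
    standard = stripped.replace("-", "+").replace("_", "/")
    padded = standard + "=" * (-len(standard) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error as exc:
        raise ValueError("signature data is not base64") from exc


def encode_b64url(raw: bytes) -> str:
    """Websafe base64 without padding, the form the U2F JSON APIs use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_signature_data(raw: bytes) -> tuple:
    """Split U2F signature data into (user_presence, counter, der_signature).

    Layout per the U2F raw message format: 1 byte user-presence flags,
    4-byte big-endian counter, then a DER-encoded ECDSA signature.
    """
    if len(raw) < 5 + 2:
        raise ValueError("signature data too short")
    presence, counter = struct.unpack(">BI", raw[:5])
    der = raw[5:]
    # Minimal DER sanity check: SEQUENCE tag and a short-form length that
    # covers the rest (P-256 signatures are at most 72 bytes, so short form
    # is all we need here).
    if der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("signature is not a well-formed DER SEQUENCE")
    return bool(presence & 0x01), counter, der


def normalize_sign_response(payload: dict) -> dict:
    """Return the response keyed the way Android and Chrome key theirs.

    Exactly one of "signature" (YubiKit iOS, as reported) or "signatureData"
    (Android / Chrome) must be present; both or neither is rejected so an
    ambiguous payload cannot slip through.
    """
    present = [k for k in ("signature", "signatureData") if k in payload]
    if len(present) != 1:
        raise ValueError(f"expected exactly one signature field, got {present}")
    raw = decode_b64_any(payload[present[0]])
    parse_signature_data(raw)  # fail early on structurally bad data
    out = {k: v for k, v in payload.items() if k not in ("signature", "signatureData")}
    out["signatureData"] = encode_b64url(raw)
    return out


def check_counter(last_seen: int, counter: int) -> None:
    """Reject a counter that did not advance; a replay or a cloned key shows up here."""
    if counter <= last_seen:
        raise ValueError(f"counter {counter} did not advance past {last_seen}")


if __name__ == "__main__":
    for name, resp in (("android", ANDROID_RESPONSE), ("ios", IOS_RESPONSE)):
        norm = normalize_sign_response(resp)
        up, ctr, der = parse_signature_data(decode_b64_any(norm["signatureData"]))
        print(f"{name}: user_presence={up} counter={ctr} der_len={len(der)}")
```

Re-encoding after decoding (rather than copying the string under a new key) is deliberate: it gives the rest of the relying-party code one canonical encoding, and it forces a decode failure to surface at the boundary instead of inside signature verification. The counter check is the piece most worth keeping regardless of platform, since the counter is the only signal the U2F sign response carries that distinguishes a replayed or cloned authenticator from the genuine one.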