Open santiagorodriguez96 opened 9 months ago
The verification procedure is failing to verify the certificateInfo
, specifically in this step:
Verify that attested contains a TPMS_CERTIFY_INFO structure as specified in [TPMv2-Part2] section 10.12.3, whose name field contains a valid Name for pubArea, as computed using the algorithm in the nameAlg field of pubArea using the procedure specified in [TPMv2-Part1] section 16. [source]
As stated in the WebAuthn spec – and as it's implemented in tpm-key_attestation
– we are using the nameAlg
field of the pubArea
to compute the name of the public object and since, on this case, the algorithm used for generate the name
in the certInfo
is different from the algorithm identified by pubArea
's nameAlg
– and thus both nameAlg
s differ –, the computed public object name is different from certInfo
's name
and therefore the verification fails.
The issue is that the conformance tests expect the verification to succeed given that they expect the public object name to be computed using the certInfo
's nameAlg
field .
However, it's currently not clear whether or not the WebAuthn spec is correct about how to verify a TPM attestation, so we might have to wait some time until this matter is clarified.
How to run FIDO2 conformance tests: https://github.com/cedarcode/webauthn-ruby/tree/master/spec/conformance.