Closed tcompiegne closed 3 years ago
@tcompiegne thanks for the catch. It is hard to test apple devices due to the nature of the attestations (short lived). Sadly we were tested during the last iOS betas and the alg was present.
The alg is only needed for the metadata validation which can be used in the future to "deny" devices that are known to have been compromised, yet I believe apple will handle this with a iOS update.
Nevertheless, I've made the field optional so older devices (with older os versions) may send the field and we can use it in that check too if present.
@pmlopes Thanks for the feedback.
Questions
Do not use this issue tracker to ask questions, instead use one of these channels. Questions will likely be closed without notice.
Version
Which version(s) did you encounter this bug ?
4.0.0
Context
I encountered an exception which looks suspicious while trying to use Apple FaceID device with direct attestation.
NPE at :
"alg" value does not exist.
Here the format of apple anonymous attestation :
https://w3c.github.io/webauthn/#sctn-apple-anonymous-attestation https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/
Steps to reproduce
Extra