1) The clientdatajson should just be passed through as a strong until after signature verification, at which time it could be unpacked for other types of verification.
2) The current handling of the json in this class is a little unorthodox and could lead to inconsistent ordering of json pairs. (i.e. the stuff involving bytes):
1) The clientdatajson should just be passed through as a strong until after signature verification, at which time it could be unpacked for other types of verification.
2) The current handling of the json in this class is a little unorthodox and could lead to inconsistent ordering of json pairs. (i.e. the stuff involving bytes):
https://github.com/google/webauthndemo/blob/37c77737a51f929a7601c3733b9a38af8a937fd0/src/main/java/com/google/webauthn/gaedemo/objects/AuthenticatorAttestationResponse.java