koesie10 / webauthn

Go package for easy WebAuthn integration
MIT License

Security Issue: signature is not checked #4

Closed Alkorin closed 5 years ago

Alkorin commented 5 years ago

Check signature if cert is NON-nil

koesie10 commented 5 years ago

Thank you! The tests were using the wrong public key, which is why they failed, but that has also been fixed now.

Alkorin commented 5 years ago

You should maybe add some other tests like:

To be sure that your library doesn't say "OK" even if it's the wrong public key

Thomas

On Mon, 12 Nov 2018 at 12:35, Koen Vlaswinkel notifications@github.com wrote:

Thank you! The tests were using the wrong public key, which is why they failed, but that has also been fixed now.

koesie10 commented 5 years ago

Totally agree. However, the format of keys is binary, which makes it hard to construct valid or invalid responses. I also don't think there is some test suite which includes a list of valid/invalid responses.
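The thread's worry is that a negative test (wrong key, tampered signature, missing key) is hard to write because WebAuthn keys and responses are binary. The added Go example below is not code from the koesie10/webauthn project; it sidesteps the fixture problem by generating fresh P-256 keys at test time and constructing a minimal assertion in memory. It assumes the ES256 algorithm (ECDSA P-256 over SHA-256, DER-encoded signature), a constructed clientDataJSON, and hypothetical function names (`SignAssertion`, `VerifyAssertion`, `RunCases`) that do not exist in the library. What is signed is fixed by the spec: authenticatorData || SHA-256(clientDataJSON).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed fixture value; nothing here is captured from a real authenticator.
const rpID = "example.com"

// authenticatorData builds the minimal authenticator data an assertion carries:
// SHA-256(rpId) (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian).
func authenticatorData(rpID string, flags byte, signCount uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := make([]byte, 37)
	copy(out, h[:])
	out[32] = flags
	binary.BigEndian.PutUint32(out[33:], signCount)
	return out
}

// signedData is what an ES256 authenticator signs: authData || SHA-256(clientDataJSON).
func signedData(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), cdh[:]...)
}

// SignAssertion plays the authenticator side (hypothetical helper, ES256 only).
func SignAssertion(priv *ecdsa.PrivateKey, authData, clientDataJSON []byte) ([]byte, error) {
	digest := sha256.Sum256(signedData(authData, clientDataJSON))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyAssertion is the relying-party check (hypothetical helper). It fails closed:
// a missing key is an error, never a pass, and rpIdHash and the user-present flag
// are checked before the signature.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID string, authData, clientDataJSON, sig []byte) error {
	if pub == nil {
		return errors.New("no public key registered for this credential")
	}
	if len(authData) < 37 {
		return errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(authData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if authData[32]&0x01 == 0 {
		return errors.New("user-present flag not set")
	}
	digest := sha256.Sum256(signedData(authData, clientDataJSON))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("assertion signature does not verify")
	}
	return nil
}

// CaseResults records whether each case behaved correctly (true = correct).
type CaseResults struct {
	CorrectKeyAccepted, WrongKeyRejected, NilKeyRejected bool
	TamperedSigRejected, TamperedDataRejected          bool
}

// RunCases generates two fresh keys (no binary key fixtures needed), signs one
// constructed assertion, and exercises the verifier with it.
func RunCases() (CaseResults, error) {
	var r CaseResults
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	authData := authenticatorData(rpID, 0x01, 7) // UP flag set, signCount 7
	clientDataJSON := []byte(`{"type":"webauthn.get","challenge":"c29tZS1jaGFsbGVuZ2U","origin":"https://example.com"}`)
	sig, err := SignAssertion(priv, authData, clientDataJSON)
	if err != nil {
		return r, err
	}
	r.CorrectKeyAccepted = VerifyAssertion(&priv.PublicKey, rpID, authData, clientDataJSON, sig) == nil
	r.WrongKeyRejected = VerifyAssertion(&other.PublicKey, rpID, authData, clientDataJSON, sig) != nil
	r.NilKeyRejected = VerifyAssertion(nil, rpID, authData, clientDataJSON, sig) != nil

	badSig := append([]byte{}, sig...)
	badSig[len(badSig)/2] ^= 0x40 // flip one bit inside the DER-encoded r/s values
	r.TamperedSigRejected = VerifyAssertion(&priv.PublicKey, rpID, authData, clientDataJSON, badSig) != nil

	altered := bytes.Replace(clientDataJSON, []byte("example.com"), []byte("evil.example"), 1)
	r.TamperedDataRejected = VerifyAssertion(&priv.PublicKey, rpID, authData, altered, sig) != nil
	return r, nil
}

func main() {
	r, err := RunCases()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The wrong-key and nil-key cases are the ones that would have caught the bug this PR fixes: a verifier that skips the signature check when no certificate or key is present "passes" both. Generating keys per run means the suite needs no stored binary fixtures, and the same harness can be pointed at a library's real verify function once a credential public key is decoded from its COSE form.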

Alkorin commented 5 years ago

I will definitely do some test suite because the library will be used for $WORK internal authentication.

I'll share with you if I have some valid & invalid responses ;)

Thomas

On Fri, 16 Nov 2018 at 21:52, Koen Vlaswinkel notifications@github.com wrote:

Totally agree. However, the format of keys is binary, which makes it hard to construct valid or invalid responses. I also don't think there is some test suite which includes a list of valid/invalid responses.