Because of this, when the x509 encoded EdDSA algo key spec is input into the keyFactor.generatePublic method, an InvalidKeySpecException is thrown because the keyFactory assumed it was a ECDSA instance. This means that, from what I've seen, all EdDSA algo keys are unable to authenticate...
I have asserted this is an issue with the RP and not the authenticator, because I tested if this error is thrown on an official YubiKey authenticator. To do that, I injected some javascript into my browser such that the pubKeyCredParams passed into navigator.credentials.create(..) only included the -8 algorithm (i.e. force the YubiKey to use EdDSA). This results in a successful registration with the server using -8, however on authentication the InvalidKeySpecException is thrown.
I believe the fix to this is just to handle the isEDDSAAlgorithm() case with a KeyFactory instance of "EdDSA". My MR shows this fix and I have confirmed it to work on a custom authenticator running locally where it previously did not.
Fix:
the
convert
function inUserKeyServiceImpl
does not handle the EdDSA case. It only handlesRSA
andECDSA
, this can be seen below:Because of this, when the x509 encoded EdDSA algo key spec is input into the
keyFactor.generatePublic
method, anInvalidKeySpecException
is thrown because thekeyFactory
assumed it was a ECDSA instance. This means that, from what I've seen, all EdDSA algo keys are unable to authenticate...I have asserted this is an issue with the RP and not the authenticator, because I tested if this error is thrown on an official YubiKey authenticator. To do that, I injected some javascript into my browser such that the
pubKeyCredParams
passed intonavigator.credentials.create(..)
only included the-8
algorithm (i.e. force the YubiKey to use EdDSA). This results in a successful registration with the server using -8, however on authentication theInvalidKeySpecException
is thrown.I believe the fix to this is just to handle the
isEDDSAAlgorithm()
case with a KeyFactory instance of "EdDSA". My MR shows this fix and I have confirmed it to work on a custom authenticator running locally where it previously did not. Fix: