In the process of deserializing AuthenticatorData within attestation.rs, it is observed that when the flags indicate an extension, and upon parsing the cbor map, it is found to be empty, this empty map is saved. However, during serialization, the presence of an empty map leads to the omission of the extension field, while the flags still indicate the presence of an extension. This inconsistency results in AuthenticatorData read in Firefox being one byte shorter than what is saved in cbor.
According to CTAP 2 specifications, it states: "If the authenticator does not include any extension data, it MUST set the ED flag to zero, and to one if extension data is included." I am uncertain whether an empty map qualifies as legal extension data, but for better compatibility, I suggest that authenticator-rs supports this behavior.
jschanck
commented
10 months ago
In the process of deserializing
AuthenticatorDatawithinattestation.rs, it is observed that when theflagsindicate an extension, and upon parsing thecbormap, it is found to be empty, this empty map is saved. However, during serialization, the presence of an empty map leads to the omission of theextensionfield, while theflagsstill indicate the presence of an extension. This inconsistency results inAuthenticatorDataread in Firefox being one byte shorter than what is saved incbor.According to CTAP 2 specifications, it states: "If the authenticator does not include any extension data, it MUST set the ED flag to zero, and to one if extension data is included." I am uncertain whether an empty map qualifies as legal extension data, but for better compatibility, I suggest that
authenticator-rssupports this behavior.