ralscha / webauthn-demo

WebAuthn demo with Ionic/Angular and Spring Boot
MIT License

https://demo.rasc.ch/webauthn/#/registration - Does not work with self-attestation #1

Closed 0x0ptr closed 4 years ago

0x0ptr commented 5 years ago

Hi Ralph!

I tried using your demo website using self-attestation [1] but it failed to register. There was no output in the Chrome console window. I had the same thing work when I used "basic" attestation. Also, I tried using the same self-attestation authenticator with Yubico [2] and https://webauthn.me/ and it works fine with self-attestation.

[1] https://www.w3.org/TR/webauthn/#self-attestation
[2] https://demo.yubico.com/webauthn

Thanks!

ralscha commented 5 years ago

How can I test self-attestation?

0x0ptr commented 5 years ago

You have to have an authenticator that uses self-attestation [1] to sign the attestation object. The data returned back from the authenticator will not have an X.509 certificate in this case.

[1] https://www.w3.org/TR/webauthn/#self-attestation

0x0ptr commented 5 years ago

See https://github.com/Yubico/java-webauthn-server/blob/master/webauthn-server-core/src/main/java/com/yubico/webauthn/PackedAttestationStatementVerifier.java#L98
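The self-attestation case described in the comments above, as an added example that is not part of the original thread and not code from the demo or from webauthn-server-core: in the packed format, a statement without `x5c` is verified with the credential's own public key over authenticatorData || clientDataHash. The names `verifyPackedAttestation` and `buildSample`, and the already CBOR-decoded input shapes, are assumptions made for this illustration.

```javascript
const crypto = require('node:crypto');

// COSE algorithm identifiers mapped to Node digest names (ES256 = -7, RS256 = -257).
const COSE_DIGEST = new Map([[-7, 'sha256'], [-257, 'sha256']]);

// Verifies a "packed" attestation statement that is assumed to be CBOR-decoded already.
// credential = { alg, publicKey } is the credential public key taken from authData.
function verifyPackedAttestation(attStmt, authData, clientDataHash, credential) {
  const digest = COSE_DIGEST.get(attStmt.alg);
  if (!digest) return { ok: false, reason: 'unsupported alg' };

  if (attStmt.x5c !== undefined) {
    // Basic attestation: the signature must be checked against the attestation
    // certificate and its chain validated. Not covered by this example.
    return { ok: false, reason: 'x5c present: not self-attestation' };
  }

  // Self-attestation: no certificate, so the only trust anchor is the credential key.
  // The statement's alg must equal the alg of the credential public key.
  if (attStmt.alg !== credential.alg) return { ok: false, reason: 'alg mismatch' };

  // The signature covers authenticatorData || clientDataHash.
  const signed = Buffer.concat([authData, clientDataHash]);
  const valid = crypto.verify(digest, signed, credential.publicKey, attStmt.sig);
  return valid ? { ok: true, type: 'self' } : { ok: false, reason: 'bad signature' };
}

// Constructed sample: a fresh P-256 key signs stand-in bytes the way a
// self-attesting authenticator would. authData here is random filler,
// not a real authenticatorData structure.
function buildSample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const authData = crypto.randomBytes(37);
  const clientDataHash = crypto.createHash('sha256')
    .update('{"type":"webauthn.create"}') // constructed client data
    .digest();
  // Node emits a DER-encoded ECDSA signature by default, as ES256 in WebAuthn expects.
  const sig = crypto.sign('sha256', Buffer.concat([authData, clientDataHash]), privateKey);
  return { attStmt: { alg: -7, sig }, authData, clientDataHash, credential: { alg: -7, publicKey } };
}
```

A self-attestation that passes this check proves only possession of the credential private key; it says nothing about the authenticator model.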

ralscha commented 4 years ago

I upgraded the demo to the latest version (1.6.0-RC1) of com.yubico:webauthn-server-core and increased the size of the credentials.public_key_cose field. It was too small in certain cases.

Not sure if this magically solves the self-attestation problem. If you have time, give it another try.

I was browsing through the public API of webauthn-server-core but haven't found a configuration option concerning self attestation. My expectation is that the library handles this case internally.

0x0ptr commented 4 years ago

Hi Ralph!

Works! Thanks!