search

webauthn-open-source / fido2-lib

A node.js library for performing FIDO 2.0 / WebAuthn server functionality
https://webauthn.io
MIT License
394 stars 118 forks source link

Possibly incorrect calculation for nonce in: android-safetynet attestation: nonce check hash failed #157

Open wparad opened 4 months ago

wparad commented 4 months ago

We got this request which we believe is 100% valid, but it fails nonce validation.

Attestation:

o2NmbXRxYW5kcm9pZC1zYWZldHluZXRnYXR0U3RtdKJjdmVyaTI0MDYxNTAzOGhyZXNwb25zZVkhVWV5SmhiR2NpT2lKU1V6STFOaUlzSW5nMVl5STZXeUpOU1VsR1lucERRMEpHWldkQmQwbENRV2RKVWtGTFpHWnhVbWx5TWpGMVpVTnBXWGxvVkZJeGNTOVpkMFJSV1VwTGIxcEphSFpqVGtGUlJVeENVVUYzVW1wRlRFMUJhMGRCTVZWRlFtaE5RMVpXVFhoSmFrRm5RbWRPVmtKQmIxUkhWV1IyWWpKa2MxcFRRbFZqYmxaNlpFTkNWRnBZU2pKaFYwNXNZM2xDVFZSRlRYaEZla0ZTUW1kT1ZrSkJUVlJEYTJSVlZYbENSRkZUUVhoU1JGRjNTR2hqVGsxcVVYZE5WRWsxVFVScmQwOVVTVEpYYUdOT1RXcFJkMDVFU1RSTlJHdDNUMVJKTVZkcVFXUk5Vbk4zUjFGWlJGWlJVVVJGZUVwb1pFaFNiR016VVhWWlZ6VnJZMjA1Y0ZwRE5XcGlNakIzWjJkRmFVMUJNRWREVTNGSFUwbGlNMFJSUlVKQlVWVkJRVFJKUWtSM1FYZG5aMFZMUVc5SlFrRlJSSGRyYVRWMWF5OU1VbFJ6YmtRdk1URk5ORmN3VWpZM1ZtaExPUzlSWTIxTldUWlFWRkJhUTNBdlJETm9TM1JNU2tOeGIwWXJOSE0zVlVWdVR6Rm5jU3Q2V201bmVFVjNSVXcwTlUxNGFuRlJUUzlKT1c1YWRFTnRSRlJRVkRObmFqZzVhVEZCTjJNMlJIbzRMMVU0UmxFNFNGbEhaazFrTTJkMFUwTjBUek0wYkhWQ1RYWnBTa2hOUmxndmVuaHBiWGx3WkVSalIyZDNWemN2VFVjMGFHUTRPVWR6YjJvMVMzTnBjM2haZFRSd1ltWlBiakZKVG1kWFEydDZjRU5yYm10cFVsUk9Oa1pPU2xORGNWbG5UMFp1WVdKaVUzZ3ZUbmRNUmtwMFVVMTJWRGN2UW1oalNYVkphWFJrTTFoNFFtdFRiVGhIYmpaV1NqaHJkVkEzWlZvNVdXSjVha3BNZUVkVVJXNXRWbmxDWVRsM05sZENZbEZMYWpKME9XSllMME53UjBSbFVraHBUVTVwT1VsUGVuaGliM0JIVkVnMlNDODNTWFpMYzFGaU5tVjZPWFpWZWtaa1FYWnNURzlEWkRVd0sxaENRV2ROUWtGQlIycG5aMG92VFVsSlEyVjZRVTlDWjA1V1NGRTRRa0ZtT0VWQ1FVMURRbUZCZDBWM1dVUldVakJzUWtGM2QwTm5XVWxMZDFsQ1FsRlZTRUYzUlhkRVFWbEVWbEl3VkVGUlNDOUNRVWwzUVVSQlpFSm5UbFpJVVRSRlJtZFJWVmhEZWlzck9VVTJUazkwZUVFNWEyRnRTSE13Wlc1WWFXRmpiM2RJZDFsRVZsSXdha0pDWjNkR2IwRlZTbVZKV1VSeVNsaHJXbEZ4TldSU1pHaHdRMFF6YkU5NmRVcEpkMlYzV1VsTGQxbENRbEZWU0VGUlJVVmlla0owVFVSblIwTkRjMGRCVVZWR1FucEJRbWhwZUc5a1NGSjNUMms0ZG1JeVRucGpRelYzWVRKcmRWb3lPWFphZVRsNlRESmtNR042Um10T1IyeDFaRU00ZVdKRlpGbE5TRlpVVlZoS1VWUlVRWGhDWjJkeVFtZEZSa0pSWTNkQmIxbHNZVWhTTUdORWIzWk1NMEp5WVZNMWJtSXlPVzVNTTBwc1kwYzRkbGt5Vm5sa1NFMTJXak5TZWsxWFVUQk1iVkpzWTJwQlpFSm5UbFpJVWtWRlJtcEJWV2RvU21oa1NGSnNZek5SZFZsWE5XdGpiVGx3V2tNMWFtSXlNSGRKVVZsRVZsSXdaMEpDYjNkSFJFRkpRbWRhYm1kUmQwSkJaMFYzUkVGWlMwdDNXVUpDUVVoWFpWRkpSa0Y2UVM5Q1owNVdTRkk0UlU5RVFUSk5SRk5uVFhGQmQyaHBOVzlrU0ZKM1QyazRkbGt6U25OamVUVjNZVEpyZFZveU9YWmFlVGx1WkVoTmVGcEVVbkJpYmxGMlYwUktTMDFyYUhsWWVtUlJZVlV3ZFZrelNuTk5TVWxDUWtGWlMwdDNXVUpDUVVoWFpWRkpSVUZuVTBJNVVWTkNPR2RFZDBGSVZVRlRURVJxWVRseGJWSjZVVkExVjI5REszQXdkelo0ZUZOQlkzUlhNMU41UWpKaWRTOXhlbTVaYUVoTlFVRkJSMDVXVEVsRVJrRkJRVUpCVFVGU2FrSkZRV2xDYkZkeGRXWTJVRGczVEM5ek9GcHZWWFZvVHpCemVFd3ZVVkF4YWk5ek5FWTVTelV3ZDFndk5FWlJkMGxuV0V4M1UxaFJRMHBaY0dNeFREVkpORTkwZG1kYVZFbGFSRGxpVWxSSmFGRTJWRGQzVVRWNFdXRnFORUZrZDBSMWVtUkNhekZrYzJGNmMxWmpkRFV5TUhwU1QybE5iMlJIWmt4NmN6TnpUbEpUUm14SFkxSXJNVzEzUVVGQldURlZjMmRNZDBGQlFVVkJkMEpKVFVWWlEwbFJSR0pETUhCRFkxWmpWREoyVUhrelF6bEtMMU5KZEhWc2IxUkRTekF4TkdWbU1qRXJWak5uV1VWcVZsRkphRUZKZFhCa2FWWm9lVEl4WTJFeGRFMVVhRU5GTDJSeWRYaHNWVGd3VDJSUWQyeHVUSFY1Wm05T1MwOXdUVUV3UjBOVGNVZFRTV0l6UkZGRlFrTjNWVUZCTkVsQ1FWRkNiVkZEUkRNcmVHWkZTeXRVYXpSUE9UQmtOMlkzTjJadVFWQXZhRFF4U0U1M05reGxWek5HWVZRM1VrY3dRVlJVTmpjME0zTnFkRU5QYUZwa1RVOTBNekZ4YVdaTGRWRlNOMGNyYVV0TmNuRnZabXBKVlROeVRHMW5lR1ZPYlVoUGIzaERWazl1TVdOcFIySjRZMjV6TDFsSmNHdE9iR2xDUW1sd2RqRTBPR1YyV1ZsUVNXaDBMMWhxUzB0UFlYZzNOa0UwY21FeVdGVklXSFpYU1RkWmFEUnRSblpKWkVObVdYZFVVR04wUjJKbmMySnRaVEkyYmtkS0wxaG9lRzl1VG1WTlZqTnRURU5yYkhSckwzTXhaV001WVhscU5FZ3daRWMxUVRkeFVrMVhlRmRGYjNkcVFUTk5iRzVvU0ZCUk0zWlpXRU5TWlhSRVdUQTRaVkpNTmpWS1pFRlFOM1J2Wlc0clIydDJOMkZzV204MFNsZ3piV2x5Y0dST1ZrcHpSRUkwYjJ0ak1UbHZNV3g2ZWtsdE1XRldjMHRSZEV0YVJpOXllQ3RwVHlzdlJtcFVZVFJVVlhkdWNuTnFNRTQ1U1ZkelJ6WWlMQ0pOU1VsR2FrUkRRMEV6VTJkQmQwbENRV2RKVGtGblEwOXpaMGw2VG0xWFRGcE5NMkp0ZWtGT1FtZHJjV2hyYVVjNWR6QkNRVkZ6UmtGRVFraE5VWE4zUTFGWlJGWlJVVWRGZDBwV1ZYcEZhVTFEUVVkQk1WVkZRMmhOV2xJeU9YWmFNbmhzU1VaU2VXUllUakJKUms1c1kyNWFjRmt5Vm5wSlJYaE5VWHBGVlUxQ1NVZEJNVlZGUVhoTlRGSXhVbFJKUmtwMllqTlJaMVZxUlhkSWFHTk9UV3BCZDA5RVJYcE5SRUYzVFVSUmVWZG9ZMDVOYW1OM1QxUk5kMDFFUVhkTlJGRjVWMnBDUjAxUmMzZERVVmxFVmxGUlIwVjNTbFpWZWtWcFRVTkJSMEV4VlVWRGFFMWFVakk1ZGxveWVHeEpSbEo1WkZoT01FbEdUbXhqYmxwd1dUSldla2xGZUUxUmVrVlVUVUpGUjBFeFZVVkJlRTFMVWpGU1ZFbEZUa0pKUkVaRlRrUkRRMEZUU1hkRVVWbEtTMjlhU1doMlkwNUJVVVZDUWxGQlJHZG5SVkJCUkVORFFWRnZRMmRuUlVKQlMzWkJjWEZRUTBVeU4yd3dkemw2UXpoa1ZGQkpSVGc1WWtFcmVGUnRSR0ZITjNrM1ZtWlJOR01yYlU5WGFHeFZaV0pWVVhCTE1IbDJNbkkyTnpoU1NrVjRTekJJVjBScVpYRXJia3hKU0U0eFJXMDFhalp5UVZKYWFYaHRlVkpUYW1oSlVqQkxUMUZRUjBKTlZXeGtjMkY2ZEVsSlNqZFBNR2N2T0RKeGFpOTJSMFJzTHk4emREUjBWSEY0YVZKb1RGRnVWRXhZU21SbFFpc3lSR2hyWkZVMlNVbG5lRFozVGpkRk5VNWpWVWd6VW1OelpXcGpjV280Y0RWVGFqRTVka0p0Tm1reFJtaHhURWQ1YldoTlJuSnZWMVpWUjA4emVIUkpTRGt4WkhObmVUUmxSa3RqWmt0V1RGZExNMjh5TVRrd1VUQk1iUzlUYVV0dFRHSlNTalZCZFRSNU1XVjFSa3B0TWtwTk9XVkNPRFJHYTNGaE0ybDJjbGhYVldWV2RIbGxNRU5SWkV0MmMxa3lSbXRoZW5aNGRIaDJkWE5NU25wTVYxbElhelUxZW1OU1FXRmpSRUV5VTJWRmRFSmlVV1pFTVhGelEwRjNSVUZCWVU5RFFWaFpkMmRuUm5sTlFUUkhRVEZWWkVSM1JVSXZkMUZGUVhkSlFtaHFRV1JDWjA1V1NGTlZSVVpxUVZWQ1oyZHlRbWRGUmtKUlkwUkJVVmxKUzNkWlFrSlJWVWhCZDBsM1JXZFpSRlpTTUZSQlVVZ3ZRa0ZuZDBKblJVSXZkMGxDUVVSQlpFSm5UbFpJVVRSRlJtZFJWVXBsU1ZsRWNrcFlhMXBSY1RWa1VtUm9jRU5FTTJ4UGVuVktTWGRJZDFsRVZsSXdha0pDWjNkR2IwRlZOVXM0Y2twdVJXRkxNR2R1YUZNNVUxcHBlblk0U1d0VVkxUTBkMkZCV1VsTGQxbENRbEZWU0VGUlJVVllSRUpoVFVOWlIwTkRjMGRCVVZWR1FucEJRbWhvY0c5a1NGSjNUMms0ZG1JeVRucGpRelYzWVRKcmRWb3lPWFphZVRsdVpFaE9lVTFVUVhkQ1oyZHlRbWRGUmtKUlkzZEJiMWxyWVVoU01HTkViM1pNTTBKeVlWTTFibUl5T1c1TU0wcHNZMGM0ZGxreVZubGtTRTEyV2pOU2VtTnFSWFZhUjFaNVRVUlJSMEV4VldSSWQxRjBUVU56ZDB0aFFXNXZRMWRIU1RKb01HUklRVFpNZVRscVkyMTNkV05IZEhCTWJXUjJZakpqZGxvelVucGpha1YyV2pOU2VtTnFSWFZaTTBwelRVVXdSMEV4VldSSlFWSkhUVVZSZDBOQldVZGFORVZOUVZGSlFrMUVaMGREYVhOSFFWRlJRakZ1YTBOQ1VVMTNTMnBCYjBKblozSkNaMFZHUWxGalEwRlNXV05oU0ZJd1kwaE5Oa3g1T1hkaE1tdDFXakk1ZGxwNU9YbGFXRUoyWXpKc01HSXpTalZNZWtGT1FtZHJjV2hyYVVjNWR6QkNRVkZ6UmtGQlQwTkJaMFZCU1ZaVWIza3lOR3AzV0ZWeU1ISkJVR001TWpSMmRWTldZa3RSZFZsM00yNU1abXhNWmt4b05VRlpWMFZsVm13dlJIVXhPRkZCVjFWTlpHTktObTh2Y1VaYVltaFlhMEpJTUZCT1kzYzVOM1JvWVdZeVFtVnZSRmxaT1VOckwySXJWVWRzZFdoNE1EWjZaRFJGUW1ZM1NEbFFPRFJ1Ym5KM2NGSXJORWRDUkZwTEsxaG9NMGt3ZEhGS2VUSnlaMDl4VGtSbWJISTFTVTFST0ZwVVYwRXplV3gwWVd0NlUwSkxXalpZY0VZd1VIQnhlVU5TZG5BdlRrTkhkakpMV0RKVWRWQkRTblp6WTNBeEwyMHljRlpVZEhsQ2FsbFFVbEVyVVhWRFVVZEJTa3RxZEU0M1VqVkVSbkptVkhGTlYzWlpaMVpzY0VOS1FtdDNiSFUzS3pkTFdUTmpWRWxtZWtVM1kyMUJUSE5yVFV0T1RIVkVlaXRTZWtOamMxbFVjMVpoVlRkV2NETjRURFl3VDFsb2NVWnJkVUZQVDNoRVdqWndTRTlxT1N0UFNtMVpaMUJ0VDFRMFdETXJOMHcxTVdaWVNubFNTRGxMWmt4U1VEWnVWRE14UkRWdWJYTkhRVTluV2pJMkx6aFVPV2h6UWxjeGRXODVhblUxWmxwTVdsaFdWbE0xU0RCSWVVbENUVVZMZVVkTlNWQm9SbGR5YkhRdmFFWlRNamhPTVhwaFMwa3dXa0pIUkRObldXZEVUR0pwUkZRNVprZFljM1J3YXl0R2JXTTBiMnhXYkZkUWVsaGxPREYyWkc5RmJrWmljalZOTWpjeVNHUm5TbGR2SzFkb1ZEbENXVTB3U21rcmQyUldiVzVTWm1aWVoyeHZSVzlzZFZST1kxZDZZelF4WkVad1owcDFPR1pHTTB4SE1HZHNNbWxpVTFscFEyazVZVFpvZGxVd1ZIQndha3A1U1ZkWWFHdEtWR05OU214UWNsZDRNVlo1ZEVWVlIzSllNbXd3U2tSM1VtcFhMelkxTm5Jd1MxWkNNREo0U0ZKTGRtMHlXa3RKTUROVVoyeE1TWEJ0VmtOTE0ydENTMnRMVG5CQ1RtdEdkRGh5YUdGbVkwTkxUMkk1U25ndk9YUndUa1pzVVZSc04wSXpPWEpLYkVwWGExSXhOMUZ1V25GV2NIUkdaVkJHVDFKdldtMUdlazA5SWl3aVRVbEpSbGxxUTBOQ1JYRm5RWGRKUWtGblNWRmtOekJPWWs1ek1pdFNjbkZKVVM5Rk9FWnFWRVJVUVU1Q1oydHhhR3RwUnpsM01FSkJVWE5HUVVSQ1dFMVJjM2REVVZsRVZsRlJSMFYzU2tOU1ZFVmFUVUpqUjBFeFZVVkRhRTFSVWpKNGRsbHRSbk5WTW14dVltbENkV1JwTVhwWlZFVlJUVUUwUjBFeFZVVkRlRTFJVlcwNWRtUkRRa1JSVkVWaVRVSnJSMEV4VlVWQmVFMVRVako0ZGxsdFJuTlZNbXh1WW1sQ1UySXlPVEJKUlU1Q1RVSTBXRVJVU1hkTlJGbDRUMVJCZDAxRVFUQk5iRzlZUkZSSk5FMUVSWGxQUkVGM1RVUkJNRTFzYjNkU2VrVk1UVUZyUjBFeFZVVkNhRTFEVmxaTmVFbHFRV2RDWjA1V1FrRnZWRWRWWkhaaU1tUnpXbE5DVldOdVZucGtRMEpVV2xoS01tRlhUbXhqZVVKTlZFVk5lRVpFUVZOQ1owNVdRa0ZOVkVNd1pGVlZlVUpUWWpJNU1FbEdTWGhOU1VsRFNXcEJUa0puYTNGb2EybEhPWGN3UWtGUlJVWkJRVTlEUVdjNFFVMUpTVU5EWjB0RFFXZEZRWFJvUlVOcGVEZHFiMWhsWWs4NWVTOXNSRFl6YkdGa1FWQkxTRGxuZG13NVRXZGhRMk5tWWpKcVNDODNOazUxT0dGcE5saHNOazlOVXk5cmNqbHlTRFY2YjFGa2MyWnVSbXc1TjNaMVprdHFObUozVTJsV05tNXhiRXR5SzBOTmJuazJVM2h1UjFCaU1UVnNLemhCY0dVMk1tbHRPVTFhWVZKM01VNUZSRkJxVkhKRlZHODRaMWxpUlhaekwwRnRVVE0xTVd0TFUxVnFRalpITURCcU1IVlpUMFJRTUdkdFNIVTRNVWs0UlRORGQyNXhTV2x5ZFRaNk1XdGFNWEVyVUhOQlpYZHVha2g0WjNOSVFUTjVObTFpVjNkYVJISllXV1pwV1dGU1VVMDVjMGh0YTJ4RGFYUkVNemh0TldGblNTOXdZbTlRUjJsVlZTczJSRTl2WjNKR1dsbEtjM1ZDTm1wRE5URXhjSHB5Y0RGYWEybzFXbEJoU3pRNWJEaExSV280UXpoUlRVRk1XRXd6TW1nM1RURmlTM2RaVlVnclJUUkZlazVyZEUxbk5sUlBPRlZ3YlhaTmNsVndjM2xWY1hSRmFqVmpkVWhMV2xCbWJXZG9RMDQyU2pORGFXOXFOazlIWVVzdlIxQTFRV1pzTkM5WWRHTmtMM0F5YUM5eWN6TTNSVTlsV2xaWWRFd3diVGM1V1VJd1pYTlhRM0oxVDBNM1dFWjRXWEJXY1RsUGN6WndSa3hMWTNkYWNFUkpiRlJwY25oYVZWUlJRWE0yY1hwcmJUQTJjRGs0WnpkQ1FXVXJaRVJ4Tm1SemJ6UTVPV2xaU0RaVVMxZ3ZNVmszUkhwcmRtZDBaR2w2YW10WVVHUnpSSFJSUTNZNVZYY3JkM0E1VlRkRVlrZExiMmRRWlUxaE0wMWtLM0IyWlhvM1Z6TTFSV2xGZFdFckszUm5lUzlDUW1wR1JrWjVNMnd6VjBad1R6bExWMmQ2TjNwd2JUZEJaVXRLZERoVU1URmtiR1ZEWm1WWWEydFZRVXRKUVdZMWNXOUpZbUZ3YzFwWGQzQmlhMDVHYUVoaGVESjRTVkJGUkdkbVp6RmhlbFpaT0RCYVkwWjFZM1JNTjFSc1RHNU5VUzh3YkZWVVltbFRkekZ1U0RZNVRVYzJlazh3WWpsbU5rSlJaR2RCYlVRd05ubExOVFp0UkdOWlFscFZRMEYzUlVGQllVOURRVlJuZDJkblJUQk5RVFJIUVRGVlpFUjNSVUl2ZDFGRlFYZEpRbWhxUVZCQ1owNVdTRkpOUWtGbU9FVkNWRUZFUVZGSUwwMUNNRWRCTVZWa1JHZFJWMEpDVkd0eWVYTnRZMUp2Y2xORFpVWk1NVXB0VEU4dmQybFNUbmhRYWtGbVFtZE9Wa2hUVFVWSFJFRlhaMEpTWjJVeVdXRlNVVEpZZVc5c1VVd3pNRVY2VkZOdkx5OTZPVk42UW1kQ1oyZHlRbWRGUmtKUlkwSkJVVkpWVFVaSmQwcFJXVWxMZDFsQ1FsRlZTRTFCUjBkSFYyZ3daRWhCTmt4NU9YWlpNMDUzVEc1Q2NtRlROVzVpTWpsdVRESmtlbU5xUlhkTFVWbEpTM2RaUWtKUlZVaE5RVXRIU0Zkb01HUklRVFpNZVRsM1lUSnJkVm95T1haYWVUbHVZek5KZUV3eVpIcGpha1YxV1ROS01FMUVTVWRCTVZWa1NIZFJjazFEYTNkS05rRnNiME5QUjBsWGFEQmtTRUUyVEhrNWFtTnRkM1ZqUjNSd1RHMWtkbUl5WTNaYU0wNTVUVk01Ym1NelNYaE1iVTU1WWtSQk4wSm5UbFpJVTBGRlRrUkJlVTFCWjBkQ2JXVkNSRUZGUTBGVVFVbENaMXB1WjFGM1FrRm5TWGRFVVZsTVMzZFpRa0pCU0ZkbFVVbEdRWGRKZDBSUldVeExkMWxDUWtGSVYyVlJTVVpCZDAxM1JGRlpTa3R2V2tsb2RtTk9RVkZGVEVKUlFVUm5aMFZDUVVSVGEwaHlSVzl2T1VNd1pHaGxiVTFZYjJnMlpFWlRVSE5xWW1SQ1drSnBUR2M1VGxJemREVlFLMVEwVm5obWNUZDJjV1pOTDJJMVFUTlNhVEZtZVVwdE9XSjJhR1JIWVVwUk0ySXlkRFo1VFVGWlRpOXZiRlZoZW5OaFRDdDVlVVZ1T1Zkd2NrdEJVMDl6YUVsQmNrRnZlVnBzSzNSS1lXOTRNVEU0Wm1WemMyMVliakZvU1ZaM05ERnZaVkZoTVhZeGRtYzBSblkzTkhwUWJEWXZRV2hUY25jNVZUVndRMXBGZERSWGFUUjNVM1I2Tm1SVVdpOURURUZPZURoTVdtZ3hTamRSU2xacU1tWm9UWFJtVkVweU9YYzBlak13V2pJd09XWlBWVEJwVDAxNUszRmtkVUp0Y0haMldYVlNOMmhhVERaRWRYQnplbVp1ZHpCVGEyWjBhSE14T0dSSE9WcExZalU1VldoMmJXRlRSMXBTVm1KT1VYQnpaek5DV214MmFXUXdiRWxMVHpKa01YaHZlbU5zVDNwbmFsaFFXVzkyU2twSmRXeDBlbXROZFRNMGNWRmlPVk42TDNscGJISmlRMmRxT0QwaVhYMC5leUp1YjI1alpTSTZJbFpVV1M5dVJHeE5aVXAxVG1OU1VGZEVNa1EwYms5S2FuRXpVMFprYmt0dWRWUTNVVEJ6ZFVWdFpFazlJaXdpZEdsdFpYTjBZVzF3VFhNaU9qRTNNRGc0TnpreE56YzRNeklzSW1Gd2ExQmhZMnRoWjJWT1lXMWxJam9pWTI5dExtZHZiMmRzWlM1aGJtUnliMmxrTG1kdGN5SXNJbUZ3YTBScFoyVnpkRk5vWVRJMU5pSTZJazlIUzFkemRFRlZZVTV6YldZeGJqSlRZMHh5Y1VzMGQwUm9TbUZpUkhCMlRsaEpPRzU0UlVnd1oyODlJaXdpWTNSelVISnZabWxzWlUxaGRHTm9JanAwY25WbExDSmhjR3REWlhKMGFXWnBZMkYwWlVScFoyVnpkRk5vWVRJMU5pSTZXeUk0VURGelZ6QkZVRXBqYzJ4M04xVjZVbk5wV0V3Mk5IY3JUelV3UldRclVrSkpRM1JoZVRGbk1qUk5QU0pkTENKaVlYTnBZMGx1ZEdWbmNtbDBlU0k2ZEhKMVpTd2laWFpoYkhWaGRHbHZibFI1Y0dVaU9pSkNRVk5KUXl4SVFWSkVWMEZTUlY5Q1FVTkxSVVFpTENKa1pYQnlaV05oZEdsdmJrbHVabTl5YldGMGFXOXVJam9pVkdobElHRndjQ0JwY3lCaGJHeHZkMnhwYzNSbFpDQjBieUIxYzJVZ2RHaGxJRk5oWm1WMGVVNWxkQ0JCZEhSbGMzUmhkR2x2YmlCQlVFa2dkVzUwYVd3Z2RHaGxJR1oxYkd3Z2RIVnlibVJ2ZDI0NklHaDBkSEJ6T2k4dlp5NWpieTl3YkdGNUwzTmhabVYwZVc1bGRDMTBhVzFsYkdsdVpTNGlmUS4wMC04Ty12NVUzZEVMOGRCWUpLLUFwSUF2dG9vQnREWVVaM2kwRUx2OXZmMk9hLXR3T3p4WXU2NXlTbGduTXAzTW8yY01Lbnk3NDdkT3pyLUt0MVp3YW41TTNmSVhKZkVkb2JvLU9GMDhGMkdFbWV6MmNrWDlxYlRmWHFCTnJwZm5SLW1hdDBuc25GMDlUYkVHdHFwNXRUTGdSbHpxU2NycTB0aDgzd1R3RlM0TmRlaHo2V09vUzZLUWI5ZTFJZG5WN19VaUM4Tk41LUpJUkJkaXdTTWR1cDNGWGRjeEM0aGNLbTg5eE1JRUtpVmhkTVQydkFoZVNhOW5ldjRIX0ZKRWM2QVprVUcxQXlHcjVDZTZ5Y3U0d2ZiUUxreG9OZVd6MVlScmlJSHB6M3BZM3o2NHkweDBXc19YN0RrUjltVGxuTlA1LWFZN3JycEl4Z2dzNkh5SEFoYXV0aERhdGFYxWiHBGErQpWVx2AXLIjp0SEMi63M47pz0B7WoB8RcCJCRQAAAAC5P9lh8uZGL7EiggAiR954AEEBFuBmM/gdJl8vG0a9UUBTrEOxLrzLMXtlqRe/5iY3u3oq1OdEZGI+lDEz2kmGQS1GKSXMq2CCYlUKm/o3bii59aUBAgMmIAEhWCCqvrmd+5SeUxZgrmYalsbVXC6xz3/YFO2IZgaf3S3kpSJYIML3XGsgqbfruhFpaoLIAjss7wSeZnP6+Iu8a6Xeh75e"
"clientJSON": {
        "type": "webauthn.create",
        "challenge": "Z29vZ2xlLW9hdXRoMnwxMTYzODgxMjk3OTI1OTk2MTA1ODc",
        "origin": "https://login.authress.io",
        "androidPackageName": "com.android.chrome"
    }

The nonce verses the calculated one is here: qYkhbhAq3oeUy9Umy0cGS8xNY5bVks9EwZPv2B1HS6E= versus: Lz33Fp8WyXCAB9t7Fk2N3J58XA9RfveYbCY1hCcTT2g=

The code contains this comment, we've reviewed the proceedure from https://www.w3.org/TR/webauthn/#android-safetynet-attestation and it looks like it should be correct, but we can't justify why this would be a problem. Any insight would be appreciated here.