webauthn::WebAuthn method verify_es256_assertion (protected)

 <instance of webauthn::WebAuthn[i]> verify_es256_assertion \
    [ -cose cose ] [ -sig sig ] [ -signedData signedData ]

Defined in packages/webauthn/tcl/webauthn-procs.tcl

Verify a WebAuthn assertion signature for an ES256 credential. Expects an EC2 / P-256 COSE key and verifies the signature over signedData using ECDSA with SHA-256.

Switches:
-cose (optional)
Parsed COSE_Key dict.
-sig (optional)
Signature returned by the authenticator.
-signedData (optional)
Binary signed data (authenticatorData || hash(clientDataJSON)).

Testcases:
No testcase defined.
Source code:
if {![dict exists $cose 1] || [dict get $cose 1] != 2} {
    throw {validation keytype-unsupported} "unsupported COSE kty (expected 2 EC2)"
}
if {![dict exists $cose 3] || [dict get $cose 3] != -7} {
    throw {validation alg-unsupported} "unsupported COSE alg (expected -7 ES256)"
}
if {![dict exists $cose -1] || [dict get $cose -1] != 1} {
    throw {validation curve-unsupported} "unsupported COSE crv (expected 1 P-256)"
}

if {[string length $sig] == 64} {
    throw {validation signature-format} "unexpected raw 64-byte signature; expected DER"
}

set pubpem [:cose_public_key_pem -cose $cose]

set ok [ns_crypto::md string  -digest sha256  -binary  -encoding binary  -verify $pubpem  -signature $sig  -- $signedData]

if {!$ok} {
    throw {validation signature-invalid} "signature verification failed"
}
XQL Not present:
Generic, PostgreSQL, Oracle
[ hide source ] | [ make this the default ]
Show another procedure: