webauthn::WebAuthn method verify_okp_signature_assertion (public)

 <instance of webauthn::WebAuthn> verify_okp_signature_assertion \
    [ -cose cose ] [ -sig sig ] [ -signedData signedData ]

Defined in packages/webauthn/tcl/webauthn-procs.tcl

Verify a WebAuthn assertion signature for an OKP signature key. Expects an OKP COSE key (kty=1, alg=-8) using a signature-capable OKP curve such as Ed25519 or Ed448. X25519 and X448 are valid OKP agreement curves, but cannot verify WebAuthn assertions.

Switches:
-cose (optional)
Parsed COSE_Key dict.
-sig (optional)
Signature returned by the authenticator.
-signedData (optional)
Binary signed data.

Testcases:
No testcase defined.
Source code:
if {![dict exists $cose 1] || [dict get $cose 1] != 1} {
    throw {validation keytype-unsupported}  "unsupported COSE kty (expected 1 OKP)"
}
if {![dict exists $cose 3] || [dict get $cose 3] != -8} {
    throw {validation alg-unsupported}  "unsupported COSE alg (expected -8 EdDSA)"
}
if {![dict exists $cose -1] || ![dict exists $cose -2]} {
    throw {validation key-invalid}  "OKP COSE key missing curve/public key"
}

switch -- [dict get $cose -1] {
    6 - 7 {
        # Ed25519 / Ed448
    }
    4 - 5 {
        throw {validation curve-unsupported}  "OKP curve is for key agreement, not signatures"
    }
    default {
        throw {validation curve-unsupported}  "unsupported OKP curve \"[dict get $cose -1]\""
    }
}

set pubpem [:cose_public_key_pem -cose $cose]

set ok [ns_crypto::signature verify  -binary  -pem $pubpem  -signature $sig  -- $signedData]

if {!$ok} {
    throw {validation signature-invalid}  "signature verification failed"
}
XQL Not present:
Generic, PostgreSQL, Oracle
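
The method passes the validated key to cose_public_key_pem, whose source is not shown on this page. As an added example (not OpenACS code), here is one way to wrap the raw OKP public key from a COSE_Key dict as an RFC 8410 SubjectPublicKeyInfo PEM, with a per-curve length check on x. The proc name okp_cose_to_pem, the okp_spki table and the sample key bytes are assumptions made for this illustration.

```tcl
# Added example, not OpenACS code. Requires Tcl 8.6 (throw, try/trap, binary encode).
# Per-curve DER prefix (AlgorithmIdentifier + BIT STRING header, RFC 8410 OIDs)
# and the raw public key length each signature curve requires.
set okp_spki {
    6 {name Ed25519 len 32 prefix 302a300506032b6570032100}
    7 {name Ed448   len 57 prefix 3043300506032b6571033a00}
}

# Hypothetical helper: validate an OKP COSE_Key dict and return a PEM public key.
proc okp_cose_to_pem {cose} {
    global okp_spki
    if {![dict exists $cose 1] || [dict get $cose 1] != 1} {
        throw {validation keytype-unsupported} "expected kty 1 (OKP)"
    }
    if {![dict exists $cose 3] || [dict get $cose 3] != -8} {
        throw {validation alg-unsupported} "expected alg -8 (EdDSA)"
    }
    if {![dict exists $cose -1] || ![dict exists $cose -2]} {
        throw {validation key-invalid} "missing crv (-1) or x (-2)"
    }
    set crv [dict get $cose -1]
    if {![dict exists $okp_spki $crv]} {
        # Covers X25519/X448 (4, 5) as well as unknown curve ids.
        throw {validation curve-unsupported} "crv $crv is not a signature curve"
    }
    set spec [dict get $okp_spki $crv]
    set x [dict get $cose -2]
    # A wrong-length x would yield a malformed SPKI; reject it before encoding.
    if {[string length $x] != [dict get $spec len]} {
        throw {validation key-invalid} "[dict get $spec name] key must be [dict get $spec len] bytes"
    }
    set der [binary decode hex [dict get $spec prefix]]$x
    set b64 [binary encode base64 -maxlen 64 $der]
    return "-----BEGIN PUBLIC KEY-----\n$b64\n-----END PUBLIC KEY-----\n"
}

# Constructed sample keys: same x bytes, differing only in curve id or length.
set x [binary decode hex d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a]
foreach {label cose} [list  Ed25519 [dict create 1 1 3 -8 -1 6 -2 $x]  X25519 [dict create 1 1 3 -8 -1 4 -2 $x]  short-key [dict create 1 1 3 -8 -1 6 -2 [string range $x 0 30]]] {
    try {
        puts "$label:\n[okp_cose_to_pem $cose]"
    } trap {validation} {msg opts} {
        puts "$label rejected: [dict get $opts -errorcode]: $msg"
    }
}
```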