I have integrated the libfido2 library release DLLs in my Windows application, which is developed in C#, for enrolling and authenticating the user via a FIDO device. After enrolling the user, I store the publicKey and CredentialId generated from the FidoCredential class in the database, and then authenticate the user using the same publicKey and CredentialId with the FidoAssertion class's Verify method. So far, everything is working fine.

As this application also has a web integration, on the web I have used WebAuthn for FIDO2 to enroll and authenticate the user. The enrollment and authentication on the web part are also working fine.

But when I try to authenticate the user in the Windows application, which uses the libfido2 library, by using the publicKey and CredentialId generated from WebAuthn, it shows me the error FIDO2 operation failed (InvalidSignature).

The same also happens with the WebAuthn Assertion method: the public key and credentialId generated from the libfido2 library are unable to authenticate using the WebAuthn Assertion method, and it throws the error PeterO.Cbor.CBORException Message: Too many bytes.

So please suggest a workaround for this problem, as I am stuck here: these two apps are dependent on each other and are required to enroll and authenticate the user at both ends using the public key and credentialId generated from either the Windows or the web platform.

FIDO Assertion Initialize at Windows Client (C#)

    Fido2Settings.Flags = FidoFlags.Debug;
    using (var assert = new FidoAssertion())
    {
        // Ask the authenticator for an assertion over the client data.
        using (var dev = new FidoDevice())
        {
            dev.Open(device);
            assert.SetClientData(Cd);
            assert.Rp = rpId;
            assert.SetExtensions(FidoExtensions.None);
            // The stored credential ID is decoded as standard Base64.
            var credId = Convert.FromBase64String(credentialId);
            assert.AllowCredential(credId);
            dev.GetAssert(assert, null);
            dev.Close();
        }
        if (assert.Count != 1)
        {
            throw new Exception($"{assert.Count} signatures required");
        }
        if (!_FidoDeviceSelected)
        {
            Console.WriteLine("AuthData: {0}", Convert.ToBase64String(assert[0].AuthData.ToArray()));
            Console.WriteLine("Signature: {0}", Convert.ToBase64String(assert[0].Signature.ToArray()));
            // Verify the returned signature against the stored public key.
            CompleteAuthentication(rpId, assert[0].AuthData, assert[0].Signature, FidoExtensions.None, publicKey);
            return new ResponseDto(null, false);
        }
        else
        {
            return new ResponseDto(null, true);
        }
    }

FIDO Assertion Complete at Windows Client (C#)

    private void CompleteAuthentication(string rpId, ReadOnlySpan<byte> authData, ReadOnlySpan<byte> signature, FidoExtensions extensions, string publicKey)
    {
        // The stored public key is decoded as standard Base64 and passed to Verify unchanged.
        byte[] keyBytes = Convert.FromBase64String(publicKey);
        using (var assert = new FidoAssertion())
        {
            // Rebuild the assertion from the values returned by the device.
            assert.SetClientData(Cd);
            assert.Rp = rpId;
            assert.Count = 1;
            assert.SetAuthData(authData, 0);
            assert.SetExtensions(extensions);
            assert.SetSignature(signature, 0);
            // Check the signature as ES256 with the stored key.
            assert.Verify(0, FidoCose.ES256, keyBytes);
        }
    }
  • Tough to suggest without seeing some of the code in question. That message from that library indicates the object you are passing in is either not CBOR encoded or it is malformed. – aseigler Nov 15 '22 at 13:16
  • Hi @aseigler, thanks for your suggestion. I have added the code for the assertion function using the libfido2 library. I am able to perform the assertion on my web application using the WebAuthn library, with the public key and credential ID generated from my web application using WebAuthn, but I am unable to assert using the same public key and credential ID in the above-mentioned code. – Aditya Sharma Nov 16 '22 at 13:10
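
The two errors quoted in the question are what a key-encoding mismatch produces, so here is a conversion between the two ES256 public key encodings, as an added example that is not part of the original post or of either library. It assumes the WebAuthn side stores the credential public key as a CTAP2-canonical COSE_Key (77 bytes of CBOR) and the libfido2 side stores the raw 64-byte X||Y point; the class and method names are hypothetical.

```csharp
using System;

// Added example (hypothetical names): convert an ES256 credential public key
// between the COSE_Key CBOR map and the raw X||Y point.
public static class Es256KeyFormat
{
    // CTAP2 canonical COSE_Key: map(5) { 1: 2 (kty EC2), 3: -7 (alg ES256),
    // -1: 1 (crv P-256), -2: bstr(32) X, -3: bstr(32) Y }.
    static readonly byte[] Head = { 0xA5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20 };
    static readonly byte[] Mid = { 0x22, 0x58, 0x20 }; // key -3, bstr of length 32

    // COSE_Key bytes -> raw 64-byte X||Y.
    public static byte[] CoseToRaw(byte[] cose)
    {
        if (cose.Length != 77)
            throw new FormatException("expected a 77-byte ES256 COSE_Key");
        if (!cose.AsSpan(0, 10).SequenceEqual(Head) || !cose.AsSpan(42, 3).SequenceEqual(Mid))
            throw new FormatException("not a canonical EC2 / P-256 / ES256 COSE_Key");
        var raw = new byte[64];
        cose.AsSpan(10, 32).CopyTo(raw);             // X
        cose.AsSpan(45, 32).CopyTo(raw.AsSpan(32));  // Y
        return raw;
    }

    // Raw X||Y (or uncompressed 0x04||X||Y) -> COSE_Key bytes.
    public static byte[] RawToCose(byte[] raw)
    {
        ReadOnlySpan<byte> xy = raw;
        if (raw.Length == 65 && raw[0] == 0x04) xy = xy.Slice(1);
        if (xy.Length != 64)
            throw new FormatException("expected 64-byte X||Y or 65-byte uncompressed point");
        var cose = new byte[77];
        Head.CopyTo(cose, 0);
        xy.Slice(0, 32).CopyTo(cose.AsSpan(10));
        Mid.CopyTo(cose, 42);
        xy.Slice(32, 32).CopyTo(cose.AsSpan(45));
        return cose;
    }

    public static void Main()
    {
        // Constructed sample point (not a real key): X = 0x01.., Y = 0x02..
        var raw = new byte[64];
        raw.AsSpan(0, 32).Fill(0x01);
        raw.AsSpan(32, 32).Fill(0x02);
        byte[] cose = RawToCose(raw);
        Console.WriteLine("COSE ({0} bytes): {1}", cose.Length, Convert.ToBase64String(cose));
        Console.WriteLine("Round trip ok: {0}", CoseToRaw(cose).AsSpan().SequenceEqual(raw));
    }
}
```

Checking the decoded length of each stored key (64 or 65 bytes versus 77) shows which encoding a given database row holds before it is passed to either verifier.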

0 Answers