Inconsistent Serialization/Deserialization Behavior with Empty Extension Data in attestation.rs

Question

Inconsistent Serialization/Deserialization Behavior with Empty Extension Data in attestation.rs

dangfan opened this issue 10 months ago · 1 comments

In the process of deserializing AuthenticatorData within attestation.rs, it is observed that when the flags indicate an extension, and upon parsing the cbor map, it is found to be empty, this empty map is saved. However, during serialization, the presence of an empty map leads to the omission of the extension field, while the flags still indicate the presence of an extension. This inconsistency results in AuthenticatorData read in Firefox being one byte shorter than what is saved in cbor.

According to CTAP 2 specifications, it states: "If the authenticator does not include any extension data, it MUST set the ED flag to zero, and to one if extension data is included." I am uncertain whether an empty map qualifies as legal extension data, but for better compatibility, I suggest that authenticator-rs supports this behavior.

Answer 1 · 2023-11-08T21:03:19.000Z

Thanks for the report!