Determining length of `attestedCredentialData` when authenticator extensions present.
futureimperfect opened this issue · 7 comments
Pardon the confusion, but I'm having trouble figuring out how, as a Relying Party, to reliably determine the length of the `attestedCredentialData` in authenticator data when authenticator extensions are present.
According to the spec, `attestedCredentialData`'s "length depends on the length of the credential ID and credential public key being attested." It also states the following regarding the length of both the `attestedCredentialData` and `extensions`:
"Note that the authenticator data describes its own length: If the AT and ED flags are not set, it is always 37 bytes long. The attested credential data (which is only present if the AT flag is set) describes its own length. If the ED flag is set, then the total length is 37 bytes plus the length of the attested credential data, plus the length of the CBOR map that follows."
The `credentialPublicKey` within `attestedCredentialData` is also of variable length. In the past, before handling extensions, I just took the rest of the `authenticatorData` after `credentialId`, and assumed that was the `credentialPublicKey`. I've noticed a handful of other implementations making this same assumption. However, if the ED flag is set, how does the Relying Party know the length of the `credentialPublicKey`? Is the solution just to figure out where the `credentialPublicKey` CBOR data structure ends? If so, maybe this should be made clear in the spec?
Thanks!
@futureimperfect: where you say "However, if the AT flag is set..." do you mean to say "However, if the ED flag is set..." ?
> Is the solution just to figure out where the credentialPublicKey CBOR data structure ends?

AFAIK, yes.

> If so, maybe this should be made clear in the spec?

ok, [type:Editorial] label added.
> @futureimperfect: where you say "However, if the AT flag is set..." do you mean to say "However, if the ED flag is set..." ?

Yes, that's correct.
ok, thx, i edited the OP to reflect that.
see PR #1023
Hi, I was trying to save the credentialId into the DB as a column, so I need to know the max length of the credentialId. Does anyone have any idea about it?
@FrankZhangPA L3 will introduce a max length of 1023 bytes (see #1664). There wasn't a length limit in L2, so there could in theory exist authenticators that generate longer credential IDs, but it was judged very unlikely.
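A parser that does what the answers above describe, added here as an example (not code from the spec, the PR, or any commenter): it walks the COSE key's CBOR structure to find where `credentialPublicKey` ends instead of assuming the key runs to the end of `authenticatorData`, then takes whatever follows as the extensions map, and it applies the 1023-byte credential ID cap mentioned for L3 as a check before storing the ID. The function names, the `MAX_CRED_ID_LEN` threshold and the sample bytes are assumptions of the example.

```python
AT, ED = 0x40, 0x80        # flag bits: attested credential data present, extensions present
MAX_CRED_ID_LEN = 1023     # credential ID cap introduced in WebAuthn L3 (assumed from the thread)

def cbor_item_len(buf: bytes, pos: int) -> int:
    # Byte length of the single definite-length CBOR item that starts at buf[pos].
    if pos >= len(buf):
        raise ValueError("truncated CBOR")
    major, info, end = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if info >= 28:
        raise ValueError("indefinite-length or reserved CBOR head")
    n = 0 if info < 24 else 1 << (info - 24)          # extra argument bytes after the head
    arg = info if n == 0 else int.from_bytes(buf[end:end + n], "big")
    end += n
    if major in (2, 3):                                # byte/text string: arg = payload length
        end += arg
    elif major in (4, 5, 6):                           # array: arg items, map: 2*arg, tag: 1
        for _ in range({4: arg, 5: 2 * arg, 6: 1}[major]):
            end += cbor_item_len(buf, end)
    if end > len(buf):
        raise ValueError("truncated CBOR")
    return end - pos

def parse_authenticator_data(auth_data: bytes) -> dict:
    # Split authenticator data; each CBOR item delimits itself, so no length is guessed.
    if len(auth_data) < 37:
        raise ValueError("authenticator data is at least 37 bytes")
    flags, pos = auth_data[32], 37
    out = {"rpIdHash": auth_data[:32], "flags": flags,
           "signCount": int.from_bytes(auth_data[33:37], "big")}
    if flags & AT:
        cred_len = int.from_bytes(auth_data[pos + 16:pos + 18], "big")
        if cred_len > MAX_CRED_ID_LEN:
            raise ValueError("credential ID exceeds %d bytes" % MAX_CRED_ID_LEN)
        key_start = pos + 18 + cred_len
        key_len = cbor_item_len(auth_data, key_start)   # the COSE key describes its own end
        out["attestedCredentialData"] = {"aaguid": auth_data[pos:pos + 16],
            "credentialId": auth_data[pos + 18:key_start],
            "credentialPublicKey": auth_data[key_start:key_start + key_len]}
        pos = key_start + key_len
    if flags & ED:                                     # the rest must be exactly one CBOR map
        ext_len = cbor_item_len(auth_data, pos)
        out["extensions"] = auth_data[pos:pos + ext_len]
        pos += ext_len
    if pos != len(auth_data):
        raise ValueError("unexpected trailing bytes in authenticator data")
    return out

# Constructed sample: zero RP ID hash/AAGUID, flags UP|AT|ED, sign count 7, 4-byte credential ID,
# COSE EC2 P-256 key with dummy coordinates (77 bytes), then a {"credProtect": 2} extension map.
COSE_KEY = bytes.fromhex("a5010203262001") + b"\x21\x58\x20" + b"\x11" * 32 + b"\x22\x58\x20" + b"\x22" * 32
EXTENSIONS = b"\xa1\x6bcredProtect\x02"
SAMPLE = (bytes(32) + bytes([0x01 | AT | ED]) + (7).to_bytes(4, "big") + bytes(16)
          + (4).to_bytes(2, "big") + b"\xde\xad\xbe\xef" + COSE_KEY + EXTENSIONS)
```

With the ED flag clear, the same walk still stops at the end of the key, so the parser no longer depends on the "rest of the buffer" assumption in either case.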