Update sign extension to spec version 2

Author: emlun

examples/sign.py

@@ -33,10 +33,12 @@
 from fido2 import cbor
 from fido2.server import Fido2Server
 from fido2.utils import sha256, websafe_encode
-from fido2.cose import CoseKey, ES256
+from fido2.cose import CoseKey, ES256, ESP256, EdDSA
 from exampleutils import get_client
 import sys
 
+ESP256_2P = -70009  # Placeholder value
+
 uv = "discouraged"
 
 # Locate a suitable FIDO authenticator
@@ -53,17 +55,34 @@
     authenticator_attachment="cross-platform",
 )
 
+algorithms = [
+    ESP256_2P,
+]
+
 message = b"I am a message"
-ph_data = sha256(message)
+
+has_prehash_alg = any(alg in [ESP256_2P] for alg in algorithms)
+has_raw_alg = any(
+    alg
+    in [
+        EdDSA.ALGORITHM,
+        ES256.ALGORITHM,
+        ESP256.ALGORITHM,
+    ]
+    for alg in algorithms
+)
+
+if has_prehash_alg and has_raw_alg:
+    raise ValueError("Cannot mix algorithms with pre-hashed and raw message")
+
+data = message if has_raw_alg else sha256(message)
 
 # Create a credential
 result = client.make_credential(
     {
         **create_options["publicKey"],
         "extensions": {
-            "sign": {
-                "generateKey": {"algorithms": [ES256.ALGORITHM], "phData": ph_data}
-            }
+            "sign": {"generateKey": {"algorithms": algorithms, "tbs": data}}
         },
     }
 )
@@ -83,18 +102,25 @@
     )
     sys.exit(1)
 print("New credential created, with the sign extension.")
+if sign_key.algorithm not in algorithms:
+    print("Got unexpected algorithm in response:", sign_key.algorithm)
+    sys.exit(1)
 
 pk = CoseKey.parse(cbor.decode(sign_key.public_key))  # COSE key in bytes
-kh = sign_key.key_handle  # key handle in bytes
+kh = pk.get_ref()
+kh[3] = sign_key.algorithm
+if pk[1] == 2:  # EC2
+    kh[-1] = pk[-1]  # crv
+kh_bin = cbor.encode(kh)  # key handle in bytes
 print("public key", pk)
-print("keyHandle", sign_key["keyHandle"])
+print("keyHandle", kh)
 
 print("Test verify signature", sign_result["signature"])
 pk.verify(message, sign_result.signature)
 print("Signature verified!")
 
 message = b"New message"
-ph_data = sha256(message)
+data = message if has_raw_alg else sha256(message)
 
 # Prepare parameters for getAssertion
 request_options, state = server.authenticate_begin(credentials, user_verification=uv)
@@ -106,9 +132,9 @@
         "extensions": {
             "sign": {
                 "sign": {
-                    "phData": ph_data,
+                    "tbs": data,
                     "keyHandleByCredential": {
-                        websafe_encode(credentials[0].credential_id): kh,
+                        websafe_encode(credentials[0].credential_id): kh_bin,
                     },
                 },
             }

examples/sign_arkg.py

@@ -118,7 +118,7 @@
         "extensions": {
             "sign": {
                 "sign": {
-                    "phData": ph_data,
+                    "tbs": ph_data,
                     "keyHandleByCredential": {
                         websafe_encode(credentials[0].credential_id): kh,
                     },

fido2/ctap2/base.py

@@ -124,6 +124,7 @@ class AttestationResponse(_CborDataObject):
     att_stmt: dict[str, Any]
     ep_att: bool | None = None
     large_blob_key: bytes | None = None
+    unsigned_extension_outputs: dict[str, Any] | None = None
 
 
 @dataclass(eq=False, frozen=True)

fido2/ctap2/extensions.py

@@ -543,13 +543,13 @@ def make_credential(self, ctap, options, pin_protocol):
 @dataclass(eq=False, frozen=True)
 class _SignGenerateKeyInputs(_JsonDataObject):
     algorithms: Sequence[int]
-    ph_data: bytes | None = None
+    tbs: bytes | None = None
 
 
 @dataclass(eq=False, frozen=True)
 class _SignSignInputs(_JsonDataObject):
-    ph_data: bytes
     key_handle_by_credential: Mapping[str, bytes]
+    tbs: bytes
 
 
 @dataclass(eq=False, frozen=True)
@@ -561,7 +561,8 @@ class _SignInputs(_JsonDataObject):
 @dataclass(eq=False, frozen=True)
 class _SignGeneratedKey(_JsonDataObject):
     public_key: bytes
-    key_handle: bytes
+    algorithm: int
+    attestation_object: bytes
 
 
 @dataclass(eq=False, frozen=True)
@@ -604,8 +605,8 @@ def prepare_inputs(self, pin_token):
                 )
                 outputs = {3: gk.algorithms, 4: flags}
 
-                if gk.ph_data:
-                    outputs[0] = gk.ph_data
+                if gk.tbs:
+                    outputs[6] = gk.tbs
 
                 return {SignExtension.NAME: outputs}
 
@@ -614,8 +615,11 @@ def prepare_outputs(self, response, pin_token):
                 data = extensions.get(SignExtension.NAME)
                 if not data:
                     return None
+                att_obj_bytes = response.unsigned_extension_outputs[SignExtension.NAME][
+                    7
+                ]
                 att_obj = AttestationResponse.from_dict(
-                    cbor.decode(data[7])  # type: ignore
+                    cbor.decode(att_obj_bytes)  # type: ignore
                 )
                 cred_data = att_obj.auth_data.credential_data
                 assert cred_data is not None  # nosec
@@ -625,7 +629,8 @@ def prepare_outputs(self, response, pin_token):
                     SignExtension.NAME: _SignOutputs(
                         generated_key=_SignGeneratedKey(
                             public_key=cbor.encode(pk),
-                            key_handle=cbor.encode(pk.get_ref()),
+                            algorithm=data.get(3),
+                            attestation_object=att_obj_bytes,
                         ),
                         signature=data.get(6),
                     )
@@ -658,8 +663,8 @@ def prepare_inputs(self, selected, pin_token):
 
                 return {
                     SignExtension.NAME: {
-                        0: sign.ph_data,
-                        5: [kh],
+                        5: kh,
+                        6: sign.tbs,
                     }
                 }