In WebAuthn, the authenticator data contains the variable length attested credential data followed by the extensions, if any.
The attested credential data is made variable because of the credential public key field which is a CBOR map.
In case there are extensions, how can I know in advance the byte length of this field, so that I can pass this field truncated without the extensions to a CBOR library?
The CBOR library I am using doesn't seem to handle extra bytes, and I don't know CBOR well enough to know if there's a trick to compute the byte length of a map from its first bytes (or any other trick).
From what I understand there is no way to know in advance without using a CBOR decoder (or COSE Key parser) supporting "extra bytes" first, to determine where the "credential public key data" ends and where "extension data" starts.
There is an extra note discussing exactly this in the WebAuthn Level 2 Draft.
Determining attested credential data's length, which is variable, involves determining credentialPublicKey’s beginning location given the preceding credentialId’s length, and then determining the credentialPublicKey’s length (see also Section 7 of [RFC8152]).
FWIW, discussed in WebAuthn spec's GitHub issue also https://github.com/w3c/webauthn/issues/1012