webauthncborpasskey

What options should I pass to node-cbor to decode WebAuthN passkey authenticatorData?


To decode the AuthenticatorAttestationResponse: attestationObject property returned when attestationType: 'direct' is passed to .create(), this works:

const {decodeAllSync} = require("cbor");

// ...

const att1 = decodeAllSync(credential.response?.attestationObject, {required: true, encoding: 'base64url'})[0]

However, when I do the same for the authenticatorData

const data = decodeAllSync(credential.response?.authenticatorData, {required: true, encoding: 'base64url'})[0];

I get this error, whatever platform created the credential:

TypeError The encoded data was not valid for encoding utf-8 ERR_ENCODING_INVALID_ENCODED_DATA

I'm using Node 18, if that matters.

How should I go about decoding '.authenticatorData' ?


Solution

  • Authenticator data isn't CBOR encoded so you basically just need parse it with the knowledge below.

    The required fields are first 32 bytes that are the RPIDHash. The next byte are the flags. First bit of the flags is if there has been a User Presence check, second bit is reserved for future use, third bit is if User Verification has been done. Bits 4 through 6 are reserved, then seventh bit signal if there is attested credential data included and last bit says if there are any extensions included.

    After that the next 4 bytes are for the signature counter. The signature counter should tell how many times the authenticator has been used, but not all passkeys do.

    After this you have optional field of attested credentials if signaled by the flags.

    Attested Credential Data is structured with the first 16 bytes being the AAGUID of the authenticator, followed by 2 bytes indicating the length of the Credential ID and then the next would be the actual Credential ID. Finally you'd have the public key included in COSE format, and this is one of the two possible parts that are CBOR encoded.

    Either after the Attested Credential Data or straight after the signature counter depending on if Attested Credential Data is present you have Extensions. Extensions if present would always be CBOR encoded.