Signature Verification Failing

[insha]

Hi, I am evaluating using this wonderful library and I ran into a (hopefully) minor roadblock. I didn't want to open an issue, because I am not sure if it is something that I am doing or it an issue with the library.

I am able to register successfully and without issue. However, the issue surfaces when I try to authenticate.

The first part, generating authentication options, generate_authentication_options, is fairly straight forward and works flawlessly.

Then, from the device I am able to send back the data, that is generated on the device, back to the server. However, when the library tries to verify the signature it is failing with the error:

Could not verify authentication signature

I am not doing anything with the data that is generated on the device, other than sending it to the server as base64 encoded values.

Options sent to client (create using generate_authentication_options) as JSON (using options_to_json):

{
  "challenge": "Gt-J5rSJxO-d7u2S2zcETwGjDTKCZajJM-QmdPU9Am4", 
  "timeout": 60000, 
  "rpId": "<My Domain>", 
  "allowCredentials": [
    {
      "id": "VZcDKaqd_NSOlTqlLAOjJYbPVr8", 
      "type": "public-key"
    }
  ], 
  "userVerification": "required"
}

The data that is sent by the client to the server for verification:

credential_id: b'U\x97\x03)\xaa\x9d\xfc\xd4\x8e\x95:\xa5,\x03\xa3%\x86\xcfV\xbf'

authenticator_data: b'\xac\xb0\xdb\x8d\xad\xf57\x9c\x15>\xa8\x86j\x81w\x99S\x04\x90\xbd\xf4s\xfc\x8f\x8b\xacw3\xeb\xda\xabN\x1d\x00\x00\x00\x00'

client_data_json: b'{"type": "webauthn.get", "challenge": "Gt-J5rSJxO-d7u2S2zcETwGjDTKCZajJM-QmdPU9Am4", "origin": "<My Domain>"}'

signature: b'0E\x02!\x00\x94\xd6\xab\xc8\x94\xee\xacPc\xf0\x06\xf1\xf9E\xb3\x0e\x1a\xfa\x8f`\x017\xb1\x11\xed\xa2\xea^\xf6v\xf7X\x02 \x12-\xe8g\x8f\xb3\x05\xab[\x1a5\x17\x9f\x99^Ge\xffb\xd0\x14\xfc8I!\x87\xfd\xf8\xda-&['

The data when passed to verify_authentication_response method yields the error:

Could not verify authentication signature

The following is what I am persisting (in memory) for the user on the server:

{
    'id': b'>\xab\x7f\xd4T\x8a\x0b\xb2\xb8\n\x8e\xcc\x15\x17)\x9e\x174Y21\xad\xc3\xddH\xd54\x18\xa7(\xf1f', 
    'credentials': [
        {
            'credential_id': b'U\x97\x03)\xaa\x9d\xfc\xd4\x8e\x95:\xa5,\x03\xa3%\x86\xcfV\xbf', 
            'public_key': b'\xa5\x01\x02\x03& \x01!X \x13\x1e\x84\x97\xbeDd4*\x99\xb3^v\xea\xe5\xd5\xd2%\'\x9f\x89!.n2#\xd5y\xde\x11L\xea"X \xa7Z\n\xc2#iJ\xb1F\x96l\x83\x97\xfcBlh@\xa6K}L\x88\xffTfh\xae\x9f\x18\xca\xb5', 
            'sign_count': 0
        }
    ]
}

Any help will be greatly appreciated and thank you in advance.

[MasterKale]

Hello @insha, can you provide an example of how you're calling verify_authentication_response(), including how you're passing in e.g. that one credential dict in the "credentials" list above?

[insha]

Thank you for responding to my post so quickly. I really appreciate you for doing this.

The "credentials" list from my original post is from a dict called user_database that is populated using the register flow. This is the code snippet that populates the user_database:

try:
        verification = verify_registration_response(
            credential=registration_response,
            expected_challenge=session['current_challenge'],
            expected_origin=f'https://{RELAY_PARTY_ID}',
            expected_rp_id=RELAY_PARTY_ID
        )

        if verification.user_verified:
            user['credentials'].append({
                'credential_id': verification.credential_id,
                'public_key': verification.credential_public_key,
                'sign_count': verification.sign_count
            })
            return jsonify({'status': 'ok'})
        else:
            return jsonify({'status': 'failed', 'reason': verification.reason}), 400
    except Exception as e:
        return jsonify({'status': 'failed', 'reason': str(e)}), 400

This is the "view" method that receives the data from the client, all encoded (URL safe) as base64:

# In-memory user database, populated from the registration flow
user_database = {}

@app.route('/auth/complete', methods=['POST'])
def auth_complete():
    data = request.json
    user = user_database.get(data['username'])
    
    if not user:
        return jsonify({'status': 'failed', 'reason': 'User not found'}), 404
    
    credential_id = base64url_to_bytes(data["id"])
    authenticator_data = base64url_to_bytes(data["authenticatorData"])
    client_data_json = base64url_to_bytes(data["clientDataJSON"])
    signature = base64url_to_bytes(data["signature"])
    
    stored_credential = next((cred for cred in user['credentials'] if cred['credential_id'] == credential_id), None)

    if not stored_credential:
        return jsonify({'status': 'failed', 'reason': 'Credential not found'}), 404
    
    try:
        assertion_response = AuthenticatorAssertionResponse(
            authenticator_data=authenticator_data,
            client_data_json=client_data_json,
            signature=signature
        )
        
        credential = AuthenticationCredential(
            id=data['id'],
            raw_id=base64url_to_bytes(data['rawId']),
            response=assertion_response,
            type='public-key'
        )
        
        verification = verify_authentication_response(
            credential=credential,
            expected_challenge=session['current_challenge'],
            expected_origin=f'https://{RELAY_PARTY_ID}',
            expected_rp_id=RELAY_PARTY_ID,
            credential_public_key=stored_credential['public_key'],
            credential_current_sign_count=stored_credential['sign_count']
        )

        if verification.verified:
            stored_credential['sign_count'] = verification.new_sign_count
            return jsonify({'status': 'ok'})
        else:
            return jsonify({'status': 'failed', 'reason': verification.reason}), 400
    except Exception as e:
        return jsonify({'status': 'failed', 'reason': str(e)}), 400

I hope this helps, otherwise, please let me know.