@@ -428,70 +428,69 @@ func (u *DynamoUser) WebAuthnIcon() string {
428428
429429// WebAuthnCredentials returns an array of credentials (passkeys) plus a U2F credential if present
430430func (u * DynamoUser ) WebAuthnCredentials () []webauthn.Credential {
431- creds := u .Credentials
431+ if u .EncryptedKeyHandle == "" || u .EncryptedPublicKey == "" {
432+ // no U2F credential found
433+ return u .Credentials
434+ }
432435
433- if u .EncryptedKeyHandle != "" && u .EncryptedPublicKey != "" {
434- credId , err := u .ApiKey .DecryptLegacy ([]byte (u .EncryptedKeyHandle ))
435- if err != nil {
436- log .Printf ("unable to decrypt credential id: %s" , err )
437- return nil
438- }
436+ credId , err := u .ApiKey .DecryptLegacy ([]byte (u .EncryptedKeyHandle ))
437+ if err != nil {
438+ log .Printf ("unable to decrypt credential id: %s" , err )
439+ return nil
440+ }
439441
440- // decryption process includes extra/invalid \x00 character, so trim it out
441- // at some point early in dev this was needed, but in testing recently it doesn't
442- // make a difference. Leaving commented out for now until we know 100% it's not needed
443- // credId = bytes.Trim(credId, "\x00")
442+ // decryption process includes extra/invalid \x00 character, so trim it out
443+ // at some point early in dev this was needed, but in testing recently it doesn't
444+ // make a difference. Leaving commented out for now until we know 100% it's not needed
445+ // credId = bytes.Trim(credId, "\x00")
444446
445- decodedCredId , err := base64 .RawURLEncoding .DecodeString (string (credId ))
446- if err != nil {
447- log .Println ("error decoding credential id:" , err )
448- return nil
449- }
447+ decodedCredId , err := base64 .RawURLEncoding .DecodeString (string (credId ))
448+ if err != nil {
449+ log .Println ("error decoding credential id:" , err )
450+ return nil
451+ }
450452
451- pubKey , err := u .ApiKey .DecryptLegacy ([]byte (u .EncryptedPublicKey ))
452- if err != nil {
453- log .Printf ("unable to decrypt pubic key: %s" , err )
454- return nil
455- }
456- // Same as credId
457- // pubKey = bytes.Trim(pubKey, "\x00")
453+ pubKey , err := u .ApiKey .DecryptLegacy ([]byte (u .EncryptedPublicKey ))
454+ if err != nil {
455+ log .Printf ("unable to decrypt pubic key: %s" , err )
456+ return nil
457+ }
458+ // Same as credId
459+ // pubKey = bytes.Trim(pubKey, "\x00")
458460
459- decodedPubKey , err := base64 .RawURLEncoding .DecodeString (string (pubKey ))
460- if err != nil {
461- log .Println ("error decoding public key:" , err )
462- return nil
463- }
461+ decodedPubKey , err := base64 .RawURLEncoding .DecodeString (string (pubKey ))
462+ if err != nil {
463+ log .Println ("error decoding public key:" , err )
464+ return nil
465+ }
464466
465- // U2F key is concatenation of 0x4 + Xcoord + Ycoord
466- // documentation / example at https://docs.yubico.com/yesdk/users-manual/application-piv/attestation.html
467- coordLen := (len (decodedPubKey ) - 1 ) / 2
468- xCoord := decodedPubKey [1 : coordLen + 1 ]
469- yCoord := decodedPubKey [1 + coordLen :]
470-
471- ec2PublicKey := webauthncose.EC2PublicKeyData {
472- XCoord : xCoord ,
473- YCoord : yCoord ,
474- PublicKeyData : webauthncose.PublicKeyData {
475- Algorithm : int64 (webauthncose .AlgES256 ),
476- KeyType : int64 (webauthncose .EllipticKey ),
477- },
478- }
467+ // U2F key is concatenation of 0x4 + Xcoord + Ycoord
468+ // documentation / example at https://docs.yubico.com/yesdk/users-manual/application-piv/attestation.html
469+ coordLen := (len (decodedPubKey ) - 1 ) / 2
470+ xCoord := decodedPubKey [1 : coordLen + 1 ]
471+ yCoord := decodedPubKey [1 + coordLen :]
479472
480- // Get the CBOR-encoded representation of the OKPPublicKeyData
481- cborEncodedKey , err := cbor .Marshal (ec2PublicKey )
482- if err != nil {
483- log .Printf ("error marshalling key to cbor: %s" , err )
484- return nil
485- }
473+ ec2PublicKey := webauthncose.EC2PublicKeyData {
474+ XCoord : xCoord ,
475+ YCoord : yCoord ,
476+ PublicKeyData : webauthncose.PublicKeyData {
477+ Algorithm : int64 (webauthncose .AlgES256 ),
478+ KeyType : int64 (webauthncose .EllipticKey ),
479+ },
480+ }
486481
487- creds = append ( creds , webauthn. Credential {
488- ID : decodedCredId ,
489- PublicKey : cborEncodedKey ,
490- AttestationType : string ( protocol . PublicKeyCredentialType ),
491- })
482+ // Get the CBOR-encoded representation of the OKPPublicKeyData
483+ cborEncodedKey , err := cbor . Marshal ( ec2PublicKey )
484+ if err != nil {
485+ log . Printf ( "error marshalling key to cbor: %s" , err )
486+ return nil
492487 }
493488
494- return creds
489+ return append (u .Credentials , webauthn.Credential {
490+ ID : decodedCredId ,
491+ PublicKey : cborEncodedKey ,
492+ AttestationType : string (protocol .PublicKeyCredentialType ),
493+ })
495494}
496495
497496// isNullByteSlice works around a bug in JSON unmarshalling for a URL-encoded Base64 string
0 commit comments