Merge pull request #19 from go-webauthn/merge-fixes-from-master

backport: master to v0.1
go-webauthn · Mar 1, 2022 · 03df22a · 03df22a
2 parents 93a942a + 35287ea
commit 03df22a
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/protocol/authenticator.go b/protocol/authenticator.go
@@ -8,9 +8,10 @@ import (
  "github.com/go-webauthn/webauthn/protocol/webauthncbor"
 )
 
-var (
+const (
  minAuthDataLength = 37
  minAttestedAuthLength = 55
+ maxCredentialIDLength = 1023
 )
 
 // Authenticators respond to Relying Party requests by returning an object derived from the
@@ -203,6 +204,10 @@ func (a *AuthenticatorData) unmarshalAttestedData(rawAuthData []byte) (err error
  return ErrBadRequest.WithDetails("Authenticator attestation data length too short")
  }
 
+ if idLength > maxCredentialIDLength {
+ return ErrBadRequest.WithDetails("Authenticator attestation data credential id length too long")
+ }
+
  a.AttData.CredentialID = rawAuthData[55 : 55+idLength]
 
  a.AttData.CredentialPublicKey, err = unmarshalCredentialPublicKey(rawAuthData[55+idLength:])

diff --git a/protocol/credential.go b/protocol/credential.go
@@ -51,8 +51,8 @@ type CredentialCreationResponse struct {
 type ParsedCredentialCreationData struct {
  ParsedPublicKeyCredential
  Response ParsedAttestationResponse
+ Transports []AuthenticatorTransport
  Raw CredentialCreationResponse
- Transports []AuthenticatorTransport `json:"transports,omitempty"`
 }
 
 func ParseCredentialCreationResponse(response *http.Request) (*ParsedCredentialCreationData, error) {