mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-07-12 17:34:16 -04:00
this is a bit complex, but essentially we're using the test variables defined in the duolabs py_webauthn library [1]. We're already using their test variables in tests/app/models/test_webauthn_credential.py and in the webauthn_credential fixture in conftest.py. By using sample signature, authenticatordata and clientdatajson from the same key we can test that the library correctly verifies the signed challenge matches the original. We needed to transform some of this data as the yubico/fido2 library we use has a slightly different way of formatting the fields for the request body, which is why we're doing things like base64 decoding and converting from hex to bytes in the post data. The pytest fixture has changed - before it was incomplete/corrupted and would error when trying to verify the signature. We took the credential_data from the pytest fixture, converted it to an AttestedCredentialData using WebauthnCredential.to_credential_data, modified the public_key private dictionary to add `public_key[-1]: 1`, and then called `AttestedCredentialData.create` to re-CBOR-encode the blob. The `-1: 1` is the numeric ID of the "SECP256R1" elliptic curve algorithm. The py_webauthn library forces this particular algorithm, which differs from the sample creds we took from the fido2 lib tests, which is why we've had to update our data. [1] https://github.com/duo-labs/py_webauthn/blob/master/tests/test_webauthn.py#L13-L32