Small Windows command-line program which signs arbitrary clientData using FIDO/CTAP2.
ctap2-sign data2sign domain credentialid
data2sign holds arbitrary data encoded in Base64Url.
domain holds an issuer domain like test.webpki.org.
credentialid holds the requested credentialId encoded in Base64Url.
The command returns Base64Url encoded values of signature and authenticatorData.
Applied to https://fido-web-pay.github.io/specification/ FIDO/CTAP2 signatures enables CBOR encoded payment authorizations like:
{
1: "1.0",
2: {
1: "Space Shop",
2: "20220817.0001",
3: "435.00",
4: "EUR"
},
3: "test.webpki.org",
4: "FR7630002111110020050014382",
5: "20500211",
6: "https://banknet2.org",
8: {
1: {
3: "Windows",
4: "N/A"
},
2: {
3: "Chrome",
4: "104"
}
},
9: "2022-08-17T11:24:41+02:00",
/ ENVELOPED SIGNATURE CONTAINER /
10: {
/ ALGORITHM (COSE) /
1: -257,
/ PUBLIC KEY (COSE) /
2: {
1: 3,
-1: h'e8e00feae22fdcdaae6de0d71498867e386ca0a6d446e1f24f9169247d92fd3cdd09380471dfbbb98379ba30436c90d6e702a4699ec89e41a1fba0f445b9a01ee1327520bf82c18ac6ec7e811df97d16f281d15e56b676c33faf28eb0b7290947a9d3c895f37b8e9649a1155b3d1ba412b5dd97302f72e758b7092d826f9b07dc03c5417cc912ce60f12e8c268a0e16bebc92b01b558056213676042540b6cdeaba869c0c52eb1e3e9a8a38f19bdcffef12464eb1ac81aac7a6f381075bb507478a0a93e8edff0cdd56903186a33ace1e37c84f30a903b31f5b499cea4798583de2dc511d5bc9fdcb105377f68185af665cca1a957260aee791e55589297f9af',
-2: h'010001'
},
/ FIDO AUTHENTICATOR DATA /
3: h'29a61b658fc4de4d14ce7fbaf1bcd67ec37773fe8b6549118c729a6cdb37b11b0500000005',
/ FIDO SIGNATURE /
4: h'5326ce0e9ebd7d2ab3dad6da8610d98ef208acd0925d7cbcc3b4b84442908478ba134bbe5f5d1c507acc13beabef86d5fad4982c19d4a4524ac6d7e3aae7ecf2eb7fe202557d4dfb4c20a0dc00066a3860f97718fd12d2e3fa2841ee4ba2bf20d02deacdc3d5e656524000b9fd862310e4066b9696500f14e203e6108540bd9ee0ab430efa15d3af2c7af982193978c55dc5d98a320e84e80d1b8f3c263d32ae155a9b8d06f284c9aad42c81f074e9e7074149dfb4d6f06504e2f61fffdbe6bdc14f939b68c3c22f69aca369b2cb2d83625f91ca37f24780fffafb2d32105f0f7a1a2ef8d2737eac537b1b4893a97d28c0d8a496aa01360dc3ca1e52b7408438'
}
}
That is, the WebAuthn clientDataJSON element and associated JSON parsing is eliminated.
Although the solution above uses an enveloped signature scheme that depends on the
deterministic mode of CBOR, nothing prevents you from modifying JOSE
and COSE libraries, to cope with authenticatorData the explicit hashing
of clientData, and the differing ECDSA signature format.