Improve Ed448 logic in WebAuthnCodecs

fdennis · fdennis · commit ae4cd6676ebc · 2025-09-22T15:01:27.000+02:00
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/WebAuthnCodecs.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/WebAuthnCodecs.java
@@ -74,6 +74,21 @@ final class WebAuthnCodecs {
             112
           });
 
+  private static final ByteArray ED448_ALG_ID =
+      new ByteArray(
+          new byte[] {
+              // SEQUENCE (5 bytes)
+              0x30,
+              5,
+              // OID (3 bytes)
+              0x06,
+              3,
+              // OID 1.3.101.113
+              0x2B,
+              101,
+              113
+          });
+
   static ByteArray ecPublicKeyToRaw(ECPublicKey key) {
 
     final int fieldSizeBytes =
@@ -218,6 +233,8 @@ private static PublicKey importCoseEdDsaPublicKey(CBORObject cose)
     switch (curveId) {
       case 6:
         return importCoseEd25519PublicKey(cose);
+      case 7:
+        return importCoseEd448PublicKey(cose);
       default:
         throw new IllegalArgumentException("Unsupported EdDSA curve: " + curveId);
     }
@@ -234,6 +251,17 @@ private static PublicKey importCoseEd25519PublicKey(CBORObject cose)
     return kFact.generatePublic(new X509EncodedKeySpec(x509Key));
   }
 
+  private static PublicKey importCoseEd448PublicKey(CBORObject cose)
+      throws InvalidKeySpecException, NoSuchAlgorithmException {
+    final byte[] rawKey = cose.get(CBORObject.FromObject(-2)).GetByteString();
+    final byte[] x509Key =
+        BinaryUtil.encodeDerSequence(
+            ED448_ALG_ID.getBytes(), BinaryUtil.encodeDerBitStringWithZeroUnused(rawKey));
+
+    KeyFactory kFact = KeyFactory.getInstance("EdDSA");
+    return kFact.generatePublic(new X509EncodedKeySpec(x509Key));
+  }
+
   static String getJavaAlgorithmName(COSEAlgorithmIdentifier alg) {
     switch (alg) {
       case EdDSA:
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/data/PublicKeyCredentialCreationOptions.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/data/PublicKeyCredentialCreationOptions.java
@@ -521,6 +521,7 @@ private static List<PublicKeyCredentialParameters> filterAvailableAlgorithms(
                 param -> {
                   try {
                     switch (param.getAlg()) {
+                      case Ed448:
                       case EdDSA:
                         KeyFactory.getInstance("EdDSA");
                         break;
