From 3cae1f4b6ce22fa1e5a992172d12b1f876c296d7 Mon Sep 17 00:00:00 2001
From: Martin Sirringhaus
Date: Wed, 16 Jul 2025 12:37:00 +0200
Subject: [PATCH] Implement u2f attestation format
---
 .../src/webauthn.rs | 29 ++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/xyz-iinuwa-credential-manager-portal-gtk/src/webauthn.rs b/xyz-iinuwa-credential-manager-portal-gtk/src/webauthn.rs
index a9748392..7a3eff7f 100644
--- a/xyz-iinuwa-credential-manager-portal-gtk/src/webauthn.rs
+++ b/xyz-iinuwa-credential-manager-portal-gtk/src/webauthn.rs
@@ -10,7 +10,7 @@ use libwebauthn::{
 };
 use serde::{Deserialize, Serialize};
 use serde_json::json;
-use tracing::debug;
+use tracing::{debug, error};
 use crate::cose::{CoseKeyAlgorithmIdentifier, CoseKeyType};
@@ -55,6 +55,19 @@ pub(crate) fn create_attestation_object(
 }
 }
 }
+ AttestationStatement::U2F {
+ signature,
+ certificate,
+ } => {
+ cbor_writer.write_text("fido-u2f").unwrap();
+ cbor_writer.write_text("attStmt").unwrap();
+ cbor_writer.write_map_start(2).unwrap();
+ cbor_writer.write_text("x5c").unwrap();
+ cbor_writer.write_array_start(1).unwrap();
+ cbor_writer.write_bytes(certificate).unwrap();
+ cbor_writer.write_text("sig").unwrap();
+ cbor_writer.write_bytes(signature).unwrap();
+ }
 AttestationStatement::None => {
 cbor_writer.write_text("none").unwrap();
 cbor_writer.write_text("attStmt").unwrap();
@@ -318,6 +331,10 @@ impl TryFrom for CoseKeyType {
 #[derive(Debug, PartialEq)]
 pub(crate) enum AttestationStatement {
 None,
+ U2F {
+ signature: Vec,
+ certificate: Vec,
+ },
 Packed {
 algorithm: CoseKeyAlgorithmIdentifier,
 signature: Vec,
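Review bot: In the new `AttestationStatement::U2F` arm of `create_attestation_object`, the `attStmt` map is written with `x5c` before `sig`, which is not CTAP2 canonical CBOR key order; WebAuthn requires the canonical form for CBOR produced by clients, and keys of equal length sort bytewise, so `sig` comes before `x5c`. Most relying parties decode the map regardless of order, but a strict decoder may reject the object, so I would write `cbor_writer.write_text("sig")` and `cbor_writer.write_bytes(signature)` first and the one-element `x5c` array after them. The function body starts and ends outside the hunk, so whether the other arms already follow canonical order cannot be checked from here.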
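Review bot: The new `U2F` variant of `AttestationStatement` carries no doc comment stating that it holds exactly one attestation certificate, although the `TryFrom` conversion enforces that and the encoder relies on it when it writes a one-element `x5c` array. I would add `/// fido-u2f attestation: the attestation signature and the single X.509 attestation certificate (x5c has exactly one entry).` above the variant. The enum definition continues past the end of the hunk.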
@@ -346,6 +363,16 @@ impl TryFrom<&Ctap2AttestationStatement> for AttestationStatement {
 .collect(),
 })
 }
+ Ctap2AttestationStatement::FidoU2F(att_stmt) => {
+ if att_stmt.certificates.len() != 1 {
+ error!("fido-u2f attestation statement has to have one certificate, but we received {}!", att_stmt.certificates.len());
+ return Err(Error::InvalidState);
+ }
+ Ok(Self::U2F {
+ signature: att_stmt.signature.as_ref().to_vec(),
+ certificate: att_stmt.certificates[0].to_vec(),
+ })
+ }
 _ => {
 debug!("Unsupported attestation type: {:?}", value);
 Err(Error::NotSupported)
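Review bot: In the `FidoU2F` arm the length check and the later `att_stmt.certificates[0]` index are separate statements, so an edit to one can leave a panicking index on authenticator-supplied data; binding the element with a slice pattern keeps the check and the access in one place. Assuming `certificates` is a `Vec` (its type is not visible in the hunk), that would be `let [certificate] = att_stmt.certificates.as_slice() else { /* same error! and return Err(Error::InvalidState) */ };` followed by `certificate: certificate.to_vec(),`. The existing rejection of anything other than exactly one certificate matches what the fido-u2f format requires and should stay. The `try_from` body begins before the hunk and continues after it.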