java-webauthn-server

java.lang.ArrayIndexOutOfBoundsException when calling com.yubico.webauthn.RelyingParty.finishRegistration

Open Benny-Susanto opened this issue 9 months ago • 1 comments

Hi, I'm using webauthn-server-core 2.5.0

I got this error when calling com.yubico.webauthn.RelyingParty.finishRegistration:

err:java.lang.ArrayIndexOutOfBoundsException
    at java.lang.System.arraycopy(Native Method)
    at COSE.OneKey.CheckECKey(OneKey.java:397)
    at COSE.OneKey.CheckKeyState(OneKey.java:307)
    at COSE.OneKey.<init>(OneKey.java:59)
    at com.yubico.webauthn.WebAuthnCodecs.importCoseP256PublicKey(WebAuthnCodecs.java:151)
    at com.yubico.webauthn.WebAuthnCodecs.importCosePublicKey(WebAuthnCodecs.java:132)
    at com.yubico.webauthn.FinishRegistrationSteps$Step16.validate(FinishRegistrationSteps.java:337)
    at com.yubico.webauthn.FinishRegistrationSteps$Step.next(FinishRegistrationSteps.java:113)
    at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:121)
    at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:121)
    at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:121)
    at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:121)
    at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:121)
    at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:121)
    at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:121)
    at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:121)
    at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:121)
    at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:121)
    at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:121)
    at com.yubico.webauthn.FinishRegistrationSteps.run(FinishRegistrationSteps.java:100)
    at com.yubico.webauthn.RelyingParty.finishRegistration(RelyingParty.java:505)

I have checked the payload using https://debugger.simplewebauthn.dev/ and it can still be parsed with no problem.

Example: https://debugger.simplewebauthn.dev/?credential=…

Benny-Susanto, Feb 06 '25 15:02
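The trace above ends in an array copy inside the COSE library's EC key check, reached while importing a P-256 COSE public key; the issue does not say what in the payload triggered it. As an added triage aid (not code from the issue or from java-webauthn-server), the JDK-only class below decodes a COSE_Key and reports whether it has the EC2 P-256 shape COSE defines, including 32-byte x and y coordinates. The class name, the constructed sample key and the choice of coordinate length as the thing to inspect are assumptions.

```java
import java.nio.ByteBuffer;
import java.util.*;

public class CoseP256Check {
    // Read one CBOR head: {major type, argument}. Arguments up to 2 bytes suffice for a COSE_Key.
    static long[] head(ByteBuffer b) {
        int ib = b.get() & 0xff, info = ib & 0x1f;
        if (info < 24) return new long[] {ib >> 5, info};
        if (info == 24) return new long[] {ib >> 5, b.get() & 0xff};
        if (info == 25) return new long[] {ib >> 5, b.getShort() & 0xffff};
        throw new IllegalArgumentException("unsupported CBOR argument encoding " + info);
    }
    // Decode a map with integer labels and int or bstr values, which covers an EC2 key.
    static Map<Long, Object> decode(byte[] cose) {
        ByteBuffer b = ByteBuffer.wrap(cose);
        long[] h = head(b);
        if (h[0] != 5) throw new IllegalArgumentException("not a CBOR map");
        Map<Long, Object> m = new HashMap<>();
        for (long i = 0; i < h[1]; i++) {
            long[] k = head(b);
            if (k[0] > 1) throw new IllegalArgumentException("non-integer label");
            long label = k[0] == 0 ? k[1] : -1 - k[1];
            long[] v = head(b);
            if (v[0] == 0) m.put(label, v[1]);
            else if (v[0] == 1) m.put(label, -1 - v[1]);
            else if (v[0] == 2) { byte[] s = new byte[(int) v[1]]; b.get(s); m.put(label, s); }
            else throw new IllegalArgumentException("unsupported value type " + v[0]);
        }
        return m;
    }
    // Returns the problems found; an empty list means the key has the EC2 P-256 shape.
    static List<String> check(byte[] cose) {
        Map<Long, Object> m;
        try { m = decode(cose); }  // truncated input surfaces as BufferUnderflowException
        catch (RuntimeException e) { return List.of("malformed COSE_Key: " + e); }
        List<String> problems = new ArrayList<>();
        if (!Objects.equals(m.get(1L), 2L)) problems.add("kty (label 1) is not EC2 (2)");
        if (!Objects.equals(m.get(-1L), 1L)) problems.add("crv (label -1) is not P-256 (1)");
        for (long label : new long[] {-2, -3}) {  // x and y coordinates
            Object c = m.get(label);
            int len = c instanceof byte[] ? ((byte[]) c).length : -1;
            if (len != 32) problems.add("label " + label + ": "
                + (len < 0 ? "missing or not a bstr" : len + " bytes, expected 32"));
        }
        return problems;
    }
    public static void main(String[] args) {
        // Constructed sample: EC2 / ES256 / P-256 with a 31-byte x and a 32-byte y (all zero bytes).
        ByteBuffer k = ByteBuffer.allocate(76);
        k.put(new byte[] {(byte) 0xA5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 31});
        k.put(new byte[31]).put(new byte[] {0x22, 0x58, 32}).put(new byte[32]);
        System.out.println(check(k.array()));
    }
}
```

Feeding it the credential public key bytes from the attestation's authenticator data shows whether the key is structurally unusual before it reaches `finishRegistration`.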