java-webauthn-server
PackedAttestationStatementVerifier throws on unknown COSEAlgorithmIdentifier: -37
Are you sure this is fixed? Huawei nova Y70 (standard Huawei phone browser / no Google services) gives an error; all other devices and browsers work.
Versions: implementation 'com.yubico:webauthn-server-core:2.5.4-RC1' implementation 'com.yubico:webauthn-server-core:2.5.4' not working...
Here is the error:
Caused by: com.yubico.webauthn.exception.RegistrationFailedException: java.lang.IllegalArgumentException: Unsupported COSE algorithm identifier: -37
2025-04-11T10:58:07.788358535Z at com.yubico.webauthn.RelyingParty.finishRegistration(RelyingParty.java:507)
2025-04-11T10:58:07.788519824Z at io.r_one.erid_webauthn.service.CredentialRegistrationService.finishRegistration(CredentialRegistrationService.java:161)
2025-04-11T10:58:07.788807404Z at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)
2025-04-11T10:58:07.788984443Z at java.base/java.lang.reflect.Method.invoke(Unknown Source)
2025-04-11T10:58:07.789109858Z at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:355)
2025-04-11T10:58:07.789277272Z at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:196)
2025-04-11T10:58:07.789395979Z at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
2025-04-11T10:58:07.789506228Z at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:768)
2025-04-11T10:58:07.789607434Z ... 136 common frames omitted
2025-04-11T10:58:07.789792057Z Caused by: java.lang.IllegalArgumentException: Unsupported COSE algorithm identifier: -37
2025-04-11T10:58:07.789964138Z at com.yubico.webauthn.PackedAttestationStatementVerifier.lambda$verifyX5cSignature$2(PackedAttestationStatementVerifier.java:199)
2025-04-11T10:58:07.790071178Z at java.base/java.util.Optional.orElseThrow(Unknown Source)
2025-04-11T10:58:07.790253176Z at com.yubico.webauthn.PackedAttestationStatementVerifier.lambda$verifyX5cSignature$3(PackedAttestationStatementVerifier.java:197)
2025-04-11T10:58:07.790409507Z at java.base/java.util.Optional.map(Unknown Source)
2025-04-11T10:58:07.790550963Z at com.yubico.webauthn.PackedAttestationStatementVerifier.verifyX5cSignature(PackedAttestationStatementVerifier.java:167)
2025-04-11T10:58:07.790764169Z at com.yubico.webauthn.PackedAttestationStatementVerifier.verifyAttestationSignature(PackedAttestationStatementVerifier.java:80)
2025-04-11T10:58:07.791014998Z at com.yubico.webauthn.FinishRegistrationSteps$Step19.lambda$validate$0(FinishRegistrationSteps.java:398)
2025-04-11T10:58:07.791229370Z at java.base/java.util.Optional.ifPresent(Unknown Source)
2025-04-11T10:58:07.791376660Z at com.yubico.webauthn.FinishRegistrationSteps$Step19.validate(FinishRegistrationSteps.java:395)
2025-04-11T10:58:07.791543199Z at com.yubico.webauthn.FinishRegistrationSteps$Step.next(FinishRegistrationSteps.java:112)
2025-04-11T10:58:07.791698947Z at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:120)
2025-04-11T10:58:07.791822612Z at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:120)
2025-04-11T10:58:07.792015985Z at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:120)
2025-04-11T10:58:07.792234440Z at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:120)
2025-04-11T10:58:07.792418479Z at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:120)
2025-04-11T10:58:07.792572185Z at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:120)
2025-04-11T10:58:07.792702267Z at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:120)
2025-04-11T10:58:07.792829432Z at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:120)
2025-04-11T10:58:07.792988680Z at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:120)
2025-04-11T10:58:07.793184677Z at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:120)
2025-04-11T10:58:07.793438423Z at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:120)
2025-04-11T10:58:07.793790169Z at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:120)
2025-04-11T10:58:07.793919958Z at com.yubico.webauthn.FinishRegistrationSteps$Step.run(FinishRegistrationSteps.java:120)
2025-04-11T10:58:07.794117706Z at com.yubico.webauthn.FinishRegistrationSteps.run(FinishRegistrationSteps.java:99)
2025-04-11T10:58:07.794292120Z at com.yubico.webauthn.RelyingParty.finishRegistration(RelyingParty.java:505)
2025-04-11T10:58:07.794480534Z ... 143 common frames omitted
Originally posted by @Lamardinho in #390
Thank you very much! I will wait for the solution to the problem!
@Lamardinho Thanks for reporting! Are you able to share an example pair of attestationObject and clientDataJSON byte arrays (in any encoding) we can add to our test suites for this?
I'll try to send it later, but for now I want to say that the problem is this:
If we use AttestationConveyancePreference.INDIRECT (in the RelyingParty settings), then Huawei for some reason sends the algorithm -37.
If we use AttestationConveyancePreference.NONE, then Huawei works fine, but then we won't see the AAGUID when creating a key in Windows, and I need this to display the system icon where the key was created =)
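An added example in Python (not from this thread and not java-webauthn-server code): it decodes a captured attestationObject far enough to report the three values the thread turns on, namely the attestation format, the COSE algorithm in attStmt, and the AAGUID. The function names are hypothetical and the sample bytes are constructed, with authData cut after the AAGUID; -37 is PS256 (RSASSA-PSS with SHA-256) in the IANA COSE Algorithms registry.

```python
import uuid

# Names from the IANA COSE Algorithms registry; -37 is PS256 (RSASSA-PSS, SHA-256).
COSE_ALGS = {-7: "ES256", -8: "EdDSA", -35: "ES384", -36: "ES512", -37: "PS256",
             -38: "PS384", -39: "PS512", -257: "RS256", -258: "RS384", -259: "RS512"}

def cbor_decode(buf, pos=0):
    """Decode one definite-length CBOR item; returns (value, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        val = info
    elif info <= 27:
        size = 1 << (info - 24)
        val = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("indefinite-length CBOR is not handled here")
    if major in (0, 1):  # unsigned / negative integer
        return (val if major == 0 else -1 - val), pos
    if major in (2, 3):  # byte string / text string
        raw = bytes(buf[pos:pos + val])
        return (raw if major == 2 else raw.decode()), pos + val
    if major == 4:  # array
        items = []
        for _ in range(val):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:  # map
        out = {}
        for _ in range(val):
            key, pos = cbor_decode(buf, pos)
            out[key], pos = cbor_decode(buf, pos)
        return out, pos
    raise ValueError(f"CBOR major type {major} is not handled here")

def describe_attestation(att_obj):
    """Return fmt, attStmt.alg (number and name) and AAGUID of an attestationObject."""
    obj, _ = cbor_decode(att_obj)
    auth, alg = obj["authData"], obj["attStmt"].get("alg")
    has_cred = len(auth) >= 53 and auth[32] & 0x40  # AT flag: credential data present
    return {"fmt": obj["fmt"], "alg": alg, "alg_name": COSE_ALGS.get(alg),
            "aaguid": str(uuid.UUID(bytes=auth[37:53])) if has_cred else None}

# Constructed sample, not from a real device: packed attestation with alg -37.
AUTH_DATA = bytes(32) + b"\x41" + bytes(4) + bytes(range(1, 17))  # cut after AAGUID
SAMPLE = (b"\xa3\x63fmt\x66packed\x67attStmt\xa2\x63alg\x38\x24\x63sig\x44sig!"
          + b"\x68authData" + bytes([0x58, len(AUTH_DATA)]) + AUTH_DATA)
```

`describe_attestation(SAMPLE)` reports `fmt` "packed" with `alg` -37, the combination that reaches `PackedAttestationStatementVerifier` in the trace above; an attestationObject with `fmt` "none" has an empty attStmt, so `alg` comes back as `None`.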