verify method

  1. @override
bool verify(
  1. Uint8List message,
  2. Uint8List signature
)
override

Verifies a serialized passkey signature over message (the challenge the passkey signed, i.e. blake2b(intentMessage)).

Implementation

@override
bool verify(Uint8List message, Uint8List signature) {
  final parsed = parseSerializedPasskeySignature(signature);
  final Map<String, dynamic> clientData = jsonDecode(parsed.clientDataJson);

  if (clientData['type'] != 'webauthn.get') return false;

  // The WebAuthn challenge is base64url — must equal the signed message.
  final challenge = _base64UrlDecode(clientData['challenge'] as String);
  if (!bytesEqual(message, challenge)) return false;

  // userSignature = flag(0x02) || 64-byte sig || 33-byte pubkey.
  final pk = parsed.userSignature.sublist(1 + PASSKEY_SIGNATURE_SIZE);
  if (!bytesEqual(toRawBytes(), pk)) return false;

  final payload = Uint8List.fromList([
    ...parsed.authenticatorData,
    ...sha256(Uint8List.fromList(utf8.encode(parsed.clientDataJson))),
  ]);
  final sig = parsed.userSignature.sublist(1, PASSKEY_SIGNATURE_SIZE + 1);
  return Secp256.fromSecp256r1().verifySignature(
    sha256(payload),
    SignatureData.fromBytes(sig),
    pk,
  );
}