Passkeys : algorithm ID is not checked #2

Open
rdubois-crypto opened this issue Aug 15, 2024 · 1 comment
rdubois-crypto commented Aug 15, 2024

When creating a passkey on a laptop and asking for an incorrect algorithm ID, a Samsung S20 phone (at least) ignores the field and creates a passkey anyway:

Example (look at the line marked DUMMY VALUE):

```javascript
var script = document.createElement('script');
script.src = 'https://cdn.jsdelivr.net/npm/[email protected]/cbor.js';
document.head.appendChild(script);

(async () => {
    const publicKeyCredential = {
        publicKey: {
            challenge: new Uint8Array(32),
            rp: { name: "Test RP" },
            user: {
                id: new Uint8Array(32),
                name: "testuser",
                displayName: "Test User",
            },
            pubKeyCredParams: [
                { type: "public-key", alg: -666 }, // DUMMY VALUE SHALL FAIL HERE, -7 expected
            ],
            timeout: 60000,
            attestation: "direct",
        },
    };

    try {
        const credential = await navigator.credentials.create(publicKeyCredential);
        if (credential) {
            console.log("curve supported:", credential !== null);

            // Decode the attestation object
            const attestationObject = new Uint8Array(credential.response.attestationObject);
            const decodedAttestationObject = CBOR.decode(attestationObject.buffer);

            // Extract the authenticator data
            const authData = new Uint8Array(decodedAttestationObject.authData);

            // Extract the public key from the authenticator data
            const publicKey = extractPublicKey(authData);
            console.log("Raw public key value:", publicKey);
        }
    } catch (err) {
        console.error("curve is not supported or failed:", err);
    }

    // Helper function to extract the public key
    function extractPublicKey(authData) {
        // The public key is located after the credentialId in the authData
        const credentialIdLength = (authData[53] << 8) + authData[54];
        const publicKeyStart = 55 + credentialIdLength;
        const publicKey = authData.slice(publicKeyStart);
        return publicKey;
    }
})();
```

@rdubois-crypto

I came across this bug while trying to use -8: I was happy to believe that Ed25519 was finally implemented, then realized that the extracted passkey was too long.
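A relying-party check for the behaviour reported above, as an added example that is not part of the original issue or of the project's code: it reads the COSE `alg` (label 3) from the credential public key in `authData` and rejects the registration when that value is not among the requested `pubKeyCredParams`, which is the comparison the WebAuthn registration procedure asks the relying party to make. The function names, the minimal CBOR reader (small integers and byte strings only) and the constructed sample `authData` are assumptions made for this illustration.

```javascript
// Added example; all function names are hypothetical. Read one CBOR integer or byte string at `pos`.
function readItem(buf, pos) {
  if (pos >= buf.length) throw new Error("truncated CBOR");
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  let value, next;
  if (info < 24) [value, next] = [info, pos + 1];
  else if (info === 24) [value, next] = [buf[pos + 1], pos + 2];
  else if (info === 25) [value, next] = [(buf[pos + 1] << 8) | buf[pos + 2], pos + 3];
  else throw new Error("unsupported CBOR length encoding");
  if (major === 0) return { value, next };                 // unsigned integer
  if (major === 1) return { value: -1 - value, next };     // negative integer
  if (major === 2) return { value: buf.slice(next, next + value), next: next + value }; // byte string
  throw new Error("unexpected CBOR type in COSE key");
}

// Decode a flat COSE_Key map (integer labels; integer or byte-string values).
function decodeCoseKey(buf, pos) {
  if ((buf[pos] >> 5) !== 5 || (buf[pos] & 0x1f) >= 24) throw new Error("COSE key is not a small CBOR map");
  const key = {};
  let next = pos + 1;
  for (let i = 0; i < (buf[pos] & 0x1f); i++) {
    const label = readItem(buf, next);
    const item = readItem(buf, label.next);
    key[label.value] = item.value;
    next = item.next;
  }
  return key;
}

// Return the credential's COSE alg, or throw if it is not one the relying party requested.
function checkCredentialAlg(authData, pubKeyCredParams) {
  if (authData.length < 55 || !(authData[32] & 0x40)) throw new Error("no attested credential data (AT flag clear)");
  const credentialIdLength = (authData[53] << 8) + authData[54];
  const alg = decodeCoseKey(authData, 55 + credentialIdLength)[3]; // COSE label 3 = alg
  const requested = pubKeyCredParams.some((p) => p.type === "public-key" && p.alg === alg);
  if (!requested) throw new Error(`credential alg ${alg} was not requested`);
  return alg;
}

// Constructed sample authData carrying an ES256 (-7) key with zeroed coordinates.
function sampleAuthData() {
  const zeros = (n) => new Array(n).fill(0);
  return Uint8Array.from([
    ...zeros(32), 0x41, ...zeros(4), ...zeros(16), 0x00, 0x04, 1, 2, 3, 4, // rpIdHash, flags UP|AT, counter, AAGUID, id length, id
    0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01,                              // map(5): kty=EC2, alg=-7, crv=P-256
    0x21, 0x58, 0x20, ...zeros(32), 0x22, 0x58, 0x20, ...zeros(32),        // x and y
  ]);
}
```

Run server-side on the decoded `authData`, this turns the silent fallback described in the issue into a rejected registration: a request for -666 or -8 that comes back with an ES256 key throws instead of being stored.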
