What is included in the clientdata

[krabbenprgr]

I am fairly new to Fido and a bit confused about what the ClientData means. In the example "cred" the client data is set in line 61:
r = fido_cred_set_clientdata(cred, cd, sizeof(cd));
while cd is a static array of 32 bytes in the example.

My question is what is contained in the byte array? According to the documentation, the following members are contained there (see. Section 3.1(https://fidoalliance.org/specs/fido-v2.0-ps-20150904/fido-signature-format-v2.0-ps-20150904.html#dictionary-clientdata-members)):

• challenge
• facet
• tokenBinding
• extensions
• hashAlg

I'm a bit confused now, as this information is presumably not stored in a 32byte array? Also, it's not clear to me whether this array in the example is already hashed or not. I would appreciate any clarification.

Furthermore, it is not clear to me where this client data should come from. For example, does the challenge have to be created via a cryptography library or is this already included in the libfido2 library? If the challenge is statically contained in the ClientData array, as in the example, the security of the procedure is undermined.

[LDVG]

My question is what is contained in the byte array?
...
I'm a bit confused now, as this information is presumably not stored in a 32byte array?

For the sake of keeping the example simple, consider its client data array to be an opaque blob of bytes as retrieved from somewhere else. You should never use fully static data as client data in a real client.

This library mostly concerns itself with the communication with the authenticators themselves, i.e. the CTAP part of the FIDO family of specifications. At this level, the client data is opaque (and only the hash of it is sent to the authenticator). As a result, you can technically call fido_cred_set_clientdata() with any set of bytes.

The specification you linked is fairly old and superseded by WebAuthn which defines its clientData slightly differently, but in a nutshell still a combination of data collected by the client (e.g. a browser) and data provided by the Relying Party (e.g. the challenge). You may also want to look at the WebAuthn credential registration procedure and note about cryptographic challenges.

Finally, if you're interested in an example implementation of a basic WebAuthn client using libfido2, you can have a look at https://github.com/martelletto/fido2-webauthn-client.

For example, does the challenge have to be created via a cryptography library or is this already included in the libfido2 library?

libfido2 does not modify the client data in any way (fido_cred_set_clientdata() hashes it, and fido_cred_set_clientdata_hash() accepts pre-hashed client data); any such challenge has to be provided by the client (which in turn may require a Relying Party to provide it).

Does that clear things up slightly?