TPM attestation Signature Encoding Error

Skip to first unread message


Nov 24, 2023, 3:02:15 PM11/24/23
Hi Team , we have planned to implement passkey feature through windows ,but verifying the signature over the certinfo in TPM attestation using alg identifier present in the public key label RS256 showing signature encoding error ,but at the same time verifying by using SHA1withRSA,its verified.can you kindly explain ,why we facing this issue ,i just googled and i got the result as encoding structure must be adhered to ASN .1 kindly explain how to handle this issue.

Nasir Hayat Project Managment Services Est

Nov 24, 2023, 3:08:30 PM11/24/23
to FIDO Dev (fido-dev), MANIRATHNAM V

Arshad Noor

Nov 24, 2023, 5:08:55 PM11/24/23
RS256 implies that the algorithm is using an RSA signature with the
SHA256 digest (aka hash); that signature-digest combination is
completely different from using an RSA signature with a SHA1 digest.

If an attestation certificate is showing an SHA256 label, but verifying
correctly with a SHA1 digest, then the attestation certificate is wrong.
It needs to be corrected by either changing the label to specify it is
using SHA1withRSA in the signing algorithm, or it should change the
signature algorithm to correspond to the label.

Arshad Noor
> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to
> <>.
> To view this discussion on the web visit
> <>.


Nov 25, 2023, 1:07:16 AM11/25/23
Any reply on this?

Tammy Walker

Nov 25, 2023, 2:54:45 AM11/25/23
to FIDO Dev (fido-dev), MANIRATHNAM V
Definitely need regulatory rules for fingerprinting.
Check root certificates, perhaps a way to bring uniformity and also a better way to match. 
Outdated or unknown root certificates that all have differentorigins, and different standards, do not help.
ISO standard introductionwould be best guess, and of course, a way to implementacross.

Emil Lundberg

Nov 27, 2023, 4:37:33 AM11/27/23
to Arshad Noor, MANIRATHNAM V,
It could be that the credential public key uses RSA with SHA256, but the attestation key uses RSA with SHA1. This would mean that you would need to use SHA1 to verify the attestation signature, but any subsequent assertion signatures must be verified with SHA256.

Would you mind sharing an attestation object that exhibits the issue?

Emil Lundberg

Senior Software Engineer | Yubico

To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit
Reply all
Reply to author
0 new messages