Fix: Use RFC1951 DEFLATE for large blobs.

examples/large_blobs.py

@@ -93,7 +93,7 @@ user = {"id": b"user_id", "name": "A. User"}
 # Prepare parameters for makeCredential
 create_options, state = server.register_begin(
     user,
-    resident_key=True,
+    resident_key_requirement="required",
     user_verification=uv,
     authenticator_attachment="cross-platform",
 )
@@ -146,4 +146,4 @@ selection = client.get_assertion(options)
 
 # Only one cred in allowCredentials, only one response.
 result = selection.get_response(0)
-print("Read blob: ", result.extension_results.get("blob"))
+print("Read blob:", result.extension_results.get("blob"))

fido2/ctap2/blob.py

@@ -41,6 +41,16 @@ import zlib
 import os
 
 
+def _compress(data):
+    o = zlib.compressobj(wbits=-zlib.MAX_WBITS)
+    return o.compress(data) + o.flush()
+
+
+def _decompress(data):
+    o = zlib.decompressobj(wbits=-zlib.MAX_WBITS)
+    return o.decompress(data) + o.flush()
+
+
 def _lb_ad(orig_size):
     return b"blob" + struct.pack("<Q", orig_size)
 
@@ -50,7 +60,7 @@ def _lb_pack(key, data):
     nonce = os.urandom(12)
     aesgcm = AESGCM(key)
 
-    ciphertext = aesgcm.encrypt(nonce, zlib.compress(data), _lb_ad(orig_size))
+    ciphertext = aesgcm.encrypt(nonce, _compress(data), _lb_ad(orig_size))
 
     return {
         1: ciphertext,
@@ -172,7 +182,7 @@ class LargeBlobs:
         for entry in self.read_blob_array():
             try:
                 compressed, orig_size = _lb_unpack(large_blob_key, entry)
-                decompressed = zlib.decompress(compressed)
+                decompressed = _decompress(compressed)
                 if len(decompressed) == orig_size:
                     return decompressed
             except (ValueError, zlib.error):