Fix DER signature decoding when r or s < 32 bytes; pad and slice

`webauthn.decode_asn1_der_signature()` could return NULL when either
INTEGER in the ASN.1 DER (r or s) was shorter than 32 bytes. The old
logic sliced the last 32 bytes using a negative start when `len1/len2`
< 32, yielding no rows. We now left-pad each INTEGER with zero bytes and
then take a 32-byte tail:

* `decode(repeat('00',32),'hex') || integer*_zeropadded`
* `substring(... from len*+1 for 32)`

This preserves the query structure and fixes short-length cases while
remaining immutable and constant-time friendly.

Other minor changes:

* Use `CROSS JOIN LATERAL` in place of `JOIN LATERAL ... ON TRUE`.
* Convert to SQL-body function with `BEGIN ATOMIC ... END`.

Bump extension to 1.5 and add upgrade script.

Files:

* `FUNCTIONS/decode_asn1_der_signature.sql` — apply fix and SQL-body
  form.
* `1.4--1.5.sql`, `webauthn--1.4--1.5.sql` — upgrade script.
* `webauthn--1.5.sql` — regenerated extension script.
* `webauthn.control` — `default_version` → 1.5.
* `Makefile` — update DATA/targets and clean rules.

Author: joelonsql

1.4--1.5.sql

@@ -0,0 +1,17 @@
+CREATE OR REPLACE FUNCTION webauthn.decode_asn1_der_signature(asn1der bytea)
+RETURNS bytea
+IMMUTABLE
+BEGIN ATOMIC
+SELECT integer1||integer2
+FROM get_byte(asn1der,3) AS Q1(len1)
+CROSS JOIN LATERAL get_byte(asn1der,5+len1) AS Q2(len2)
+CROSS JOIN LATERAL substring(asn1der from 5 for len1) AS Q3(integer1_zeropadded)
+CROSS JOIN LATERAL substring(decode(repeat('00',32),'hex')||integer1_zeropadded from len1+1 for 32) AS Q4(integer1)
+CROSS JOIN LATERAL substring(asn1der from 5+len1+2 for len2) AS Q5(integer2_zeropadded)
+CROSS JOIN LATERAL substring(decode(repeat('00',32),'hex')||integer2_zeropadded from len2+1 for 32) AS Q6(integer2)
+WHERE get_byte(asn1der,0) = 48 /* 0x30 SEQUENCE */
+AND get_byte(asn1der,1) = length(asn1der)-2
+AND get_byte(asn1der,2) = 2 /* 0x02 INTEGER */
+AND get_byte(asn1der,5+len1-1) = 2 /* 0x02 INTEGER */
+AND length(integer1||integer2) = 64;
+END;

FUNCTIONS/decode_asn1_der_signature.sql

@@ -1,18 +1,17 @@
 CREATE OR REPLACE FUNCTION webauthn.decode_asn1_der_signature(asn1der bytea)
 RETURNS bytea
 IMMUTABLE
-LANGUAGE sql
-AS $$
+BEGIN ATOMIC
 SELECT integer1||integer2
 FROM get_byte(asn1der,3) AS Q1(len1)
-JOIN LATERAL get_byte(asn1der,5+len1) AS Q2(len2) ON TRUE
-JOIN LATERAL substring(asn1der from 5 for len1) AS Q3(integer1_zeropadded) ON TRUE
-JOIN LATERAL substring(integer1_zeropadded from length(integer1_zeropadded)-31 for 32) AS Q4(integer1) ON TRUE
-JOIN LATERAL substring(asn1der from 5+len1+2 for len2) AS Q5(integer2_zeropadded) ON TRUE
-JOIN LATERAL substring(integer2_zeropadded from length(integer2_zeropadded)-31 for 32) AS Q6(integer2) ON TRUE
+CROSS JOIN LATERAL get_byte(asn1der,5+len1) AS Q2(len2)
+CROSS JOIN LATERAL substring(asn1der from 5 for len1) AS Q3(integer1_zeropadded)
+CROSS JOIN LATERAL substring(decode(repeat('00',32),'hex')||integer1_zeropadded from len1+1 for 32) AS Q4(integer1)
+CROSS JOIN LATERAL substring(asn1der from 5+len1+2 for len2) AS Q5(integer2_zeropadded)
+CROSS JOIN LATERAL substring(decode(repeat('00',32),'hex')||integer2_zeropadded from len2+1 for 32) AS Q6(integer2)
 WHERE get_byte(asn1der,0) = 48 /* 0x30 SEQUENCE */
 AND get_byte(asn1der,1) = length(asn1der)-2
 AND get_byte(asn1der,2) = 2 /* 0x02 INTEGER */
 AND get_byte(asn1der,5+len1-1) = 2 /* 0x02 INTEGER */
-AND length(integer1||integer2) = 64
-$$;
+AND length(integer1||integer2) = 64;
+END;

Makefile

@@ -8,7 +8,9 @@ DATA = \
 	webauthn--1.2--1.3.sql \
 	webauthn--1.3.sql \
 	webauthn--1.3--1.4.sql \
-	webauthn--1.4.sql
+	webauthn--1.4.sql \
+	webauthn--1.4--1.5.sql \
+	webauthn--1.5.sql
 
 REGRESS = ok \
 	ok_user_handle \
@@ -24,49 +26,49 @@ REGRESS = ok \
 	error_replay_attack \
 	error_hijack_attack
 
-EXTRA_CLEAN = webauthn--1.4.sql webauthn--1.3--1.4.sql
+EXTRA_CLEAN = webauthn--1.5.sql webauthn--1.4--1.5.sql
 
 PG_CONFIG = pg_config
 PGXS := $(shell $(PG_CONFIG) --pgxs)
 include $(PGXS)
 
-all: webauthn--1.4.sql webauthn--1.3--1.4.sql
+all: webauthn--1.5.sql webauthn--1.4--1.5.sql
 
 SQL_SRC = \
-  complain_header.sql \
+	complain_header.sql \
 	FUNCTIONS/raise_error.sql \
 	ENUMS/credential_type.sql \
 	ENUMS/user_verification_requirement.sql \
 	ENUMS/attestation_conveyance_preference.sql \
-  FUNCTIONS/base64url_decode.sql \
-  FUNCTIONS/base64url_encode.sql \
-  FUNCTIONS/cose_ecdha_to_pkcs.sql \
-  FUNCTIONS/decode_asn1_der_signature.sql \
-  FUNCTIONS/from_utf8.sql \
-  FUNCTIONS/parse_authenticator_data.sql \
-  FUNCTIONS/parse_attestation_object.sql \
-  TABLES/credential_challenges.sql \
+	FUNCTIONS/base64url_decode.sql \
+	FUNCTIONS/base64url_encode.sql \
+	FUNCTIONS/cose_ecdha_to_pkcs.sql \
+	FUNCTIONS/decode_asn1_der_signature.sql \
+	FUNCTIONS/from_utf8.sql \
+	FUNCTIONS/parse_authenticator_data.sql \
+	FUNCTIONS/parse_attestation_object.sql \
+	TABLES/credential_challenges.sql \
 	FUNCTIONS/credential_challenge_user_verification.sql \
 	FUNCTIONS/credential_challenge_expiration.sql \
-  TABLES/credentials.sql \
-  TABLES/assertion_challenges.sql \
+	TABLES/credentials.sql \
+	TABLES/assertion_challenges.sql \
 	FUNCTIONS/assertion_challenge_user_verification.sql \
 	FUNCTIONS/assertion_challenge_expiration.sql \
 	FUNCTIONS/credential_public_key.sql \
-  TABLES/assertions.sql \
+	TABLES/assertions.sql \
 	FUNCTIONS/get_credential_creation_options.sql \
-  FUNCTIONS/init_credential.sql \
-  FUNCTIONS/store_credential.sql \
-  FUNCTIONS/get_credentials.sql \
-  FUNCTIONS/verify_assertion.sql \
+	FUNCTIONS/init_credential.sql \
+	FUNCTIONS/store_credential.sql \
+	FUNCTIONS/get_credentials.sql \
+	FUNCTIONS/verify_assertion.sql \
 	FUNCTIONS/generate_test.sql
 
-webauthn--1.4.sql: $(SQL_SRC)
+webauthn--1.5.sql: $(SQL_SRC)
 	cat $^ > $@
 
 SQL_SRC = \
   complain_header.sql \
-  1.3--1.4.sql
+  1.4--1.5.sql
 
-webauthn--1.3--1.4.sql: $(SQL_SRC)
+webauthn--1.4--1.5.sql: $(SQL_SRC)
 	cat $^ > $@

webauthn--1.4--1.5.sql

@@ -0,0 +1,19 @@
+-- complain if script is sourced in psql, rather than via CREATE EXTENSION
+\echo Use "CREATE EXTENSION webauthn" to load this file. \quit
+CREATE OR REPLACE FUNCTION webauthn.decode_asn1_der_signature(asn1der bytea)
+RETURNS bytea
+IMMUTABLE
+BEGIN ATOMIC
+SELECT integer1||integer2
+FROM get_byte(asn1der,3) AS Q1(len1)
+CROSS JOIN LATERAL get_byte(asn1der,5+len1) AS Q2(len2)
+CROSS JOIN LATERAL substring(asn1der from 5 for len1) AS Q3(integer1_zeropadded)
+CROSS JOIN LATERAL substring(decode(repeat('00',32),'hex')||integer1_zeropadded from len1+1 for 32) AS Q4(integer1)
+CROSS JOIN LATERAL substring(asn1der from 5+len1+2 for len2) AS Q5(integer2_zeropadded)
+CROSS JOIN LATERAL substring(decode(repeat('00',32),'hex')||integer2_zeropadded from len2+1 for 32) AS Q6(integer2)
+WHERE get_byte(asn1der,0) = 48 /* 0x30 SEQUENCE */
+AND get_byte(asn1der,1) = length(asn1der)-2
+AND get_byte(asn1der,2) = 2 /* 0x02 INTEGER */
+AND get_byte(asn1der,5+len1-1) = 2 /* 0x02 INTEGER */
+AND length(integer1||integer2) = 64;
+END;