@bradford-tech/supabase-integrity-attest 0.2.1 → 0.2.3

package/esm/src/certificate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"certificate.d.ts","sourceRoot":"","sources":["../../src/src/certificate.ts"],"names":[],"mappings":"AAsBA;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,UAAU,EAAE,EACjB,SAAS,CAAC,EAAE,IAAI,GACf,OAAO,CAAC,IAAI,CAAC,CA2Bf;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,UAAU,GAAG,UAAU,CAqCpE;AAED;;;;;GAKG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,UAAU,CAAC,CAkBrB"}
+{"version":3,"file":"certificate.d.ts","sourceRoot":"","sources":["../../src/src/certificate.ts"],"names":[],"mappings":"AA+UA;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,UAAU,EAAE,EACjB,SAAS,CAAC,EAAE,IAAI,GACf,OAAO,CAAC,IAAI,CAAC,CAkEf;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,UAAU,GAAG,UAAU,CA6BpE;AAED;;;;;GAKG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,UAAU,CAAC,CAqBrB"}

package/esm/src/certificate.js

@@ -1,19 +1,222 @@
 // src/certificate.ts
-import * as pkijs from "pkijs";
 import * as asn1js from "asn1js";
+import { p384 } from "@noble/curves/nist.js";
+import { decodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.10/base64.js";
 import { APPLE_APP_ATTESTATION_ROOT_CA_PEM, APPLE_NONCE_EXTENSION_OID, } from "./constants.js";
+import { derToRaw } from "./der.js";
 import { AttestationError, AttestationErrorCode } from "./errors.js";
+import { constantTimeEqual } from "./utils.js";
+// ── OID mappings ────────────────────────────────────────────────────
+/** Signature algorithm OID → hash algorithm name */
+const SIG_ALG_HASH = {
+    "1.2.840.10045.4.3.2": "SHA-256",
+    "1.2.840.10045.4.3.3": "SHA-384",
+};
+/** Curve OID → WebCrypto namedCurve */
+const CURVE_OID_NAME = {
+    "1.2.840.10045.3.1.7": "P-256",
+    "1.3.132.0.34": "P-384",
+};
+/** Curve name → ECDSA r||s component size in bytes */
+const CURVE_COMPONENT_SIZE = {
+    "P-256": 32,
+    "P-384": 48,
+};
+// ── Helpers ─────────────────────────────────────────────────────────
 /**
- * Parse the Apple App Attestation Root CA from PEM into a pkijs Certificate.
+ * Safely create an ArrayBuffer from a Uint8Array, handling subarrays.
+ * If `der` is a subarray, `der.buffer` includes the full underlying buffer,
+ * so we must slice to get only the relevant portion.
  */
-function parseRootCa() {
+function safeBuffer(der) {
+    return der.buffer.slice(der.byteOffset, der.byteOffset + der.byteLength);
+}
+/**
+ * Slice bytes from a valueBeforeDecodeView, producing an independent copy.
+ */
+function sliceFromView(view) {
+    return new Uint8Array(view.buffer.slice(view.byteOffset, view.byteOffset + view.byteLength));
+}
+/**
+ * Parse a date from an ASN.1 time element (UTCTime or GeneralizedTime).
+ */
+function parseAsn1Date(element) {
+    if (element instanceof asn1js.UTCTime) {
+        return element.toDate();
+    }
+    if (element instanceof asn1js.GeneralizedTime) {
+        return element.toDate();
+    }
+    throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "Unexpected ASN.1 time type in certificate validity");
+}
+// ── parseCertificate ────────────────────────────────────────────────
+/**
+ * Parse an X.509 DER-encoded certificate into structured fields.
+ * All byte slices come from the original input buffer.
+ */
+function parseCertificate(der) {
+    const buf = safeBuffer(der);
+    const asn1 = asn1js.fromBER(buf);
+    if (asn1.offset === -1) {
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "Failed to parse certificate DER");
+    }
+    const certSeq = asn1.result;
+    const certChildren = certSeq.valueBlock.value;
+    // certChildren: [tbsCertificate, signatureAlgorithm, signatureValue]
+    const tbsElement = certChildren[0];
+    const sigAlgElement = certChildren[1];
+    const sigValueElement = certChildren[2];
+    // TBS bytes — slice from the element's full encoding (tag + length + value)
+    const tbsView = tbsElement
+        .valueBeforeDecodeView;
+    const tbsCertificateDer = sliceFromView(tbsView);
+    // Signature algorithm OID
+    const sigAlgOid = sigAlgElement.valueBlock.value[0].valueBlock
+        .toString();
+    // Signature value — unused-bits byte already stripped by asn1js
+    const signatureValue = new Uint8Array(sigValueElement.valueBlock.valueHexView);
+    // TBS children — check for v3 version tag
+    const tbsChildren = tbsElement.valueBlock.value;
+    let offset = 0;
+    // First child is explicit [0] version tag for v3 certs
+    const firstChild = tbsChildren[0];
+    if (firstChild.idBlock.tagClass === 3 && // CONTEXT-SPECIFIC
+        firstChild.idBlock.tagNumber === 0) {
+        offset = 1; // Version tag present, shift all indices
+    }
+    // TBS layout (with offset): serial, sigAlg, issuer, validity, subject, SPKI, [extensions]
+    // [offset+0]=serial, [offset+1]=sigAlg, [offset+2]=issuer, [offset+3]=validity,
+    // [offset+4]=subject, [offset+5]=SPKI
+    const issuerElement = tbsChildren[offset + 2];
+    const issuerView = issuerElement
+        .valueBeforeDecodeView;
+    const issuer = sliceFromView(issuerView);
+    const validityElement = tbsChildren[offset + 3];
+    const validityChildren = validityElement.valueBlock.value;
+    const validityNotBefore = parseAsn1Date(validityChildren[0]);
+    const validityNotAfter = parseAsn1Date(validityChildren[1]);
+    const subjectElement = tbsChildren[offset + 4];
+    const subjectView = subjectElement
+        .valueBeforeDecodeView;
+    const subject = sliceFromView(subjectView);
+    const spkiElement = tbsChildren[offset + 5];
+    const spkiView = spkiElement
+        .valueBeforeDecodeView;
+    const subjectPublicKeyInfoDer = sliceFromView(spkiView);
+    // Extract curve OID from SPKI's AlgorithmIdentifier
+    const spkiSeq = spkiElement;
+    const spkiAlgId = spkiSeq.valueBlock.value[0];
+    const curveOidElement = spkiAlgId.valueBlock
+        .value[1];
+    const publicKeyCurveOid = curveOidElement.valueBlock.toString();
+    // Extensions — found in explicit [3] tag within TBS
+    const extensions = [];
+    for (let i = offset + 6; i < tbsChildren.length; i++) {
+        const child = tbsChildren[i];
+        if (child.idBlock.tagClass === 3 && // CONTEXT-SPECIFIC
+            child.idBlock.tagNumber === 3) {
+            // This is the extensions wrapper: explicit [3] containing a SEQUENCE of extensions
+            const extWrapper = child;
+            const extSeqOfSeq = extWrapper.valueBlock.value[0];
+            for (const extSeq of extSeqOfSeq.valueBlock.value) {
+                const extChildren = extSeq.valueBlock.value;
+                const oid = extChildren[0].valueBlock
+                    .toString();
+                let critical = false;
+                let valueElement;
+                if (extChildren[1] instanceof asn1js.Boolean) {
+                    critical = extChildren[1].getValue();
+                    valueElement = extChildren[2];
+                }
+                else {
+                    valueElement = extChildren[1];
+                }
+                extensions.push({
+                    oid,
+                    critical,
+                    value: new Uint8Array(valueElement.valueBlock.valueHexView),
+                });
+            }
+            break;
+        }
+    }
+    return {
+        tbsCertificateDer,
+        signatureAlgorithmOid: sigAlgOid,
+        signatureValue,
+        issuer,
+        subject,
+        validityNotBefore,
+        validityNotAfter,
+        subjectPublicKeyInfoDer,
+        publicKeyCurveOid,
+        extensions,
+    };
+}
+// ── extractRawPublicKeyFromSpki ─────────────────────────────────────
+/**
+ * Extract the raw public key bytes from a DER-encoded SubjectPublicKeyInfo.
+ * Returns the uncompressed EC point (0x04 || x || y).
+ */
+function extractRawPublicKeyFromSpki(spkiDer) {
+    const buf = safeBuffer(spkiDer);
+    const asn1 = asn1js.fromBER(buf);
+    if (asn1.offset === -1) {
+        throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, "Failed to parse SPKI DER");
+    }
+    const spkiSeq = asn1.result;
+    const publicKeyBitString = spkiSeq.valueBlock.value[1];
+    return new Uint8Array(publicKeyBitString.valueBlock.valueHexView);
+}
+// ── verifySignature ─────────────────────────────────────────────────
+/**
+ * Verify the signature of a child certificate against the parent's public key.
+ *
+ * Deno WebCrypto throws "Not implemented" for cross-paired curve+hash
+ * (e.g., P-384 key signing with SHA-256). Apple's intermediate (P-384)
+ * signs the leaf cert with SHA-256. Use @noble/curves for this case.
+ */
+async function verifySignature(child, parent) {
+    const hash = SIG_ALG_HASH[child.signatureAlgorithmOid];
+    if (!hash) {
+        throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, `Unsupported signature algorithm OID: ${child.signatureAlgorithmOid}`);
+    }
+    const namedCurve = CURVE_OID_NAME[parent.publicKeyCurveOid];
+    if (!namedCurve) {
+        throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, `Unsupported curve OID: ${parent.publicKeyCurveOid}`);
+    }
+    const componentSize = CURVE_COMPONENT_SIZE[namedCurve];
+    const sigRaw = derToRaw(child.signatureValue, componentSize);
+    // Apple's intermediate (P-384 key) signs the leaf cert with SHA-256.
+    // Deno WebCrypto throws "Not implemented" for this cross-pairing.
+    // Use @noble/curves p384 to verify instead.
+    if (namedCurve === "P-384" && hash === "SHA-256") {
+        // Pre-hash TBS, then verify with @noble/curves.
+        // lowS: false — X.509 signatures don't enforce BIP-62 low-S normalization.
+        // prehash: false — we hash manually since the hash algorithm differs from the curve's default.
+        const digest = new Uint8Array(await crypto.subtle.digest(hash, child.tbsCertificateDer));
+        const rawPubKey = extractRawPublicKeyFromSpki(parent.subjectPublicKeyInfoDer);
+        return p384.verify(sigRaw, digest, rawPubKey, {
+            prehash: false,
+            lowS: false,
+        });
+    }
+    // Standard pairing — WebCrypto
+    const parentKey = await crypto.subtle.importKey("spki", parent.subjectPublicKeyInfoDer, { name: "ECDSA", namedCurve }, false, ["verify"]);
+    return crypto.subtle.verify({ name: "ECDSA", hash }, parentKey, sigRaw, child.tbsCertificateDer);
+}
+// ── parseRootCaDer ──────────────────────────────────────────────────
+/**
+ * Decode the Apple App Attestation Root CA from PEM to DER bytes.
+ */
+function parseRootCaDer() {
     const b64 = APPLE_APP_ATTESTATION_ROOT_CA_PEM
         .replace("-----BEGIN CERTIFICATE-----", "")
         .replace("-----END CERTIFICATE-----", "")
         .replace(/\s/g, "");
-    const der = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
-    return pkijs.Certificate.fromBER(der);
+    return decodeBase64(b64);
 }
+// ── Exported functions ──────────────────────────────────────────────
 /**
  * Verify the x5c certificate chain against the Apple App Attestation Root CA.
  *
@@ -24,17 +227,41 @@ export async function verifyCertificateChain(x5c, checkDate) {
     if (x5c.length === 0) {
         throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, "Certificate chain (x5c) is empty");
     }
-    const rootCa = parseRootCa();
-    // Parse all x5c certs
-    const certs = x5c.map((der) => pkijs.Certificate.fromBER(der));
-    const chainEngine = new pkijs.CertificateChainValidationEngine({
-        trustedCerts: [rootCa],
-        certs: certs,
-        checkDate: checkDate ?? new Date(),
-    });
-    const result = await chainEngine.verify();
-    if (!result.result) {
-        throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, `Certificate chain verification failed: ${result.resultMessage}`);
+    // Parse root CA and all x5c certs
+    const rootCaDer = parseRootCaDer();
+    const rootCa = parseCertificate(rootCaDer);
+    const certs = x5c.map((der) => parseCertificate(der));
+    // Build chain: [leaf, ..., intermediate, rootCA]
+    const chain = [...certs, rootCa];
+    // Verify root is self-signed
+    if (!constantTimeEqual(rootCa.issuer, rootCa.subject)) {
+        throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, "Root CA is not self-signed (issuer !== subject)");
+    }
+    const rootSelfSigned = await verifySignature(rootCa, rootCa);
+    if (!rootSelfSigned) {
+        throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, "Root CA self-signature verification failed");
+    }
+    // Verify each child→parent pair in the chain
+    for (let i = 0; i < chain.length - 1; i++) {
+        const child = chain[i];
+        const parent = chain[i + 1];
+        // Issuer must match parent's subject
+        if (!constantTimeEqual(child.issuer, parent.subject)) {
+            throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, `Certificate ${i} issuer does not match certificate ${i + 1} subject`);
+        }
+        // Verify signature
+        const valid = await verifySignature(child, parent);
+        if (!valid) {
+            throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, `Certificate ${i} signature verification failed`);
+        }
+    }
+    // Check validity periods
+    const now = checkDate ?? new Date();
+    for (let i = 0; i < chain.length; i++) {
+        const cert = chain[i];
+        if (now < cert.validityNotBefore || now > cert.validityNotAfter) {
+            throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, `Certificate ${i} is not valid at ${now.toISOString()} (valid from ${cert.validityNotBefore.toISOString()} to ${cert.validityNotAfter.toISOString()})`);
+        }
     }
 }
 /**
@@ -47,23 +274,19 @@ export async function verifyCertificateChain(x5c, checkDate) {
  * @returns The 32-byte nonce
  */
 export function extractNonceFromCert(certDer) {
-    const cert = pkijs.Certificate.fromBER(certDer);
-    const extensions = cert.extensions;
-    if (!extensions) {
-        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "Certificate has no extensions");
-    }
-    const nonceExt = extensions.find((ext) => ext.extnID === APPLE_NONCE_EXTENSION_OID);
+    const cert = parseCertificate(certDer);
+    const nonceExt = cert.extensions.find((ext) => ext.oid === APPLE_NONCE_EXTENSION_OID);
     if (!nonceExt) {
         throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, `Certificate missing nonce extension (OID ${APPLE_NONCE_EXTENSION_OID})`);
     }
     // Parse the extension value as ASN.1
-    const extValue = nonceExt.extnValue.getValue();
-    const asn1 = asn1js.fromBER(extValue);
-    if (asn1.offset === -1) {
+    const extBuf = safeBuffer(nonceExt.value);
+    const extAsn1 = asn1js.fromBER(extBuf);
+    if (extAsn1.offset === -1) {
         throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "Failed to parse nonce extension ASN.1");
     }
     // Navigate: SEQUENCE -> tagged [1] -> OCTET STRING
-    const sequence = asn1.result;
+    const sequence = extAsn1.result;
     const tagged = sequence.valueBlock.value[0];
     const octetString = tagged.valueBlock.value[0];
     return new Uint8Array(octetString.valueBlock.valueHexView);
@@ -75,12 +298,13 @@ export function extractNonceFromCert(certDer) {
  * @returns 65-byte uncompressed EC point (0x04 || x || y)
  */
 export async function extractPublicKeyFromCert(certDer) {
-    const cert = pkijs.Certificate.fromBER(certDer);
-    // Get the SubjectPublicKeyInfo and convert to DER
-    const spkiDer = cert.subjectPublicKeyInfo.toSchema().toBER(false);
-    // Import as SPKI to get a CryptoKey
-    const cryptoKey = await crypto.subtle.importKey("spki", spkiDer, { name: "ECDSA", namedCurve: "P-256" }, true, ["verify"]);
-    // Export as raw (uncompressed point)
+    const cert = parseCertificate(certDer);
+    const namedCurve = CURVE_OID_NAME[cert.publicKeyCurveOid];
+    if (!namedCurve) {
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, `Unsupported curve OID: ${cert.publicKeyCurveOid}`);
+    }
+    // Import SPKI as CryptoKey, then export as raw uncompressed point
+    const cryptoKey = await crypto.subtle.importKey("spki", cert.subjectPublicKeyInfoDer, { name: "ECDSA", namedCurve }, true, ["verify"]);
     const rawKey = await crypto.subtle.exportKey("raw", cryptoKey);
     return new Uint8Array(rawKey);
 }

package/esm/src/der.d.ts

@@ -1,3 +1,3 @@
-export declare function derToRaw(der: Uint8Array): Uint8Array;
-export declare function rawToDer(raw: Uint8Array): Uint8Array;
+export declare function derToRaw(der: Uint8Array, componentSize?: number): Uint8Array;
+export declare function rawToDer(raw: Uint8Array, componentSize?: number): Uint8Array;
 //# sourceMappingURL=der.d.ts.map

package/esm/src/der.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"der.d.ts","sourceRoot":"","sources":["../../src/src/der.ts"],"names":[],"mappings":"AAEA,wBAAgB,QAAQ,CAAC,GAAG,EAAE,UAAU,GAAG,UAAU,CAoCpD;AAED,wBAAgB,QAAQ,CAAC,GAAG,EAAE,UAAU,GAAG,UAAU,CAiBpD"}
+{"version":3,"file":"der.d.ts","sourceRoot":"","sources":["../../src/src/der.ts"],"names":[],"mappings":"AAEA,wBAAgB,QAAQ,CACtB,GAAG,EAAE,UAAU,EACf,aAAa,SAAK,GACjB,UAAU,CAoCZ;AAED,wBAAgB,QAAQ,CACtB,GAAG,EAAE,UAAU,EACf,aAAa,SAAK,GACjB,UAAU,CAmBZ"}

package/esm/src/der.js

@@ -1,5 +1,5 @@
 // src/der.ts
-export function derToRaw(der) {
+export function derToRaw(der, componentSize = 32) {
     if (der[0] !== 0x30) {
         throw new Error("Invalid DER signature: expected SEQUENCE tag (0x30)");
     }
@@ -8,7 +8,7 @@ export function derToRaw(der) {
         const lengthBytes = der[1] & 0x7f;
         offset = 2 + lengthBytes;
     }
-    const raw = new Uint8Array(64);
+    const raw = new Uint8Array(componentSize * 2);
     if (der[offset] !== 0x02) {
         throw new Error("Invalid DER signature: expected INTEGER tag (0x02) for r");
     }
@@ -22,16 +22,16 @@ export function derToRaw(der) {
     offset++;
     const sLen = der[offset++];
     const sBytes = der.subarray(offset, offset + sLen);
-    copyInteger(rBytes, raw, 0);
-    copyInteger(sBytes, raw, 32);
+    copyInteger(rBytes, raw, 0, componentSize);
+    copyInteger(sBytes, raw, componentSize, componentSize);
     return raw;
 }
-export function rawToDer(raw) {
-    if (raw.length !== 64) {
-        throw new Error(`Invalid raw signature: expected 64 bytes, got ${raw.length}`);
+export function rawToDer(raw, componentSize = 32) {
+    if (raw.length !== componentSize * 2) {
+        throw new Error(`Invalid raw signature: expected ${componentSize * 2} bytes, got ${raw.length}`);
     }
-    const r = encodeInteger(raw.subarray(0, 32));
-    const s = encodeInteger(raw.subarray(32, 64));
+    const r = encodeInteger(raw.subarray(0, componentSize));
+    const s = encodeInteger(raw.subarray(componentSize, componentSize * 2));
     const seqLen = r.length + s.length;
     const der = new Uint8Array(2 + seqLen);
     der[0] = 0x30;
@@ -40,16 +40,16 @@ export function rawToDer(raw) {
     der.set(s, 2 + r.length);
     return der;
 }
-function copyInteger(src, dst, dstOffset) {
+function copyInteger(src, dst, dstOffset, componentSize) {
     let srcOffset = 0;
     while (srcOffset < src.length - 1 && src[srcOffset] === 0) {
         srcOffset++;
     }
     const len = src.length - srcOffset;
-    if (len > 32) {
+    if (len > componentSize) {
         throw new Error(`Integer too large: ${len} bytes`);
     }
-    dst.set(src.subarray(srcOffset), dstOffset + (32 - len));
+    dst.set(src.subarray(srcOffset), dstOffset + (componentSize - len));
 }
 function encodeInteger(value) {
     let start = 0;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bradford-tech/supabase-integrity-attest",
-  "version": "0.2.1",
+  "version": "0.2.3",
   "description": "Verify Apple App Attest attestations and assertions using WebCrypto.",
   "repository": {
     "type": "git",
@@ -20,9 +20,9 @@
     "test": "node test_runner.js"
   },
   "dependencies": {
+    "@noble/curves": "^2.0.1",
     "asn1js": "^3.0.7",
-    "cborg": "^4.5.8",
-    "pkijs": "^3.3.3"
+    "cborg": "^4.5.8"
   },
   "devDependencies": {
     "@types/node": "^20.9.0",