@bradford-tech/supabase-integrity-attest 0.2.1

package/esm/src/assertion.js

@@ -0,0 +1,64 @@
+// src/assertion.ts
+import { decode } from "cborg";
+import { parseAssertionAuthData } from "./authdata.js";
+import { derToRaw } from "./der.js";
+import { AssertionError, AssertionErrorCode } from "./errors.js";
+import { concat, constantTimeEqual, decodeBase64Bytes, importPemPublicKey, toBytes, } from "./utils.js";
+export async function verifyAssertion(appInfo, assertion, clientData, publicKeyPem, previousSignCount) {
+    const assertionBytes = decodeBase64Bytes(assertion);
+    const clientDataBytes = toBytes(clientData);
+    // Step 1: CBOR decode
+    let decoded;
+    try {
+        decoded = decode(assertionBytes);
+        if (!decoded.signature || !decoded.authenticatorData) {
+            throw new Error("Missing required fields");
+        }
+    }
+    catch (e) {
+        throw new AssertionError(AssertionErrorCode.INVALID_FORMAT, `Failed to decode assertion: ${e instanceof Error ? e.message : String(e)}`);
+    }
+    // Step 2: Parse authenticatorData
+    let authData;
+    try {
+        authData = parseAssertionAuthData(decoded.authenticatorData);
+    }
+    catch (e) {
+        throw new AssertionError(AssertionErrorCode.INVALID_FORMAT, `Invalid authenticatorData: ${e instanceof Error ? e.message : String(e)}`);
+    }
+    // Step 3: Verify rpIdHash
+    const expectedRpIdHash = new Uint8Array(await crypto.subtle.digest("SHA-256", new TextEncoder().encode(appInfo.appId)));
+    if (!constantTimeEqual(authData.rpIdHash, expectedRpIdHash)) {
+        throw new AssertionError(AssertionErrorCode.RP_ID_MISMATCH, "rpIdHash does not match expected appId");
+    }
+    // Step 4: Verify counter
+    if (authData.signCount <= previousSignCount) {
+        throw new AssertionError(AssertionErrorCode.COUNTER_NOT_INCREMENTED, `signCount ${authData.signCount} is not greater than previous ${previousSignCount}`);
+    }
+    // Step 5: Compute clientDataHash
+    const clientDataHash = new Uint8Array(await crypto.subtle.digest("SHA-256", clientDataBytes));
+    // Step 6: Build message = authenticatorData || clientDataHash
+    const message = concat(decoded.authenticatorData, clientDataHash);
+    // Step 7: Convert DER signature to raw r||s
+    let signatureRaw;
+    try {
+        signatureRaw = derToRaw(decoded.signature);
+    }
+    catch (e) {
+        throw new AssertionError(AssertionErrorCode.INVALID_FORMAT, `Invalid DER signature: ${e instanceof Error ? e.message : String(e)}`);
+    }
+    // Step 8: Import PEM public key
+    let publicKey;
+    try {
+        publicKey = await importPemPublicKey(publicKeyPem);
+    }
+    catch (e) {
+        throw new AssertionError(AssertionErrorCode.INVALID_FORMAT, `Invalid public key PEM: ${e instanceof Error ? e.message : String(e)}`);
+    }
+    // Step 9: Verify ECDSA signature
+    const valid = await crypto.subtle.verify({ name: "ECDSA", hash: "SHA-256" }, publicKey, signatureRaw, message);
+    if (!valid) {
+        throw new AssertionError(AssertionErrorCode.SIGNATURE_INVALID, "ECDSA signature verification failed");
+    }
+    return { signCount: authData.signCount };
+}

package/esm/src/attestation.d.ts

@@ -0,0 +1,37 @@
+export interface AppInfo {
+    appId: string;
+    developmentEnv?: boolean;
+}
+export interface AttestationResult {
+    publicKeyPem: string;
+    receipt: Uint8Array;
+    signCount: number;
+}
+export interface VerifyAttestationOptions {
+    /** Override date for certificate chain validation (for testing with expired certs) */
+    checkDate?: Date;
+}
+/**
+ * Minimal CBOR decoder for Apple App Attest attestation objects.
+ *
+ * Apple's CBOR encoding of the attestation object contains a receipt field whose
+ * byte-string length header is sometimes incorrect (overstated by ~21 bytes).
+ * Standard CBOR libraries (cborg) fail to decode this. We use a lightweight
+ * structure-aware parser that handles the known attestation object layout:
+ *   { "fmt": text, "attStmt": { "x5c": [bstr, ...], "receipt": bstr }, "authData": bstr }
+ *
+ * The parser locates map keys by scanning for known text-string CBOR keys and
+ * extracts values based on their CBOR type headers, which avoids relying on
+ * potentially incorrect length fields for opaque byte-string values.
+ */
+export interface AttestationCbor {
+    fmt: string;
+    attStmt: {
+        x5c: Uint8Array[];
+        receipt: Uint8Array;
+    };
+    authData: Uint8Array;
+}
+export declare function decodeAttestationCbor(data: Uint8Array): AttestationCbor;
+export declare function verifyAttestation(appInfo: AppInfo, keyId: string, challenge: Uint8Array | string, attestation: Uint8Array | string, options?: VerifyAttestationOptions): Promise<AttestationResult>;
+//# sourceMappingURL=attestation.d.ts.map

package/esm/src/attestation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../../src/src/attestation.ts"],"names":[],"mappings":"AAaA,MAAM,WAAW,OAAO;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,UAAU,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,wBAAwB;IACvC,sFAAsF;IACtF,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE;QACP,GAAG,EAAE,UAAU,EAAE,CAAC;QAClB,OAAO,EAAE,UAAU,CAAC;KACrB,CAAC;IACF,QAAQ,EAAE,UAAU,CAAC;CACtB;AAsGD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,UAAU,GAAG,eAAe,CAyEvE;AAED,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,UAAU,GAAG,MAAM,EAC9B,WAAW,EAAE,UAAU,GAAG,MAAM,EAChC,OAAO,CAAC,EAAE,wBAAwB,GACjC,OAAO,CAAC,iBAAiB,CAAC,CAkJ5B"}

package/esm/src/attestation.js

@@ -0,0 +1,242 @@
+// src/attestation.ts
+import { decodeBase64 } from "../deps/jsr.io/@std/encoding/1.0.10/base64.js";
+import { extractNonceFromCert, extractPublicKeyFromCert, verifyCertificateChain, } from "./certificate.js";
+import { AAGUID_DEVELOPMENT, AAGUID_PRODUCTION } from "./constants.js";
+import { AttestationError, AttestationErrorCode } from "./errors.js";
+import { parseAttestationAuthData } from "./authdata.js";
+import { concat, constantTimeEqual, exportKeyToPem, toBytes } from "./utils.js";
+/** Read a CBOR unsigned integer (additional info + following bytes). */
+function readCborUint(data, offset) {
+    const additional = data[offset] & 0x1f;
+    if (additional < 24)
+        return { value: additional, end: offset + 1 };
+    if (additional === 24)
+        return { value: data[offset + 1], end: offset + 2 };
+    if (additional === 25) {
+        return {
+            value: (data[offset + 1] << 8) | data[offset + 2],
+            end: offset + 3,
+        };
+    }
+    if (additional === 26) {
+        return {
+            value: ((data[offset + 1] << 24) >>> 0) +
+                (data[offset + 2] << 16) +
+                (data[offset + 3] << 8) +
+                data[offset + 4],
+            end: offset + 5,
+        };
+    }
+    throw new Error(`Unsupported CBOR additional info: ${additional}`);
+}
+/** Read a CBOR text string starting at offset. Returns {value, end}. */
+function readCborText(data, offset) {
+    const majorType = (data[offset] >> 5) & 0x07;
+    if (majorType !== 3) {
+        throw new Error(`Expected CBOR text string (type 3) at offset ${offset}, got type ${majorType}`);
+    }
+    const { value: len, end: dataStart } = readCborUint(data, offset);
+    const text = new TextDecoder().decode(data.slice(dataStart, dataStart + len));
+    return { value: text, end: dataStart + len };
+}
+/** Read a CBOR byte string starting at offset. Returns {value, end}. */
+function readCborBytes(data, offset) {
+    const majorType = (data[offset] >> 5) & 0x07;
+    if (majorType !== 2) {
+        throw new Error(`Expected CBOR byte string (type 2) at offset ${offset}, got type ${majorType}`);
+    }
+    const { value: len, end: dataStart } = readCborUint(data, offset);
+    return {
+        value: data.slice(dataStart, dataStart + len),
+        end: dataStart + len,
+    };
+}
+/**
+ * Find the position of a CBOR text-string key within a byte sequence.
+ * Searches for the CBOR encoding of a text string (type 3 header + UTF-8 bytes).
+ */
+function findCborTextKey(data, key, startOffset) {
+    const keyBytes = new TextEncoder().encode(key);
+    // Build the expected CBOR encoding: type 3 header + key bytes
+    let header;
+    if (keyBytes.length < 24) {
+        header = new Uint8Array([0x60 | keyBytes.length]);
+    }
+    else if (keyBytes.length < 256) {
+        header = new Uint8Array([0x78, keyBytes.length]);
+    }
+    else {
+        header = new Uint8Array([
+            0x79,
+            keyBytes.length >> 8,
+            keyBytes.length & 0xff,
+        ]);
+    }
+    const needle = new Uint8Array(header.length + keyBytes.length);
+    needle.set(header);
+    needle.set(keyBytes, header.length);
+    for (let i = startOffset; i <= data.length - needle.length; i++) {
+        let match = true;
+        for (let j = 0; j < needle.length; j++) {
+            if (data[i + j] !== needle[j]) {
+                match = false;
+                break;
+            }
+        }
+        if (match)
+            return i;
+    }
+    return -1;
+}
+export function decodeAttestationCbor(data) {
+    // Verify top-level is a CBOR map
+    const majorType = (data[0] >> 5) & 0x07;
+    if (majorType !== 5) {
+        throw new Error("Expected CBOR map at top level");
+    }
+    // Find "fmt" key and read its value
+    const fmtKeyPos = findCborTextKey(data, "fmt", 0);
+    if (fmtKeyPos === -1)
+        throw new Error('Missing "fmt" key');
+    const fmtKeyEnd = fmtKeyPos + 1 + 3; // 0x63 + "fmt"
+    const { value: fmt } = readCborText(data, fmtKeyEnd);
+    // Find "attStmt" key
+    const attStmtKeyPos = findCborTextKey(data, "attStmt", 0);
+    if (attStmtKeyPos === -1)
+        throw new Error('Missing "attStmt" key');
+    // After "attStmt" key: 0x67 + "attStmt" = 8 bytes
+    const attStmtValuePos = attStmtKeyPos + 8;
+    // attStmt value should be a map
+    const attStmtMajor = (data[attStmtValuePos] >> 5) & 0x07;
+    if (attStmtMajor !== 5)
+        throw new Error("attStmt is not a CBOR map");
+    // Find "x5c" key within attStmt
+    const x5cKeyPos = findCborTextKey(data, "x5c", attStmtValuePos);
+    if (x5cKeyPos === -1)
+        throw new Error('Missing "x5c" key in attStmt');
+    const x5cValuePos = x5cKeyPos + 4; // 0x63 + "x5c"
+    // x5c value is an array
+    const x5cMajor = (data[x5cValuePos] >> 5) & 0x07;
+    if (x5cMajor !== 4)
+        throw new Error("x5c is not a CBOR array");
+    const { value: x5cCount, end: x5cFirstItemPos } = readCborUint(data, x5cValuePos);
+    // Read each certificate byte string
+    const x5c = [];
+    let pos = x5cFirstItemPos;
+    for (let i = 0; i < x5cCount; i++) {
+        const { value: cert, end } = readCborBytes(data, pos);
+        x5c.push(cert);
+        pos = end;
+    }
+    // After x5c, find "receipt" key
+    const receiptKeyPos = findCborTextKey(data, "receipt", pos);
+    if (receiptKeyPos === -1)
+        throw new Error('Missing "receipt" key in attStmt');
+    // Find "authData" key - search from after the receipt key position
+    const authDataKeyPos = findCborTextKey(data, "authData", receiptKeyPos);
+    if (authDataKeyPos === -1) {
+        throw new Error('Missing "authData" key');
+    }
+    // The receipt value is the bytes between the receipt key end and the authData key start.
+    // Receipt key: 0x67 + "receipt" = 8 bytes
+    const receiptValueStart = receiptKeyPos + 8;
+    // Read the receipt CBOR header to get the data start offset
+    const receiptMajor = (data[receiptValueStart] >> 5) & 0x07;
+    if (receiptMajor !== 2)
+        throw new Error("receipt is not a CBOR byte string");
+    const { end: receiptDataStart } = readCborUint(data, receiptValueStart);
+    // The actual receipt data extends to just before the authData key.
+    // This handles the case where Apple's CBOR length header is incorrect.
+    const receipt = data.slice(receiptDataStart, authDataKeyPos);
+    // Read authData value
+    // authData key: 0x68 + "authData" = 9 bytes
+    const authDataValuePos = authDataKeyPos + 9;
+    const { value: authData } = readCborBytes(data, authDataValuePos);
+    return { fmt, attStmt: { x5c, receipt }, authData };
+}
+export async function verifyAttestation(appInfo, keyId, challenge, attestation, options) {
+    // Decode attestation bytes from base64 if string
+    let attestationBytes;
+    if (typeof attestation === "string") {
+        try {
+            attestationBytes = decodeBase64(attestation);
+        }
+        catch {
+            throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "Failed to decode attestation base64");
+        }
+    }
+    else {
+        attestationBytes = attestation;
+    }
+    // Step 1: CBOR decode attestation -> { fmt, attStmt: { x5c, receipt }, authData }
+    let decoded;
+    try {
+        decoded = decodeAttestationCbor(attestationBytes);
+    }
+    catch {
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "Failed to CBOR-decode attestation object");
+    }
+    // Step 2: Validate fmt === "apple-appattest"
+    if (decoded.fmt !== "apple-appattest") {
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, `Invalid attestation format: expected "apple-appattest", got "${decoded.fmt}"`);
+    }
+    const { x5c, receipt } = decoded.attStmt;
+    const authData = decoded.authData;
+    // Step 3: Verify x5c cert chain exists (length >= 2)
+    if (x5c.length < 2) {
+        throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, "Certificate chain (x5c) must contain at least 2 certificates");
+    }
+    // Step 4: Verify certificate chain
+    await verifyCertificateChain(x5c, options?.checkDate);
+    // Step 5-6: Compute nonce = SHA-256(authData || challenge)
+    // Apple's nonce verification uses the raw challenge bytes concatenated with authData,
+    // NOT a hash of the challenge.
+    const challengeBytes = toBytes(challenge);
+    const nonceInput = concat(authData, challengeBytes);
+    const computedNonce = new Uint8Array(await crypto.subtle.digest("SHA-256", nonceInput));
+    // Step 7: Extract nonce from leaf cert
+    const certNonce = extractNonceFromCert(x5c[0]);
+    // Step 8: constantTimeEqual(computedNonce, certNonce)
+    if (!constantTimeEqual(computedNonce, certNonce)) {
+        throw new AttestationError(AttestationErrorCode.NONCE_MISMATCH, "Computed nonce does not match certificate nonce");
+    }
+    // Step 9: Extract public key from leaf cert (65 bytes raw)
+    const publicKeyRaw = await extractPublicKeyFromCert(x5c[0]);
+    // Step 10: SHA-256(publicKeyRaw) must equal base64-decoded keyId
+    const publicKeyHash = new Uint8Array(await crypto.subtle.digest("SHA-256", publicKeyRaw));
+    const keyIdBytes = decodeBase64(keyId);
+    if (!constantTimeEqual(publicKeyHash, keyIdBytes)) {
+        throw new AttestationError(AttestationErrorCode.KEY_ID_MISMATCH, "Public key hash does not match keyId");
+    }
+    // Step 11: Parse authData
+    const parsedAuthData = parseAttestationAuthData(authData);
+    // Step 12: Verify rpIdHash === SHA-256(appId)
+    const appIdHash = new Uint8Array(await crypto.subtle.digest("SHA-256", new TextEncoder().encode(appInfo.appId)));
+    if (!constantTimeEqual(parsedAuthData.rpIdHash, appIdHash)) {
+        throw new AttestationError(AttestationErrorCode.RP_ID_MISMATCH, "RP ID hash does not match SHA-256 of appId");
+    }
+    // Step 13: Verify signCount === 0
+    if (parsedAuthData.signCount !== 0) {
+        throw new AttestationError(AttestationErrorCode.INVALID_COUNTER, `Expected signCount 0 for attestation, got ${parsedAuthData.signCount}`);
+    }
+    // Step 14: Verify AAGUID matches expected (prod or dev)
+    const expectedAaguid = appInfo.developmentEnv
+        ? AAGUID_DEVELOPMENT
+        : AAGUID_PRODUCTION;
+    if (!constantTimeEqual(parsedAuthData.aaguid, expectedAaguid)) {
+        throw new AttestationError(AttestationErrorCode.INVALID_AAGUID, `AAGUID mismatch: expected ${appInfo.developmentEnv ? "development" : "production"} environment`);
+    }
+    // Step 15: Verify credentialId === keyIdBytes
+    if (!constantTimeEqual(parsedAuthData.credentialId, keyIdBytes)) {
+        throw new AttestationError(AttestationErrorCode.KEY_ID_MISMATCH, "Credential ID does not match keyId");
+    }
+    // Step 16: Export public key as PEM
+    const cryptoKey = await crypto.subtle.importKey("raw", publicKeyRaw, { name: "ECDSA", namedCurve: "P-256" }, true, ["verify"]);
+    const publicKeyPem = await exportKeyToPem(cryptoKey);
+    // Step 17: Return result
+    return {
+        publicKeyPem,
+        receipt,
+        signCount: 0,
+    };
+}

package/esm/src/authdata.d.ts

@@ -0,0 +1,13 @@
+export interface AssertionAuthData {
+    rpIdHash: Uint8Array;
+    flags: number;
+    signCount: number;
+}
+export interface AttestationAuthData extends AssertionAuthData {
+    aaguid: Uint8Array;
+    credentialId: Uint8Array;
+    coseKeyBytes: Uint8Array;
+}
+export declare function parseAssertionAuthData(data: Uint8Array): AssertionAuthData;
+export declare function parseAttestationAuthData(data: Uint8Array): AttestationAuthData;
+//# sourceMappingURL=authdata.d.ts.map

package/esm/src/authdata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authdata.d.ts","sourceRoot":"","sources":["../../src/src/authdata.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,UAAU,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAoB,SAAQ,iBAAiB;IAC5D,MAAM,EAAE,UAAU,CAAC;IACnB,YAAY,EAAE,UAAU,CAAC;IACzB,YAAY,EAAE,UAAU,CAAC;CAC1B;AAED,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,UAAU,GAAG,iBAAiB,CAgB1E;AAED,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,UAAU,GACf,mBAAmB,CAiCrB"}

package/esm/src/authdata.js

@@ -0,0 +1,29 @@
+// src/authdata.ts
+export function parseAssertionAuthData(data) {
+    if (data.length < 37) {
+        throw new Error(`authenticatorData too short: expected at least 37 bytes, got ${data.length}`);
+    }
+    const rpIdHash = data.slice(0, 32);
+    const flags = data[32];
+    const signCount = new DataView(data.buffer, data.byteOffset + 33, 4).getUint32(0, false);
+    return { rpIdHash, flags, signCount };
+}
+export function parseAttestationAuthData(data) {
+    const base = parseAssertionAuthData(data);
+    if (data.length < 55) {
+        throw new Error(`attestation authenticatorData too short: expected at least 55 bytes, got ${data.length}`);
+    }
+    const aaguid = data.slice(37, 53);
+    const credentialIdLength = new DataView(data.buffer, data.byteOffset + 53, 2).getUint16(0, false);
+    if (data.length < 55 + credentialIdLength) {
+        throw new Error(`authenticatorData truncated: credentialIdLength=${credentialIdLength} but only ${data.length - 55} bytes remain`);
+    }
+    const credentialId = data.slice(55, 55 + credentialIdLength);
+    const coseKeyBytes = data.slice(55 + credentialIdLength);
+    return {
+        ...base,
+        aaguid,
+        credentialId,
+        coseKeyBytes,
+    };
+}

package/esm/src/certificate.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Verify the x5c certificate chain against the Apple App Attestation Root CA.
+ *
+ * @param x5c - Array of DER-encoded certificates (index 0 = leaf, last = closest to root)
+ * @param checkDate - Date to use for validity checking (defaults to now; override for testing expired certs)
+ */
+export declare function verifyCertificateChain(x5c: Uint8Array[], checkDate?: Date): Promise<void>;
+/**
+ * Extract the nonce from the Apple App Attest credential certificate.
+ *
+ * The nonce is stored in an extension with OID 1.2.840.113635.100.8.2.
+ * The extension value is ASN.1: SEQUENCE { [1] EXPLICIT { OCTET STRING <nonce> } }
+ *
+ * @param certDer - DER-encoded leaf certificate
+ * @returns The 32-byte nonce
+ */
+export declare function extractNonceFromCert(certDer: Uint8Array): Uint8Array;
+/**
+ * Extract the raw (uncompressed) public key from a DER-encoded certificate.
+ *
+ * @param certDer - DER-encoded certificate
+ * @returns 65-byte uncompressed EC point (0x04 || x || y)
+ */
+export declare function extractPublicKeyFromCert(certDer: Uint8Array): Promise<Uint8Array>;
+//# sourceMappingURL=certificate.d.ts.map

package/esm/src/certificate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"certificate.d.ts","sourceRoot":"","sources":["../../src/src/certificate.ts"],"names":[],"mappings":"AAsBA;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,UAAU,EAAE,EACjB,SAAS,CAAC,EAAE,IAAI,GACf,OAAO,CAAC,IAAI,CAAC,CA2Bf;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,UAAU,GAAG,UAAU,CAqCpE;AAED;;;;;GAKG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,UAAU,CAAC,CAkBrB"}

package/esm/src/certificate.js

@@ -0,0 +1,86 @@
+// src/certificate.ts
+import * as pkijs from "pkijs";
+import * as asn1js from "asn1js";
+import { APPLE_APP_ATTESTATION_ROOT_CA_PEM, APPLE_NONCE_EXTENSION_OID, } from "./constants.js";
+import { AttestationError, AttestationErrorCode } from "./errors.js";
+/**
+ * Parse the Apple App Attestation Root CA from PEM into a pkijs Certificate.
+ */
+function parseRootCa() {
+    const b64 = APPLE_APP_ATTESTATION_ROOT_CA_PEM
+        .replace("-----BEGIN CERTIFICATE-----", "")
+        .replace("-----END CERTIFICATE-----", "")
+        .replace(/\s/g, "");
+    const der = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
+    return pkijs.Certificate.fromBER(der);
+}
+/**
+ * Verify the x5c certificate chain against the Apple App Attestation Root CA.
+ *
+ * @param x5c - Array of DER-encoded certificates (index 0 = leaf, last = closest to root)
+ * @param checkDate - Date to use for validity checking (defaults to now; override for testing expired certs)
+ */
+export async function verifyCertificateChain(x5c, checkDate) {
+    if (x5c.length === 0) {
+        throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, "Certificate chain (x5c) is empty");
+    }
+    const rootCa = parseRootCa();
+    // Parse all x5c certs
+    const certs = x5c.map((der) => pkijs.Certificate.fromBER(der));
+    const chainEngine = new pkijs.CertificateChainValidationEngine({
+        trustedCerts: [rootCa],
+        certs: certs,
+        checkDate: checkDate ?? new Date(),
+    });
+    const result = await chainEngine.verify();
+    if (!result.result) {
+        throw new AttestationError(AttestationErrorCode.INVALID_CERTIFICATE_CHAIN, `Certificate chain verification failed: ${result.resultMessage}`);
+    }
+}
+/**
+ * Extract the nonce from the Apple App Attest credential certificate.
+ *
+ * The nonce is stored in an extension with OID 1.2.840.113635.100.8.2.
+ * The extension value is ASN.1: SEQUENCE { [1] EXPLICIT { OCTET STRING <nonce> } }
+ *
+ * @param certDer - DER-encoded leaf certificate
+ * @returns The 32-byte nonce
+ */
+export function extractNonceFromCert(certDer) {
+    const cert = pkijs.Certificate.fromBER(certDer);
+    const extensions = cert.extensions;
+    if (!extensions) {
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "Certificate has no extensions");
+    }
+    const nonceExt = extensions.find((ext) => ext.extnID === APPLE_NONCE_EXTENSION_OID);
+    if (!nonceExt) {
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, `Certificate missing nonce extension (OID ${APPLE_NONCE_EXTENSION_OID})`);
+    }
+    // Parse the extension value as ASN.1
+    const extValue = nonceExt.extnValue.getValue();
+    const asn1 = asn1js.fromBER(extValue);
+    if (asn1.offset === -1) {
+        throw new AttestationError(AttestationErrorCode.INVALID_FORMAT, "Failed to parse nonce extension ASN.1");
+    }
+    // Navigate: SEQUENCE -> tagged [1] -> OCTET STRING
+    const sequence = asn1.result;
+    const tagged = sequence.valueBlock.value[0];
+    const octetString = tagged.valueBlock.value[0];
+    return new Uint8Array(octetString.valueBlock.valueHexView);
+}
+/**
+ * Extract the raw (uncompressed) public key from a DER-encoded certificate.
+ *
+ * @param certDer - DER-encoded certificate
+ * @returns 65-byte uncompressed EC point (0x04 || x || y)
+ */
+export async function extractPublicKeyFromCert(certDer) {
+    const cert = pkijs.Certificate.fromBER(certDer);
+    // Get the SubjectPublicKeyInfo and convert to DER
+    const spkiDer = cert.subjectPublicKeyInfo.toSchema().toBER(false);
+    // Import as SPKI to get a CryptoKey
+    const cryptoKey = await crypto.subtle.importKey("spki", spkiDer, { name: "ECDSA", namedCurve: "P-256" }, true, ["verify"]);
+    // Export as raw (uncompressed point)
+    const rawKey = await crypto.subtle.exportKey("raw", cryptoKey);
+    return new Uint8Array(rawKey);
+}

package/esm/src/constants.d.ts

@@ -0,0 +1,9 @@
+/** Apple App Attestation Root CA (single cert for both dev and prod environments). */
+export declare const APPLE_APP_ATTESTATION_ROOT_CA_PEM = "-----BEGIN CERTIFICATE-----\nMIICITCCAaegAwIBAgIQC/O+DvHN0uD7jG5yH2IXmDAKBggqhkjOPQQDAzBSMSYw\nJAYDVQQDDB1BcHBsZSBBcHAgQXR0ZXN0YXRpb24gUm9vdCBDQTETMBEGA1UECgwK\nQXBwbGUgSW5jLjETMBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yMDAzMTgxODMyNTNa\nFw00NTAzMTUwMDAwMDBaMFIxJjAkBgNVBAMMHUFwcGxlIEFwcCBBdHRlc3RhdGlv\nbiBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9y\nbmlhMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERTHhmLW07ATaFQIEVwTtT4dyctdh\nNbJhFs/Ii2FdCgAHGbpphY3+d8qjuDngIN3WVhQUBHAoMeQ/cLiP1sOUtgjqK9au\nYen1mMEvRq9Sk3Jm5X8U62H+xTD3FE9TgS41o0IwQDAPBgNVHRMBAf8EBTADAQH/\nMB0GA1UdDgQWBBSskRBTM72+aEH/pwyp5frq5eWKoTAOBgNVHQ8BAf8EBAMCAQYw\nCgYIKoZIzj0EAwMDaAAwZQIwQgFGnByvsiVbpTKwSga0kP0e8EeDS4+sQmTvb7vn\n53O5+FRXgeLhpJ06ysC5PrOyAjEAp5U4xDgEgllF7En3VcE3iexZZtKeYnpqtijV\noyFraWVIyd/dganmrduC1bmTBGwD\n-----END CERTIFICATE-----";
+/** Production AAGUID: "appattest" + 7 null bytes (16 bytes total) */
+export declare const AAGUID_PRODUCTION: Uint8Array<ArrayBuffer>;
+/** Development AAGUID: "appattestdevelop" (16 bytes, no nulls) */
+export declare const AAGUID_DEVELOPMENT: Uint8Array<ArrayBuffer>;
+/** OID for the Apple App Attest nonce extension in credential certificates */
+export declare const APPLE_NONCE_EXTENSION_OID = "1.2.840.113635.100.8.2";
+//# sourceMappingURL=constants.d.ts.map

package/esm/src/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/src/constants.ts"],"names":[],"mappings":"AAEA,sFAAsF;AACtF,eAAO,MAAM,iCAAiC,+yBAapB,CAAC;AAE3B,qEAAqE;AACrE,eAAO,MAAM,iBAAiB,yBAiB5B,CAAC;AAEH,kEAAkE;AAClE,eAAO,MAAM,kBAAkB,yBAiB7B,CAAC;AAEH,8EAA8E;AAC9E,eAAO,MAAM,yBAAyB,2BAA2B,CAAC"}

package/esm/src/constants.js

@@ -0,0 +1,56 @@
+// src/constants.ts
+/** Apple App Attestation Root CA (single cert for both dev and prod environments). */
+export const APPLE_APP_ATTESTATION_ROOT_CA_PEM = `-----BEGIN CERTIFICATE-----
+MIICITCCAaegAwIBAgIQC/O+DvHN0uD7jG5yH2IXmDAKBggqhkjOPQQDAzBSMSYw
+JAYDVQQDDB1BcHBsZSBBcHAgQXR0ZXN0YXRpb24gUm9vdCBDQTETMBEGA1UECgwK
+QXBwbGUgSW5jLjETMBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yMDAzMTgxODMyNTNa
+Fw00NTAzMTUwMDAwMDBaMFIxJjAkBgNVBAMMHUFwcGxlIEFwcCBBdHRlc3RhdGlv
+biBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9y
+bmlhMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERTHhmLW07ATaFQIEVwTtT4dyctdh
+NbJhFs/Ii2FdCgAHGbpphY3+d8qjuDngIN3WVhQUBHAoMeQ/cLiP1sOUtgjqK9au
+Yen1mMEvRq9Sk3Jm5X8U62H+xTD3FE9TgS41o0IwQDAPBgNVHRMBAf8EBTADAQH/
+MB0GA1UdDgQWBBSskRBTM72+aEH/pwyp5frq5eWKoTAOBgNVHQ8BAf8EBAMCAQYw
+CgYIKoZIzj0EAwMDaAAwZQIwQgFGnByvsiVbpTKwSga0kP0e8EeDS4+sQmTvb7vn
+53O5+FRXgeLhpJ06ysC5PrOyAjEAp5U4xDgEgllF7En3VcE3iexZZtKeYnpqtijV
+oyFraWVIyd/dganmrduC1bmTBGwD
+-----END CERTIFICATE-----`;
+/** Production AAGUID: "appattest" + 7 null bytes (16 bytes total) */
+export const AAGUID_PRODUCTION = new Uint8Array([
+    0x61,
+    0x70,
+    0x70,
+    0x61,
+    0x74,
+    0x74,
+    0x65,
+    0x73,
+    0x74,
+    0x00,
+    0x00,
+    0x00,
+    0x00,
+    0x00,
+    0x00,
+    0x00,
+]);
+/** Development AAGUID: "appattestdevelop" (16 bytes, no nulls) */
+export const AAGUID_DEVELOPMENT = new Uint8Array([
+    0x61,
+    0x70,
+    0x70,
+    0x61,
+    0x74,
+    0x74,
+    0x65,
+    0x73,
+    0x74,
+    0x64,
+    0x65,
+    0x76,
+    0x65,
+    0x6c,
+    0x6f,
+    0x70,
+]);
+/** OID for the Apple App Attest nonce extension in credential certificates */
+export const APPLE_NONCE_EXTENSION_OID = "1.2.840.113635.100.8.2";

package/esm/src/cose.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cose.d.ts","sourceRoot":"","sources":["../../src/src/cose.ts"],"names":[],"mappings":"AAGA,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,UAAU,GAAG,UAAU,CAkBvE;AAED,wBAAsB,kBAAkB,CACtC,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,SAAS,CAAC,CASpB"}

package/esm/src/der.d.ts

@@ -0,0 +1,3 @@
+export declare function derToRaw(der: Uint8Array): Uint8Array;
+export declare function rawToDer(raw: Uint8Array): Uint8Array;
+//# sourceMappingURL=der.d.ts.map

package/esm/src/der.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"der.d.ts","sourceRoot":"","sources":["../../src/src/der.ts"],"names":[],"mappings":"AAEA,wBAAgB,QAAQ,CAAC,GAAG,EAAE,UAAU,GAAG,UAAU,CAoCpD;AAED,wBAAgB,QAAQ,CAAC,GAAG,EAAE,UAAU,GAAG,UAAU,CAiBpD"}

package/esm/src/der.js

@@ -0,0 +1,72 @@
+// src/der.ts
+export function derToRaw(der) {
+    if (der[0] !== 0x30) {
+        throw new Error("Invalid DER signature: expected SEQUENCE tag (0x30)");
+    }
+    let offset = 2;
+    if (der[1] & 0x80) {
+        const lengthBytes = der[1] & 0x7f;
+        offset = 2 + lengthBytes;
+    }
+    const raw = new Uint8Array(64);
+    if (der[offset] !== 0x02) {
+        throw new Error("Invalid DER signature: expected INTEGER tag (0x02) for r");
+    }
+    offset++;
+    const rLen = der[offset++];
+    const rBytes = der.subarray(offset, offset + rLen);
+    offset += rLen;
+    if (der[offset] !== 0x02) {
+        throw new Error("Invalid DER signature: expected INTEGER tag (0x02) for s");
+    }
+    offset++;
+    const sLen = der[offset++];
+    const sBytes = der.subarray(offset, offset + sLen);
+    copyInteger(rBytes, raw, 0);
+    copyInteger(sBytes, raw, 32);
+    return raw;
+}
+export function rawToDer(raw) {
+    if (raw.length !== 64) {
+        throw new Error(`Invalid raw signature: expected 64 bytes, got ${raw.length}`);
+    }
+    const r = encodeInteger(raw.subarray(0, 32));
+    const s = encodeInteger(raw.subarray(32, 64));
+    const seqLen = r.length + s.length;
+    const der = new Uint8Array(2 + seqLen);
+    der[0] = 0x30;
+    der[1] = seqLen;
+    der.set(r, 2);
+    der.set(s, 2 + r.length);
+    return der;
+}
+function copyInteger(src, dst, dstOffset) {
+    let srcOffset = 0;
+    while (srcOffset < src.length - 1 && src[srcOffset] === 0) {
+        srcOffset++;
+    }
+    const len = src.length - srcOffset;
+    if (len > 32) {
+        throw new Error(`Integer too large: ${len} bytes`);
+    }
+    dst.set(src.subarray(srcOffset), dstOffset + (32 - len));
+}
+function encodeInteger(value) {
+    let start = 0;
+    while (start < value.length - 1 && value[start] === 0) {
+        start++;
+    }
+    const needsPadding = value[start] & 0x80;
+    const len = value.length - start + (needsPadding ? 1 : 0);
+    const result = new Uint8Array(2 + len);
+    result[0] = 0x02;
+    result[1] = len;
+    if (needsPadding) {
+        result[2] = 0x00;
+        result.set(value.subarray(start), 3);
+    }
+    else {
+        result.set(value.subarray(start), 2);
+    }
+    return result;
+}