@bradford-tech/supabase-integrity-attest 0.2.2 → 0.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"certificate.d.ts","sourceRoot":"","sources":["../../src/src/certificate.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"certificate.d.ts","sourceRoot":"","sources":["../../src/src/certificate.ts"],"names":[],"mappings":"AA+UA;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,UAAU,EAAE,EACjB,SAAS,CAAC,EAAE,IAAI,GACf,OAAO,CAAC,IAAI,CAAC,CAkEf;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,UAAU,GAAG,UAAU,CA6BpE;AAED;;;;;GAKG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,UAAU,CAAC,CAqBrB"}
|
package/esm/src/certificate.js
CHANGED
|
@@ -192,10 +192,14 @@ async function verifySignature(child, parent) {
|
|
|
192
192
|
// Use @noble/curves p384 to verify instead.
|
|
193
193
|
if (namedCurve === "P-384" && hash === "SHA-256") {
|
|
194
194
|
// Pre-hash TBS, then verify with @noble/curves.
|
|
195
|
-
//
|
|
195
|
+
// lowS: false — X.509 signatures don't enforce BIP-62 low-S normalization.
|
|
196
|
+
// prehash: false — we hash manually since the hash algorithm differs from the curve's default.
|
|
196
197
|
const digest = new Uint8Array(await crypto.subtle.digest(hash, child.tbsCertificateDer));
|
|
197
198
|
const rawPubKey = extractRawPublicKeyFromSpki(parent.subjectPublicKeyInfoDer);
|
|
198
|
-
return p384.verify(sigRaw, digest, rawPubKey, {
|
|
199
|
+
return p384.verify(sigRaw, digest, rawPubKey, {
|
|
200
|
+
prehash: false,
|
|
201
|
+
lowS: false,
|
|
202
|
+
});
|
|
199
203
|
}
|
|
200
204
|
// Standard pairing — WebCrypto
|
|
201
205
|
const parentKey = await crypto.subtle.importKey("spki", parent.subjectPublicKeyInfoDer, { name: "ECDSA", namedCurve }, false, ["verify"]);
|