@metamask-previews/passkey-controller 0.0.0-preview-4c0846313

package/dist/webauthn/verify-registration-response.mjs

@@ -0,0 +1,201 @@
+import { decodePartialCBOR } from "@levischuck/tiny-cbor";
+import { concatBytes } from "@metamask/utils";
+import { sha256 } from "@noble/hashes/sha2";
+import { base64URLToBytes, bytesToBase64URL, bytesToHex } from "../utils/encoding.mjs";
+import { COSEALG, COSEKEYS } from "./constants.mjs";
+import { decodeAttestationObject } from "./decode-attestation-object.mjs";
+import { decodeClientDataJSON } from "./decode-client-data-json.mjs";
+import { matchExpectedRPID } from "./match-expected-rp-id.mjs";
+import { parseAuthenticatorData } from "./parse-authenticator-data.mjs";
+import { verifySignature } from "./verify-signature.mjs";
+/**
+ * Verifies a WebAuthn registration (attestation) response per
+ * W3C WebAuthn Level 3 §7.1.
+ *
+ * Performs the following checks in order:
+ * 1. Credential ID presence and base64url consistency (`id === rawId`), and
+ *    that `id` matches the credential id inside parsed authenticator data.
+ * 2. Credential type is `"public-key"`.
+ * 3. `clientDataJSON` -- type is `"webauthn.create"`, challenge and origin
+ *    match the expected values.
+ * 4. Attestation object -- CBOR-decodes and parses `authData` to verify
+ *    the RP ID hash, user-presence flag, optional user-verification flag,
+ *    and the attested credential public key algorithm.
+ * 5. Attestation statement -- supports `"none"` (no signature) and
+ *    `"packed"` self-attestation (signature verified against the
+ *    credential's own public key).
+ *
+ * @param opts - Verification options.
+ * @param opts.response - The `PublicKeyCredential` result from
+ *   `navigator.credentials.create()`, serialized as JSON.
+ * @param opts.expectedChallenge - The base64url challenge that was passed
+ *   to the authenticator (must match `clientDataJSON.challenge`).
+ * @param opts.expectedOrigin - One or more acceptable origins (e.g.
+ *   `"chrome-extension://..."` or `"https://metamask.io"`).
+ * @param opts.expectedRPID - The Relying Party ID domain. The
+ *   authenticator's `rpIdHash` is compared against `SHA-256(expectedRPID)`.
+ * @param opts.requireUserVerification - When `true`, verification fails
+ *   if the UV flag is not set. Defaults to `false`.
+ * @param opts.supportedAlgorithmIDs - COSE algorithm identifiers accepted
+ *   for the credential public key. Defaults to EdDSA, ES256, and RS256.
+ * @returns On success, `{ verified: true, registrationInfo }` with the
+ *   parsed credential ID, public key, counter, AAGUID, and transport
+ *   hints. On failure, `{ verified: false }`.
+ */
+export async function verifyRegistrationResponse(opts) {
+    const { response, expectedChallenge, expectedOrigin, expectedRPID, requireUserVerification = false, supportedAlgorithmIDs = [COSEALG.EdDSA, COSEALG.ES256, COSEALG.RS256], } = opts;
+    const { id, rawId, type: credentialType, response: attestationResponse, } = response;
+    // Ensure credential specified an ID
+    if (!id) {
+        throw new Error('Missing credential ID');
+    }
+    // Ensure ID is base64url-encoded
+    if (id !== rawId) {
+        throw new Error('Credential ID was not base64url-encoded');
+    }
+    // Make sure credential type is public-key
+    if (credentialType !== 'public-key') {
+        throw new Error(`Unexpected credential type ${String(credentialType)}, expected "public-key"`);
+    }
+    const clientDataJSON = decodeClientDataJSON(attestationResponse.clientDataJSON);
+    const { type, challenge, origin, tokenBinding } = clientDataJSON;
+    // Make sure we're handling an registration
+    if (type !== 'webauthn.create') {
+        throw new Error(`Unexpected registration response type: ${type}`);
+    }
+    // Ensure the device provided the challenge we gave it
+    if (challenge !== expectedChallenge) {
+        throw new Error(`Unexpected registration response challenge "${challenge}", expected "${expectedChallenge}"`);
+    }
+    // Check that the origin is our site
+    const expectedOrigins = Array.isArray(expectedOrigin)
+        ? expectedOrigin
+        : [expectedOrigin];
+    if (!expectedOrigins.includes(origin)) {
+        throw new Error(`Unexpected registration response origin "${origin}", expected one of: ${expectedOrigins.join(', ')}`);
+    }
+    if (tokenBinding) {
+        if (typeof tokenBinding !== 'object') {
+            throw new Error('ClientDataJSON tokenBinding was not an object');
+        }
+        if (!['present', 'supported', 'not-supported'].includes(tokenBinding.status)) {
+            throw new Error(`Unexpected tokenBinding.status value of "${tokenBinding.status}"`);
+        }
+    }
+    const attestationObjectBytes = base64URLToBytes(attestationResponse.attestationObject);
+    const decodedAttObj = decodeAttestationObject(attestationObjectBytes);
+    const fmt = decodedAttObj.get('fmt');
+    const authData = decodedAttObj.get('authData');
+    const attStmt = decodedAttObj.get('attStmt');
+    const parsedAuthData = parseAuthenticatorData(authData);
+    const { rpIdHash, flags, counter, credentialID, credentialPublicKey, aaguid, } = parsedAuthData;
+    matchExpectedRPID(rpIdHash, [expectedRPID]);
+    // Make sure someone was physically present
+    if (!flags.up) {
+        throw new Error('User presence was required, but user was not present');
+    }
+    // Enforce user verification if specified
+    if (requireUserVerification && !flags.uv) {
+        throw new Error('User verification was required, but user could not be verified');
+    }
+    if (!credentialID) {
+        throw new Error('No credential ID was provided by authenticator');
+    }
+    const attestedCredentialId = bytesToBase64URL(credentialID);
+    if (id !== attestedCredentialId) {
+        throw new Error('Credential id does not match the credential id in authenticator data');
+    }
+    if (!credentialPublicKey) {
+        throw new Error('No public key was provided by authenticator');
+    }
+    if (!aaguid) {
+        throw new Error('No AAGUID was present during registration');
+    }
+    const decodedPublicKey = decodePartialCBOR(new Uint8Array(credentialPublicKey), 0)[0];
+    const alg = decodedPublicKey.get(COSEKEYS.Alg);
+    if (typeof alg !== 'number') {
+        throw new Error('Credential public key was missing numeric alg');
+    }
+    // Make sure the key algorithm is one we specified within the registration options
+    if (!supportedAlgorithmIDs.includes(alg)) {
+        throw new Error(`Unexpected public key alg "${alg}", expected one of "${supportedAlgorithmIDs.join(', ')}"`);
+    }
+    let verified = false;
+    if (fmt === 'none') {
+        if (attStmt.size > 0) {
+            throw new Error('None attestation had unexpected attestation statement');
+        }
+        verified = true;
+    }
+    else if (fmt === 'packed') {
+        verified = await verifyPackedAttestation(attStmt, authData, attestationResponse.clientDataJSON, decodedPublicKey);
+    }
+    else {
+        throw new Error(`Unsupported attestation format: ${fmt}`);
+    }
+    if (!verified) {
+        return { verified: false };
+    }
+    const aaguidHex = bytesToHex(aaguid);
+    const aaguidStr = [
+        aaguidHex.slice(0, 8),
+        aaguidHex.slice(8, 12),
+        aaguidHex.slice(12, 16),
+        aaguidHex.slice(16, 20),
+        aaguidHex.slice(20),
+    ].join('-');
+    return {
+        verified: true,
+        registrationInfo: {
+            credentialId: attestedCredentialId,
+            publicKey: credentialPublicKey,
+            counter,
+            transports: attestationResponse.transports,
+            aaguid: aaguidStr,
+            attestationFormat: fmt,
+            userVerified: flags.uv,
+        },
+    };
+}
+/**
+ * Verify packed self-attestation per WebAuthn §8.2: no x5c certificate
+ * chain, signature over `authData || SHA-256(clientDataJSON)` verified
+ * with the credential's own public key, and `alg` in the attestation
+ * statement must match the credential key's algorithm.
+ *
+ * @param attStmt - The attestation statement map from the attestation
+ *   object.
+ * @param attStmt.get - Accessor to retrieve statement fields by key.
+ * @param attStmt.size - Number of entries in the statement.
+ * @param authData - Raw authenticator data bytes.
+ * @param clientDataJSONB64url - Base64url-encoded clientDataJSON.
+ * @param cosePublicKey - Decoded COSE public key map from authenticator
+ *   data.
+ * @returns Whether the packed attestation signature is valid.
+ */
+async function verifyPackedAttestation(attStmt, authData, clientDataJSONB64url, cosePublicKey) {
+    const attStmtAlg = attStmt.get('alg');
+    const signature = attStmt.get('sig');
+    const x5c = attStmt.get('x5c');
+    if (typeof attStmtAlg !== 'number') {
+        throw new Error('Packed attestation statement missing alg');
+    }
+    if (!signature) {
+        throw new Error('Packed attestation missing signature');
+    }
+    if (x5c && x5c.length > 0) {
+        throw new Error('Packed attestation with certificate chain (x5c) is not supported; only self-attestation is accepted');
+    }
+    const credAlg = cosePublicKey.get(COSEKEYS.Alg);
+    if (attStmtAlg !== credAlg) {
+        throw new Error(`Packed attestation alg ${attStmtAlg} does not match credential alg ${credAlg}`);
+    }
+    const clientDataHash = sha256(base64URLToBytes(clientDataJSONB64url));
+    const signatureBase = concatBytes([authData, clientDataHash]);
+    return verifySignature({
+        cosePublicKey,
+        signature,
+        data: signatureBase,
+    });
+}
+//# sourceMappingURL=verify-registration-response.mjs.map

package/dist/webauthn/verify-registration-response.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-registration-response.mjs","sourceRoot":"","sources":["../../src/webauthn/verify-registration-response.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,8BAA8B;AAC1D,OAAO,EAAE,WAAW,EAAE,wBAAwB;AAC9C,OAAO,EAAE,MAAM,EAAE,2BAA2B;AAG5C,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,UAAU,EACX,8BAA0B;AAC3B,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,wBAAoB;AAChD,OAAO,EAAE,uBAAuB,EAAE,wCAAoC;AACtE,OAAO,EAAE,oBAAoB,EAAE,sCAAkC;AACjE,OAAO,EAAE,iBAAiB,EAAE,mCAA+B;AAC3D,OAAO,EAAE,sBAAsB,EAAE,uCAAmC;AAEpE,OAAO,EAAE,eAAe,EAAE,+BAA2B;AAiBrD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAAC,IAOhD;IACC,MAAM,EACJ,QAAQ,EACR,iBAAiB,EACjB,cAAc,EACd,YAAY,EACZ,uBAAuB,GAAG,KAAK,EAC/B,qBAAqB,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,GACtE,GAAG,IAAI,CAAC;IAET,MAAM,EACJ,EAAE,EACF,KAAK,EACL,IAAI,EAAE,cAAc,EACpB,QAAQ,EAAE,mBAAmB,GAC9B,GAAG,QAAQ,CAAC;IAEb,oCAAoC;IACpC,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,iCAAiC;IACjC,IAAI,EAAE,KAAK,KAAK,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IAED,0CAA0C;IAC1C,IAAI,cAAc,KAAK,YAAY,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CACb,8BAA8B,MAAM,CAAC,cAAc,CAAC,yBAAyB,CAC9E,CAAC;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,oBAAoB,CACzC,mBAAmB,CAAC,cAAc,CACnC,CAAC;IACF,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,cAAc,CAAC;IAEjE,2CAA2C;IAC3C,IAAI,IAAI,KAAK,iBAAiB,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,0CAA0C,IAAI,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,sDAAsD;IACtD,IAAI,SAAS,KAAK,iBAAiB,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CACb,+CAA+C,SAAS,gBAAgB,iBAAiB,GAAG,CAC7F,CAAC;IACJ,CAAC;IAED,oCAAoC;IACpC,MAAM,eAAe,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC;QACnD,CAAC,CAAC,cAAc;QAChB,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;IACrB,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CACb,4CAA4C,MAAM,uBAAuB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACtG,CAAC;IACJ,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACnE,CAAC;QAED,IACE,CAAC,CAAC,SAAS,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,EACxE,CAAC;YACD,MAAM,IAAI,KAAK,CACb,4CAA4C,YAAY,CAAC,MAAM,GAAG,CACnE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,sBAAsB,GAAG,gBAAgB,CAC7C,mBAAmB,CAAC,iBAAiB,CACtC,CAAC;IACF,MAAM,aAAa,GAAG,uBAAuB,CAAC,sBAAsB,CAAC,CAAC;IACtE,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAE7C,MAAM,cAAc,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IACxD,MAAM,EACJ,QAAQ,EACR,KAAK,EACL,OAAO,EACP,YAAY,EACZ,mBAAmB,EACnB,MAAM,GACP,GAAG,cAAc,CAAC;IAEnB,iBAAiB,CAAC,QAAQ,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC;IAE5C,2CAA2C;IAC3C,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IAED,yCAAyC;IACzC,IAAI,uBAAuB,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CACb,gEAAgE,CACjE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IAED,MAAM,oBAAoB,GAAG,gBAAgB,CAAC,YAAY,CAAC,CAAC;IAC5D,IAAI,EAAE,KAAK,oBAAoB,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IACD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,gBAAgB,GAAG,iBAAiB,CACxC,IAAI,UAAU,CAAC,mBAAmB,CAAC,EACnC,CAAC,CACF,CAAC,CAAC,CAAqC,CAAC;IACzC,MAAM,GAAG,GAAG,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAE/C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IAED,kFAAkF;IAClF,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CACb,8BAA8B,GAAG,uBAAuB,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAC5F,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QACnB,IAAI,OAAO,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAC3E,CAAC;QACD,QAAQ,GAAG,IAAI,CAAC;IAClB,CAAC;SAAM,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,QAAQ,GAAG,MAAM,uBAAuB,CACtC,OAAO,EACP,QAAQ,EACR,mBAAmB,CAAC,cAAc,EAClC,gBAAgB,CACjB,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,mCAAmC,GAAG,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC7B,CAAC;IAED,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG;QAChB,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;QACrB,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;QACtB,SAAS,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC;QACvB,SAAS,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC;QACvB,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;KACpB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAEZ,OAAO;QACL,QAAQ,EAAE,IAAI;QACd,gBAAgB,EAAE;YAChB,YAAY,EAAE,oBAAoB;YAClC,SAAS,EAAE,mBAAmB;YAC9B,OAAO;YACP,UAAU,EACR,mBAAmB,CAAC,UAA4C;YAClE,MAAM,EAAE,SAAS;YACjB,iBAAiB,EAAE,GAAG;YACtB,YAAY,EAAE,KAAK,CAAC,EAAE;SACvB;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,KAAK,UAAU,uBAAuB,CACpC,OAAoD,EACpD,QAAoB,EACpB,oBAA4B,EAC5B,aAA+C;IAE/C,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAuB,CAAC;IAC5D,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAA2B,CAAC;IAC/D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAA6B,CAAC;IAE3D,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,qGAAqG,CACtG,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAW,CAAC;IAC1D,IAAI,UAAU,KAAK,OAAO,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CACb,0BAA0B,UAAU,kCAAkC,OAAO,EAAE,CAChF,CAAC;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,MAAM,CAAC,gBAAgB,CAAC,oBAAoB,CAAC,CAAC,CAAC;IACtE,MAAM,aAAa,GAAG,WAAW,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAE9D,OAAO,eAAe,CAAC;QACrB,aAAa;QACb,SAAS;QACT,IAAI,EAAE,aAAa;KACpB,CAAC,CAAC;AACL,CAAC","sourcesContent":["import { decodePartialCBOR } from '@levischuck/tiny-cbor';\nimport { concatBytes } from '@metamask/utils';\nimport { sha256 } from '@noble/hashes/sha2';\n\nimport type { AuthenticatorTransportFuture } from '../types';\nimport {\n  base64URLToBytes,\n  bytesToBase64URL,\n  bytesToHex,\n} from '../utils/encoding';\nimport { COSEALG, COSEKEYS } from './constants';\nimport { decodeAttestationObject } from './decode-attestation-object';\nimport { decodeClientDataJSON } from './decode-client-data-json';\nimport { matchExpectedRPID } from './match-expected-rp-id';\nimport { parseAuthenticatorData } from './parse-authenticator-data';\nimport type { PasskeyRegistrationResponse } from './types';\nimport { verifySignature } from './verify-signature';\n\nexport type VerifiedRegistrationResponse =\n  | { verified: false; registrationInfo?: never }\n  | {\n      verified: true;\n      registrationInfo: {\n        credentialId: string;\n        publicKey: Uint8Array;\n        counter: number;\n        transports?: AuthenticatorTransportFuture[];\n        aaguid: string;\n        attestationFormat: string;\n        userVerified: boolean;\n      };\n    };\n\n/**\n * Verifies a WebAuthn registration (attestation) response per\n * W3C WebAuthn Level 3 §7.1.\n *\n * Performs the following checks in order:\n * 1. Credential ID presence and base64url consistency (`id === rawId`), and\n *    that `id` matches the credential id inside parsed authenticator data.\n * 2. Credential type is `\"public-key\"`.\n * 3. `clientDataJSON` -- type is `\"webauthn.create\"`, challenge and origin\n *    match the expected values.\n * 4. Attestation object -- CBOR-decodes and parses `authData` to verify\n *    the RP ID hash, user-presence flag, optional user-verification flag,\n *    and the attested credential public key algorithm.\n * 5. Attestation statement -- supports `\"none\"` (no signature) and\n *    `\"packed\"` self-attestation (signature verified against the\n *    credential's own public key).\n *\n * @param opts - Verification options.\n * @param opts.response - The `PublicKeyCredential` result from\n *   `navigator.credentials.create()`, serialized as JSON.\n * @param opts.expectedChallenge - The base64url challenge that was passed\n *   to the authenticator (must match `clientDataJSON.challenge`).\n * @param opts.expectedOrigin - One or more acceptable origins (e.g.\n *   `\"chrome-extension://...\"` or `\"https://metamask.io\"`).\n * @param opts.expectedRPID - The Relying Party ID domain. The\n *   authenticator's `rpIdHash` is compared against `SHA-256(expectedRPID)`.\n * @param opts.requireUserVerification - When `true`, verification fails\n *   if the UV flag is not set. Defaults to `false`.\n * @param opts.supportedAlgorithmIDs - COSE algorithm identifiers accepted\n *   for the credential public key. Defaults to EdDSA, ES256, and RS256.\n * @returns On success, `{ verified: true, registrationInfo }` with the\n *   parsed credential ID, public key, counter, AAGUID, and transport\n *   hints. On failure, `{ verified: false }`.\n */\nexport async function verifyRegistrationResponse(opts: {\n  response: PasskeyRegistrationResponse;\n  expectedChallenge: string;\n  expectedOrigin: string | string[];\n  expectedRPID: string;\n  requireUserVerification?: boolean;\n  supportedAlgorithmIDs?: number[];\n}): Promise<VerifiedRegistrationResponse> {\n  const {\n    response,\n    expectedChallenge,\n    expectedOrigin,\n    expectedRPID,\n    requireUserVerification = false,\n    supportedAlgorithmIDs = [COSEALG.EdDSA, COSEALG.ES256, COSEALG.RS256],\n  } = opts;\n\n  const {\n    id,\n    rawId,\n    type: credentialType,\n    response: attestationResponse,\n  } = response;\n\n  // Ensure credential specified an ID\n  if (!id) {\n    throw new Error('Missing credential ID');\n  }\n\n  // Ensure ID is base64url-encoded\n  if (id !== rawId) {\n    throw new Error('Credential ID was not base64url-encoded');\n  }\n\n  // Make sure credential type is public-key\n  if (credentialType !== 'public-key') {\n    throw new Error(\n      `Unexpected credential type ${String(credentialType)}, expected \"public-key\"`,\n    );\n  }\n\n  const clientDataJSON = decodeClientDataJSON(\n    attestationResponse.clientDataJSON,\n  );\n  const { type, challenge, origin, tokenBinding } = clientDataJSON;\n\n  // Make sure we're handling an registration\n  if (type !== 'webauthn.create') {\n    throw new Error(`Unexpected registration response type: ${type}`);\n  }\n\n  // Ensure the device provided the challenge we gave it\n  if (challenge !== expectedChallenge) {\n    throw new Error(\n      `Unexpected registration response challenge \"${challenge}\", expected \"${expectedChallenge}\"`,\n    );\n  }\n\n  // Check that the origin is our site\n  const expectedOrigins = Array.isArray(expectedOrigin)\n    ? expectedOrigin\n    : [expectedOrigin];\n  if (!expectedOrigins.includes(origin)) {\n    throw new Error(\n      `Unexpected registration response origin \"${origin}\", expected one of: ${expectedOrigins.join(', ')}`,\n    );\n  }\n\n  if (tokenBinding) {\n    if (typeof tokenBinding !== 'object') {\n      throw new Error('ClientDataJSON tokenBinding was not an object');\n    }\n\n    if (\n      !['present', 'supported', 'not-supported'].includes(tokenBinding.status)\n    ) {\n      throw new Error(\n        `Unexpected tokenBinding.status value of \"${tokenBinding.status}\"`,\n      );\n    }\n  }\n\n  const attestationObjectBytes = base64URLToBytes(\n    attestationResponse.attestationObject,\n  );\n  const decodedAttObj = decodeAttestationObject(attestationObjectBytes);\n  const fmt = decodedAttObj.get('fmt');\n  const authData = decodedAttObj.get('authData');\n  const attStmt = decodedAttObj.get('attStmt');\n\n  const parsedAuthData = parseAuthenticatorData(authData);\n  const {\n    rpIdHash,\n    flags,\n    counter,\n    credentialID,\n    credentialPublicKey,\n    aaguid,\n  } = parsedAuthData;\n\n  matchExpectedRPID(rpIdHash, [expectedRPID]);\n\n  // Make sure someone was physically present\n  if (!flags.up) {\n    throw new Error('User presence was required, but user was not present');\n  }\n\n  // Enforce user verification if specified\n  if (requireUserVerification && !flags.uv) {\n    throw new Error(\n      'User verification was required, but user could not be verified',\n    );\n  }\n\n  if (!credentialID) {\n    throw new Error('No credential ID was provided by authenticator');\n  }\n\n  const attestedCredentialId = bytesToBase64URL(credentialID);\n  if (id !== attestedCredentialId) {\n    throw new Error(\n      'Credential id does not match the credential id in authenticator data',\n    );\n  }\n\n  if (!credentialPublicKey) {\n    throw new Error('No public key was provided by authenticator');\n  }\n  if (!aaguid) {\n    throw new Error('No AAGUID was present during registration');\n  }\n\n  const decodedPublicKey = decodePartialCBOR(\n    new Uint8Array(credentialPublicKey),\n    0,\n  )[0] as Map<number, number | Uint8Array>;\n  const alg = decodedPublicKey.get(COSEKEYS.Alg);\n\n  if (typeof alg !== 'number') {\n    throw new Error('Credential public key was missing numeric alg');\n  }\n\n  // Make sure the key algorithm is one we specified within the registration options\n  if (!supportedAlgorithmIDs.includes(alg)) {\n    throw new Error(\n      `Unexpected public key alg \"${alg}\", expected one of \"${supportedAlgorithmIDs.join(', ')}\"`,\n    );\n  }\n\n  let verified = false;\n  if (fmt === 'none') {\n    if (attStmt.size > 0) {\n      throw new Error('None attestation had unexpected attestation statement');\n    }\n    verified = true;\n  } else if (fmt === 'packed') {\n    verified = await verifyPackedAttestation(\n      attStmt,\n      authData,\n      attestationResponse.clientDataJSON,\n      decodedPublicKey,\n    );\n  } else {\n    throw new Error(`Unsupported attestation format: ${fmt}`);\n  }\n\n  if (!verified) {\n    return { verified: false };\n  }\n\n  const aaguidHex = bytesToHex(aaguid);\n  const aaguidStr = [\n    aaguidHex.slice(0, 8),\n    aaguidHex.slice(8, 12),\n    aaguidHex.slice(12, 16),\n    aaguidHex.slice(16, 20),\n    aaguidHex.slice(20),\n  ].join('-');\n\n  return {\n    verified: true,\n    registrationInfo: {\n      credentialId: attestedCredentialId,\n      publicKey: credentialPublicKey,\n      counter,\n      transports:\n        attestationResponse.transports as AuthenticatorTransportFuture[],\n      aaguid: aaguidStr,\n      attestationFormat: fmt,\n      userVerified: flags.uv,\n    },\n  };\n}\n\n/**\n * Verify packed self-attestation per WebAuthn §8.2: no x5c certificate\n * chain, signature over `authData || SHA-256(clientDataJSON)` verified\n * with the credential's own public key, and `alg` in the attestation\n * statement must match the credential key's algorithm.\n *\n * @param attStmt - The attestation statement map from the attestation\n *   object.\n * @param attStmt.get - Accessor to retrieve statement fields by key.\n * @param attStmt.size - Number of entries in the statement.\n * @param authData - Raw authenticator data bytes.\n * @param clientDataJSONB64url - Base64url-encoded clientDataJSON.\n * @param cosePublicKey - Decoded COSE public key map from authenticator\n *   data.\n * @returns Whether the packed attestation signature is valid.\n */\nasync function verifyPackedAttestation(\n  attStmt: { get(key: string): unknown; size: number },\n  authData: Uint8Array,\n  clientDataJSONB64url: string,\n  cosePublicKey: Map<number, number | Uint8Array>,\n): Promise<boolean> {\n  const attStmtAlg = attStmt.get('alg') as number | undefined;\n  const signature = attStmt.get('sig') as Uint8Array | undefined;\n  const x5c = attStmt.get('x5c') as Uint8Array[] | undefined;\n\n  if (typeof attStmtAlg !== 'number') {\n    throw new Error('Packed attestation statement missing alg');\n  }\n\n  if (!signature) {\n    throw new Error('Packed attestation missing signature');\n  }\n\n  if (x5c && x5c.length > 0) {\n    throw new Error(\n      'Packed attestation with certificate chain (x5c) is not supported; only self-attestation is accepted',\n    );\n  }\n\n  const credAlg = cosePublicKey.get(COSEKEYS.Alg) as number;\n  if (attStmtAlg !== credAlg) {\n    throw new Error(\n      `Packed attestation alg ${attStmtAlg} does not match credential alg ${credAlg}`,\n    );\n  }\n\n  const clientDataHash = sha256(base64URLToBytes(clientDataJSONB64url));\n  const signatureBase = concatBytes([authData, clientDataHash]);\n\n  return verifySignature({\n    cosePublicKey,\n    signature,\n    data: signatureBase,\n  });\n}\n"]}

package/dist/webauthn/verify-signature.cjs

@@ -0,0 +1,176 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifySignature = void 0;
+const utils_1 = require("@metamask/utils");
+const ed25519_1 = require("@noble/curves/ed25519");
+const nist_1 = require("@noble/curves/nist");
+const sha2_1 = require("@noble/hashes/sha2");
+const encoding_1 = require("../utils/encoding.cjs");
+const constants_1 = require("./constants.cjs");
+/**
+ * Get the key type from a COSE public key map.
+ *
+ * @param cosePublicKey - COSE public key map.
+ * @returns The COSEKTY value.
+ */
+function getKeyType(cosePublicKey) {
+    const kty = cosePublicKey.get(constants_1.COSEKEYS.Kty);
+    if (typeof kty !== 'number') {
+        throw new Error('COSE public key missing kty');
+    }
+    return kty;
+}
+/**
+ * Verify an EC2 (P-256, P-384, P-521) signature using @noble/curves.
+ *
+ * ECDSA requires the data to be hashed with the curve-appropriate
+ * algorithm before verification: SHA-256 for P-256 and SHA-384 for P-384.
+ *
+ * @param cosePublicKey - COSE-encoded EC2 public key.
+ * @param signature - DER-encoded ECDSA signature.
+ * @param data - Data that was signed.
+ * @returns Whether the signature is valid.
+ */
+function verifyEC2(cosePublicKey, signature, data) {
+    const alg = cosePublicKey.get(constants_1.COSEKEYS.Alg);
+    const crv = cosePublicKey.get(constants_1.COSEKEYS.Crv);
+    const xCoord = cosePublicKey.get(constants_1.COSEKEYS.X);
+    const yCoord = cosePublicKey.get(constants_1.COSEKEYS.Y);
+    if (typeof alg !== 'number') {
+        throw new Error('EC2 public key missing alg');
+    }
+    if (!xCoord || !yCoord) {
+        throw new Error('EC2 public key missing x or y coordinate');
+    }
+    const uncompressed = (0, utils_1.concatBytes)([new Uint8Array([0x04]), xCoord, yCoord]);
+    switch (crv) {
+        case constants_1.COSECRV.P256:
+            return nist_1.p256.verify(signature, (0, sha2_1.sha256)(data), uncompressed);
+        case constants_1.COSECRV.P384:
+            return nist_1.p384.verify(signature, (0, sha2_1.sha384)(data), uncompressed);
+        case constants_1.COSECRV.P521:
+            return nist_1.p521.verify(signature, (0, sha2_1.sha512)(data), uncompressed);
+        default:
+            throw new Error(`Unsupported EC2 curve: ${crv}`);
+    }
+}
+/**
+ * Verify an OKP (Ed25519) signature using @noble/curves.
+ *
+ * @param cosePublicKey - COSE-encoded OKP public key.
+ * @param signature - Raw Ed25519 signature (64 bytes).
+ * @param data - Data that was signed.
+ * @returns Whether the signature is valid.
+ */
+function verifyOKP(cosePublicKey, signature, data) {
+    const alg = cosePublicKey.get(constants_1.COSEKEYS.Alg);
+    const crv = cosePublicKey.get(constants_1.COSEKEYS.Crv);
+    const xCoord = cosePublicKey.get(constants_1.COSEKEYS.X);
+    if (alg !== constants_1.COSEALG.EdDSA) {
+        throw new Error(`Unexpected OKP algorithm: ${String(alg)}`);
+    }
+    if (crv !== constants_1.COSECRV.ED25519) {
+        throw new Error(`Unsupported OKP curve: ${String(crv)}`);
+    }
+    if (!xCoord) {
+        throw new Error('OKP public key missing x coordinate');
+    }
+    return ed25519_1.ed25519.verify(signature, data, xCoord);
+}
+/**
+ * Verify an RSA signature using Web Crypto API.
+ *
+ * @param cosePublicKey - COSE-encoded RSA public key.
+ * @param signature - RSA PKCS#1 v1.5 signature.
+ * @param data - Data that was signed.
+ * @returns Whether the signature is valid.
+ */
+async function verifyRSA(cosePublicKey, signature, data) {
+    const alg = cosePublicKey.get(constants_1.COSEKEYS.Alg);
+    const modulus = cosePublicKey.get(constants_1.COSEKEYS.N);
+    const exponent = cosePublicKey.get(constants_1.COSEKEYS.E);
+    if (typeof alg !== 'number') {
+        throw new Error('RSA public key missing alg');
+    }
+    if (!modulus || !exponent) {
+        throw new Error('RSA public key missing n or e');
+    }
+    let keyAlgorithmName;
+    let hashAlg;
+    let saltLength;
+    switch (alg) {
+        case constants_1.COSEALG.RS1:
+            keyAlgorithmName = 'RSASSA-PKCS1-v1_5';
+            hashAlg = 'SHA-1';
+            break;
+        case constants_1.COSEALG.RS256:
+            keyAlgorithmName = 'RSASSA-PKCS1-v1_5';
+            hashAlg = 'SHA-256';
+            break;
+        case constants_1.COSEALG.RS384:
+            keyAlgorithmName = 'RSASSA-PKCS1-v1_5';
+            hashAlg = 'SHA-384';
+            break;
+        case constants_1.COSEALG.RS512:
+            keyAlgorithmName = 'RSASSA-PKCS1-v1_5';
+            hashAlg = 'SHA-512';
+            break;
+        case constants_1.COSEALG.PS256:
+            keyAlgorithmName = 'RSA-PSS';
+            hashAlg = 'SHA-256';
+            saltLength = 32;
+            break;
+        case constants_1.COSEALG.PS384:
+            keyAlgorithmName = 'RSA-PSS';
+            hashAlg = 'SHA-384';
+            saltLength = 48;
+            break;
+        case constants_1.COSEALG.PS512:
+            keyAlgorithmName = 'RSA-PSS';
+            hashAlg = 'SHA-512';
+            saltLength = 64;
+            break;
+        default:
+            throw new Error(`Unsupported RSA algorithm: ${alg}`);
+    }
+    const key = await globalThis.crypto.subtle.importKey('jwk', {
+        kty: 'RSA',
+        n: (0, encoding_1.bytesToBase64URL)(modulus),
+        e: (0, encoding_1.bytesToBase64URL)(exponent),
+    }, { name: keyAlgorithmName, hash: { name: hashAlg } }, false, ['verify']);
+    const verifyAlgorithm = keyAlgorithmName === 'RSA-PSS'
+        ? { name: 'RSA-PSS', saltLength: saltLength }
+        : 'RSASSA-PKCS1-v1_5';
+    const signatureBytes = Uint8Array.from(signature);
+    const dataBytes = Uint8Array.from(data);
+    return globalThis.crypto.subtle.verify(verifyAlgorithm, key, signatureBytes, dataBytes);
+}
+/**
+ * Verify a WebAuthn signature using the appropriate algorithm based on
+ * the COSE key type.
+ *
+ * Uses @noble/curves for EC2 and OKP (synchronous, audited, handles DER
+ * natively). Falls back to Web Crypto API for RSA.
+ *
+ * @param opts - Options object.
+ * @param opts.cosePublicKey - COSE-encoded public key as a Map.
+ * @param opts.signature - The signature bytes.
+ * @param opts.data - The data that was signed.
+ * @returns Whether the signature is valid.
+ */
+async function verifySignature(opts) {
+    const { cosePublicKey, signature, data } = opts;
+    const kty = getKeyType(cosePublicKey);
+    switch (kty) {
+        case constants_1.COSEKTY.EC2:
+            return verifyEC2(cosePublicKey, signature, data);
+        case constants_1.COSEKTY.OKP:
+            return verifyOKP(cosePublicKey, signature, data);
+        case constants_1.COSEKTY.RSA:
+            return verifyRSA(cosePublicKey, signature, data);
+        default:
+            throw new Error(`Unsupported COSE key type: ${kty}`);
+    }
+}
+exports.verifySignature = verifySignature;
+//# sourceMappingURL=verify-signature.cjs.map

package/dist/webauthn/verify-signature.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-signature.cjs","sourceRoot":"","sources":["../../src/webauthn/verify-signature.ts"],"names":[],"mappings":";;;AAAA,2CAA8C;AAC9C,mDAAgD;AAChD,6CAAsD;AACtD,6CAA4D;AAE5D,oDAAqD;AACrD,+CAAkE;AAIlE;;;;;GAKG;AACH,SAAS,UAAU,CAAC,aAA4B;IAC9C,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,oBAAQ,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,SAAS,CAChB,aAA4B,EAC5B,SAAqB,EACrB,IAAgB;IAEhB,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,oBAAQ,CAAC,GAAG,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,oBAAQ,CAAC,GAAG,CAAW,CAAC;IACtD,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,oBAAQ,CAAC,CAAC,CAAe,CAAC;IAC3D,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,oBAAQ,CAAC,CAAC,CAAe,CAAC;IAE3D,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IAED,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,YAAY,GAAG,IAAA,mBAAW,EAAC,CAAC,IAAI,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAE3E,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,mBAAO,CAAC,IAAI;YACf,OAAO,WAAI,CAAC,MAAM,CAAC,SAAS,EAAE,IAAA,aAAM,EAAC,IAAI,CAAC,EAAE,YAAY,CAAC,CAAC;QAC5D,KAAK,mBAAO,CAAC,IAAI;YACf,OAAO,WAAI,CAAC,MAAM,CAAC,SAAS,EAAE,IAAA,aAAM,EAAC,IAAI,CAAC,EAAE,YAAY,CAAC,CAAC;QAC5D,KAAK,mBAAO,CAAC,IAAI;YACf,OAAO,WAAI,CAAC,MAAM,CAAC,SAAS,EAAE,IAAA,aAAM,EAAC,IAAI,CAAC,EAAE,YAAY,CAAC,CAAC;QAC5D;YACE,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,EAAE,CAAC,CAAC;IACrD,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,SAAS,CAChB,aAA4B,EAC5B,SAAqB,EACrB,IAAgB;IAEhB,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,oBAAQ,CAAC,GAAG,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,oBAAQ,CAAC,GAAG,CAAC,CAAC;IAC5C,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,oBAAQ,CAAC,CAAC,CAAe,CAAC;IAE3D,IAAI,GAAG,KAAK,mBAAO,CAAC,KAAK,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,6BAA6B,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI,GAAG,KAAK,mBAAO,CAAC,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,0BAA0B,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC3D,CAAC;IAED,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,iBAAO,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;AACjD,CAAC;AAED;;;;;;;GAOG;AACH,KAAK,UAAU,SAAS,CACtB,aAA4B,EAC5B,SAAqB,EACrB,IAAgB;IAEhB,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,oBAAQ,CAAC,GAAG,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,CAAC,oBAAQ,CAAC,CAAC,CAAe,CAAC;IAC5D,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,oBAAQ,CAAC,CAAC,CAAe,CAAC;IAE7D,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IAED,IAAI,CAAC,OAAO,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,gBAAiD,CAAC;IACtD,IAAI,OAAe,CAAC;IACpB,IAAI,UAA8B,CAAC;IACnC,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,mBAAO,CAAC,GAAG;YACd,gBAAgB,GAAG,mBAAmB,CAAC;YACvC,OAAO,GAAG,OAAO,CAAC;YAClB,MAAM;QACR,KAAK,mBAAO,CAAC,KAAK;YAChB,gBAAgB,GAAG,mBAAmB,CAAC;YACvC,OAAO,GAAG,SAAS,CAAC;YACpB,MAAM;QACR,KAAK,mBAAO,CAAC,KAAK;YAChB,gBAAgB,GAAG,mBAAmB,CAAC;YACvC,OAAO,GAAG,SAAS,CAAC;YACpB,MAAM;QACR,KAAK,mBAAO,CAAC,KAAK;YAChB,gBAAgB,GAAG,mBAAmB,CAAC;YACvC,OAAO,GAAG,SAAS,CAAC;YACpB,MAAM;QACR,KAAK,mBAAO,CAAC,KAAK;YAChB,gBAAgB,GAAG,SAAS,CAAC;YAC7B,OAAO,GAAG,SAAS,CAAC;YACpB,UAAU,GAAG,EAAE,CAAC;YAChB,MAAM;QACR,KAAK,mBAAO,CAAC,KAAK;YAChB,gBAAgB,GAAG,SAAS,CAAC;YAC7B,OAAO,GAAG,SAAS,CAAC;YACpB,UAAU,GAAG,EAAE,CAAC;YAChB,MAAM;QACR,KAAK,mBAAO,CAAC,KAAK;YAChB,gBAAgB,GAAG,SAAS,CAAC;YAC7B,OAAO,GAAG,SAAS,CAAC;YACpB,UAAU,GAAG,EAAE,CAAC;YAChB,MAAM;QACR;YACE,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAClD,KAAK,EACL;QACE,GAAG,EAAE,KAAK;QACV,CAAC,EAAE,IAAA,2BAAgB,EAAC,OAAO,CAAC;QAC5B,CAAC,EAAE,IAAA,2BAAgB,EAAC,QAAQ,CAAC;KAC9B,EACD,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EACnD,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAC;IAEF,MAAM,eAAe,GACnB,gBAAgB,KAAK,SAAS;QAC5B,CAAC,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,UAAoB,EAAE;QACvD,CAAC,CAAC,mBAAmB,CAAC;IAE1B,MAAM,cAAc,GAAG,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxC,OAAO,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CACpC,eAAe,EACf,GAAG,EACH,cAAc,EACd,SAAS,CACV,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;GAYG;AACI,KAAK,UAAU,eAAe,CAAC,IAIrC;IACC,MAAM,EAAE,aAAa,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC;IAChD,MAAM,GAAG,GAAG,UAAU,CAAC,aAAa,CAAC,CAAC;IAEtC,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,mBAAO,CAAC,GAAG;YACd,OAAO,SAAS,CAAC,aAAa,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;QACnD,KAAK,mBAAO,CAAC,GAAG;YACd,OAAO,SAAS,CAAC,aAAa,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;QACnD,KAAK,mBAAO,CAAC,GAAG;YACd,OAAO,SAAS,CAAC,aAAa,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;QACnD;YACE,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,EAAE,CAAC,CAAC;IACzD,CAAC;AACH,CAAC;AAlBD,0CAkBC","sourcesContent":["import { concatBytes } from '@metamask/utils';\nimport { ed25519 } from '@noble/curves/ed25519';\nimport { p256, p384, p521 } from '@noble/curves/nist';\nimport { sha256, sha384, sha512 } from '@noble/hashes/sha2';\n\nimport { bytesToBase64URL } from '../utils/encoding';\nimport { COSEALG, COSECRV, COSEKEYS, COSEKTY } from './constants';\n\ntype COSEPublicKey = Map<number, number | Uint8Array>;\n\n/**\n * Get the key type from a COSE public key map.\n *\n * @param cosePublicKey - COSE public key map.\n * @returns The COSEKTY value.\n */\nfunction getKeyType(cosePublicKey: COSEPublicKey): number {\n  const kty = cosePublicKey.get(COSEKEYS.Kty);\n  if (typeof kty !== 'number') {\n    throw new Error('COSE public key missing kty');\n  }\n  return kty;\n}\n\n/**\n * Verify an EC2 (P-256, P-384, P-521) signature using @noble/curves.\n *\n * ECDSA requires the data to be hashed with the curve-appropriate\n * algorithm before verification: SHA-256 for P-256 and SHA-384 for P-384.\n *\n * @param cosePublicKey - COSE-encoded EC2 public key.\n * @param signature - DER-encoded ECDSA signature.\n * @param data - Data that was signed.\n * @returns Whether the signature is valid.\n */\nfunction verifyEC2(\n  cosePublicKey: COSEPublicKey,\n  signature: Uint8Array,\n  data: Uint8Array,\n): boolean {\n  const alg = cosePublicKey.get(COSEKEYS.Alg);\n  const crv = cosePublicKey.get(COSEKEYS.Crv) as number;\n  const xCoord = cosePublicKey.get(COSEKEYS.X) as Uint8Array;\n  const yCoord = cosePublicKey.get(COSEKEYS.Y) as Uint8Array;\n\n  if (typeof alg !== 'number') {\n    throw new Error('EC2 public key missing alg');\n  }\n\n  if (!xCoord || !yCoord) {\n    throw new Error('EC2 public key missing x or y coordinate');\n  }\n\n  const uncompressed = concatBytes([new Uint8Array([0x04]), xCoord, yCoord]);\n\n  switch (crv) {\n    case COSECRV.P256:\n      return p256.verify(signature, sha256(data), uncompressed);\n    case COSECRV.P384:\n      return p384.verify(signature, sha384(data), uncompressed);\n    case COSECRV.P521:\n      return p521.verify(signature, sha512(data), uncompressed);\n    default:\n      throw new Error(`Unsupported EC2 curve: ${crv}`);\n  }\n}\n\n/**\n * Verify an OKP (Ed25519) signature using @noble/curves.\n *\n * @param cosePublicKey - COSE-encoded OKP public key.\n * @param signature - Raw Ed25519 signature (64 bytes).\n * @param data - Data that was signed.\n * @returns Whether the signature is valid.\n */\nfunction verifyOKP(\n  cosePublicKey: COSEPublicKey,\n  signature: Uint8Array,\n  data: Uint8Array,\n): boolean {\n  const alg = cosePublicKey.get(COSEKEYS.Alg);\n  const crv = cosePublicKey.get(COSEKEYS.Crv);\n  const xCoord = cosePublicKey.get(COSEKEYS.X) as Uint8Array;\n\n  if (alg !== COSEALG.EdDSA) {\n    throw new Error(`Unexpected OKP algorithm: ${String(alg)}`);\n  }\n\n  if (crv !== COSECRV.ED25519) {\n    throw new Error(`Unsupported OKP curve: ${String(crv)}`);\n  }\n\n  if (!xCoord) {\n    throw new Error('OKP public key missing x coordinate');\n  }\n\n  return ed25519.verify(signature, data, xCoord);\n}\n\n/**\n * Verify an RSA signature using Web Crypto API.\n *\n * @param cosePublicKey - COSE-encoded RSA public key.\n * @param signature - RSA PKCS#1 v1.5 signature.\n * @param data - Data that was signed.\n * @returns Whether the signature is valid.\n */\nasync function verifyRSA(\n  cosePublicKey: COSEPublicKey,\n  signature: Uint8Array,\n  data: Uint8Array,\n): Promise<boolean> {\n  const alg = cosePublicKey.get(COSEKEYS.Alg);\n  const modulus = cosePublicKey.get(COSEKEYS.N) as Uint8Array;\n  const exponent = cosePublicKey.get(COSEKEYS.E) as Uint8Array;\n\n  if (typeof alg !== 'number') {\n    throw new Error('RSA public key missing alg');\n  }\n\n  if (!modulus || !exponent) {\n    throw new Error('RSA public key missing n or e');\n  }\n\n  let keyAlgorithmName: 'RSASSA-PKCS1-v1_5' | 'RSA-PSS';\n  let hashAlg: string;\n  let saltLength: number | undefined;\n  switch (alg) {\n    case COSEALG.RS1:\n      keyAlgorithmName = 'RSASSA-PKCS1-v1_5';\n      hashAlg = 'SHA-1';\n      break;\n    case COSEALG.RS256:\n      keyAlgorithmName = 'RSASSA-PKCS1-v1_5';\n      hashAlg = 'SHA-256';\n      break;\n    case COSEALG.RS384:\n      keyAlgorithmName = 'RSASSA-PKCS1-v1_5';\n      hashAlg = 'SHA-384';\n      break;\n    case COSEALG.RS512:\n      keyAlgorithmName = 'RSASSA-PKCS1-v1_5';\n      hashAlg = 'SHA-512';\n      break;\n    case COSEALG.PS256:\n      keyAlgorithmName = 'RSA-PSS';\n      hashAlg = 'SHA-256';\n      saltLength = 32;\n      break;\n    case COSEALG.PS384:\n      keyAlgorithmName = 'RSA-PSS';\n      hashAlg = 'SHA-384';\n      saltLength = 48;\n      break;\n    case COSEALG.PS512:\n      keyAlgorithmName = 'RSA-PSS';\n      hashAlg = 'SHA-512';\n      saltLength = 64;\n      break;\n    default:\n      throw new Error(`Unsupported RSA algorithm: ${alg}`);\n  }\n\n  const key = await globalThis.crypto.subtle.importKey(\n    'jwk',\n    {\n      kty: 'RSA',\n      n: bytesToBase64URL(modulus),\n      e: bytesToBase64URL(exponent),\n    },\n    { name: keyAlgorithmName, hash: { name: hashAlg } },\n    false,\n    ['verify'],\n  );\n\n  const verifyAlgorithm =\n    keyAlgorithmName === 'RSA-PSS'\n      ? { name: 'RSA-PSS', saltLength: saltLength as number }\n      : 'RSASSA-PKCS1-v1_5';\n\n  const signatureBytes = Uint8Array.from(signature);\n  const dataBytes = Uint8Array.from(data);\n  return globalThis.crypto.subtle.verify(\n    verifyAlgorithm,\n    key,\n    signatureBytes,\n    dataBytes,\n  );\n}\n\n/**\n * Verify a WebAuthn signature using the appropriate algorithm based on\n * the COSE key type.\n *\n * Uses @noble/curves for EC2 and OKP (synchronous, audited, handles DER\n * natively). Falls back to Web Crypto API for RSA.\n *\n * @param opts - Options object.\n * @param opts.cosePublicKey - COSE-encoded public key as a Map.\n * @param opts.signature - The signature bytes.\n * @param opts.data - The data that was signed.\n * @returns Whether the signature is valid.\n */\nexport async function verifySignature(opts: {\n  cosePublicKey: COSEPublicKey;\n  signature: Uint8Array;\n  data: Uint8Array;\n}): Promise<boolean> {\n  const { cosePublicKey, signature, data } = opts;\n  const kty = getKeyType(cosePublicKey);\n\n  switch (kty) {\n    case COSEKTY.EC2:\n      return verifyEC2(cosePublicKey, signature, data);\n    case COSEKTY.OKP:\n      return verifyOKP(cosePublicKey, signature, data);\n    case COSEKTY.RSA:\n      return verifyRSA(cosePublicKey, signature, data);\n    default:\n      throw new Error(`Unsupported COSE key type: ${kty}`);\n  }\n}\n"]}

package/dist/webauthn/verify-signature.d.cts

@@ -0,0 +1,21 @@
+type COSEPublicKey = Map<number, number | Uint8Array>;
+/**
+ * Verify a WebAuthn signature using the appropriate algorithm based on
+ * the COSE key type.
+ *
+ * Uses @noble/curves for EC2 and OKP (synchronous, audited, handles DER
+ * natively). Falls back to Web Crypto API for RSA.
+ *
+ * @param opts - Options object.
+ * @param opts.cosePublicKey - COSE-encoded public key as a Map.
+ * @param opts.signature - The signature bytes.
+ * @param opts.data - The data that was signed.
+ * @returns Whether the signature is valid.
+ */
+export declare function verifySignature(opts: {
+    cosePublicKey: COSEPublicKey;
+    signature: Uint8Array;
+    data: Uint8Array;
+}): Promise<boolean>;
+export {};
+//# sourceMappingURL=verify-signature.d.cts.map

package/dist/webauthn/verify-signature.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-signature.d.cts","sourceRoot":"","sources":["../../src/webauthn/verify-signature.ts"],"names":[],"mappings":"AAQA,KAAK,aAAa,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAAC,CAAC;AAsLtD;;;;;;;;;;;;GAYG;AACH,wBAAsB,eAAe,CAAC,IAAI,EAAE;IAC1C,aAAa,EAAE,aAAa,CAAC;IAC7B,SAAS,EAAE,UAAU,CAAC;IACtB,IAAI,EAAE,UAAU,CAAC;CAClB,GAAG,OAAO,CAAC,OAAO,CAAC,CAcnB"}

package/dist/webauthn/verify-signature.d.mts

@@ -0,0 +1,21 @@
+type COSEPublicKey = Map<number, number | Uint8Array>;
+/**
+ * Verify a WebAuthn signature using the appropriate algorithm based on
+ * the COSE key type.
+ *
+ * Uses @noble/curves for EC2 and OKP (synchronous, audited, handles DER
+ * natively). Falls back to Web Crypto API for RSA.
+ *
+ * @param opts - Options object.
+ * @param opts.cosePublicKey - COSE-encoded public key as a Map.
+ * @param opts.signature - The signature bytes.
+ * @param opts.data - The data that was signed.
+ * @returns Whether the signature is valid.
+ */
+export declare function verifySignature(opts: {
+    cosePublicKey: COSEPublicKey;
+    signature: Uint8Array;
+    data: Uint8Array;
+}): Promise<boolean>;
+export {};
+//# sourceMappingURL=verify-signature.d.mts.map

package/dist/webauthn/verify-signature.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-signature.d.mts","sourceRoot":"","sources":["../../src/webauthn/verify-signature.ts"],"names":[],"mappings":"AAQA,KAAK,aAAa,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAAC,CAAC;AAsLtD;;;;;;;;;;;;GAYG;AACH,wBAAsB,eAAe,CAAC,IAAI,EAAE;IAC1C,aAAa,EAAE,aAAa,CAAC;IAC7B,SAAS,EAAE,UAAU,CAAC;IACtB,IAAI,EAAE,UAAU,CAAC;CAClB,GAAG,OAAO,CAAC,OAAO,CAAC,CAcnB"}

package/dist/webauthn/verify-signature.mjs

@@ -0,0 +1,172 @@
+import { concatBytes } from "@metamask/utils";
+import { ed25519 } from "@noble/curves/ed25519";
+import { p256, p384, p521 } from "@noble/curves/nist";
+import { sha256, sha384, sha512 } from "@noble/hashes/sha2";
+import { bytesToBase64URL } from "../utils/encoding.mjs";
+import { COSEALG, COSECRV, COSEKEYS, COSEKTY } from "./constants.mjs";
+/**
+ * Get the key type from a COSE public key map.
+ *
+ * @param cosePublicKey - COSE public key map.
+ * @returns The COSEKTY value.
+ */
+function getKeyType(cosePublicKey) {
+    const kty = cosePublicKey.get(COSEKEYS.Kty);
+    if (typeof kty !== 'number') {
+        throw new Error('COSE public key missing kty');
+    }
+    return kty;
+}
+/**
+ * Verify an EC2 (P-256, P-384, P-521) signature using @noble/curves.
+ *
+ * ECDSA requires the data to be hashed with the curve-appropriate
+ * algorithm before verification: SHA-256 for P-256 and SHA-384 for P-384.
+ *
+ * @param cosePublicKey - COSE-encoded EC2 public key.
+ * @param signature - DER-encoded ECDSA signature.
+ * @param data - Data that was signed.
+ * @returns Whether the signature is valid.
+ */
+function verifyEC2(cosePublicKey, signature, data) {
+    const alg = cosePublicKey.get(COSEKEYS.Alg);
+    const crv = cosePublicKey.get(COSEKEYS.Crv);
+    const xCoord = cosePublicKey.get(COSEKEYS.X);
+    const yCoord = cosePublicKey.get(COSEKEYS.Y);
+    if (typeof alg !== 'number') {
+        throw new Error('EC2 public key missing alg');
+    }
+    if (!xCoord || !yCoord) {
+        throw new Error('EC2 public key missing x or y coordinate');
+    }
+    const uncompressed = concatBytes([new Uint8Array([0x04]), xCoord, yCoord]);
+    switch (crv) {
+        case COSECRV.P256:
+            return p256.verify(signature, sha256(data), uncompressed);
+        case COSECRV.P384:
+            return p384.verify(signature, sha384(data), uncompressed);
+        case COSECRV.P521:
+            return p521.verify(signature, sha512(data), uncompressed);
+        default:
+            throw new Error(`Unsupported EC2 curve: ${crv}`);
+    }
+}
+/**
+ * Verify an OKP (Ed25519) signature using @noble/curves.
+ *
+ * @param cosePublicKey - COSE-encoded OKP public key.
+ * @param signature - Raw Ed25519 signature (64 bytes).
+ * @param data - Data that was signed.
+ * @returns Whether the signature is valid.
+ */
+function verifyOKP(cosePublicKey, signature, data) {
+    const alg = cosePublicKey.get(COSEKEYS.Alg);
+    const crv = cosePublicKey.get(COSEKEYS.Crv);
+    const xCoord = cosePublicKey.get(COSEKEYS.X);
+    if (alg !== COSEALG.EdDSA) {
+        throw new Error(`Unexpected OKP algorithm: ${String(alg)}`);
+    }
+    if (crv !== COSECRV.ED25519) {
+        throw new Error(`Unsupported OKP curve: ${String(crv)}`);
+    }
+    if (!xCoord) {
+        throw new Error('OKP public key missing x coordinate');
+    }
+    return ed25519.verify(signature, data, xCoord);
+}
+/**
+ * Verify an RSA signature using Web Crypto API.
+ *
+ * @param cosePublicKey - COSE-encoded RSA public key.
+ * @param signature - RSA PKCS#1 v1.5 signature.
+ * @param data - Data that was signed.
+ * @returns Whether the signature is valid.
+ */
+async function verifyRSA(cosePublicKey, signature, data) {
+    const alg = cosePublicKey.get(COSEKEYS.Alg);
+    const modulus = cosePublicKey.get(COSEKEYS.N);
+    const exponent = cosePublicKey.get(COSEKEYS.E);
+    if (typeof alg !== 'number') {
+        throw new Error('RSA public key missing alg');
+    }
+    if (!modulus || !exponent) {
+        throw new Error('RSA public key missing n or e');
+    }
+    let keyAlgorithmName;
+    let hashAlg;
+    let saltLength;
+    switch (alg) {
+        case COSEALG.RS1:
+            keyAlgorithmName = 'RSASSA-PKCS1-v1_5';
+            hashAlg = 'SHA-1';
+            break;
+        case COSEALG.RS256:
+            keyAlgorithmName = 'RSASSA-PKCS1-v1_5';
+            hashAlg = 'SHA-256';
+            break;
+        case COSEALG.RS384:
+            keyAlgorithmName = 'RSASSA-PKCS1-v1_5';
+            hashAlg = 'SHA-384';
+            break;
+        case COSEALG.RS512:
+            keyAlgorithmName = 'RSASSA-PKCS1-v1_5';
+            hashAlg = 'SHA-512';
+            break;
+        case COSEALG.PS256:
+            keyAlgorithmName = 'RSA-PSS';
+            hashAlg = 'SHA-256';
+            saltLength = 32;
+            break;
+        case COSEALG.PS384:
+            keyAlgorithmName = 'RSA-PSS';
+            hashAlg = 'SHA-384';
+            saltLength = 48;
+            break;
+        case COSEALG.PS512:
+            keyAlgorithmName = 'RSA-PSS';
+            hashAlg = 'SHA-512';
+            saltLength = 64;
+            break;
+        default:
+            throw new Error(`Unsupported RSA algorithm: ${alg}`);
+    }
+    const key = await globalThis.crypto.subtle.importKey('jwk', {
+        kty: 'RSA',
+        n: bytesToBase64URL(modulus),
+        e: bytesToBase64URL(exponent),
+    }, { name: keyAlgorithmName, hash: { name: hashAlg } }, false, ['verify']);
+    const verifyAlgorithm = keyAlgorithmName === 'RSA-PSS'
+        ? { name: 'RSA-PSS', saltLength: saltLength }
+        : 'RSASSA-PKCS1-v1_5';
+    const signatureBytes = Uint8Array.from(signature);
+    const dataBytes = Uint8Array.from(data);
+    return globalThis.crypto.subtle.verify(verifyAlgorithm, key, signatureBytes, dataBytes);
+}
+/**
+ * Verify a WebAuthn signature using the appropriate algorithm based on
+ * the COSE key type.
+ *
+ * Uses @noble/curves for EC2 and OKP (synchronous, audited, handles DER
+ * natively). Falls back to Web Crypto API for RSA.
+ *
+ * @param opts - Options object.
+ * @param opts.cosePublicKey - COSE-encoded public key as a Map.
+ * @param opts.signature - The signature bytes.
+ * @param opts.data - The data that was signed.
+ * @returns Whether the signature is valid.
+ */
+export async function verifySignature(opts) {
+    const { cosePublicKey, signature, data } = opts;
+    const kty = getKeyType(cosePublicKey);
+    switch (kty) {
+        case COSEKTY.EC2:
+            return verifyEC2(cosePublicKey, signature, data);
+        case COSEKTY.OKP:
+            return verifyOKP(cosePublicKey, signature, data);
+        case COSEKTY.RSA:
+            return verifyRSA(cosePublicKey, signature, data);
+        default:
+            throw new Error(`Unsupported COSE key type: ${kty}`);
+    }
+}
+//# sourceMappingURL=verify-signature.mjs.map