@motebit/verify 1.0.0 → 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +14 -10
- package/dist/adapters.d.ts +66 -26
- package/dist/adapters.d.ts.map +1 -1
- package/dist/adapters.js +27 -5
- package/dist/adapters.js.map +1 -1
- package/dist/cli.d.ts +5 -3
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +75 -11
- package/dist/cli.js.map +1 -1
- package/dist/index.d.ts +6 -3
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +6 -3
- package/dist/index.js.map +1 -1
- package/package.json +11 -8
package/README.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# @motebit/verify
|
|
2
2
|
|
|
3
|
-
The canonical motebit
|
|
3
|
+
The canonical `motebit-verify` command-line tool. A single binary that verifies any signed motebit artifact — identity files, execution receipts, credentials, presentations — including credentials carrying hardware-attestation claims under any of the four canonical sovereign-verifiable platforms (Apple App Attest, Android Hardware-Backed Keystore Attestation, TPM 2.0, WebAuthn) plus the deprecated Play Integrity adapter bundled for one minor cycle for backward compat with already-minted credentials.
|
|
4
4
|
|
|
5
5
|
Network-free. No relay contact, no external service, no cloud dependency. Every trust anchor is pinned in the installed package.
|
|
6
6
|
|
|
@@ -26,15 +26,16 @@ VALID (credential)
|
|
|
26
26
|
| W3C VerifiableCredentials | `eddsa-jcs-2022` proof, hardware-attestation channel if present |
|
|
27
27
|
| VerifiablePresentations | Signed envelope + every embedded credential |
|
|
28
28
|
|
|
29
|
-
Hardware-attestation channel covers
|
|
29
|
+
Hardware-attestation channel covers every currently-shipped platform:
|
|
30
30
|
|
|
31
|
-
| Platform
|
|
32
|
-
|
|
|
33
|
-
| `secure_enclave`
|
|
34
|
-
| `device_check`
|
|
35
|
-
| `tpm`
|
|
36
|
-
| `
|
|
37
|
-
| `webauthn`
|
|
31
|
+
| Platform | Adapter | Trust anchor |
|
|
32
|
+
| ------------------------------- | ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
33
|
+
| `secure_enclave` | `@motebit/crypto` (built-in) | ECDSA-P256 signature; self-asserted SE public key |
|
|
34
|
+
| `device_check` | `@motebit/crypto-appattest` | Pinned Apple App Attestation Root CA |
|
|
35
|
+
| `tpm` | `@motebit/crypto-tpm` | Pinned Infineon / Nuvoton / STMicro / Intel PTT vendor roots |
|
|
36
|
+
| `android_keystore` | `@motebit/crypto-android-keystore` | Pinned Google Hardware Attestation roots (RSA + ECDSA P-384) |
|
|
37
|
+
| `webauthn` | `@motebit/crypto-webauthn` | Pinned Apple / Yubico / Microsoft FIDO roots |
|
|
38
|
+
| `play_integrity` _(deprecated)_ | `@motebit/crypto-play-integrity` | Operator-supplied JWKS (no global Google JWKS exists; bundled for one minor cycle for backward compat — see `docs/doctrine/hardware-attestation.md`) |
|
|
38
39
|
|
|
39
40
|
Unknown platform → named error, fail-closed. Missing adapter context → named error, fail-closed. Never silent acceptance.
|
|
40
41
|
|
|
@@ -49,10 +50,13 @@ motebit-verify <file> --clock-skew 30 # allow N seconds of clock drift
|
|
|
49
50
|
# Platform overrides (defaults match motebit's canonical identifiers)
|
|
50
51
|
motebit-verify <file> \
|
|
51
52
|
--bundle-id com.example.app \
|
|
53
|
+
--android-attestation-application-id ./app-id.bin \
|
|
52
54
|
--android-package com.example.app \
|
|
53
55
|
--rp-id example.com
|
|
54
56
|
```
|
|
55
57
|
|
|
58
|
+
**Verifying `android_keystore` credentials requires `--android-attestation-application-id`.** The flag's value is a path to a binary file containing the raw bytes of the leaf cert's `attestationApplicationId` extension — operators capture this once at build time (deterministic from the registered Android package name + signing-cert SHA-256) and commit the file alongside other pinned config. Without the flag, the Android Keystore arm is intentionally unwired (passing a placeholder would false-reject every real claim); the dispatcher reports `"verifier not wired"`. The legacy `--android-package` flag still configures the deprecated Play Integrity adapter for backward-compat with already-minted credentials.
|
|
59
|
+
|
|
56
60
|
Exit codes:
|
|
57
61
|
|
|
58
62
|
- `0` — artifact verified (including hardware-attestation channel)
|
|
@@ -85,7 +89,7 @@ This package sits at the top of a deliberate three-layer split — the same shap
|
|
|
85
89
|
All three are Apache-2.0 with explicit patent grant — the full verification surface ships under the permissive floor. The BSL line stays at `motebit` (the operator console) and everything below it, where the motebit-proprietary judgment actually lives.
|
|
86
90
|
|
|
87
91
|
- Install **`@motebit/verify`** when you want the command-line tool with every platform bundled. One install, verify anything offline, no license friction in CI pipelines.
|
|
88
|
-
- Install **`@motebit/verifier`** when you're writing TypeScript code that needs to read + verify motebit artifacts programmatically and want the dep-thin library without the
|
|
92
|
+
- Install **`@motebit/verifier`** when you're writing TypeScript code that needs to read + verify motebit artifacts programmatically and want the dep-thin library without the bundled platform adapters.
|
|
89
93
|
- Install **`@motebit/crypto`** when you want the primitives — the verify dispatcher, sign APIs, suite registry — to build your own verification tooling from scratch.
|
|
90
94
|
|
|
91
95
|
## Superseding the deprecated `@motebit/verify@0.x`
|
package/dist/adapters.d.ts
CHANGED
|
@@ -2,25 +2,38 @@
|
|
|
2
2
|
* Bundled-adapter wiring — the core reason this package exists.
|
|
3
3
|
*
|
|
4
4
|
* `@motebit/verifier` (Apache-2.0) accepts an optional
|
|
5
|
-
* `HardwareAttestationVerifiers` record but wires none of the
|
|
6
|
-
*
|
|
7
|
-
*
|
|
8
|
-
* `@motebit/crypto-
|
|
9
|
-
* `@motebit/crypto-webauthn
|
|
10
|
-
*
|
|
11
|
-
*
|
|
12
|
-
*
|
|
13
|
-
*
|
|
14
|
-
* of
|
|
5
|
+
* `HardwareAttestationVerifiers` record but wires none of the leaves
|
|
6
|
+
* itself; that keeps it dep-thin. This Apache-2.0 aggregator imports
|
|
7
|
+
* every leaf (`@motebit/crypto-appattest`,
|
|
8
|
+
* `@motebit/crypto-android-keystore`, `@motebit/crypto-tpm`,
|
|
9
|
+
* `@motebit/crypto-webauthn`, plus the deprecated
|
|
10
|
+
* `@motebit/crypto-play-integrity` for backward compatibility during
|
|
11
|
+
* its 1.x deprecation cycle) and produces a single
|
|
12
|
+
* `HardwareAttestationVerifiers` object the CLI hands to `verifyFile`.
|
|
13
|
+
* Any credential whose subject carries a hardware-attestation claim
|
|
14
|
+
* for any of the canonical platforms now verifies end-to-end — chain
|
|
15
|
+
* + nonce + bundle + identity — instead of returning the
|
|
16
|
+
* `adapter not yet shipped` sentinel.
|
|
15
17
|
*
|
|
16
18
|
* Defaults match motebit's canonical app identifiers:
|
|
17
|
-
* - App Attest
|
|
18
|
-
* -
|
|
19
|
-
*
|
|
20
|
-
*
|
|
19
|
+
* - App Attest → bundleId `com.motebit.mobile`
|
|
20
|
+
* - Android Keystore → caller-supplied attestationApplicationId (no
|
|
21
|
+
* canonical default — the bytes are
|
|
22
|
+
* deterministic from `(packageName, signing-cert
|
|
23
|
+
* SHA-256)` known at the operator's build time;
|
|
24
|
+
* no analogous "magic string" fits)
|
|
25
|
+
* - WebAuthn → rpId `motebit.com`
|
|
26
|
+
* - TPM → the pinned vendor roots in `@motebit/crypto-tpm`
|
|
21
27
|
*
|
|
22
28
|
* Operators verifying credentials from a different motebit deployment
|
|
23
29
|
* can override any of these via the config parameter.
|
|
30
|
+
*
|
|
31
|
+
* Play Integrity (deprecated): wired for one minor cycle so
|
|
32
|
+
* already-minted credentials carrying `platform: "play_integrity"`
|
|
33
|
+
* continue to verify cleanly through the same CLI invocation. New
|
|
34
|
+
* mobile builds emit `platform: "android_keystore"` instead — see
|
|
35
|
+
* `docs/doctrine/hardware-attestation.md` § "Three architectural
|
|
36
|
+
* categories".
|
|
24
37
|
*/
|
|
25
38
|
import type { HardwareAttestationVerifiers } from "@motebit/crypto";
|
|
26
39
|
import { type GoogleJwks } from "@motebit/crypto-play-integrity";
|
|
@@ -39,20 +52,42 @@ export interface HardwareVerifierBundleConfig {
|
|
|
39
52
|
*/
|
|
40
53
|
readonly appAttestRootPem?: string;
|
|
41
54
|
/**
|
|
42
|
-
*
|
|
43
|
-
*
|
|
55
|
+
* Android Hardware-Backed Keystore Attestation — `attestationApplicationId`
|
|
56
|
+
* bytes (raw, captured-from-leaf-cert form) the leaf cert MUST carry.
|
|
57
|
+
* Required at wiring time when verifying Android-Keystore-attested
|
|
58
|
+
* credentials. Operators compute this at build time as
|
|
59
|
+
* `(packageName, signing-cert SHA-256)` and pin the result here; the
|
|
60
|
+
* verifier byte-compares against the leaf's KeyDescription extension.
|
|
61
|
+
* Absent → the Android Keystore arm is not wired and the canonical
|
|
62
|
+
* dispatcher returns "verifier not wired".
|
|
63
|
+
*/
|
|
64
|
+
readonly androidKeystoreExpectedAttestationApplicationId?: Uint8Array;
|
|
65
|
+
/**
|
|
66
|
+
* Android Hardware-Backed Keystore Attestation — override the pinned
|
|
67
|
+
* Google attestation roots. Defaults to
|
|
68
|
+
* `DEFAULT_ANDROID_KEYSTORE_TRUST_ANCHORS` (RSA-4096 + ECDSA P-384,
|
|
69
|
+
* covering both pre- and post-rotation device fleets).
|
|
70
|
+
*/
|
|
71
|
+
readonly androidKeystoreRootPems?: ReadonlyArray<string>;
|
|
72
|
+
/**
|
|
73
|
+
* Google Play Integrity (DEPRECATED) — Android package name the
|
|
74
|
+
* attested app was built with. Defaults to `com.motebit.mobile`.
|
|
75
|
+
* Wired during the `@motebit/crypto-play-integrity@1.x`
|
|
76
|
+
* deprecation cycle so already-minted credentials continue to
|
|
77
|
+
* verify; new mobile builds emit `platform: "android_keystore"`.
|
|
44
78
|
*/
|
|
45
79
|
readonly playIntegrityPackageName?: string;
|
|
46
80
|
/**
|
|
47
|
-
* Google Play Integrity — override the pinned JWKS.
|
|
48
|
-
* default
|
|
49
|
-
*
|
|
81
|
+
* Google Play Integrity (DEPRECATED) — override the pinned JWKS.
|
|
82
|
+
* Fail-closed by default — see the structural-mismatch note in
|
|
83
|
+
* `@motebit/crypto-play-integrity`'s CLAUDE.md (no global Google
|
|
84
|
+
* JWKS exists; this verifier is operator-key-mediated rather than
|
|
85
|
+
* sovereign-verifiable, which is why it's been deprecated).
|
|
50
86
|
*/
|
|
51
87
|
readonly playIntegrityPinnedJwks?: GoogleJwks;
|
|
52
88
|
/**
|
|
53
|
-
* Google Play Integrity — relax the device-integrity
|
|
54
|
-
* to the strict `"MEETS_DEVICE_INTEGRITY"`.
|
|
55
|
-
* scenarios may lower to `"MEETS_BASIC_INTEGRITY"`.
|
|
89
|
+
* Google Play Integrity (DEPRECATED) — relax the device-integrity
|
|
90
|
+
* floor. Defaults to the strict `"MEETS_DEVICE_INTEGRITY"`.
|
|
56
91
|
*/
|
|
57
92
|
readonly playIntegrityRequiredDeviceIntegrity?: string;
|
|
58
93
|
/**
|
|
@@ -73,20 +108,25 @@ export interface HardwareVerifierBundleConfig {
|
|
|
73
108
|
readonly tpmRootPems?: ReadonlyArray<string>;
|
|
74
109
|
}
|
|
75
110
|
/**
|
|
76
|
-
* Build the full `HardwareAttestationVerifiers` object covering
|
|
77
|
-
* platform
|
|
111
|
+
* Build the full `HardwareAttestationVerifiers` object covering every
|
|
112
|
+
* canonical platform adapter. Pass the result to `verifyFile`:
|
|
78
113
|
*
|
|
79
114
|
* ```ts
|
|
80
115
|
* import { verifyFile } from "@motebit/verifier";
|
|
81
116
|
* import { buildHardwareVerifiers } from "@motebit/verify";
|
|
82
117
|
*
|
|
83
118
|
* const result = await verifyFile("cred.json", {
|
|
84
|
-
* hardwareAttestation: buildHardwareVerifiers(
|
|
119
|
+
* hardwareAttestation: buildHardwareVerifiers({
|
|
120
|
+
* androidKeystoreExpectedAttestationApplicationId: appIdBytes,
|
|
121
|
+
* }),
|
|
85
122
|
* });
|
|
86
123
|
* ```
|
|
87
124
|
*
|
|
88
125
|
* Pure function: every dependency is captured at factory time and the
|
|
89
|
-
* returned verifiers are idempotent across calls.
|
|
126
|
+
* returned verifiers are idempotent across calls. The Android Keystore
|
|
127
|
+
* arm is wired only when `androidKeystoreExpectedAttestationApplicationId`
|
|
128
|
+
* is supplied — there is no canonical default for the leaf-cert
|
|
129
|
+
* package binding, by design.
|
|
90
130
|
*/
|
|
91
131
|
export declare function buildHardwareVerifiers(config?: HardwareVerifierBundleConfig): HardwareAttestationVerifiers;
|
|
92
132
|
//# sourceMappingURL=adapters.d.ts.map
|
package/dist/adapters.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"adapters.d.ts","sourceRoot":"","sources":["../src/adapters.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"adapters.d.ts","sourceRoot":"","sources":["../src/adapters.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,iBAAiB,CAAC;AAIpE,OAAO,EAAyB,KAAK,UAAU,EAAE,MAAM,gCAAgC,CAAC;AAIxF,MAAM,WAAW,4BAA4B;IAC3C;;;;OAIG;IACH,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC;;;;;OAKG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC;;;;;;;;;OASG;IACH,QAAQ,CAAC,+CAA+C,CAAC,EAAE,UAAU,CAAC;IACtE;;;;;OAKG;IACH,QAAQ,CAAC,uBAAuB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACzD;;;;;;OAMG;IACH,QAAQ,CAAC,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAC3C;;;;;;OAMG;IACH,QAAQ,CAAC,uBAAuB,CAAC,EAAE,UAAU,CAAC;IAC9C;;;OAGG;IACH,QAAQ,CAAC,oCAAoC,CAAC,EAAE,MAAM,CAAC;IACvD;;;OAGG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAClD;;;;OAIG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC9C;AAOD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,sBAAsB,CACpC,MAAM,CAAC,EAAE,4BAA4B,GACpC,4BAA4B,CA4C9B"}
|
package/dist/adapters.js
CHANGED
|
@@ -1,4 +1,6 @@
|
|
|
1
|
+
import { androidKeystoreVerifier } from "@motebit/crypto-android-keystore";
|
|
1
2
|
import { deviceCheckVerifier, APPLE_APPATTEST_ROOT_PEM } from "@motebit/crypto-appattest";
|
|
3
|
+
// eslint-disable-next-line @typescript-eslint/no-deprecated -- consumed for one minor deprecation cycle so already-minted Play Integrity claims continue to verify; removed at @motebit/crypto-play-integrity@2.0.0.
|
|
2
4
|
import { playIntegrityVerifier } from "@motebit/crypto-play-integrity";
|
|
3
5
|
import { tpmVerifier } from "@motebit/crypto-tpm";
|
|
4
6
|
import { webauthnVerifier, DEFAULT_FIDO_ROOTS } from "@motebit/crypto-webauthn";
|
|
@@ -7,26 +9,31 @@ const DEFAULT_BUNDLE_ID = "com.motebit.mobile";
|
|
|
7
9
|
/** Motebit's canonical Relying Party ID for WebAuthn credentials. */
|
|
8
10
|
const DEFAULT_WEBAUTHN_RP_ID = "motebit.com";
|
|
9
11
|
/**
|
|
10
|
-
* Build the full `HardwareAttestationVerifiers` object covering
|
|
11
|
-
* platform
|
|
12
|
+
* Build the full `HardwareAttestationVerifiers` object covering every
|
|
13
|
+
* canonical platform adapter. Pass the result to `verifyFile`:
|
|
12
14
|
*
|
|
13
15
|
* ```ts
|
|
14
16
|
* import { verifyFile } from "@motebit/verifier";
|
|
15
17
|
* import { buildHardwareVerifiers } from "@motebit/verify";
|
|
16
18
|
*
|
|
17
19
|
* const result = await verifyFile("cred.json", {
|
|
18
|
-
* hardwareAttestation: buildHardwareVerifiers(
|
|
20
|
+
* hardwareAttestation: buildHardwareVerifiers({
|
|
21
|
+
* androidKeystoreExpectedAttestationApplicationId: appIdBytes,
|
|
22
|
+
* }),
|
|
19
23
|
* });
|
|
20
24
|
* ```
|
|
21
25
|
*
|
|
22
26
|
* Pure function: every dependency is captured at factory time and the
|
|
23
|
-
* returned verifiers are idempotent across calls.
|
|
27
|
+
* returned verifiers are idempotent across calls. The Android Keystore
|
|
28
|
+
* arm is wired only when `androidKeystoreExpectedAttestationApplicationId`
|
|
29
|
+
* is supplied — there is no canonical default for the leaf-cert
|
|
30
|
+
* package binding, by design.
|
|
24
31
|
*/
|
|
25
32
|
export function buildHardwareVerifiers(config) {
|
|
26
33
|
const appAttestBundleId = config?.appAttestBundleId ?? DEFAULT_BUNDLE_ID;
|
|
27
34
|
const playIntegrityPackageName = config?.playIntegrityPackageName ?? DEFAULT_BUNDLE_ID;
|
|
28
35
|
const webauthnRpId = config?.webauthnRpId ?? DEFAULT_WEBAUTHN_RP_ID;
|
|
29
|
-
|
|
36
|
+
const verifiers = {
|
|
30
37
|
deviceCheck: deviceCheckVerifier({
|
|
31
38
|
expectedBundleId: appAttestBundleId,
|
|
32
39
|
rootPem: config?.appAttestRootPem ?? APPLE_APPATTEST_ROOT_PEM,
|
|
@@ -34,6 +41,7 @@ export function buildHardwareVerifiers(config) {
|
|
|
34
41
|
tpm: tpmVerifier({
|
|
35
42
|
...(config?.tpmRootPems !== undefined ? { rootPems: config.tpmRootPems } : {}),
|
|
36
43
|
}),
|
|
44
|
+
// eslint-disable-next-line @typescript-eslint/no-deprecated -- one-minor-cycle backward compat for already-minted Play Integrity credentials; removed at @motebit/crypto-play-integrity@2.0.0.
|
|
37
45
|
playIntegrity: playIntegrityVerifier({
|
|
38
46
|
expectedPackageName: playIntegrityPackageName,
|
|
39
47
|
...(config?.playIntegrityPinnedJwks !== undefined
|
|
@@ -48,5 +56,19 @@ export function buildHardwareVerifiers(config) {
|
|
|
48
56
|
rootPems: config?.webauthnRootPems ?? DEFAULT_FIDO_ROOTS,
|
|
49
57
|
}),
|
|
50
58
|
};
|
|
59
|
+
// Android Keystore is wired only when the operator has supplied the
|
|
60
|
+
// expected `attestationApplicationId`. Leaving it unwired makes the
|
|
61
|
+
// canonical dispatcher report "verifier not wired" with a clear
|
|
62
|
+
// message — preferable to passing a placeholder that would
|
|
63
|
+
// false-reject every real claim.
|
|
64
|
+
if (config?.androidKeystoreExpectedAttestationApplicationId !== undefined) {
|
|
65
|
+
verifiers.androidKeystore = androidKeystoreVerifier({
|
|
66
|
+
expectedAttestationApplicationId: config.androidKeystoreExpectedAttestationApplicationId,
|
|
67
|
+
...(config.androidKeystoreRootPems !== undefined
|
|
68
|
+
? { rootPems: config.androidKeystoreRootPems }
|
|
69
|
+
: {}),
|
|
70
|
+
});
|
|
71
|
+
}
|
|
72
|
+
return verifiers;
|
|
51
73
|
}
|
|
52
74
|
//# sourceMappingURL=adapters.js.map
|
package/dist/adapters.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"adapters.js","sourceRoot":"","sources":["../src/adapters.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"adapters.js","sourceRoot":"","sources":["../src/adapters.ts"],"names":[],"mappings":"AAsCA,OAAO,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAC3E,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AAC1F,qNAAqN;AACrN,OAAO,EAAE,qBAAqB,EAAmB,MAAM,gCAAgC,CAAC;AACxF,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAyEhF,wDAAwD;AACxD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC;AAC/C,qEAAqE;AACrE,MAAM,sBAAsB,GAAG,aAAa,CAAC;AAE7C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,sBAAsB,CACpC,MAAqC;IAErC,MAAM,iBAAiB,GAAG,MAAM,EAAE,iBAAiB,IAAI,iBAAiB,CAAC;IACzE,MAAM,wBAAwB,GAAG,MAAM,EAAE,wBAAwB,IAAI,iBAAiB,CAAC;IACvF,MAAM,YAAY,GAAG,MAAM,EAAE,YAAY,IAAI,sBAAsB,CAAC;IAEpE,MAAM,SAAS,GAA0C;QACvD,WAAW,EAAE,mBAAmB,CAAC;YAC/B,gBAAgB,EAAE,iBAAiB;YACnC,OAAO,EAAE,MAAM,EAAE,gBAAgB,IAAI,wBAAwB;SAC9D,CAAC;QACF,GAAG,EAAE,WAAW,CAAC;YACf,GAAG,CAAC,MAAM,EAAE,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC/E,CAAC;QACF,+LAA+L;QAC/L,aAAa,EAAE,qBAAqB,CAAC;YACnC,mBAAmB,EAAE,wBAAwB;YAC7C,GAAG,CAAC,MAAM,EAAE,uBAAuB,KAAK,SAAS;gBAC/C,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,uBAAuB,EAAE;gBAChD,CAAC,CAAC,EAAE,CAAC;YACP,GAAG,CAAC,MAAM,EAAE,oCAAoC,KAAK,SAAS;gBAC5D,CAAC,CAAC,EAAE,uBAAuB,EAAE,MAAM,CAAC,oCAAoC,EAAE;gBAC1E,CAAC,CAAC,EAAE,CAAC;SACR,CAAC;QACF,QAAQ,EAAE,gBAAgB,CAAC;YACzB,YAAY,EAAE,YAAY;YAC1B,QAAQ,EAAE,MAAM,EAAE,gBAAgB,IAAI,kBAAkB;SACzD,CAAC;KACH,CAAC;IAEF,oEAAoE;IACpE,oEAAoE;IACpE,gEAAgE;IAChE,2DAA2D;IAC3D,iCAAiC;IACjC,IAAI,MAAM,EAAE,+CAA+C,KAAK,SAAS,EAAE,CAAC;QAC1E,SAAS,CAAC,eAAe,GAAG,uBAAuB,CAAC;YAClD,gCAAgC,EAAE,MAAM,CAAC,+CAA+C;YACxF,GAAG,CAAC,MAAM,CAAC,uBAAuB,KAAK,SAAS;gBAC9C,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,uBAAuB,EAAE;gBAC9C,CAAC,CAAC,EAAE,CAAC;SACR,CAAC,CAAC;IACL,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC"}
|
package/dist/cli.d.ts
CHANGED
|
@@ -5,8 +5,10 @@
|
|
|
5
5
|
* Verifies identity files, execution receipts, credentials, and
|
|
6
6
|
* presentations against their embedded signatures. When a credential
|
|
7
7
|
* carries a `hardware_attestation` claim for `device_check` / `tpm` /
|
|
8
|
-
* `
|
|
9
|
-
*
|
|
8
|
+
* `android_keystore` / `webauthn` (plus the deprecated `play_integrity`
|
|
9
|
+
* for backward compat with already-minted credentials), the bundled
|
|
10
|
+
* platform adapters verify the chain, extension, package binding, and
|
|
11
|
+
* identity binding end-to-end.
|
|
10
12
|
*
|
|
11
13
|
* ```
|
|
12
14
|
* motebit-verify <file> # auto-detect, print human
|
|
@@ -18,7 +20,7 @@
|
|
|
18
20
|
* # motebit's canonical identifiers).
|
|
19
21
|
* motebit-verify <file> \
|
|
20
22
|
* --bundle-id com.example.app \
|
|
21
|
-
* --android-
|
|
23
|
+
* --android-attestation-application-id ./app-id.bin \
|
|
22
24
|
* --rp-id example.com
|
|
23
25
|
* ```
|
|
24
26
|
*
|
package/dist/cli.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA
|
|
1
|
+
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG"}
|
package/dist/cli.js
CHANGED
|
@@ -5,8 +5,10 @@
|
|
|
5
5
|
* Verifies identity files, execution receipts, credentials, and
|
|
6
6
|
* presentations against their embedded signatures. When a credential
|
|
7
7
|
* carries a `hardware_attestation` claim for `device_check` / `tpm` /
|
|
8
|
-
* `
|
|
9
|
-
*
|
|
8
|
+
* `android_keystore` / `webauthn` (plus the deprecated `play_integrity`
|
|
9
|
+
* for backward compat with already-minted credentials), the bundled
|
|
10
|
+
* platform adapters verify the chain, extension, package binding, and
|
|
11
|
+
* identity binding end-to-end.
|
|
10
12
|
*
|
|
11
13
|
* ```
|
|
12
14
|
* motebit-verify <file> # auto-detect, print human
|
|
@@ -18,7 +20,7 @@
|
|
|
18
20
|
* # motebit's canonical identifiers).
|
|
19
21
|
* motebit-verify <file> \
|
|
20
22
|
* --bundle-id com.example.app \
|
|
21
|
-
* --android-
|
|
23
|
+
* --android-attestation-application-id ./app-id.bin \
|
|
22
24
|
* --rp-id example.com
|
|
23
25
|
* ```
|
|
24
26
|
*
|
|
@@ -49,6 +51,7 @@ const EXPECT_VALUES = [
|
|
|
49
51
|
"receipt",
|
|
50
52
|
"credential",
|
|
51
53
|
"presentation",
|
|
54
|
+
"skill",
|
|
52
55
|
];
|
|
53
56
|
function parseArgs(argv) {
|
|
54
57
|
let file;
|
|
@@ -57,6 +60,7 @@ function parseArgs(argv) {
|
|
|
57
60
|
let clockSkewSeconds;
|
|
58
61
|
let bundleId;
|
|
59
62
|
let androidPackage;
|
|
63
|
+
let androidAttestationApplicationIdPath;
|
|
60
64
|
let rpId;
|
|
61
65
|
let help = false;
|
|
62
66
|
let version = false;
|
|
@@ -118,6 +122,22 @@ function parseArgs(argv) {
|
|
|
118
122
|
i += 2;
|
|
119
123
|
break;
|
|
120
124
|
}
|
|
125
|
+
case "--android-attestation-application-id": {
|
|
126
|
+
// Path to a binary file containing the raw bytes of the leaf
|
|
127
|
+
// cert's `attestationApplicationId` extension value. Operators
|
|
128
|
+
// capture this once at build time (deterministic from the
|
|
129
|
+
// package name + signing-cert SHA-256) and pin the result;
|
|
130
|
+
// the verifier byte-compares against the leaf's KeyDescription
|
|
131
|
+
// extension. File-only intentionally — typical AAID is 50-200
|
|
132
|
+
// bytes, unwieldy on the command line as hex.
|
|
133
|
+
const value = argv[i + 1];
|
|
134
|
+
if (value === undefined) {
|
|
135
|
+
return usage("--android-attestation-application-id requires a path to a binary file");
|
|
136
|
+
}
|
|
137
|
+
androidAttestationApplicationIdPath = value;
|
|
138
|
+
i += 2;
|
|
139
|
+
break;
|
|
140
|
+
}
|
|
121
141
|
case "--rp-id": {
|
|
122
142
|
const value = argv[i + 1];
|
|
123
143
|
if (value === undefined)
|
|
@@ -151,6 +171,9 @@ function parseArgs(argv) {
|
|
|
151
171
|
...(clockSkewSeconds !== undefined && { clockSkewSeconds }),
|
|
152
172
|
...(bundleId !== undefined && { bundleId }),
|
|
153
173
|
...(androidPackage !== undefined && { androidPackage }),
|
|
174
|
+
...(androidAttestationApplicationIdPath !== undefined && {
|
|
175
|
+
androidAttestationApplicationIdPath,
|
|
176
|
+
}),
|
|
154
177
|
...(rpId !== undefined && { rpId }),
|
|
155
178
|
};
|
|
156
179
|
}
|
|
@@ -159,10 +182,17 @@ function usage(message) {
|
|
|
159
182
|
}
|
|
160
183
|
function renderHelp() {
|
|
161
184
|
return [
|
|
162
|
-
"motebit-verify —
|
|
185
|
+
"motebit-verify — verify any signed Motebit artifact offline.",
|
|
163
186
|
"",
|
|
164
187
|
"USAGE",
|
|
165
|
-
" motebit-verify <
|
|
188
|
+
" motebit-verify <path> [options]",
|
|
189
|
+
"",
|
|
190
|
+
" <path> may be a single file (identity, receipt, credential, presentation,",
|
|
191
|
+
" or a skill envelope JSON) OR a skill directory containing SKILL.md +",
|
|
192
|
+
" skill-envelope.json (plus any auxiliary files declared in",
|
|
193
|
+
" envelope.files[]). Skill directories run the full envelope-sig +",
|
|
194
|
+
" body-hash + per-file-hash cross-check; single-file inputs run the",
|
|
195
|
+
" artifact's own signature check.",
|
|
166
196
|
"",
|
|
167
197
|
"OPTIONS",
|
|
168
198
|
" --json Print structured JSON instead of human-readable.",
|
|
@@ -171,7 +201,18 @@ function renderHelp() {
|
|
|
171
201
|
" --bundle-id <id> Override the expected iOS bundle ID for App Attest",
|
|
172
202
|
" (default: com.motebit.mobile).",
|
|
173
203
|
" --android-package <name> Override the expected Android package name for",
|
|
174
|
-
" Play Integrity
|
|
204
|
+
" the deprecated Play Integrity adapter",
|
|
205
|
+
" (default: com.motebit.mobile).",
|
|
206
|
+
" --android-attestation-application-id <path>",
|
|
207
|
+
" Path to a binary file containing the raw bytes",
|
|
208
|
+
" of the leaf cert's `attestationApplicationId`",
|
|
209
|
+
" extension value. REQUIRED to verify any",
|
|
210
|
+
" `android_keystore` credential — without it,",
|
|
211
|
+
" the Android Keystore arm is not wired and",
|
|
212
|
+
" the dispatcher reports 'verifier not wired'.",
|
|
213
|
+
" Capture once at build time from the registered",
|
|
214
|
+
" Android package + signing-cert hash; commit",
|
|
215
|
+
" alongside other pinned config.",
|
|
175
216
|
" --rp-id <id> Override the expected WebAuthn Relying Party ID",
|
|
176
217
|
" (default: motebit.com).",
|
|
177
218
|
" -h, --help Show this help.",
|
|
@@ -182,11 +223,19 @@ function renderHelp() {
|
|
|
182
223
|
" 1 Artifact invalid (signature, expiry, hardware-channel chain / nonce / bundle).",
|
|
183
224
|
" 2 Usage or I/O error.",
|
|
184
225
|
"",
|
|
185
|
-
"PLATFORMS WIRED",
|
|
186
|
-
" device_check
|
|
187
|
-
" tpm
|
|
188
|
-
"
|
|
189
|
-
"
|
|
226
|
+
"PLATFORMS WIRED (canonical)",
|
|
227
|
+
" device_check Apple App Attest (pinned Apple root)",
|
|
228
|
+
" tpm TPM 2.0 (pinned Infineon / Nuvoton / STMicro / Intel PTT roots)",
|
|
229
|
+
" android_keystore Android Hardware-Backed Keystore Attestation",
|
|
230
|
+
" (pinned Google attestation roots; requires",
|
|
231
|
+
" --android-attestation-application-id)",
|
|
232
|
+
" webauthn WebAuthn packed attestation (pinned Apple / Yubico / Microsoft)",
|
|
233
|
+
"",
|
|
234
|
+
"PLATFORMS WIRED (deprecated, removed at @motebit/crypto-play-integrity@2.0.0)",
|
|
235
|
+
" play_integrity Google Play Integrity (operator-supplied JWKS;",
|
|
236
|
+
" no global Google JWKS exists by Google's design.",
|
|
237
|
+
" See docs/doctrine/hardware-attestation.md § 'Three",
|
|
238
|
+
" architectural categories' for the structural reason.)",
|
|
190
239
|
].join("\n");
|
|
191
240
|
}
|
|
192
241
|
let cachedVersion;
|
|
@@ -223,9 +272,24 @@ async function main() {
|
|
|
223
272
|
process.stderr.write(`motebit-verify: missing file argument\n\n${renderHelp()}\n`);
|
|
224
273
|
return 2;
|
|
225
274
|
}
|
|
275
|
+
let androidKeystoreExpectedAttestationApplicationId;
|
|
276
|
+
if (args.androidAttestationApplicationIdPath !== undefined) {
|
|
277
|
+
try {
|
|
278
|
+
const bytes = readFileSync(args.androidAttestationApplicationIdPath);
|
|
279
|
+
androidKeystoreExpectedAttestationApplicationId = new Uint8Array(bytes.buffer, bytes.byteOffset, bytes.byteLength);
|
|
280
|
+
}
|
|
281
|
+
catch (err) {
|
|
282
|
+
const msg = err instanceof Error ? err.message : String(err);
|
|
283
|
+
process.stderr.write(`motebit-verify: cannot read --android-attestation-application-id at ${args.androidAttestationApplicationIdPath}: ${msg}\n`);
|
|
284
|
+
return 2;
|
|
285
|
+
}
|
|
286
|
+
}
|
|
226
287
|
const hardwareAttestation = buildHardwareVerifiers({
|
|
227
288
|
...(args.bundleId !== undefined && { appAttestBundleId: args.bundleId }),
|
|
228
289
|
...(args.androidPackage !== undefined && { playIntegrityPackageName: args.androidPackage }),
|
|
290
|
+
...(androidKeystoreExpectedAttestationApplicationId !== undefined && {
|
|
291
|
+
androidKeystoreExpectedAttestationApplicationId,
|
|
292
|
+
}),
|
|
229
293
|
...(args.rpId !== undefined && { webauthnRpId: args.rpId }),
|
|
230
294
|
});
|
|
231
295
|
let result;
|
package/dist/cli.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA
|
|
1
|
+
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAGzC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE5D,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAEvD,MAAM,aAAa,GAA4B;IAC7C,UAAU;IACV,SAAS;IACT,YAAY;IACZ,cAAc;IACd,OAAO;CACR,CAAC;AAeF,SAAS,SAAS,CAAC,IAAuB;IACxC,IAAI,IAAwB,CAAC;IAC7B,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,YAAsC,CAAC;IAC3C,IAAI,gBAAoC,CAAC;IACzC,IAAI,QAA4B,CAAC;IACjC,IAAI,cAAkC,CAAC;IACvC,IAAI,mCAAuD,CAAC;IAC5D,IAAI,IAAwB,CAAC;IAC7B,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC;QACrB,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,IAAI,CAAC;YACV,KAAK,QAAQ;gBACX,IAAI,GAAG,IAAI,CAAC;gBACZ,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,IAAI,CAAC;YACV,KAAK,WAAW;gBACd,OAAO,GAAG,IAAI,CAAC;gBACf,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,QAAQ;gBACX,IAAI,GAAG,IAAI,CAAC;gBACZ,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,UAAU,CAAC;YAChB,KAAK,iBAAiB,CAAC,CAAC,CAAC;gBACvB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,GAAG,GAAG,mBAAmB,CAAC,CAAC;gBACjE,IAAI,CAAE,aAAmC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC1D,OAAO,KAAK,CAAC,2BAA2B,KAAK,aAAa,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACzF,CAAC;gBACD,YAAY,GAAG,KAAqB,CAAC;gBACrC,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,cAAc,CAAC,CAAC,CAAC;gBACpB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,gDAAgD,CAAC,CAAC;gBACxF,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACrC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjC,OAAO,KAAK,CAAC,qDAAqD,KAAK,IAAI,CAAC,CAAC;gBAC/E,CAAC;gBACD,gBAAgB,GAAG,CAAC,CAAC;gBACrB,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,aAAa,CAAC,CAAC,CAAC;gBACnB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,8BAA8B,CAAC,CAAC;gBACtE,QAAQ,GAAG,KAAK,CAAC;gBACjB,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,mBAAmB,CAAC,CAAC,CAAC;gBACzB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBAC5E,cAAc,GAAG,KAAK,CAAC;gBACvB,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,sCAAsC,CAAC,CAAC,CAAC;gBAC5C,6DAA6D;gBAC7D,+DAA+D;gBAC/D,0DAA0D;gBAC1D,2DAA2D;gBAC3D,+DAA+D;gBAC/D,8DAA8D;gBAC9D,8CAA8C;gBAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;oBACxB,OAAO,KAAK,CAAC,uEAAuE,CAAC,CAAC;gBACxF,CAAC;gBACD,mCAAmC,GAAG,KAAK,CAAC;gBAC5C,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBAClE,IAAI,GAAG,KAAK,CAAC;gBACb,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD;gBACE,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,OAAO,KAAK,CAAC,iBAAiB,GAAG,EAAE,CAAC,CAAC;gBAC9D,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;oBACvB,OAAO,KAAK,CACV,sDAAsD,GAAG,aAAa,IAAI,IAAI,CAC/E,CAAC;gBACJ,CAAC;gBACD,IAAI,GAAG,GAAG,CAAC;gBACX,CAAC,EAAE,CAAC;gBACJ,MAAM;QACV,CAAC;IACH,CAAC;IAED,IAAI,IAAI;QAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IACxC,IAAI,OAAO;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAC9C,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAE9D,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,IAAI;QACJ,GAAG,CAAC,YAAY,KAAK,SAAS,IAAI,EAAE,YAAY,EAAE,CAAC;QACnD,GAAG,CAAC,gBAAgB,KAAK,SAAS,IAAI,EAAE,gBAAgB,EAAE,CAAC;QAC3D,GAAG,CAAC,QAAQ,KAAK,SAAS,IAAI,EAAE,QAAQ,EAAE,CAAC;QAC3C,GAAG,CAAC,cAAc,KAAK,SAAS,IAAI,EAAE,cAAc,EAAE,CAAC;QACvD,GAAG,CAAC,mCAAmC,KAAK,SAAS,IAAI;YACvD,mCAAmC;SACpC,CAAC;QACF,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,EAAE,IAAI,EAAE,CAAC;KACpC,CAAC;AACJ,CAAC;AAED,SAAS,KAAK,CAAC,OAAe;IAC5B,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;AAC5D,CAAC;AAED,SAAS,UAAU;IACjB,OAAO;QACL,8DAA8D;QAC9D,EAAE;QACF,OAAO;QACP,mCAAmC;QACnC,EAAE;QACF,6EAA6E;QAC7E,wEAAwE;QACxE,6DAA6D;QAC7D,oEAAoE;QACpE,qEAAqE;QACrE,mCAAmC;QACnC,EAAE;QACF,SAAS;QACT,8EAA8E;QAC9E,2EAA2E;QAC3E,4DAA4D;QAC5D,gFAAgF;QAChF,4DAA4D;QAC5D,4EAA4E;QAC5E,mEAAmE;QACnE,4DAA4D;QAC5D,+CAA+C;QAC/C,4EAA4E;QAC5E,2EAA2E;QAC3E,qEAAqE;QACrE,yEAAyE;QACzE,uEAAuE;QACvE,0EAA0E;QAC1E,4EAA4E;QAC5E,yEAAyE;QACzE,4DAA4D;QAC5D,6EAA6E;QAC7E,qDAAqD;QACrD,6CAA6C;QAC7C,4CAA4C;QAC5C,EAAE;QACF,YAAY;QACZ,kEAAkE;QAClE,qFAAqF;QACrF,0BAA0B;QAC1B,EAAE;QACF,6BAA6B;QAC7B,2DAA2D;QAC3D,sFAAsF;QACtF,mEAAmE;QACnE,iEAAiE;QACjE,4DAA4D;QAC5D,sFAAsF;QACtF,EAAE;QACF,+EAA+E;QAC/E,qEAAqE;QACrE,uEAAuE;QACvE,yEAAyE;QACzE,4EAA4E;KAC7E,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,IAAI,aAAiC,CAAC;AACtC,SAAS,iBAAiB;IACxB,IAAI,aAAa,KAAK,SAAS;QAAE,OAAO,aAAa,CAAC;IACtD,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACrD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;QACjD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAyB,CAAC;QAC/E,aAAa,GAAG,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,aAAa,GAAG,OAAO,CAAC;IAC1B,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAE9C,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,iBAAiB,EAAE,IAAI,CAAC,CAAC;QACjD,OAAO,CAAC,CAAC;IACX,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,UAAU,EAAE,CAAC;QAC1B,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YAClC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,IAAI,CAAC,UAAU,OAAO,IAAI,IAAI,CAAC,CAAC;YACxE,OAAO,CAAC,CAAC;QACX,CAAC;QACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,IAAI,CAAC,CAAC;QAClC,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4CAA4C,UAAU,EAAE,IAAI,CAAC,CAAC;QACnF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,+CAAuE,CAAC;IAC5E,IAAI,IAAI,CAAC,mCAAmC,KAAK,SAAS,EAAE,CAAC;QAC3D,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;YACrE,+CAA+C,GAAG,IAAI,UAAU,CAC9D,KAAK,CAAC,MAAM,EACZ,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,UAAU,CACjB,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,uEAAuE,IAAI,CAAC,mCAAmC,KAAK,GAAG,IAAI,CAC5H,CAAC;YACF,OAAO,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IAED,MAAM,mBAAmB,GAAG,sBAAsB,CAAC;QACjD,GAAG,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS,IAAI,EAAE,iBAAiB,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACxE,GAAG,CAAC,IAAI,CAAC,cAAc,KAAK,SAAS,IAAI,EAAE,wBAAwB,EAAE,IAAI,CAAC,cAAc,EAAE,CAAC;QAC3F,GAAG,CAAC,+CAA+C,KAAK,SAAS,IAAI;YACnE,+CAA+C;SAChD,CAAC;QACF,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,EAAE,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;KAC5D,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE;YACnC,GAAG,CAAC,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;YAC3E,GAAG,CAAC,IAAI,CAAC,gBAAgB,KAAK,SAAS,IAAI,EAAE,gBAAgB,EAAE,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACvF,mBAAmB;SACpB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,IAAI,CAAC,IAAI,KAAK,GAAG,IAAI,CAAC,CAAC;QAC3E,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;IAC/D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9B,CAAC;AAED,IAAI,EAAE;KACH,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;IACb,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACrB,CAAC,CAAC;KACD,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;IACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,GAAG,IAAI,CAAC,CAAC;IACjD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
|
package/dist/index.d.ts
CHANGED
|
@@ -2,13 +2,16 @@
|
|
|
2
2
|
* @motebit/verify — hardware-attestation-aware companion to
|
|
3
3
|
* `@motebit/verifier`.
|
|
4
4
|
*
|
|
5
|
-
* Bundles
|
|
5
|
+
* Bundles every Apache-2.0 permissive-floor platform verifier leaf
|
|
6
6
|
* into a single `HardwareAttestationVerifiers` record + a CLI
|
|
7
7
|
* `motebit-verify` that hands them to `@motebit/verifier::verifyFile`.
|
|
8
8
|
* A credential with `hardware_attestation: { platform: "device_check" |
|
|
9
|
-
* "tpm" | "
|
|
9
|
+
* "tpm" | "android_keystore" | "webauthn", ... }` verifies end-to-end
|
|
10
10
|
* through this package instead of returning the permissive-floor
|
|
11
|
-
* verifier's `adapter not yet shipped` sentinel.
|
|
11
|
+
* verifier's `adapter not yet shipped` sentinel. The deprecated
|
|
12
|
+
* `play_integrity` arm is also wired during the
|
|
13
|
+
* `@motebit/crypto-play-integrity@1.x` deprecation cycle for backward
|
|
14
|
+
* compatibility with already-minted credentials.
|
|
12
15
|
*
|
|
13
16
|
* Programmatic use:
|
|
14
17
|
*
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AACvD,YAAY,EAAE,4BAA4B,EAAE,MAAM,eAAe,CAAC"}
|
package/dist/index.js
CHANGED
|
@@ -2,13 +2,16 @@
|
|
|
2
2
|
* @motebit/verify — hardware-attestation-aware companion to
|
|
3
3
|
* `@motebit/verifier`.
|
|
4
4
|
*
|
|
5
|
-
* Bundles
|
|
5
|
+
* Bundles every Apache-2.0 permissive-floor platform verifier leaf
|
|
6
6
|
* into a single `HardwareAttestationVerifiers` record + a CLI
|
|
7
7
|
* `motebit-verify` that hands them to `@motebit/verifier::verifyFile`.
|
|
8
8
|
* A credential with `hardware_attestation: { platform: "device_check" |
|
|
9
|
-
* "tpm" | "
|
|
9
|
+
* "tpm" | "android_keystore" | "webauthn", ... }` verifies end-to-end
|
|
10
10
|
* through this package instead of returning the permissive-floor
|
|
11
|
-
* verifier's `adapter not yet shipped` sentinel.
|
|
11
|
+
* verifier's `adapter not yet shipped` sentinel. The deprecated
|
|
12
|
+
* `play_integrity` arm is also wired during the
|
|
13
|
+
* `@motebit/crypto-play-integrity@1.x` deprecation cycle for backward
|
|
14
|
+
* compatibility with already-minted credentials.
|
|
12
15
|
*
|
|
13
16
|
* Programmatic use:
|
|
14
17
|
*
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@motebit/verify",
|
|
3
|
-
"version": "1.
|
|
4
|
-
"description": "The canonical motebit
|
|
3
|
+
"version": "1.2.0",
|
|
4
|
+
"description": "The canonical `motebit-verify` command-line tool — verifies any signed motebit artifact offline, with every hardware-attestation platform bundled (Apple App Attest, Android Hardware-Backed Keystore Attestation, TPM 2.0, WebAuthn — plus the deprecated Google Play Integrity for one minor cycle). One install, no network, self-attesting. Replaces the deprecated @motebit/verify@0.x zero-dep library: library primitives now live in @motebit/crypto; file-reading + formatting helpers in @motebit/verifier; this package is the binary.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./dist/index.js",
|
|
7
7
|
"types": "./dist/index.d.ts",
|
|
@@ -31,6 +31,8 @@
|
|
|
31
31
|
"cli",
|
|
32
32
|
"hardware-attestation",
|
|
33
33
|
"app-attest",
|
|
34
|
+
"android-keystore",
|
|
35
|
+
"key-attestation",
|
|
34
36
|
"tpm",
|
|
35
37
|
"webauthn",
|
|
36
38
|
"ed25519",
|
|
@@ -50,12 +52,13 @@
|
|
|
50
52
|
"access": "public"
|
|
51
53
|
},
|
|
52
54
|
"dependencies": {
|
|
53
|
-
"@motebit/crypto
|
|
54
|
-
"@motebit/crypto": "1.
|
|
55
|
-
"@motebit/crypto-
|
|
56
|
-
"@motebit/crypto-tpm": "1.
|
|
57
|
-
"@motebit/crypto-
|
|
58
|
-
"@motebit/
|
|
55
|
+
"@motebit/crypto": "1.2.0",
|
|
56
|
+
"@motebit/crypto-android-keystore": "1.1.1",
|
|
57
|
+
"@motebit/crypto-play-integrity": "1.1.1",
|
|
58
|
+
"@motebit/crypto-tpm": "1.1.1",
|
|
59
|
+
"@motebit/crypto-appattest": "1.0.2",
|
|
60
|
+
"@motebit/crypto-webauthn": "1.0.2",
|
|
61
|
+
"@motebit/verifier": "1.1.0"
|
|
59
62
|
},
|
|
60
63
|
"devDependencies": {
|
|
61
64
|
"@noble/curves": "^1.9.0",
|