@revibase/ctap2-js 0.1.0

package/README.md

@@ -0,0 +1,65 @@
+# @revibase/ctap2-js
+
+This library is for apps that want to talk to a **physical FIDO2/passkey authenticator over NFC** by sending **APDUs** directly.
+
+**License:** MIT
+
+## Install
+
+```bash
+pnpm add @revibase/ctap2-js
+```
+
+Optional peer (for types): [`@simplewebauthn/browser`](https://simplewebauthn.dev/docs/packages/browser)
+
+```bash
+pnpm add @simplewebauthn/browser
+```
+
+## Usage
+
+## React Native
+
+Use a library that can send NFC commands like [`react-native-nfc-manager`](https://github.com/revtel/react-native-nfc-manager) with `NfcTech.IsoDep`.
+
+```ts
+import { authenticateWithNfc } from "@revibase/ctap2-js";
+import NfcManager, { NfcTech } from "react-native-nfc-manager";
+
+async function withIsoDep<T>(
+  fn: (tx: (apdu: Uint8Array) => Promise<Uint8Array>) => Promise<T>,
+): Promise<T> {
+  const store = useNfcAuthPromptStore.getState();
+  await NfcManager.start();
+  if (Platform.OS === "android") {
+    store.setVisible(true);
+    store.setCancelSession(() => {
+      NfcManager.cancelTechnologyRequest().catch(() => {});
+    });
+  }
+  await NfcManager.requestTechnology(NfcTech.IsoDep, {
+    alertMessage: "Hold your security key near the phone",
+  });
+  const tx = async (apdu: Uint8Array) => {
+    return new Uint8Array(await NfcManager.isoDepHandler.transceive([...apdu]));
+  };
+
+  try {
+    return await fn(tx);
+  } finally {
+    if (Platform.OS === "android") {
+      store.setCancelSession(null);
+    }
+    await NfcManager.cancelTechnologyRequest().catch(() => {});
+  }
+}
+
+const request = {
+  origin: "your_origin",
+  crossOrigin: false,
+  rpId: "your_rp_id",
+  challenge: "random_challenge_in_base64_url",
+};
+
+await withIsoDep((tx) => authenticateWithNfc(request, tx));
+```

package/lib/apdu.d.ts

@@ -0,0 +1,56 @@
+interface ParsedIso7816Response {
+    data: Uint8Array;
+    sw1: number;
+    sw2: number;
+    statusWord: number;
+}
+interface NfcShortApduSegment {
+    bytes: Uint8Array;
+    chained: boolean;
+}
+export declare function encodeExtendedCase3e(cla: number, ins: number, p1: number, p2: number, data: Uint8Array): Uint8Array;
+export declare function encodeShortApdu(cla: number, ins: number, p1: number, p2: number, payload: Uint8Array, options: {
+    chained: boolean;
+}): Uint8Array;
+/**
+ * Send CTAP CBOR command APDUs
+ * Extended APDU in memory is split into short chained frames;
+ * Intermediate responses must be SW 0x9000, the last response carries CTAP payload + SW.
+ */
+export declare function transmitCborApduSegments(segments: NfcShortApduSegment[], transceive: (apdu: Uint8Array) => Promise<Uint8Array>): Promise<Uint8Array>;
+/**
+ * Follow ISO 7816 "more data" responses for CBOR:
+ * while SW1 == 0x61, send GET RESPONSE (CLA 0x80, INS 0xc0, Le = SW2) and
+ * concatenate response bodies; final buffer is payload + SW1 + SW2.
+ */
+export declare function collectCborApduResponse(firstResponse: Uint8Array, transceive: (apdu: Uint8Array) => Promise<Uint8Array>): Promise<Uint8Array>;
+/**
+ * Full NFC CTAP2 command exchange for Java Card–style FIDO applets: send short
+ * chained command frames ({@link transmitCborApduSegments}), then resolve
+ * `61 xx` / GET RESPONSE until `90 00` (same as libfido2 `nfc_do_tx` +
+ * `rx_msg`). Use after SELECT.
+ */
+export declare function transceiveNfcCtap2Command(segments: NfcShortApduSegment[], transceive: (apdu: Uint8Array) => Promise<Uint8Array>): Promise<Uint8Array>;
+export declare function splitExtendedApduForNfcTransmit(extended: Uint8Array, chunkSize?: number): NfcShortApduSegment[];
+export declare function buildSelectFidoApdu(): Uint8Array;
+/** Short APDU(s) for SELECT — preferred over {@link buildSelectFidoApdu} on NFC. */
+export declare function buildSelectFidoApduSegments(): NfcShortApduSegment[];
+export declare function buildCborCommandApdu(cborPayload: Uint8Array): Uint8Array;
+export declare function buildGetResponseApdu(le: number, cbor: boolean): Uint8Array;
+export declare function parseIso7816Response(buf: Uint8Array): ParsedIso7816Response;
+type ParseCtaphidCborBodyResult = {
+    ok: true;
+    cborMapBytes: Uint8Array;
+} | {
+    ok: false;
+    layer: "iso7816";
+    statusWord: number;
+} | {
+    ok: false;
+    layer: "ctap";
+    errorCode: number;
+};
+export declare function parseCtaphidCborFromApduResponse(apduResponseIncludingSw: Uint8Array): ParseCtaphidCborBodyResult;
+export declare function unwrapCtaphidCborBody(parsed: ParseCtaphidCborBodyResult): Uint8Array;
+export {};
+//# sourceMappingURL=apdu.d.ts.map

package/lib/apdu.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"apdu.d.ts","sourceRoot":"","sources":["../src/apdu.ts"],"names":[],"mappings":"AA2BA,UAAU,qBAAqB;IAC7B,IAAI,EAAE,UAAU,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,mBAAmB;IAC3B,KAAK,EAAE,UAAU,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,wBAAgB,oBAAoB,CAClC,GAAG,EAAE,MAAM,EACX,GAAG,EAAE,MAAM,EACX,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,UAAU,GACf,UAAU,CAiBZ;AAED,wBAAgB,eAAe,CAC7B,GAAG,EAAE,MAAM,EACX,GAAG,EAAE,MAAM,EACX,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,EACV,OAAO,EAAE,UAAU,EACnB,OAAO,EAAE;IAAE,OAAO,EAAE,OAAO,CAAA;CAAE,GAC5B,UAAU,CAiBZ;AAED;;;;GAIG;AACH,wBAAsB,wBAAwB,CAC5C,QAAQ,EAAE,mBAAmB,EAAE,EAC/B,UAAU,EAAE,CAAC,IAAI,EAAE,UAAU,KAAK,OAAO,CAAC,UAAU,CAAC,GACpD,OAAO,CAAC,UAAU,CAAC,CAwBrB;AAKD;;;;GAIG;AACH,wBAAsB,uBAAuB,CAC3C,aAAa,EAAE,UAAU,EACzB,UAAU,EAAE,CAAC,IAAI,EAAE,UAAU,KAAK,OAAO,CAAC,UAAU,CAAC,GACpD,OAAO,CAAC,UAAU,CAAC,CAyBrB;AAED;;;;;GAKG;AACH,wBAAsB,yBAAyB,CAC7C,QAAQ,EAAE,mBAAmB,EAAE,EAC/B,UAAU,EAAE,CAAC,IAAI,EAAE,UAAU,KAAK,OAAO,CAAC,UAAU,CAAC,GACpD,OAAO,CAAC,UAAU,CAAC,CAKrB;AAED,wBAAgB,+BAA+B,CAC7C,QAAQ,EAAE,UAAU,EACpB,SAAS,GAAE,MAA0B,GACpC,mBAAmB,EAAE,CAyBvB;AAED,wBAAgB,mBAAmB,IAAI,UAAU,CAEhD;AAED,oFAAoF;AACpF,wBAAgB,2BAA2B,IAAI,mBAAmB,EAAE,CAEnE;AAED,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,UAAU,GAAG,UAAU,CAExE;AAED,wBAAgB,oBAAoB,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,UAAU,CAQ1E;AAED,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,UAAU,GAAG,qBAAqB,CAa3E;AAMD,KAAK,0BAA0B,GAC3B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,YAAY,EAAE,UAAU,CAAA;CAAE,GACtC;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,SAAS,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,GACnD;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC;AAEpD,wBAAgB,gCAAgC,CAC9C,uBAAuB,EAAE,UAAU,GAClC,0BAA0B,CAa5B;AAED,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,0BAA0B,GACjC,UAAU,CAUZ"}

package/lib/apdu.js

@@ -0,0 +1,225 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.unwrapCtaphidCborBody = exports.parseCtaphidCborFromApduResponse = exports.parseIso7816Response = exports.buildGetResponseApdu = exports.buildCborCommandApdu = exports.buildSelectFidoApduSegments = exports.buildSelectFidoApdu = exports.splitExtendedApduForNfcTransmit = exports.transceiveNfcCtap2Command = exports.collectCborApduResponse = exports.transmitCborApduSegments = exports.encodeShortApdu = exports.encodeExtendedCase3e = void 0;
+const constants_1 = require("./constants");
+const errors_1 = require("./errors");
+const CLA_CHAIN = 0x10;
+/** CTAP2 error codes  */
+function formatCtapErrorMessage(code) {
+    const hex = `0x${code.toString(16).padStart(2, "0")}`;
+    const names = {
+        0x01: "INVALID_COMMAND",
+        0x02: "INVALID_PARAMETER",
+        0x03: "INVALID_LENGTH",
+        0x11: "CBOR_UNEXPECTED_TYPE",
+        0x12: "INVALID_CBOR",
+        0x14: "MISSING_PARAMETER",
+        0x2e: "NO_CREDENTIALS",
+        0x30: "NOT_ALLOWED",
+    };
+    const name = names[code];
+    return name ? `CTAP error ${hex} (${name})` : `CTAP error code ${hex}`;
+}
+function encodeExtendedCase3e(cla, ins, p1, p2, data) {
+    const n = data.length;
+    if (n > 65535) {
+        throw new errors_1.ApduError("APDU data field exceeds 65535 bytes");
+    }
+    const out = new Uint8Array(7 + n + 2);
+    out[0] = cla & 0xff;
+    out[1] = ins & 0xff;
+    out[2] = p1 & 0xff;
+    out[3] = p2 & 0xff;
+    out[4] = 0x00;
+    out[5] = (n >> 8) & 0xff;
+    out[6] = n & 0xff;
+    out.set(data, 7);
+    out[7 + n] = 0x00;
+    out[7 + n + 1] = 0x00;
+    return out;
+}
+exports.encodeExtendedCase3e = encodeExtendedCase3e;
+function encodeShortApdu(cla, ins, p1, p2, payload, options) {
+    const lc = payload.length;
+    if (lc > 255) {
+        throw new errors_1.ApduError("short APDU payload must be ≤ 255 bytes");
+    }
+    const withLe = !options.chained;
+    const out = new Uint8Array(5 + lc + (withLe ? 1 : 0));
+    out[0] = (cla & 0xff) | (options.chained ? CLA_CHAIN : 0);
+    out[1] = ins & 0xff;
+    out[2] = p1 & 0xff;
+    out[3] = p2 & 0xff;
+    out[4] = lc & 0xff;
+    out.set(payload, 5);
+    if (withLe) {
+        out[5 + lc] = 0x00;
+    }
+    return out;
+}
+exports.encodeShortApdu = encodeShortApdu;
+/**
+ * Send CTAP CBOR command APDUs
+ * Extended APDU in memory is split into short chained frames;
+ * Intermediate responses must be SW 0x9000, the last response carries CTAP payload + SW.
+ */
+async function transmitCborApduSegments(segments, transceive) {
+    let last;
+    for (const seg of segments) {
+        const resp = await transceive(seg.bytes);
+        if (resp.length < 2) {
+            throw new errors_1.ApduError(`APDU response too short for status word (${resp.length} byte(s))`);
+        }
+        const sw = (resp[resp.length - 2] << 8) | resp[resp.length - 1];
+        if (seg.chained) {
+            if (sw !== constants_1.SW_NO_ERROR) {
+                throw new errors_1.ApduError(`ISO7816 status 0x${sw.toString(16).padStart(4, "0")}`);
+            }
+        }
+        else {
+            last = resp;
+        }
+    }
+    if (!last) {
+        throw new errors_1.ApduError("no final APDU response");
+    }
+    return last;
+}
+exports.transmitCborApduSegments = transmitCborApduSegments;
+/** Max GET RESPONSE iterations (matches practical NFC response sizes). */
+const GET_RESPONSE_MAX_CHAIN = 256;
+/**
+ * Follow ISO 7816 "more data" responses for CBOR:
+ * while SW1 == 0x61, send GET RESPONSE (CLA 0x80, INS 0xc0, Le = SW2) and
+ * concatenate response bodies; final buffer is payload + SW1 + SW2.
+ */
+async function collectCborApduResponse(firstResponse, transceive) {
+    const chunks = [];
+    let cur = firstResponse;
+    for (let i = 0; i < GET_RESPONSE_MAX_CHAIN; i++) {
+        if (cur.length < 2) {
+            throw new errors_1.ApduError("APDU response too short");
+        }
+        const sw1 = cur[cur.length - 2];
+        const sw2 = cur[cur.length - 1];
+        chunks.push(cur.slice(0, -2));
+        if (sw1 !== constants_1.SW1_MORE_DATA) {
+            const totalLen = chunks.reduce((a, c) => a + c.length, 0) + 2;
+            const out = new Uint8Array(totalLen);
+            let o = 0;
+            for (const c of chunks) {
+                out.set(c, o);
+                o += c.length;
+            }
+            out[o] = sw1;
+            out[o + 1] = sw2;
+            return out;
+        }
+        cur = await transceive(buildGetResponseApdu(sw2, true));
+    }
+    throw new errors_1.ApduError("GET RESPONSE chain exceeded limit");
+}
+exports.collectCborApduResponse = collectCborApduResponse;
+/**
+ * Full NFC CTAP2 command exchange for Java Card–style FIDO applets: send short
+ * chained command frames ({@link transmitCborApduSegments}), then resolve
+ * `61 xx` / GET RESPONSE until `90 00` (same as libfido2 `nfc_do_tx` +
+ * `rx_msg`). Use after SELECT.
+ */
+async function transceiveNfcCtap2Command(segments, transceive) {
+    return collectCborApduResponse(await transmitCborApduSegments(segments, transceive), transceive);
+}
+exports.transceiveNfcCtap2Command = transceiveNfcCtap2Command;
+function splitExtendedApduForNfcTransmit(extended, chunkSize = constants_1.NFC_TX_CHUNK_SIZE) {
+    if (extended.length < 9) {
+        throw new errors_1.ApduError("extended APDU too short");
+    }
+    const cla = extended[0];
+    const ins = extended[1];
+    const p1 = extended[2];
+    const p2 = extended[3];
+    const data = extended.slice(7, extended.length - 2);
+    const segments = [];
+    let off = 0;
+    while (data.length - off > chunkSize) {
+        const chunk = data.subarray(off, off + chunkSize);
+        segments.push({
+            bytes: encodeShortApdu(cla, ins, p1, p2, chunk, { chained: true }),
+            chained: true,
+        });
+        off += chunkSize;
+    }
+    const rest = data.subarray(off);
+    segments.push({
+        bytes: encodeShortApdu(cla, ins, p1, p2, rest, { chained: false }),
+        chained: false,
+    });
+    return segments;
+}
+exports.splitExtendedApduForNfcTransmit = splitExtendedApduForNfcTransmit;
+function buildSelectFidoApdu() {
+    return encodeExtendedCase3e(0x00, 0xa4, 0x04, 0x00, constants_1.FIDO_AID);
+}
+exports.buildSelectFidoApdu = buildSelectFidoApdu;
+/** Short APDU(s) for SELECT — preferred over {@link buildSelectFidoApdu} on NFC. */
+function buildSelectFidoApduSegments() {
+    return splitExtendedApduForNfcTransmit(buildSelectFidoApdu());
+}
+exports.buildSelectFidoApduSegments = buildSelectFidoApduSegments;
+function buildCborCommandApdu(cborPayload) {
+    return encodeExtendedCase3e(0x80, 0x10, 0x00, 0x00, cborPayload);
+}
+exports.buildCborCommandApdu = buildCborCommandApdu;
+function buildGetResponseApdu(le, cbor) {
+    const apdu = new Uint8Array(5);
+    apdu[0] = cbor ? 0x80 : 0x00;
+    apdu[1] = 0xc0;
+    apdu[2] = 0x00;
+    apdu[3] = 0x00;
+    apdu[4] = le & 0xff;
+    return apdu;
+}
+exports.buildGetResponseApdu = buildGetResponseApdu;
+function parseIso7816Response(buf) {
+    if (buf.length < 2) {
+        throw new errors_1.ApduError("response must include SW1 and SW2");
+    }
+    const sw1 = buf[buf.length - 2];
+    const sw2 = buf[buf.length - 1];
+    const statusWord = (sw1 << 8) | sw2;
+    return {
+        data: buf.slice(0, -2),
+        sw1,
+        sw2,
+        statusWord,
+    };
+}
+exports.parseIso7816Response = parseIso7816Response;
+function isSuccessStatus(statusWord) {
+    return statusWord === constants_1.SW_NO_ERROR;
+}
+function parseCtaphidCborFromApduResponse(apduResponseIncludingSw) {
+    const { data, statusWord } = parseIso7816Response(apduResponseIncludingSw);
+    if (!isSuccessStatus(statusWord)) {
+        return { ok: false, layer: "iso7816", statusWord };
+    }
+    if (data.length < 1) {
+        throw new errors_1.ApduError("empty CTAP payload after ISO7816 success");
+    }
+    const status = data[0];
+    if (status !== 0) {
+        return { ok: false, layer: "ctap", errorCode: status };
+    }
+    return { ok: true, cborMapBytes: data.subarray(1) };
+}
+exports.parseCtaphidCborFromApduResponse = parseCtaphidCborFromApduResponse;
+function unwrapCtaphidCborBody(parsed) {
+    if (!parsed.ok) {
+        if (parsed.layer === "iso7816") {
+            throw new errors_1.ApduError(`ISO7816 status 0x${parsed.statusWord.toString(16).padStart(4, "0")}`);
+        }
+        throw new errors_1.ApduError(formatCtapErrorMessage(parsed.errorCode));
+    }
+    return parsed.cborMapBytes;
+}
+exports.unwrapCtaphidCborBody = unwrapCtaphidCborBody;

package/lib/buildRequests.d.ts

@@ -0,0 +1,11 @@
+import type { NfcShortApduSegment } from "./apdu";
+import type { PublicKeyCredentialCreationOptionsJSONWithNfc, PublicKeyCredentialRequestOptionsJSONWithNfc } from "./types";
+/** @internal Used by tests and advanced integrations. */
+export declare function startAuthenticationToApdu(args: PublicKeyCredentialRequestOptionsJSONWithNfc): Uint8Array;
+/** @internal */
+export declare function startAuthenticationToApduSegments(args: PublicKeyCredentialRequestOptionsJSONWithNfc): NfcShortApduSegment[];
+/** @internal */
+export declare function startRegistrationToApdu(args: PublicKeyCredentialCreationOptionsJSONWithNfc): Uint8Array;
+/** @internal */
+export declare function startRegistrationToApduSegments(args: PublicKeyCredentialCreationOptionsJSONWithNfc): NfcShortApduSegment[];
+//# sourceMappingURL=buildRequests.d.ts.map

package/lib/buildRequests.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"buildRequests.d.ts","sourceRoot":"","sources":["../src/buildRequests.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAOlD,OAAO,KAAK,EACX,6CAA6C,EAC7C,4CAA4C,EAC5C,MAAM,SAAS,CAAC;AAEjB,yDAAyD;AACzD,wBAAgB,yBAAyB,CACxC,IAAI,EAAE,4CAA4C,GAChD,UAAU,CAIZ;AAED,gBAAgB;AAChB,wBAAgB,iCAAiC,CAChD,IAAI,EAAE,4CAA4C,GAChD,mBAAmB,EAAE,CAIvB;AAED,gBAAgB;AAChB,wBAAgB,uBAAuB,CACtC,IAAI,EAAE,6CAA6C,GACjD,UAAU,CAIZ;AAED,gBAAgB;AAChB,wBAAgB,+BAA+B,CAC9C,IAAI,EAAE,6CAA6C,GACjD,mBAAmB,EAAE,CAIvB"}

package/lib/buildRequests.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startRegistrationToApduSegments = exports.startRegistrationToApdu = exports.startAuthenticationToApduSegments = exports.startAuthenticationToApdu = void 0;
+const fromWebAuthnJson_1 = require("./helpers/fromWebAuthnJson");
+/** @internal Used by tests and advanced integrations. */
+function startAuthenticationToApdu(args) {
+    return (0, fromWebAuthnJson_1.buildAuthenticatorGetAssertionApduFromPublicKeyCredentialRequestOptionsJSON)(args);
+}
+exports.startAuthenticationToApdu = startAuthenticationToApdu;
+/** @internal */
+function startAuthenticationToApduSegments(args) {
+    return (0, fromWebAuthnJson_1.buildAuthenticatorGetAssertionApduSegmentsFromPublicKeyCredentialRequestOptionsJSON)(args);
+}
+exports.startAuthenticationToApduSegments = startAuthenticationToApduSegments;
+/** @internal */
+function startRegistrationToApdu(args) {
+    return (0, fromWebAuthnJson_1.buildAuthenticatorMakeCredentialApduFromPublicKeyCredentialCreationOptionsJSON)(args);
+}
+exports.startRegistrationToApdu = startRegistrationToApdu;
+/** @internal */
+function startRegistrationToApduSegments(args) {
+    return (0, fromWebAuthnJson_1.buildAuthenticatorMakeCredentialApduSegmentsFromPublicKeyCredentialCreationOptionsJSON)(args);
+}
+exports.startRegistrationToApduSegments = startRegistrationToApduSegments;

package/lib/constants.d.ts

@@ -0,0 +1,11 @@
+export declare const NFC_TX_CHUNK_SIZE = 240;
+export declare const FIDO_AID: Uint8Array;
+export declare const CTAP_CMD_MSG = 3;
+export declare const CTAP_CMD_INIT = 6;
+export declare const CTAP_CMD_CBOR = 16;
+export declare const CTAP_CBOR_MAKE_CRED = 1;
+export declare const CTAP_CBOR_ASSERT = 2;
+export declare const CTAP_CBOR_GETINFO = 4;
+export declare const SW_NO_ERROR = 36864;
+export declare const SW1_MORE_DATA = 97;
+//# sourceMappingURL=constants.d.ts.map

package/lib/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,iBAAiB,MAAM,CAAC;AAErC,eAAO,MAAM,QAAQ,YAEnB,CAAC;AAEH,eAAO,MAAM,YAAY,IAAO,CAAC;AACjC,eAAO,MAAM,aAAa,IAAO,CAAC;AAClC,eAAO,MAAM,aAAa,KAAO,CAAC;AAElC,eAAO,MAAM,mBAAmB,IAAO,CAAC;AACxC,eAAO,MAAM,gBAAgB,IAAO,CAAC;AACrC,eAAO,MAAM,iBAAiB,IAAO,CAAC;AAEtC,eAAO,MAAM,WAAW,QAAS,CAAC;AAClC,eAAO,MAAM,aAAa,KAAO,CAAC"}

package/lib/constants.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SW1_MORE_DATA = exports.SW_NO_ERROR = exports.CTAP_CBOR_GETINFO = exports.CTAP_CBOR_ASSERT = exports.CTAP_CBOR_MAKE_CRED = exports.CTAP_CMD_CBOR = exports.CTAP_CMD_INIT = exports.CTAP_CMD_MSG = exports.FIDO_AID = exports.NFC_TX_CHUNK_SIZE = void 0;
+exports.NFC_TX_CHUNK_SIZE = 240;
+exports.FIDO_AID = Uint8Array.from([
+    0xa0, 0x00, 0x00, 0x06, 0x47, 0x2f, 0x00, 0x01,
+]);
+exports.CTAP_CMD_MSG = 0x03;
+exports.CTAP_CMD_INIT = 0x06;
+exports.CTAP_CMD_CBOR = 0x10;
+exports.CTAP_CBOR_MAKE_CRED = 0x01;
+exports.CTAP_CBOR_ASSERT = 0x02;
+exports.CTAP_CBOR_GETINFO = 0x04;
+exports.SW_NO_ERROR = 0x9000;
+exports.SW1_MORE_DATA = 0x61;

package/lib/ctap2/cborUtils.d.ts

@@ -0,0 +1,14 @@
+/**
+ * CTAP2 canonical CBOR key order for text-string map keys (FIDO CTAP §8 Message Encoding):
+ * shorter UTF-8 length sorts first; same length → lower byte-wise lexical order.
+ */
+export declare function compareCtapTextMapKeys(a: string, b: string): number;
+/**
+ * Recursively reorders every CBOR-serialized map to CTAP2 canonical form (sorted keys).
+ * Integer-key maps (command parameters, COSE, etc.) are sorted numerically.
+ */
+export declare function canonicalizeCtapValue(value: unknown): unknown;
+export declare function encodeCtapCbor(value: unknown): Uint8Array;
+export declare function bytesView(v: unknown): Uint8Array | undefined;
+export declare function cborMapGet(map: Map<number, unknown> | object, key: number): unknown;
+//# sourceMappingURL=cborUtils.d.ts.map

package/lib/ctap2/cborUtils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cborUtils.d.ts","sourceRoot":"","sources":["../../src/ctap2/cborUtils.ts"],"names":[],"mappings":"AAiBA;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAYnE;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAoE7D;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,OAAO,GAAG,UAAU,CAUzD;AAED,wBAAgB,SAAS,CAAC,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,SAAS,CAa5D;AAED,wBAAgB,UAAU,CACzB,GAAG,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,EAClC,GAAG,EAAE,MAAM,GACT,OAAO,CAeT"}

package/lib/ctap2/cborUtils.js

@@ -0,0 +1,141 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cborMapGet = exports.bytesView = exports.encodeCtapCbor = exports.canonicalizeCtapValue = exports.compareCtapTextMapKeys = void 0;
+const cbor_x_1 = require("cbor-x");
+/**
+ * cbor-x encodes JS `Map` with CBOR tag 259 by default. CTAP2/FIDO2 expects a
+ * plain CBOR map (no tag), or authenticators return FIDO_ERR_CBOR_UNEXPECTED_TYPE (0x11).
+ */
+const ctapCborEncoder = new cbor_x_1.Encoder({
+    useTag259ForMaps: false,
+    useRecords: false,
+    mapsAsObjects: true,
+    structuredClone: false,
+    tagUint8Array: false,
+    bundleStrings: false,
+});
+const textEncoder = new TextEncoder();
+/**
+ * CTAP2 canonical CBOR key order for text-string map keys (FIDO CTAP §8 Message Encoding):
+ * shorter UTF-8 length sorts first; same length → lower byte-wise lexical order.
+ */
+function compareCtapTextMapKeys(a, b) {
+    const ab = textEncoder.encode(a);
+    const bb = textEncoder.encode(b);
+    if (ab.length !== bb.length) {
+        return ab.length - bb.length;
+    }
+    for (let i = 0; i < ab.length; i++) {
+        if (ab[i] !== bb[i]) {
+            return ab[i] - bb[i];
+        }
+    }
+    return 0;
+}
+exports.compareCtapTextMapKeys = compareCtapTextMapKeys;
+/**
+ * Recursively reorders every CBOR-serialized map to CTAP2 canonical form (sorted keys).
+ * Integer-key maps (command parameters, COSE, etc.) are sorted numerically.
+ */
+function canonicalizeCtapValue(value) {
+    if (value === null || value === undefined) {
+        return value;
+    }
+    const t = typeof value;
+    if (t === "boolean" ||
+        t === "number" ||
+        t === "string" ||
+        t === "bigint") {
+        return value;
+    }
+    if (value instanceof Uint8Array) {
+        return value;
+    }
+    if (ArrayBuffer.isView(value) && !(value instanceof DataView)) {
+        const view = value;
+        return new Uint8Array(view.buffer, view.byteOffset, view.byteLength);
+    }
+    if (Array.isArray(value)) {
+        return value.map((v) => canonicalizeCtapValue(v));
+    }
+    if (value instanceof Map) {
+        const keys = [...value.keys()];
+        if (keys.length === 0) {
+            return new Map();
+        }
+        const allNum = keys.every((k) => typeof k === "number");
+        if (allNum) {
+            const sorted = keys
+                .slice()
+                .sort((a, b) => a - b);
+            const m = new Map();
+            for (const k of sorted) {
+                m.set(k, canonicalizeCtapValue(value.get(k)));
+            }
+            return m;
+        }
+        const allStr = keys.every((k) => typeof k === "string");
+        if (allStr) {
+            const sorted = keys
+                .slice()
+                .sort(compareCtapTextMapKeys);
+            const o = {};
+            for (const k of sorted) {
+                o[k] = canonicalizeCtapValue(value.get(k));
+            }
+            return o;
+        }
+        throw new Error("CTAP CBOR: map keys must be all numbers or all strings for canonical encoding");
+    }
+    if (t === "object") {
+        const o = value;
+        const keys = Object.keys(o).sort(compareCtapTextMapKeys);
+        const out = {};
+        for (const k of keys) {
+            out[k] = canonicalizeCtapValue(o[k]);
+        }
+        return out;
+    }
+    return value;
+}
+exports.canonicalizeCtapValue = canonicalizeCtapValue;
+function encodeCtapCbor(value) {
+    const encoded = ctapCborEncoder.encode(canonicalizeCtapValue(value));
+    if (encoded instanceof Uint8Array) {
+        return new Uint8Array(encoded);
+    }
+    if (ArrayBuffer.isView(encoded)) {
+        const v = encoded;
+        return new Uint8Array(v.buffer, v.byteOffset, v.byteLength);
+    }
+    return Uint8Array.from(encoded);
+}
+exports.encodeCtapCbor = encodeCtapCbor;
+function bytesView(v) {
+    if (v instanceof Uint8Array) {
+        return new Uint8Array(v);
+    }
+    if (ArrayBuffer.isView(v) && !(v instanceof DataView)) {
+        const view = v;
+        return new Uint8Array(view.buffer, view.byteOffset, view.byteLength);
+    }
+    return undefined;
+}
+exports.bytesView = bytesView;
+function cborMapGet(map, key) {
+    if (map instanceof Map) {
+        return map.get(key);
+    }
+    if (map !== null && typeof map === "object") {
+        const o = map;
+        if (key in o) {
+            return o[key];
+        }
+        const s = String(key);
+        if (s in o) {
+            return o[s];
+        }
+    }
+    return undefined;
+}
+exports.cborMapGet = cborMapGet;

package/lib/ctap2/getAssertion.d.ts

@@ -0,0 +1,32 @@
+export interface AuthenticatorGetAssertionRequest {
+    rpId: string;
+    clientDataHash: Uint8Array;
+    allowCredentials?: Array<{
+        id: Uint8Array;
+        type?: string;
+    }>;
+    extensions?: Record<string, unknown>;
+    options?: {
+        up?: boolean;
+        uv?: boolean;
+    };
+}
+export interface AuthenticatorGetAssertionResponse {
+    credential?: {
+        id: Uint8Array;
+        type?: string;
+    };
+    authData: Uint8Array;
+    signature: Uint8Array;
+    user?: {
+        id: Uint8Array;
+        name?: string;
+        displayName?: string;
+        icon?: string;
+    };
+    numberOfCredentials?: number;
+    largeBlobKey?: Uint8Array;
+}
+export declare function encodeAuthenticatorGetAssertionRequest(req: AuthenticatorGetAssertionRequest): Uint8Array;
+export declare function parseAuthenticatorGetAssertionResponse(apduResponseIncludingSw: Uint8Array): AuthenticatorGetAssertionResponse;
+//# sourceMappingURL=getAssertion.d.ts.map

package/lib/ctap2/getAssertion.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getAssertion.d.ts","sourceRoot":"","sources":["../../src/ctap2/getAssertion.ts"],"names":[],"mappings":"AASA,MAAM,WAAW,gCAAgC;IAChD,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,EAAE,UAAU,CAAC;IAC3B,gBAAgB,CAAC,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,UAAU,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC5D,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,OAAO,CAAC,EAAE;QAAE,EAAE,CAAC,EAAE,OAAO,CAAC;QAAC,EAAE,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;CACzC;AAED,MAAM,WAAW,iCAAiC;IACjD,UAAU,CAAC,EAAE;QACZ,EAAE,EAAE,UAAU,CAAC;QACf,IAAI,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;IACF,QAAQ,EAAE,UAAU,CAAC;IACrB,SAAS,EAAE,UAAU,CAAC;IACtB,IAAI,CAAC,EAAE;QACN,EAAE,EAAE,UAAU,CAAC;QACf,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,IAAI,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;IACF,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,YAAY,CAAC,EAAE,UAAU,CAAC;CAC1B;AAkGD,wBAAgB,sCAAsC,CACrD,GAAG,EAAE,gCAAgC,GACnC,UAAU,CAWZ;AAED,wBAAgB,sCAAsC,CACrD,uBAAuB,EAAE,UAAU,GACjC,iCAAiC,CAMnC"}