@revibase/ctap2-js 0.1.0

package/src/helpers/webauthnResponses.ts

@@ -0,0 +1,113 @@
+import { utf8ToBytes } from "@noble/hashes/utils.js";
+import {
+	AuthenticationResponseJSON,
+	RegistrationResponseJSON,
+} from "@simplewebauthn/browser";
+import type { AuthenticatorGetAssertionResponse } from "../ctap2/getAssertion";
+import { ApduError } from "../errors";
+import {
+	buildAttestationObjectBytes,
+	extractCredentialIdFromAuthData,
+	type AuthenticatorMakeCredentialResponse,
+} from "../ctap2/makeCredential";
+import { parseAuthenticatorDataExtensions } from "./authDataExtensions";
+import { bufferToBase64URLString } from "./base64url";
+
+type ToWebAuthnResponseJSONInput =
+	| {
+			kind: "authentication";
+			assertion: AuthenticatorGetAssertionResponse;
+			credentialId?: Uint8Array;
+			clientDataJSON: string;
+	  }
+	| {
+			kind: "registration";
+			credential: AuthenticatorMakeCredentialResponse;
+			clientDataJSON: string;
+	  };
+
+export function toWebAuthnResponseJSON(
+	input: Extract<ToWebAuthnResponseJSONInput, { kind: "authentication" }>,
+): AuthenticationResponseJSON;
+export function toWebAuthnResponseJSON(
+	input: Extract<ToWebAuthnResponseJSONInput, { kind: "registration" }>,
+): RegistrationResponseJSON;
+export function toWebAuthnResponseJSON(
+	input: ToWebAuthnResponseJSONInput,
+): AuthenticationResponseJSON | RegistrationResponseJSON {
+	if (input.kind === "authentication") {
+		const {
+			assertion,
+			credentialId: credentialIdArg,
+			clientDataJSON,
+		} = input;
+
+		const clientExtensionResults = parseAuthenticatorDataExtensions(
+			assertion.authData,
+		) as AuthenticationExtensionsClientOutputs;
+
+		const credBytes =
+			assertion.credential?.id ??
+			credentialIdArg ??
+			(() => {
+				throw new ApduError(
+					"Assertion response missing credential id; set credentialId (base64url) on the request object or use a token that returns it in CBOR",
+				);
+			})();
+
+		const idStr = bufferToBase64URLString(credBytes);
+
+		return {
+			id: idStr,
+			rawId: idStr,
+			type: "public-key",
+			clientExtensionResults,
+			response: {
+				clientDataJSON: bufferToBase64URLString(
+					utf8ToBytes(clientDataJSON),
+				),
+				authenticatorData: bufferToBase64URLString(
+					assertion.authData,
+				),
+				signature: bufferToBase64URLString(assertion.signature),
+				userHandle:
+					assertion.user?.id !== undefined
+						? bufferToBase64URLString(
+								assertion.user.id,
+							)
+						: undefined,
+			},
+		};
+	}
+
+	const { credential, clientDataJSON } = input;
+	const ao = buildAttestationObjectBytes(
+		credential.fmt,
+		credential.authData,
+		credential.attStmt,
+	);
+	const credentialId = extractCredentialIdFromAuthData(
+		credential.authData,
+	);
+	const idStr = bufferToBase64URLString(credentialId);
+
+	const clientExtensionResults = parseAuthenticatorDataExtensions(
+		credential.authData,
+	) as AuthenticationExtensionsClientOutputs;
+
+	return {
+		id: idStr,
+		rawId: idStr,
+		type: "public-key",
+		clientExtensionResults,
+		response: {
+			clientDataJSON: bufferToBase64URLString(
+				utf8ToBytes(clientDataJSON),
+			),
+			attestationObject: bufferToBase64URLString(ao),
+			authenticatorData: bufferToBase64URLString(
+				credential.authData,
+			),
+		},
+	};
+}

package/src/index.ts

@@ -0,0 +1,6 @@
+export { ApduError } from "./errors";
+export { authenticateWithNfc, registerWithNfc } from "./publicApi";
+export type {
+	PublicKeyCredentialCreationOptionsJSONWithNfc,
+	PublicKeyCredentialRequestOptionsJSONWithNfc,
+} from "./types";

package/src/parseResponses.ts

@@ -0,0 +1,67 @@
+import {
+  AuthenticationResponseJSON,
+  RegistrationResponseJSON,
+} from "@simplewebauthn/browser";
+import { parseAuthenticatorGetAssertionResponse } from "./ctap2/getAssertion";
+import { parseAuthenticatorMakeCredentialResponse } from "./ctap2/makeCredential";
+import { buildCollectedClientDataJSON } from "./helpers/clientData";
+import { toWebAuthnResponseJSON } from "./helpers/webauthnResponses";
+import {
+  PublicKeyCredentialCreationOptionsJSONWithNfc,
+  PublicKeyCredentialRequestOptionsJSONWithNfc,
+} from "./types";
+
+type ParseApduToWebAuthnInput =
+  | {
+      kind: "authentication";
+      apduResponse: Uint8Array;
+      request: PublicKeyCredentialRequestOptionsJSONWithNfc;
+    }
+  | {
+      kind: "registration";
+      apduResponse: Uint8Array;
+      request: PublicKeyCredentialCreationOptionsJSONWithNfc;
+    };
+
+export function parseApduToWebAuthnResponse(
+  input: Extract<ParseApduToWebAuthnInput, { kind: "authentication" }>,
+): AuthenticationResponseJSON;
+export function parseApduToWebAuthnResponse(
+  input: Extract<ParseApduToWebAuthnInput, { kind: "registration" }>,
+): RegistrationResponseJSON;
+export function parseApduToWebAuthnResponse(
+  input: ParseApduToWebAuthnInput,
+): AuthenticationResponseJSON | RegistrationResponseJSON {
+  if (input.kind === "authentication") {
+    const clientDataJSON = buildCollectedClientDataJSON("webauthn.get", {
+      challenge: input.request.challenge,
+      origin: input.request.origin,
+      crossOrigin: input.request.crossOrigin ?? false,
+      topOrigin: input.request.topOrigin,
+    });
+    const assertion = parseAuthenticatorGetAssertionResponse(
+      input.apduResponse,
+    );
+    return toWebAuthnResponseJSON({
+      kind: "authentication",
+      assertion,
+      credentialId: assertion.credential?.id,
+      clientDataJSON,
+    });
+  }
+
+  const clientDataJSON = buildCollectedClientDataJSON("webauthn.create", {
+    challenge: input.request.challenge,
+    origin: input.request.origin,
+    crossOrigin: input.request.crossOrigin ?? false,
+    topOrigin: input.request.topOrigin,
+  });
+  const credential = parseAuthenticatorMakeCredentialResponse(
+    input.apduResponse,
+  );
+  return toWebAuthnResponseJSON({
+    kind: "registration",
+    credential,
+    clientDataJSON,
+  });
+}

package/src/publicApi.ts

@@ -0,0 +1,152 @@
+import {
+  AuthenticationResponseJSON,
+  RegistrationResponseJSON,
+} from "@simplewebauthn/browser";
+import {
+  buildCborCommandApdu,
+  buildSelectFidoApduSegments,
+  splitExtendedApduForNfcTransmit,
+  transceiveNfcCtap2Command,
+} from "./apdu";
+
+import { encodeAuthenticatorGetAssertionRequest } from "./ctap2/getAssertion";
+import { encodeAuthenticatorMakeCredentialRequest } from "./ctap2/makeCredential";
+import {
+  authenticatorGetAssertionRequestFromPublicKeyCredentialRequestOptionsJSON,
+  authenticatorMakeCredentialRequestFromPublicKeyCredentialCreationOptionsJSON,
+} from "./helpers/fromWebAuthnJson";
+import { parseApduToWebAuthnResponse } from "./parseResponses";
+import { ApduError } from "./errors";
+import {
+  PublicKeyCredentialCreationOptionsJSONWithNfc,
+  PublicKeyCredentialRequestOptionsJSONWithNfc,
+} from "./types";
+
+/**
+ * Wraps `transceive` so failures and short reads get a stable {@link ApduError}
+ * with API/phase in the message. Re-throws {@link ApduError} from lower layers unchanged.
+ */
+function nfcTransceiveFor(
+  transceive: (apdu: Uint8Array) => Promise<Uint8Array>,
+  apiLabel: string,
+  phase: string,
+): (apdu: Uint8Array) => Promise<Uint8Array> {
+  const label = `${apiLabel} (${phase})`;
+  return async (apdu) => {
+    try {
+      const resp = await transceive(apdu);
+      if (resp.length < 2) {
+        throw new ApduError(
+          `${label}: response must include SW1/SW2 (got ${resp.length} byte(s))`,
+        );
+      }
+      return resp;
+    } catch (e) {
+      if (e instanceof ApduError) {
+        throw e;
+      }
+      throw new ApduError(
+        `${label}: ${e instanceof Error ? e.message : String(e)}`,
+        { cause: e },
+      );
+    }
+  };
+}
+
+async function runAuthenticateWithNfc(
+  args: PublicKeyCredentialRequestOptionsJSONWithNfc,
+  transceive: (apdu: Uint8Array) => Promise<Uint8Array>,
+): Promise<AuthenticationResponseJSON> {
+  await transceiveNfcCtap2Command(
+    buildSelectFidoApduSegments(),
+    nfcTransceiveFor(transceive, "authenticateWithNfc", "SELECT FIDO"),
+  );
+  const apduResponse = await transceiveNfcCtap2Command(
+    splitExtendedApduForNfcTransmit(
+      buildCborCommandApdu(
+        encodeAuthenticatorGetAssertionRequest(
+          authenticatorGetAssertionRequestFromPublicKeyCredentialRequestOptionsJSON(
+            args,
+          ),
+        ),
+      ),
+    ),
+    nfcTransceiveFor(transceive, "authenticateWithNfc", "getAssertion"),
+  );
+  return parseApduToWebAuthnResponse({
+    kind: "authentication",
+    apduResponse,
+    request: args,
+  });
+}
+
+/**
+ * NFC against a Java Card FIDO2 applet: SELECT FIDO AID, then getAssertion with
+ * short APDU chaining + GET RESPONSE.
+ *
+ */
+export async function authenticateWithNfc(
+  args: PublicKeyCredentialRequestOptionsJSONWithNfc,
+  transceive: (apdu: Uint8Array) => Promise<Uint8Array>,
+): Promise<AuthenticationResponseJSON> {
+  try {
+    return await runAuthenticateWithNfc(args, transceive);
+  } catch (e) {
+    if (e instanceof ApduError) {
+      throw e;
+    }
+    throw new ApduError(
+      `authenticateWithNfc: ${e instanceof Error ? e.message : String(e)}`,
+      { cause: e },
+    );
+  }
+}
+
+async function runRegisterWithNfc(
+  args: PublicKeyCredentialCreationOptionsJSONWithNfc,
+  transceive: (apdu: Uint8Array) => Promise<Uint8Array>,
+): Promise<RegistrationResponseJSON> {
+  await transceiveNfcCtap2Command(
+    buildSelectFidoApduSegments(),
+    nfcTransceiveFor(transceive, "registerWithNfc", "SELECT FIDO"),
+  );
+  const apduResponse = await transceiveNfcCtap2Command(
+    splitExtendedApduForNfcTransmit(
+      buildCborCommandApdu(
+        encodeAuthenticatorMakeCredentialRequest(
+          authenticatorMakeCredentialRequestFromPublicKeyCredentialCreationOptionsJSON(
+            args,
+          ),
+        ),
+      ),
+    ),
+    nfcTransceiveFor(transceive, "registerWithNfc", "makeCredential"),
+  );
+  return parseApduToWebAuthnResponse({
+    kind: "registration",
+    apduResponse,
+    request: args,
+  });
+}
+
+/**
+ * NFC against a Java Card FIDO2 applet: SELECT FIDO AID, then makeCredential with
+ * short APDU chaining + GET RESPONSE.
+ *
+ */
+export async function registerWithNfc(
+  args: PublicKeyCredentialCreationOptionsJSONWithNfc,
+  transceive: (apdu: Uint8Array) => Promise<Uint8Array>,
+): Promise<RegistrationResponseJSON> {
+  try {
+    return await runRegisterWithNfc(args, transceive);
+  } catch (e) {
+    if (e instanceof ApduError) {
+      throw e;
+    }
+    throw new ApduError(
+      `registerWithNfc: ${e instanceof Error ? e.message : String(e)}`,
+      { cause: e },
+    );
+  }
+}

package/src/types.ts

@@ -0,0 +1,16 @@
+import {
+  PublicKeyCredentialCreationOptionsJSON,
+  PublicKeyCredentialRequestOptionsJSON,
+} from "@simplewebauthn/browser";
+
+type NfcWebAuthnClientFields = {
+  origin: string;
+  crossOrigin?: boolean;
+  topOrigin?: string;
+};
+
+export type PublicKeyCredentialRequestOptionsJSONWithNfc =
+  PublicKeyCredentialRequestOptionsJSON & NfcWebAuthnClientFields;
+
+export type PublicKeyCredentialCreationOptionsJSONWithNfc =
+  PublicKeyCredentialCreationOptionsJSON & NfcWebAuthnClientFields;

package/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "commonjs",
+    "lib": ["ES2020", "DOM"],
+    "declaration": true,
+    "declarationMap": true,
+    "outDir": "lib",
+    "rootDir": "src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "moduleResolution": "node"
+  },
+  "include": ["src/**/*"]
+}