@simplewebauthn/server 10.0.0 → 10.0.1

package/esm/helpers/iso/isoCrypto/unwrapEC2Signature.d.ts

@@ -1,6 +1,7 @@
+import { COSECRV } from '../../cose.js';
 /**
  * In WebAuthn, EC2 signatures are wrapped in ASN.1 structure so we need to peel r and s apart.
  *
  * See https://www.w3.org/TR/webauthn-2/#sctn-signature-attestation-types
  */
-export declare function unwrapEC2Signature(signature: Uint8Array): Uint8Array;
+export declare function unwrapEC2Signature(signature: Uint8Array, crv: COSECRV): Uint8Array;

package/esm/helpers/iso/isoCrypto/unwrapEC2Signature.js

@@ -1,30 +1,72 @@
 import { AsnParser, ECDSASigValue } from '../../../deps.js';
+import { COSECRV } from '../../cose.js';
 import { isoUint8Array } from '../index.js';
 /**
  * In WebAuthn, EC2 signatures are wrapped in ASN.1 structure so we need to peel r and s apart.
  *
  * See https://www.w3.org/TR/webauthn-2/#sctn-signature-attestation-types
  */
-export function unwrapEC2Signature(signature) {
+export function unwrapEC2Signature(signature, crv) {
     const parsedSignature = AsnParser.parse(signature, ECDSASigValue);
-    let rBytes = new Uint8Array(parsedSignature.r);
-    let sBytes = new Uint8Array(parsedSignature.s);
-    if (shouldRemoveLeadingZero(rBytes)) {
-        rBytes = rBytes.slice(1);
-    }
-    if (shouldRemoveLeadingZero(sBytes)) {
-        sBytes = sBytes.slice(1);
-    }
-    const finalSignature = isoUint8Array.concat([rBytes, sBytes]);
+    const rBytes = new Uint8Array(parsedSignature.r);
+    const sBytes = new Uint8Array(parsedSignature.s);
+    const componentLength = getSignatureComponentLength(crv);
+    const rNormalizedBytes = toNormalizedBytes(rBytes, componentLength);
+    const sNormalizedBytes = toNormalizedBytes(sBytes, componentLength);
+    const finalSignature = isoUint8Array.concat([
+        rNormalizedBytes,
+        sNormalizedBytes,
+    ]);
     return finalSignature;
 }
 /**
- * Determine if the DER-specific `00` byte at the start of an ECDSA signature byte sequence
- * should be removed based on the following logic:
+ * The SubtleCrypto Web Crypto API expects ECDSA signatures with `r` and `s` values to be encoded
+ * to a specific length depending on the order of the curve. This function returns the expected
+ * byte-length for each of the `r` and `s` signature components.
+ *
+ * See <https://www.w3.org/TR/WebCryptoAPI/#ecdsa-operations>
+ */
+function getSignatureComponentLength(crv) {
+    switch (crv) {
+        case COSECRV.P256:
+            return 32;
+        case COSECRV.P384:
+            return 48;
+        case COSECRV.P521:
+            return 66;
+        default:
+            throw new Error(`Unexpected COSE crv value of ${crv} (EC2)`);
+    }
+}
+/**
+ * Converts the ASN.1 integer representation to bytes of a specific length `n`.
+ *
+ * DER encodes integers as big-endian byte arrays, with as small as possible representation and
+ * requires a leading `0` byte to disambiguate between negative and positive numbers. This means
+ * that `r` and `s` can potentially not be the expected byte-length that is needed by the
+ * SubtleCrypto Web Crypto API: if there are leading `0`s it can be shorter than expected, and if
+ * it has a leading `1` bit, it can be one byte longer.
  *
- * "If the leading byte is 0x0, and the the high order bit on the second byte is not set to 0,
- * then remove the leading 0x0 byte"
+ * See <https://www.itu.int/rec/T-REC-X.690-202102-I/en>
+ * See <https://www.w3.org/TR/WebCryptoAPI/#ecdsa-operations>
  */
-function shouldRemoveLeadingZero(bytes) {
-    return bytes[0] === 0x0 && (bytes[1] & (1 << 7)) !== 0;
+function toNormalizedBytes(bytes, componentLength) {
+    let normalizedBytes;
+    if (bytes.length < componentLength) {
+        // In case the bytes are shorter than expected, we need to pad it with leading `0`s.
+        normalizedBytes = new Uint8Array(componentLength);
+        normalizedBytes.set(bytes, componentLength - bytes.length);
+    }
+    else if (bytes.length === componentLength) {
+        normalizedBytes = bytes;
+    }
+    else if (bytes.length === componentLength + 1 && bytes[0] === 0 && (bytes[1] & 0x80) === 0x80) {
+        // The bytes contain a leading `0` to encode that the integer is positive. This leading `0`
+        // needs to be removed for compatibility with the SubtleCrypto Web Crypto API.
+        normalizedBytes = bytes.subarray(1);
+    }
+    else {
+        throw new Error(`Invalid signature component length ${bytes.length}, expected ${componentLength}`);
+    }
+    return normalizedBytes;
 }

package/esm/helpers/iso/isoCrypto/verify.js

@@ -1,4 +1,4 @@
-import { COSEKEYS, isCOSEPublicKeyEC2, isCOSEPublicKeyOKP, isCOSEPublicKeyRSA, } from '../../cose.js';
+import { COSEKEYS, isCOSECrv, isCOSEPublicKeyEC2, isCOSEPublicKeyOKP, isCOSEPublicKeyRSA, } from '../../cose.js';
 import { verifyEC2 } from './verifyEC2.js';
 import { verifyRSA } from './verifyRSA.js';
 import { verifyOKP } from './verifyOKP.js';
@@ -9,7 +9,11 @@ import { unwrapEC2Signature } from './unwrapEC2Signature.js';
 export function verify(opts) {
     const { cosePublicKey, signature, data, shaHashOverride } = opts;
     if (isCOSEPublicKeyEC2(cosePublicKey)) {
-        const unwrappedSignature = unwrapEC2Signature(signature);
+        const crv = cosePublicKey.get(COSEKEYS.crv);
+        if (!isCOSECrv(crv)) {
+            throw new Error(`unknown COSE curve ${crv}`);
+        }
+        const unwrappedSignature = unwrapEC2Signature(signature, crv);
         return verifyEC2({
             cosePublicKey,
             signature: unwrappedSignature,

package/package.json

@@ -2,7 +2,7 @@
   "module": "./esm/index.js",
   "main": "./script/index.js",
   "name": "@simplewebauthn/server",
-  "version": "10.0.0",
+  "version": "10.0.1",
   "description": "SimpleWebAuthn for Servers",
   "license": "MIT",
   "author": "Matthew Miller <matthew@millerti.me>",

package/script/helpers/iso/isoCrypto/unwrapEC2Signature.d.ts

@@ -1,6 +1,7 @@
+import { COSECRV } from '../../cose.js';
 /**
  * In WebAuthn, EC2 signatures are wrapped in ASN.1 structure so we need to peel r and s apart.
  *
  * See https://www.w3.org/TR/webauthn-2/#sctn-signature-attestation-types
  */
-export declare function unwrapEC2Signature(signature: Uint8Array): Uint8Array;
+export declare function unwrapEC2Signature(signature: Uint8Array, crv: COSECRV): Uint8Array;

package/script/helpers/iso/isoCrypto/unwrapEC2Signature.js

@@ -2,33 +2,75 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.unwrapEC2Signature = void 0;
 const deps_js_1 = require("../../../deps.js");
+const cose_js_1 = require("../../cose.js");
 const index_js_1 = require("../index.js");
 /**
  * In WebAuthn, EC2 signatures are wrapped in ASN.1 structure so we need to peel r and s apart.
  *
  * See https://www.w3.org/TR/webauthn-2/#sctn-signature-attestation-types
  */
-function unwrapEC2Signature(signature) {
+function unwrapEC2Signature(signature, crv) {
     const parsedSignature = deps_js_1.AsnParser.parse(signature, deps_js_1.ECDSASigValue);
-    let rBytes = new Uint8Array(parsedSignature.r);
-    let sBytes = new Uint8Array(parsedSignature.s);
-    if (shouldRemoveLeadingZero(rBytes)) {
-        rBytes = rBytes.slice(1);
-    }
-    if (shouldRemoveLeadingZero(sBytes)) {
-        sBytes = sBytes.slice(1);
-    }
-    const finalSignature = index_js_1.isoUint8Array.concat([rBytes, sBytes]);
+    const rBytes = new Uint8Array(parsedSignature.r);
+    const sBytes = new Uint8Array(parsedSignature.s);
+    const componentLength = getSignatureComponentLength(crv);
+    const rNormalizedBytes = toNormalizedBytes(rBytes, componentLength);
+    const sNormalizedBytes = toNormalizedBytes(sBytes, componentLength);
+    const finalSignature = index_js_1.isoUint8Array.concat([
+        rNormalizedBytes,
+        sNormalizedBytes,
+    ]);
     return finalSignature;
 }
 exports.unwrapEC2Signature = unwrapEC2Signature;
 /**
- * Determine if the DER-specific `00` byte at the start of an ECDSA signature byte sequence
- * should be removed based on the following logic:
+ * The SubtleCrypto Web Crypto API expects ECDSA signatures with `r` and `s` values to be encoded
+ * to a specific length depending on the order of the curve. This function returns the expected
+ * byte-length for each of the `r` and `s` signature components.
+ *
+ * See <https://www.w3.org/TR/WebCryptoAPI/#ecdsa-operations>
+ */
+function getSignatureComponentLength(crv) {
+    switch (crv) {
+        case cose_js_1.COSECRV.P256:
+            return 32;
+        case cose_js_1.COSECRV.P384:
+            return 48;
+        case cose_js_1.COSECRV.P521:
+            return 66;
+        default:
+            throw new Error(`Unexpected COSE crv value of ${crv} (EC2)`);
+    }
+}
+/**
+ * Converts the ASN.1 integer representation to bytes of a specific length `n`.
+ *
+ * DER encodes integers as big-endian byte arrays, with as small as possible representation and
+ * requires a leading `0` byte to disambiguate between negative and positive numbers. This means
+ * that `r` and `s` can potentially not be the expected byte-length that is needed by the
+ * SubtleCrypto Web Crypto API: if there are leading `0`s it can be shorter than expected, and if
+ * it has a leading `1` bit, it can be one byte longer.
  *
- * "If the leading byte is 0x0, and the the high order bit on the second byte is not set to 0,
- * then remove the leading 0x0 byte"
+ * See <https://www.itu.int/rec/T-REC-X.690-202102-I/en>
+ * See <https://www.w3.org/TR/WebCryptoAPI/#ecdsa-operations>
  */
-function shouldRemoveLeadingZero(bytes) {
-    return bytes[0] === 0x0 && (bytes[1] & (1 << 7)) !== 0;
+function toNormalizedBytes(bytes, componentLength) {
+    let normalizedBytes;
+    if (bytes.length < componentLength) {
+        // In case the bytes are shorter than expected, we need to pad it with leading `0`s.
+        normalizedBytes = new Uint8Array(componentLength);
+        normalizedBytes.set(bytes, componentLength - bytes.length);
+    }
+    else if (bytes.length === componentLength) {
+        normalizedBytes = bytes;
+    }
+    else if (bytes.length === componentLength + 1 && bytes[0] === 0 && (bytes[1] & 0x80) === 0x80) {
+        // The bytes contain a leading `0` to encode that the integer is positive. This leading `0`
+        // needs to be removed for compatibility with the SubtleCrypto Web Crypto API.
+        normalizedBytes = bytes.subarray(1);
+    }
+    else {
+        throw new Error(`Invalid signature component length ${bytes.length}, expected ${componentLength}`);
+    }
+    return normalizedBytes;
 }

package/script/helpers/iso/isoCrypto/verify.js

@@ -12,7 +12,11 @@ const unwrapEC2Signature_js_1 = require("./unwrapEC2Signature.js");
 function verify(opts) {
     const { cosePublicKey, signature, data, shaHashOverride } = opts;
     if ((0, cose_js_1.isCOSEPublicKeyEC2)(cosePublicKey)) {
-        const unwrappedSignature = (0, unwrapEC2Signature_js_1.unwrapEC2Signature)(signature);
+        const crv = cosePublicKey.get(cose_js_1.COSEKEYS.crv);
+        if (!(0, cose_js_1.isCOSECrv)(crv)) {
+            throw new Error(`unknown COSE curve ${crv}`);
+        }
+        const unwrappedSignature = (0, unwrapEC2Signature_js_1.unwrapEC2Signature)(signature, crv);
         return (0, verifyEC2_js_1.verifyEC2)({
             cosePublicKey,
             signature: unwrappedSignature,