@simplewebauthn/server 11.0.0 → 13.0.0-alpha1

package/script/helpers/iso/isoUint8Array.js

@@ -1,6 +1,17 @@
 "use strict";
+/**
+ * A runtime-agnostic collection of methods for working with Uint8Arrays
+ * @module
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.toDataView = exports.fromASCIIString = exports.fromUTF8String = exports.toUTF8String = exports.concat = exports.fromHex = exports.toHex = exports.areEqual = void 0;
+exports.areEqual = areEqual;
+exports.toHex = toHex;
+exports.fromHex = fromHex;
+exports.concat = concat;
+exports.toUTF8String = toUTF8String;
+exports.fromUTF8String = fromUTF8String;
+exports.fromASCIIString = fromASCIIString;
+exports.toDataView = toDataView;
 /**
  * Make sure two Uint8Arrays are deeply equivalent
  */
@@ -10,7 +21,6 @@ function areEqual(array1, array2) {
     }
     return array1.every((val, i) => val === array2[i]);
 }
-exports.areEqual = areEqual;
 /**
  * Convert a Uint8Array to Hexadecimal.
  *
@@ -21,7 +31,6 @@ function toHex(array) {
     // adce000235bcc60a648b0b25f1f05503
     return hexParts.join('');
 }
-exports.toHex = toHex;
 /**
  * Convert a hexadecimal string to isoUint8Array.
  *
@@ -39,7 +48,6 @@ function fromHex(hex) {
     const byteStrings = hex.match(/.{1,2}/g) ?? [];
     return Uint8Array.from(byteStrings.map((byte) => parseInt(byte, 16)));
 }
-exports.fromHex = fromHex;
 /**
  * Combine multiple Uint8Arrays into a single Uint8Array
  */
@@ -53,7 +61,6 @@ function concat(arrays) {
     });
     return toReturn;
 }
-exports.concat = concat;
 /**
  * Convert bytes into a UTF-8 string
  */
@@ -61,7 +68,6 @@ function toUTF8String(array) {
     const decoder = new globalThis.TextDecoder('utf-8');
     return decoder.decode(array);
 }
-exports.toUTF8String = toUTF8String;
 /**
  * Convert a UTF-8 string back into bytes
  */
@@ -69,18 +75,15 @@ function fromUTF8String(utf8String) {
     const encoder = new globalThis.TextEncoder();
     return encoder.encode(utf8String);
 }
-exports.fromUTF8String = fromUTF8String;
 /**
  * Convert an ASCII string to Uint8Array
  */
 function fromASCIIString(value) {
     return Uint8Array.from(value.split('').map((x) => x.charCodeAt(0)));
 }
-exports.fromASCIIString = fromASCIIString;
 /**
  * Prepare a DataView we can slice our way around in as we parse the bytes in a Uint8Array
  */
 function toDataView(array) {
     return new DataView(array.buffer, array.byteOffset, array.length);
 }
-exports.toDataView = toDataView;

package/script/helpers/logging.d.ts

@@ -13,3 +13,4 @@
  * ```
  */
 export declare function getLogger(_name: string): (message: string, ..._rest: unknown[]) => void;
+//# sourceMappingURL=logging.d.ts.map

package/script/helpers/logging.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logging.d.ts","sourceRoot":"","sources":["../../src/helpers/logging.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;GAaG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,KAAK,EAAE,OAAO,EAAE,KAAK,IAAI,CAGvF"}

package/script/helpers/logging.js

@@ -1,8 +1,7 @@
 "use strict";
-// import { debug, Debugger } from '../deps.ts';
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.getLogger = void 0;
 // const defaultLogger = debug('SimpleWebAuthn');
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getLogger = getLogger;
 /**
  * Generate an instance of a `debug` logger that extends off of the "simplewebauthn" namespace for
  * consistent naming.
@@ -21,4 +20,3 @@ function getLogger(_name) {
     // This is a noop for now while I search for a better debug logger technique
     return (_message, ..._rest) => { };
 }
-exports.getLogger = getLogger;

package/script/helpers/mapX509SignatureAlgToCOSEAlg.d.ts

@@ -6,3 +6,4 @@ import { COSEALG } from './cose.js';
  * - RSA OIDs: https://oidref.com/1.2.840.113549.1.1
  */
 export declare function mapX509SignatureAlgToCOSEAlg(signatureAlgorithm: string): COSEALG;
+//# sourceMappingURL=mapX509SignatureAlgToCOSEAlg.d.ts.map

package/script/helpers/mapX509SignatureAlgToCOSEAlg.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mapX509SignatureAlgToCOSEAlg.d.ts","sourceRoot":"","sources":["../../src/helpers/mapX509SignatureAlgToCOSEAlg.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC;;;;;GAKG;AACH,wBAAgB,4BAA4B,CAC1C,kBAAkB,EAAE,MAAM,GACzB,OAAO,CAwBT"}

package/script/helpers/mapX509SignatureAlgToCOSEAlg.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.mapX509SignatureAlgToCOSEAlg = void 0;
+exports.mapX509SignatureAlgToCOSEAlg = mapX509SignatureAlgToCOSEAlg;
 const cose_js_1 = require("./cose.js");
 /**
  * Map X.509 signature algorithm OIDs to COSE algorithm IDs
@@ -36,4 +36,3 @@ function mapX509SignatureAlgToCOSEAlg(signatureAlgorithm) {
     }
     return alg;
 }
-exports.mapX509SignatureAlgToCOSEAlg = mapX509SignatureAlgToCOSEAlg;

package/script/helpers/matchExpectedRPID.d.ts

@@ -5,3 +5,4 @@
  * Raises an `UnexpectedRPIDHash` error if no match is found
  */
 export declare function matchExpectedRPID(rpIDHash: Uint8Array, expectedRPIDs: string[]): Promise<string>;
+//# sourceMappingURL=matchExpectedRPID.d.ts.map

package/script/helpers/matchExpectedRPID.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"matchExpectedRPID.d.ts","sourceRoot":"","sources":["../../src/helpers/matchExpectedRPID.ts"],"names":[],"mappings":"AAGA;;;;;GAKG;AACH,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,UAAU,EACpB,aAAa,EAAE,MAAM,EAAE,GACtB,OAAO,CAAC,MAAM,CAAC,CA8BjB"}

package/script/helpers/matchExpectedRPID.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.matchExpectedRPID = void 0;
+exports.matchExpectedRPID = matchExpectedRPID;
 const toHash_js_1 = require("./toHash.js");
 const index_js_1 = require("./iso/index.js");
 /**
@@ -35,7 +35,6 @@ async function matchExpectedRPID(rpIDHash, expectedRPIDs) {
         throw err;
     }
 }
-exports.matchExpectedRPID = matchExpectedRPID;
 class UnexpectedRPIDHash extends Error {
     constructor() {
         const message = 'Unexpected RP ID hash';

package/script/helpers/parseAuthenticatorData.d.ts

@@ -23,6 +23,11 @@ export type ParsedAuthenticatorData = {
     extensionsData?: AuthenticationExtensionsAuthenticatorOutputs;
     extensionsDataBuffer?: Uint8Array;
 };
+/**
+ * Make it possible to stub the return value during testing
+ * @ignore Don't include this in docs output
+ */
 export declare const _parseAuthenticatorDataInternals: {
     stubThis: (value: ParsedAuthenticatorData) => ParsedAuthenticatorData;
 };
+//# sourceMappingURL=parseAuthenticatorData.d.ts.map

package/script/helpers/parseAuthenticatorData.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parseAuthenticatorData.d.ts","sourceRoot":"","sources":["../../src/helpers/parseAuthenticatorData.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,4CAA4C,EAE7C,MAAM,oCAAoC,CAAC;AAI5C;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,UAAU,GACnB,uBAAuB,CAwHzB;AAED,MAAM,MAAM,uBAAuB,GAAG;IACpC,QAAQ,EAAE,UAAU,CAAC;IACrB,QAAQ,EAAE,UAAU,CAAC;IACrB,KAAK,EAAE;QACL,EAAE,EAAE,OAAO,CAAC;QACZ,EAAE,EAAE,OAAO,CAAC;QACZ,EAAE,EAAE,OAAO,CAAC;QACZ,EAAE,EAAE,OAAO,CAAC;QACZ,EAAE,EAAE,OAAO,CAAC;QACZ,EAAE,EAAE,OAAO,CAAC;QACZ,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,UAAU,CAAC;IACvB,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,YAAY,CAAC,EAAE,UAAU,CAAC;IAC1B,mBAAmB,CAAC,EAAE,UAAU,CAAC;IACjC,cAAc,CAAC,EAAE,4CAA4C,CAAC;IAC9D,oBAAoB,CAAC,EAAE,UAAU,CAAC;CACnC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,gCAAgC;sBACzB,uBAAuB;CAC1C,CAAC"}

package/script/helpers/parseAuthenticatorData.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports._parseAuthenticatorDataInternals = exports.parseAuthenticatorData = void 0;
+exports._parseAuthenticatorDataInternals = void 0;
+exports.parseAuthenticatorData = parseAuthenticatorData;
 const decodeAuthenticatorExtensions_js_1 = require("./decodeAuthenticatorExtensions.js");
 const index_js_1 = require("./iso/index.js");
 /**
@@ -18,12 +19,12 @@ function parseAuthenticatorData(authData) {
     // Bit positions can be referenced here:
     // https://www.w3.org/TR/webauthn-2/#flags
     const flags = {
-        up: !!(flagsInt & (1 << 0)),
-        uv: !!(flagsInt & (1 << 2)),
-        be: !!(flagsInt & (1 << 3)),
-        bs: !!(flagsInt & (1 << 4)),
-        at: !!(flagsInt & (1 << 6)),
-        ed: !!(flagsInt & (1 << 7)),
+        up: !!(flagsInt & (1 << 0)), // User Presence
+        uv: !!(flagsInt & (1 << 2)), // User Verified
+        be: !!(flagsInt & (1 << 3)), // Backup Eligibility
+        bs: !!(flagsInt & (1 << 4)), // Backup State
+        at: !!(flagsInt & (1 << 6)), // Attested Credential Data Present
+        ed: !!(flagsInt & (1 << 7)), // Extension Data Present
         flagsInt,
     };
     const counterBuf = authData.slice(pointer, pointer + 4);
@@ -100,8 +101,10 @@ function parseAuthenticatorData(authData) {
         extensionsDataBuffer,
     });
 }
-exports.parseAuthenticatorData = parseAuthenticatorData;
-// Make it possible to stub the return value during testing
+/**
+ * Make it possible to stub the return value during testing
+ * @ignore Don't include this in docs output
+ */
 exports._parseAuthenticatorDataInternals = {
     stubThis: (value) => value,
 };

package/script/helpers/parseBackupFlags.d.ts

@@ -1,4 +1,4 @@
-import type { CredentialDeviceType } from '../deps.js';
+import type { CredentialDeviceType } from '../types/index.js';
 /**
  * Make sense of Bits 3 and 4 in authenticator indicating:
  *
@@ -17,3 +17,4 @@ export declare function parseBackupFlags({ be, bs }: {
 export declare class InvalidBackupFlags extends Error {
     constructor(message: string);
 }
+//# sourceMappingURL=parseBackupFlags.d.ts.map

package/script/helpers/parseBackupFlags.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parseBackupFlags.d.ts","sourceRoot":"","sources":["../../src/helpers/parseBackupFlags.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAE9D;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,EAAE,EAAE,OAAO,CAAA;CAAE,GAAG;IAC1E,oBAAoB,EAAE,oBAAoB,CAAC;IAC3C,kBAAkB,EAAE,OAAO,CAAC;CAC7B,CAeA;AAED,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM;CAI5B"}

package/script/helpers/parseBackupFlags.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.InvalidBackupFlags = exports.parseBackupFlags = void 0;
+exports.InvalidBackupFlags = void 0;
+exports.parseBackupFlags = parseBackupFlags;
 /**
  * Make sense of Bits 3 and 4 in authenticator indicating:
  *
@@ -20,7 +21,6 @@ function parseBackupFlags({ be, bs }) {
     }
     return { credentialDeviceType, credentialBackedUp };
 }
-exports.parseBackupFlags = parseBackupFlags;
 class InvalidBackupFlags extends Error {
     constructor(message) {
         super(message);

package/script/helpers/toHash.d.ts

@@ -4,3 +4,4 @@ import { COSEALG } from './cose.js';
  * SHA-256.
  */
 export declare function toHash(data: Uint8Array | string, algorithm?: COSEALG): Promise<Uint8Array>;
+//# sourceMappingURL=toHash.d.ts.map

package/script/helpers/toHash.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"toHash.d.ts","sourceRoot":"","sources":["../../src/helpers/toHash.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGpC;;;GAGG;AACH,wBAAgB,MAAM,CACpB,IAAI,EAAE,UAAU,GAAG,MAAM,EACzB,SAAS,GAAE,OAAY,GACtB,OAAO,CAAC,UAAU,CAAC,CAQrB"}

package/script/helpers/toHash.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.toHash = void 0;
+exports.toHash = toHash;
 const index_js_1 = require("./iso/index.js");
 /**
  * Returns hash digest of the given data, using the given algorithm when provided. Defaults to using
@@ -13,4 +13,3 @@ function toHash(data, algorithm = -7) {
     const digest = index_js_1.isoCrypto.digest(data, algorithm);
     return digest;
 }
-exports.toHash = toHash;

package/script/helpers/validateCertificatePath.d.ts

@@ -1,6 +1,7 @@
 /**
  * Traverse an array of PEM certificates and ensure they form a proper chain
- * @param certificates Typically the result of `x5c.map(convertASN1toPEM)`
- * @param rootCertificates Possible root certificates to complete the path
+ * @param x5cCertsPEM Typically the result of `x5c.map(convertASN1toPEM)`
+ * @param trustAnchorsPEM PEM-formatted certs that an attestation statement x5c may chain back to
  */
-export declare function validateCertificatePath(certificates: string[], rootCertificates?: string[]): Promise<boolean>;
+export declare function validateCertificatePath(x5cCertsPEM: string[], trustAnchorsPEM?: string[]): Promise<boolean>;
+//# sourceMappingURL=validateCertificatePath.d.ts.map

package/script/helpers/validateCertificatePath.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validateCertificatePath.d.ts","sourceRoot":"","sources":["../../src/helpers/validateCertificatePath.ts"],"names":[],"mappings":"AASA;;;;GAIG;AACH,wBAAsB,uBAAuB,CAC3C,WAAW,EAAE,MAAM,EAAE,EACrB,eAAe,GAAE,MAAM,EAAO,GAC7B,OAAO,CAAC,OAAO,CAAC,CAsClB"}

package/script/helpers/validateCertificatePath.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.validateCertificatePath = void 0;
-const deps_js_1 = require("../deps.js");
+exports.validateCertificatePath = validateCertificatePath;
+const asn1_schema_1 = require("@peculiar/asn1-schema");
 const isCertRevoked_js_1 = require("./isCertRevoked.js");
 const verifySignature_js_1 = require("./verifySignature.js");
 const mapX509SignatureAlgToCOSEAlg_js_1 = require("./mapX509SignatureAlgToCOSEAlg.js");
@@ -9,23 +9,22 @@ const getCertificateInfo_js_1 = require("./getCertificateInfo.js");
 const convertPEMToBytes_js_1 = require("./convertPEMToBytes.js");
 /**
  * Traverse an array of PEM certificates and ensure they form a proper chain
- * @param certificates Typically the result of `x5c.map(convertASN1toPEM)`
- * @param rootCertificates Possible root certificates to complete the path
+ * @param x5cCertsPEM Typically the result of `x5c.map(convertASN1toPEM)`
+ * @param trustAnchorsPEM PEM-formatted certs that an attestation statement x5c may chain back to
  */
-async function validateCertificatePath(certificates, rootCertificates = []) {
-    if (rootCertificates.length === 0) {
-        // We have no root certs with which to create a full path, so skip path validation
-        // TODO: Is this going to be acceptable default behavior??
+async function validateCertificatePath(x5cCertsPEM, trustAnchorsPEM = []) {
+    if (trustAnchorsPEM.length === 0) {
+        // We have no trust anchors to chain back to, so skip path validation
         return true;
     }
     let invalidSubjectAndIssuerError = false;
     let certificateNotYetValidOrExpiredErrorMessage = undefined;
-    for (const rootCert of rootCertificates) {
+    for (const anchorPEM of trustAnchorsPEM) {
         try {
-            const certsWithRoot = certificates.concat([rootCert]);
-            await _validatePath(certsWithRoot);
+            const certsWithTrustAnchor = x5cCertsPEM.concat([anchorPEM]);
+            await _validatePath(certsWithTrustAnchor);
             // If we successfully validated a path then there's no need to continue. Reset any existing
-            // errors that were thrown by earlier root certificates
+            // errors that were thrown by earlier trust anchors
             invalidSubjectAndIssuerError = false;
             certificateNotYetValidOrExpiredErrorMessage = undefined;
             break;
@@ -42,7 +41,7 @@ async function validateCertificatePath(certificates, rootCertificates = []) {
             }
         }
     }
-    // We tried multiple root certs and none of them worked
+    // We tried multiple trust anchors and none of them worked
     if (invalidSubjectAndIssuerError) {
         throw new InvalidSubjectAndIssuer();
     }
@@ -51,65 +50,81 @@ async function validateCertificatePath(certificates, rootCertificates = []) {
     }
     return true;
 }
-exports.validateCertificatePath = validateCertificatePath;
-async function _validatePath(certificates) {
-    if (new Set(certificates).size !== certificates.length) {
+/**
+ * @param x5cCerts X.509 `x5c` certs in PEM string format
+ * @param anchorCert X.509 trust anchor cert in PEM string format
+ */
+async function _validatePath(x5cCertsWithTrustAnchorPEM) {
+    if (new Set(x5cCertsWithTrustAnchorPEM).size !== x5cCertsWithTrustAnchorPEM.length) {
         throw new Error('Invalid certificate path: found duplicate certificates');
     }
-    // From leaf to root, make sure each cert is issued by the next certificate in the chain
-    for (let i = 0; i < certificates.length; i += 1) {
-        const subjectPem = certificates[i];
-        const isLeafCert = i === 0;
-        const isRootCert = i + 1 >= certificates.length;
-        let issuerPem = '';
-        if (isRootCert) {
-            issuerPem = subjectPem;
-        }
-        else {
-            issuerPem = certificates[i + 1];
-        }
+    // Make sure no certs are revoked, and all are within their time validity window
+    for (const certificatePEM of x5cCertsWithTrustAnchorPEM) {
+        const certInfo = (0, getCertificateInfo_js_1.getCertificateInfo)((0, convertPEMToBytes_js_1.convertPEMToBytes)(certificatePEM));
+        await assertCertNotRevoked(certInfo.parsedCertificate);
+        assertCertIsWithinValidTimeWindow(certInfo, certificatePEM);
+    }
+    // Make sure each x5c cert is issued by the next certificate in the chain
+    for (let i = 0; i < (x5cCertsWithTrustAnchorPEM.length - 1); i += 1) {
+        const subjectPem = x5cCertsWithTrustAnchorPEM[i];
+        const issuerPem = x5cCertsWithTrustAnchorPEM[i + 1];
         const subjectInfo = (0, getCertificateInfo_js_1.getCertificateInfo)((0, convertPEMToBytes_js_1.convertPEMToBytes)(subjectPem));
         const issuerInfo = (0, getCertificateInfo_js_1.getCertificateInfo)((0, convertPEMToBytes_js_1.convertPEMToBytes)(issuerPem));
-        const x509Subject = subjectInfo.parsedCertificate;
-        // Check for certificate revocation
-        const subjectCertRevoked = await (0, isCertRevoked_js_1.isCertRevoked)(x509Subject);
-        if (subjectCertRevoked) {
-            throw new Error(`Found revoked certificate in certificate path`);
-        }
-        // Check that intermediate certificate is within its valid time window
-        const { notBefore, notAfter } = issuerInfo;
-        const now = new Date(Date.now());
-        if (notBefore > now || notAfter < now) {
-            if (isLeafCert) {
-                throw new CertificateNotYetValidOrExpired(`Leaf certificate is not yet valid or expired: ${issuerPem}`);
-            }
-            else if (isRootCert) {
-                throw new CertificateNotYetValidOrExpired(`Root certificate is not yet valid or expired: ${issuerPem}`);
-            }
-            else {
-                throw new CertificateNotYetValidOrExpired(`Intermediate certificate is not yet valid or expired: ${issuerPem}`);
-            }
-        }
+        // Make sure subject issuer is issuer subject
         if (subjectInfo.issuer.combined !== issuerInfo.subject.combined) {
             throw new InvalidSubjectAndIssuer();
         }
-        // Verify the subject certificate's signature with the issuer cert's public key
-        const data = deps_js_1.AsnSerializer.serialize(x509Subject.tbsCertificate);
-        const signature = x509Subject.signatureValue;
-        const signatureAlgorithm = (0, mapX509SignatureAlgToCOSEAlg_js_1.mapX509SignatureAlgToCOSEAlg)(x509Subject.signatureAlgorithm.algorithm);
-        const issuerCertBytes = (0, convertPEMToBytes_js_1.convertPEMToBytes)(issuerPem);
-        const verified = await (0, verifySignature_js_1.verifySignature)({
-            data: new Uint8Array(data),
-            signature: new Uint8Array(signature),
-            x509Certificate: issuerCertBytes,
-            hashAlgorithm: signatureAlgorithm,
-        });
-        if (!verified) {
-            throw new Error('Invalid certificate path: invalid signature');
+        const issuerCertIsRootCert = issuerInfo.issuer.combined === issuerInfo.subject.combined;
+        await assertSubjectIsSignedByIssuer(subjectInfo.parsedCertificate, issuerPem);
+        // Perform one final check if the issuer cert is also a root certificate
+        if (issuerCertIsRootCert) {
+            await assertSubjectIsSignedByIssuer(issuerInfo.parsedCertificate, issuerPem);
         }
     }
     return true;
 }
+/**
+ * Check if the certificate is revoked or not. If it is, raise an error
+ */
+async function assertCertNotRevoked(certificate) {
+    // Check for certificate revocation
+    const subjectCertRevoked = await (0, isCertRevoked_js_1.isCertRevoked)(certificate);
+    if (subjectCertRevoked) {
+        throw new Error(`Found revoked certificate in certificate path`);
+    }
+}
+/**
+ * Require the cert to be within its notBefore and notAfter time window
+ *
+ * @param certInfo Parsed cert information
+ * @param certPEM PEM-formatted certificate, for error reporting
+ */
+function assertCertIsWithinValidTimeWindow(certInfo, certPEM) {
+    const { notBefore, notAfter } = certInfo;
+    const now = new Date(Date.now());
+    if (notBefore > now || notAfter < now) {
+        throw new CertificateNotYetValidOrExpired(`Certificate is not yet valid or expired: ${certPEM}`);
+    }
+}
+/**
+ * Ensure that the subject cert has been signed by the next cert in the chain
+ */
+async function assertSubjectIsSignedByIssuer(subjectCert, issuerPEM) {
+    // Verify the subject certificate's signature with the issuer cert's public key
+    const data = asn1_schema_1.AsnSerializer.serialize(subjectCert.tbsCertificate);
+    const signature = subjectCert.signatureValue;
+    const signatureAlgorithm = (0, mapX509SignatureAlgToCOSEAlg_js_1.mapX509SignatureAlgToCOSEAlg)(subjectCert.signatureAlgorithm.algorithm);
+    const issuerCertBytes = (0, convertPEMToBytes_js_1.convertPEMToBytes)(issuerPEM);
+    const verified = await (0, verifySignature_js_1.verifySignature)({
+        data: new Uint8Array(data),
+        signature: new Uint8Array(signature),
+        x509Certificate: issuerCertBytes,
+        hashAlgorithm: signatureAlgorithm,
+    });
+    if (!verified) {
+        throw new InvalidSubjectSignatureForIssuer();
+    }
+}
 // Custom errors to help pass on certain errors
 class InvalidSubjectAndIssuer extends Error {
     constructor() {
@@ -118,6 +133,13 @@ class InvalidSubjectAndIssuer extends Error {
         this.name = 'InvalidSubjectAndIssuer';
     }
 }
+class InvalidSubjectSignatureForIssuer extends Error {
+    constructor() {
+        const message = 'Subject signature was invalid for issuer';
+        super(message);
+        this.name = 'InvalidSubjectSignatureForIssuer';
+    }
+}
 class CertificateNotYetValidOrExpired extends Error {
     constructor(message) {
         super(message);

package/script/helpers/validateExtFIDOGenCEAAGUID.d.ts

@@ -1,6 +1,7 @@
-import { Extensions } from '../deps.js';
+import { Extensions } from '@peculiar/asn1-x509';
 /**
  * Look for the id-fido-gen-ce-aaguid certificate extension. If it's present then check it against
  * the attestation statement AAGUID.
  */
 export declare function validateExtFIDOGenCEAAGUID(certExtensions: Extensions | undefined, aaguid: Uint8Array): boolean;
+//# sourceMappingURL=validateExtFIDOGenCEAAGUID.d.ts.map

package/script/helpers/validateExtFIDOGenCEAAGUID.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validateExtFIDOGenCEAAGUID.d.ts","sourceRoot":"","sources":["../../src/helpers/validateExtFIDOGenCEAAGUID.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAWjD;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,cAAc,EAAE,UAAU,GAAG,SAAS,EACtC,MAAM,EAAE,UAAU,GACjB,OAAO,CA6BT"}

package/script/helpers/validateExtFIDOGenCEAAGUID.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.validateExtFIDOGenCEAAGUID = void 0;
-const deps_js_1 = require("../deps.js");
+exports.validateExtFIDOGenCEAAGUID = validateExtFIDOGenCEAAGUID;
+const asn1_schema_1 = require("@peculiar/asn1-schema");
 const index_js_1 = require("./iso/index.js");
 /**
  * Attestation Certificate Extension OID: `id-fido-gen-ce-aaguid`
@@ -24,7 +24,7 @@ function validateExtFIDOGenCEAAGUID(certExtensions, aaguid) {
         return true;
     }
     // Parse the extension value
-    const parsedExtFIDOGenCEAAGUID = deps_js_1.AsnParser.parse(extFIDOGenCEAAGUID.extnValue, deps_js_1.OctetString);
+    const parsedExtFIDOGenCEAAGUID = asn1_schema_1.AsnParser.parse(extFIDOGenCEAAGUID.extnValue, asn1_schema_1.OctetString);
     const extValue = new Uint8Array(parsedExtFIDOGenCEAAGUID.buffer);
     // Compare the two values
     const aaguidAndExtAreEqual = index_js_1.isoUint8Array.areEqual(aaguid, extValue);
@@ -35,4 +35,3 @@ function validateExtFIDOGenCEAAGUID(certExtensions, aaguid) {
     }
     return true;
 }
-exports.validateExtFIDOGenCEAAGUID = validateExtFIDOGenCEAAGUID;

package/script/helpers/verifySignature.d.ts

@@ -9,6 +9,11 @@ export declare function verifySignature(opts: {
     x509Certificate?: Uint8Array;
     hashAlgorithm?: COSEALG;
 }): Promise<boolean>;
+/**
+ * Make it possible to stub the return value during testing
+ * @ignore Don't include this in docs output
+ */
 export declare const _verifySignatureInternals: {
     stubThis: (value: Promise<boolean>) => Promise<boolean>;
 };
+//# sourceMappingURL=verifySignature.d.ts.map

package/script/helpers/verifySignature.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifySignature.d.ts","sourceRoot":"","sources":["../../src/helpers/verifySignature.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAiB,MAAM,WAAW,CAAC;AAKnD;;GAEG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE;IACpC,SAAS,EAAE,UAAU,CAAC;IACtB,IAAI,EAAE,UAAU,CAAC;IACjB,mBAAmB,CAAC,EAAE,UAAU,CAAC;IACjC,eAAe,CAAC,EAAE,UAAU,CAAC;IAC7B,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB,GAAG,OAAO,CAAC,OAAO,CAAC,CAmCnB;AAED;;;GAGG;AACH,eAAO,MAAM,yBAAyB;sBAClB,OAAO,CAAC,OAAO,CAAC;CACnC,CAAC"}

package/script/helpers/verifySignature.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports._verifySignatureInternals = exports.verifySignature = void 0;
+exports._verifySignatureInternals = void 0;
+exports.verifySignature = verifySignature;
 const index_js_1 = require("./iso/index.js");
 const decodeCredentialPublicKey_js_1 = require("./decodeCredentialPublicKey.js");
 const convertX509PublicKeyToCOSE_js_1 = require("./convertX509PublicKeyToCOSE.js");
@@ -29,8 +30,10 @@ function verifySignature(opts) {
         shaHashOverride: hashAlgorithm,
     }));
 }
-exports.verifySignature = verifySignature;
-// Make it possible to stub the return value during testing
+/**
+ * Make it possible to stub the return value during testing
+ * @ignore Don't include this in docs output
+ */
 exports._verifySignatureInternals = {
     stubThis: (value) => value,
 };

package/script/index.d.ts

@@ -1,17 +1,9 @@
-/**
- * @packageDocumentation
- * @module @simplewebauthn/server
- */
-import { generateRegistrationOptions } from './registration/generateRegistrationOptions.js';
-import { verifyRegistrationResponse } from './registration/verifyRegistrationResponse.js';
-import { generateAuthenticationOptions } from './authentication/generateAuthenticationOptions.js';
-import { verifyAuthenticationResponse } from './authentication/verifyAuthenticationResponse.js';
-import { MetadataService } from './services/metadataService.js';
-import { SettingsService } from './services/settingsService.js';
-export { generateAuthenticationOptions, generateRegistrationOptions, MetadataService, SettingsService, verifyAuthenticationResponse, verifyRegistrationResponse, };
-import type { GenerateRegistrationOptionsOpts } from './registration/generateRegistrationOptions.js';
-import type { GenerateAuthenticationOptionsOpts } from './authentication/generateAuthenticationOptions.js';
-import type { MetadataStatement } from './metadata/mdsTypes.js';
-import type { VerifiedRegistrationResponse, VerifyRegistrationResponseOpts } from './registration/verifyRegistrationResponse.js';
-import type { VerifiedAuthenticationResponse, VerifyAuthenticationResponseOpts } from './authentication/verifyAuthenticationResponse.js';
-export type { GenerateAuthenticationOptionsOpts, GenerateRegistrationOptionsOpts, MetadataStatement, VerifiedAuthenticationResponse, VerifiedRegistrationResponse, VerifyAuthenticationResponseOpts, VerifyRegistrationResponseOpts, };
+export * from './registration/generateRegistrationOptions.js';
+export * from './registration/verifyRegistrationResponse.js';
+export * from './authentication/generateAuthenticationOptions.js';
+export * from './authentication/verifyAuthenticationResponse.js';
+export * from './services/metadataService.js';
+export * from './services/settingsService.js';
+export * from './metadata/mdsTypes.js';
+export * from './types/index.js';
+//# sourceMappingURL=index.d.ts.map

package/script/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,+CAA+C,CAAC;AAC9D,cAAc,8CAA8C,CAAC;AAC7D,cAAc,mDAAmD,CAAC;AAClE,cAAc,kDAAkD,CAAC;AACjE,cAAc,+BAA+B,CAAC;AAC9C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,wBAAwB,CAAC;AACvC,cAAc,kBAAkB,CAAC"}

package/script/index.js

@@ -1,19 +1,24 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.verifyRegistrationResponse = exports.verifyAuthenticationResponse = exports.SettingsService = exports.MetadataService = exports.generateRegistrationOptions = exports.generateAuthenticationOptions = void 0;
-/**
- * @packageDocumentation
- * @module @simplewebauthn/server
- */
-const generateRegistrationOptions_js_1 = require("./registration/generateRegistrationOptions.js");
-Object.defineProperty(exports, "generateRegistrationOptions", { enumerable: true, get: function () { return generateRegistrationOptions_js_1.generateRegistrationOptions; } });
-const verifyRegistrationResponse_js_1 = require("./registration/verifyRegistrationResponse.js");
-Object.defineProperty(exports, "verifyRegistrationResponse", { enumerable: true, get: function () { return verifyRegistrationResponse_js_1.verifyRegistrationResponse; } });
-const generateAuthenticationOptions_js_1 = require("./authentication/generateAuthenticationOptions.js");
-Object.defineProperty(exports, "generateAuthenticationOptions", { enumerable: true, get: function () { return generateAuthenticationOptions_js_1.generateAuthenticationOptions; } });
-const verifyAuthenticationResponse_js_1 = require("./authentication/verifyAuthenticationResponse.js");
-Object.defineProperty(exports, "verifyAuthenticationResponse", { enumerable: true, get: function () { return verifyAuthenticationResponse_js_1.verifyAuthenticationResponse; } });
-const metadataService_js_1 = require("./services/metadataService.js");
-Object.defineProperty(exports, "MetadataService", { enumerable: true, get: function () { return metadataService_js_1.MetadataService; } });
-const settingsService_js_1 = require("./services/settingsService.js");
-Object.defineProperty(exports, "SettingsService", { enumerable: true, get: function () { return settingsService_js_1.SettingsService; } });
+__exportStar(require("./registration/generateRegistrationOptions.js"), exports);
+__exportStar(require("./registration/verifyRegistrationResponse.js"), exports);
+__exportStar(require("./authentication/generateAuthenticationOptions.js"), exports);
+__exportStar(require("./authentication/verifyAuthenticationResponse.js"), exports);
+__exportStar(require("./services/metadataService.js"), exports);
+__exportStar(require("./services/settingsService.js"), exports);
+__exportStar(require("./metadata/mdsTypes.js"), exports);
+__exportStar(require("./types/index.js"), exports);