@simplewebauthn/server 13.0.0 → 13.1.1

package/esm/helpers/fetch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"fetch.d.ts","sourceRoot":"","sources":["../../src/helpers/fetch.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,wBAAgB,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAEpD;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe;oBACV,MAAM;CACvB,CAAC"}
+{"version":3,"file":"fetch.d.ts","sourceRoot":"","sources":["../../src/helpers/fetch.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,wBAAgB,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAEpD;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe;oBACV,MAAM;CACvB,CAAC"}

package/esm/helpers/fetch.js

@@ -1,4 +1,3 @@
-import { fetch as crossFetch } from 'cross-fetch';
 /**
  * A simple method for requesting data via standard `fetch`. Should work
  * across multiple runtimes.
@@ -11,5 +10,5 @@ export function fetch(url) {
  * @ignore Don't include this in docs output
  */
 export const _fetchInternals = {
-    stubThis: (url) => crossFetch(url),
+    stubThis: (url) => globalThis.fetch(url),
 };

package/esm/helpers/iso/isoCrypto/getWebCrypto.d.ts

@@ -8,7 +8,7 @@ export declare class MissingWebCrypto extends Error {
     constructor();
 }
 export declare const _getWebCryptoInternals: {
-    stubThisGlobalThisCrypto: () => globalThis.Crypto;
+    stubThisGlobalThisCrypto: () => import("crypto").webcrypto.Crypto;
     setCachedCrypto: (newCrypto: Crypto | undefined) => void;
 };
 //# sourceMappingURL=getWebCrypto.d.ts.map

package/esm/registration/verifications/tpm/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/constants.ts"],"names":[],"mappings":"AACA;;;;;;;;GAQG;AAEH;;GAEG;AACH,eAAO,MAAM,MAAM,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAkB3C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,OAAO,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAsC5C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAUlD,CAAC;AAEF,KAAK,gBAAgB,GAAG;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;CACZ,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAAA;CAiFhE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAM/D,CAAC"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/constants.ts"],"names":[],"mappings":"AACA;;;;;;;;GAQG;AAEH;;GAEG;AACH,eAAO,MAAM,MAAM,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAkB3C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,OAAO,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAsC5C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAUlD,CAAC;AAEF,KAAK,gBAAgB,GAAG;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;CACZ,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAAA;CAgChE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAM/D,CAAC"}

package/esm/registration/verifications/tpm/constants.js

@@ -93,86 +93,37 @@ export const TPM_ECC_CURVE = {
  * https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-Vendor-ID-Registry-Version-1.02-Revision-1.00.pdf
  */
 export const TPM_MANUFACTURERS = {
-    'id:414D4400': {
-        name: 'AMD',
-        id: 'AMD',
-    },
-    'id:41544D4C': {
-        name: 'Atmel',
-        id: 'ATML',
-    },
-    'id:4252434D': {
-        name: 'Broadcom',
-        id: 'BRCM',
-    },
-    'id:49424d00': {
-        name: 'IBM',
-        id: 'IBM',
-    },
-    'id:49424D00': {
-        name: 'IBM',
-        id: 'IBM',
-    },
-    'id:49465800': {
-        name: 'Infineon',
-        id: 'IFX',
-    },
-    'id:494E5443': {
-        name: 'Intel',
-        id: 'INTC',
-    },
-    'id:4C454E00': {
-        name: 'Lenovo',
-        id: 'LEN',
-    },
-    'id:4E534D20': {
-        name: 'National Semiconductor',
-        id: 'NSM',
-    },
-    'id:4E545A00': {
-        name: 'Nationz',
-        id: 'NTZ',
-    },
-    'id:4E544300': {
-        name: 'Nuvoton Technology',
-        id: 'NTC',
-    },
-    'id:51434F4D': {
-        name: 'Qualcomm',
-        id: 'QCOM',
-    },
-    'id:534D5343': {
-        name: 'SMSC',
-        id: 'SMSC',
-    },
-    'id:53544D20': {
-        name: 'ST Microelectronics',
-        id: 'STM',
-    },
-    'id:534D534E': {
-        name: 'Samsung',
-        id: 'SMSN',
-    },
-    'id:534E5300': {
-        name: 'Sinosun',
-        id: 'SNS',
-    },
-    'id:54584E00': {
-        name: 'Texas Instruments',
-        id: 'TXN',
-    },
-    'id:57454300': {
-        name: 'Winbond',
-        id: 'WEC',
-    },
-    'id:524F4343': {
-        name: 'Fuzhouk Rockchip',
-        id: 'ROCC',
-    },
-    'id:FFFFF1D0': {
-        name: 'FIDO Alliance',
-        id: 'FIDO',
-    },
+    'id:414D4400': { name: 'AMD', id: 'AMD' },
+    'id:414E5400': { name: 'Ant Group', id: 'ANT' },
+    'id:41544D4C': { name: 'Atmel', id: 'ATML' },
+    'id:4252434D': { name: 'Broadcom', id: 'BRCM' },
+    'id:4353434F': { name: 'Cisco', id: 'CSCO' },
+    'id:464C5953': { name: 'Flyslice Technologies', id: 'FLYS' },
+    'id:524F4343': { name: 'Fuzhou Rockchip', id: 'ROCC' },
+    'id:474F4F47': { name: 'Google', id: 'GOOG' },
+    'id:48504900': { name: 'HPI', id: 'HPI' },
+    'id:48504500': { name: 'HPE', id: 'HPE' },
+    'id:48495349': { name: 'Huawei', id: 'HISI' },
+    'id:49424d00': { name: 'IBM', id: 'IBM' },
+    'id:49424D00': { name: 'IBM', id: 'IBM' }, // Same ID for IBM as above, except the "D" is capitalized as per TPM spec
+    'id:49465800': { name: 'Infineon', id: 'IFX' },
+    'id:494E5443': { name: 'Intel', id: 'INTC' },
+    'id:4C454E00': { name: 'Lenovo', id: 'LEN' },
+    'id:4D534654': { name: 'Microsoft', id: 'MSFT' },
+    'id:4E534D20': { name: 'National Semiconductor', id: 'NSM' },
+    'id:4E545A00': { name: 'Nationz', id: 'NTZ' },
+    'id:4E534700': { name: 'NSING', id: 'NSG' },
+    'id:4E544300': { name: 'Nuvoton Technology', id: 'NTC' },
+    'id:51434F4D': { name: 'Qualcomm', id: 'QCOM' },
+    'id:534D534E': { name: 'Samsung', id: 'SMSN' },
+    'id:53454345': { name: 'SecEdge', id: 'SECE' },
+    'id:534E5300': { name: 'Sinosun', id: 'SNS' },
+    'id:534D5343': { name: 'SMSC', id: 'SMSC' },
+    'id:53544D20': { name: 'STMicroelectronics', id: 'STM' },
+    'id:54584E00': { name: 'Texas Instruments', id: 'TXN' },
+    'id:57454300': { name: 'Winbond', id: 'WEC' },
+    'id:5345414C': { name: 'Wisekey', id: 'SEAL' },
+    'id:FFFFF1D0': { name: 'FIDO Alliance', id: 'FIDO' }, // FIDO Conformance
 };
 /**
  * Match TPM public area curve ID's to `crv` numbers used in COSE public keys

package/esm/registration/verifications/verifyAttestationAndroidKey.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verifyAttestationAndroidKey.d.ts","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAttestationAndroidKey.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,kCAAkC,CAAC;AAUtF;;GAEG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC,OAAO,CAAC,CA+HlB"}
+{"version":3,"file":"verifyAttestationAndroidKey.d.ts","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAttestationAndroidKey.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,kCAAkC,CAAC;AAUtF;;GAEG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC,OAAO,CAAC,CA0JlB"}

package/esm/registration/verifications/verifyAttestationAndroidKey.js

@@ -18,44 +18,55 @@ export async function verifyAttestationAndroidKey(options) {
     const sig = attStmt.get('sig');
     const alg = attStmt.get('alg');
     if (!x5c) {
-        throw new Error('No attestation certificate provided in attestation statement (AndroidKey)');
+        throw new Error('No attestation certificate provided in attestation statement (Android Key)');
     }
     if (!sig) {
-        throw new Error('No attestation signature provided in attestation statement (AndroidKey)');
+        throw new Error('No attestation signature provided in attestation statement (Android Key)');
     }
     if (!alg) {
-        throw new Error(`Attestation statement did not contain alg (AndroidKey)`);
+        throw new Error(`Attestation statement did not contain alg (Android Key)`);
     }
     if (!isCOSEAlg(alg)) {
-        throw new Error(`Attestation statement contained invalid alg ${alg} (AndroidKey)`);
+        throw new Error(`Attestation statement contained invalid alg ${alg} (Android Key)`);
     }
-    // Check that credentialPublicKey matches the public key in the attestation certificate
+    /**
+     * Verify that the public key in the first certificate in x5c matches the credentialPublicKey in
+     * the attestedCredentialData in authenticatorData.
+     */
     // Find the public cert in the certificate as PKCS
     const parsedCert = AsnParser.parse(x5c[0], Certificate);
     const parsedCertPubKey = new Uint8Array(parsedCert.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey);
     // Convert the credentialPublicKey to PKCS
     const credPubKeyPKCS = convertCOSEtoPKCS(credentialPublicKey);
     if (!isoUint8Array.areEqual(credPubKeyPKCS, parsedCertPubKey)) {
-        throw new Error('Credential public key does not equal leaf cert public key (AndroidKey)');
+        throw new Error('Credential public key does not equal leaf cert public key (Android Key)');
     }
+    /**
+     * Verify that the attestationChallenge field in the attestation certificate extension data is
+     * identical to clientDataHash.
+     */
     // Find Android KeyStore Extension in certificate extensions
     const extKeyStore = parsedCert.tbsCertificate.extensions?.find((ext) => ext.extnID === id_ce_keyDescription);
     if (!extKeyStore) {
-        throw new Error('Certificate did not contain extKeyStore (AndroidKey)');
+        throw new Error('Certificate did not contain extKeyStore (Android Key)');
     }
     const parsedExtKeyStore = AsnParser.parse(extKeyStore.extnValue, KeyDescription);
     // Verify extKeyStore values
     const { attestationChallenge, teeEnforced, softwareEnforced } = parsedExtKeyStore;
     if (!isoUint8Array.areEqual(new Uint8Array(attestationChallenge.buffer), clientDataHash)) {
-        throw new Error('Attestation challenge was not equal to client data hash (AndroidKey)');
+        throw new Error('Attestation challenge was not equal to client data hash (Android Key)');
     }
-    // Ensure that the key is strictly bound to the caller app identifier (shouldn't contain the
-    // [600] tag)
+    /**
+     * The AuthorizationList.allApplications field is not present on either authorization list
+     * (softwareEnforced nor teeEnforced), since PublicKeyCredential MUST be scoped to the RP ID.
+     *
+     * (i.e. These shouldn't contain the [600] tag)
+     */
     if (teeEnforced.allApplications !== undefined) {
-        throw new Error('teeEnforced contained "allApplications [600]" tag (AndroidKey)');
+        throw new Error('teeEnforced contained "allApplications [600]" tag (Android Key)');
     }
     if (softwareEnforced.allApplications !== undefined) {
-        throw new Error('teeEnforced contained "allApplications [600]" tag (AndroidKey)');
+        throw new Error('teeEnforced contained "allApplications [600]" tag (Android Key)');
     }
     const statement = await MetadataService.getStatement(aaguid);
     if (statement) {
@@ -69,19 +80,36 @@ export async function verifyAttestationAndroidKey(options) {
         }
         catch (err) {
             const _err = err;
-            throw new Error(`${_err.message} (AndroidKey)`);
+            throw new Error(`${_err.message} (Android Key)`);
         }
     }
     else {
+        /**
+         * Verify that x5c contains a full certificate path.
+         */
+        const x5cNoRootPEM = x5c.slice(0, -1).map(convertCertBufferToPEM);
+        const x5cRootPEM = x5c.slice(-1).map(convertCertBufferToPEM);
         try {
-            // Try validating the certificate path using the root certificates set via SettingsService
-            await validateCertificatePath(x5c.map(convertCertBufferToPEM), rootCertificates);
+            await validateCertificatePath(x5cNoRootPEM, x5cRootPEM);
         }
         catch (err) {
             const _err = err;
-            throw new Error(`${_err.message} (AndroidKey)`);
+            throw new Error(`${_err.message} (Android Key)`);
+        }
+        /**
+         * Make sure the root certificate is one of the Google Hardware Attestation Root certificates
+         *
+         * https://developer.android.com/privacy-and-security/security-key-attestation#root_certificate
+         */
+        if (rootCertificates.length > 0 && rootCertificates.indexOf(x5cRootPEM[0]) < 0) {
+            throw new Error('x5c root certificate was not a known root certificate (Android Key)');
         }
     }
+    /**
+     * Verify that sig is a valid signature over the concatenation of authenticatorData and
+     * clientDataHash using the public key in the first certificate in x5c with the algorithm
+     * specified in alg.
+     */
     const signatureBase = isoUint8Array.concat([authData, clientDataHash]);
     return verifySignature({
         signature: sig,

package/esm/services/defaultRootCerts/android-key.d.ts

@@ -22,4 +22,28 @@ export declare const Google_Hardware_Attestation_Root_1 = "-----BEGIN CERTIFICAT
  * 1E:F1:A0:4B:8B:A5:8A:B9:45:89:AC:49:8C:89:82:A7:83:F2:4E:A7:30:7E:01:59:A0:C3:A7:3B:37:7D:87:CC
  */
 export declare const Google_Hardware_Attestation_Root_2 = "-----BEGIN CERTIFICATE-----\nMIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\nBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAz\nNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B\nAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS\nSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7\ntv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj\nnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq\nC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ\noVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O\nJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg\nsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi\nigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M\nRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E\naDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um\nAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1Ud\nIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYD\nVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnu\nXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83U\nh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cno\nL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2ok\nQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vA\nD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAI\nmMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoW\nFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91\noeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09o\njm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUB\nZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCH\nex0SdDrx+tWUDqG8At2JHA==\n-----END CERTIFICATE-----\n";
+/**
+ * Google Hardware Attestation Root 3
+ *
+ * Downloaded from https://developer.android.com/training/articles/security-key-attestation#root_certificate
+ * (third entry)
+ *
+ * Valid until 2036-11-13 @ 15:10 PST
+ *
+ * SHA256 Fingerprint
+ * AB:66:41:17:8A:36:E1:79:AA:0C:1C:DD:DF:9A:16:EB:45:FA:20:94:3E:2B:8C:D7:C7:C0:5C:26:CF:8B:48:7A
+ */
+export declare const Google_Hardware_Attestation_Root_3 = "\n-----BEGIN CERTIFICATE-----\nMIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\nBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMx\nMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B\nAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS\nSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7\ntv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj\nnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq\nC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ\noVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O\nJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg\nsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi\nigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M\nRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E\naDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um\nAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1Ud\nIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYD\nVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTG\nzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan\n63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/T\nQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJ\nerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiL\nZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a\n0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH\n7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0b\nHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7w\nlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2\nOb3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7\nmD/vFDkzF+wm7cyWpQpCVQ==\n-----END CERTIFICATE-----\n";
+/**
+ * Google Hardware Attestation Root 4
+ *
+ * Downloaded from https://developer.android.com/training/articles/security-key-attestation#root_certificate
+ * (fourth entry)
+ *
+ * Valid until 2042-03-15 @ 11:07 PDT
+ *
+ * SHA256 Fingerprint
+ * CE:DB:1C:B6:DC:89:6A:E5:EC:79:73:48:BC:E9:28:67:53:C2:B3:8E:E7:1C:E0:FB:E3:4A:9A:12:48:80:0D:FC
+ */
+export declare const Google_Hardware_Attestation_Root_4 = "\n-----BEGIN CERTIFICATE-----\nMIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\nBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgw\nNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B\nAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS\nSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7\ntv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj\nnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq\nC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ\noVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O\nJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg\nsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi\nigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M\nRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E\naDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um\nAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1Ud\nIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYD\nVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7\n174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGIC\nW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2G\ntkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkx\noSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG\n1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mF\nmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPz\nlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVw\nn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1Eu\nzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHo\nvaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHn\nw1IdYIg2Wxg7yHcQZemFQg==\n-----END CERTIFICATE-----\n";
 //# sourceMappingURL=android-key.d.ts.map

package/esm/services/defaultRootCerts/android-key.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"android-key.d.ts","sourceRoot":"","sources":["../../../src/services/defaultRootCerts/android-key.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,u6DA+B9C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,60DA8B9C,CAAC"}
+{"version":3,"file":"android-key.d.ts","sourceRoot":"","sources":["../../../src/services/defaultRootCerts/android-key.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,u6DA+B9C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,60DA8B9C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,+0DA+B9C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,+0DA+B9C,CAAC"}

package/esm/services/defaultRootCerts/android-key.js

@@ -83,3 +83,89 @@ ZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCH
 ex0SdDrx+tWUDqG8At2JHA==
 -----END CERTIFICATE-----
 `;
+/**
+ * Google Hardware Attestation Root 3
+ *
+ * Downloaded from https://developer.android.com/training/articles/security-key-attestation#root_certificate
+ * (third entry)
+ *
+ * Valid until 2036-11-13 @ 15:10 PST
+ *
+ * SHA256 Fingerprint
+ * AB:66:41:17:8A:36:E1:79:AA:0C:1C:DD:DF:9A:16:EB:45:FA:20:94:3E:2B:8C:D7:C7:C0:5C:26:CF:8B:48:7A
+ */
+export const Google_Hardware_Attestation_Root_3 = `
+-----BEGIN CERTIFICATE-----
+MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
+BAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMx
+MDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS
+Sxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7
+tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj
+nar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq
+C4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ
+oVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O
+JtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg
+sTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi
+igHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M
+RPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E
+aDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um
+AGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1Ud
+IwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYD
+VR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTG
+zWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan
+63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/T
+QH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJ
+erGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiL
+Zez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a
+0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH
+7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0b
+HQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7w
+lZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2
+Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7
+mD/vFDkzF+wm7cyWpQpCVQ==
+-----END CERTIFICATE-----
+`;
+/**
+ * Google Hardware Attestation Root 4
+ *
+ * Downloaded from https://developer.android.com/training/articles/security-key-attestation#root_certificate
+ * (fourth entry)
+ *
+ * Valid until 2042-03-15 @ 11:07 PDT
+ *
+ * SHA256 Fingerprint
+ * CE:DB:1C:B6:DC:89:6A:E5:EC:79:73:48:BC:E9:28:67:53:C2:B3:8E:E7:1C:E0:FB:E3:4A:9A:12:48:80:0D:FC
+ */
+export const Google_Hardware_Attestation_Root_4 = `
+-----BEGIN CERTIFICATE-----
+MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
+BAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgw
+NzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS
+Sxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7
+tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj
+nar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq
+C4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ
+oVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O
+JtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg
+sTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi
+igHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M
+RPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E
+aDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um
+AGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1Ud
+IwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYD
+VR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7
+174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGIC
+W/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2G
+tkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkx
+oSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG
+1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mF
+mr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPz
+lHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVw
+n6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1Eu
+zbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHo
+vaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHn
+w1IdYIg2Wxg7yHcQZemFQg==
+-----END CERTIFICATE-----
+`;

package/esm/services/settingsService.d.ts

@@ -1,4 +1,4 @@
-import { AttestationFormat } from '../helpers/decodeAttestationObject.js';
+import type { AttestationFormat } from '../helpers/decodeAttestationObject.js';
 export type RootCertIdentifier = AttestationFormat | 'mds';
 interface SettingsService {
     /**

package/esm/services/settingsService.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"settingsService.d.ts","sourceRoot":"","sources":["../../src/services/settingsService.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uCAAuC,CAAC;AAW1E,MAAM,MAAM,kBAAkB,GAAG,iBAAiB,GAAG,KAAK,CAAC;AAE3D,UAAU,eAAe;IACvB;;;;;;OAMG;IACH,mBAAmB,CAAC,IAAI,EAAE;QACxB,UAAU,EAAE,kBAAkB,CAAC;QAC/B,YAAY,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,EAAE,CAAC;KACvC,GAAG,IAAI,CAAC;IAET;;OAEG;IACH,mBAAmB,CAAC,IAAI,EAAE;QAAE,UAAU,EAAE,kBAAkB,CAAA;KAAE,GAAG,MAAM,EAAE,CAAC;CACzE;AAkCD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,EAAE,eAA2C,CAAC"}
+{"version":3,"file":"settingsService.d.ts","sourceRoot":"","sources":["../../src/services/settingsService.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uCAAuC,CAAC;AAa/E,MAAM,MAAM,kBAAkB,GAAG,iBAAiB,GAAG,KAAK,CAAC;AAE3D,UAAU,eAAe;IACvB;;;;;;OAMG;IACH,mBAAmB,CAAC,IAAI,EAAE;QACxB,UAAU,EAAE,kBAAkB,CAAC;QAC/B,YAAY,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,EAAE,CAAC;KACvC,GAAG,IAAI,CAAC;IAET;;OAEG;IACH,mBAAmB,CAAC,IAAI,EAAE;QAAE,UAAU,EAAE,kBAAkB,CAAA;KAAE,GAAG,MAAM,EAAE,CAAC;CACzE;AAkCD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,EAAE,eAA2C,CAAC"}

package/esm/services/settingsService.js

@@ -1,6 +1,6 @@
 import { convertCertBufferToPEM } from '../helpers/convertCertBufferToPEM.js';
 import { GlobalSign_Root_CA } from './defaultRootCerts/android-safetynet.js';
-import { Google_Hardware_Attestation_Root_1, Google_Hardware_Attestation_Root_2, } from './defaultRootCerts/android-key.js';
+import { Google_Hardware_Attestation_Root_1, Google_Hardware_Attestation_Root_2, Google_Hardware_Attestation_Root_3, Google_Hardware_Attestation_Root_4, } from './defaultRootCerts/android-key.js';
 import { Apple_WebAuthn_Root_CA } from './defaultRootCerts/apple.js';
 import { GlobalSign_Root_CA_R3 } from './defaultRootCerts/mds.js';
 class BaseSettingsService {
@@ -53,6 +53,8 @@ SettingsService.setRootCertificates({
     certificates: [
         Google_Hardware_Attestation_Root_1,
         Google_Hardware_Attestation_Root_2,
+        Google_Hardware_Attestation_Root_3,
+        Google_Hardware_Attestation_Root_4,
     ],
 });
 SettingsService.setRootCertificates({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@simplewebauthn/server",
-  "version": "13.0.0",
+  "version": "13.1.1",
   "description": "SimpleWebAuthn for Servers",
   "keywords": [
     "typescript",
@@ -55,8 +55,7 @@
     "@peculiar/asn1-ecc": "^2.3.8",
     "@peculiar/asn1-rsa": "^2.3.8",
     "@peculiar/asn1-schema": "^2.3.8",
-    "@peculiar/asn1-x509": "^2.3.8",
-    "cross-fetch": "^4.0.0"
+    "@peculiar/asn1-x509": "^2.3.8"
   },
   "devDependencies": {
     "@types/node": "^20.9.0"

package/script/helpers/fetch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"fetch.d.ts","sourceRoot":"","sources":["../../src/helpers/fetch.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,wBAAgB,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAEpD;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe;oBACV,MAAM;CACvB,CAAC"}
+{"version":3,"file":"fetch.d.ts","sourceRoot":"","sources":["../../src/helpers/fetch.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,wBAAgB,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAEpD;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe;oBACV,MAAM;CACvB,CAAC"}

package/script/helpers/fetch.js

@@ -2,7 +2,6 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports._fetchInternals = void 0;
 exports.fetch = fetch;
-const cross_fetch_1 = require("cross-fetch");
 /**
  * A simple method for requesting data via standard `fetch`. Should work
  * across multiple runtimes.
@@ -15,5 +14,5 @@ function fetch(url) {
  * @ignore Don't include this in docs output
  */
 exports._fetchInternals = {
-    stubThis: (url) => (0, cross_fetch_1.fetch)(url),
+    stubThis: (url) => globalThis.fetch(url),
 };

package/script/helpers/iso/isoCrypto/getWebCrypto.d.ts

@@ -8,7 +8,7 @@ export declare class MissingWebCrypto extends Error {
     constructor();
 }
 export declare const _getWebCryptoInternals: {
-    stubThisGlobalThisCrypto: () => globalThis.Crypto;
+    stubThisGlobalThisCrypto: () => import("crypto").webcrypto.Crypto;
     setCachedCrypto: (newCrypto: Crypto | undefined) => void;
 };
 //# sourceMappingURL=getWebCrypto.d.ts.map

package/script/registration/verifications/tpm/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/constants.ts"],"names":[],"mappings":"AACA;;;;;;;;GAQG;AAEH;;GAEG;AACH,eAAO,MAAM,MAAM,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAkB3C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,OAAO,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAsC5C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAUlD,CAAC;AAEF,KAAK,gBAAgB,GAAG;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;CACZ,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAAA;CAiFhE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAM/D,CAAC"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/constants.ts"],"names":[],"mappings":"AACA;;;;;;;;GAQG;AAEH;;GAEG;AACH,eAAO,MAAM,MAAM,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAkB3C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,OAAO,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAsC5C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAUlD,CAAC;AAEF,KAAK,gBAAgB,GAAG;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;CACZ,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAAA;CAgChE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B,EAAE;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAM/D,CAAC"}

package/script/registration/verifications/tpm/constants.js

@@ -96,86 +96,37 @@ exports.TPM_ECC_CURVE = {
  * https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-Vendor-ID-Registry-Version-1.02-Revision-1.00.pdf
  */
 exports.TPM_MANUFACTURERS = {
-    'id:414D4400': {
-        name: 'AMD',
-        id: 'AMD',
-    },
-    'id:41544D4C': {
-        name: 'Atmel',
-        id: 'ATML',
-    },
-    'id:4252434D': {
-        name: 'Broadcom',
-        id: 'BRCM',
-    },
-    'id:49424d00': {
-        name: 'IBM',
-        id: 'IBM',
-    },
-    'id:49424D00': {
-        name: 'IBM',
-        id: 'IBM',
-    },
-    'id:49465800': {
-        name: 'Infineon',
-        id: 'IFX',
-    },
-    'id:494E5443': {
-        name: 'Intel',
-        id: 'INTC',
-    },
-    'id:4C454E00': {
-        name: 'Lenovo',
-        id: 'LEN',
-    },
-    'id:4E534D20': {
-        name: 'National Semiconductor',
-        id: 'NSM',
-    },
-    'id:4E545A00': {
-        name: 'Nationz',
-        id: 'NTZ',
-    },
-    'id:4E544300': {
-        name: 'Nuvoton Technology',
-        id: 'NTC',
-    },
-    'id:51434F4D': {
-        name: 'Qualcomm',
-        id: 'QCOM',
-    },
-    'id:534D5343': {
-        name: 'SMSC',
-        id: 'SMSC',
-    },
-    'id:53544D20': {
-        name: 'ST Microelectronics',
-        id: 'STM',
-    },
-    'id:534D534E': {
-        name: 'Samsung',
-        id: 'SMSN',
-    },
-    'id:534E5300': {
-        name: 'Sinosun',
-        id: 'SNS',
-    },
-    'id:54584E00': {
-        name: 'Texas Instruments',
-        id: 'TXN',
-    },
-    'id:57454300': {
-        name: 'Winbond',
-        id: 'WEC',
-    },
-    'id:524F4343': {
-        name: 'Fuzhouk Rockchip',
-        id: 'ROCC',
-    },
-    'id:FFFFF1D0': {
-        name: 'FIDO Alliance',
-        id: 'FIDO',
-    },
+    'id:414D4400': { name: 'AMD', id: 'AMD' },
+    'id:414E5400': { name: 'Ant Group', id: 'ANT' },
+    'id:41544D4C': { name: 'Atmel', id: 'ATML' },
+    'id:4252434D': { name: 'Broadcom', id: 'BRCM' },
+    'id:4353434F': { name: 'Cisco', id: 'CSCO' },
+    'id:464C5953': { name: 'Flyslice Technologies', id: 'FLYS' },
+    'id:524F4343': { name: 'Fuzhou Rockchip', id: 'ROCC' },
+    'id:474F4F47': { name: 'Google', id: 'GOOG' },
+    'id:48504900': { name: 'HPI', id: 'HPI' },
+    'id:48504500': { name: 'HPE', id: 'HPE' },
+    'id:48495349': { name: 'Huawei', id: 'HISI' },
+    'id:49424d00': { name: 'IBM', id: 'IBM' },
+    'id:49424D00': { name: 'IBM', id: 'IBM' }, // Same ID for IBM as above, except the "D" is capitalized as per TPM spec
+    'id:49465800': { name: 'Infineon', id: 'IFX' },
+    'id:494E5443': { name: 'Intel', id: 'INTC' },
+    'id:4C454E00': { name: 'Lenovo', id: 'LEN' },
+    'id:4D534654': { name: 'Microsoft', id: 'MSFT' },
+    'id:4E534D20': { name: 'National Semiconductor', id: 'NSM' },
+    'id:4E545A00': { name: 'Nationz', id: 'NTZ' },
+    'id:4E534700': { name: 'NSING', id: 'NSG' },
+    'id:4E544300': { name: 'Nuvoton Technology', id: 'NTC' },
+    'id:51434F4D': { name: 'Qualcomm', id: 'QCOM' },
+    'id:534D534E': { name: 'Samsung', id: 'SMSN' },
+    'id:53454345': { name: 'SecEdge', id: 'SECE' },
+    'id:534E5300': { name: 'Sinosun', id: 'SNS' },
+    'id:534D5343': { name: 'SMSC', id: 'SMSC' },
+    'id:53544D20': { name: 'STMicroelectronics', id: 'STM' },
+    'id:54584E00': { name: 'Texas Instruments', id: 'TXN' },
+    'id:57454300': { name: 'Winbond', id: 'WEC' },
+    'id:5345414C': { name: 'Wisekey', id: 'SEAL' },
+    'id:FFFFF1D0': { name: 'FIDO Alliance', id: 'FIDO' }, // FIDO Conformance
 };
 /**
  * Match TPM public area curve ID's to `crv` numbers used in COSE public keys

package/script/registration/verifications/verifyAttestationAndroidKey.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verifyAttestationAndroidKey.d.ts","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAttestationAndroidKey.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,kCAAkC,CAAC;AAUtF;;GAEG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC,OAAO,CAAC,CA+HlB"}
+{"version":3,"file":"verifyAttestationAndroidKey.d.ts","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAttestationAndroidKey.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,kCAAkC,CAAC;AAUtF;;GAEG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC,OAAO,CAAC,CA0JlB"}

package/script/registration/verifications/verifyAttestationAndroidKey.js

@@ -21,44 +21,55 @@ async function verifyAttestationAndroidKey(options) {
     const sig = attStmt.get('sig');
     const alg = attStmt.get('alg');
     if (!x5c) {
-        throw new Error('No attestation certificate provided in attestation statement (AndroidKey)');
+        throw new Error('No attestation certificate provided in attestation statement (Android Key)');
     }
     if (!sig) {
-        throw new Error('No attestation signature provided in attestation statement (AndroidKey)');
+        throw new Error('No attestation signature provided in attestation statement (Android Key)');
     }
     if (!alg) {
-        throw new Error(`Attestation statement did not contain alg (AndroidKey)`);
+        throw new Error(`Attestation statement did not contain alg (Android Key)`);
     }
     if (!(0, cose_js_1.isCOSEAlg)(alg)) {
-        throw new Error(`Attestation statement contained invalid alg ${alg} (AndroidKey)`);
+        throw new Error(`Attestation statement contained invalid alg ${alg} (Android Key)`);
     }
-    // Check that credentialPublicKey matches the public key in the attestation certificate
+    /**
+     * Verify that the public key in the first certificate in x5c matches the credentialPublicKey in
+     * the attestedCredentialData in authenticatorData.
+     */
     // Find the public cert in the certificate as PKCS
     const parsedCert = asn1_schema_1.AsnParser.parse(x5c[0], asn1_x509_1.Certificate);
     const parsedCertPubKey = new Uint8Array(parsedCert.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey);
     // Convert the credentialPublicKey to PKCS
     const credPubKeyPKCS = (0, convertCOSEtoPKCS_js_1.convertCOSEtoPKCS)(credentialPublicKey);
     if (!index_js_1.isoUint8Array.areEqual(credPubKeyPKCS, parsedCertPubKey)) {
-        throw new Error('Credential public key does not equal leaf cert public key (AndroidKey)');
+        throw new Error('Credential public key does not equal leaf cert public key (Android Key)');
     }
+    /**
+     * Verify that the attestationChallenge field in the attestation certificate extension data is
+     * identical to clientDataHash.
+     */
     // Find Android KeyStore Extension in certificate extensions
     const extKeyStore = parsedCert.tbsCertificate.extensions?.find((ext) => ext.extnID === asn1_android_1.id_ce_keyDescription);
     if (!extKeyStore) {
-        throw new Error('Certificate did not contain extKeyStore (AndroidKey)');
+        throw new Error('Certificate did not contain extKeyStore (Android Key)');
     }
     const parsedExtKeyStore = asn1_schema_1.AsnParser.parse(extKeyStore.extnValue, asn1_android_1.KeyDescription);
     // Verify extKeyStore values
     const { attestationChallenge, teeEnforced, softwareEnforced } = parsedExtKeyStore;
     if (!index_js_1.isoUint8Array.areEqual(new Uint8Array(attestationChallenge.buffer), clientDataHash)) {
-        throw new Error('Attestation challenge was not equal to client data hash (AndroidKey)');
+        throw new Error('Attestation challenge was not equal to client data hash (Android Key)');
     }
-    // Ensure that the key is strictly bound to the caller app identifier (shouldn't contain the
-    // [600] tag)
+    /**
+     * The AuthorizationList.allApplications field is not present on either authorization list
+     * (softwareEnforced nor teeEnforced), since PublicKeyCredential MUST be scoped to the RP ID.
+     *
+     * (i.e. These shouldn't contain the [600] tag)
+     */
     if (teeEnforced.allApplications !== undefined) {
-        throw new Error('teeEnforced contained "allApplications [600]" tag (AndroidKey)');
+        throw new Error('teeEnforced contained "allApplications [600]" tag (Android Key)');
     }
     if (softwareEnforced.allApplications !== undefined) {
-        throw new Error('teeEnforced contained "allApplications [600]" tag (AndroidKey)');
+        throw new Error('teeEnforced contained "allApplications [600]" tag (Android Key)');
     }
     const statement = await metadataService_js_1.MetadataService.getStatement(aaguid);
     if (statement) {
@@ -72,19 +83,36 @@ async function verifyAttestationAndroidKey(options) {
         }
         catch (err) {
             const _err = err;
-            throw new Error(`${_err.message} (AndroidKey)`);
+            throw new Error(`${_err.message} (Android Key)`);
         }
     }
     else {
+        /**
+         * Verify that x5c contains a full certificate path.
+         */
+        const x5cNoRootPEM = x5c.slice(0, -1).map(convertCertBufferToPEM_js_1.convertCertBufferToPEM);
+        const x5cRootPEM = x5c.slice(-1).map(convertCertBufferToPEM_js_1.convertCertBufferToPEM);
         try {
-            // Try validating the certificate path using the root certificates set via SettingsService
-            await (0, validateCertificatePath_js_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_js_1.convertCertBufferToPEM), rootCertificates);
+            await (0, validateCertificatePath_js_1.validateCertificatePath)(x5cNoRootPEM, x5cRootPEM);
         }
         catch (err) {
             const _err = err;
-            throw new Error(`${_err.message} (AndroidKey)`);
+            throw new Error(`${_err.message} (Android Key)`);
+        }
+        /**
+         * Make sure the root certificate is one of the Google Hardware Attestation Root certificates
+         *
+         * https://developer.android.com/privacy-and-security/security-key-attestation#root_certificate
+         */
+        if (rootCertificates.length > 0 && rootCertificates.indexOf(x5cRootPEM[0]) < 0) {
+            throw new Error('x5c root certificate was not a known root certificate (Android Key)');
         }
     }
+    /**
+     * Verify that sig is a valid signature over the concatenation of authenticatorData and
+     * clientDataHash using the public key in the first certificate in x5c with the algorithm
+     * specified in alg.
+     */
     const signatureBase = index_js_1.isoUint8Array.concat([authData, clientDataHash]);
     return (0, verifySignature_js_1.verifySignature)({
         signature: sig,

package/script/services/defaultRootCerts/android-key.d.ts

@@ -22,4 +22,28 @@ export declare const Google_Hardware_Attestation_Root_1 = "-----BEGIN CERTIFICAT
  * 1E:F1:A0:4B:8B:A5:8A:B9:45:89:AC:49:8C:89:82:A7:83:F2:4E:A7:30:7E:01:59:A0:C3:A7:3B:37:7D:87:CC
  */
 export declare const Google_Hardware_Attestation_Root_2 = "-----BEGIN CERTIFICATE-----\nMIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\nBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAz\nNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B\nAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS\nSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7\ntv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj\nnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq\nC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ\noVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O\nJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg\nsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi\nigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M\nRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E\naDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um\nAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1Ud\nIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYD\nVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnu\nXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83U\nh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cno\nL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2ok\nQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vA\nD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAI\nmMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoW\nFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91\noeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09o\njm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUB\nZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCH\nex0SdDrx+tWUDqG8At2JHA==\n-----END CERTIFICATE-----\n";
+/**
+ * Google Hardware Attestation Root 3
+ *
+ * Downloaded from https://developer.android.com/training/articles/security-key-attestation#root_certificate
+ * (third entry)
+ *
+ * Valid until 2036-11-13 @ 15:10 PST
+ *
+ * SHA256 Fingerprint
+ * AB:66:41:17:8A:36:E1:79:AA:0C:1C:DD:DF:9A:16:EB:45:FA:20:94:3E:2B:8C:D7:C7:C0:5C:26:CF:8B:48:7A
+ */
+export declare const Google_Hardware_Attestation_Root_3 = "\n-----BEGIN CERTIFICATE-----\nMIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\nBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMx\nMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B\nAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS\nSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7\ntv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj\nnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq\nC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ\noVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O\nJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg\nsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi\nigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M\nRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E\naDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um\nAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1Ud\nIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYD\nVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTG\nzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan\n63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/T\nQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJ\nerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiL\nZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a\n0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH\n7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0b\nHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7w\nlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2\nOb3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7\nmD/vFDkzF+wm7cyWpQpCVQ==\n-----END CERTIFICATE-----\n";
+/**
+ * Google Hardware Attestation Root 4
+ *
+ * Downloaded from https://developer.android.com/training/articles/security-key-attestation#root_certificate
+ * (fourth entry)
+ *
+ * Valid until 2042-03-15 @ 11:07 PDT
+ *
+ * SHA256 Fingerprint
+ * CE:DB:1C:B6:DC:89:6A:E5:EC:79:73:48:BC:E9:28:67:53:C2:B3:8E:E7:1C:E0:FB:E3:4A:9A:12:48:80:0D:FC
+ */
+export declare const Google_Hardware_Attestation_Root_4 = "\n-----BEGIN CERTIFICATE-----\nMIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\nBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgw\nNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B\nAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS\nSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7\ntv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj\nnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq\nC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ\noVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O\nJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg\nsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi\nigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M\nRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E\naDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um\nAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1Ud\nIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYD\nVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7\n174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGIC\nW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2G\ntkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkx\noSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG\n1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mF\nmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPz\nlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVw\nn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1Eu\nzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHo\nvaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHn\nw1IdYIg2Wxg7yHcQZemFQg==\n-----END CERTIFICATE-----\n";
 //# sourceMappingURL=android-key.d.ts.map

package/script/services/defaultRootCerts/android-key.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"android-key.d.ts","sourceRoot":"","sources":["../../../src/services/defaultRootCerts/android-key.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,u6DA+B9C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,60DA8B9C,CAAC"}
+{"version":3,"file":"android-key.d.ts","sourceRoot":"","sources":["../../../src/services/defaultRootCerts/android-key.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,u6DA+B9C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,60DA8B9C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,+0DA+B9C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,+0DA+B9C,CAAC"}

package/script/services/defaultRootCerts/android-key.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Google_Hardware_Attestation_Root_2 = exports.Google_Hardware_Attestation_Root_1 = void 0;
+exports.Google_Hardware_Attestation_Root_4 = exports.Google_Hardware_Attestation_Root_3 = exports.Google_Hardware_Attestation_Root_2 = exports.Google_Hardware_Attestation_Root_1 = void 0;
 /**
  * Google Hardware Attestation Root 1
  *
@@ -86,3 +86,89 @@ ZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCH
 ex0SdDrx+tWUDqG8At2JHA==
 -----END CERTIFICATE-----
 `;
+/**
+ * Google Hardware Attestation Root 3
+ *
+ * Downloaded from https://developer.android.com/training/articles/security-key-attestation#root_certificate
+ * (third entry)
+ *
+ * Valid until 2036-11-13 @ 15:10 PST
+ *
+ * SHA256 Fingerprint
+ * AB:66:41:17:8A:36:E1:79:AA:0C:1C:DD:DF:9A:16:EB:45:FA:20:94:3E:2B:8C:D7:C7:C0:5C:26:CF:8B:48:7A
+ */
+exports.Google_Hardware_Attestation_Root_3 = `
+-----BEGIN CERTIFICATE-----
+MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
+BAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMx
+MDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS
+Sxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7
+tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj
+nar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq
+C4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ
+oVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O
+JtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg
+sTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi
+igHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M
+RPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E
+aDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um
+AGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1Ud
+IwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYD
+VR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTG
+zWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan
+63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/T
+QH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJ
+erGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiL
+Zez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a
+0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH
+7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0b
+HQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7w
+lZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2
+Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7
+mD/vFDkzF+wm7cyWpQpCVQ==
+-----END CERTIFICATE-----
+`;
+/**
+ * Google Hardware Attestation Root 4
+ *
+ * Downloaded from https://developer.android.com/training/articles/security-key-attestation#root_certificate
+ * (fourth entry)
+ *
+ * Valid until 2042-03-15 @ 11:07 PDT
+ *
+ * SHA256 Fingerprint
+ * CE:DB:1C:B6:DC:89:6A:E5:EC:79:73:48:BC:E9:28:67:53:C2:B3:8E:E7:1C:E0:FB:E3:4A:9A:12:48:80:0D:FC
+ */
+exports.Google_Hardware_Attestation_Root_4 = `
+-----BEGIN CERTIFICATE-----
+MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
+BAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgw
+NzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS
+Sxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7
+tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj
+nar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq
+C4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ
+oVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O
+JtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg
+sTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi
+igHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M
+RPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E
+aDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um
+AGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1Ud
+IwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYD
+VR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7
+174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGIC
+W/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2G
+tkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkx
+oSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG
+1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mF
+mr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPz
+lHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVw
+n6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1Eu
+zbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHo
+vaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHn
+w1IdYIg2Wxg7yHcQZemFQg==
+-----END CERTIFICATE-----
+`;

package/script/services/settingsService.d.ts

@@ -1,4 +1,4 @@
-import { AttestationFormat } from '../helpers/decodeAttestationObject.js';
+import type { AttestationFormat } from '../helpers/decodeAttestationObject.js';
 export type RootCertIdentifier = AttestationFormat | 'mds';
 interface SettingsService {
     /**

package/script/services/settingsService.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"settingsService.d.ts","sourceRoot":"","sources":["../../src/services/settingsService.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uCAAuC,CAAC;AAW1E,MAAM,MAAM,kBAAkB,GAAG,iBAAiB,GAAG,KAAK,CAAC;AAE3D,UAAU,eAAe;IACvB;;;;;;OAMG;IACH,mBAAmB,CAAC,IAAI,EAAE;QACxB,UAAU,EAAE,kBAAkB,CAAC;QAC/B,YAAY,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,EAAE,CAAC;KACvC,GAAG,IAAI,CAAC;IAET;;OAEG;IACH,mBAAmB,CAAC,IAAI,EAAE;QAAE,UAAU,EAAE,kBAAkB,CAAA;KAAE,GAAG,MAAM,EAAE,CAAC;CACzE;AAkCD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,EAAE,eAA2C,CAAC"}
+{"version":3,"file":"settingsService.d.ts","sourceRoot":"","sources":["../../src/services/settingsService.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uCAAuC,CAAC;AAa/E,MAAM,MAAM,kBAAkB,GAAG,iBAAiB,GAAG,KAAK,CAAC;AAE3D,UAAU,eAAe;IACvB;;;;;;OAMG;IACH,mBAAmB,CAAC,IAAI,EAAE;QACxB,UAAU,EAAE,kBAAkB,CAAC;QAC/B,YAAY,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,EAAE,CAAC;KACvC,GAAG,IAAI,CAAC;IAET;;OAEG;IACH,mBAAmB,CAAC,IAAI,EAAE;QAAE,UAAU,EAAE,kBAAkB,CAAA;KAAE,GAAG,MAAM,EAAE,CAAC;CACzE;AAkCD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,EAAE,eAA2C,CAAC"}

package/script/services/settingsService.js

@@ -56,6 +56,8 @@ exports.SettingsService.setRootCertificates({
     certificates: [
         android_key_js_1.Google_Hardware_Attestation_Root_1,
         android_key_js_1.Google_Hardware_Attestation_Root_2,
+        android_key_js_1.Google_Hardware_Attestation_Root_3,
+        android_key_js_1.Google_Hardware_Attestation_Root_4,
     ],
 });
 exports.SettingsService.setRootCertificates({