npm - @simplewebauthn/server - Versions diffs - 13.1.1 → 13.2.0 - Mend

@simplewebauthn/server 13.1.1 → 13.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (190) hide show

package/script/helpers/iso/isoUint8Array.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"isoUint8Array.d.ts","sourceRoot":"","sources":["../../../src/helpers/iso/isoUint8Array.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,wBAAgB,QAAQ,CAAC,MAAM,EAAE,~~UAAU~~,EAAE,MAAM,EAAE,~~UAAU~~,GAAG,OAAO,~~CAMxE~~;AAED;;;;GAIG;AACH,wBAAgB,KAAK,CAAC,KAAK,EAAE,~~UAAU~~,GAAG,MAAM,~~CAK/C~~;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,~~UAAU~~,~~CAe/C~~;AAED;;GAEG;AACH,wBAAgB,MAAM,CAAC,MAAM,EAAE,~~UAAU~~,EAAE,GAAG,~~UAAU~~,~~CAYvD~~;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,~~UAAU~~,GAAG,MAAM,~~CAGtD~~;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,~~UAAU~~,~~CAG7D~~;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,~~UAAU~~,~~CAEzD~~;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,~~UAAU~~,GAAG,QAAQ,~~CAEtD~~"}
1	+ {"version":3,"file":"isoUint8Array.d.ts","sourceRoot":"","sources":["../../../src/helpers/iso/isoUint8Array.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAExD;;;GAGG;AAEH;;GAEG;AACH,wBAAgB,QAAQ,CAAC,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,GAAG,OAAO,CAM1E;AAED;;;;GAIG;AACH,wBAAgB,KAAK,CAAC,KAAK,EAAE,WAAW,GAAG,MAAM,CAKhD;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,CAehD;AAED;;GAEG;AACH,wBAAgB,MAAM,CAAC,MAAM,EAAE,WAAW,EAAE,GAAG,WAAW,CAYzD;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,WAAW,GAAG,MAAM,CAGvD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,WAAW,CAG9D;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW,CAE1D;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,WAAW,GAAG,QAAQ,CAEvD"}

package/script/helpers/iso/isoUint8Array.js CHANGED Viewed

@@ -1,8 +1,4 @@
 "use strict";
-/**
- * A runtime-agnostic collection of methods for working with Uint8Arrays
- * @module
- */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.areEqual = areEqual;
 exports.toHex = toHex;
@@ -12,6 +8,10 @@ exports.toUTF8String = toUTF8String;
 exports.fromUTF8String = fromUTF8String;
 exports.fromASCIIString = fromASCIIString;
 exports.toDataView = toDataView;
+/**
+ * A runtime-agnostic collection of methods for working with Uint8Arrays
+ * @module
+ */
 /**
  * Make sure two Uint8Arrays are deeply equivalent
  */

package/script/helpers/matchExpectedRPID.d.ts CHANGED Viewed

@@ -1,8 +1,9 @@
+import type { Uint8Array_ } from '../types/index.js';
 /**
  * Go through each expected RP ID and try to find one that matches. Returns the unhashed RP ID
  * that matched the hash in the response.
  *
  * Raises an `UnexpectedRPIDHash` error if no match is found
  */
-export declare function matchExpectedRPID(rpIDHash: Uint8Array, expectedRPIDs: string[]): Promise<string>;
+export declare function matchExpectedRPID(rpIDHash: Uint8Array_, expectedRPIDs: string[]): Promise<string>;
 //# sourceMappingURL=matchExpectedRPID.d.ts.map

package/script/helpers/matchExpectedRPID.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"matchExpectedRPID.d.ts","sourceRoot":"","sources":["../../src/helpers/matchExpectedRPID.ts"],"names":[],"mappings":"~~AAGA~~;;;;;GAKG;AACH,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,~~UAAU~~,~~EACpB~~,aAAa,EAAE,MAAM,EAAE,GACtB,OAAO,CAAC,MAAM,CAAC,CA8BjB"}
1	+ {"version":3,"file":"matchExpectedRPID.d.ts","sourceRoot":"","sources":["../../src/helpers/matchExpectedRPID.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD;;;;;GAKG;AACH,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,WAAW,EACrB,aAAa,EAAE,MAAM,EAAE,GACtB,OAAO,CAAC,MAAM,CAAC,CA8BjB"}

package/script/helpers/parseAuthenticatorData.d.ts CHANGED Viewed

@@ -1,11 +1,12 @@
-import { AuthenticationExtensionsAuthenticatorOutputs } from './decodeAuthenticatorExtensions.js';
+import { type AuthenticationExtensionsAuthenticatorOutputs } from './decodeAuthenticatorExtensions.js';
+import type { Uint8Array_ } from '../types/index.js';
 /**
  * Make sense of the authData buffer contained in an Attestation
  */
-export declare function parseAuthenticatorData(authData: Uint8Array): ParsedAuthenticatorData;
+export declare function parseAuthenticatorData(authData: Uint8Array_): ParsedAuthenticatorData;
 export type ParsedAuthenticatorData = {
-    rpIdHash: Uint8Array;
-    flagsBuf: Uint8Array;
+    rpIdHash: Uint8Array_;
+    flagsBuf: Uint8Array_;
     flags: {
         up: boolean;
         uv: boolean;
@@ -16,12 +17,12 @@ export type ParsedAuthenticatorData = {
         flagsInt: number;
     };
     counter: number;
-    counterBuf: Uint8Array;
-    aaguid?: Uint8Array;
-    credentialID?: Uint8Array;
-    credentialPublicKey?: Uint8Array;
+    counterBuf: Uint8Array_;
+    aaguid?: Uint8Array_;
+    credentialID?: Uint8Array_;
+    credentialPublicKey?: Uint8Array_;
     extensionsData?: AuthenticationExtensionsAuthenticatorOutputs;
-    extensionsDataBuffer?: Uint8Array;
+    extensionsDataBuffer?: Uint8Array_;
 };
 /**
  * Make it possible to stub the return value during testing

package/script/helpers/parseAuthenticatorData.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"parseAuthenticatorData.d.ts","sourceRoot":"","sources":["../../src/helpers/parseAuthenticatorData.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,4CAA4C,~~EAE7C~~,MAAM,oCAAoC,CAAC;~~AAI5C~~;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,~~UAAU~~,~~GACnB~~,uBAAuB,CAwHzB;AAED,MAAM,MAAM,uBAAuB,GAAG;IACpC,QAAQ,EAAE,~~UAAU~~,CAAC;~~IACrB~~,QAAQ,EAAE,~~UAAU~~,CAAC;~~IACrB~~,KAAK,EAAE;QACL,EAAE,EAAE,OAAO,CAAC;QACZ,EAAE,EAAE,OAAO,CAAC;QACZ,EAAE,EAAE,OAAO,CAAC;QACZ,EAAE,EAAE,OAAO,CAAC;QACZ,EAAE,EAAE,OAAO,CAAC;QACZ,EAAE,EAAE,OAAO,CAAC;QACZ,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,~~UAAU~~,CAAC;~~IACvB~~,MAAM,CAAC,EAAE,~~UAAU~~,CAAC;~~IACpB~~,YAAY,CAAC,EAAE,~~UAAU~~,CAAC;~~IAC1B~~,mBAAmB,CAAC,EAAE,~~UAAU~~,CAAC;~~IACjC~~,cAAc,CAAC,EAAE,4CAA4C,CAAC;IAC9D,oBAAoB,CAAC,EAAE,~~UAAU~~,CAAC;~~CACnC~~,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,gCAAgC;sBACzB,uBAAuB;CAC1C,CAAC"}
1	+ {"version":3,"file":"parseAuthenticatorData.d.ts","sourceRoot":"","sources":["../../src/helpers/parseAuthenticatorData.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,4CAA4C,EAElD,MAAM,oCAAoC,CAAC;AAG5C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,WAAW,GACpB,uBAAuB,CAwHzB;AAED,MAAM,MAAM,uBAAuB,GAAG;IACpC,QAAQ,EAAE,WAAW,CAAC;IACtB,QAAQ,EAAE,WAAW,CAAC;IACtB,KAAK,EAAE;QACL,EAAE,EAAE,OAAO,CAAC;QACZ,EAAE,EAAE,OAAO,CAAC;QACZ,EAAE,EAAE,OAAO,CAAC;QACZ,EAAE,EAAE,OAAO,CAAC;QACZ,EAAE,EAAE,OAAO,CAAC;QACZ,EAAE,EAAE,OAAO,CAAC;QACZ,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,WAAW,CAAC;IACxB,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,YAAY,CAAC,EAAE,WAAW,CAAC;IAC3B,mBAAmB,CAAC,EAAE,WAAW,CAAC;IAClC,cAAc,CAAC,EAAE,4CAA4C,CAAC;IAC9D,oBAAoB,CAAC,EAAE,WAAW,CAAC;CACpC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,gCAAgC;sBACzB,uBAAuB;CAC1C,CAAC"}

package/script/helpers/toHash.d.ts CHANGED Viewed

@@ -1,7 +1,8 @@
-import { COSEALG } from './cose.js';
+import type { COSEALG } from './cose.js';
+import type { Uint8Array_ } from '../types/index.js';
 /**
  * Returns hash digest of the given data, using the given algorithm when provided. Defaults to using
  * SHA-256.
  */
-export declare function toHash(data: Uint8Array | string, algorithm?: COSEALG): Promise<Uint8Array>;
+export declare function toHash(data: Uint8Array_ | string, algorithm?: COSEALG): Promise<Uint8Array_>;
 //# sourceMappingURL=toHash.d.ts.map

package/script/helpers/toHash.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"toHash.d.ts","sourceRoot":"","sources":["../../src/helpers/toHash.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;~~AAGpC~~;;;GAGG;AACH,wBAAgB,MAAM,CACpB,IAAI,EAAE,~~UAAU~~,GAAG,MAAM,~~EACzB~~,SAAS,GAAE,OAAY,GACtB,OAAO,CAAC,~~UAAU~~,CAAC,~~CAQrB~~"}
1	+ {"version":3,"file":"toHash.d.ts","sourceRoot":"","sources":["../../src/helpers/toHash.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEzC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD;;;GAGG;AACH,wBAAgB,MAAM,CACpB,IAAI,EAAE,WAAW,GAAG,MAAM,EAC1B,SAAS,GAAE,OAAY,GACtB,OAAO,CAAC,WAAW,CAAC,CAQtB"}

package/script/helpers/validateCertificatePath.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"validateCertificatePath.d.ts","sourceRoot":"","sources":["../../src/helpers/validateCertificatePath.ts"],"names":[],"mappings":"~~AASA~~;;;;GAIG;AACH,wBAAsB,uBAAuB,CAC3C,WAAW,EAAE,MAAM,EAAE,EACrB,eAAe,GAAE,MAAM,EAAO,GAC7B,OAAO,CAAC,OAAO,CAAC,~~CAsClB~~"}
1	+ {"version":3,"file":"validateCertificatePath.d.ts","sourceRoot":"","sources":["../../src/helpers/validateCertificatePath.ts"],"names":[],"mappings":"AAKA;;;;GAIG;AACH,wBAAsB,uBAAuB,CAC3C,WAAW,EAAE,MAAM,EAAE,EACrB,eAAe,GAAE,MAAM,EAAO,GAC7B,OAAO,CAAC,OAAO,CAAC,CA6HlB"}

package/script/helpers/validateCertificatePath.js CHANGED Viewed

@@ -1,12 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.validateCertificatePath = validateCertificatePath;
-const asn1_schema_1 = require("@peculiar/asn1-schema");
+const x509_1 = require("@peculiar/x509");
 const isCertRevoked_js_1 = require("./isCertRevoked.js");
-const verifySignature_js_1 = require("./verifySignature.js");
-const mapX509SignatureAlgToCOSEAlg_js_1 = require("./mapX509SignatureAlgToCOSEAlg.js");
-const getCertificateInfo_js_1 = require("./getCertificateInfo.js");
-const convertPEMToBytes_js_1 = require("./convertPEMToBytes.js");
+const getWebCrypto_js_1 = require("./iso/isoCrypto/getWebCrypto.js");
 /**
  * Traverse an array of PEM certificates and ensure they form a proper chain
  * @param x5cCertsPEM Typically the result of `x5c.map(convertASN1toPEM)`
@@ -17,27 +14,97 @@ async function validateCertificatePath(x5cCertsPEM, trustAnchorsPEM = []) {
         // We have no trust anchors to chain back to, so skip path validation
         return true;
     }
+    const WebCrypto = await (0, getWebCrypto_js_1.getWebCrypto)();
+    // Prepare to work with x5c certs
+    const x5cCertsParsed = x5cCertsPEM.map((certPEM) => new x509_1.X509Certificate(certPEM));
+    // Check for any expired or temporally invalid certs in x5c
+    for (let i = 0; i < x5cCertsParsed.length; i++) {
+        const cert = x5cCertsParsed[i];
+        const certPEM = x5cCertsPEM[i];
+        try {
+            await assertCertNotRevoked(cert);
+        }
+        catch (_err) {
+            throw new Error(`Found revoked certificate in x5c:\n${certPEM}`);
+        }
+        try {
+            assertCertIsWithinValidTimeWindow(cert.notBefore, cert.notAfter);
+        }
+        catch (_err) {
+            throw new Error(`Found certificate out of validity period in x5c:\n${certPEM}`);
+        }
+    }
+    // Prepare to work with trust anchor certs
+    const trustAnchorsParsed = trustAnchorsPEM.map((certPEM) => {
+        try {
+            return new x509_1.X509Certificate(certPEM);
+        }
+        catch (err) {
+            const _err = err;
+            throw new Error(`Could not parse trust anchor certificate:\n${certPEM}`, { cause: _err });
+        }
+    });
+    // Filter out any expired or temporally invalid trust anchors certs
+    const validTrustAnchors = [];
+    for (let i = 0; i < trustAnchorsParsed.length; i++) {
+        const cert = trustAnchorsParsed[i];
+        try {
+            await assertCertNotRevoked(cert);
+        }
+        catch (_err) {
+            // Continue processing the other certs
+            continue;
+        }
+        try {
+            assertCertIsWithinValidTimeWindow(cert.notBefore, cert.notAfter);
+        }
+        catch (_err) {
+            // Continue processing the other certs
+            continue;
+        }
+        validTrustAnchors.push(cert);
+    }
+    if (validTrustAnchors.length === 0) {
+        throw new Error('No specified trust anchor was valid for verifying x5c');
+    }
+    // Try to verify x5c with each trust anchor
     let invalidSubjectAndIssuerError = false;
-    let certificateNotYetValidOrExpiredErrorMessage = undefined;
-    for (const anchorPEM of trustAnchorsPEM) {
+    for (const anchor of trustAnchorsParsed) {
         try {
-            const certsWithTrustAnchor = x5cCertsPEM.concat([anchorPEM]);
-            await _validatePath(certsWithTrustAnchor);
+            const x5cWithTrustAnchor = x5cCertsParsed.concat([anchor]);
+            if (new Set(x5cWithTrustAnchor).size !== x5cWithTrustAnchor.length) {
+                throw new Error('Invalid certificate path: found duplicate certificates');
+            }
+            // Check signatures, and notBefore and notAfter
+            for (let i = 0; i < x5cWithTrustAnchor.length - 1; i++) {
+                const subject = x5cWithTrustAnchor[i];
+                const issuer = x5cWithTrustAnchor[i + 1];
+                // Leaf or intermediate cert, make sure the next cert in the chain signed it
+                const issuerSignedSubject = await subject.verify({ publicKey: issuer.publicKey, signatureOnly: true }, WebCrypto);
+                if (!issuerSignedSubject) {
+                    throw new InvalidSubjectAndIssuer();
+                }
+                if (issuer.subject === issuer.issuer) {
+                    // Root cert detected, make sure it signed itself
+                    const issuerSignedIssuer = await issuer.verify({ publicKey: issuer.publicKey, signatureOnly: true }, WebCrypto);
+                    if (!issuerSignedIssuer) {
+                        throw new InvalidSubjectAndIssuer();
+                    }
+                    // Don't process anything else after a root cert
+                    break;
+                }
+            }
             // If we successfully validated a path then there's no need to continue. Reset any existing
             // errors that were thrown by earlier trust anchors
             invalidSubjectAndIssuerError = false;
-            certificateNotYetValidOrExpiredErrorMessage = undefined;
             break;
         }
         catch (err) {
             if (err instanceof InvalidSubjectAndIssuer) {
                 invalidSubjectAndIssuerError = true;
             }
-            else if (err instanceof CertificateNotYetValidOrExpired) {
-                certificateNotYetValidOrExpiredErrorMessage = err.message;
-            }
             else {
-                throw err;
+                throw new Error('Unexpected error while validating certificate path', { cause: err });
             }
         }
     }
@@ -45,42 +112,6 @@ async function validateCertificatePath(x5cCertsPEM, trustAnchorsPEM = []) {
     if (invalidSubjectAndIssuerError) {
         throw new InvalidSubjectAndIssuer();
     }
-    else if (certificateNotYetValidOrExpiredErrorMessage) {
-        throw new CertificateNotYetValidOrExpired(certificateNotYetValidOrExpiredErrorMessage);
-    }
-    return true;
-}
-/**
- * @param x5cCerts X.509 `x5c` certs in PEM string format
- * @param anchorCert X.509 trust anchor cert in PEM string format
- */
-async function _validatePath(x5cCertsWithTrustAnchorPEM) {
-    if (new Set(x5cCertsWithTrustAnchorPEM).size !== x5cCertsWithTrustAnchorPEM.length) {
-        throw new Error('Invalid certificate path: found duplicate certificates');
-    }
-    // Make sure no certs are revoked, and all are within their time validity window
-    for (const certificatePEM of x5cCertsWithTrustAnchorPEM) {
-        const certInfo = (0, getCertificateInfo_js_1.getCertificateInfo)((0, convertPEMToBytes_js_1.convertPEMToBytes)(certificatePEM));
-        await assertCertNotRevoked(certInfo.parsedCertificate);
-        assertCertIsWithinValidTimeWindow(certInfo, certificatePEM);
-    }
-    // Make sure each x5c cert is issued by the next certificate in the chain
-    for (let i = 0; i < (x5cCertsWithTrustAnchorPEM.length - 1); i += 1) {
-        const subjectPem = x5cCertsWithTrustAnchorPEM[i];
-        const issuerPem = x5cCertsWithTrustAnchorPEM[i + 1];
-        const subjectInfo = (0, getCertificateInfo_js_1.getCertificateInfo)((0, convertPEMToBytes_js_1.convertPEMToBytes)(subjectPem));
-        const issuerInfo = (0, getCertificateInfo_js_1.getCertificateInfo)((0, convertPEMToBytes_js_1.convertPEMToBytes)(issuerPem));
-        // Make sure subject issuer is issuer subject
-        if (subjectInfo.issuer.combined !== issuerInfo.subject.combined) {
-            throw new InvalidSubjectAndIssuer();
-        }
-        const issuerCertIsRootCert = issuerInfo.issuer.combined === issuerInfo.subject.combined;
-        await assertSubjectIsSignedByIssuer(subjectInfo.parsedCertificate, issuerPem);
-        // Perform one final check if the issuer cert is also a root certificate
-        if (issuerCertIsRootCert) {
-            await assertSubjectIsSignedByIssuer(issuerInfo.parsedCertificate, issuerPem);
-        }
-    }
     return true;
 }
 /**
@@ -90,39 +121,16 @@ async function assertCertNotRevoked(certificate) {
     // Check for certificate revocation
     const subjectCertRevoked = await (0, isCertRevoked_js_1.isCertRevoked)(certificate);
     if (subjectCertRevoked) {
-        throw new Error(`Found revoked certificate in certificate path`);
+        throw new Error('Found revoked certificate in certificate path');
     }
 }
 /**
  * Require the cert to be within its notBefore and notAfter time window
- *
- * @param certInfo Parsed cert information
- * @param certPEM PEM-formatted certificate, for error reporting
  */
-function assertCertIsWithinValidTimeWindow(certInfo, certPEM) {
-    const { notBefore, notAfter } = certInfo;
+function assertCertIsWithinValidTimeWindow(certNotBefore, certNotAfter) {
     const now = new Date(Date.now());
-    if (notBefore > now || notAfter < now) {
-        throw new CertificateNotYetValidOrExpired(`Certificate is not yet valid or expired: ${certPEM}`);
-    }
-}
-/**
- * Ensure that the subject cert has been signed by the next cert in the chain
- */
-async function assertSubjectIsSignedByIssuer(subjectCert, issuerPEM) {
-    // Verify the subject certificate's signature with the issuer cert's public key
-    const data = asn1_schema_1.AsnSerializer.serialize(subjectCert.tbsCertificate);
-    const signature = subjectCert.signatureValue;
-    const signatureAlgorithm = (0, mapX509SignatureAlgToCOSEAlg_js_1.mapX509SignatureAlgToCOSEAlg)(subjectCert.signatureAlgorithm.algorithm);
-    const issuerCertBytes = (0, convertPEMToBytes_js_1.convertPEMToBytes)(issuerPEM);
-    const verified = await (0, verifySignature_js_1.verifySignature)({
-        data: new Uint8Array(data),
-        signature: new Uint8Array(signature),
-        x509Certificate: issuerCertBytes,
-        hashAlgorithm: signatureAlgorithm,
-    });
-    if (!verified) {
-        throw new InvalidSubjectSignatureForIssuer();
+    if (certNotBefore > now || certNotAfter < now) {
+        throw new Error('Certificate is not yet valid or expired');
     }
 }
 // Custom errors to help pass on certain errors
@@ -133,16 +141,3 @@ class InvalidSubjectAndIssuer extends Error {
         this.name = 'InvalidSubjectAndIssuer';
     }
 }
-class InvalidSubjectSignatureForIssuer extends Error {
-    constructor() {
-        const message = 'Subject signature was invalid for issuer';
-        super(message);
-        this.name = 'InvalidSubjectSignatureForIssuer';
-    }
-}
-class CertificateNotYetValidOrExpired extends Error {
-    constructor(message) {
-        super(message);
-        this.name = 'CertificateNotYetValidOrExpired';
-    }
-}

package/script/helpers/validateExtFIDOGenCEAAGUID.d.ts CHANGED Viewed

@@ -1,7 +1,8 @@
-import { Extensions } from '@peculiar/asn1-x509';
+import type { Extensions } from '@peculiar/asn1-x509';
+import type { Uint8Array_ } from '../types/index.js';
 /**
  * Look for the id-fido-gen-ce-aaguid certificate extension. If it's present then check it against
  * the attestation statement AAGUID.
  */
-export declare function validateExtFIDOGenCEAAGUID(certExtensions: Extensions | undefined, aaguid: Uint8Array): boolean;
+export declare function validateExtFIDOGenCEAAGUID(certExtensions: Extensions | undefined, aaguid: Uint8Array_): boolean;
 //# sourceMappingURL=validateExtFIDOGenCEAAGUID.d.ts.map

package/script/helpers/validateExtFIDOGenCEAAGUID.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"validateExtFIDOGenCEAAGUID.d.ts","sourceRoot":"","sources":["../../src/helpers/validateExtFIDOGenCEAAGUID.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;~~AAWjD~~;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,cAAc,EAAE,UAAU,GAAG,SAAS,EACtC,MAAM,EAAE,~~UAAU~~,~~GACjB~~,OAAO,CA6BT"}
1	+ {"version":3,"file":"validateExtFIDOGenCEAAGUID.d.ts","sourceRoot":"","sources":["../../src/helpers/validateExtFIDOGenCEAAGUID.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGtD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AASrD;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,cAAc,EAAE,UAAU,GAAG,SAAS,EACtC,MAAM,EAAE,WAAW,GAClB,OAAO,CA6BT"}

package/script/helpers/verifySignature.d.ts CHANGED Viewed

@@ -1,12 +1,13 @@
 import { COSEALG } from './cose.js';
+import type { Uint8Array_ } from '../types/index.js';
 /**
  * Verify an authenticator's signature
  */
 export declare function verifySignature(opts: {
-    signature: Uint8Array;
-    data: Uint8Array;
-    credentialPublicKey?: Uint8Array;
-    x509Certificate?: Uint8Array;
+    signature: Uint8Array_;
+    data: Uint8Array_;
+    credentialPublicKey?: Uint8Array_;
+    x509Certificate?: Uint8Array_;
     hashAlgorithm?: COSEALG;
 }): Promise<boolean>;
 /**

package/script/helpers/verifySignature.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"verifySignature.d.ts","sourceRoot":"","sources":["../../src/helpers/verifySignature.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAiB,MAAM,WAAW,CAAC;~~AAKnD~~;;GAEG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE;IACpC,SAAS,EAAE,~~UAAU~~,CAAC;~~IACtB~~,IAAI,EAAE,~~UAAU~~,CAAC;~~IACjB~~,mBAAmB,CAAC,EAAE,~~UAAU~~,CAAC;~~IACjC~~,eAAe,CAAC,EAAE,~~UAAU~~,CAAC;~~IAC7B~~,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB,GAAG,OAAO,CAAC,OAAO,CAAC,CAmCnB;AAED;;;GAGG;AACH,eAAO,MAAM,yBAAyB;sBAClB,OAAO,CAAC,OAAO,CAAC;CACnC,CAAC"}
1	+ {"version":3,"file":"verifySignature.d.ts","sourceRoot":"","sources":["../../src/helpers/verifySignature.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAiB,MAAM,WAAW,CAAC;AAInD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD;;GAEG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE;IACpC,SAAS,EAAE,WAAW,CAAC;IACvB,IAAI,EAAE,WAAW,CAAC;IAClB,mBAAmB,CAAC,EAAE,WAAW,CAAC;IAClC,eAAe,CAAC,EAAE,WAAW,CAAC;IAC9B,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB,GAAG,OAAO,CAAC,OAAO,CAAC,CAmCnB;AAED;;;GAGG;AACH,eAAO,MAAM,yBAAyB;sBAClB,OAAO,CAAC,OAAO,CAAC;CACnC,CAAC"}

package/script/metadata/verifyAttestationWithMetadata.d.ts CHANGED Viewed

@@ -1,14 +1,15 @@
 import type { Base64URLString } from '../types/index.js';
 import type { AlgSign, MetadataStatement } from './mdsTypes.js';
 import { type COSEALG, type COSECRV, COSEKTY } from '../helpers/cose.js';
+import type { Uint8Array_ } from '../types/index.js';
 /**
  * Match properties of the authenticator's attestation statement against expected values as
  * registered with the FIDO Alliance Metadata Service
  */
 export declare function verifyAttestationWithMetadata({ statement, credentialPublicKey, x5c, attestationStatementAlg, }: {
     statement: MetadataStatement;
-    credentialPublicKey: Uint8Array;
-    x5c: Uint8Array[] | Base64URLString[];
+    credentialPublicKey: Uint8Array_;
+    x5c: Uint8Array_[] | Base64URLString[];
     attestationStatementAlg?: number;
 }): Promise<boolean>;
 type COSEInfo = {

package/script/metadata/verifyAttestationWithMetadata.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"verifyAttestationWithMetadata.d.ts","sourceRoot":"","sources":["../../src/metadata/verifyAttestationWithMetadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAIhE,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,OAAO,EAEZ,OAAO,EAER,MAAM,oBAAoB,CAAC;~~AAE5B~~;;;GAGG;AACH,wBAAsB,6BAA6B,CAAC,EAClD,SAAS,EACT,mBAAmB,EACnB,GAAG,EACH,uBAAuB,GACxB,EAAE;IACD,SAAS,EAAE,iBAAiB,CAAC;IAC7B,mBAAmB,EAAE,~~UAAU~~,CAAC;~~IAChC~~,GAAG,EAAE,~~UAAU~~,EAAE,GAAG,eAAe,EAAE,CAAC;~~IACtC~~,uBAAuB,CAAC,EAAE,MAAM,CAAC;CAClC,GAAG,OAAO,CAAC,OAAO,CAAC,CAoJnB;AAED,KAAK,QAAQ,GAAG;IACd,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,CAAC,EAAE,OAAO,CAAC;CACf,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,EAAE;KAAG,GAAG,IAAI,OAAO,GAAG,QAAQ;CAe9D,CAAC"}
1	+ {"version":3,"file":"verifyAttestationWithMetadata.d.ts","sourceRoot":"","sources":["../../src/metadata/verifyAttestationWithMetadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAIhE,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,OAAO,EAEZ,OAAO,EAER,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD;;;GAGG;AACH,wBAAsB,6BAA6B,CAAC,EAClD,SAAS,EACT,mBAAmB,EACnB,GAAG,EACH,uBAAuB,GACxB,EAAE;IACD,SAAS,EAAE,iBAAiB,CAAC;IAC7B,mBAAmB,EAAE,WAAW,CAAC;IACjC,GAAG,EAAE,WAAW,EAAE,GAAG,eAAe,EAAE,CAAC;IACvC,uBAAuB,CAAC,EAAE,MAAM,CAAC;CAClC,GAAG,OAAO,CAAC,OAAO,CAAC,CAoJnB;AAED,KAAK,QAAQ,GAAG;IACd,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,CAAC,EAAE,OAAO,CAAC;CACf,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,EAAE;KAAG,GAAG,IAAI,OAAO,GAAG,QAAQ;CAe9D,CAAC"}

package/script/metadata/verifyJWT.d.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import type { Uint8Array_ } from '../types/index.js';
 /**
  * Lightweight verification for FIDO MDS JWTs. Supports use of EC2 and RSA.
  *
@@ -7,5 +8,5 @@
  *
  * (Pulled from https://www.rfc-editor.org/rfc/rfc7515#section-4.1.1)
  */
-export declare function verifyJWT(jwt: string, leafCert: Uint8Array): Promise<boolean>;
+export declare function verifyJWT(jwt: string, leafCert: Uint8Array_): Promise<boolean>;
 //# sourceMappingURL=verifyJWT.d.ts.map

package/script/metadata/verifyJWT.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"verifyJWT.d.ts","sourceRoot":"","sources":["../../src/metadata/verifyJWT.ts"],"names":[],"mappings":"~~AAMA~~;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,~~UAAU~~,GAAG,OAAO,CAAC,OAAO,CAAC,~~CA0B7E~~"}
1	+ {"version":3,"file":"verifyJWT.d.ts","sourceRoot":"","sources":["../../src/metadata/verifyJWT.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,CA0B9E"}

package/script/registration/generateRegistrationOptions.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import type { AuthenticationExtensionsClientInputs, AuthenticatorSelectionCriteria, AuthenticatorTransportFuture, Base64URLString, COSEAlgorithmIdentifier, PublicKeyCredentialCreationOptionsJSON } from '../types/index.js';
+import type { AuthenticationExtensionsClientInputs, AuthenticatorSelectionCriteria, AuthenticatorTransportFuture, Base64URLString, COSEAlgorithmIdentifier, PublicKeyCredentialCreationOptionsJSON, Uint8Array_ } from '../types/index.js';
 export type GenerateRegistrationOptionsOpts = Parameters<typeof generateRegistrationOptions>[0];
 /**
  * Supported crypto algo identifiers
@@ -29,8 +29,8 @@ export declare function generateRegistrationOptions(options: {
     rpName: string;
     rpID: string;
     userName: string;
-    userID?: Uint8Array;
-    challenge?: string | Uint8Array;
+    userID?: Uint8Array_;
+    challenge?: string | Uint8Array_;
     userDisplayName?: string;
     timeout?: number;
     attestationType?: 'direct' | 'enterprise' | 'none';

package/script/registration/generateRegistrationOptions.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"generateRegistrationOptions.d.ts","sourceRoot":"","sources":["../../src/registration/generateRegistrationOptions.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,oCAAoC,EACpC,8BAA8B,EAC9B,4BAA4B,EAC5B,eAAe,EACf,uBAAuB,EACvB,sCAAsC,~~EAGvC~~,MAAM,mBAAmB,CAAC;AAK3B,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,OAAO,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;AAEhG;;;;GAIG;AACH,eAAO,MAAM,iCAAiC,EAAE,uBAAuB,EAqBtE,CAAC;AAsBF;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE;IACP,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,~~UAAU~~,CAAC;~~IACpB~~,SAAS,CAAC,EAAE,MAAM,GAAG,~~UAAU~~,CAAC;~~IAChC~~,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,QAAQ,GAAG,YAAY,GAAG,MAAM,CAAC;IACnD,kBAAkB,CAAC,EAAE;QACnB,EAAE,EAAE,eAAe,CAAC;QACpB,UAAU,CAAC,EAAE,4BAA4B,EAAE,CAAC;KAC7C,EAAE,CAAC;IACJ,sBAAsB,CAAC,EAAE,8BAA8B,CAAC;IACxD,UAAU,CAAC,EAAE,oCAAoC,CAAC;IAClD,qBAAqB,CAAC,EAAE,uBAAuB,EAAE,CAAC;IAClD,0BAA0B,CAAC,EAAE,aAAa,GAAG,aAAa,GAAG,cAAc,CAAC;CAC7E,GACA,OAAO,CAAC,sCAAsC,CAAC,CAqIjD"}
1	+ {"version":3,"file":"generateRegistrationOptions.d.ts","sourceRoot":"","sources":["../../src/registration/generateRegistrationOptions.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,oCAAoC,EACpC,8BAA8B,EAC9B,4BAA4B,EAC5B,eAAe,EACf,uBAAuB,EACvB,sCAAsC,EAGtC,WAAW,EACZ,MAAM,mBAAmB,CAAC;AAK3B,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,OAAO,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;AAEhG;;;;GAIG;AACH,eAAO,MAAM,iCAAiC,EAAE,uBAAuB,EAqBtE,CAAC;AAsBF;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE;IACP,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,GAAG,WAAW,CAAC;IACjC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,QAAQ,GAAG,YAAY,GAAG,MAAM,CAAC;IACnD,kBAAkB,CAAC,EAAE;QACnB,EAAE,EAAE,eAAe,CAAC;QACpB,UAAU,CAAC,EAAE,4BAA4B,EAAE,CAAC;KAC7C,EAAE,CAAC;IACJ,sBAAsB,CAAC,EAAE,8BAA8B,CAAC;IACxD,UAAU,CAAC,EAAE,oCAAoC,CAAC;IAClD,qBAAqB,CAAC,EAAE,uBAAuB,EAAE,CAAC;IAClD,0BAA0B,CAAC,EAAE,aAAa,GAAG,aAAa,GAAG,cAAc,CAAC;CAC7E,GACA,OAAO,CAAC,sCAAsC,CAAC,CAqIjD"}

package/script/registration/verifications/tpm/parseCertInfo.d.ts CHANGED Viewed

@@ -1,24 +1,25 @@
+import type { Uint8Array_ } from '../../../types/index.js';
 /**
  * Cut up a TPM attestation's certInfo into intelligible chunks
  */
-export declare function parseCertInfo(certInfo: Uint8Array): ParsedCertInfo;
+export declare function parseCertInfo(certInfo: Uint8Array_): ParsedCertInfo;
 type ParsedCertInfo = {
     magic: number;
     type: string;
-    qualifiedSigner: Uint8Array;
-    extraData: Uint8Array;
+    qualifiedSigner: Uint8Array_;
+    extraData: Uint8Array_;
     clockInfo: {
-        clock: Uint8Array;
+        clock: Uint8Array_;
         resetCount: number;
         restartCount: number;
         safe: boolean;
     };
-    firmwareVersion: Uint8Array;
+    firmwareVersion: Uint8Array_;
     attested: {
         nameAlg: string;
-        nameAlgBuffer: Uint8Array;
-        name: Uint8Array;
-        qualifiedName: Uint8Array;
+        nameAlgBuffer: Uint8Array_;
+        name: Uint8Array_;
+        qualifiedName: Uint8Array_;
     };
 };
 export {};

package/script/registration/verifications/tpm/parseCertInfo.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"parseCertInfo.d.ts","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/parseCertInfo.ts"],"names":[],"mappings":"~~AAGA~~;;GAEG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,~~UAAU~~,GAAG,cAAc,~~CAkElE~~;AAED,KAAK,cAAc,GAAG;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,eAAe,EAAE,~~UAAU~~,CAAC;~~IAC5B~~,SAAS,EAAE,~~UAAU~~,CAAC;~~IACtB~~,SAAS,EAAE;QACT,KAAK,EAAE,~~UAAU~~,CAAC;~~QAClB~~,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,IAAI,EAAE,OAAO,CAAC;KACf,CAAC;IACF,eAAe,EAAE,~~UAAU~~,CAAC;~~IAC5B~~,QAAQ,EAAE;QACR,OAAO,EAAE,MAAM,CAAC;QAChB,aAAa,EAAE,~~UAAU~~,CAAC;~~QAC1B~~,IAAI,EAAE,~~UAAU~~,CAAC;~~QACjB~~,aAAa,EAAE,~~UAAU~~,CAAC;~~KAC3B~~,CAAC;CACH,CAAC"}
1	+ {"version":3,"file":"parseCertInfo.d.ts","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/parseCertInfo.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAE3D;;GAEG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,WAAW,GAAG,cAAc,CAkEnE;AAED,KAAK,cAAc,GAAG;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,eAAe,EAAE,WAAW,CAAC;IAC7B,SAAS,EAAE,WAAW,CAAC;IACvB,SAAS,EAAE;QACT,KAAK,EAAE,WAAW,CAAC;QACnB,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,IAAI,EAAE,OAAO,CAAC;KACf,CAAC;IACF,eAAe,EAAE,WAAW,CAAC;IAC7B,QAAQ,EAAE;QACR,OAAO,EAAE,MAAM,CAAC;QAChB,aAAa,EAAE,WAAW,CAAC;QAC3B,IAAI,EAAE,WAAW,CAAC;QAClB,aAAa,EAAE,WAAW,CAAC;KAC5B,CAAC;CACH,CAAC"}

package/script/registration/verifications/tpm/parsePubArea.d.ts CHANGED Viewed

@@ -1,10 +1,11 @@
+import type { Uint8Array_ } from '../../../types/index.js';
 /**
  * Break apart a TPM attestation's pubArea buffer
  *
  * See 12.2.4 TPMT_PUBLIC here:
  * https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-00.96-130315.pdf
  */
-export declare function parsePubArea(pubArea: Uint8Array): ParsedPubArea;
+export declare function parsePubArea(pubArea: Uint8Array_): ParsedPubArea;
 type ParsedPubArea = {
     type: 'TPM_ALG_RSA' | 'TPM_ALG_ECC';
     nameAlg: string;
@@ -21,12 +22,12 @@ type ParsedPubArea = {
         decrypt: boolean;
         signOrEncrypt: boolean;
     };
-    authPolicy: Uint8Array;
+    authPolicy: Uint8Array_;
     parameters: {
         rsa?: RSAParameters;
         ecc?: ECCParameters;
     };
-    unique: Uint8Array;
+    unique: Uint8Array_;
 };
 type RSAParameters = {
     symmetric: string;

package/script/registration/verifications/tpm/parsePubArea.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"parsePubArea.d.ts","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/parsePubArea.ts"],"names":[],"mappings":"~~AAGA~~;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,~~UAAU~~,GAAG,aAAa,~~CAyG/D~~;AAED,KAAK,aAAa,GAAG;IACnB,IAAI,EAAE,aAAa,GAAG,aAAa,CAAC;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,EAAE;QAChB,QAAQ,EAAE,OAAO,CAAC;QAClB,OAAO,EAAE,OAAO,CAAC;QACjB,WAAW,EAAE,OAAO,CAAC;QACrB,mBAAmB,EAAE,OAAO,CAAC;QAC7B,YAAY,EAAE,OAAO,CAAC;QACtB,eAAe,EAAE,OAAO,CAAC;QACzB,IAAI,EAAE,OAAO,CAAC;QACd,oBAAoB,EAAE,OAAO,CAAC;QAC9B,UAAU,EAAE,OAAO,CAAC;QACpB,OAAO,EAAE,OAAO,CAAC;QACjB,aAAa,EAAE,OAAO,CAAC;KACxB,CAAC;IACF,UAAU,EAAE,~~UAAU~~,CAAC;~~IACvB~~,UAAU,EAAE;QACV,GAAG,CAAC,EAAE,aAAa,CAAC;QACpB,GAAG,CAAC,EAAE,aAAa,CAAC;KACrB,CAAC;IACF,MAAM,EAAE,~~UAAU~~,CAAC;~~CACpB~~,CAAC;AAEF,KAAK,aAAa,GAAG;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,KAAK,aAAa,GAAG;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb,CAAC"}
1	+ {"version":3,"file":"parsePubArea.d.ts","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/parsePubArea.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAE3D;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,WAAW,GAAG,aAAa,CAyGhE;AAED,KAAK,aAAa,GAAG;IACnB,IAAI,EAAE,aAAa,GAAG,aAAa,CAAC;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,EAAE;QAChB,QAAQ,EAAE,OAAO,CAAC;QAClB,OAAO,EAAE,OAAO,CAAC;QACjB,WAAW,EAAE,OAAO,CAAC;QACrB,mBAAmB,EAAE,OAAO,CAAC;QAC7B,YAAY,EAAE,OAAO,CAAC;QACtB,eAAe,EAAE,OAAO,CAAC;QACzB,IAAI,EAAE,OAAO,CAAC;QACd,oBAAoB,EAAE,OAAO,CAAC;QAC9B,UAAU,EAAE,OAAO,CAAC;QACpB,OAAO,EAAE,OAAO,CAAC;QACjB,aAAa,EAAE,OAAO,CAAC;KACxB,CAAC;IACF,UAAU,EAAE,WAAW,CAAC;IACxB,UAAU,EAAE;QACV,GAAG,CAAC,EAAE,aAAa,CAAC;QACpB,GAAG,CAAC,EAAE,aAAa,CAAC;KACrB,CAAC;IACF,MAAM,EAAE,WAAW,CAAC;CACrB,CAAC;AAEF,KAAK,aAAa,GAAG;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,KAAK,aAAa,GAAG;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb,CAAC"}

package/script/registration/verifications/tpm/verifyAttestationTPM.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"verifyAttestationTPM.d.ts","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/verifyAttestationTPM.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,qCAAqC,CAAC;~~AAuBzF~~,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC,OAAO,CAAC,CA+VlB"}
1	+ {"version":3,"file":"verifyAttestationTPM.d.ts","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/verifyAttestationTPM.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,qCAAqC,CAAC;AAwBzF,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC,OAAO,CAAC,CA+VlB"}

package/script/registration/verifications/verifyAttestationAndroidKey.js CHANGED Viewed

@@ -83,7 +83,7 @@ async function verifyAttestationAndroidKey(options) {
         }
         catch (err) {
             const _err = err;
-            throw new Error(`${_err.message} (Android Key)`);
+            throw new Error(`${_err.message} (Android Key)`, { cause: _err });
         }
     }
     else {
@@ -97,7 +97,7 @@ async function verifyAttestationAndroidKey(options) {
         }
         catch (err) {
             const _err = err;
-            throw new Error(`${_err.message} (Android Key)`);
+            throw new Error(`${_err.message} (Android Key)`, { cause: _err });
         }
         /**
          * Make sure the root certificate is one of the Google Hardware Attestation Root certificates

package/script/registration/verifications/verifyAttestationAndroidSafetyNet.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"verifyAttestationAndroidSafetyNet.d.ts","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAttestationAndroidSafetyNet.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,kCAAkC,CAAC;AAWtF;;GAEG;AACH,wBAAsB,iCAAiC,CACrD,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC,OAAO,CAAC,~~CA2IlB~~"}
1	+ {"version":3,"file":"verifyAttestationAndroidSafetyNet.d.ts","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAttestationAndroidSafetyNet.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,kCAAkC,CAAC;AAWtF;;GAEG;AACH,wBAAsB,iCAAiC,CACrD,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC,OAAO,CAAC,CA4IlB"}

package/script/registration/verifications/verifyAttestationAndroidSafetyNet.js CHANGED Viewed

@@ -13,7 +13,7 @@ const verifyAttestationWithMetadata_js_1 = require("../../metadata/verifyAttesta
  * Verify an attestation response with fmt 'android-safetynet'
  */
 async function verifyAttestationAndroidSafetyNet(options) {
-    const { attStmt, clientDataHash, authData, aaguid, rootCertificates, verifyTimestampMS = true, credentialPublicKey, } = options;
+    const { attStmt, clientDataHash, authData, aaguid, rootCertificates, verifyTimestampMS = true, credentialPublicKey, attestationSafetyNetEnforceCTSCheck, } = options;
     const alg = attStmt.get('alg');
     const response = attStmt.get('response');
     const ver = attStmt.get('ver');
@@ -52,7 +52,7 @@ async function verifyAttestationAndroidSafetyNet(options) {
     if (nonce !== expectedNonce) {
         throw new Error('Could not verify payload nonce (SafetyNet)');
     }
-    if (!ctsProfileMatch) {
+    if (attestationSafetyNetEnforceCTSCheck && !ctsProfileMatch) {
         throw new Error('Could not verify device integrity (SafetyNet)');
     }
     /**