@simplewebauthn/server 13.1.2 → 13.2.1

package/script/helpers/validateCertificatePath.js

@@ -1,12 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.validateCertificatePath = validateCertificatePath;
-const asn1_schema_1 = require("@peculiar/asn1-schema");
+const x509_1 = require("@peculiar/x509");
 const isCertRevoked_js_1 = require("./isCertRevoked.js");
-const verifySignature_js_1 = require("./verifySignature.js");
-const mapX509SignatureAlgToCOSEAlg_js_1 = require("./mapX509SignatureAlgToCOSEAlg.js");
-const getCertificateInfo_js_1 = require("./getCertificateInfo.js");
-const convertPEMToBytes_js_1 = require("./convertPEMToBytes.js");
+const getWebCrypto_js_1 = require("./iso/isoCrypto/getWebCrypto.js");
 /**
  * Traverse an array of PEM certificates and ensure they form a proper chain
  * @param x5cCertsPEM Typically the result of `x5c.map(convertASN1toPEM)`
@@ -17,27 +14,97 @@ async function validateCertificatePath(x5cCertsPEM, trustAnchorsPEM = []) {
         // We have no trust anchors to chain back to, so skip path validation
         return true;
     }
+    const WebCrypto = await (0, getWebCrypto_js_1.getWebCrypto)();
+    // Prepare to work with x5c certs
+    const x5cCertsParsed = x5cCertsPEM.map((certPEM) => new x509_1.X509Certificate(certPEM));
+    // Check for any expired or temporally invalid certs in x5c
+    for (let i = 0; i < x5cCertsParsed.length; i++) {
+        const cert = x5cCertsParsed[i];
+        const certPEM = x5cCertsPEM[i];
+        try {
+            await assertCertNotRevoked(cert);
+        }
+        catch (_err) {
+            throw new Error(`Found revoked certificate in x5c:\n${certPEM}`);
+        }
+        try {
+            assertCertIsWithinValidTimeWindow(cert.notBefore, cert.notAfter);
+        }
+        catch (_err) {
+            throw new Error(`Found certificate out of validity period in x5c:\n${certPEM}`);
+        }
+    }
+    // Prepare to work with trust anchor certs
+    const trustAnchorsParsed = trustAnchorsPEM.map((certPEM) => {
+        try {
+            return new x509_1.X509Certificate(certPEM);
+        }
+        catch (err) {
+            const _err = err;
+            throw new Error(`Could not parse trust anchor certificate:\n${certPEM}`, { cause: _err });
+        }
+    });
+    // Filter out any expired or temporally invalid trust anchors certs
+    const validTrustAnchors = [];
+    for (let i = 0; i < trustAnchorsParsed.length; i++) {
+        const cert = trustAnchorsParsed[i];
+        try {
+            await assertCertNotRevoked(cert);
+        }
+        catch (_err) {
+            // Continue processing the other certs
+            continue;
+        }
+        try {
+            assertCertIsWithinValidTimeWindow(cert.notBefore, cert.notAfter);
+        }
+        catch (_err) {
+            // Continue processing the other certs
+            continue;
+        }
+        validTrustAnchors.push(cert);
+    }
+    if (validTrustAnchors.length === 0) {
+        throw new Error('No specified trust anchor was valid for verifying x5c');
+    }
+    // Try to verify x5c with each trust anchor
     let invalidSubjectAndIssuerError = false;
-    let certificateNotYetValidOrExpiredErrorMessage = undefined;
-    for (const anchorPEM of trustAnchorsPEM) {
+    for (const anchor of trustAnchorsParsed) {
         try {
-            const certsWithTrustAnchor = x5cCertsPEM.concat([anchorPEM]);
-            await _validatePath(certsWithTrustAnchor);
+            const x5cWithTrustAnchor = x5cCertsParsed.concat([anchor]);
+            if (new Set(x5cWithTrustAnchor).size !== x5cWithTrustAnchor.length) {
+                throw new Error('Invalid certificate path: found duplicate certificates');
+            }
+            // Check signatures, and notBefore and notAfter
+            for (let i = 0; i < x5cWithTrustAnchor.length - 1; i++) {
+                const subject = x5cWithTrustAnchor[i];
+                const issuer = x5cWithTrustAnchor[i + 1];
+                // Leaf or intermediate cert, make sure the next cert in the chain signed it
+                const issuerSignedSubject = await subject.verify({ publicKey: issuer.publicKey, signatureOnly: true }, WebCrypto);
+                if (!issuerSignedSubject) {
+                    throw new InvalidSubjectAndIssuer();
+                }
+                if (issuer.subject === issuer.issuer) {
+                    // Root cert detected, make sure it signed itself
+                    const issuerSignedIssuer = await issuer.verify({ publicKey: issuer.publicKey, signatureOnly: true }, WebCrypto);
+                    if (!issuerSignedIssuer) {
+                        throw new InvalidSubjectAndIssuer();
+                    }
+                    // Don't process anything else after a root cert
+                    break;
+                }
+            }
             // If we successfully validated a path then there's no need to continue. Reset any existing
             // errors that were thrown by earlier trust anchors
             invalidSubjectAndIssuerError = false;
-            certificateNotYetValidOrExpiredErrorMessage = undefined;
             break;
         }
         catch (err) {
             if (err instanceof InvalidSubjectAndIssuer) {
                 invalidSubjectAndIssuerError = true;
             }
-            else if (err instanceof CertificateNotYetValidOrExpired) {
-                certificateNotYetValidOrExpiredErrorMessage = err.message;
-            }
             else {
-                throw err;
+                throw new Error('Unexpected error while validating certificate path', { cause: err });
             }
         }
     }
@@ -45,42 +112,6 @@ async function validateCertificatePath(x5cCertsPEM, trustAnchorsPEM = []) {
     if (invalidSubjectAndIssuerError) {
         throw new InvalidSubjectAndIssuer();
     }
-    else if (certificateNotYetValidOrExpiredErrorMessage) {
-        throw new CertificateNotYetValidOrExpired(certificateNotYetValidOrExpiredErrorMessage);
-    }
-    return true;
-}
-/**
- * @param x5cCerts X.509 `x5c` certs in PEM string format
- * @param anchorCert X.509 trust anchor cert in PEM string format
- */
-async function _validatePath(x5cCertsWithTrustAnchorPEM) {
-    if (new Set(x5cCertsWithTrustAnchorPEM).size !== x5cCertsWithTrustAnchorPEM.length) {
-        throw new Error('Invalid certificate path: found duplicate certificates');
-    }
-    // Make sure no certs are revoked, and all are within their time validity window
-    for (const certificatePEM of x5cCertsWithTrustAnchorPEM) {
-        const certInfo = (0, getCertificateInfo_js_1.getCertificateInfo)((0, convertPEMToBytes_js_1.convertPEMToBytes)(certificatePEM));
-        await assertCertNotRevoked(certInfo.parsedCertificate);
-        assertCertIsWithinValidTimeWindow(certInfo, certificatePEM);
-    }
-    // Make sure each x5c cert is issued by the next certificate in the chain
-    for (let i = 0; i < (x5cCertsWithTrustAnchorPEM.length - 1); i += 1) {
-        const subjectPem = x5cCertsWithTrustAnchorPEM[i];
-        const issuerPem = x5cCertsWithTrustAnchorPEM[i + 1];
-        const subjectInfo = (0, getCertificateInfo_js_1.getCertificateInfo)((0, convertPEMToBytes_js_1.convertPEMToBytes)(subjectPem));
-        const issuerInfo = (0, getCertificateInfo_js_1.getCertificateInfo)((0, convertPEMToBytes_js_1.convertPEMToBytes)(issuerPem));
-        // Make sure subject issuer is issuer subject
-        if (subjectInfo.issuer.combined !== issuerInfo.subject.combined) {
-            throw new InvalidSubjectAndIssuer();
-        }
-        const issuerCertIsRootCert = issuerInfo.issuer.combined === issuerInfo.subject.combined;
-        await assertSubjectIsSignedByIssuer(subjectInfo.parsedCertificate, issuerPem);
-        // Perform one final check if the issuer cert is also a root certificate
-        if (issuerCertIsRootCert) {
-            await assertSubjectIsSignedByIssuer(issuerInfo.parsedCertificate, issuerPem);
-        }
-    }
     return true;
 }
 /**
@@ -90,39 +121,16 @@ async function assertCertNotRevoked(certificate) {
     // Check for certificate revocation
     const subjectCertRevoked = await (0, isCertRevoked_js_1.isCertRevoked)(certificate);
     if (subjectCertRevoked) {
-        throw new Error(`Found revoked certificate in certificate path`);
+        throw new Error('Found revoked certificate in certificate path');
     }
 }
 /**
  * Require the cert to be within its notBefore and notAfter time window
- *
- * @param certInfo Parsed cert information
- * @param certPEM PEM-formatted certificate, for error reporting
  */
-function assertCertIsWithinValidTimeWindow(certInfo, certPEM) {
-    const { notBefore, notAfter } = certInfo;
+function assertCertIsWithinValidTimeWindow(certNotBefore, certNotAfter) {
     const now = new Date(Date.now());
-    if (notBefore > now || notAfter < now) {
-        throw new CertificateNotYetValidOrExpired(`Certificate is not yet valid or expired: ${certPEM}`);
-    }
-}
-/**
- * Ensure that the subject cert has been signed by the next cert in the chain
- */
-async function assertSubjectIsSignedByIssuer(subjectCert, issuerPEM) {
-    // Verify the subject certificate's signature with the issuer cert's public key
-    const data = asn1_schema_1.AsnSerializer.serialize(subjectCert.tbsCertificate);
-    const signature = subjectCert.signatureValue;
-    const signatureAlgorithm = (0, mapX509SignatureAlgToCOSEAlg_js_1.mapX509SignatureAlgToCOSEAlg)(subjectCert.signatureAlgorithm.algorithm);
-    const issuerCertBytes = (0, convertPEMToBytes_js_1.convertPEMToBytes)(issuerPEM);
-    const verified = await (0, verifySignature_js_1.verifySignature)({
-        data: new Uint8Array(data),
-        signature: new Uint8Array(signature),
-        x509Certificate: issuerCertBytes,
-        hashAlgorithm: signatureAlgorithm,
-    });
-    if (!verified) {
-        throw new InvalidSubjectSignatureForIssuer();
+    if (certNotBefore > now || certNotAfter < now) {
+        throw new Error('Certificate is not yet valid or expired');
     }
 }
 // Custom errors to help pass on certain errors
@@ -133,16 +141,3 @@ class InvalidSubjectAndIssuer extends Error {
         this.name = 'InvalidSubjectAndIssuer';
     }
 }
-class InvalidSubjectSignatureForIssuer extends Error {
-    constructor() {
-        const message = 'Subject signature was invalid for issuer';
-        super(message);
-        this.name = 'InvalidSubjectSignatureForIssuer';
-    }
-}
-class CertificateNotYetValidOrExpired extends Error {
-    constructor(message) {
-        super(message);
-        this.name = 'CertificateNotYetValidOrExpired';
-    }
-}

package/script/helpers/validateExtFIDOGenCEAAGUID.d.ts

@@ -1,7 +1,8 @@
-import { Extensions } from '@peculiar/asn1-x509';
+import type { Extensions } from '@peculiar/asn1-x509';
+import type { Uint8Array_ } from '../types/index.js';
 /**
  * Look for the id-fido-gen-ce-aaguid certificate extension. If it's present then check it against
  * the attestation statement AAGUID.
  */
-export declare function validateExtFIDOGenCEAAGUID(certExtensions: Extensions | undefined, aaguid: Uint8Array): boolean;
+export declare function validateExtFIDOGenCEAAGUID(certExtensions: Extensions | undefined, aaguid: Uint8Array_): boolean;
 //# sourceMappingURL=validateExtFIDOGenCEAAGUID.d.ts.map

package/script/helpers/validateExtFIDOGenCEAAGUID.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validateExtFIDOGenCEAAGUID.d.ts","sourceRoot":"","sources":["../../src/helpers/validateExtFIDOGenCEAAGUID.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAWjD;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,cAAc,EAAE,UAAU,GAAG,SAAS,EACtC,MAAM,EAAE,UAAU,GACjB,OAAO,CA6BT"}
+{"version":3,"file":"validateExtFIDOGenCEAAGUID.d.ts","sourceRoot":"","sources":["../../src/helpers/validateExtFIDOGenCEAAGUID.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGtD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AASrD;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,cAAc,EAAE,UAAU,GAAG,SAAS,EACtC,MAAM,EAAE,WAAW,GAClB,OAAO,CA6BT"}

package/script/helpers/verifySignature.d.ts

@@ -1,12 +1,13 @@
 import { COSEALG } from './cose.js';
+import type { Uint8Array_ } from '../types/index.js';
 /**
  * Verify an authenticator's signature
  */
 export declare function verifySignature(opts: {
-    signature: Uint8Array;
-    data: Uint8Array;
-    credentialPublicKey?: Uint8Array;
-    x509Certificate?: Uint8Array;
+    signature: Uint8Array_;
+    data: Uint8Array_;
+    credentialPublicKey?: Uint8Array_;
+    x509Certificate?: Uint8Array_;
     hashAlgorithm?: COSEALG;
 }): Promise<boolean>;
 /**

package/script/helpers/verifySignature.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verifySignature.d.ts","sourceRoot":"","sources":["../../src/helpers/verifySignature.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAiB,MAAM,WAAW,CAAC;AAKnD;;GAEG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE;IACpC,SAAS,EAAE,UAAU,CAAC;IACtB,IAAI,EAAE,UAAU,CAAC;IACjB,mBAAmB,CAAC,EAAE,UAAU,CAAC;IACjC,eAAe,CAAC,EAAE,UAAU,CAAC;IAC7B,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB,GAAG,OAAO,CAAC,OAAO,CAAC,CAmCnB;AAED;;;GAGG;AACH,eAAO,MAAM,yBAAyB;sBAClB,OAAO,CAAC,OAAO,CAAC;CACnC,CAAC"}
+{"version":3,"file":"verifySignature.d.ts","sourceRoot":"","sources":["../../src/helpers/verifySignature.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAiB,MAAM,WAAW,CAAC;AAInD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD;;GAEG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE;IACpC,SAAS,EAAE,WAAW,CAAC;IACvB,IAAI,EAAE,WAAW,CAAC;IAClB,mBAAmB,CAAC,EAAE,WAAW,CAAC;IAClC,eAAe,CAAC,EAAE,WAAW,CAAC;IAC9B,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB,GAAG,OAAO,CAAC,OAAO,CAAC,CAmCnB;AAED;;;GAGG;AACH,eAAO,MAAM,yBAAyB;sBAClB,OAAO,CAAC,OAAO,CAAC;CACnC,CAAC"}

package/script/metadata/verifyAttestationWithMetadata.d.ts

@@ -1,14 +1,15 @@
 import type { Base64URLString } from '../types/index.js';
 import type { AlgSign, MetadataStatement } from './mdsTypes.js';
 import { type COSEALG, type COSECRV, COSEKTY } from '../helpers/cose.js';
+import type { Uint8Array_ } from '../types/index.js';
 /**
  * Match properties of the authenticator's attestation statement against expected values as
  * registered with the FIDO Alliance Metadata Service
  */
 export declare function verifyAttestationWithMetadata({ statement, credentialPublicKey, x5c, attestationStatementAlg, }: {
     statement: MetadataStatement;
-    credentialPublicKey: Uint8Array;
-    x5c: Uint8Array[] | Base64URLString[];
+    credentialPublicKey: Uint8Array_;
+    x5c: Uint8Array_[] | Base64URLString[];
     attestationStatementAlg?: number;
 }): Promise<boolean>;
 type COSEInfo = {

package/script/metadata/verifyAttestationWithMetadata.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verifyAttestationWithMetadata.d.ts","sourceRoot":"","sources":["../../src/metadata/verifyAttestationWithMetadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAIhE,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,OAAO,EAEZ,OAAO,EAER,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAsB,6BAA6B,CAAC,EAClD,SAAS,EACT,mBAAmB,EACnB,GAAG,EACH,uBAAuB,GACxB,EAAE;IACD,SAAS,EAAE,iBAAiB,CAAC;IAC7B,mBAAmB,EAAE,UAAU,CAAC;IAChC,GAAG,EAAE,UAAU,EAAE,GAAG,eAAe,EAAE,CAAC;IACtC,uBAAuB,CAAC,EAAE,MAAM,CAAC;CAClC,GAAG,OAAO,CAAC,OAAO,CAAC,CAoJnB;AAED,KAAK,QAAQ,GAAG;IACd,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,CAAC,EAAE,OAAO,CAAC;CACf,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,EAAE;KAAG,GAAG,IAAI,OAAO,GAAG,QAAQ;CAe9D,CAAC"}
+{"version":3,"file":"verifyAttestationWithMetadata.d.ts","sourceRoot":"","sources":["../../src/metadata/verifyAttestationWithMetadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAIhE,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,OAAO,EAEZ,OAAO,EAER,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD;;;GAGG;AACH,wBAAsB,6BAA6B,CAAC,EAClD,SAAS,EACT,mBAAmB,EACnB,GAAG,EACH,uBAAuB,GACxB,EAAE;IACD,SAAS,EAAE,iBAAiB,CAAC;IAC7B,mBAAmB,EAAE,WAAW,CAAC;IACjC,GAAG,EAAE,WAAW,EAAE,GAAG,eAAe,EAAE,CAAC;IACvC,uBAAuB,CAAC,EAAE,MAAM,CAAC;CAClC,GAAG,OAAO,CAAC,OAAO,CAAC,CAoJnB;AAED,KAAK,QAAQ,GAAG;IACd,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,CAAC,EAAE,OAAO,CAAC;CACf,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,EAAE;KAAG,GAAG,IAAI,OAAO,GAAG,QAAQ;CAe9D,CAAC"}

package/script/metadata/verifyJWT.d.ts

@@ -1,3 +1,4 @@
+import type { Uint8Array_ } from '../types/index.js';
 /**
  * Lightweight verification for FIDO MDS JWTs. Supports use of EC2 and RSA.
  *
@@ -7,5 +8,5 @@
  *
  * (Pulled from https://www.rfc-editor.org/rfc/rfc7515#section-4.1.1)
  */
-export declare function verifyJWT(jwt: string, leafCert: Uint8Array): Promise<boolean>;
+export declare function verifyJWT(jwt: string, leafCert: Uint8Array_): Promise<boolean>;
 //# sourceMappingURL=verifyJWT.d.ts.map

package/script/metadata/verifyJWT.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verifyJWT.d.ts","sourceRoot":"","sources":["../../src/metadata/verifyJWT.ts"],"names":[],"mappings":"AAMA;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,CA0B7E"}
+{"version":3,"file":"verifyJWT.d.ts","sourceRoot":"","sources":["../../src/metadata/verifyJWT.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,CA0B9E"}

package/script/registration/generateRegistrationOptions.d.ts

@@ -1,4 +1,4 @@
-import type { AuthenticationExtensionsClientInputs, AuthenticatorSelectionCriteria, AuthenticatorTransportFuture, Base64URLString, COSEAlgorithmIdentifier, PublicKeyCredentialCreationOptionsJSON } from '../types/index.js';
+import type { AuthenticationExtensionsClientInputs, AuthenticatorSelectionCriteria, AuthenticatorTransportFuture, Base64URLString, COSEAlgorithmIdentifier, PublicKeyCredentialCreationOptionsJSON, Uint8Array_ } from '../types/index.js';
 export type GenerateRegistrationOptionsOpts = Parameters<typeof generateRegistrationOptions>[0];
 /**
  * Supported crypto algo identifiers
@@ -29,8 +29,8 @@ export declare function generateRegistrationOptions(options: {
     rpName: string;
     rpID: string;
     userName: string;
-    userID?: Uint8Array;
-    challenge?: string | Uint8Array;
+    userID?: Uint8Array_;
+    challenge?: string | Uint8Array_;
     userDisplayName?: string;
     timeout?: number;
     attestationType?: 'direct' | 'enterprise' | 'none';

package/script/registration/generateRegistrationOptions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"generateRegistrationOptions.d.ts","sourceRoot":"","sources":["../../src/registration/generateRegistrationOptions.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,oCAAoC,EACpC,8BAA8B,EAC9B,4BAA4B,EAC5B,eAAe,EACf,uBAAuB,EACvB,sCAAsC,EAGvC,MAAM,mBAAmB,CAAC;AAK3B,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,OAAO,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;AAEhG;;;;GAIG;AACH,eAAO,MAAM,iCAAiC,EAAE,uBAAuB,EAqBtE,CAAC;AAsBF;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE;IACP,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,GAAG,UAAU,CAAC;IAChC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,QAAQ,GAAG,YAAY,GAAG,MAAM,CAAC;IACnD,kBAAkB,CAAC,EAAE;QACnB,EAAE,EAAE,eAAe,CAAC;QACpB,UAAU,CAAC,EAAE,4BAA4B,EAAE,CAAC;KAC7C,EAAE,CAAC;IACJ,sBAAsB,CAAC,EAAE,8BAA8B,CAAC;IACxD,UAAU,CAAC,EAAE,oCAAoC,CAAC;IAClD,qBAAqB,CAAC,EAAE,uBAAuB,EAAE,CAAC;IAClD,0BAA0B,CAAC,EAAE,aAAa,GAAG,aAAa,GAAG,cAAc,CAAC;CAC7E,GACA,OAAO,CAAC,sCAAsC,CAAC,CAqIjD"}
+{"version":3,"file":"generateRegistrationOptions.d.ts","sourceRoot":"","sources":["../../src/registration/generateRegistrationOptions.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,oCAAoC,EACpC,8BAA8B,EAC9B,4BAA4B,EAC5B,eAAe,EACf,uBAAuB,EACvB,sCAAsC,EAGtC,WAAW,EACZ,MAAM,mBAAmB,CAAC;AAK3B,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,OAAO,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;AAEhG;;;;GAIG;AACH,eAAO,MAAM,iCAAiC,EAAE,uBAAuB,EAqBtE,CAAC;AAsBF;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE;IACP,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,GAAG,WAAW,CAAC;IACjC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,QAAQ,GAAG,YAAY,GAAG,MAAM,CAAC;IACnD,kBAAkB,CAAC,EAAE;QACnB,EAAE,EAAE,eAAe,CAAC;QACpB,UAAU,CAAC,EAAE,4BAA4B,EAAE,CAAC;KAC7C,EAAE,CAAC;IACJ,sBAAsB,CAAC,EAAE,8BAA8B,CAAC;IACxD,UAAU,CAAC,EAAE,oCAAoC,CAAC;IAClD,qBAAqB,CAAC,EAAE,uBAAuB,EAAE,CAAC;IAClD,0BAA0B,CAAC,EAAE,aAAa,GAAG,aAAa,GAAG,cAAc,CAAC;CAC7E,GACA,OAAO,CAAC,sCAAsC,CAAC,CAqIjD"}

package/script/registration/verifications/tpm/parseCertInfo.d.ts

@@ -1,24 +1,25 @@
+import type { Uint8Array_ } from '../../../types/index.js';
 /**
  * Cut up a TPM attestation's certInfo into intelligible chunks
  */
-export declare function parseCertInfo(certInfo: Uint8Array): ParsedCertInfo;
+export declare function parseCertInfo(certInfo: Uint8Array_): ParsedCertInfo;
 type ParsedCertInfo = {
     magic: number;
     type: string;
-    qualifiedSigner: Uint8Array;
-    extraData: Uint8Array;
+    qualifiedSigner: Uint8Array_;
+    extraData: Uint8Array_;
     clockInfo: {
-        clock: Uint8Array;
+        clock: Uint8Array_;
         resetCount: number;
         restartCount: number;
         safe: boolean;
     };
-    firmwareVersion: Uint8Array;
+    firmwareVersion: Uint8Array_;
     attested: {
         nameAlg: string;
-        nameAlgBuffer: Uint8Array;
-        name: Uint8Array;
-        qualifiedName: Uint8Array;
+        nameAlgBuffer: Uint8Array_;
+        name: Uint8Array_;
+        qualifiedName: Uint8Array_;
     };
 };
 export {};

package/script/registration/verifications/tpm/parseCertInfo.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"parseCertInfo.d.ts","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/parseCertInfo.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,UAAU,GAAG,cAAc,CAkElE;AAED,KAAK,cAAc,GAAG;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,eAAe,EAAE,UAAU,CAAC;IAC5B,SAAS,EAAE,UAAU,CAAC;IACtB,SAAS,EAAE;QACT,KAAK,EAAE,UAAU,CAAC;QAClB,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,IAAI,EAAE,OAAO,CAAC;KACf,CAAC;IACF,eAAe,EAAE,UAAU,CAAC;IAC5B,QAAQ,EAAE;QACR,OAAO,EAAE,MAAM,CAAC;QAChB,aAAa,EAAE,UAAU,CAAC;QAC1B,IAAI,EAAE,UAAU,CAAC;QACjB,aAAa,EAAE,UAAU,CAAC;KAC3B,CAAC;CACH,CAAC"}
+{"version":3,"file":"parseCertInfo.d.ts","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/parseCertInfo.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAE3D;;GAEG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,WAAW,GAAG,cAAc,CAkEnE;AAED,KAAK,cAAc,GAAG;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,eAAe,EAAE,WAAW,CAAC;IAC7B,SAAS,EAAE,WAAW,CAAC;IACvB,SAAS,EAAE;QACT,KAAK,EAAE,WAAW,CAAC;QACnB,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;QACrB,IAAI,EAAE,OAAO,CAAC;KACf,CAAC;IACF,eAAe,EAAE,WAAW,CAAC;IAC7B,QAAQ,EAAE;QACR,OAAO,EAAE,MAAM,CAAC;QAChB,aAAa,EAAE,WAAW,CAAC;QAC3B,IAAI,EAAE,WAAW,CAAC;QAClB,aAAa,EAAE,WAAW,CAAC;KAC5B,CAAC;CACH,CAAC"}

package/script/registration/verifications/tpm/parsePubArea.d.ts

@@ -1,10 +1,11 @@
+import type { Uint8Array_ } from '../../../types/index.js';
 /**
  * Break apart a TPM attestation's pubArea buffer
  *
  * See 12.2.4 TPMT_PUBLIC here:
  * https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-00.96-130315.pdf
  */
-export declare function parsePubArea(pubArea: Uint8Array): ParsedPubArea;
+export declare function parsePubArea(pubArea: Uint8Array_): ParsedPubArea;
 type ParsedPubArea = {
     type: 'TPM_ALG_RSA' | 'TPM_ALG_ECC';
     nameAlg: string;
@@ -21,12 +22,12 @@ type ParsedPubArea = {
         decrypt: boolean;
         signOrEncrypt: boolean;
     };
-    authPolicy: Uint8Array;
+    authPolicy: Uint8Array_;
     parameters: {
         rsa?: RSAParameters;
         ecc?: ECCParameters;
     };
-    unique: Uint8Array;
+    unique: Uint8Array_;
 };
 type RSAParameters = {
     symmetric: string;

package/script/registration/verifications/tpm/parsePubArea.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"parsePubArea.d.ts","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/parsePubArea.ts"],"names":[],"mappings":"AAGA;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,UAAU,GAAG,aAAa,CAyG/D;AAED,KAAK,aAAa,GAAG;IACnB,IAAI,EAAE,aAAa,GAAG,aAAa,CAAC;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,EAAE;QAChB,QAAQ,EAAE,OAAO,CAAC;QAClB,OAAO,EAAE,OAAO,CAAC;QACjB,WAAW,EAAE,OAAO,CAAC;QACrB,mBAAmB,EAAE,OAAO,CAAC;QAC7B,YAAY,EAAE,OAAO,CAAC;QACtB,eAAe,EAAE,OAAO,CAAC;QACzB,IAAI,EAAE,OAAO,CAAC;QACd,oBAAoB,EAAE,OAAO,CAAC;QAC9B,UAAU,EAAE,OAAO,CAAC;QACpB,OAAO,EAAE,OAAO,CAAC;QACjB,aAAa,EAAE,OAAO,CAAC;KACxB,CAAC;IACF,UAAU,EAAE,UAAU,CAAC;IACvB,UAAU,EAAE;QACV,GAAG,CAAC,EAAE,aAAa,CAAC;QACpB,GAAG,CAAC,EAAE,aAAa,CAAC;KACrB,CAAC;IACF,MAAM,EAAE,UAAU,CAAC;CACpB,CAAC;AAEF,KAAK,aAAa,GAAG;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,KAAK,aAAa,GAAG;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb,CAAC"}
+{"version":3,"file":"parsePubArea.d.ts","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/parsePubArea.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAE3D;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,WAAW,GAAG,aAAa,CAyGhE;AAED,KAAK,aAAa,GAAG;IACnB,IAAI,EAAE,aAAa,GAAG,aAAa,CAAC;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,EAAE;QAChB,QAAQ,EAAE,OAAO,CAAC;QAClB,OAAO,EAAE,OAAO,CAAC;QACjB,WAAW,EAAE,OAAO,CAAC;QACrB,mBAAmB,EAAE,OAAO,CAAC;QAC7B,YAAY,EAAE,OAAO,CAAC;QACtB,eAAe,EAAE,OAAO,CAAC;QACzB,IAAI,EAAE,OAAO,CAAC;QACd,oBAAoB,EAAE,OAAO,CAAC;QAC9B,UAAU,EAAE,OAAO,CAAC;QACpB,OAAO,EAAE,OAAO,CAAC;QACjB,aAAa,EAAE,OAAO,CAAC;KACxB,CAAC;IACF,UAAU,EAAE,WAAW,CAAC;IACxB,UAAU,EAAE;QACV,GAAG,CAAC,EAAE,aAAa,CAAC;QACpB,GAAG,CAAC,EAAE,aAAa,CAAC;KACrB,CAAC;IACF,MAAM,EAAE,WAAW,CAAC;CACrB,CAAC;AAEF,KAAK,aAAa,GAAG;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,KAAK,aAAa,GAAG;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb,CAAC"}

package/script/registration/verifications/tpm/verifyAttestationTPM.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verifyAttestationTPM.d.ts","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/verifyAttestationTPM.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,qCAAqC,CAAC;AAuBzF,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC,OAAO,CAAC,CA+VlB"}
+{"version":3,"file":"verifyAttestationTPM.d.ts","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/verifyAttestationTPM.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,qCAAqC,CAAC;AAwBzF,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC,OAAO,CAAC,CA+VlB"}

package/script/registration/verifications/verifyAttestationAndroidKey.js

@@ -83,7 +83,7 @@ async function verifyAttestationAndroidKey(options) {
         }
         catch (err) {
             const _err = err;
-            throw new Error(`${_err.message} (Android Key)`);
+            throw new Error(`${_err.message} (Android Key)`, { cause: _err });
         }
     }
     else {
@@ -97,7 +97,7 @@ async function verifyAttestationAndroidKey(options) {
         }
         catch (err) {
             const _err = err;
-            throw new Error(`${_err.message} (Android Key)`);
+            throw new Error(`${_err.message} (Android Key)`, { cause: _err });
         }
         /**
          * Make sure the root certificate is one of the Google Hardware Attestation Root certificates

package/script/registration/verifications/verifyAttestationAndroidSafetyNet.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verifyAttestationAndroidSafetyNet.d.ts","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAttestationAndroidSafetyNet.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,kCAAkC,CAAC;AAWtF;;GAEG;AACH,wBAAsB,iCAAiC,CACrD,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC,OAAO,CAAC,CA2IlB"}
+{"version":3,"file":"verifyAttestationAndroidSafetyNet.d.ts","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAttestationAndroidSafetyNet.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,kCAAkC,CAAC;AAWtF;;GAEG;AACH,wBAAsB,iCAAiC,CACrD,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC,OAAO,CAAC,CA4IlB"}

package/script/registration/verifications/verifyAttestationAndroidSafetyNet.js

@@ -13,7 +13,7 @@ const verifyAttestationWithMetadata_js_1 = require("../../metadata/verifyAttesta
  * Verify an attestation response with fmt 'android-safetynet'
  */
 async function verifyAttestationAndroidSafetyNet(options) {
-    const { attStmt, clientDataHash, authData, aaguid, rootCertificates, verifyTimestampMS = true, credentialPublicKey, } = options;
+    const { attStmt, clientDataHash, authData, aaguid, rootCertificates, verifyTimestampMS = true, credentialPublicKey, attestationSafetyNetEnforceCTSCheck, } = options;
     const alg = attStmt.get('alg');
     const response = attStmt.get('response');
     const ver = attStmt.get('ver');
@@ -52,7 +52,7 @@ async function verifyAttestationAndroidSafetyNet(options) {
     if (nonce !== expectedNonce) {
         throw new Error('Could not verify payload nonce (SafetyNet)');
     }
-    if (!ctsProfileMatch) {
+    if (attestationSafetyNetEnforceCTSCheck && !ctsProfileMatch) {
         throw new Error('Could not verify device integrity (SafetyNet)');
     }
     /**

package/script/registration/verifyRegistrationResponse.d.ts

@@ -1,4 +1,4 @@
-import type { COSEAlgorithmIdentifier, CredentialDeviceType, RegistrationResponseJSON, WebAuthnCredential } from '../types/index.js';
+import type { COSEAlgorithmIdentifier, CredentialDeviceType, RegistrationResponseJSON, Uint8Array_, WebAuthnCredential } from '../types/index.js';
 import { type AttestationFormat, type AttestationStatement } from '../helpers/decodeAttestationObject.js';
 import type { AuthenticationExtensionsAuthenticatorOutputs } from '../helpers/decodeAuthenticatorExtensions.js';
 /**
@@ -18,6 +18,7 @@ export type VerifyRegistrationResponseOpts = Parameters<typeof verifyRegistratio
  * @param requireUserPresence **(Optional)** - Enforce user presence by the authenticator (or skip it during auto registration) Defaults to `true`
  * @param requireUserVerification **(Optional)** - Enforce user verification by the authenticator (via PIN, fingerprint, etc...) Defaults to `true`
  * @param supportedAlgorithmIDs **(Optional)** - Array of numeric COSE algorithm identifiers supported for attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms. Defaults to all supported algorithm IDs
+ * @param attestationSafetyNetEnforceCTSCheck **(Optional)** - Require that an Android device's system integrity has not been tampered with if it uses SafetyNet attestation. Defaults to `true`
  */
 export declare function verifyRegistrationResponse(options: {
     response: RegistrationResponseJSON;
@@ -28,6 +29,7 @@ export declare function verifyRegistrationResponse(options: {
     requireUserPresence?: boolean;
     requireUserVerification?: boolean;
     supportedAlgorithmIDs?: COSEAlgorithmIdentifier[];
+    attestationSafetyNetEnforceCTSCheck?: boolean;
 }): Promise<VerifiedRegistrationResponse>;
 /**
  * Result of registration verification
@@ -56,13 +58,16 @@ export declare function verifyRegistrationResponse(options: {
  * by the browser
  */
 export type VerifiedRegistrationResponse = {
-    verified: boolean;
-    registrationInfo?: {
+    verified: false;
+    registrationInfo?: never;
+} | {
+    verified: true;
+    registrationInfo: {
         fmt: AttestationFormat;
         aaguid: string;
         credential: WebAuthnCredential;
         credentialType: 'public-key';
-        attestationObject: Uint8Array;
+        attestationObject: Uint8Array_;
         userVerified: boolean;
         credentialDeviceType: CredentialDeviceType;
         credentialBackedUp: boolean;
@@ -75,14 +80,15 @@ export type VerifiedRegistrationResponse = {
  * Values passed to all attestation format verifiers, from which they are free to use as they please
  */
 export type AttestationFormatVerifierOpts = {
-    aaguid: Uint8Array;
+    aaguid: Uint8Array_;
     attStmt: AttestationStatement;
-    authData: Uint8Array;
-    clientDataHash: Uint8Array;
-    credentialID: Uint8Array;
-    credentialPublicKey: Uint8Array;
+    authData: Uint8Array_;
+    clientDataHash: Uint8Array_;
+    credentialID: Uint8Array_;
+    credentialPublicKey: Uint8Array_;
     rootCertificates: string[];
-    rpIdHash: Uint8Array;
+    rpIdHash: Uint8Array_;
     verifyTimestampMS?: boolean;
+    attestationSafetyNetEnforceCTSCheck?: boolean;
 };
 //# sourceMappingURL=verifyRegistrationResponse.d.ts.map

package/script/registration/verifyRegistrationResponse.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verifyRegistrationResponse.d.ts","sourceRoot":"","sources":["../../src/registration/verifyRegistrationResponse.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,uBAAuB,EACvB,oBAAoB,EACpB,wBAAwB,EACxB,kBAAkB,EACnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,KAAK,iBAAiB,EACtB,KAAK,oBAAoB,EAE1B,MAAM,uCAAuC,CAAC;AAC/C,OAAO,KAAK,EAAE,4CAA4C,EAAE,MAAM,6CAA6C,CAAC;AAoBhH;;GAEG;AACH,MAAM,MAAM,8BAA8B,GAAG,UAAU,CAAC,OAAO,0BAA0B,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9F;;;;;;;;;;;;;GAaG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE;IACP,QAAQ,EAAE,wBAAwB,CAAC;IACnC,iBAAiB,EAAE,MAAM,GAAG,CAAC,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;IAChF,cAAc,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACjC,YAAY,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACjC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,qBAAqB,CAAC,EAAE,uBAAuB,EAAE,CAAC;CACnD,GACA,OAAO,CAAC,4BAA4B,CAAC,CAsPvC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,MAAM,4BAA4B,GAAG;IACzC,QAAQ,EAAE,OAAO,CAAC;IAClB,gBAAgB,CAAC,EAAE;QACjB,GAAG,EAAE,iBAAiB,CAAC;QACvB,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,EAAE,kBAAkB,CAAC;QAC/B,cAAc,EAAE,YAAY,CAAC;QAC7B,iBAAiB,EAAE,UAAU,CAAC;QAC9B,YAAY,EAAE,OAAO,CAAC;QACtB,oBAAoB,EAAE,oBAAoB,CAAC;QAC3C,kBAAkB,EAAE,OAAO,CAAC;QAC5B,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,6BAA6B,CAAC,EAAE,4CAA4C,CAAC;KAC9E,CAAC;CACH,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,6BAA6B,GAAG;IAC1C,MAAM,EAAE,UAAU,CAAC;IACnB,OAAO,EAAE,oBAAoB,CAAC;IAC9B,QAAQ,EAAE,UAAU,CAAC;IACrB,cAAc,EAAE,UAAU,CAAC;IAC3B,YAAY,EAAE,UAAU,CAAC;IACzB,mBAAmB,EAAE,UAAU,CAAC;IAChC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,QAAQ,EAAE,UAAU,CAAC;IACrB,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B,CAAC"}
+{"version":3,"file":"verifyRegistrationResponse.d.ts","sourceRoot":"","sources":["../../src/registration/verifyRegistrationResponse.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,uBAAuB,EACvB,oBAAoB,EACpB,wBAAwB,EACxB,WAAW,EACX,kBAAkB,EACnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,KAAK,iBAAiB,EACtB,KAAK,oBAAoB,EAE1B,MAAM,uCAAuC,CAAC;AAC/C,OAAO,KAAK,EAAE,4CAA4C,EAAE,MAAM,6CAA6C,CAAC;AAoBhH;;GAEG;AACH,MAAM,MAAM,8BAA8B,GAAG,UAAU,CAAC,OAAO,0BAA0B,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9F;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE;IACP,QAAQ,EAAE,wBAAwB,CAAC;IACnC,iBAAiB,EAAE,MAAM,GAAG,CAAC,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;IAChF,cAAc,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACjC,YAAY,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACjC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,qBAAqB,CAAC,EAAE,uBAAuB,EAAE,CAAC;IAClD,mCAAmC,CAAC,EAAE,OAAO,CAAC;CAC/C,GACA,OAAO,CAAC,4BAA4B,CAAC,CAqPvC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,MAAM,4BAA4B,GAAG;IACzC,QAAQ,EAAE,KAAK,CAAC;IAChB,gBAAgB,CAAC,EAAE,KAAK,CAAC;CAC1B,GAAG;IACF,QAAQ,EAAE,IAAI,CAAC;IACf,gBAAgB,EAAE;QAChB,GAAG,EAAE,iBAAiB,CAAC;QACvB,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,EAAE,kBAAkB,CAAC;QAC/B,cAAc,EAAE,YAAY,CAAC;QAC7B,iBAAiB,EAAE,WAAW,CAAC;QAC/B,YAAY,EAAE,OAAO,CAAC;QACtB,oBAAoB,EAAE,oBAAoB,CAAC;QAC3C,kBAAkB,EAAE,OAAO,CAAC;QAC5B,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,6BAA6B,CAAC,EAAE,4CAA4C,CAAC;KAC9E,CAAC;CACH,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,6BAA6B,GAAG;IAC1C,MAAM,EAAE,WAAW,CAAC;IACpB,OAAO,EAAE,oBAAoB,CAAC;IAC9B,QAAQ,EAAE,WAAW,CAAC;IACtB,cAAc,EAAE,WAAW,CAAC;IAC5B,YAAY,EAAE,WAAW,CAAC;IAC1B,mBAAmB,EAAE,WAAW,CAAC;IACjC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,QAAQ,EAAE,WAAW,CAAC;IACtB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,mCAAmC,CAAC,EAAE,OAAO,CAAC;CAC/C,CAAC"}

package/script/registration/verifyRegistrationResponse.js

@@ -32,9 +32,10 @@ const verifyAttestationApple_js_1 = require("./verifications/verifyAttestationAp
  * @param requireUserPresence **(Optional)** - Enforce user presence by the authenticator (or skip it during auto registration) Defaults to `true`
  * @param requireUserVerification **(Optional)** - Enforce user verification by the authenticator (via PIN, fingerprint, etc...) Defaults to `true`
  * @param supportedAlgorithmIDs **(Optional)** - Array of numeric COSE algorithm identifiers supported for attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms. Defaults to all supported algorithm IDs
+ * @param attestationSafetyNetEnforceCTSCheck **(Optional)** - Require that an Android device's system integrity has not been tampered with if it uses SafetyNet attestation. Defaults to `true`
  */
 async function verifyRegistrationResponse(options) {
-    const { response, expectedChallenge, expectedOrigin, expectedRPID, expectedType, requireUserPresence = true, requireUserVerification = true, supportedAlgorithmIDs = generateRegistrationOptions_js_1.supportedCOSEAlgorithmIdentifiers, } = options;
+    const { response, expectedChallenge, expectedOrigin, expectedRPID, expectedType, requireUserPresence = true, requireUserVerification = true, supportedAlgorithmIDs = generateRegistrationOptions_js_1.supportedCOSEAlgorithmIdentifiers, attestationSafetyNetEnforceCTSCheck = true, } = options;
     const { id, rawId, type: credentialType, response: attestationResponse } = response;
     // Ensure credential specified an ID
     if (!id) {
@@ -153,6 +154,7 @@ async function verifyRegistrationResponse(options) {
         credentialPublicKey,
         rootCertificates,
         rpIdHash,
+        attestationSafetyNetEnforceCTSCheck,
     };
     /**
      * Verification can only be performed when attestation = 'direct'
@@ -186,12 +188,13 @@ async function verifyRegistrationResponse(options) {
     else {
         throw new Error(`Unsupported Attestation Format: ${fmt}`);
     }
-    const toReturn = {
-        verified,
-    };
-    if (toReturn.verified) {
-        const { credentialDeviceType, credentialBackedUp } = (0, parseBackupFlags_js_1.parseBackupFlags)(flags);
-        toReturn.registrationInfo = {
+    if (!verified) {
+        return { verified: false };
+    }
+    const { credentialDeviceType, credentialBackedUp } = (0, parseBackupFlags_js_1.parseBackupFlags)(flags);
+    return {
+        verified: true,
+        registrationInfo: {
             fmt,
             aaguid: (0, convertAAGUIDToString_js_1.convertAAGUIDToString)(aaguid),
             credentialType,
@@ -208,7 +211,6 @@ async function verifyRegistrationResponse(options) {
             origin: clientDataJSON.origin,
             rpID: matchedRPID,
             authenticatorExtensionResults: extensionsData,
-        };
-    }
-    return toReturn;
+        },
+    };
 }

package/script/services/defaultRootCerts/mds.d.ts

@@ -8,5 +8,5 @@
  * SHA256 Fingerprint
  * CB:B5:22:D7:B7:F1:27:AD:6A:01:13:86:5B:DF:1C:D4:10:2E:7D:07:59:AF:63:5A:7C:F4:72:0D:C9:63:C5:3B
  */
-export declare const GlobalSign_Root_CA_R3 = "-----BEGIN CERTIFICATE-----\n MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G\n A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp\n Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4\n MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG\n A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI\n hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8\n RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT\n gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm\n KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd\n QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ\n XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw\n DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o\n LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU\n RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp\n jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK\n 6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX\n mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs\n Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH\n WD9f\n -----END CERTIFICATE-----\n ";
+export declare const GlobalSign_Root_CA_R3 = "-----BEGIN CERTIFICATE-----\nMIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G\nA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp\nZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4\nMTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG\nA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8\nRgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT\ngHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm\nKPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd\nQQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ\nXriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw\nDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o\nLkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU\nRUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp\njjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK\n6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX\nmcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs\nMx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH\nWD9f\n-----END CERTIFICATE-----\n ";
 //# sourceMappingURL=mds.d.ts.map

package/script/services/defaultRootCerts/mds.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mds.d.ts","sourceRoot":"","sources":["../../../src/services/defaultRootCerts/mds.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB,4vCAqBhC,CAAC"}
+{"version":3,"file":"mds.d.ts","sourceRoot":"","sources":["../../../src/services/defaultRootCerts/mds.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB,wuCAqBhC,CAAC"}