@simplewebauthn/server 3.0.0 → 4.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{assertion/generateAssertionOptions.d.ts → authentication/generateAuthenticationOptions.d.ts} +5 -5
- package/dist/{assertion/generateAssertionOptions.js → authentication/generateAuthenticationOptions.js} +6 -6
- package/dist/authentication/generateAuthenticationOptions.js.map +1 -0
- package/dist/{assertion/verifyAssertionResponse.d.ts → authentication/verifyAuthenticationResponse.d.ts} +12 -12
- package/dist/{assertion/verifyAssertionResponse.js → authentication/verifyAuthenticationResponse.js} +13 -12
- package/dist/authentication/verifyAuthenticationResponse.js.map +1 -0
- package/dist/helpers/convertAAGUIDToString.js +1 -1
- package/dist/helpers/convertAAGUIDToString.js.map +1 -1
- package/dist/helpers/convertCertBufferToPEM.d.ts +6 -0
- package/dist/helpers/{convertX509CertToPEM.js → convertCertBufferToPEM.js} +4 -4
- package/dist/helpers/convertCertBufferToPEM.js.map +1 -0
- package/dist/helpers/decodeAttestationObject.d.ts +2 -10
- package/dist/helpers/decodeAttestationObject.js +0 -11
- package/dist/helpers/decodeAttestationObject.js.map +1 -1
- package/dist/helpers/decodeClientDataJSON.d.ts +1 -2
- package/dist/helpers/index.d.ts +23 -0
- package/dist/helpers/index.js +39 -0
- package/dist/helpers/index.js.map +1 -0
- package/dist/helpers/isCertRevoked.js +4 -2
- package/dist/helpers/isCertRevoked.js.map +1 -1
- package/dist/helpers/logging.d.ts +16 -0
- package/dist/helpers/logging.js +27 -0
- package/dist/helpers/logging.js.map +1 -0
- package/dist/helpers/parseAuthenticatorData.js +13 -18
- package/dist/helpers/parseAuthenticatorData.js.map +1 -1
- package/dist/helpers/validateCertificatePath.d.ts +2 -1
- package/dist/helpers/validateCertificatePath.js +43 -4
- package/dist/helpers/validateCertificatePath.js.map +1 -1
- package/dist/index.d.ts +13 -11
- package/dist/index.js +12 -10
- package/dist/index.js.map +1 -1
- package/dist/metadata/mdsTypes.d.ts +207 -0
- package/dist/metadata/mdsTypes.js +3 -0
- package/dist/metadata/mdsTypes.js.map +1 -0
- package/dist/metadata/verifyAttestationWithMetadata.d.ts +5 -1
- package/dist/metadata/verifyAttestationWithMetadata.js +61 -27
- package/dist/metadata/verifyAttestationWithMetadata.js.map +1 -1
- package/dist/{attestation/generateAttestationOptions.d.ts → registration/generateRegistrationOptions.d.ts} +2 -2
- package/dist/{attestation/generateAttestationOptions.js → registration/generateRegistrationOptions.js} +3 -3
- package/dist/registration/generateRegistrationOptions.js.map +1 -0
- package/dist/{attestation → registration}/verifications/tpm/constants.d.ts +0 -0
- package/dist/{attestation → registration}/verifications/tpm/constants.js +0 -0
- package/dist/registration/verifications/tpm/constants.js.map +1 -0
- package/dist/{attestation → registration}/verifications/tpm/parseCertInfo.d.ts +0 -0
- package/dist/registration/verifications/tpm/parseCertInfo.js +53 -0
- package/dist/registration/verifications/tpm/parseCertInfo.js.map +1 -0
- package/dist/{attestation → registration}/verifications/tpm/parsePubArea.d.ts +0 -0
- package/dist/{attestation → registration}/verifications/tpm/parsePubArea.js +10 -19
- package/dist/registration/verifications/tpm/parsePubArea.js.map +1 -0
- package/dist/registration/verifications/tpm/verifyTPM.d.ts +2 -0
- package/dist/{attestation → registration}/verifications/tpm/verifyTPM.js +14 -4
- package/dist/registration/verifications/tpm/verifyTPM.js.map +1 -0
- package/dist/registration/verifications/verifyAndroidKey.d.ts +5 -0
- package/dist/{attestation → registration}/verifications/verifyAndroidKey.js +17 -12
- package/dist/registration/verifications/verifyAndroidKey.js.map +1 -0
- package/dist/registration/verifications/verifyAndroidSafetyNet.d.ts +5 -0
- package/dist/{attestation → registration}/verifications/verifyAndroidSafetyNet.js +6 -27
- package/dist/registration/verifications/verifyAndroidSafetyNet.js.map +1 -0
- package/dist/registration/verifications/verifyApple.d.ts +2 -0
- package/dist/{attestation → registration}/verifications/verifyApple.js +3 -26
- package/dist/registration/verifications/verifyApple.js.map +1 -0
- package/dist/registration/verifications/verifyFIDOU2F.d.ts +5 -0
- package/dist/{attestation → registration}/verifications/verifyFIDOU2F.js +12 -4
- package/dist/registration/verifications/verifyFIDOU2F.js.map +1 -0
- package/dist/registration/verifications/verifyPacked.d.ts +5 -0
- package/dist/{attestation → registration}/verifications/verifyPacked.js +15 -7
- package/dist/registration/verifications/verifyPacked.js.map +1 -0
- package/dist/registration/verifyRegistrationResponse.d.ts +71 -0
- package/dist/{attestation/verifyAttestationResponse.js → registration/verifyRegistrationResponse.js} +56 -92
- package/dist/registration/verifyRegistrationResponse.js.map +1 -0
- package/dist/services/defaultRootCerts/android-key.d.ts +24 -0
- package/dist/services/defaultRootCerts/android-key.js +89 -0
- package/dist/services/defaultRootCerts/android-key.js.map +1 -0
- package/dist/services/defaultRootCerts/android-safetynet.d.ts +22 -0
- package/dist/services/defaultRootCerts/android-safetynet.js +69 -0
- package/dist/services/defaultRootCerts/android-safetynet.js.map +1 -0
- package/dist/services/defaultRootCerts/apple.d.ts +11 -0
- package/dist/services/defaultRootCerts/apple.js +29 -0
- package/dist/services/defaultRootCerts/apple.js.map +1 -0
- package/dist/services/defaultRootCerts/mds.d.ts +11 -0
- package/dist/services/defaultRootCerts/mds.js +36 -0
- package/dist/services/defaultRootCerts/mds.js.map +1 -0
- package/dist/services/metadataService.d.ts +54 -0
- package/dist/{metadata → services}/metadataService.js +90 -109
- package/dist/services/metadataService.js.map +1 -0
- package/dist/services/settingsService.d.ts +26 -0
- package/dist/services/settingsService.js +63 -0
- package/dist/services/settingsService.js.map +1 -0
- package/package.json +28 -12
- package/.env +0 -2
- package/dist/assertion/generateAssertionOptions.js.map +0 -1
- package/dist/assertion/verifyAssertionResponse.js.map +0 -1
- package/dist/attestation/generateAttestationOptions.js.map +0 -1
- package/dist/attestation/verifications/tpm/constants.js.map +0 -1
- package/dist/attestation/verifications/tpm/parseCertInfo.js +0 -65
- package/dist/attestation/verifications/tpm/parseCertInfo.js.map +0 -1
- package/dist/attestation/verifications/tpm/parsePubArea.js.map +0 -1
- package/dist/attestation/verifications/tpm/verifyTPM.d.ts +0 -11
- package/dist/attestation/verifications/tpm/verifyTPM.js.map +0 -1
- package/dist/attestation/verifications/verifyAndroidKey.d.ts +0 -11
- package/dist/attestation/verifications/verifyAndroidKey.js.map +0 -1
- package/dist/attestation/verifications/verifyAndroidSafetyNet.d.ts +0 -14
- package/dist/attestation/verifications/verifyAndroidSafetyNet.js.map +0 -1
- package/dist/attestation/verifications/verifyApple.d.ts +0 -10
- package/dist/attestation/verifications/verifyApple.js.map +0 -1
- package/dist/attestation/verifications/verifyFIDOU2F.d.ts +0 -15
- package/dist/attestation/verifications/verifyFIDOU2F.js.map +0 -1
- package/dist/attestation/verifications/verifyPacked.d.ts +0 -14
- package/dist/attestation/verifications/verifyPacked.js.map +0 -1
- package/dist/attestation/verifyAttestationResponse.d.ts +0 -56
- package/dist/attestation/verifyAttestationResponse.js.map +0 -1
- package/dist/helpers/constants.d.ts +0 -30
- package/dist/helpers/constants.js +0 -52
- package/dist/helpers/constants.js.map +0 -1
- package/dist/helpers/convertX509CertToPEM.d.ts +0 -6
- package/dist/helpers/convertX509CertToPEM.js.map +0 -1
- package/dist/metadata/metadataService.d.ts +0 -75
- package/dist/metadata/metadataService.js.map +0 -1
|
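--- a/package/dist/attestation/verifications/tpm/verifyTPM.js
+++ b/package/dist/registration/verifications/tpm/verifyTPM.js
@@ -8,17 +8,18 @@ const asn1_x509_1 = require("@peculiar/asn1-x509");
 const decodeCredentialPublicKey_1 = __importDefault(require("../../../helpers/decodeCredentialPublicKey"));
 const convertCOSEtoPKCS_1 = require("../../../helpers/convertCOSEtoPKCS");
 const toHash_1 = __importDefault(require("../../../helpers/toHash"));
-const
+const convertCertBufferToPEM_1 = __importDefault(require("../../../helpers/convertCertBufferToPEM"));
+const validateCertificatePath_1 = __importDefault(require("../../../helpers/validateCertificatePath"));
 const getCertificateInfo_1 = __importDefault(require("../../../helpers/getCertificateInfo"));
 const verifySignature_1 = __importDefault(require("../../../helpers/verifySignature"));
-const metadataService_1 = __importDefault(require("../../../
+const metadataService_1 = __importDefault(require("../../../services/metadataService"));
 const verifyAttestationWithMetadata_1 = __importDefault(require("../../../metadata/verifyAttestationWithMetadata"));
 const constants_1 = require("./constants");
 const parseCertInfo_1 = __importDefault(require("./parseCertInfo"));
 const parsePubArea_1 = __importDefault(require("./parsePubArea"));
 async function verifyTPM(options) {
 var _a;
-const { aaguid, attStmt, authData, credentialPublicKey, clientDataHash } = options;
+const { aaguid, attStmt, authData, credentialPublicKey, clientDataHash, rootCertificates } = options;
 const { ver, sig, alg, x5c, pubArea, certInfo } = attStmt;
 /**
 * Verify structures
@@ -211,9 +212,18 @@ async function verifyTPM(options) {
 throw new Error(`${err.message} (TPM)`);
 }
 }
+else {
+try {
+// Try validating the certificate path using the root certificates set via SettingsService
+await validateCertificatePath_1.default(x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
+}
+catch (err) {
+throw new Error(`${err.message} (TPM)`);
+}
+}
 // Verify signature over certInfo with the public key extracted from AIK certificate.
 // In the wise words of Yuriy Ackermann: "Get Martini friend, you are done!"
-const leafCertPEM =
+const leafCertPEM = convertCertBufferToPEM_1.default(x5c[0]);
 return verifySignature_1.default(sig, certInfo, leafCertPEM, hashAlg);
 }
 exports.default = verifyTPM;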
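Review bot: The new `else` branch at lines 215-223 hands `rootCertificates` to validateCertificatePath_1 without checking that it is a non-empty array, so when SettingsService yields no roots for this format, whether the chain check fails closed depends entirely on validateCertificatePath (changed in this release but not visible here). For an attestation verifier the safe default is to reject explicitly before the `try`: `if (!rootCertificates || rootCertificates.length === 0) throw new Error('No root certificates configured for certificate path validation (TPM)');`. The same pattern is repeated in verifyAndroidKey.js (new lines 87-95) and verifyAndroidSafetyNet.js (new lines 85-86). verifyTPM's body between the two hunks, including whatever structural checks it makes on `x5c`, lies outside this view.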
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verifyTPM.js","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/verifyTPM.ts"],"names":[],"mappings":";;;;;AAAA,uDAAkD;AAClD,mDAO6B;AAI7B,2GAAmF;AACnF,0EAA2E;AAC3E,qEAA6C;AAC7C,qGAA6E;AAC7E,uGAA+E;AAC/E,6FAAqE;AACrE,uFAA+D;AAC/D,wFAAgE;AAChE,oHAA4F;AAE5F,2CAA+D;AAC/D,oEAA4C;AAC5C,kEAA0C;AAE3B,KAAK,UAAU,SAAS,CAAC,OAAsC;;IAC5E,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,mBAAmB,EAAE,cAAc,EAAE,gBAAgB,EAAE,GACxF,OAAO,CAAC;IACV,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAE1D;;OAEG;IACH,IAAI,GAAG,KAAK,KAAK,EAAE;QACjB,MAAM,IAAI,KAAK,CAAC,mBAAmB,GAAG,yBAAyB,CAAC,CAAC;KAClE;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;KACpE;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;KACvF;IAED,IAAI,CAAC,OAAO,EAAE;QACZ,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;KACxE;IAED,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;KACzE;IAED,MAAM,aAAa,GAAG,sBAAY,CAAC,OAAO,CAAC,CAAC;IAC5C,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,aAAa,CAAC;IAE5D,yFAAyF;IACzF,2FAA2F;IAC3F,MAAM,aAAa,GAAG,mCAAyB,CAAC,mBAAmB,CAAC,CAAC;IAErE,IAAI,OAAO,KAAK,aAAa,EAAE;QAC7B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CAAC;QAExC,IAAI,CAAC,CAAC,EAAE;YACN,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;SACxD;QACD,IAAI,CAAC,CAAC,EAAE;YACN,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;SACxD;QAED,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAW,CAAC,EAAE;YAC/B,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;SAChF;QAED,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE;YACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;SACrF;QAED,MAAM,OAAO,GAAG,CAAW,CAAC;QAC5B,8FAA8F;QAC9F,MAAM,eAAe,GAAG,UAAU,CAAC,GAAG,CAAC,QAAQ,IAAI,KAAK,CAAC;QAEzD,4CAA4C;QAC5C,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAEjE,IAAI,eAAe,KAAK,IAAI,EAAE;YAC5B,M
AAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,cAAc,eAAe,YAAY,CAAC,CAAC;SAC7F;KACF;SAAM,IAAI,OAAO,KAAK,aAAa,EAAE;QACpC;;;WAGG;QACH,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CAAC;QAExC,IAAI,CAAC,GAAG,EAAE;YACR,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;SAC1D;QACD,IAAI,CAAC,CAAC,EAAE;YACN,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;SACxD;QACD,IAAI,CAAC,CAAC,EAAE;YACN,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;SACxD;QAED,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAW,EAAE,CAAW,CAAC,CAAC,CAAC,EAAE;YAC7D,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;SAC/E;QAED,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE;YACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;SACrF;QAED,MAAM,cAAc,GAAG,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC;QAC9C,MAAM,aAAa,GAAG,yBAAa,CAAE,GAAc,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;QACrE,IAAI,cAAc,KAAK,aAAa,EAAE;YACpC,MAAM,IAAI,KAAK,CACb,mCAAmC,aAAa,gBAAgB,cAAc,aAAa,CAC5F,CAAC;SACH;KACF;SAAM;QACL,MAAM,IAAI,KAAK,CAAC,6BAA6B,OAAO,GAAG,CAAC,CAAC;KAC1D;IAED,MAAM,cAAc,GAAG,uBAAa,CAAC,QAAQ,CAAC,CAAC;IAC/C,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,cAAc,CAAC;IAEtE,IAAI,KAAK,KAAK,UAAU,EAAE;QACxB,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,gCAAgC,CAAC,CAAC;KACnF;IAED,IAAI,QAAQ,KAAK,uBAAuB,EAAE;QACxC,MAAM,IAAI,KAAK,CAAC,oBAAoB,QAAQ,2CAA2C,CAAC,CAAC;KAC1F;IAED,mEAAmE;IACnE,MAAM,WAAW,GAAG,gBAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC;IAE9E,uEAAuE;IACvE,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC,CAAC;IAE1E,+DAA+D;IAC/D,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE;QACvC,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;KAC1D;IAED,mEAAmE;IACnE,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAEhE,8FAA8F;IAC9F,MAAM,OAAO,GAAW,+BAAW,CAAC,GAAa,CAAC,CAAC;IACnD,MAAM,iBAAiB,GAAG,gBAAM,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;IAEzD,gEAAgE;IAChE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE;QACxC,MAAM,IAAI,KAAK,CAAC,4DA
A4D,CAAC,CAAC;KAC/E;IAED;;OAEG;IACH,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE;QAClB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;KAC/D;IAED,6DAA6D;IAC7D,MAAM,YAAY,GAAG,4BAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,MAAM,EAAE,kBAAkB,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,YAAY,CAAC;IAEnF,IAAI,kBAAkB,EAAE;QACtB,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;KAC3E;IAED,mEAAmE;IACnE,IAAI,OAAO,KAAK,CAAC,EAAE;QACjB,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;KAC7E;IAED,wCAAwC;IACxC,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE;QACnC,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;KAC5D;IAED,4CAA4C;IAC5C,IAAI,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACrB,IAAI,SAAS,GAAG,GAAG,EAAE;QACnB,MAAM,IAAI,KAAK,CAAC,gCAAgC,SAAS,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;KAChF;IAED,yCAAyC;IACzC,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACjB,IAAI,QAAQ,GAAG,GAAG,EAAE;QAClB,MAAM,IAAI,KAAK,CAAC,+BAA+B,QAAQ,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;KAC9E;IAED;;OAEG;IACH,MAAM,UAAU,GAAG,uBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,uBAAW,CAAC,CAAC;IAExD,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,UAAU,EAAE;QACzC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;KAC7D;IAED,IAAI,qBAAyD,CAAC;IAC9D,IAAI,WAAyC,CAAC;IAC9C,UAAU,CAAC,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE;QACjD,IAAI,GAAG,CAAC,MAAM,KAAK,gCAAoB,EAAE;YACvC,qBAAqB,GAAG,uBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,kCAAsB,CAAC,CAAC;SAChF;aAAM,IAAI,GAAG,CAAC,MAAM,KAAK,6BAAiB,EAAE;YAC3C,WAAW,GAAG,uBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,4BAAgB,CAAC,CAAC;SAChE;IACH,CAAC,CAAC,CAAC;IAEH,wEAAwE;IACxE,IAAI,CAAC,qBAAqB,EAAE;QAC1B,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;KAC/E;IAED,6FAA6F;IAC7F,SAAS;IACT,IAAI,CAAC,CAAA,MAAA,qBAAqB,CAAC,CAAC,CAAC,CAAC,aAAa,0CAAG,CAAC,EAAE,MAAM,CAAA,EAAE;QACvD,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;KACvF;IAED,MAAM,EAAE,oBAAoB,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,iBAAiB,CAChF,qBAAqB,CAAC,CAAC,CAAC,CAAC,aAAa,CACvC,CAAC;IAEF,IAAI,CAAC,oBAAoB,IAAI,CAAC,aAAa,IAAI,CAAC,eAAe,EAAE;QAC/D,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;KAC/E;IAED,IAAI,CAAC,WAAW,EAAE;QAChB,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;KACjF;IAED,yFAAyF;IACzF,IAAI,
CAAC,6BAAiB,CAAC,oBAAoB,CAAC,EAAE;QAC5C,MAAM,IAAI,KAAK,CAAC,qCAAqC,oBAAoB,SAAS,CAAC,CAAC;KACrF;IAED,wFAAwF;IACxF,4CAA4C;IAC5C,IAAI,WAAW,CAAC,CAAC,CAAC,KAAK,cAAc,EAAE;QACrC,MAAM,IAAI,KAAK,CAAC,2BAA2B,WAAW,CAAC,CAAC,CAAC,kCAAkC,CAAC,CAAC;KAC9F;IAED,gGAAgG;IAChG,4DAA4D;IAE5D,wEAAwE;IACxE,MAAM,SAAS,GAAG,MAAM,yBAAe,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC7D,IAAI,SAAS,EAAE;QACb,IAAI;YACF,MAAM,uCAA6B,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;SAC1D;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,CAAC,OAAO,QAAQ,CAAC,CAAC;SACzC;KACF;SAAM;QACL,IAAI;YACF,0FAA0F;YAC1F,MAAM,iCAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,gCAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;SAClF;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,CAAC,OAAO,QAAQ,CAAC,CAAC;SACzC;KACF;IAED,qFAAqF;IACrF,4EAA4E;IAC5E,MAAM,WAAW,GAAG,gCAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACnD,OAAO,yBAAe,CAAC,GAAG,EAAE,QAAQ,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;AAC9D,CAAC;AA9PD,4BA8PC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,IAAU;IAKnC,MAAM,eAAe,GAAG,cAAc,CAAC;IACvC,MAAM,QAAQ,GAAG,cAAc,CAAC;IAChC,MAAM,UAAU,GAAG,cAAc,CAAC;IAElC,IAAI,oBAAwC,CAAC;IAC7C,IAAI,aAAiC,CAAC;IACtC,IAAI,eAAmC,CAAC;IAExC;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACH,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE;QACrB,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE;YACrB,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE;gBACjC,oBAAoB,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;aAC9C;iBAAM,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE;gBACjC,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;aACvC;iBAAM,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,EAAE;gBACnC,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;aACzC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,oBAAoB;QACpB,aAAa;QACb,eAAe;KAChB,CAAC;AACJ,CAAC"}
|
|
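--- a/package/dist/attestation/verifications/verifyAndroidKey.js
+++ b/package/dist/registration/verifications/verifyAndroidKey.js
@@ -25,14 +25,18 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const asn1_schema_1 = require("@peculiar/asn1-schema");
 const asn1_x509_1 = require("@peculiar/asn1-x509");
 const asn1_android_1 = require("@peculiar/asn1-android");
-const
+const convertCertBufferToPEM_1 = __importDefault(require("../../helpers/convertCertBufferToPEM"));
+const validateCertificatePath_1 = __importDefault(require("../../helpers/validateCertificatePath"));
 const verifySignature_1 = __importDefault(require("../../helpers/verifySignature"));
 const convertCOSEtoPKCS_1 = __importStar(require("../../helpers/convertCOSEtoPKCS"));
-const metadataService_1 = __importDefault(require("../../
+const metadataService_1 = __importDefault(require("../../services/metadataService"));
 const verifyAttestationWithMetadata_1 = __importDefault(require("../../metadata/verifyAttestationWithMetadata"));
+/**
+* Verify an attestation response with fmt 'android-key'
+*/
 async function verifyAttestationAndroidKey(options) {
 var _a;
-const { authData, clientDataHash, attStmt, credentialPublicKey, aaguid } = options;
+const { authData, clientDataHash, attStmt, credentialPublicKey, aaguid, rootCertificates } = options;
 const { x5c, sig, alg } = attStmt;
 if (!x5c) {
 throw new Error('No attestation certificate provided in attestation statement (AndroidKey)');
@@ -71,12 +75,6 @@ async function verifyAttestationAndroidKey(options) {
 if (softwareEnforced.allApplications !== undefined) {
 throw new Error('teeEnforced contained "allApplications [600]" tag (AndroidKey)');
 }
-// TODO: Confirm that the root certificate is an expected certificate
-// const rootCertPEM = convertX509CertToPEM(x5c[x5c.length - 1]);
-// console.log(rootCertPEM);
-// if (rootCertPEM !== expectedRootCert) {
-// throw new Error('Root certificate was not expected certificate (AndroidKey)');
-// }
 const statement = await metadataService_1.default.getStatement(aaguid);
 if (statement) {
 try {
@@ -86,12 +84,19 @@ async function verifyAttestationAndroidKey(options) {
 throw new Error(`${err.message} (AndroidKey)`);
 }
 }
+else {
+try {
+// Try validating the certificate path using the root certificates set via SettingsService
+await validateCertificatePath_1.default(x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
+}
+catch (err) {
+throw new Error(`${err.message} (AndroidKey)`);
+}
+}
 const signatureBase = Buffer.concat([authData, clientDataHash]);
-const leafCertPEM =
+const leafCertPEM = convertCertBufferToPEM_1.default(x5c[0]);
 const hashAlg = convertCOSEtoPKCS_1.COSEALGHASH[alg];
 return verifySignature_1.default(sig, signatureBase, leafCertPEM, hashAlg);
 }
 exports.default = verifyAttestationAndroidKey;
-// TODO: Find the most up-to-date expected root cert, the one from Yuriy's article doesn't match
-const expectedRootCert = ``;
 //# sourceMappingURL=verifyAndroidKey.js.map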
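Review bot: The doc comment added at new lines 34-36 names only the format; it should also state the trust decision this function now makes, since the removed TODO at old lines 74-79 was the only hint that root validation had been an open item. Suggested addition to that comment: one sentence saying the `x5c` chain is validated against `rootCertificates` only when no metadata statement is found for `aaguid`, and that the metadata path is otherwise responsible for the chain check (the body of the `if (statement)` branch is outside this hunk, so that second part should be confirmed). In both branches `throw new Error(\`${err.message} (AndroidKey)\`)` keeps only the message and discards the original error object and its stack, which is worth knowing when a chain failure has to be diagnosed. The function's remaining lines between the hunks are not shown here.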
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verifyAndroidKey.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAndroidKey.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,uDAAkD;AAClD,mDAAkD;AAClD,yDAA8E;AAI9E,kGAA0E;AAC1E,oGAA4E;AAC5E,oFAA4D;AAC5D,qFAAiF;AACjF,qFAA6D;AAC7D,iHAAyF;AAEzF;;GAEG;AACY,KAAK,UAAU,2BAA2B,CACvD,OAAsC;;IAEtC,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,mBAAmB,EAAE,MAAM,EAAE,gBAAgB,EAAE,GACxF,OAAO,CAAC;IACV,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAElC,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,2EAA2E,CAAC,CAAC;KAC9F;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAC;KAC5F;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;KAC3E;IAED,uFAAuF;IACvF,kDAAkD;IAClD,MAAM,UAAU,GAAG,uBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,uBAAW,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAClC,UAAU,CAAC,cAAc,CAAC,oBAAoB,CAAC,gBAAgB,CAChE,CAAC;IAEF,0CAA0C;IAC1C,MAAM,cAAc,GAAG,2BAAiB,CAAC,mBAAmB,CAAC,CAAC;IAE9D,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE;QAC5C,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;KAC3F;IAED,4DAA4D;IAC5D,MAAM,WAAW,GAAG,MAAA,UAAU,CAAC,cAAc,CAAC,UAAU,0CAAE,IAAI,CAC5D,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,MAAM,KAAK,mCAAoB,CAC3C,CAAC;IAEF,IAAI,CAAC,WAAW,EAAE;QAChB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;KACzE;IAED,MAAM,iBAAiB,GAAG,uBAAS,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,EAAE,6BAAc,CAAC,CAAC;IAEjF,4BAA4B;IAC5B,MAAM,EAAE,oBAAoB,EAAE,WAAW,EAAE,gBAAgB,EAAE,GAAG,iBAAiB,CAAC;IAElF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE;QACpE,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;KACzF;IAED,4FAA4F;IAC5F,aAAa;IACb,IAAI,WAAW,CAAC,eAAe,KAAK,SAAS,EAAE;QAC7C,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;KACnF;IAED,IAAI,gBAAgB,CAAC,eAAe,KAAK,SAAS,EAAE;QAClD,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;KACnF;IAED,MAAM,SAAS,GAAG,MAAM,yBAAe,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC7D,IAAI,SAAS,EAAE;QACb,IAAI;YACF,MAAM,uCAA6B,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;SAC1D;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,KAAK,CAAC,GAAG,
GAAG,CAAC,OAAO,eAAe,CAAC,CAAC;SAChD;KACF;SAAM;QACL,IAAI;YACF,0FAA0F;YAC1F,MAAM,iCAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,gCAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;SAClF;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,CAAC,OAAO,eAAe,CAAC,CAAC;SAChD;KACF;IAED,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAChE,MAAM,WAAW,GAAG,gCAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACnD,MAAM,OAAO,GAAG,+BAAW,CAAC,GAAa,CAAC,CAAC;IAE3C,OAAO,yBAAe,CAAC,GAAG,EAAE,aAAa,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;AACnE,CAAC;AAlFD,8CAkFC"}
|
|
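--- a/package/dist/registration/verifications/verifyAndroidSafetyNet.d.ts
+++ b/package/dist/registration/verifications/verifyAndroidSafetyNet.d.ts
@@ -0,0 +1,5 @@
+import type { AttestationFormatVerifierOpts } from '../verifyRegistrationResponse';
+/**
+* Verify an attestation response with fmt 'android-safetynet'
+*/
+export default function verifyAttestationAndroidSafetyNet(options: AttestationFormatVerifierOpts): Promise<boolean>;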
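--- a/package/dist/attestation/verifications/verifyAndroidSafetyNet.js
+++ b/package/dist/registration/verifications/verifyAndroidSafetyNet.js
@@ -8,14 +8,14 @@ const toHash_1 = __importDefault(require("../../helpers/toHash"));
 const verifySignature_1 = __importDefault(require("../../helpers/verifySignature"));
 const getCertificateInfo_1 = __importDefault(require("../../helpers/getCertificateInfo"));
 const validateCertificatePath_1 = __importDefault(require("../../helpers/validateCertificatePath"));
-const
-const metadataService_1 = __importDefault(require("../../
+const convertCertBufferToPEM_1 = __importDefault(require("../../helpers/convertCertBufferToPEM"));
+const metadataService_1 = __importDefault(require("../../services/metadataService"));
 const verifyAttestationWithMetadata_1 = __importDefault(require("../../metadata/verifyAttestationWithMetadata"));
 /**
 * Verify an attestation response with fmt 'android-safetynet'
 */
 async function verifyAttestationAndroidSafetyNet(options) {
-const { attStmt, clientDataHash, authData, aaguid, verifyTimestampMS = true } = options;
+const { attStmt, clientDataHash, authData, aaguid, rootCertificates, verifyTimestampMS = true, } = options;
 const { response, ver } = attStmt;
 if (!ver) {
 throw new Error('No ver value in attestation (SafetyNet)');
@@ -81,10 +81,9 @@ async function verifyAttestationAndroidSafetyNet(options) {
 }
 }
 else {
-// Validate certificate path using a fixed global root cert
-const path = HEADER.x5c.concat([GlobalSignRootCAR2]).map(convertX509CertToPEM_1.default);
 try {
-
+// Try validating the certificate path using the root certificates set via SettingsService
+await validateCertificatePath_1.default(HEADER.x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
 }
 catch (err) {
 throw new Error(`${err.message} (SafetyNet)`);
@@ -98,7 +97,7 @@ async function verifyAttestationAndroidSafetyNet(options) {
 */
 const signatureBaseBuffer = Buffer.from(`${jwtParts[0]}.${jwtParts[1]}`);
 const signatureBuffer = base64url_1.default.toBuffer(SIGNATURE);
-const leafCertPEM =
+const leafCertPEM = convertCertBufferToPEM_1.default(leafCertBuffer);
 const verified = verifySignature_1.default(signatureBuffer, signatureBaseBuffer, leafCertPEM);
 /**
 * END Verify Signature
@@ -106,24 +105,4 @@ async function verifyAttestationAndroidSafetyNet(options) {
 return verified;
 }
 exports.default = verifyAttestationAndroidSafetyNet;
-/**
-* This "GS Root R2" root certificate was downloaded from https://pki.goog/gsr2/GSR2.crt
-* on 08/10/2019 and then run through `base64url.encode()` to get this representation.
-*
-* The certificate is valid until Dec 15, 2021
-*/
-const GlobalSignRootCAR2 = 'MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4GA1UEC' +
-'xMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhc' +
-'NMDYxMjE1MDgwMDAwWhcNMjExMjE1MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA' +
-'1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKb' +
-'PJA6-Lm8omUVCxKs-IVSbC9N_hHD6ErPLv4dfxn-G07IwXNb9rfF73OX4YJYJkhD10FPe-3t-c4isUoh7SqbKSaZeqKeMW' +
-'hG8eoLrvozps6yWJQeXSpkqBy-0Hne_ig-1AnwblrjFuTosvNYSuetZfeLQBoZfXklqtTleiDTsvHgMCJiEbKjNS7SgfQx' +
-'5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzdC9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ_gk' +
-'wpRl4pazq-r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCBmTAOBgNVHQ8BAf8EBAMCAQY' +
-'wDwYDVR0TAQH_BAUwAwEB_zAdBgNVHQ4EFgQUm-IHV2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0c' +
-'DovL2NybC5nbG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG3lm0mi3f3BmGLjANBgk' +
-'qhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4GsJ0_WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk' +
-'7mpM0sYmsL4h4hO291xNBrBVNpGP-DTKqttVCL1OmLNIG-6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavSot-3i9DAgBkcRcA' +
-'tjOj4LaR0VknFBbVPFd5uRHg5h6h-u_N5GJG79G-dwfCMNYxdAfvDbbnvRG15RjF-Cv6pgsH_76tuIMRQyV-dTZsXjAzlA' +
-'cmgQWpzU_qlULRuJQ_7TBj0_VLZjmmx6BEP3ojY-x1J96relc8geMJgEtslQIxq_H5COEBkEveegeGTLg';
 //# sourceMappingURL=verifyAndroidSafetyNet.js.map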
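Review bot: New line 86 maps `HEADER.x5c` straight into the chain check, and nothing in this hunk establishes that the decoded JWT header actually carried an `x5c` array, so a header with it missing or malformed would surface as a TypeError from `.map` rather than a descriptive verification failure. If the earlier, unseen part of the function does not already guard it, add `if (!Array.isArray(HEADER.x5c) || HEADER.x5c.length === 0) throw new Error('No x5c certificates in JWT header (SafetyNet)');` before the first use of `HEADER.x5c`. Dropping the pinned GlobalSign root (old lines 109-128, which the removed comment dated as expiring Dec 15, 2021) in favour of `rootCertificates` is the right direction; the doc comment at lines 14-16 could say that the default roots now appear to come from the new services/defaultRootCerts/android-safetynet.js in this release. verifyAttestationAndroidSafetyNet starts and ends outside this hunk.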
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verifyAndroidSafetyNet.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAndroidSafetyNet.ts"],"names":[],"mappings":";;;;;AAAA,0DAAkC;AAIlC,kEAA0C;AAC1C,oFAA4D;AAC5D,0FAAkE;AAClE,oGAA4E;AAC5E,kGAA0E;AAC1E,qFAA6D;AAC7D,iHAAyF;AAEzF;;GAEG;AACY,KAAK,UAAU,iCAAiC,CAC7D,OAAsC;IAEtC,MAAM,EACJ,OAAO,EACP,cAAc,EACd,QAAQ,EACR,MAAM,EACN,gBAAgB,EAChB,iBAAiB,GAAG,IAAI,GACzB,GAAG,OAAO,CAAC;IACZ,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAElC,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;KAC5D;IAED,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,0BAA0B;IAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEhC,MAAM,MAAM,GAAuB,IAAI,CAAC,KAAK,CAAC,mBAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAwB,IAAI,CAAC,KAAK,CAAC,mBAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/E,MAAM,SAAS,GAA0B,QAAQ,CAAC,CAAC,CAAC,CAAC;IAErD;;OAEG;IACH,MAAM,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;IAExD,IAAI,iBAAiB,EAAE;QACrB,qCAAqC;QACrC,IAAI,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACrB,IAAI,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE;YAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,WAAW,qBAAqB,GAAG,eAAe,CAAC,CAAC;SAC3F;QAED,+EAA+E;QAC/E,MAAM,kBAAkB,GAAG,WAAW,GAAG,EAAE,GAAG,IAAI,CAAC;QACnD,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACjB,IAAI,kBAAkB,GAAG,GAAG,EAAE;YAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,kBAAkB,2BAA2B,CAAC,CAAC;SACtF;KACF;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAC5D,MAAM,WAAW,GAAG,gBAAM,CAAC,SAAS,CAAC,CAAC;IACtC,MAAM,aAAa,GAAG,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAErD,IAAI,KAAK,KAAK,aAAa,EAAE;QAC3B,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;KAC/D;IAED,IAAI,CAAC,eAAe,EAAE;QACpB,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;KAClE;IACD;;OAEG;IAEH;;OAEG;IACH,MAAM,cAAc,GAAG,mBAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACzD,MAAM,YAAY,GAAG,4BAAkB,CAAC,cAAc,CAAC,CAAC;IAExD,MAAM,EAAE,OAAO,EAAE,GAAG,YAAY,CAAC;IAEjC,
qDAAqD;IACrD,+FAA+F;IAC/F,IAAI,OAAO,CAAC,EAAE,KAAK,oBAAoB,EAAE;QACvC,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,MAAM,SAAS,GAAG,MAAM,yBAAe,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC7D,IAAI,SAAS,EAAE;QACb,IAAI;YACF,6DAA6D;YAC7D,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;YACnD,MAAM,uCAA6B,CAAC,SAAS,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;SACjE;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC;SAC/C;KACF;SAAM;QACL,IAAI;YACF,0FAA0F;YAC1F,MAAM,iCAAuB,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,gCAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;SACzF;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC;SAC/C;KACF;IACD;;OAEG;IAEH;;OAEG;IACH,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACzE,MAAM,eAAe,GAAG,mBAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAEtD,MAAM,WAAW,GAAG,gCAAsB,CAAC,cAAc,CAAC,CAAC;IAC3D,MAAM,QAAQ,GAAG,yBAAe,CAAC,eAAe,EAAE,mBAAmB,EAAE,WAAW,CAAC,CAAC;IACpF;;OAEG;IAEH,OAAO,QAAQ,CAAC;AAClB,CAAC;AAhHD,oDAgHC"}
|
|
@@ -6,11 +6,11 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
6
6
|
const asn1_schema_1 = require("@peculiar/asn1-schema");
|
|
7
7
|
const asn1_x509_1 = require("@peculiar/asn1-x509");
|
|
8
8
|
const validateCertificatePath_1 = __importDefault(require("../../helpers/validateCertificatePath"));
|
|
9
|
-
const
|
|
9
|
+
const convertCertBufferToPEM_1 = __importDefault(require("../../helpers/convertCertBufferToPEM"));
|
|
10
10
|
const toHash_1 = __importDefault(require("../../helpers/toHash"));
|
|
11
11
|
const convertCOSEtoPKCS_1 = __importDefault(require("../../helpers/convertCOSEtoPKCS"));
|
|
12
12
|
async function verifyApple(options) {
|
|
13
|
-
const { attStmt, authData, clientDataHash, credentialPublicKey } = options;
|
|
13
|
+
const { attStmt, authData, clientDataHash, credentialPublicKey, rootCertificates } = options;
|
|
14
14
|
const { x5c } = attStmt;
|
|
15
15
|
if (!x5c) {
|
|
16
16
|
throw new Error('No attestation certificate provided in attestation statement (Apple)');
|
|
@@ -18,10 +18,8 @@ async function verifyApple(options) {
|
|
|
18
18
|
/**
|
|
19
19
|
* Verify certificate path
|
|
20
20
|
*/
|
|
21
|
-
const certPath = x5c.map(convertX509CertToPEM_1.default);
|
|
22
|
-
certPath.push(AppleWebAuthnRootCertificate);
|
|
23
21
|
try {
|
|
24
|
-
await validateCertificatePath_1.default(
|
|
22
|
+
await validateCertificatePath_1.default(x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
|
|
25
23
|
}
|
|
26
24
|
catch (err) {
|
|
27
25
|
throw new Error(`${err.message} (Apple)`);
|
|
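Review bot: Line 22 now anchors the Apple attestation chain to whatever `rootCertificates` the caller supplies, replacing the Apple WebAuthn Root CA that was pinned in this file, but nothing in the hunk checks that the list is non-empty and `validateCertificatePath`'s behaviour on an empty list is not visible here. If SettingsService can end up configured without the Apple root, an attestation that verifies today will either fail or, depending on that helper, be accepted without a trust anchor; the `if (!x5c)` guard at line 15 also lets an empty array through to `x5c.map(...)`. I'd add above line 22: `// Trust anchors come from rootCertificates (SettingsService); the Apple WebAuthn Root CA previously pinned here must be among them`. verifyApple's body continues outside this hunk.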
@@ -62,25 +60,4 @@ async function verifyApple(options) {
|
|
|
62
60
|
return true;
|
|
63
61
|
}
|
|
64
62
|
exports.default = verifyApple;
|
|
65
|
-
/**
|
|
66
|
-
* Apple WebAuthn Root CA PEM
|
|
67
|
-
*
|
|
68
|
-
* Downloaded from https://www.apple.com/certificateauthority/Apple_WebAuthn_Root_CA.pem
|
|
69
|
-
*
|
|
70
|
-
* Valid until 03/14/2045 @ 5:00 PM PST
|
|
71
|
-
*/
|
|
72
|
-
const AppleWebAuthnRootCertificate = `-----BEGIN CERTIFICATE-----
|
|
73
|
-
MIICEjCCAZmgAwIBAgIQaB0BbHo84wIlpQGUKEdXcTAKBggqhkjOPQQDAzBLMR8w
|
|
74
|
-
HQYDVQQDDBZBcHBsZSBXZWJBdXRobiBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJ
|
|
75
|
-
bmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMB4XDTIwMDMxODE4MjEzMloXDTQ1MDMx
|
|
76
|
-
NTAwMDAwMFowSzEfMB0GA1UEAwwWQXBwbGUgV2ViQXV0aG4gUm9vdCBDQTETMBEG
|
|
77
|
-
A1UECgwKQXBwbGUgSW5jLjETMBEGA1UECAwKQ2FsaWZvcm5pYTB2MBAGByqGSM49
|
|
78
|
-
AgEGBSuBBAAiA2IABCJCQ2pTVhzjl4Wo6IhHtMSAzO2cv+H9DQKev3//fG59G11k
|
|
79
|
-
xu9eI0/7o6V5uShBpe1u6l6mS19S1FEh6yGljnZAJ+2GNP1mi/YK2kSXIuTHjxA/
|
|
80
|
-
pcoRf7XkOtO4o1qlcaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJtdk
|
|
81
|
-
2cV4wlpn0afeaxLQG2PxxtcwDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2cA
|
|
82
|
-
MGQCMFrZ+9DsJ1PW9hfNdBywZDsWDbWFp28it1d/5w2RPkRX3Bbn/UbDTNLx7Jr3
|
|
83
|
-
jAGGiQIwHFj+dJZYUJR786osByBelJYsVZd2GbHQu209b5RCmGQ21gpSAk9QZW4B
|
|
84
|
-
1bWeT0vT
|
|
85
|
-
-----END CERTIFICATE-----`;
|
|
86
63
|
//# sourceMappingURL=verifyApple.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verifyApple.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyApple.ts"],"names":[],"mappings":";;;;;AAAA,uDAAkD;AAClD,mDAAkD;AAIlD,oGAA4E;AAC5E,kGAA0E;AAC1E,kEAA0C;AAC1C,wFAAgE;AAEjD,KAAK,UAAU,WAAW,CACvC,OAAsC;IAEtC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,GAAG,OAAO,CAAC;IAC7F,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAExB,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;KACzF;IAED;;OAEG;IACH,IAAI;QACF,MAAM,iCAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,gCAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;KAClF;IAAC,OAAO,GAAG,EAAE;QACZ,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,CAAC,OAAO,UAAU,CAAC,CAAC;KAC3C;IAED;;OAEG;IACH,MAAM,cAAc,GAAG,uBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,uBAAW,CAAC,CAAC;IAC5D,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,GAAG,cAAc,CAAC,cAAc,CAAC;IAE3E,IAAI,CAAC,UAAU,EAAE;QACf,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;KACxD;IAED,MAAM,YAAY,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,MAAM,KAAK,wBAAwB,CAAC,CAAC;IAErF,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;KAChF;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAC9D,MAAM,KAAK,GAAG,gBAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAC5C;;;;;;OAMG;IACH,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAErE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE;QAC3B,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;KAClE;IAED;;OAEG;IACH,MAAM,cAAc,GAAG,2BAAiB,CAAC,mBAAmB,CAAC,CAAC;IAC9D,MAAM,wBAAwB,GAAG,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,gBAAgB,CAAC,CAAC;IAEpF,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,wBAAwB,CAAC,EAAE;QACpD,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AA7DD,8BA6DC"}
|
|
@@ -4,13 +4,14 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
|
4
4
|
};
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
6
|
const convertCOSEtoPKCS_1 = __importDefault(require("../../helpers/convertCOSEtoPKCS"));
|
|
7
|
-
const
|
|
7
|
+
const convertCertBufferToPEM_1 = __importDefault(require("../../helpers/convertCertBufferToPEM"));
|
|
8
|
+
const validateCertificatePath_1 = __importDefault(require("../../helpers/validateCertificatePath"));
|
|
8
9
|
const verifySignature_1 = __importDefault(require("../../helpers/verifySignature"));
|
|
9
10
|
/**
|
|
10
11
|
* Verify an attestation response with fmt 'fido-u2f'
|
|
11
12
|
*/
|
|
12
|
-
function verifyAttestationFIDOU2F(options) {
|
|
13
|
-
const { attStmt, clientDataHash, rpIdHash, credentialID, credentialPublicKey, aaguid = '', } = options;
|
|
13
|
+
async function verifyAttestationFIDOU2F(options) {
|
|
14
|
+
const { attStmt, clientDataHash, rpIdHash, credentialID, credentialPublicKey, aaguid = '', rootCertificates, } = options;
|
|
14
15
|
const reservedByte = Buffer.from([0x00]);
|
|
15
16
|
const publicKey = convertCOSEtoPKCS_1.default(credentialPublicKey);
|
|
16
17
|
const signatureBase = Buffer.concat([
|
|
@@ -32,7 +33,14 @@ function verifyAttestationFIDOU2F(options) {
|
|
|
32
33
|
if (aaguidToHex !== 0x00) {
|
|
33
34
|
throw new Error(`AAGUID "${aaguidToHex}" was not expected value`);
|
|
34
35
|
}
|
|
35
|
-
|
|
36
|
+
try {
|
|
37
|
+
// Try validating the certificate path using the root certificates set via SettingsService
|
|
38
|
+
await validateCertificatePath_1.default(x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
|
|
39
|
+
}
|
|
40
|
+
catch (err) {
|
|
41
|
+
throw new Error(`${err.message} (FIDOU2F)`);
|
|
42
|
+
}
|
|
43
|
+
const leafCertPEM = convertCertBufferToPEM_1.default(x5c[0]);
|
|
36
44
|
return verifySignature_1.default(sig, signatureBase, leafCertPEM);
|
|
37
45
|
}
|
|
38
46
|
exports.default = verifyAttestationFIDOU2F;
|
|
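Review bot: The comment at line 37 reads as best-effort ("Try validating"), but the catch on line 40 rethrows, so from this version on a U2F attestation whose certificate does not chain to the SettingsService roots is rejected outright; the comment should say that, and the same wording appears in verifyPacked.js at line 100. I'd replace it with `// Validate the attestation cert chain against the roots configured via SettingsService; a failure rejects the attestation`. Note also that the function became `async` in the earlier hunk (line 13), so any caller that tests its result without awaiting would see a truthy Promise rather than a boolean — worth confirming at the call sites, which are not in this diff. Line 43 still indexes `x5c[0]`; whether an empty `x5c` array is rejected before this point is not visible in the hunk.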
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verifyFIDOU2F.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyFIDOU2F.ts"],"names":[],"mappings":";;;;;AAEA,wFAAgE;AAChE,kGAA0E;AAC1E,oGAA4E;AAC5E,oFAA4D;AAE5D;;GAEG;AACY,KAAK,UAAU,wBAAwB,CACpD,OAAsC;IAEtC,MAAM,EACJ,OAAO,EACP,cAAc,EACd,QAAQ,EACR,YAAY,EACZ,mBAAmB,EACnB,MAAM,GAAG,EAAE,EACX,gBAAgB,GACjB,GAAG,OAAO,CAAC;IAEZ,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,2BAAiB,CAAC,mBAAmB,CAAC,CAAC;IAEzD,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC;QAClC,YAAY;QACZ,QAAQ;QACR,cAAc;QACd,YAAY;QACZ,SAAS;KACV,CAAC,CAAC;IAEH,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAE7B,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;KAC3F;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;KACzF;IAED,gEAAgE;IAChE,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;IAChE,IAAI,WAAW,KAAK,IAAI,EAAE;QACxB,MAAM,IAAI,KAAK,CAAC,WAAW,WAAW,0BAA0B,CAAC,CAAC;KACnE;IAED,IAAI;QACF,0FAA0F;QAC1F,MAAM,iCAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,gCAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;KAClF;IAAC,OAAO,GAAG,EAAE;QACZ,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,CAAC,OAAO,YAAY,CAAC,CAAC;KAC7C;IAED,MAAM,WAAW,GAAG,gCAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnD,OAAO,yBAAe,CAAC,GAAG,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;AAC1D,CAAC;AAlDD,2CAkDC"}
|
|
@@ -25,19 +25,19 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
25
25
|
const elliptic_1 = __importDefault(require("elliptic"));
|
|
26
26
|
const node_rsa_1 = __importDefault(require("node-rsa"));
|
|
27
27
|
const convertCOSEtoPKCS_1 = __importStar(require("../../helpers/convertCOSEtoPKCS"));
|
|
28
|
-
const constants_1 = require("../../helpers/constants");
|
|
29
28
|
const toHash_1 = __importDefault(require("../../helpers/toHash"));
|
|
30
|
-
const
|
|
29
|
+
const convertCertBufferToPEM_1 = __importDefault(require("../../helpers/convertCertBufferToPEM"));
|
|
30
|
+
const validateCertificatePath_1 = __importDefault(require("../../helpers/validateCertificatePath"));
|
|
31
31
|
const getCertificateInfo_1 = __importDefault(require("../../helpers/getCertificateInfo"));
|
|
32
32
|
const verifySignature_1 = __importDefault(require("../../helpers/verifySignature"));
|
|
33
33
|
const decodeCredentialPublicKey_1 = __importDefault(require("../../helpers/decodeCredentialPublicKey"));
|
|
34
|
-
const metadataService_1 = __importDefault(require("../../
|
|
34
|
+
const metadataService_1 = __importDefault(require("../../services/metadataService"));
|
|
35
35
|
const verifyAttestationWithMetadata_1 = __importDefault(require("../../metadata/verifyAttestationWithMetadata"));
|
|
36
36
|
/**
|
|
37
37
|
* Verify an attestation response with fmt 'packed'
|
|
38
38
|
*/
|
|
39
39
|
async function verifyAttestationPacked(options) {
|
|
40
|
-
const { attStmt, clientDataHash, authData, credentialPublicKey, aaguid } = options;
|
|
40
|
+
const { attStmt, clientDataHash, authData, credentialPublicKey, aaguid, rootCertificates } = options;
|
|
41
41
|
const { sig, x5c, alg } = attStmt;
|
|
42
42
|
if (!sig) {
|
|
43
43
|
throw new Error('No attestation signature provided in attestation statement (Packed)');
|
|
@@ -49,7 +49,7 @@ async function verifyAttestationPacked(options) {
|
|
|
49
49
|
let verified = false;
|
|
50
50
|
const pkcsPublicKey = convertCOSEtoPKCS_1.default(credentialPublicKey);
|
|
51
51
|
if (x5c) {
|
|
52
|
-
const leafCert =
|
|
52
|
+
const leafCert = convertCertBufferToPEM_1.default(x5c[0]);
|
|
53
53
|
const { subject, basicConstraintsCA, version, notBefore, notAfter } = getCertificateInfo_1.default(x5c[0]);
|
|
54
54
|
const { OU, CN, O, C } = subject;
|
|
55
55
|
if (OU !== 'Authenticator Attestation') {
|
|
@@ -85,8 +85,7 @@ async function verifyAttestationPacked(options) {
|
|
|
85
85
|
if (statement) {
|
|
86
86
|
// The presence of x5c means this is a full attestation. Check to see if attestationTypes
|
|
87
87
|
// includes packed attestations.
|
|
88
|
-
if (statement.attestationTypes.indexOf(
|
|
89
|
-
0) {
|
|
88
|
+
if (statement.attestationTypes.indexOf('basic_full') < 0) {
|
|
90
89
|
throw new Error('Metadata does not indicate support for full attestations (Packed|Full)');
|
|
91
90
|
}
|
|
92
91
|
try {
|
|
@@ -96,6 +95,15 @@ async function verifyAttestationPacked(options) {
|
|
|
96
95
|
throw new Error(`${err.message} (Packed|Full)`);
|
|
97
96
|
}
|
|
98
97
|
}
|
|
98
|
+
else {
|
|
99
|
+
try {
|
|
100
|
+
// Try validating the certificate path using the root certificates set via SettingsService
|
|
101
|
+
await validateCertificatePath_1.default(x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
|
|
102
|
+
}
|
|
103
|
+
catch (err) {
|
|
104
|
+
throw new Error(`${err.message} (Packed|Full)`);
|
|
105
|
+
}
|
|
106
|
+
}
|
|
99
107
|
verified = verifySignature_1.default(sig, signatureBase, leafCert);
|
|
100
108
|
}
|
|
101
109
|
else {
|
|
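Review bot: The new catch at line 104 rethrows with the same `(Packed|Full)` suffix as the metadata-path catch at line 95, so a chain that fails against the SettingsService roots is indistinguishable in logs from one that fails metadata verification. A distinct suffix on the new branch, e.g. `throw new Error(`${err.message} (Packed|Full|Roots)`);`, keeps the two failure modes separable when triaging rejected registrations. The `if (x5c)` and `if (statement)` blocks this `else` belongs to both open outside the hunk.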
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verifyPacked.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyPacked.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,wDAAgC;AAChC,wDAA+B;AAI/B,qFAMyC;AACzC,kEAA0C;AAC1C,kGAA0E;AAC1E,oGAA4E;AAC5E,0FAAkE;AAClE,oFAA4D;AAC5D,wGAAgF;AAChF,qFAA6D;AAC7D,iHAAyF;AAEzF;;GAEG;AACY,KAAK,UAAU,uBAAuB,CACnD,OAAsC;IAEtC,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,EAAE,gBAAgB,EAAE,GACxF,OAAO,CAAC;IAEV,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAElC,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;KACxF;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE;QAC3B,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,4BAA4B,CAAC,CAAC;KAChF;IAED,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAEhE,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,MAAM,aAAa,GAAG,2BAAiB,CAAC,mBAAmB,CAAC,CAAC;IAE7D,IAAI,GAAG,EAAE;QACP,MAAM,QAAQ,GAAG,gCAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAChD,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG,4BAAkB,CACtF,GAAG,CAAC,CAAC,CAAC,CACP,CAAC;QAEF,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,OAAO,CAAC;QAEjC,IAAI,EAAE,KAAK,2BAA2B,EAAE;YACtC,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;SACrF;QAED,IAAI,CAAC,EAAE,EAAE;YACP,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;SAC3D;QAED,IAAI,CAAC,CAAC,EAAE;YACN,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;SAC1D;QAED,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE;YACxB,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;SACpF;QAED,IAAI,kBAAkB,EAAE;YACtB,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;SACnF;QAED,IAAI,OAAO,KAAK,CAAC,EAAE;YACjB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;SACrF;QAED,IAAI,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACrB,IAAI,SAAS,GAAG,GAAG,EAAE;YACnB,MAAM,IAAI,KAAK,CAAC,gCAAgC,SAAS,CAAC,QAAQ,EAAE,iBAAiB,CAAC,CAAC;SACxF;QAED,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACjB,IAAI,QAAQ,GAAG,GAAG,EAAE;YAClB,MAAM,IAAI,KAAK,CAAC,+BAA+B,QAAQ,CAAC,QAAQ,EAAE,iBAAiB,CAAC,CAAC;SACtF;QAED,gGAAgG;QAChG,4DAA4D;QAE5D,qFAAqF;QACrF,MAAM,SAAS,GAAG,MAAM,yBAAe,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAC7D,IAAI,SAAS,EAA
E;YACb,yFAAyF;YACzF,gCAAgC;YAChC,IAAI,SAAS,CAAC,gBAAgB,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE;gBACxD,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;aAC3F;YAED,IAAI;gBACF,MAAM,uCAA6B,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;aAC1D;YAAC,OAAO,GAAG,EAAE;gBACZ,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC;aACjD;SACF;aAAM;YACL,IAAI;gBACF,0FAA0F;gBAC1F,MAAM,iCAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,gCAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;aAClF;YAAC,OAAO,GAAG,EAAE;gBACZ,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC;aACjD;SACF;QAED,QAAQ,GAAG,yBAAe,CAAC,GAAG,EAAE,aAAa,EAAE,QAAQ,CAAC,CAAC;KAC1D;SAAM;QACL,MAAM,aAAa,GAAG,mCAAyB,CAAC,mBAAmB,CAAC,CAAC;QAErE,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,GAAG,CAAC,CAAC;QAE5C,IAAI,CAAC,GAAG,EAAE;YACR,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;SAClE;QAED,MAAM,OAAO,GAAW,+BAAW,CAAC,GAAa,CAAC,CAAC;QAEnD,IAAI,GAAG,KAAK,2BAAO,CAAC,GAAG,EAAE;YACvB,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,GAAG,CAAC,CAAC;YAE5C,IAAI,CAAC,GAAG,EAAE;gBACR,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;aACrE;YAED,MAAM,iBAAiB,GAAG,gBAAM,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;YAEzD;;;;;;;;eAQG;YACH,MAAM,EAAE,GAAG,IAAI,kBAAQ,CAAC,EAAE,CAAC,2BAAO,CAAC,GAAa,CAAC,CAAC,CAAC;YACnD,MAAM,GAAG,GAAG,EAAE,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC;YAE5C,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC;SAC/C;aAAM,IAAI,GAAG,KAAK,2BAAO,CAAC,GAAG,EAAE;YAC9B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CAAC;YAExC,IAAI,CAAC,CAAC,EAAE;gBACN,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;aAC/D;YAED,MAAM,aAAa,GAAG,iCAAa,CAAC,GAAa,CAAC,CAAC;YAEnD,0BAA0B;YAC1B,MAAM,GAAG,GAAG,IAAI,kBAAO,EAAE,CAAC;YAC1B,GAAG,CAAC,UAAU,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC;YAClC,GAAG,CAAC,SAAS,CACX;gBACE,CAAC,EAAE,CAAW;gBACd,CAAC,EAAE,KAAK;aACT,EACD,mBAAmB,CACpB,CAAC;YAEF,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;SAC3C;aAAM,IAAI,GAAG,KAAK,2BAAO,CAAC,GAAG,EAAE;YAC9B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CAAC;YAExC,IAAI,CAAC,CAAC,EAAE;gBACN,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;aAC/D;YAED,MAAM,iBAAiB,GAAG,gBAAM,CAA
C,aAAa,EAAE,OAAO,CAAC,CAAC;YAEzD,MAAM,GAAG,GAAG,IAAI,kBAAQ,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAC1C,GAAG,CAAC,aAAa,CAAC,CAAW,CAAC,CAAC;YAE/B,mCAAmC;YACnC,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,iBAAiB,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;SAC9D;KACF;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAlKD,0CAkKC"}
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
/// <reference types="node" />
|
|
2
|
+
import { RegistrationCredentialJSON, COSEAlgorithmIdentifier } from '@simplewebauthn/typescript-types';
|
|
3
|
+
import { AttestationFormat, AttestationStatement } from '../helpers/decodeAttestationObject';
|
|
4
|
+
export declare type VerifyRegistrationResponseOpts = {
|
|
5
|
+
credential: RegistrationCredentialJSON;
|
|
6
|
+
expectedChallenge: string | ChallengeVerifier;
|
|
7
|
+
expectedOrigin: string | string[];
|
|
8
|
+
expectedRPID?: string | string[];
|
|
9
|
+
requireUserVerification?: boolean;
|
|
10
|
+
supportedAlgorithmIDs?: COSEAlgorithmIdentifier[];
|
|
11
|
+
};
|
|
12
|
+
export declare type ChallengeVerifier = (challenge: string) => boolean;
|
|
13
|
+
/**
|
|
14
|
+
* Verify that the user has legitimately completed the registration process
|
|
15
|
+
*
|
|
16
|
+
* **Options:**
|
|
17
|
+
*
|
|
18
|
+
* @param credential Authenticator credential returned by browser's `startAuthentication()`
|
|
19
|
+
* @param expectedChallenge The base64url-encoded `options.challenge` returned by
|
|
20
|
+
* `generateRegistrationOptions()`
|
|
21
|
+
* @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
|
|
22
|
+
* @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
|
|
23
|
+
* @param requireUserVerification (Optional) Enforce user verification by the authenticator
|
|
24
|
+
* (via PIN, fingerprint, etc...)
|
|
25
|
+
* @param supportedAlgorithmIDs Array of numeric COSE algorithm identifiers supported for
|
|
26
|
+
* attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
|
|
27
|
+
*/
|
|
28
|
+
export default function verifyRegistrationResponse(options: VerifyRegistrationResponseOpts): Promise<VerifiedRegistrationResponse>;
|
|
29
|
+
/**
|
|
30
|
+
* Result of registration verification
|
|
31
|
+
*
|
|
32
|
+
* @param verified If the assertion response could be verified
|
|
33
|
+
* @param registrationInfo.fmt Type of attestation
|
|
34
|
+
* @param registrationInfo.counter The number of times the authenticator reported it has been used.
|
|
35
|
+
* Should be kept in a DB for later reference to help prevent replay attacks
|
|
36
|
+
* @param registrationInfo.aaguid Authenticator's Attestation GUID indicating the type of the
|
|
37
|
+
* authenticator
|
|
38
|
+
* @param registrationInfo.credentialPublicKey The credential's public key
|
|
39
|
+
* @param registrationInfo.credentialID The credential's credential ID for the public key above
|
|
40
|
+
* @param registrationInfo.credentialType The type of the credential returned by the browser
|
|
41
|
+
* @param registrationInfo.userVerified Whether the user was uniquely identified during attestation
|
|
42
|
+
* @param registrationInfo.attestationObject The raw `response.attestationObject` Buffer returned by
|
|
43
|
+
* the authenticator
|
|
44
|
+
*/
|
|
45
|
+
export declare type VerifiedRegistrationResponse = {
|
|
46
|
+
verified: boolean;
|
|
47
|
+
registrationInfo?: {
|
|
48
|
+
fmt: AttestationFormat;
|
|
49
|
+
counter: number;
|
|
50
|
+
aaguid: string;
|
|
51
|
+
credentialPublicKey: Buffer;
|
|
52
|
+
credentialID: Buffer;
|
|
53
|
+
credentialType: string;
|
|
54
|
+
userVerified: boolean;
|
|
55
|
+
attestationObject: Buffer;
|
|
56
|
+
};
|
|
57
|
+
};
|
|
58
|
+
/**
|
|
59
|
+
* Values passed to all attestation format verifiers, from which they are free to use as they please
|
|
60
|
+
*/
|
|
61
|
+
export declare type AttestationFormatVerifierOpts = {
|
|
62
|
+
aaguid: Buffer;
|
|
63
|
+
attStmt: AttestationStatement;
|
|
64
|
+
authData: Buffer;
|
|
65
|
+
clientDataHash: Buffer;
|
|
66
|
+
credentialID: Buffer;
|
|
67
|
+
credentialPublicKey: Buffer;
|
|
68
|
+
rootCertificates: string[];
|
|
69
|
+
rpIdHash: Buffer;
|
|
70
|
+
verifyTimestampMS?: boolean;
|
|
71
|
+
};
|
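Review bot: The TSDoc for `verifyRegistrationResponse` at line 18 says the credential comes from the browser's `startAuthentication()`, but this is the registration verifier, so it should reference `startRegistration()`; line 32 likewise still says "assertion response" where "registration response" is meant. Both look like leftovers from the assertion→authentication rename. The new `rootCertificates: string[]` field on `AttestationFormatVerifierOpts` at line 68 has no doc comment even though the verifiers hand it straight to `validateCertificatePath`; a one-liner such as `/** PEM trust anchors (from SettingsService) that attestation cert chains must validate against */` would tell implementers what format is expected — confirm the PEM assumption against validateCertificatePath, which is not in this chunk. `verifyTimestampMS?` at line 70 is similarly undocumented.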