@simplewebauthn/server 5.1.0 → 5.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/authentication/generateAuthenticationOptions.d.ts +2 -2
- package/dist/authentication/generateAuthenticationOptions.js +1 -1
- package/dist/authentication/generateAuthenticationOptions.js.map +1 -1
- package/dist/authentication/verifyAuthenticationResponse.d.ts +8 -1
- package/dist/authentication/verifyAuthenticationResponse.js +13 -9
- package/dist/authentication/verifyAuthenticationResponse.js.map +1 -1
- package/dist/helpers/convertCOSEtoPKCS.js +1 -1
- package/dist/helpers/convertCOSEtoPKCS.js.map +1 -1
- package/dist/helpers/convertPublicKeyToPEM.js +4 -3
- package/dist/helpers/convertPublicKeyToPEM.js.map +1 -1
- package/dist/helpers/decodeCbor.js +10 -2
- package/dist/helpers/decodeCbor.js.map +1 -1
- package/dist/helpers/decodeCredentialPublicKey.js +1 -1
- package/dist/helpers/decodeCredentialPublicKey.js.map +1 -1
- package/dist/helpers/isCertRevoked.js +2 -2
- package/dist/helpers/isCertRevoked.js.map +1 -1
- package/dist/helpers/logging.js +1 -1
- package/dist/helpers/logging.js.map +1 -1
- package/dist/helpers/parseAuthenticatorData.d.ts +2 -0
- package/dist/helpers/parseAuthenticatorData.js +10 -6
- package/dist/helpers/parseAuthenticatorData.js.map +1 -1
- package/dist/helpers/parseBackupFlags.d.ts +16 -0
- package/dist/helpers/parseBackupFlags.js +30 -0
- package/dist/helpers/parseBackupFlags.js.map +1 -0
- package/dist/helpers/validateCertificatePath.js +3 -3
- package/dist/helpers/validateCertificatePath.js.map +1 -1
- package/dist/metadata/verifyAttestationWithMetadata.js +4 -3
- package/dist/metadata/verifyAttestationWithMetadata.js.map +1 -1
- package/dist/registration/generateRegistrationOptions.d.ts +2 -2
- package/dist/registration/generateRegistrationOptions.js +1 -1
- package/dist/registration/generateRegistrationOptions.js.map +1 -1
- package/dist/registration/verifications/tpm/verifyTPM.js +14 -12
- package/dist/registration/verifications/tpm/verifyTPM.js.map +1 -1
- package/dist/registration/verifications/verifyAndroidKey.js +14 -8
- package/dist/registration/verifications/verifyAndroidKey.js.map +1 -1
- package/dist/registration/verifications/verifyAndroidSafetyNet.js +10 -8
- package/dist/registration/verifications/verifyAndroidSafetyNet.js.map +1 -1
- package/dist/registration/verifications/verifyApple.js +5 -4
- package/dist/registration/verifications/verifyApple.js.map +1 -1
- package/dist/registration/verifications/verifyFIDOU2F.js +6 -5
- package/dist/registration/verifications/verifyFIDOU2F.js.map +1 -1
- package/dist/registration/verifications/verifyPacked.js +18 -12
- package/dist/registration/verifications/verifyPacked.js.map +1 -1
- package/dist/registration/verifyRegistrationResponse.d.ts +12 -5
- package/dist/registration/verifyRegistrationResponse.js +20 -16
- package/dist/registration/verifyRegistrationResponse.js.map +1 -1
- package/dist/services/metadataService.js +5 -5
- package/dist/services/metadataService.js.map +1 -1
- package/dist/services/settingsService.js +1 -1
- package/dist/services/settingsService.js.map +1 -1
- package/package.json +6 -6
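--- a/package/dist/registration/verifications/tpm/verifyTPM.js
+++ b/package/dist/registration/verifications/tpm/verifyTPM.js
@@ -42,11 +42,11 @@ async function verifyTPM(options) {
 if (!certInfo) {
 throw new Error('Attestation statement did not contain certInfo (TPM)');
 }
-const parsedPubArea = parsePubArea_1.default(pubArea);
+const parsedPubArea = (0, parsePubArea_1.default)(pubArea);
 const { unique, type: pubType, parameters } = parsedPubArea;
 // Verify that the public key specified by the parameters and unique fields of pubArea is
 // identical to the credentialPublicKey in the attestedCredentialData in authenticatorData.
-const cosePublicKey = decodeCredentialPublicKey_1.default(credentialPublicKey);
+const cosePublicKey = (0, decodeCredentialPublicKey_1.default)(credentialPublicKey);
 if (pubType === 'TPM_ALG_RSA') {
 const n = cosePublicKey.get(convertCOSEtoPKCS_1.COSEKEYS.n);
 const e = cosePublicKey.get(convertCOSEtoPKCS_1.COSEKEYS.e);
@@ -103,7 +103,7 @@ async function verifyTPM(options) {
 else {
 throw new Error(`Unsupported pubArea.type "${pubType}"`);
 }
-const parsedCertInfo = parseCertInfo_1.default(certInfo);
+const parsedCertInfo = (0, parseCertInfo_1.default)(certInfo);
 const { magic, type: certType, attested, extraData } = parsedCertInfo;
 if (magic !== 0xff544347) {
 throw new Error(`Unexpected magic value "${magic}", expected "0xff544347" (TPM)`);
@@ -112,7 +112,7 @@ async function verifyTPM(options) {
 throw new Error(`Unexpected type "${certType}", expected "TPM_ST_ATTEST_CERTIFY" (TPM)`);
 }
 // Hash pubArea to create pubAreaHash using the nameAlg in attested
-const pubAreaHash = toHash_1.default(pubArea, attested.nameAlg.replace('TPM_ALG_', ''));
+const pubAreaHash = (0, toHash_1.default)(pubArea, attested.nameAlg.replace('TPM_ALG_', ''));
 // Concatenate attested.nameAlg and pubAreaHash to create attestedName.
 const attestedName = Buffer.concat([attested.nameAlgBuffer, pubAreaHash]);
 // Check that certInfo.attested.name is equals to attestedName.
@@ -123,7 +123,7 @@ async function verifyTPM(options) {
 const attToBeSigned = Buffer.concat([authData, clientDataHash]);
 // Hash attToBeSigned using the algorithm specified in attStmt.alg to create attToBeSignedHash
 const hashAlg = convertCOSEtoPKCS_1.COSEALGHASH[alg];
-const attToBeSignedHash = toHash_1.default(attToBeSigned, hashAlg);
+const attToBeSignedHash = (0, toHash_1.default)(attToBeSigned, hashAlg);
 // Check that certInfo.extraData is equals to attToBeSignedHash.
 if (!extraData.equals(attToBeSignedHash)) {
 throw new Error('CertInfo extra data did not equal hashed attestation (TPM)');
@@ -135,7 +135,7 @@ async function verifyTPM(options) {
 throw new Error('No certificates present in x5c array (TPM)');
 }
 // Pick a leaf AIK certificate of the x5c array and parse it.
-const leafCertInfo = getCertificateInfo_1.default(x5c[0]);
+const leafCertInfo = (0, getCertificateInfo_1.default)(x5c[0]);
 const { basicConstraintsCA, version, subject, notAfter, notBefore } = leafCertInfo;
 if (basicConstraintsCA) {
 throw new Error('Certificate basic constraints CA was not `false` (TPM)');
@@ -206,25 +206,27 @@ async function verifyTPM(options) {
 const statement = await metadataService_1.default.getStatement(aaguid);
 if (statement) {
 try {
-await verifyAttestationWithMetadata_1.default(statement, credentialPublicKey, x5c);
+await (0, verifyAttestationWithMetadata_1.default)(statement, credentialPublicKey, x5c);
 }
 catch (err) {
-
+const _err = err;
+throw new Error(`${_err.message} (TPM)`);
 }
 }
 else {
 try {
 // Try validating the certificate path using the root certificates set via SettingsService
-await validateCertificatePath_1.default(x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
+await (0, validateCertificatePath_1.default)(x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
 }
 catch (err) {
-
+const _err = err;
+throw new Error(`${_err.message} (TPM)`);
 }
 }
 // Verify signature over certInfo with the public key extracted from AIK certificate.
 // In the wise words of Yuriy Ackermann: "Get Martini friend, you are done!"
-const leafCertPEM = convertCertBufferToPEM_1.default(x5c[0]);
-return verifySignature_1.default(sig, certInfo, leafCertPEM, hashAlg);
+const leafCertPEM = (0, convertCertBufferToPEM_1.default)(x5c[0]);
+return (0, verifySignature_1.default)(sig, certInfo, leafCertPEM, hashAlg);
 }
 exports.default = verifyTPM;
 /**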
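Review bot: The new catch blocks in the `@@ -206,25 +206,27 @@` hunk rethrow `new Error(`${_err.message} (TPM)`)` and discard the original error, so its stack and any `code` are lost, and a thrown non-Error (a string, or `undefined`) produces the message `undefined (TPM)` or a TypeError on `.message` in place of the real failure. Keep the original as the cause and derive the message defensively: `const message = err instanceof Error ? err.message : String(err);` then `throw new Error(`${message} (TPM)`, { cause: err });` — the `cause` option needs Node 16.9+, so it is only appropriate if the package's supported engines allow it. The same rethrow pattern appears in the verifyAndroidKey, verifyAndroidSafetyNet and verifyApple sections below and should be changed alongside. verifyTPM begins before the first hunk and its earlier validation is not visible here.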
@@ -1 +1 @@
1
-
{"version":3,"file":"verifyTPM.js","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/verifyTPM.ts"],"names":[],"mappings":";;;;;AAAA,uDAAkD;AAClD,mDAO6B;AAI7B,2GAAmF;AACnF,0EAA2E;AAC3E,qEAA6C;AAC7C,qGAA6E;AAC7E,uGAA+E;AAC/E,6FAAqE;AACrE,uFAA+D;AAC/D,wFAAgE;AAChE,oHAA4F;AAE5F,2CAA+D;AAC/D,oEAA4C;AAC5C,kEAA0C;AAE3B,KAAK,UAAU,SAAS,CAAC,OAAsC;;IAC5E,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,mBAAmB,EAAE,cAAc,EAAE,gBAAgB,EAAE,GACxF,OAAO,CAAC;IACV,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAE1D;;OAEG;IACH,IAAI,GAAG,KAAK,KAAK,EAAE;QACjB,MAAM,IAAI,KAAK,CAAC,mBAAmB,GAAG,yBAAyB,CAAC,CAAC;KAClE;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;KACpE;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;KACvF;IAED,IAAI,CAAC,OAAO,EAAE;QACZ,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;KACxE;IAED,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;KACzE;IAED,MAAM,aAAa,GAAG,sBAAY,
1
+
{"version":3,"file":"verifyTPM.js","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/verifyTPM.ts"],"names":[],"mappings":";;;;;AAAA,uDAAkD;AAClD,mDAO6B;AAI7B,2GAAmF;AACnF,0EAA2E;AAC3E,qEAA6C;AAC7C,qGAA6E;AAC7E,uGAA+E;AAC/E,6FAAqE;AACrE,uFAA+D;AAC/D,wFAAgE;AAChE,oHAA4F;AAE5F,2CAA+D;AAC/D,oEAA4C;AAC5C,kEAA0C;AAE3B,KAAK,UAAU,SAAS,CAAC,OAAsC;;IAC5E,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,mBAAmB,EAAE,cAAc,EAAE,gBAAgB,EAAE,GACxF,OAAO,CAAC;IACV,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAE1D;;OAEG;IACH,IAAI,GAAG,KAAK,KAAK,EAAE;QACjB,MAAM,IAAI,KAAK,CAAC,mBAAmB,GAAG,yBAAyB,CAAC,CAAC;KAClE;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;KACpE;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;KACvF;IAED,IAAI,CAAC,OAAO,EAAE;QACZ,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;KACxE;IAED,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;KACzE;IAED,MAAM,aAAa,GAAG,IAAA,sBAAY,EAAC,OAAO,CAAC,CAAC;IAC5C,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,aAAa,CAAC;IAE5D,yFAAyF;IACzF,2FAA2F;IAC3F,MAAM,aAAa,GAAG,IAAA,mCAAyB,EAAC,mBAAmB,CAAC,CAAC;IAErE,IAAI,OAAO,KAAK,aAAa,EAAE;QAC7B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CAAC;QAExC,IAAI,CAAC,CAAC,EAAE;YACN,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;SACxD;QACD,IAAI,CAAC,CAAC,EAAE;YACN,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;SACxD;QAED,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAW,CAAC,EAAE;YAC/B,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;SAChF;QAED,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE;YACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;SACrF;QAED,MAAM,OAAO,GAAG,CAAW,CAAC;QAC5B,8FAA8F;QAC9F,MAAM,eAAe,GAAG,UAAU,CAAC,GAAG,CAAC,QAAQ,IAAI,KAAK,CAAC;QAEzD,4CAA4C;QAC5C,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAEjE,IAAI,eAAe,KAAK,IAAI,EA
AE;YAC5B,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,cAAc,eAAe,YAAY,CAAC,CAAC;SAC7F;KACF;SAAM,IAAI,OAAO,KAAK,aAAa,EAAE;QACpC;;;WAGG;QACH,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CAAC;QAExC,IAAI,CAAC,GAAG,EAAE;YACR,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;SAC1D;QACD,IAAI,CAAC,CAAC,EAAE;YACN,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;SACxD;QACD,IAAI,CAAC,CAAC,EAAE;YACN,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;SACxD;QAED,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAW,EAAE,CAAW,CAAC,CAAC,CAAC,EAAE;YAC7D,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;SAC/E;QAED,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE;YACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;SACrF;QAED,MAAM,cAAc,GAAG,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC;QAC9C,MAAM,aAAa,GAAG,yBAAa,CAAE,GAAc,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;QACrE,IAAI,cAAc,KAAK,aAAa,EAAE;YACpC,MAAM,IAAI,KAAK,CACb,mCAAmC,aAAa,gBAAgB,cAAc,aAAa,CAC5F,CAAC;SACH;KACF;SAAM;QACL,MAAM,IAAI,KAAK,CAAC,6BAA6B,OAAO,GAAG,CAAC,CAAC;KAC1D;IAED,MAAM,cAAc,GAAG,IAAA,uBAAa,EAAC,QAAQ,CAAC,CAAC;IAC/C,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,cAAc,CAAC;IAEtE,IAAI,KAAK,KAAK,UAAU,EAAE;QACxB,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,gCAAgC,CAAC,CAAC;KACnF;IAED,IAAI,QAAQ,KAAK,uBAAuB,EAAE;QACxC,MAAM,IAAI,KAAK,CAAC,oBAAoB,QAAQ,2CAA2C,CAAC,CAAC;KAC1F;IAED,mEAAmE;IACnE,MAAM,WAAW,GAAG,IAAA,gBAAM,EAAC,OAAO,EAAE,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC;IAE9E,uEAAuE;IACvE,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC,CAAC;IAE1E,+DAA+D;IAC/D,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE;QACvC,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;KAC1D;IAED,mEAAmE;IACnE,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAEhE,8FAA8F;IAC9F,MAAM,OAAO,GAAW,+BAAW,CAAC,GAAa,CAAC,CAAC;IACnD,MAAM,iBAAiB,GAAG,IAAA,gBAAM,EAAC,aAAa,EAAE,OAAO,CAAC,CAAC;IAEzD,gEAAgE;IAChE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE;QACx
C,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;KAC/E;IAED;;OAEG;IACH,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE;QAClB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;KAC/D;IAED,6DAA6D;IAC7D,MAAM,YAAY,GAAG,IAAA,4BAAkB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,MAAM,EAAE,kBAAkB,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,YAAY,CAAC;IAEnF,IAAI,kBAAkB,EAAE;QACtB,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;KAC3E;IAED,mEAAmE;IACnE,IAAI,OAAO,KAAK,CAAC,EAAE;QACjB,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;KAC7E;IAED,wCAAwC;IACxC,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE;QACnC,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;KAC5D;IAED,4CAA4C;IAC5C,IAAI,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACrB,IAAI,SAAS,GAAG,GAAG,EAAE;QACnB,MAAM,IAAI,KAAK,CAAC,gCAAgC,SAAS,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;KAChF;IAED,yCAAyC;IACzC,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACjB,IAAI,QAAQ,GAAG,GAAG,EAAE;QAClB,MAAM,IAAI,KAAK,CAAC,+BAA+B,QAAQ,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;KAC9E;IAED;;OAEG;IACH,MAAM,UAAU,GAAG,uBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,uBAAW,CAAC,CAAC;IAExD,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,UAAU,EAAE;QACzC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;KAC7D;IAED,IAAI,qBAAyD,CAAC;IAC9D,IAAI,WAAyC,CAAC;IAC9C,UAAU,CAAC,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE;QACjD,IAAI,GAAG,CAAC,MAAM,KAAK,gCAAoB,EAAE;YACvC,qBAAqB,GAAG,uBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,kCAAsB,CAAC,CAAC;SAChF;aAAM,IAAI,GAAG,CAAC,MAAM,KAAK,6BAAiB,EAAE;YAC3C,WAAW,GAAG,uBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,4BAAgB,CAAC,CAAC;SAChE;IACH,CAAC,CAAC,CAAC;IAEH,wEAAwE;IACxE,IAAI,CAAC,qBAAqB,EAAE;QAC1B,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;KAC/E;IAED,6FAA6F;IAC7F,SAAS;IACT,IAAI,CAAC,CAAA,MAAA,qBAAqB,CAAC,CAAC,CAAC,CAAC,aAAa,0CAAG,CAAC,EAAE,MAAM,CAAA,EAAE;QACvD,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;KACvF;IAED,MAAM,EAAE,oBAAoB,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,iBAAiB,CAChF,qBAAqB,CAAC,CAAC,CAAC,CAAC,aAAa,CACvC,CAAC;IAEF,IAAI,CAAC,oBAAoB,IAAI,CAAC,aAAa,IAAI,CAAC,eAAe,EAAE;QAC/D,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;KAC/E;IAED,IAAI,CAAC,WAAW,EAAE;QAChB,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC
;KACjF;IAED,yFAAyF;IACzF,IAAI,CAAC,6BAAiB,CAAC,oBAAoB,CAAC,EAAE;QAC5C,MAAM,IAAI,KAAK,CAAC,qCAAqC,oBAAoB,SAAS,CAAC,CAAC;KACrF;IAED,wFAAwF;IACxF,4CAA4C;IAC5C,IAAI,WAAW,CAAC,CAAC,CAAC,KAAK,cAAc,EAAE;QACrC,MAAM,IAAI,KAAK,CAAC,2BAA2B,WAAW,CAAC,CAAC,CAAC,kCAAkC,CAAC,CAAC;KAC9F;IAED,gGAAgG;IAChG,4DAA4D;IAE5D,wEAAwE;IACxE,MAAM,SAAS,GAAG,MAAM,yBAAe,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC7D,IAAI,SAAS,EAAE;QACb,IAAI;YACF,MAAM,IAAA,uCAA6B,EAAC,SAAS,EAAE,mBAAmB,EAAE,GAAG,CAAC,CAAC;SAC1E;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,GAAG,GAAY,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,QAAQ,CAAC,CAAC;SAC1C;KACF;SAAM;QACL,IAAI;YACF,0FAA0F;YAC1F,MAAM,IAAA,iCAAuB,EAAC,GAAG,CAAC,GAAG,CAAC,gCAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;SAClF;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,GAAG,GAAY,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,QAAQ,CAAC,CAAC;SAC1C;KACF;IAED,qFAAqF;IACrF,4EAA4E;IAC5E,MAAM,WAAW,GAAG,IAAA,gCAAsB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACnD,OAAO,IAAA,yBAAe,EAAC,GAAG,EAAE,QAAQ,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;AAC9D,CAAC;AAhQD,4BAgQC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,IAAU;IAKnC,MAAM,eAAe,GAAG,cAAc,CAAC;IACvC,MAAM,QAAQ,GAAG,cAAc,CAAC;IAChC,MAAM,UAAU,GAAG,cAAc,CAAC;IAElC,IAAI,oBAAwC,CAAC;IAC7C,IAAI,aAAiC,CAAC;IACtC,IAAI,eAAmC,CAAC;IAExC;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACH,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE;QACrB,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE;YACrB,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE;gBACjC,oBAAoB,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;aAC9C;iBAAM,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE;gBACjC,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;aACvC;iBAAM,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,EAAE;gBACnC,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;aACzC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,oBAAoB;QACpB,aAAa;QACb,eAAe;KAChB,CAAC;AACJ,CAAC"}
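--- a/package/dist/registration/verifications/verifyAndroidKey.js
+++ b/package/dist/registration/verifications/verifyAndroidKey.js
@@ -1,7 +1,11 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
 if (k2 === undefined) k2 = k;
-Object.
+var desc = Object.getOwnPropertyDescriptor(m, k);
+if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+desc = { enumerable: true, get: function() { return m[k]; } };
+}
+Object.defineProperty(o, k2, desc);
 }) : (function(o, m, k, k2) {
 if (k2 === undefined) k2 = k;
 o[k2] = m[k];
@@ -52,7 +56,7 @@ async function verifyAttestationAndroidKey(options) {
 const parsedCert = asn1_schema_1.AsnParser.parse(x5c[0], asn1_x509_1.Certificate);
 const parsedCertPubKey = Buffer.from(parsedCert.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey);
 // Convert the credentialPublicKey to PKCS
-const credPubKeyPKCS = convertCOSEtoPKCS_1.default(credentialPublicKey);
+const credPubKeyPKCS = (0, convertCOSEtoPKCS_1.default)(credentialPublicKey);
 if (!credPubKeyPKCS.equals(parsedCertPubKey)) {
 throw new Error('Credential public key does not equal leaf cert public key (AndroidKey)');
 }
@@ -78,25 +82,27 @@ async function verifyAttestationAndroidKey(options) {
 const statement = await metadataService_1.default.getStatement(aaguid);
 if (statement) {
 try {
-await verifyAttestationWithMetadata_1.default(statement, credentialPublicKey, x5c);
+await (0, verifyAttestationWithMetadata_1.default)(statement, credentialPublicKey, x5c);
 }
 catch (err) {
-
+const _err = err;
+throw new Error(`${_err.message} (AndroidKey)`);
 }
 }
 else {
 try {
 // Try validating the certificate path using the root certificates set via SettingsService
-await validateCertificatePath_1.default(x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
+await (0, validateCertificatePath_1.default)(x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
 }
 catch (err) {
-
+const _err = err;
+throw new Error(`${_err.message} (AndroidKey)`);
 }
 }
 const signatureBase = Buffer.concat([authData, clientDataHash]);
-const leafCertPEM = convertCertBufferToPEM_1.default(x5c[0]);
+const leafCertPEM = (0, convertCertBufferToPEM_1.default)(x5c[0]);
 const hashAlg = convertCOSEtoPKCS_1.COSEALGHASH[alg];
-return verifySignature_1.default(sig, signatureBase, leafCertPEM, hashAlg);
+return (0, verifySignature_1.default)(sig, signatureBase, leafCertPEM, hashAlg);
 }
 exports.default = verifyAttestationAndroidKey;
 //# sourceMappingURL=verifyAndroidKey.js.map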
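Review bot: `const hashAlg = convertCOSEtoPKCS_1.COSEALGHASH[alg];` in the `@@ -78,25 +82,27 @@` hunk looks up a value taken from the attestation statement and hands it straight to verifySignature without checking that the lookup hit; unless `alg` is validated against that table earlier in verifyAttestationAndroidKey (outside the hunk), an unknown `alg` passes `undefined` and the signature is checked with whatever hash verifySignature falls back to rather than the one the statement claims. A guard before the call makes the failure explicit and keeps the `(AndroidKey)` tagging consistent: `if (typeof hashAlg !== 'string') { throw new Error(`Unsupported alg "${alg}" (AndroidKey)`); }`. verifyTPM's last hunk does the same lookup, though there toHash also consumes `hashAlg` and would presumably reject `undefined` first. The function starts before the second hunk, so its earlier checks on `alg` are not visible here.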
@@ -1 +1 @@
1
-
{"version":3,"file":"verifyAndroidKey.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAndroidKey.ts"],"names":[],"mappings":"
1
+
{"version":3,"file":"verifyAndroidKey.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAndroidKey.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uDAAkD;AAClD,mDAAkD;AAClD,yDAA8E;AAI9E,kGAA0E;AAC1E,oGAA4E;AAC5E,oFAA4D;AAC5D,qFAAiF;AACjF,qFAA6D;AAC7D,iHAAyF;AAEzF;;GAEG;AACY,KAAK,UAAU,2BAA2B,CACvD,OAAsC;;IAEtC,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,mBAAmB,EAAE,MAAM,EAAE,gBAAgB,EAAE,GACxF,OAAO,CAAC;IACV,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAElC,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,2EAA2E,CAAC,CAAC;KAC9F;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAC;KAC5F;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;KAC3E;IAED,uFAAuF;IACvF,kDAAkD;IAClD,MAAM,UAAU,GAAG,uBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,uBAAW,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAClC,UAAU,CAAC,cAAc,CAAC,oBAAoB,CAAC,gBAAgB,CAChE,CAAC;IAEF,0CAA0C;IAC1C,MAAM,cAAc,GAAG,IAAA,2BAAiB,EAAC,mBAAmB,CAAC,CAAC;IAE9D,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE;QAC5C,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;KAC3F;IAED,4DAA4D;IAC5D,MAAM,WAAW,GAAG,MAAA,UAAU,CAAC,cAAc,CAAC,UAAU,0CAAE,IAAI,CAC5D,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,MAAM,KAAK,mCAAoB,CAC3C,CAAC;IAEF,IAAI,CAAC,WAAW,EAAE;QAChB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;KACzE;IAED,MAAM,iBAAiB,GAAG,uBAAS,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,EAAE,6BAAc,CAAC,CAAC;IAEjF,4BAA4B;IAC5B,MAAM,EAAE,oBAAoB,EAAE,WAAW,EAAE,gBAAgB,EAAE,GAAG,iBAAiB,CAAC;IAElF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE;QACpE,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;KACzF;IAED,4FAA4F;IAC5F,aAAa;IACb,IAAI,WAAW,CAAC,eAAe,KAAK,SAAS,EAAE;QAC7C,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;KACnF;IAED,IAAI,gBAAgB,CAAC,eAAe,KAAK,SAAS,EAAE;QAClD,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;KACnF;IAED,MAAM,SAAS,GAAG,MAAM,yBAAe,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC7D,IAAI,SAAS,EAAE;QACb,IAAI;YACF,MAAM,IAAA,uCAA6B,EAAC,SAAS,EAAE,mBAAmB,EAAE,GAAG,CAAC,CAAC;SAC1E;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI
,GAAG,GAAY,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,eAAe,CAAC,CAAC;SACjD;KACF;SAAM;QACL,IAAI;YACF,0FAA0F;YAC1F,MAAM,IAAA,iCAAuB,EAAC,GAAG,CAAC,GAAG,CAAC,gCAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;SAClF;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,GAAG,GAAY,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,eAAe,CAAC,CAAC;SACjD;KACF;IAED,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAChE,MAAM,WAAW,GAAG,IAAA,gCAAsB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACnD,MAAM,OAAO,GAAG,+BAAW,CAAC,GAAa,CAAC,CAAC;IAE3C,OAAO,IAAA,yBAAe,EAAC,GAAG,EAAE,aAAa,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;AACnE,CAAC;AApFD,8CAoFC"}
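--- a/package/dist/registration/verifications/verifyAndroidSafetyNet.js
+++ b/package/dist/registration/verifications/verifyAndroidSafetyNet.js
@@ -47,7 +47,7 @@ async function verifyAttestationAndroidSafetyNet(options) {
 }
 }
 const nonceBase = Buffer.concat([authData, clientDataHash]);
-const nonceBuffer = toHash_1.default(nonceBase);
+const nonceBuffer = (0, toHash_1.default)(nonceBase);
 const expectedNonce = nonceBuffer.toString('base64');
 if (nonce !== expectedNonce) {
 throw new Error('Could not verify payload nonce (SafetyNet)');
@@ -62,7 +62,7 @@ async function verifyAttestationAndroidSafetyNet(options) {
 * START Verify Header
 */
 const leafCertBuffer = base64url_1.default.toBuffer(HEADER.x5c[0]);
-const leafCertInfo = getCertificateInfo_1.default(leafCertBuffer);
+const leafCertInfo = (0, getCertificateInfo_1.default)(leafCertBuffer);
 const { subject } = leafCertInfo;
 // Ensure the certificate was issued to this hostname
 // See https://developer.android.com/training/safetynet/attestation#verify-attestation-response
@@ -72,19 +72,21 @@ async function verifyAttestationAndroidSafetyNet(options) {
 const statement = await metadataService_1.default.getStatement(aaguid);
 if (statement) {
 try {
-await verifyAttestationWithMetadata_1.default(statement, credentialPublicKey, HEADER.x5c);
+await (0, verifyAttestationWithMetadata_1.default)(statement, credentialPublicKey, HEADER.x5c);
 }
 catch (err) {
-
+const _err = err;
+throw new Error(`${_err.message} (SafetyNet)`);
 }
 }
 else {
 try {
 // Try validating the certificate path using the root certificates set via SettingsService
-await validateCertificatePath_1.default(HEADER.x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
+await (0, validateCertificatePath_1.default)(HEADER.x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
 }
 catch (err) {
-
+const _err = err;
+throw new Error(`${_err.message} (SafetyNet)`);
 }
 }
 /**
@@ -95,8 +97,8 @@ async function verifyAttestationAndroidSafetyNet(options) {
 */
 const signatureBaseBuffer = Buffer.from(`${jwtParts[0]}.${jwtParts[1]}`);
 const signatureBuffer = base64url_1.default.toBuffer(SIGNATURE);
-const leafCertPEM = convertCertBufferToPEM_1.default(leafCertBuffer);
-const verified = verifySignature_1.default(signatureBuffer, signatureBaseBuffer, leafCertPEM);
+const leafCertPEM = (0, convertCertBufferToPEM_1.default)(leafCertBuffer);
+const verified = (0, verifySignature_1.default)(signatureBuffer, signatureBaseBuffer, leafCertPEM);
 /**
 * END Verify Signature
 */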
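Review bot: `const verified = (0, verifySignature_1.default)(signatureBuffer, signatureBaseBuffer, leafCertPEM);` in the `@@ -95,8 +97,8 @@` hunk passes no hash algorithm, unlike the TPM and AndroidKey callers which derive one from `alg`, and nothing in the visible hunks reads the JWS header's `alg` before the signature is checked. If verifySignature's default hash is exactly what this JWS is expected to be signed with, a comment on that line should pin the assumption, e.g. `// JWS verified with verifySignature's default hash; HEADER.alg is intentionally not consulted`; if it is not, `HEADER.alg` should be compared against the expected value first, so a token signed under a different algorithm cannot be accepted under the default. verifyAttestationAndroidSafetyNet starts before the first hunk, so any header check done earlier is not visible here.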
@@ -1 +1 @@
1
-
{"version":3,"file":"verifyAndroidSafetyNet.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAndroidSafetyNet.ts"],"names":[],"mappings":";;;;;AAAA,0DAAkC;AAIlC,kEAA0C;AAC1C,oFAA4D;AAC5D,0FAAkE;AAClE,oGAA4E;AAC5E,kGAA0E;AAC1E,qFAA6D;AAC7D,iHAAyF;AAEzF;;GAEG;AACY,KAAK,UAAU,iCAAiC,CAC7D,OAAsC;IAEtC,MAAM,EACJ,OAAO,EACP,cAAc,EACd,QAAQ,EACR,MAAM,EACN,gBAAgB,EAChB,iBAAiB,GAAG,IAAI,EACxB,mBAAmB,GACpB,GAAG,OAAO,CAAC;IACZ,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAElC,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;KAC5D;IAED,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,0BAA0B;IAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEhC,MAAM,MAAM,GAAuB,IAAI,CAAC,KAAK,CAAC,mBAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAwB,IAAI,CAAC,KAAK,CAAC,mBAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/E,MAAM,SAAS,GAA0B,QAAQ,CAAC,CAAC,CAAC,CAAC;IAErD;;OAEG;IACH,MAAM,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;IAExD,IAAI,iBAAiB,EAAE;QACrB,qCAAqC;QACrC,IAAI,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACrB,IAAI,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE;YAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,WAAW,qBAAqB,GAAG,eAAe,CAAC,CAAC;SAC3F;QAED,+EAA+E;QAC/E,MAAM,kBAAkB,GAAG,WAAW,GAAG,EAAE,GAAG,IAAI,CAAC;QACnD,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACjB,IAAI,kBAAkB,GAAG,GAAG,EAAE;YAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,kBAAkB,2BAA2B,CAAC,CAAC;SACtF;KACF;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAC5D,MAAM,WAAW,GAAG,gBAAM,
1
+
{"version":3,"file":"verifyAndroidSafetyNet.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAndroidSafetyNet.ts"],"names":[],"mappings":";;;;;AAAA,0DAAkC;AAIlC,kEAA0C;AAC1C,oFAA4D;AAC5D,0FAAkE;AAClE,oGAA4E;AAC5E,kGAA0E;AAC1E,qFAA6D;AAC7D,iHAAyF;AAEzF;;GAEG;AACY,KAAK,UAAU,iCAAiC,CAC7D,OAAsC;IAEtC,MAAM,EACJ,OAAO,EACP,cAAc,EACd,QAAQ,EACR,MAAM,EACN,gBAAgB,EAChB,iBAAiB,GAAG,IAAI,EACxB,mBAAmB,GACpB,GAAG,OAAO,CAAC;IACZ,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAElC,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;KAC5D;IAED,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,0BAA0B;IAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEhC,MAAM,MAAM,GAAuB,IAAI,CAAC,KAAK,CAAC,mBAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAwB,IAAI,CAAC,KAAK,CAAC,mBAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/E,MAAM,SAAS,GAA0B,QAAQ,CAAC,CAAC,CAAC,CAAC;IAErD;;OAEG;IACH,MAAM,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;IAExD,IAAI,iBAAiB,EAAE;QACrB,qCAAqC;QACrC,IAAI,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACrB,IAAI,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE;YAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,WAAW,qBAAqB,GAAG,eAAe,CAAC,CAAC;SAC3F;QAED,+EAA+E;QAC/E,MAAM,kBAAkB,GAAG,WAAW,GAAG,EAAE,GAAG,IAAI,CAAC;QACnD,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACjB,IAAI,kBAAkB,GAAG,GAAG,EAAE;YAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,kBAAkB,2BAA2B,CAAC,CAAC;SACtF;KACF;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAC5D,MAAM,WAAW,GAAG,IAAA,gBAAM,EAAC,SAAS,CAAC,CAAC;IACtC,MAAM,aAAa,GAAG,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAErD,IAAI,KAAK,KAAK,aAAa,EAAE;QAC3B,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;KAC/D;IAED,IAAI,CAAC,eAAe,EAAE;QACpB,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;KAClE;IACD;;OAEG;IAEH;;OAEG;IACH,MAAM,cAAc,GAAG,mBAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACzD,MAAM,YAAY,GAAG,IAAA,4BAAkB,EAAC,cAAc,CAAC,CAAC;IAExD,MAAM,EAAE,OAAO,EAA
E,GAAG,YAAY,CAAC;IAEjC,qDAAqD;IACrD,+FAA+F;IAC/F,IAAI,OAAO,CAAC,EAAE,KAAK,oBAAoB,EAAE;QACvC,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,MAAM,SAAS,GAAG,MAAM,yBAAe,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC7D,IAAI,SAAS,EAAE;QACb,IAAI;YACF,MAAM,IAAA,uCAA6B,EAAC,SAAS,EAAE,mBAAmB,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;SACjF;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,GAAG,GAAY,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,cAAc,CAAC,CAAC;SAChD;KACF;SAAM;QACL,IAAI;YACF,0FAA0F;YAC1F,MAAM,IAAA,iCAAuB,EAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,gCAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;SACzF;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,GAAG,GAAY,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,cAAc,CAAC,CAAC;SAChD;KACF;IACD;;OAEG;IAEH;;OAEG;IACH,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACzE,MAAM,eAAe,GAAG,mBAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAEtD,MAAM,WAAW,GAAG,IAAA,gCAAsB,EAAC,cAAc,CAAC,CAAC;IAC3D,MAAM,QAAQ,GAAG,IAAA,yBAAe,EAAC,eAAe,EAAE,mBAAmB,EAAE,WAAW,CAAC,CAAC;IACpF;;OAEG;IAEH,OAAO,QAAQ,CAAC;AAClB,CAAC;AAjHD,oDAiHC"}
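--- a/package/dist/registration/verifications/verifyApple.js
+++ b/package/dist/registration/verifications/verifyApple.js
@@ -19,10 +19,11 @@ async function verifyApple(options) {
 * Verify certificate path
 */
 try {
-await validateCertificatePath_1.default(x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
+await (0, validateCertificatePath_1.default)(x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
 }
 catch (err) {
-
+const _err = err;
+throw new Error(`${_err.message} (Apple)`);
 }
 /**
 * Compare nonce in certificate extension to computed nonce
@@ -37,7 +38,7 @@ async function verifyApple(options) {
 throw new Error('credCert missing "1.2.840.113635.100.8.2" extension (Apple)');
 }
 const nonceToHash = Buffer.concat([authData, clientDataHash]);
-const nonce = toHash_1.default(nonceToHash, 'SHA256');
+const nonce = (0, toHash_1.default)(nonceToHash, 'SHA256');
 /**
 * Ignore the first six ASN.1 structure bytes that define the nonce as an OCTET STRING. Should
 * trim off <Buffer 30 24 a1 22 04 20>
@@ -52,7 +53,7 @@ async function verifyApple(options) {
 /**
 * Verify credential public key matches the Subject Public Key of credCert
 */
-const credPubKeyPKCS = convertCOSEtoPKCS_1.default(credentialPublicKey);
+const credPubKeyPKCS = (0, convertCOSEtoPKCS_1.default)(credentialPublicKey);
 const credCertSubjectPublicKey = Buffer.from(subjectPublicKeyInfo.subjectPublicKey);
 if (!credPubKeyPKCS.equals(credCertSubjectPublicKey)) {
 throw new Error('Credential public key does not equal credCert public key (Apple)');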
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verifyApple.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyApple.ts"],"names":[],"mappings":";;;;;AAAA,uDAAkD;AAClD,mDAAkD;AAIlD,oGAA4E;AAC5E,kGAA0E;AAC1E,kEAA0C;AAC1C,wFAAgE;AAEjD,KAAK,UAAU,WAAW,CACvC,OAAsC;IAEtC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,GAAG,OAAO,CAAC;IAC7F,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAExB,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;KACzF;IAED;;OAEG;IACH,IAAI;QACF,MAAM,iCAAuB,
|
|
1
|
+
{"version":3,"file":"verifyApple.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyApple.ts"],"names":[],"mappings":";;;;;AAAA,uDAAkD;AAClD,mDAAkD;AAIlD,oGAA4E;AAC5E,kGAA0E;AAC1E,kEAA0C;AAC1C,wFAAgE;AAEjD,KAAK,UAAU,WAAW,CACvC,OAAsC;IAEtC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,GAAG,OAAO,CAAC;IAC7F,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAExB,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;KACzF;IAED;;OAEG;IACH,IAAI;QACF,MAAM,IAAA,iCAAuB,EAAC,GAAG,CAAC,GAAG,CAAC,gCAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;KAClF;IAAC,OAAO,GAAG,EAAE;QACZ,MAAM,IAAI,GAAG,GAAY,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,UAAU,CAAC,CAAC;KAC5C;IAED;;OAEG;IACH,MAAM,cAAc,GAAG,uBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,uBAAW,CAAC,CAAC;IAC5D,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,GAAG,cAAc,CAAC,cAAc,CAAC;IAE3E,IAAI,CAAC,UAAU,EAAE;QACf,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;KACxD;IAED,MAAM,YAAY,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,MAAM,KAAK,wBAAwB,CAAC,CAAC;IAErF,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;KAChF;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAC9D,MAAM,KAAK,GAAG,IAAA,gBAAM,EAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAC5C;;;;;;OAMG;IACH,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAErE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE;QAC3B,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;KAClE;IAED;;OAEG;IACH,MAAM,cAAc,GAAG,IAAA,2BAAiB,EAAC,mBAAmB,CAAC,CAAC;IAC9D,MAAM,wBAAwB,GAAG,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,gBAAgB,CAAC,CAAC;IAEpF,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,wBAAwB,CAAC,EAAE;QACpD,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AA9DD,8BA8DC"}
|
|
@@ -13,7 +13,7 @@ const verifySignature_1 = __importDefault(require("../../helpers/verifySignature
|
|
|
13
13
|
async function verifyAttestationFIDOU2F(options) {
|
|
14
14
|
const { attStmt, clientDataHash, rpIdHash, credentialID, credentialPublicKey, aaguid = '', rootCertificates, } = options;
|
|
15
15
|
const reservedByte = Buffer.from([0x00]);
|
|
16
|
-
const publicKey = convertCOSEtoPKCS_1.default(credentialPublicKey);
|
|
16
|
+
const publicKey = (0, convertCOSEtoPKCS_1.default)(credentialPublicKey);
|
|
17
17
|
const signatureBase = Buffer.concat([
|
|
18
18
|
reservedByte,
|
|
19
19
|
rpIdHash,
|
|
@@ -35,13 +35,14 @@ async function verifyAttestationFIDOU2F(options) {
|
|
|
35
35
|
}
|
|
36
36
|
try {
|
|
37
37
|
// Try validating the certificate path using the root certificates set via SettingsService
|
|
38
|
-
await validateCertificatePath_1.default(x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
|
|
38
|
+
await (0, validateCertificatePath_1.default)(x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
|
|
39
39
|
}
|
|
40
40
|
catch (err) {
|
|
41
|
-
|
|
41
|
+
const _err = err;
|
|
42
|
+
throw new Error(`${_err.message} (FIDOU2F)`);
|
|
42
43
|
}
|
|
43
|
-
const leafCertPEM = convertCertBufferToPEM_1.default(x5c[0]);
|
|
44
|
-
return verifySignature_1.default(sig, signatureBase, leafCertPEM);
|
|
44
|
+
const leafCertPEM = (0, convertCertBufferToPEM_1.default)(x5c[0]);
|
|
45
|
+
return (0, verifySignature_1.default)(sig, signatureBase, leafCertPEM);
|
|
45
46
|
}
|
|
46
47
|
exports.default = verifyAttestationFIDOU2F;
|
|
47
48
|
//# sourceMappingURL=verifyFIDOU2F.js.map
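Review bot: Nothing in this hunk checks, before the signature is verified with `x5c[0]` at line 44, that x5c holds exactly one certificate and that the leaf's public key is an EC P-256 key, both of which WebAuthn §8.6 requires for fido-u2f attestation; if those checks are not made earlier in verifyAttestationFIDOU2F (the function starts before this hunk), an attestation carrying a longer chain or a non-P-256 leaf would pass once the path validates against the configured roots. A guard such as `if (x5c.length !== 1) throw new Error('x5c must contain exactly one certificate (FIDOU2F)');` ahead of the path validation, plus a curve check on the leaf's public key, would close that. Separately, the rethrow at lines 41–42 discards the original error's stack; passing `{ cause: err }` where the runtime supports it preserves it.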
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verifyFIDOU2F.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyFIDOU2F.ts"],"names":[],"mappings":";;;;;AAEA,wFAAgE;AAChE,kGAA0E;AAC1E,oGAA4E;AAC5E,oFAA4D;AAE5D;;GAEG;AACY,KAAK,UAAU,wBAAwB,CACpD,OAAsC;IAEtC,MAAM,EACJ,OAAO,EACP,cAAc,EACd,QAAQ,EACR,YAAY,EACZ,mBAAmB,EACnB,MAAM,GAAG,EAAE,EACX,gBAAgB,GACjB,GAAG,OAAO,CAAC;IAEZ,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,2BAAiB,
|
|
1
|
+
{"version":3,"file":"verifyFIDOU2F.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyFIDOU2F.ts"],"names":[],"mappings":";;;;;AAEA,wFAAgE;AAChE,kGAA0E;AAC1E,oGAA4E;AAC5E,oFAA4D;AAE5D;;GAEG;AACY,KAAK,UAAU,wBAAwB,CACpD,OAAsC;IAEtC,MAAM,EACJ,OAAO,EACP,cAAc,EACd,QAAQ,EACR,YAAY,EACZ,mBAAmB,EACnB,MAAM,GAAG,EAAE,EACX,gBAAgB,GACjB,GAAG,OAAO,CAAC;IAEZ,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,IAAA,2BAAiB,EAAC,mBAAmB,CAAC,CAAC;IAEzD,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC;QAClC,YAAY;QACZ,QAAQ;QACR,cAAc;QACd,YAAY;QACZ,SAAS;KACV,CAAC,CAAC;IAEH,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAE7B,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;KAC3F;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;KACzF;IAED,gEAAgE;IAChE,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;IAChE,IAAI,WAAW,KAAK,IAAI,EAAE;QACxB,MAAM,IAAI,KAAK,CAAC,WAAW,WAAW,0BAA0B,CAAC,CAAC;KACnE;IAED,IAAI;QACF,0FAA0F;QAC1F,MAAM,IAAA,iCAAuB,EAAC,GAAG,CAAC,GAAG,CAAC,gCAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;KAClF;IAAC,OAAO,GAAG,EAAE;QACZ,MAAM,IAAI,GAAG,GAAY,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,YAAY,CAAC,CAAC;KAC9C;IAED,MAAM,WAAW,GAAG,IAAA,gCAAsB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnD,OAAO,IAAA,yBAAe,EAAC,GAAG,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;AAC1D,CAAC;AAnDD,2CAmDC"}
|
|
@@ -1,7 +1,11 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
3
|
if (k2 === undefined) k2 = k;
|
|
4
|
-
Object.
|
|
4
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
+
}
|
|
8
|
+
Object.defineProperty(o, k2, desc);
|
|
5
9
|
}) : (function(o, m, k, k2) {
|
|
6
10
|
if (k2 === undefined) k2 = k;
|
|
7
11
|
o[k2] = m[k];
|
|
@@ -47,10 +51,10 @@ async function verifyAttestationPacked(options) {
|
|
|
47
51
|
}
|
|
48
52
|
const signatureBase = Buffer.concat([authData, clientDataHash]);
|
|
49
53
|
let verified = false;
|
|
50
|
-
const pkcsPublicKey = convertCOSEtoPKCS_1.default(credentialPublicKey);
|
|
54
|
+
const pkcsPublicKey = (0, convertCOSEtoPKCS_1.default)(credentialPublicKey);
|
|
51
55
|
if (x5c) {
|
|
52
|
-
const leafCert = convertCertBufferToPEM_1.default(x5c[0]);
|
|
53
|
-
const { subject, basicConstraintsCA, version, notBefore, notAfter } = getCertificateInfo_1.default(x5c[0]);
|
|
56
|
+
const leafCert = (0, convertCertBufferToPEM_1.default)(x5c[0]);
|
|
57
|
+
const { subject, basicConstraintsCA, version, notBefore, notAfter } = (0, getCertificateInfo_1.default)(x5c[0]);
|
|
54
58
|
const { OU, CN, O, C } = subject;
|
|
55
59
|
if (OU !== 'Authenticator Attestation') {
|
|
56
60
|
throw new Error('Certificate OU was not "Authenticator Attestation" (Packed|Full)');
|
|
@@ -89,25 +93,27 @@ async function verifyAttestationPacked(options) {
|
|
|
89
93
|
throw new Error('Metadata does not indicate support for full attestations (Packed|Full)');
|
|
90
94
|
}
|
|
91
95
|
try {
|
|
92
|
-
await verifyAttestationWithMetadata_1.default(statement, credentialPublicKey, x5c);
|
|
96
|
+
await (0, verifyAttestationWithMetadata_1.default)(statement, credentialPublicKey, x5c);
|
|
93
97
|
}
|
|
94
98
|
catch (err) {
|
|
95
|
-
|
|
99
|
+
const _err = err;
|
|
100
|
+
throw new Error(`${_err.message} (Packed|Full)`);
|
|
96
101
|
}
|
|
97
102
|
}
|
|
98
103
|
else {
|
|
99
104
|
try {
|
|
100
105
|
// Try validating the certificate path using the root certificates set via SettingsService
|
|
101
|
-
await validateCertificatePath_1.default(x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
|
|
106
|
+
await (0, validateCertificatePath_1.default)(x5c.map(convertCertBufferToPEM_1.default), rootCertificates);
|
|
102
107
|
}
|
|
103
108
|
catch (err) {
|
|
104
|
-
|
|
109
|
+
const _err = err;
|
|
110
|
+
throw new Error(`${_err.message} (Packed|Full)`);
|
|
105
111
|
}
|
|
106
112
|
}
|
|
107
|
-
verified = verifySignature_1.default(sig, signatureBase, leafCert);
|
|
113
|
+
verified = (0, verifySignature_1.default)(sig, signatureBase, leafCert);
|
|
108
114
|
}
|
|
109
115
|
else {
|
|
110
|
-
const cosePublicKey = decodeCredentialPublicKey_1.default(credentialPublicKey);
|
|
116
|
+
const cosePublicKey = (0, decodeCredentialPublicKey_1.default)(credentialPublicKey);
|
|
111
117
|
const kty = cosePublicKey.get(convertCOSEtoPKCS_1.COSEKEYS.kty);
|
|
112
118
|
if (!kty) {
|
|
113
119
|
throw new Error('COSE public key was missing kty (Packed|Self)');
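Review bot: The self-attestation branch beginning at line 115 decodes the COSE key but, within this hunk, never confirms that the `alg` from attStmt (presumably destructured earlier, outside the hunk) equals the `alg` recorded in the credential public key, which WebAuthn §8.2 requires for self attestation before the signature is checked; if that comparison is not made further down (the branch continues past the hunk), a mismatch should be rejected with something like `if (cosePublicKey.get(convertCOSEtoPKCS_1.COSEKEYS.alg) !== alg) throw new Error('attStmt.alg does not match credential public key alg (Packed|Self)');`. The two catch blocks at lines 99–100 and 109–110 also discard the original error's stack when they rethrow; `{ cause: err }` would keep it where the runtime allows.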
|
|
@@ -118,7 +124,7 @@ async function verifyAttestationPacked(options) {
|
|
|
118
124
|
if (!crv) {
|
|
119
125
|
throw new Error('COSE public key was missing kty crv (Packed|EC2)');
|
|
120
126
|
}
|
|
121
|
-
const signatureBaseHash = toHash_1.default(signatureBase, hashAlg);
|
|
127
|
+
const signatureBaseHash = (0, toHash_1.default)(signatureBase, hashAlg);
|
|
122
128
|
/**
|
|
123
129
|
* Instantiating the curve here is _very_ computationally heavy - a bit of profiling
|
|
124
130
|
* (in compiled JS, not TS) reported an average of ~125ms to execute this line. The elliptic
|
|
@@ -152,7 +158,7 @@ async function verifyAttestationPacked(options) {
|
|
|
152
158
|
if (!x) {
|
|
153
159
|
throw new Error('COSE public key was missing x (Packed|OKP)');
|
|
154
160
|
}
|
|
155
|
-
const signatureBaseHash = toHash_1.default(signatureBase, hashAlg);
|
|
161
|
+
const signatureBaseHash = (0, toHash_1.default)(signatureBase, hashAlg);
|
|
156
162
|
const key = new elliptic_1.default.eddsa('ed25519');
|
|
157
163
|
key.keyFromPublic(x);
|
|
158
164
|
// TODO: is `publicKey` right here?
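Review bot: In the OKP branch the return value of `key.keyFromPublic(x)` at line 163 is discarded, so the `key` object that will perform the verification never holds the credential's Ed25519 point, and the TODO at line 164 records the uncertainty about which key is then handed to `verify` (that call sits just past the hunk). Ed25519 as used by COSE alg -8 is PureEdDSA and signs the unhashed message, so if `hashAlg` for this algorithm resolves to SHA-256 the pre-hashed `signatureBaseHash` from line 161 would not verify a genuine authenticator's signature either. I would bind the key and verify the raw concatenation — `const key = new elliptic_1.default.eddsa('ed25519').keyFromPublic(x);` then `verified = key.verify(signatureBase, sig);` — and confirm against a real Ed25519 self-attestation response. verifyAttestationPacked continues outside the hunk.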
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verifyPacked.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyPacked.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"verifyPacked.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyPacked.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,wDAAgC;AAChC,wDAA+B;AAI/B,qFAMyC;AACzC,kEAA0C;AAC1C,kGAA0E;AAC1E,oGAA4E;AAC5E,0FAAkE;AAClE,oFAA4D;AAC5D,wGAAgF;AAChF,qFAA6D;AAC7D,iHAAyF;AAEzF;;GAEG;AACY,KAAK,UAAU,uBAAuB,CACnD,OAAsC;IAEtC,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,EAAE,gBAAgB,EAAE,GACxF,OAAO,CAAC;IAEV,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAElC,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;KACxF;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE;QAC3B,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,4BAA4B,CAAC,CAAC;KAChF;IAED,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAEhE,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,MAAM,aAAa,GAAG,IAAA,2BAAiB,EAAC,mBAAmB,CAAC,CAAC;IAE7D,IAAI,GAAG,EAAE;QACP,MAAM,QAAQ,GAAG,IAAA,gCAAsB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAChD,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG,IAAA,4BAAkB,EACtF,GAAG,CAAC,CAAC,CAAC,CACP,CAAC;QAEF,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,OAAO,CAAC;QAEjC,IAAI,EAAE,KAAK,2BAA2B,EAAE;YACtC,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;SACrF;QAED,IAAI,CAAC,EAAE,EAAE;YACP,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;SAC3D;QAED,IAAI,CAAC,CAAC,EAAE;YACN,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;SAC1D;QAED,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE;YACxB,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;SACpF;QAED,IAAI,kBAAkB,EAAE;YACtB,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;SACnF;QAED,IAAI,OAAO,KAAK,CAAC,EAAE;YACjB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;SACrF;QAED,IAAI,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACrB,IAAI,SAAS,GAAG,GAAG,EAAE;YACnB,MAAM,IAAI,KAAK,CAAC,gCAAgC,SAAS,CAAC,QAAQ,EAAE,iBAAiB,CAAC,CAAC;SACxF;QAED,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACjB,IAAI,QAAQ,GAAG,GAAG,EAAE;YAClB,MAAM,IAAI,KAAK,CAAC,+BAA+B,QAAQ,CAAC,QAAQ,EAAE,iBAAiB,CAAC,CAAC;SACtF;QAED,gGAAgG;QAChG,4DAA4D;QAE5D,qFAAqF;QACrF,MAAM,SAAS,GAAG,MAAM,yBAAe,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;
QAC7D,IAAI,SAAS,EAAE;YACb,yFAAyF;YACzF,gCAAgC;YAChC,IAAI,SAAS,CAAC,gBAAgB,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE;gBACxD,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;aAC3F;YAED,IAAI;gBACF,MAAM,IAAA,uCAA6B,EAAC,SAAS,EAAE,mBAAmB,EAAE,GAAG,CAAC,CAAC;aAC1E;YAAC,OAAO,GAAG,EAAE;gBACZ,MAAM,IAAI,GAAG,GAAY,CAAC;gBAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,gBAAgB,CAAC,CAAC;aAClD;SACF;aAAM;YACL,IAAI;gBACF,0FAA0F;gBAC1F,MAAM,IAAA,iCAAuB,EAAC,GAAG,CAAC,GAAG,CAAC,gCAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;aAClF;YAAC,OAAO,GAAG,EAAE;gBACZ,MAAM,IAAI,GAAG,GAAY,CAAC;gBAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,gBAAgB,CAAC,CAAC;aAClD;SACF;QAED,QAAQ,GAAG,IAAA,yBAAe,EAAC,GAAG,EAAE,aAAa,EAAE,QAAQ,CAAC,CAAC;KAC1D;SAAM;QACL,MAAM,aAAa,GAAG,IAAA,mCAAyB,EAAC,mBAAmB,CAAC,CAAC;QAErE,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,GAAG,CAAC,CAAC;QAE5C,IAAI,CAAC,GAAG,EAAE;YACR,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;SAClE;QAED,MAAM,OAAO,GAAW,+BAAW,CAAC,GAAa,CAAC,CAAC;QAEnD,IAAI,GAAG,KAAK,2BAAO,CAAC,GAAG,EAAE;YACvB,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,GAAG,CAAC,CAAC;YAE5C,IAAI,CAAC,GAAG,EAAE;gBACR,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;aACrE;YAED,MAAM,iBAAiB,GAAG,IAAA,gBAAM,EAAC,aAAa,EAAE,OAAO,CAAC,CAAC;YAEzD;;;;;;;;eAQG;YACH,MAAM,EAAE,GAAG,IAAI,kBAAQ,CAAC,EAAE,CAAC,2BAAO,CAAC,GAAa,CAAC,CAAC,CAAC;YACnD,MAAM,GAAG,GAAG,EAAE,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC;YAE5C,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC;SAC/C;aAAM,IAAI,GAAG,KAAK,2BAAO,CAAC,GAAG,EAAE;YAC9B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CAAC;YAExC,IAAI,CAAC,CAAC,EAAE;gBACN,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;aAC/D;YAED,MAAM,aAAa,GAAG,iCAAa,CAAC,GAAa,CAAC,CAAC;YAEnD,0BAA0B;YAC1B,MAAM,GAAG,GAAG,IAAI,kBAAO,EAAE,CAAC;YAC1B,GAAG,CAAC,UAAU,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC;YAClC,GAAG,CAAC,SAAS,CACX;gBACE,CAAC,EAAE,CAAW;gBACd,CAAC,EAAE,KAAK;aACT,EACD,mBAAmB,CACpB,CAAC;YAEF,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;SAC3C;aAAM,IAAI,GAAG,KAAK,2BAAO,CAAC,GAAG,EAAE;YAC9B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,C
AAC;YAExC,IAAI,CAAC,CAAC,EAAE;gBACN,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;aAC/D;YAED,MAAM,iBAAiB,GAAG,IAAA,gBAAM,EAAC,aAAa,EAAE,OAAO,CAAC,CAAC;YAEzD,MAAM,GAAG,GAAG,IAAI,kBAAQ,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAC1C,GAAG,CAAC,aAAa,CAAC,CAAW,CAAC,CAAC;YAE/B,mCAAmC;YACnC,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,iBAAiB,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;SAC9D;KACF;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AApKD,0CAoKC"}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/// <reference types="node" />
|
|
2
|
-
import { RegistrationCredentialJSON, COSEAlgorithmIdentifier } from '@simplewebauthn/typescript-types';
|
|
2
|
+
import { RegistrationCredentialJSON, COSEAlgorithmIdentifier, CredentialDeviceType } from '@simplewebauthn/typescript-types';
|
|
3
3
|
import { AttestationFormat, AttestationStatement } from '../helpers/decodeAttestationObject';
|
|
4
4
|
export declare type VerifyRegistrationResponseOpts = {
|
|
5
5
|
credential: RegistrationCredentialJSON;
|
|
@@ -31,7 +31,7 @@ export default function verifyRegistrationResponse(options: VerifyRegistrationRe
|
|
|
31
31
|
* @param verified If the assertion response could be verified
|
|
32
32
|
* @param registrationInfo.fmt Type of attestation
|
|
33
33
|
* @param registrationInfo.counter The number of times the authenticator reported it has been used.
|
|
34
|
-
* Should be kept in a DB for later reference to help prevent replay attacks
|
|
34
|
+
* **Should be kept in a DB for later reference to help prevent replay attacks!**
|
|
35
35
|
* @param registrationInfo.aaguid Authenticator's Attestation GUID indicating the type of the
|
|
36
36
|
* authenticator
|
|
37
37
|
* @param registrationInfo.credentialPublicKey The credential's public key
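Review bot: The reworded doc for `registrationInfo.counter` at line 34 still says the stored counter helps prevent replay attacks, but replay of a previous assertion is already defeated by the per-ceremony challenge; what the signature counter detects is a cloned authenticator (WebAuthn §6.1.1), and only if the stored value is compared on every later assertion. Since this release also adds `credentialDeviceType`/`credentialBackedUp`, it is worth noting that multi-device credentials commonly report a counter that stays at 0, so a non-incrementing counter on such credentials should not by itself be read as cloning. I would reword it as `* **Should be kept in a DB and compared on every authentication: a counter that fails to increase can indicate a cloned authenticator. Multi-device credentials may always report 0.**`.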
|
|
@@ -40,6 +40,11 @@ export default function verifyRegistrationResponse(options: VerifyRegistrationRe
|
|
|
40
40
|
* @param registrationInfo.userVerified Whether the user was uniquely identified during attestation
|
|
41
41
|
* @param registrationInfo.attestationObject The raw `response.attestationObject` Buffer returned by
|
|
42
42
|
* the authenticator
|
|
43
|
+
* @param registrationInfo.credentialDeviceType Whether this is a single-device or multi-device
|
|
44
|
+
* credential. **Should be kept in a DB for later reference!**
|
|
45
|
+
* @param registrationInfo.credentialBackedUp Whether or not the multi-device credential has been
|
|
46
|
+
* backed up. Always `false` for single-device credentials. **Should be kept in a DB for later
|
|
47
|
+
* reference!**
|
|
43
48
|
*/
|
|
44
49
|
export declare type VerifiedRegistrationResponse = {
|
|
45
50
|
verified: boolean;
|
|
@@ -47,11 +52,13 @@ export declare type VerifiedRegistrationResponse = {
|
|
|
47
52
|
fmt: AttestationFormat;
|
|
48
53
|
counter: number;
|
|
49
54
|
aaguid: string;
|
|
50
|
-
credentialPublicKey: Buffer;
|
|
51
55
|
credentialID: Buffer;
|
|
52
|
-
|
|
53
|
-
|
|
56
|
+
credentialPublicKey: Buffer;
|
|
57
|
+
credentialType: "public-key";
|
|
54
58
|
attestationObject: Buffer;
|
|
59
|
+
userVerified: boolean;
|
|
60
|
+
credentialDeviceType: CredentialDeviceType;
|
|
61
|
+
credentialBackedUp: boolean;
|
|
55
62
|
};
|
|
56
63
|
};
|
|
57
64
|
/**
|
|
@@ -11,6 +11,7 @@ const toHash_1 = __importDefault(require("../helpers/toHash"));
|
|
|
11
11
|
const decodeCredentialPublicKey_1 = __importDefault(require("../helpers/decodeCredentialPublicKey"));
|
|
12
12
|
const convertCOSEtoPKCS_1 = require("../helpers/convertCOSEtoPKCS");
|
|
13
13
|
const convertAAGUIDToString_1 = __importDefault(require("../helpers/convertAAGUIDToString"));
|
|
14
|
+
const parseBackupFlags_1 = require("../helpers/parseBackupFlags");
|
|
14
15
|
const settingsService_1 = __importDefault(require("../services/settingsService"));
|
|
15
16
|
const generateRegistrationOptions_1 = require("./generateRegistrationOptions");
|
|
16
17
|
const verifyFIDOU2F_1 = __importDefault(require("./verifications/verifyFIDOU2F"));
|
|
@@ -49,7 +50,7 @@ async function verifyRegistrationResponse(options) {
|
|
|
49
50
|
if (credentialType !== 'public-key') {
|
|
50
51
|
throw new Error(`Unexpected credential type ${credentialType}, expected "public-key"`);
|
|
51
52
|
}
|
|
52
|
-
const clientDataJSON = decodeClientDataJSON_1.default(response.clientDataJSON);
|
|
53
|
+
const clientDataJSON = (0, decodeClientDataJSON_1.default)(response.clientDataJSON);
|
|
53
54
|
const { type, origin, challenge, tokenBinding } = clientDataJSON;
|
|
54
55
|
// Make sure we're handling an registration
|
|
55
56
|
if (type !== 'webauthn.create') {
|
|
@@ -84,14 +85,14 @@ async function verifyRegistrationResponse(options) {
|
|
|
84
85
|
}
|
|
85
86
|
}
|
|
86
87
|
const attestationObject = base64url_1.default.toBuffer(response.attestationObject);
|
|
87
|
-
const decodedAttestationObject = decodeAttestationObject_1.default(attestationObject);
|
|
88
|
+
const decodedAttestationObject = (0, decodeAttestationObject_1.default)(attestationObject);
|
|
88
89
|
const { fmt, authData, attStmt } = decodedAttestationObject;
|
|
89
|
-
const parsedAuthData = parseAuthenticatorData_1.default(authData);
|
|
90
|
+
const parsedAuthData = (0, parseAuthenticatorData_1.default)(authData);
|
|
90
91
|
const { aaguid, rpIdHash, flags, credentialID, counter, credentialPublicKey } = parsedAuthData;
|
|
91
92
|
// Make sure the response's RP ID is ours
|
|
92
93
|
if (expectedRPID) {
|
|
93
94
|
if (typeof expectedRPID === 'string') {
|
|
94
|
-
const expectedRPIDHash = toHash_1.default(Buffer.from(expectedRPID, 'ascii'));
|
|
95
|
+
const expectedRPIDHash = (0, toHash_1.default)(Buffer.from(expectedRPID, 'ascii'));
|
|
95
96
|
if (!rpIdHash.equals(expectedRPIDHash)) {
|
|
96
97
|
throw new Error(`Unexpected RP ID hash`);
|
|
97
98
|
}
|
|
@@ -99,7 +100,7 @@ async function verifyRegistrationResponse(options) {
|
|
|
99
100
|
else {
|
|
100
101
|
// Go through each expected RP ID and try to find one that matches
|
|
101
102
|
const foundMatch = expectedRPID.some(expected => {
|
|
102
|
-
const expectedRPIDHash = toHash_1.default(Buffer.from(expected, 'ascii'));
|
|
103
|
+
const expectedRPIDHash = (0, toHash_1.default)(Buffer.from(expected, 'ascii'));
|
|
103
104
|
return rpIdHash.equals(expectedRPIDHash);
|
|
104
105
|
});
|
|
105
106
|
if (!foundMatch) {
|
|
@@ -124,7 +125,7 @@ async function verifyRegistrationResponse(options) {
|
|
|
124
125
|
if (!aaguid) {
|
|
125
126
|
throw new Error('No AAGUID was present during registration');
|
|
126
127
|
}
|
|
127
|
-
const decodedPublicKey = decodeCredentialPublicKey_1.default(credentialPublicKey);
|
|
128
|
+
const decodedPublicKey = (0, decodeCredentialPublicKey_1.default)(credentialPublicKey);
|
|
128
129
|
const alg = decodedPublicKey.get(convertCOSEtoPKCS_1.COSEKEYS.alg);
|
|
129
130
|
if (typeof alg !== 'number') {
|
|
130
131
|
throw new Error('Credential public key was missing numeric alg');
|
|
@@ -134,7 +135,7 @@ async function verifyRegistrationResponse(options) {
|
|
|
134
135
|
const supported = supportedAlgorithmIDs.join(', ');
|
|
135
136
|
throw new Error(`Unexpected public key alg "${alg}", expected one of "${supported}"`);
|
|
136
137
|
}
|
|
137
|
-
const clientDataHash = toHash_1.default(base64url_1.default.toBuffer(response.clientDataJSON));
|
|
138
|
+
const clientDataHash = (0, toHash_1.default)(base64url_1.default.toBuffer(response.clientDataJSON));
|
|
138
139
|
const rootCertificates = settingsService_1.default.getRootCertificates({ identifier: fmt });
|
|
139
140
|
// Prepare arguments to pass to the relevant verification method
|
|
140
141
|
const verifierOpts = {
|
|
@@ -152,22 +153,22 @@ async function verifyRegistrationResponse(options) {
|
|
|
152
153
|
*/
|
|
153
154
|
let verified = false;
|
|
154
155
|
if (fmt === 'fido-u2f') {
|
|
155
|
-
verified = await verifyFIDOU2F_1.default(verifierOpts);
|
|
156
|
+
verified = await (0, verifyFIDOU2F_1.default)(verifierOpts);
|
|
156
157
|
}
|
|
157
158
|
else if (fmt === 'packed') {
|
|
158
|
-
verified = await verifyPacked_1.default(verifierOpts);
|
|
159
|
+
verified = await (0, verifyPacked_1.default)(verifierOpts);
|
|
159
160
|
}
|
|
160
161
|
else if (fmt === 'android-safetynet') {
|
|
161
|
-
verified = await verifyAndroidSafetyNet_1.default(verifierOpts);
|
|
162
|
+
verified = await (0, verifyAndroidSafetyNet_1.default)(verifierOpts);
|
|
162
163
|
}
|
|
163
164
|
else if (fmt === 'android-key') {
|
|
164
|
-
verified = await verifyAndroidKey_1.default(verifierOpts);
|
|
165
|
+
verified = await (0, verifyAndroidKey_1.default)(verifierOpts);
|
|
165
166
|
}
|
|
166
167
|
else if (fmt === 'tpm') {
|
|
167
|
-
verified = await verifyTPM_1.default(verifierOpts);
|
|
168
|
+
verified = await (0, verifyTPM_1.default)(verifierOpts);
|
|
168
169
|
}
|
|
169
170
|
else if (fmt === 'apple') {
|
|
170
|
-
verified = await verifyApple_1.default(verifierOpts);
|
|
171
|
+
verified = await (0, verifyApple_1.default)(verifierOpts);
|
|
171
172
|
}
|
|
172
173
|
else if (fmt === 'none') {
|
|
173
174
|
if (Object.keys(attStmt).length > 0) {
|
|
@@ -183,15 +184,18 @@ async function verifyRegistrationResponse(options) {
|
|
|
183
184
|
verified,
|
|
184
185
|
};
|
|
185
186
|
if (toReturn.verified) {
|
|
187
|
+
const { credentialDeviceType, credentialBackedUp } = (0, parseBackupFlags_1.parseBackupFlags)(flags);
|
|
186
188
|
toReturn.registrationInfo = {
|
|
187
189
|
fmt,
|
|
188
190
|
counter,
|
|
189
|
-
aaguid: convertAAGUIDToString_1.default(aaguid),
|
|
190
|
-
credentialPublicKey,
|
|
191
|
+
aaguid: (0, convertAAGUIDToString_1.default)(aaguid),
|
|
191
192
|
credentialID,
|
|
193
|
+
credentialPublicKey,
|
|
192
194
|
credentialType,
|
|
193
|
-
userVerified: flags.uv,
|
|
194
195
|
attestationObject,
|
|
196
|
+
userVerified: flags.uv,
|
|
197
|
+
credentialDeviceType,
|
|
198
|
+
credentialBackedUp,
|
|
195
199
|
};
|
|
196
200
|
}
|
|
197
201
|
return toReturn;
|