@simplewebauthn/server 5.3.0 → 5.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/authentication/generateAuthenticationOptions.d.ts +1 -1
- package/dist/authentication/generateAuthenticationOptions.js +4 -3
- package/dist/authentication/generateAuthenticationOptions.js.map +1 -1
- package/dist/authentication/verifyAuthenticationResponse.d.ts +5 -1
- package/dist/authentication/verifyAuthenticationResponse.js +19 -17
- package/dist/authentication/verifyAuthenticationResponse.js.map +1 -1
- package/dist/helpers/convertAAGUIDToString.d.ts +1 -1
- package/dist/helpers/convertAAGUIDToString.js +2 -1
- package/dist/helpers/convertAAGUIDToString.js.map +1 -1
- package/dist/helpers/convertCOSEtoPKCS.d.ts +1 -1
- package/dist/helpers/convertCOSEtoPKCS.js +2 -2
- package/dist/helpers/convertCOSEtoPKCS.js.map +1 -1
- package/dist/helpers/convertCertBufferToPEM.d.ts +1 -1
- package/dist/helpers/convertCertBufferToPEM.js +2 -1
- package/dist/helpers/convertCertBufferToPEM.js.map +1 -1
- package/dist/helpers/convertPublicKeyToPEM.d.ts +1 -1
- package/dist/helpers/convertPublicKeyToPEM.js +2 -1
- package/dist/helpers/convertPublicKeyToPEM.js.map +1 -1
- package/dist/helpers/decodeAttestationObject.d.ts +1 -1
- package/dist/helpers/decodeAttestationObject.js +2 -1
- package/dist/helpers/decodeAttestationObject.js.map +1 -1
- package/dist/helpers/decodeAuthenticatorExtensions.d.ts +20 -0
- package/dist/helpers/decodeAuthenticatorExtensions.js +25 -0
- package/dist/helpers/decodeAuthenticatorExtensions.js.map +1 -0
- package/dist/helpers/decodeClientDataJSON.d.ts +1 -1
- package/dist/helpers/decodeClientDataJSON.js +2 -1
- package/dist/helpers/decodeClientDataJSON.js.map +1 -1
- package/dist/helpers/decodeCredentialPublicKey.d.ts +1 -1
- package/dist/helpers/decodeCredentialPublicKey.js +2 -1
- package/dist/helpers/decodeCredentialPublicKey.js.map +1 -1
- package/dist/helpers/generateChallenge.d.ts +1 -1
- package/dist/helpers/generateChallenge.js +2 -1
- package/dist/helpers/generateChallenge.js.map +1 -1
- package/dist/helpers/getCertificateInfo.d.ts +1 -1
- package/dist/helpers/getCertificateInfo.js +2 -1
- package/dist/helpers/getCertificateInfo.js.map +1 -1
- package/dist/helpers/index.d.ts +15 -15
- package/dist/helpers/index.js +30 -33
- package/dist/helpers/index.js.map +1 -1
- package/dist/helpers/isBase64URLString.d.ts +1 -1
- package/dist/helpers/isBase64URLString.js +2 -1
- package/dist/helpers/isBase64URLString.js.map +1 -1
- package/dist/helpers/isCertRevoked.d.ts +1 -1
- package/dist/helpers/isCertRevoked.js +4 -3
- package/dist/helpers/isCertRevoked.js.map +1 -1
- package/dist/helpers/parseAuthenticatorData.d.ts +3 -1
- package/dist/helpers/parseAuthenticatorData.js +12 -7
- package/dist/helpers/parseAuthenticatorData.js.map +1 -1
- package/dist/helpers/parseBackupFlags.js.map +1 -1
- package/dist/helpers/toHash.d.ts +1 -1
- package/dist/helpers/toHash.js +2 -1
- package/dist/helpers/toHash.js.map +1 -1
- package/dist/helpers/validateCertificatePath.d.ts +1 -1
- package/dist/helpers/validateCertificatePath.js +4 -6
- package/dist/helpers/validateCertificatePath.js.map +1 -1
- package/dist/helpers/verifySignature.d.ts +1 -1
- package/dist/helpers/verifySignature.js +2 -1
- package/dist/helpers/verifySignature.js.map +1 -1
- package/dist/index.d.ts +6 -6
- package/dist/index.js +12 -15
- package/dist/index.js.map +1 -1
- package/dist/metadata/parseJWT.d.ts +1 -1
- package/dist/metadata/parseJWT.js +2 -1
- package/dist/metadata/parseJWT.js.map +1 -1
- package/dist/metadata/verifyAttestationWithMetadata.d.ts +1 -1
- package/dist/metadata/verifyAttestationWithMetadata.js +9 -11
- package/dist/metadata/verifyAttestationWithMetadata.js.map +1 -1
- package/dist/registration/generateRegistrationOptions.d.ts +1 -1
- package/dist/registration/generateRegistrationOptions.js +4 -4
- package/dist/registration/generateRegistrationOptions.js.map +1 -1
- package/dist/registration/verifications/tpm/parseCertInfo.d.ts +1 -1
- package/dist/registration/verifications/tpm/parseCertInfo.js +2 -1
- package/dist/registration/verifications/tpm/parseCertInfo.js.map +1 -1
- package/dist/registration/verifications/tpm/parsePubArea.d.ts +1 -1
- package/dist/registration/verifications/tpm/parsePubArea.js +2 -1
- package/dist/registration/verifications/tpm/parsePubArea.js.map +1 -1
- package/dist/registration/verifications/tpm/verifyAttestationTPM.d.ts +2 -0
- package/dist/registration/verifications/tpm/{verifyTPM.js → verifyAttestationTPM.js} +25 -27
- package/dist/registration/verifications/tpm/verifyAttestationTPM.js.map +1 -0
- package/dist/registration/verifications/{verifyAndroidKey.d.ts → verifyAttestationAndroidKey.d.ts} +1 -1
- package/dist/registration/verifications/{verifyAndroidKey.js → verifyAttestationAndroidKey.js} +15 -40
- package/dist/registration/verifications/verifyAttestationAndroidKey.js.map +1 -0
- package/dist/registration/verifications/{verifyAndroidSafetyNet.d.ts → verifyAttestationAndroidSafetyNet.d.ts} +1 -1
- package/dist/registration/verifications/{verifyAndroidSafetyNet.js → verifyAttestationAndroidSafetyNet.js} +17 -16
- package/dist/registration/verifications/verifyAttestationAndroidSafetyNet.js.map +1 -0
- package/dist/registration/verifications/verifyAttestationApple.d.ts +2 -0
- package/dist/registration/verifications/{verifyApple.js → verifyAttestationApple.js} +11 -13
- package/dist/registration/verifications/verifyAttestationApple.js.map +1 -0
- package/dist/registration/verifications/{verifyFIDOU2F.d.ts → verifyAttestationFIDOU2F.d.ts} +1 -1
- package/dist/registration/verifications/{verifyFIDOU2F.js → verifyAttestationFIDOU2F.js} +11 -13
- package/dist/registration/verifications/verifyAttestationFIDOU2F.js.map +1 -0
- package/dist/registration/verifications/{verifyPacked.d.ts → verifyAttestationPacked.d.ts} +1 -1
- package/dist/registration/verifications/{verifyPacked.js → verifyAttestationPacked.js} +22 -44
- package/dist/registration/verifications/verifyAttestationPacked.js.map +1 -0
- package/dist/registration/verifyRegistrationResponse.d.ts +6 -2
- package/dist/registration/verifyRegistrationResponse.js +32 -30
- package/dist/registration/verifyRegistrationResponse.js.map +1 -1
- package/dist/services/metadataService.d.ts +2 -2
- package/dist/services/metadataService.js +13 -14
- package/dist/services/metadataService.js.map +1 -1
- package/dist/services/settingsService.d.ts +3 -3
- package/dist/services/settingsService.js +9 -12
- package/dist/services/settingsService.js.map +1 -1
- package/package.json +3 -3
- package/dist/registration/verifications/tpm/verifyTPM.d.ts +0 -2
- package/dist/registration/verifications/tpm/verifyTPM.js.map +0 -1
- package/dist/registration/verifications/verifyAndroidKey.js.map +0 -1
- package/dist/registration/verifications/verifyAndroidSafetyNet.js.map +0 -1
- package/dist/registration/verifications/verifyApple.d.ts +0 -2
- package/dist/registration/verifications/verifyApple.js.map +0 -1
- package/dist/registration/verifications/verifyFIDOU2F.js.map +0 -1
- package/dist/registration/verifications/verifyPacked.js.map +0 -1
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
/**
|
|
3
3
|
* Cut up a TPM attestation's certInfo into intelligible chunks
|
|
4
4
|
*/
|
|
5
|
-
export
|
|
5
|
+
export declare function parseCertInfo(certInfo: Buffer): ParsedCertInfo;
|
|
6
6
|
declare type ParsedCertInfo = {
|
|
7
7
|
magic: number;
|
|
8
8
|
type: string;
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.parseCertInfo = void 0;
|
|
3
4
|
const constants_1 = require("./constants");
|
|
4
5
|
/**
|
|
5
6
|
* Cut up a TPM attestation's certInfo into intelligible chunks
|
|
@@ -49,5 +50,5 @@ function parseCertInfo(certInfo) {
|
|
|
49
50
|
attested,
|
|
50
51
|
};
|
|
51
52
|
}
|
|
52
|
-
exports.
|
|
53
|
+
exports.parseCertInfo = parseCertInfo;
|
|
53
54
|
//# sourceMappingURL=parseCertInfo.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"parseCertInfo.js","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/parseCertInfo.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"parseCertInfo.js","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/parseCertInfo.ts"],"names":[],"mappings":";;;AAAA,2CAA8C;AAE9C;;GAEG;AACH,SAAgB,aAAa,CAAC,QAAgB;IAC5C,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,uBAAuB;IACvB,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAEtE,+CAA+C;IAC/C,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3D,MAAM,IAAI,GAAG,kBAAM,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;IAEhD,8CAA8C;IAC9C,MAAM,qBAAqB,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACtF,MAAM,eAAe,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,qBAAqB,CAAC,CAAC,CAAC;IAEpF,4CAA4C;IAC5C,MAAM,eAAe,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAChF,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,eAAe,CAAC,CAAC,CAAC;IAExE,oEAAoE;IACpE,MAAM,eAAe,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC;IACjE,MAAM,SAAS,GAAG;QAChB,KAAK,EAAE,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;QAClC,UAAU,EAAE,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;QACxD,YAAY,EAAE,eAAe,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;QAC3D,IAAI,EAAE,CAAC,CAAC,eAAe,CAAC,EAAE,CAAC;KAC5B,CAAC;IAEF,8BAA8B;IAC9B,MAAM,eAAe,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;IAEhE,gBAAgB;IAChB,MAAM,kBAAkB,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnF,MAAM,YAAY,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,kBAAkB,CAAC,CAAC,CAAC;IAE9E,0CAA0C;IAC1C,MAAM,mBAAmB,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACpF,MAAM,aAAa,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,mBAAmB,CAAC,CAAC,CAAC;IAEhF,MAAM,QAAQ,GAAG;QACf,OAAO,EAAE,mBAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QA
C1D,aAAa,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;QACvC,IAAI,EAAE,YAAY;QAClB,aAAa;KACd,CAAC;IAEF,OAAO;QACL,KAAK;QACL,IAAI;QACJ,eAAe;QACf,SAAS;QACT,SAAS;QACT,eAAe;QACf,QAAQ;KACT,CAAC;AACJ,CAAC;AAtDD,sCAsDC"}
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
/**
|
|
3
3
|
* Break apart a TPM attestation's pubArea buffer
|
|
4
4
|
*/
|
|
5
|
-
export
|
|
5
|
+
export declare function parsePubArea(pubArea: Buffer): ParsedPubArea;
|
|
6
6
|
declare type ParsedPubArea = {
|
|
7
7
|
type: 'TPM_ALG_RSA' | 'TPM_ALG_ECC';
|
|
8
8
|
nameAlg: string;
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.parsePubArea = void 0;
|
|
3
4
|
const constants_1 = require("./constants");
|
|
4
5
|
/**
|
|
5
6
|
* Break apart a TPM attestation's pubArea buffer
|
|
@@ -63,5 +64,5 @@ function parsePubArea(pubArea) {
|
|
|
63
64
|
unique,
|
|
64
65
|
};
|
|
65
66
|
}
|
|
66
|
-
exports.
|
|
67
|
+
exports.parsePubArea = parsePubArea;
|
|
67
68
|
//# sourceMappingURL=parsePubArea.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"parsePubArea.js","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/parsePubArea.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"parsePubArea.js","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/parsePubArea.ts"],"names":[],"mappings":";;;AAAA,2CAAqD;AAErD;;GAEG;AACH,SAAgB,YAAY,CAAC,OAAe;IAC1C,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;IAC1D,MAAM,IAAI,GAAG,mBAAO,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;IAEjD,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;IAC7D,MAAM,OAAO,GAAG,mBAAO,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;IAEvD,uCAAuC;IACvC,MAAM,mBAAmB,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnF,MAAM,gBAAgB,GAAG;QACvB,QAAQ,EAAE,CAAC,CAAC,CAAC,mBAAmB,GAAG,CAAC,CAAC;QACrC,OAAO,EAAE,CAAC,CAAC,CAAC,mBAAmB,GAAG,CAAC,CAAC;QACpC,WAAW,EAAE,CAAC,CAAC,CAAC,mBAAmB,GAAG,CAAC,CAAC;QACxC,mBAAmB,EAAE,CAAC,CAAC,CAAC,mBAAmB,GAAG,EAAE,CAAC;QACjD,YAAY,EAAE,CAAC,CAAC,CAAC,mBAAmB,GAAG,EAAE,CAAC;QAC1C,eAAe,EAAE,CAAC,CAAC,CAAC,mBAAmB,GAAG,EAAE,CAAC;QAC7C,IAAI,EAAE,CAAC,CAAC,CAAC,mBAAmB,GAAG,GAAG,CAAC;QACnC,oBAAoB,EAAE,CAAC,CAAC,CAAC,mBAAmB,GAAG,IAAI,CAAC;QACpD,UAAU,EAAE,CAAC,CAAC,CAAC,mBAAmB,GAAG,KAAK,CAAC;QAC3C,OAAO,EAAE,CAAC,CAAC,CAAC,mBAAmB,GAAG,KAAK,CAAC;QACxC,aAAa,EAAE,CAAC,CAAC,CAAC,mBAAmB,GAAG,MAAM,CAAC;KAChD,CAAC;IAEF,6CAA6C;IAC7C,MAAM,gBAAgB,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAChF,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,gBAAgB,CAAC,CAAC,CAAC;IAEzE,oDAAoD;IACpD,MAAM,UAAU,GAAiD,EAAE,CAAC;IACpE,IAAI,IAAI,KAAK,aAAa,EAAE;QAC1B,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC;QAE1D,UAAU,CAAC,GAAG,GAAG;YACf,SAAS,EAAE,mBAAO,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACzD,MAAM,EAAE,mBAAO,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACtD,OAAO,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;YAC9C,QAAQ,EAAE,SAAS,CAA
C,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;SACjD,CAAC;KACH;SAAM,IAAI,IAAI,KAAK,aAAa,EAAE;QACjC,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;QAEzD,UAAU,CAAC,GAAG,GAAG;YACf,SAAS,EAAE,mBAAO,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACzD,MAAM,EAAE,mBAAO,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACtD,OAAO,EAAE,yBAAa,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC7D,GAAG,EAAE,mBAAO,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;SACpD,CAAC;KACH;SAAM;QACL,MAAM,IAAI,KAAK,CAAC,oBAAoB,IAAI,SAAS,CAAC,CAAC;KACpD;IAED,qCAAqC;IACrC,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5E,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,IAAI,YAAY,CAAC,CAAC,CAAC;IAEjE,OAAO;QACL,IAAI;QACJ,OAAO;QACP,gBAAgB;QAChB,UAAU;QACV,UAAU;QACV,MAAM;KACP,CAAC;AACJ,CAAC;AAjED,oCAiEC"}
|
|
@@ -1,23 +1,21 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
-
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
-
};
|
|
5
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.verifyAttestationTPM = void 0;
|
|
6
4
|
const asn1_schema_1 = require("@peculiar/asn1-schema");
|
|
7
5
|
const asn1_x509_1 = require("@peculiar/asn1-x509");
|
|
8
|
-
const decodeCredentialPublicKey_1 =
|
|
6
|
+
const decodeCredentialPublicKey_1 = require("../../../helpers/decodeCredentialPublicKey");
|
|
9
7
|
const convertCOSEtoPKCS_1 = require("../../../helpers/convertCOSEtoPKCS");
|
|
10
|
-
const toHash_1 =
|
|
11
|
-
const convertCertBufferToPEM_1 =
|
|
12
|
-
const validateCertificatePath_1 =
|
|
13
|
-
const getCertificateInfo_1 =
|
|
14
|
-
const verifySignature_1 =
|
|
15
|
-
const metadataService_1 =
|
|
16
|
-
const verifyAttestationWithMetadata_1 =
|
|
8
|
+
const toHash_1 = require("../../../helpers/toHash");
|
|
9
|
+
const convertCertBufferToPEM_1 = require("../../../helpers/convertCertBufferToPEM");
|
|
10
|
+
const validateCertificatePath_1 = require("../../../helpers/validateCertificatePath");
|
|
11
|
+
const getCertificateInfo_1 = require("../../../helpers/getCertificateInfo");
|
|
12
|
+
const verifySignature_1 = require("../../../helpers/verifySignature");
|
|
13
|
+
const metadataService_1 = require("../../../services/metadataService");
|
|
14
|
+
const verifyAttestationWithMetadata_1 = require("../../../metadata/verifyAttestationWithMetadata");
|
|
17
15
|
const constants_1 = require("./constants");
|
|
18
|
-
const parseCertInfo_1 =
|
|
19
|
-
const parsePubArea_1 =
|
|
20
|
-
async function
|
|
16
|
+
const parseCertInfo_1 = require("./parseCertInfo");
|
|
17
|
+
const parsePubArea_1 = require("./parsePubArea");
|
|
18
|
+
async function verifyAttestationTPM(options) {
|
|
21
19
|
var _a;
|
|
22
20
|
const { aaguid, attStmt, authData, credentialPublicKey, clientDataHash, rootCertificates } = options;
|
|
23
21
|
const { ver, sig, alg, x5c, pubArea, certInfo } = attStmt;
|
|
@@ -42,11 +40,11 @@ async function verifyTPM(options) {
|
|
|
42
40
|
if (!certInfo) {
|
|
43
41
|
throw new Error('Attestation statement did not contain certInfo (TPM)');
|
|
44
42
|
}
|
|
45
|
-
const parsedPubArea = (0, parsePubArea_1.
|
|
43
|
+
const parsedPubArea = (0, parsePubArea_1.parsePubArea)(pubArea);
|
|
46
44
|
const { unique, type: pubType, parameters } = parsedPubArea;
|
|
47
45
|
// Verify that the public key specified by the parameters and unique fields of pubArea is
|
|
48
46
|
// identical to the credentialPublicKey in the attestedCredentialData in authenticatorData.
|
|
49
|
-
const cosePublicKey = (0, decodeCredentialPublicKey_1.
|
|
47
|
+
const cosePublicKey = (0, decodeCredentialPublicKey_1.decodeCredentialPublicKey)(credentialPublicKey);
|
|
50
48
|
if (pubType === 'TPM_ALG_RSA') {
|
|
51
49
|
const n = cosePublicKey.get(convertCOSEtoPKCS_1.COSEKEYS.n);
|
|
52
50
|
const e = cosePublicKey.get(convertCOSEtoPKCS_1.COSEKEYS.e);
|
|
@@ -103,7 +101,7 @@ async function verifyTPM(options) {
|
|
|
103
101
|
else {
|
|
104
102
|
throw new Error(`Unsupported pubArea.type "${pubType}"`);
|
|
105
103
|
}
|
|
106
|
-
const parsedCertInfo = (0, parseCertInfo_1.
|
|
104
|
+
const parsedCertInfo = (0, parseCertInfo_1.parseCertInfo)(certInfo);
|
|
107
105
|
const { magic, type: certType, attested, extraData } = parsedCertInfo;
|
|
108
106
|
if (magic !== 0xff544347) {
|
|
109
107
|
throw new Error(`Unexpected magic value "${magic}", expected "0xff544347" (TPM)`);
|
|
@@ -112,7 +110,7 @@ async function verifyTPM(options) {
|
|
|
112
110
|
throw new Error(`Unexpected type "${certType}", expected "TPM_ST_ATTEST_CERTIFY" (TPM)`);
|
|
113
111
|
}
|
|
114
112
|
// Hash pubArea to create pubAreaHash using the nameAlg in attested
|
|
115
|
-
const pubAreaHash = (0, toHash_1.
|
|
113
|
+
const pubAreaHash = (0, toHash_1.toHash)(pubArea, attested.nameAlg.replace('TPM_ALG_', ''));
|
|
116
114
|
// Concatenate attested.nameAlg and pubAreaHash to create attestedName.
|
|
117
115
|
const attestedName = Buffer.concat([attested.nameAlgBuffer, pubAreaHash]);
|
|
118
116
|
// Check that certInfo.attested.name is equals to attestedName.
|
|
@@ -123,7 +121,7 @@ async function verifyTPM(options) {
|
|
|
123
121
|
const attToBeSigned = Buffer.concat([authData, clientDataHash]);
|
|
124
122
|
// Hash attToBeSigned using the algorithm specified in attStmt.alg to create attToBeSignedHash
|
|
125
123
|
const hashAlg = convertCOSEtoPKCS_1.COSEALGHASH[alg];
|
|
126
|
-
const attToBeSignedHash = (0, toHash_1.
|
|
124
|
+
const attToBeSignedHash = (0, toHash_1.toHash)(attToBeSigned, hashAlg);
|
|
127
125
|
// Check that certInfo.extraData is equals to attToBeSignedHash.
|
|
128
126
|
if (!extraData.equals(attToBeSignedHash)) {
|
|
129
127
|
throw new Error('CertInfo extra data did not equal hashed attestation (TPM)');
|
|
@@ -135,7 +133,7 @@ async function verifyTPM(options) {
|
|
|
135
133
|
throw new Error('No certificates present in x5c array (TPM)');
|
|
136
134
|
}
|
|
137
135
|
// Pick a leaf AIK certificate of the x5c array and parse it.
|
|
138
|
-
const leafCertInfo = (0, getCertificateInfo_1.
|
|
136
|
+
const leafCertInfo = (0, getCertificateInfo_1.getCertificateInfo)(x5c[0]);
|
|
139
137
|
const { basicConstraintsCA, version, subject, notAfter, notBefore } = leafCertInfo;
|
|
140
138
|
if (basicConstraintsCA) {
|
|
141
139
|
throw new Error('Certificate basic constraints CA was not `false` (TPM)');
|
|
@@ -203,10 +201,10 @@ async function verifyTPM(options) {
|
|
|
203
201
|
// TODO: If certificate contains id-fido-gen-ce-aaguid(1.3.6.1.4.1.45724.1.1.4) extension, check
|
|
204
202
|
// that it’s value is set to the same AAGUID as in authData.
|
|
205
203
|
// Run some metadata checks if a statement exists for this authenticator
|
|
206
|
-
const statement = await metadataService_1.
|
|
204
|
+
const statement = await metadataService_1.MetadataService.getStatement(aaguid);
|
|
207
205
|
if (statement) {
|
|
208
206
|
try {
|
|
209
|
-
await (0, verifyAttestationWithMetadata_1.
|
|
207
|
+
await (0, verifyAttestationWithMetadata_1.verifyAttestationWithMetadata)(statement, credentialPublicKey, x5c);
|
|
210
208
|
}
|
|
211
209
|
catch (err) {
|
|
212
210
|
const _err = err;
|
|
@@ -216,7 +214,7 @@ async function verifyTPM(options) {
|
|
|
216
214
|
else {
|
|
217
215
|
try {
|
|
218
216
|
// Try validating the certificate path using the root certificates set via SettingsService
|
|
219
|
-
await (0, validateCertificatePath_1.
|
|
217
|
+
await (0, validateCertificatePath_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM), rootCertificates);
|
|
220
218
|
}
|
|
221
219
|
catch (err) {
|
|
222
220
|
const _err = err;
|
|
@@ -225,10 +223,10 @@ async function verifyTPM(options) {
|
|
|
225
223
|
}
|
|
226
224
|
// Verify signature over certInfo with the public key extracted from AIK certificate.
|
|
227
225
|
// In the wise words of Yuriy Ackermann: "Get Martini friend, you are done!"
|
|
228
|
-
const leafCertPEM = (0, convertCertBufferToPEM_1.
|
|
229
|
-
return (0, verifySignature_1.
|
|
226
|
+
const leafCertPEM = (0, convertCertBufferToPEM_1.convertCertBufferToPEM)(x5c[0]);
|
|
227
|
+
return (0, verifySignature_1.verifySignature)(sig, certInfo, leafCertPEM, hashAlg);
|
|
230
228
|
}
|
|
231
|
-
exports.
|
|
229
|
+
exports.verifyAttestationTPM = verifyAttestationTPM;
|
|
232
230
|
/**
|
|
233
231
|
* Contain logic for pulling TPM-specific values out of subjectAlternativeName extension
|
|
234
232
|
*/
|
|
@@ -286,4 +284,4 @@ function getTcgAtTpmValues(root) {
|
|
|
286
284
|
tcgAtTpmVersion,
|
|
287
285
|
};
|
|
288
286
|
}
|
|
289
|
-
//# sourceMappingURL=
|
|
287
|
+
//# sourceMappingURL=verifyAttestationTPM.js.map
|
|
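Review bot: `const hashAlg = convertCOSEtoPKCS_1.COSEALGHASH[alg];` in the `@@ -123,7 +121,7 @@` hunk indexes the lookup table with the attestation statement's own `alg` and then hands the result to `toHash` and, in the final hunk, to `verifySignature`; unless the part of verifyAttestationTPM outside these hunks already validates `alg` against COSEALGHASH, an unrecognised value yields `undefined` and the failure presumably surfaces from inside the hash/signature helpers rather than as a clear attestation error like the other checks in this function. A guard right after the lookup, `if (!hashAlg) throw new Error('Unsupported attestation alg "' + alg + '" (TPM)');`, keeps the error reporting consistent with the surrounding `throw new Error(... (TPM))` checks. The same reasoning applies to `attested.nameAlg.replace('TPM_ALG_', '')` in the `@@ -112,7 +110,7 @@` hunk, where the hash name is taken from the parsed certInfo. The body of verifyAttestationTPM starts and ends outside the individual hunks, and the `// TODO: If certificate contains id-fido-gen-ce-aaguid(...)` check in the `@@ -203,10 +201,10 @@` hunk remains unimplemented after this rename.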
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verifyAttestationTPM.js","sourceRoot":"","sources":["../../../../src/registration/verifications/tpm/verifyAttestationTPM.ts"],"names":[],"mappings":";;;AAAA,uDAAkD;AAClD,mDAO6B;AAI7B,0FAAuF;AACvF,0EAA2E;AAC3E,oDAAiD;AACjD,oFAAiF;AACjF,sFAAmF;AACnF,4EAAyE;AACzE,sEAAmE;AACnE,uEAAoE;AACpE,mGAAgG;AAEhG,2CAA+D;AAC/D,mDAAgD;AAChD,iDAA8C;AAEvC,KAAK,UAAU,oBAAoB,CAAC,OAAsC;;IAC/E,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,mBAAmB,EAAE,cAAc,EAAE,gBAAgB,EAAE,GACxF,OAAO,CAAC;IACV,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAE1D;;OAEG;IACH,IAAI,GAAG,KAAK,KAAK,EAAE;QACjB,MAAM,IAAI,KAAK,CAAC,mBAAmB,GAAG,yBAAyB,CAAC,CAAC;KAClE;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;KACpE;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;KACvF;IAED,IAAI,CAAC,OAAO,EAAE;QACZ,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;KACxE;IAED,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;KACzE;IAED,MAAM,aAAa,GAAG,IAAA,2BAAY,EAAC,OAAO,CAAC,CAAC;IAC5C,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,aAAa,CAAC;IAE5D,yFAAyF;IACzF,2FAA2F;IAC3F,MAAM,aAAa,GAAG,IAAA,qDAAyB,EAAC,mBAAmB,CAAC,CAAC;IAErE,IAAI,OAAO,KAAK,aAAa,EAAE;QAC7B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CAAC;QAExC,IAAI,CAAC,CAAC,EAAE;YACN,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;SACxD;QACD,IAAI,CAAC,CAAC,EAAE;YACN,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;SACxD;QAED,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAW,CAAC,EAAE;YAC/B,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;SAChF;QAED,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE;YACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;SACrF;QAED,MAAM,OAAO,GAAG,CAAW,CAAC;QAC5B,8FAA8F;QAC9F,MAAM,eAAe,GAAG,UAAU,CAAC,GAAG,CAAC,QAAQ,IAAI,KAAK,CAAC;QAEzD,4CAA4C;QAC5C,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAEjE,
IAAI,eAAe,KAAK,IAAI,EAAE;YAC5B,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,cAAc,eAAe,YAAY,CAAC,CAAC;SAC7F;KACF;SAAM,IAAI,OAAO,KAAK,aAAa,EAAE;QACpC;;;WAGG;QACH,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CAAC;QAExC,IAAI,CAAC,GAAG,EAAE;YACR,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;SAC1D;QACD,IAAI,CAAC,CAAC,EAAE;YACN,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;SACxD;QACD,IAAI,CAAC,CAAC,EAAE;YACN,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;SACxD;QAED,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAW,EAAE,CAAW,CAAC,CAAC,CAAC,EAAE;YAC7D,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;SAC/E;QAED,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE;YACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;SACrF;QAED,MAAM,cAAc,GAAG,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC;QAC9C,MAAM,aAAa,GAAG,yBAAa,CAAE,GAAc,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;QACrE,IAAI,cAAc,KAAK,aAAa,EAAE;YACpC,MAAM,IAAI,KAAK,CACb,mCAAmC,aAAa,gBAAgB,cAAc,aAAa,CAC5F,CAAC;SACH;KACF;SAAM;QACL,MAAM,IAAI,KAAK,CAAC,6BAA6B,OAAO,GAAG,CAAC,CAAC;KAC1D;IAED,MAAM,cAAc,GAAG,IAAA,6BAAa,EAAC,QAAQ,CAAC,CAAC;IAC/C,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,cAAc,CAAC;IAEtE,IAAI,KAAK,KAAK,UAAU,EAAE;QACxB,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,gCAAgC,CAAC,CAAC;KACnF;IAED,IAAI,QAAQ,KAAK,uBAAuB,EAAE;QACxC,MAAM,IAAI,KAAK,CAAC,oBAAoB,QAAQ,2CAA2C,CAAC,CAAC;KAC1F;IAED,mEAAmE;IACnE,MAAM,WAAW,GAAG,IAAA,eAAM,EAAC,OAAO,EAAE,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC;IAE9E,uEAAuE;IACvE,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC,CAAC;IAE1E,+DAA+D;IAC/D,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE;QACvC,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;KAC1D;IAED,mEAAmE;IACnE,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAEhE,8FAA8F;IAC9F,MAAM,OAAO,GAAW,+BAAW,CAAC,GAAa,CAAC,CAAC;IACnD,MAAM,iBAAiB,GAAG,IAAA,eAAM,EAAC,aAAa,EAAE,OAAO,CAAC,CAAC;IAEzD,gEAAgE;IAChE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,i
BAAiB,CAAC,EAAE;QACxC,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;KAC/E;IAED;;OAEG;IACH,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE;QAClB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;KAC/D;IAED,6DAA6D;IAC7D,MAAM,YAAY,GAAG,IAAA,uCAAkB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,MAAM,EAAE,kBAAkB,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,YAAY,CAAC;IAEnF,IAAI,kBAAkB,EAAE;QACtB,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;KAC3E;IAED,mEAAmE;IACnE,IAAI,OAAO,KAAK,CAAC,EAAE;QACjB,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;KAC7E;IAED,wCAAwC;IACxC,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE;QACnC,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;KAC5D;IAED,4CAA4C;IAC5C,IAAI,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACrB,IAAI,SAAS,GAAG,GAAG,EAAE;QACnB,MAAM,IAAI,KAAK,CAAC,gCAAgC,SAAS,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;KAChF;IAED,yCAAyC;IACzC,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACjB,IAAI,QAAQ,GAAG,GAAG,EAAE;QAClB,MAAM,IAAI,KAAK,CAAC,+BAA+B,QAAQ,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;KAC9E;IAED;;OAEG;IACH,MAAM,UAAU,GAAG,uBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,uBAAW,CAAC,CAAC;IAExD,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,UAAU,EAAE;QACzC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;KAC7D;IAED,IAAI,qBAAyD,CAAC;IAC9D,IAAI,WAAyC,CAAC;IAC9C,UAAU,CAAC,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE;QACjD,IAAI,GAAG,CAAC,MAAM,KAAK,gCAAoB,EAAE;YACvC,qBAAqB,GAAG,uBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,kCAAsB,CAAC,CAAC;SAChF;aAAM,IAAI,GAAG,CAAC,MAAM,KAAK,6BAAiB,EAAE;YAC3C,WAAW,GAAG,uBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,4BAAgB,CAAC,CAAC;SAChE;IACH,CAAC,CAAC,CAAC;IAEH,wEAAwE;IACxE,IAAI,CAAC,qBAAqB,EAAE;QAC1B,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;KAC/E;IAED,6FAA6F;IAC7F,SAAS;IACT,IAAI,CAAC,CAAA,MAAA,qBAAqB,CAAC,CAAC,CAAC,CAAC,aAAa,0CAAG,CAAC,EAAE,MAAM,CAAA,EAAE;QACvD,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;KACvF;IAED,MAAM,EAAE,oBAAoB,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,iBAAiB,CAChF,qBAAqB,CAAC,CAAC,CAAC,CAAC,aAAa,CACvC,CAAC;IAEF,IAAI,CAAC,oBAAoB,IAAI,CAAC,aAAa,IAAI,CAAC,eAAe,EAAE;QAC/D,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;KAC/E;IAED,IAAI,CAAC,WAAW,EAAE;QAChB,MAAM,IAAI,KAAK,C
AAC,8DAA8D,CAAC,CAAC;KACjF;IAED,yFAAyF;IACzF,IAAI,CAAC,6BAAiB,CAAC,oBAAoB,CAAC,EAAE;QAC5C,MAAM,IAAI,KAAK,CAAC,qCAAqC,oBAAoB,SAAS,CAAC,CAAC;KACrF;IAED,wFAAwF;IACxF,4CAA4C;IAC5C,IAAI,WAAW,CAAC,CAAC,CAAC,KAAK,cAAc,EAAE;QACrC,MAAM,IAAI,KAAK,CAAC,2BAA2B,WAAW,CAAC,CAAC,CAAC,kCAAkC,CAAC,CAAC;KAC9F;IAED,gGAAgG;IAChG,4DAA4D;IAE5D,wEAAwE;IACxE,MAAM,SAAS,GAAG,MAAM,iCAAe,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC7D,IAAI,SAAS,EAAE;QACb,IAAI;YACF,MAAM,IAAA,6DAA6B,EAAC,SAAS,EAAE,mBAAmB,EAAE,GAAG,CAAC,CAAC;SAC1E;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,GAAG,GAAY,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,QAAQ,CAAC,CAAC;SAC1C;KACF;SAAM;QACL,IAAI;YACF,0FAA0F;YAC1F,MAAM,IAAA,iDAAuB,EAAC,GAAG,CAAC,GAAG,CAAC,+CAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;SAClF;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,GAAG,GAAY,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,QAAQ,CAAC,CAAC;SAC1C;KACF;IAED,qFAAqF;IACrF,4EAA4E;IAC5E,MAAM,WAAW,GAAG,IAAA,+CAAsB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACnD,OAAO,IAAA,iCAAe,EAAC,GAAG,EAAE,QAAQ,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;AAC9D,CAAC;AAhQD,oDAgQC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,IAAU;IAKnC,MAAM,eAAe,GAAG,cAAc,CAAC;IACvC,MAAM,QAAQ,GAAG,cAAc,CAAC;IAChC,MAAM,UAAU,GAAG,cAAc,CAAC;IAElC,IAAI,oBAAwC,CAAC;IAC7C,IAAI,aAAiC,CAAC;IACtC,IAAI,eAAmC,CAAC;IAExC;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACH,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE;QACrB,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE;YACrB,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE;gBACjC,oBAAoB,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;aAC9C;iBAAM,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE;gBACjC,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;aACvC;iBAAM,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,EAAE;gBACnC,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;aACzC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,oBAAoB;QACpB,aAAa;QACb,eAAe;KAChB,CAAC;AACJ,CAAC"}
|
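--- a/package/dist/registration/verifications/verifyAndroidKey.d.ts
+++ b/package/dist/registration/verifications/verifyAttestationAndroidKey.d.ts
@@ -2,4 +2,4 @@ import type { AttestationFormatVerifierOpts } from '../verifyRegistrationRespons
 /**
 * Verify an attestation response with fmt 'android-key'
 */
-export
+export declare function verifyAttestationAndroidKey(options: AttestationFormatVerifierOpts): Promise<boolean>;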
package/dist/registration/verifications/{verifyAndroidKey.js → verifyAttestationAndroidKey.js}
RENAMED
|
@@ -1,40 +1,15 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
-
if (k2 === undefined) k2 = k;
|
|
4
|
-
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
-
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
-
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
-
}
|
|
8
|
-
Object.defineProperty(o, k2, desc);
|
|
9
|
-
}) : (function(o, m, k, k2) {
|
|
10
|
-
if (k2 === undefined) k2 = k;
|
|
11
|
-
o[k2] = m[k];
|
|
12
|
-
}));
|
|
13
|
-
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
14
|
-
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
15
|
-
}) : function(o, v) {
|
|
16
|
-
o["default"] = v;
|
|
17
|
-
});
|
|
18
|
-
var __importStar = (this && this.__importStar) || function (mod) {
|
|
19
|
-
if (mod && mod.__esModule) return mod;
|
|
20
|
-
var result = {};
|
|
21
|
-
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
|
|
22
|
-
__setModuleDefault(result, mod);
|
|
23
|
-
return result;
|
|
24
|
-
};
|
|
25
|
-
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
26
|
-
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
27
|
-
};
|
|
28
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.verifyAttestationAndroidKey = void 0;
|
|
29
4
|
const asn1_schema_1 = require("@peculiar/asn1-schema");
|
|
30
5
|
const asn1_x509_1 = require("@peculiar/asn1-x509");
|
|
31
6
|
const asn1_android_1 = require("@peculiar/asn1-android");
|
|
32
|
-
const convertCertBufferToPEM_1 =
|
|
33
|
-
const validateCertificatePath_1 =
|
|
34
|
-
const verifySignature_1 =
|
|
35
|
-
const convertCOSEtoPKCS_1 =
|
|
36
|
-
const metadataService_1 =
|
|
37
|
-
const verifyAttestationWithMetadata_1 =
|
|
7
|
+
const convertCertBufferToPEM_1 = require("../../helpers/convertCertBufferToPEM");
|
|
8
|
+
const validateCertificatePath_1 = require("../../helpers/validateCertificatePath");
|
|
9
|
+
const verifySignature_1 = require("../../helpers/verifySignature");
|
|
10
|
+
const convertCOSEtoPKCS_1 = require("../../helpers/convertCOSEtoPKCS");
|
|
11
|
+
const metadataService_1 = require("../../services/metadataService");
|
|
12
|
+
const verifyAttestationWithMetadata_1 = require("../../metadata/verifyAttestationWithMetadata");
|
|
38
13
|
/**
|
|
39
14
|
* Verify an attestation response with fmt 'android-key'
|
|
40
15
|
*/
|
|
@@ -56,7 +31,7 @@ async function verifyAttestationAndroidKey(options) {
|
|
|
56
31
|
const parsedCert = asn1_schema_1.AsnParser.parse(x5c[0], asn1_x509_1.Certificate);
|
|
57
32
|
const parsedCertPubKey = Buffer.from(parsedCert.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey);
|
|
58
33
|
// Convert the credentialPublicKey to PKCS
|
|
59
|
-
const credPubKeyPKCS = (0, convertCOSEtoPKCS_1.
|
|
34
|
+
const credPubKeyPKCS = (0, convertCOSEtoPKCS_1.convertCOSEtoPKCS)(credentialPublicKey);
|
|
60
35
|
if (!credPubKeyPKCS.equals(parsedCertPubKey)) {
|
|
61
36
|
throw new Error('Credential public key does not equal leaf cert public key (AndroidKey)');
|
|
62
37
|
}
|
|
@@ -79,10 +54,10 @@ async function verifyAttestationAndroidKey(options) {
|
|
|
79
54
|
if (softwareEnforced.allApplications !== undefined) {
|
|
80
55
|
throw new Error('teeEnforced contained "allApplications [600]" tag (AndroidKey)');
|
|
81
56
|
}
|
|
82
|
-
const statement = await metadataService_1.
|
|
57
|
+
const statement = await metadataService_1.MetadataService.getStatement(aaguid);
|
|
83
58
|
if (statement) {
|
|
84
59
|
try {
|
|
85
|
-
await (0, verifyAttestationWithMetadata_1.
|
|
60
|
+
await (0, verifyAttestationWithMetadata_1.verifyAttestationWithMetadata)(statement, credentialPublicKey, x5c);
|
|
86
61
|
}
|
|
87
62
|
catch (err) {
|
|
88
63
|
const _err = err;
|
|
@@ -92,7 +67,7 @@ async function verifyAttestationAndroidKey(options) {
|
|
|
92
67
|
else {
|
|
93
68
|
try {
|
|
94
69
|
// Try validating the certificate path using the root certificates set via SettingsService
|
|
95
|
-
await (0, validateCertificatePath_1.
|
|
70
|
+
await (0, validateCertificatePath_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM), rootCertificates);
|
|
96
71
|
}
|
|
97
72
|
catch (err) {
|
|
98
73
|
const _err = err;
|
|
@@ -100,9 +75,9 @@ async function verifyAttestationAndroidKey(options) {
|
|
|
100
75
|
}
|
|
101
76
|
}
|
|
102
77
|
const signatureBase = Buffer.concat([authData, clientDataHash]);
|
|
103
|
-
const leafCertPEM = (0, convertCertBufferToPEM_1.
|
|
78
|
+
const leafCertPEM = (0, convertCertBufferToPEM_1.convertCertBufferToPEM)(x5c[0]);
|
|
104
79
|
const hashAlg = convertCOSEtoPKCS_1.COSEALGHASH[alg];
|
|
105
|
-
return (0, verifySignature_1.
|
|
80
|
+
return (0, verifySignature_1.verifySignature)(sig, signatureBase, leafCertPEM, hashAlg);
|
|
106
81
|
}
|
|
107
|
-
exports.
|
|
108
|
-
//# sourceMappingURL=
|
|
82
|
+
exports.verifyAttestationAndroidKey = verifyAttestationAndroidKey;
|
|
83
|
+
//# sourceMappingURL=verifyAttestationAndroidKey.js.map
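Review bot: The guard on `softwareEnforced.allApplications` in the `@@ -79,10 +54,10 @@` hunk throws with a message that names `teeEnforced`, so a key rejected for carrying the tag in its software-enforced list is reported as a TEE-enforced failure; the line should read `throw new Error('softwareEnforced contained "allApplications [600]" tag (AndroidKey)');`. The source map emitted alongside shows the same message string for both the teeEnforced and the softwareEnforced checks, so the fix belongs in src/registration/verifications/verifyAttestationAndroidKey.ts, not in this compiled output. Separately, `const hashAlg = convertCOSEtoPKCS_1.COSEALGHASH[alg];` passes `undefined` to verifySignature when `alg` is not in the table; whether that falls back to a default digest or throws is not visible here, so an explicit `if (!hashAlg) throw new Error('Unsupported alg (AndroidKey)');` would make an unknown algorithm fail closed. The rename itself is mechanical, and the function body starts and ends outside the visible hunks.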
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verifyAttestationAndroidKey.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAttestationAndroidKey.ts"],"names":[],"mappings":";;;AAAA,uDAAkD;AAClD,mDAAkD;AAClD,yDAA8E;AAI9E,iFAA8E;AAC9E,mFAAgF;AAChF,mEAAgE;AAChE,uEAAiF;AACjF,oEAAiE;AACjE,gGAA6F;AAE7F;;GAEG;AACI,KAAK,UAAU,2BAA2B,CAC/C,OAAsC;;IAEtC,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,mBAAmB,EAAE,MAAM,EAAE,gBAAgB,EAAE,GACxF,OAAO,CAAC;IACV,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAElC,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,2EAA2E,CAAC,CAAC;KAC9F;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAC;KAC5F;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;KAC3E;IAED,uFAAuF;IACvF,kDAAkD;IAClD,MAAM,UAAU,GAAG,uBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,uBAAW,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAClC,UAAU,CAAC,cAAc,CAAC,oBAAoB,CAAC,gBAAgB,CAChE,CAAC;IAEF,0CAA0C;IAC1C,MAAM,cAAc,GAAG,IAAA,qCAAiB,EAAC,mBAAmB,CAAC,CAAC;IAE9D,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE;QAC5C,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;KAC3F;IAED,4DAA4D;IAC5D,MAAM,WAAW,GAAG,MAAA,UAAU,CAAC,cAAc,CAAC,UAAU,0CAAE,IAAI,CAC5D,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,MAAM,KAAK,mCAAoB,CAC3C,CAAC;IAEF,IAAI,CAAC,WAAW,EAAE;QAChB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;KACzE;IAED,MAAM,iBAAiB,GAAG,uBAAS,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,EAAE,6BAAc,CAAC,CAAC;IAEjF,4BAA4B;IAC5B,MAAM,EAAE,oBAAoB,EAAE,WAAW,EAAE,gBAAgB,EAAE,GAAG,iBAAiB,CAAC;IAElF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE;QACpE,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;KACzF;IAED,4FAA4F;IAC5F,aAAa;IACb,IAAI,WAAW,CAAC,eAAe,KAAK,SAAS,EAAE;QAC7C,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;KACnF;IAED,IAAI,gBAAgB,CAAC,eAAe,KAAK,SAAS,EAAE;QAClD,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;KACnF;IAED,MAAM,SAAS,GAAG,MAAM,iCAAe,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC7D,IAAI,SAAS,EAAE;QACb,IAAI;YACF,MAAM,IAAA,6DAA6B,EAAC,SAAS,EAAE,mBAAmB,EAAE,GAAG,CAAC,CAAC;SAC1E;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,GA
AG,GAAY,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,eAAe,CAAC,CAAC;SACjD;KACF;SAAM;QACL,IAAI;YACF,0FAA0F;YAC1F,MAAM,IAAA,iDAAuB,EAAC,GAAG,CAAC,GAAG,CAAC,+CAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;SAClF;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,GAAG,GAAY,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,eAAe,CAAC,CAAC;SACjD;KACF;IAED,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAChE,MAAM,WAAW,GAAG,IAAA,+CAAsB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACnD,MAAM,OAAO,GAAG,+BAAW,CAAC,GAAa,CAAC,CAAC;IAE3C,OAAO,IAAA,iCAAe,EAAC,GAAG,EAAE,aAAa,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;AACnE,CAAC;AApFD,kEAoFC"}
|
|
@@ -2,4 +2,4 @@ import type { AttestationFormatVerifierOpts } from '../verifyRegistrationRespons
|
|
|
2
2
|
/**
|
|
3
3
|
* Verify an attestation response with fmt 'android-safetynet'
|
|
4
4
|
*/
|
|
5
|
-
export
|
|
5
|
+
export declare function verifyAttestationAndroidSafetyNet(options: AttestationFormatVerifierOpts): Promise<boolean>;
|
|
@@ -3,14 +3,15 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
|
3
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
4
|
};
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
+
exports.verifyAttestationAndroidSafetyNet = void 0;
|
|
6
7
|
const base64url_1 = __importDefault(require("base64url"));
|
|
7
|
-
const toHash_1 =
|
|
8
|
-
const verifySignature_1 =
|
|
9
|
-
const getCertificateInfo_1 =
|
|
10
|
-
const validateCertificatePath_1 =
|
|
11
|
-
const convertCertBufferToPEM_1 =
|
|
12
|
-
const metadataService_1 =
|
|
13
|
-
const verifyAttestationWithMetadata_1 =
|
|
8
|
+
const toHash_1 = require("../../helpers/toHash");
|
|
9
|
+
const verifySignature_1 = require("../../helpers/verifySignature");
|
|
10
|
+
const getCertificateInfo_1 = require("../../helpers/getCertificateInfo");
|
|
11
|
+
const validateCertificatePath_1 = require("../../helpers/validateCertificatePath");
|
|
12
|
+
const convertCertBufferToPEM_1 = require("../../helpers/convertCertBufferToPEM");
|
|
13
|
+
const metadataService_1 = require("../../services/metadataService");
|
|
14
|
+
const verifyAttestationWithMetadata_1 = require("../../metadata/verifyAttestationWithMetadata");
|
|
14
15
|
/**
|
|
15
16
|
* Verify an attestation response with fmt 'android-safetynet'
|
|
16
17
|
*/
|
|
@@ -47,7 +48,7 @@ async function verifyAttestationAndroidSafetyNet(options) {
|
|
|
47
48
|
}
|
|
48
49
|
}
|
|
49
50
|
const nonceBase = Buffer.concat([authData, clientDataHash]);
|
|
50
|
-
const nonceBuffer = (0, toHash_1.
|
|
51
|
+
const nonceBuffer = (0, toHash_1.toHash)(nonceBase);
|
|
51
52
|
const expectedNonce = nonceBuffer.toString('base64');
|
|
52
53
|
if (nonce !== expectedNonce) {
|
|
53
54
|
throw new Error('Could not verify payload nonce (SafetyNet)');
|
|
@@ -62,17 +63,17 @@ async function verifyAttestationAndroidSafetyNet(options) {
|
|
|
62
63
|
* START Verify Header
|
|
63
64
|
*/
|
|
64
65
|
const leafCertBuffer = base64url_1.default.toBuffer(HEADER.x5c[0]);
|
|
65
|
-
const leafCertInfo = (0, getCertificateInfo_1.
|
|
66
|
+
const leafCertInfo = (0, getCertificateInfo_1.getCertificateInfo)(leafCertBuffer);
|
|
66
67
|
const { subject } = leafCertInfo;
|
|
67
68
|
// Ensure the certificate was issued to this hostname
|
|
68
69
|
// See https://developer.android.com/training/safetynet/attestation#verify-attestation-response
|
|
69
70
|
if (subject.CN !== 'attest.android.com') {
|
|
70
71
|
throw new Error('Certificate common name was not "attest.android.com" (SafetyNet)');
|
|
71
72
|
}
|
|
72
|
-
const statement = await metadataService_1.
|
|
73
|
+
const statement = await metadataService_1.MetadataService.getStatement(aaguid);
|
|
73
74
|
if (statement) {
|
|
74
75
|
try {
|
|
75
|
-
await (0, verifyAttestationWithMetadata_1.
|
|
76
|
+
await (0, verifyAttestationWithMetadata_1.verifyAttestationWithMetadata)(statement, credentialPublicKey, HEADER.x5c);
|
|
76
77
|
}
|
|
77
78
|
catch (err) {
|
|
78
79
|
const _err = err;
|
|
@@ -82,7 +83,7 @@ async function verifyAttestationAndroidSafetyNet(options) {
|
|
|
82
83
|
else {
|
|
83
84
|
try {
|
|
84
85
|
// Try validating the certificate path using the root certificates set via SettingsService
|
|
85
|
-
await (0, validateCertificatePath_1.
|
|
86
|
+
await (0, validateCertificatePath_1.validateCertificatePath)(HEADER.x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM), rootCertificates);
|
|
86
87
|
}
|
|
87
88
|
catch (err) {
|
|
88
89
|
const _err = err;
|
|
@@ -97,12 +98,12 @@ async function verifyAttestationAndroidSafetyNet(options) {
|
|
|
97
98
|
*/
|
|
98
99
|
const signatureBaseBuffer = Buffer.from(`${jwtParts[0]}.${jwtParts[1]}`);
|
|
99
100
|
const signatureBuffer = base64url_1.default.toBuffer(SIGNATURE);
|
|
100
|
-
const leafCertPEM = (0, convertCertBufferToPEM_1.
|
|
101
|
-
const verified = (0, verifySignature_1.
|
|
101
|
+
const leafCertPEM = (0, convertCertBufferToPEM_1.convertCertBufferToPEM)(leafCertBuffer);
|
|
102
|
+
const verified = (0, verifySignature_1.verifySignature)(signatureBuffer, signatureBaseBuffer, leafCertPEM);
|
|
102
103
|
/**
|
|
103
104
|
* END Verify Signature
|
|
104
105
|
*/
|
|
105
106
|
return verified;
|
|
106
107
|
}
|
|
107
|
-
exports.
|
|
108
|
-
//# sourceMappingURL=
|
|
108
|
+
exports.verifyAttestationAndroidSafetyNet = verifyAttestationAndroidSafetyNet;
|
|
109
|
+
//# sourceMappingURL=verifyAttestationAndroidSafetyNet.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verifyAttestationAndroidSafetyNet.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAttestationAndroidSafetyNet.ts"],"names":[],"mappings":";;;;;;AAAA,0DAAkC;AAIlC,iDAA8C;AAC9C,mEAAgE;AAChE,yEAAsE;AACtE,mFAAgF;AAChF,iFAA8E;AAC9E,oEAAiE;AACjE,gGAA6F;AAE7F;;GAEG;AACI,KAAK,UAAU,iCAAiC,CACrD,OAAsC;IAEtC,MAAM,EACJ,OAAO,EACP,cAAc,EACd,QAAQ,EACR,MAAM,EACN,gBAAgB,EAChB,iBAAiB,GAAG,IAAI,EACxB,mBAAmB,GACpB,GAAG,OAAO,CAAC;IACZ,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAElC,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;KAC5D;IAED,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,0BAA0B;IAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEhC,MAAM,MAAM,GAAuB,IAAI,CAAC,KAAK,CAAC,mBAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAwB,IAAI,CAAC,KAAK,CAAC,mBAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/E,MAAM,SAAS,GAA0B,QAAQ,CAAC,CAAC,CAAC,CAAC;IAErD;;OAEG;IACH,MAAM,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;IAExD,IAAI,iBAAiB,EAAE;QACrB,qCAAqC;QACrC,IAAI,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACrB,IAAI,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE;YAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,WAAW,qBAAqB,GAAG,eAAe,CAAC,CAAC;SAC3F;QAED,+EAA+E;QAC/E,MAAM,kBAAkB,GAAG,WAAW,GAAG,EAAE,GAAG,IAAI,CAAC;QACnD,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACjB,IAAI,kBAAkB,GAAG,GAAG,EAAE;YAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,kBAAkB,2BAA2B,CAAC,CAAC;SACtF;KACF;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAC5D,MAAM,WAAW,GAAG,IAAA,eAAM,EAAC,SAAS,CAAC,CAAC;IACtC,MAAM,aAAa,GAAG,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAErD,IAAI,KAAK,KAAK,aAAa,EAAE;QAC3B,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;KAC/D;IAED,IAAI,CAAC,eAAe,EAAE;QACpB,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;KAClE;IACD;;OAEG;IAEH;;OAEG;IACH,MAAM,cAAc,GAAG,mBAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACzD,MAAM,YAAY,GAAG,IAAA,uCAAkB,EAAC,cAAc,CAAC,CAAC;IA
ExD,MAAM,EAAE,OAAO,EAAE,GAAG,YAAY,CAAC;IAEjC,qDAAqD;IACrD,+FAA+F;IAC/F,IAAI,OAAO,CAAC,EAAE,KAAK,oBAAoB,EAAE;QACvC,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,MAAM,SAAS,GAAG,MAAM,iCAAe,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC7D,IAAI,SAAS,EAAE;QACb,IAAI;YACF,MAAM,IAAA,6DAA6B,EAAC,SAAS,EAAE,mBAAmB,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;SACjF;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,GAAG,GAAY,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,cAAc,CAAC,CAAC;SAChD;KACF;SAAM;QACL,IAAI;YACF,0FAA0F;YAC1F,MAAM,IAAA,iDAAuB,EAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,+CAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;SACzF;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,GAAG,GAAY,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,cAAc,CAAC,CAAC;SAChD;KACF;IACD;;OAEG;IAEH;;OAEG;IACH,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACzE,MAAM,eAAe,GAAG,mBAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAEtD,MAAM,WAAW,GAAG,IAAA,+CAAsB,EAAC,cAAc,CAAC,CAAC;IAC3D,MAAM,QAAQ,GAAG,IAAA,iCAAe,EAAC,eAAe,EAAE,mBAAmB,EAAE,WAAW,CAAC,CAAC;IACpF;;OAEG;IAEH,OAAO,QAAQ,CAAC;AAClB,CAAC;AAjHD,8EAiHC"}
|
|
@@ -1,15 +1,13 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
-
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
-
};
|
|
5
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.verifyAttestationApple = void 0;
|
|
6
4
|
const asn1_schema_1 = require("@peculiar/asn1-schema");
|
|
7
5
|
const asn1_x509_1 = require("@peculiar/asn1-x509");
|
|
8
|
-
const validateCertificatePath_1 =
|
|
9
|
-
const convertCertBufferToPEM_1 =
|
|
10
|
-
const toHash_1 =
|
|
11
|
-
const convertCOSEtoPKCS_1 =
|
|
12
|
-
async function
|
|
6
|
+
const validateCertificatePath_1 = require("../../helpers/validateCertificatePath");
|
|
7
|
+
const convertCertBufferToPEM_1 = require("../../helpers/convertCertBufferToPEM");
|
|
8
|
+
const toHash_1 = require("../../helpers/toHash");
|
|
9
|
+
const convertCOSEtoPKCS_1 = require("../../helpers/convertCOSEtoPKCS");
|
|
10
|
+
async function verifyAttestationApple(options) {
|
|
13
11
|
const { attStmt, authData, clientDataHash, credentialPublicKey, rootCertificates } = options;
|
|
14
12
|
const { x5c } = attStmt;
|
|
15
13
|
if (!x5c) {
|
|
@@ -19,7 +17,7 @@ async function verifyApple(options) {
|
|
|
19
17
|
* Verify certificate path
|
|
20
18
|
*/
|
|
21
19
|
try {
|
|
22
|
-
await (0, validateCertificatePath_1.
|
|
20
|
+
await (0, validateCertificatePath_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM), rootCertificates);
|
|
23
21
|
}
|
|
24
22
|
catch (err) {
|
|
25
23
|
const _err = err;
|
|
@@ -38,7 +36,7 @@ async function verifyApple(options) {
|
|
|
38
36
|
throw new Error('credCert missing "1.2.840.113635.100.8.2" extension (Apple)');
|
|
39
37
|
}
|
|
40
38
|
const nonceToHash = Buffer.concat([authData, clientDataHash]);
|
|
41
|
-
const nonce = (0, toHash_1.
|
|
39
|
+
const nonce = (0, toHash_1.toHash)(nonceToHash, 'SHA256');
|
|
42
40
|
/**
|
|
43
41
|
* Ignore the first six ASN.1 structure bytes that define the nonce as an OCTET STRING. Should
|
|
44
42
|
* trim off <Buffer 30 24 a1 22 04 20>
|
|
@@ -53,12 +51,12 @@ async function verifyApple(options) {
|
|
|
53
51
|
/**
|
|
54
52
|
* Verify credential public key matches the Subject Public Key of credCert
|
|
55
53
|
*/
|
|
56
|
-
const credPubKeyPKCS = (0, convertCOSEtoPKCS_1.
|
|
54
|
+
const credPubKeyPKCS = (0, convertCOSEtoPKCS_1.convertCOSEtoPKCS)(credentialPublicKey);
|
|
57
55
|
const credCertSubjectPublicKey = Buffer.from(subjectPublicKeyInfo.subjectPublicKey);
|
|
58
56
|
if (!credPubKeyPKCS.equals(credCertSubjectPublicKey)) {
|
|
59
57
|
throw new Error('Credential public key does not equal credCert public key (Apple)');
|
|
60
58
|
}
|
|
61
59
|
return true;
|
|
62
60
|
}
|
|
63
|
-
exports.
|
|
64
|
-
//# sourceMappingURL=
|
|
61
|
+
exports.verifyAttestationApple = verifyAttestationApple;
|
|
62
|
+
//# sourceMappingURL=verifyAttestationApple.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verifyAttestationApple.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAttestationApple.ts"],"names":[],"mappings":";;;AAAA,uDAAkD;AAClD,mDAAkD;AAIlD,mFAAgF;AAChF,iFAA8E;AAC9E,iDAA8C;AAC9C,uEAAoE;AAE7D,KAAK,UAAU,sBAAsB,CAC1C,OAAsC;IAEtC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,GAAG,OAAO,CAAC;IAC7F,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAExB,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;KACzF;IAED;;OAEG;IACH,IAAI;QACF,MAAM,IAAA,iDAAuB,EAAC,GAAG,CAAC,GAAG,CAAC,+CAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;KAClF;IAAC,OAAO,GAAG,EAAE;QACZ,MAAM,IAAI,GAAG,GAAY,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,UAAU,CAAC,CAAC;KAC5C;IAED;;OAEG;IACH,MAAM,cAAc,GAAG,uBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,uBAAW,CAAC,CAAC;IAC5D,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,GAAG,cAAc,CAAC,cAAc,CAAC;IAE3E,IAAI,CAAC,UAAU,EAAE;QACf,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;KACxD;IAED,MAAM,YAAY,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,MAAM,KAAK,wBAAwB,CAAC,CAAC;IAErF,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;KAChF;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAC9D,MAAM,KAAK,GAAG,IAAA,eAAM,EAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAC5C;;;;;;OAMG;IACH,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAErE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE;QAC3B,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;KAClE;IAED;;OAEG;IACH,MAAM,cAAc,GAAG,IAAA,qCAAiB,EAAC,mBAAmB,CAAC,CAAC;IAC9D,MAAM,wBAAwB,GAAG,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,gBAAgB,CAAC,CAAC;IAEpF,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,wBAAwB,CAAC,EAAE;QACpD,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AA9DD,wDA8DC"}
|
package/dist/registration/verifications/{verifyFIDOU2F.d.ts → verifyAttestationFIDOU2F.d.ts}
RENAMED
|
@@ -2,4 +2,4 @@ import type { AttestationFormatVerifierOpts } from '../verifyRegistrationRespons
|
|
|
2
2
|
/**
|
|
3
3
|
* Verify an attestation response with fmt 'fido-u2f'
|
|
4
4
|
*/
|
|
5
|
-
export
|
|
5
|
+
export declare function verifyAttestationFIDOU2F(options: AttestationFormatVerifierOpts): Promise<boolean>;
|
|
@@ -1,19 +1,17 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
-
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
-
};
|
|
5
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
-
|
|
7
|
-
const
|
|
8
|
-
const
|
|
9
|
-
const
|
|
3
|
+
exports.verifyAttestationFIDOU2F = void 0;
|
|
4
|
+
const convertCOSEtoPKCS_1 = require("../../helpers/convertCOSEtoPKCS");
|
|
5
|
+
const convertCertBufferToPEM_1 = require("../../helpers/convertCertBufferToPEM");
|
|
6
|
+
const validateCertificatePath_1 = require("../../helpers/validateCertificatePath");
|
|
7
|
+
const verifySignature_1 = require("../../helpers/verifySignature");
|
|
10
8
|
/**
|
|
11
9
|
* Verify an attestation response with fmt 'fido-u2f'
|
|
12
10
|
*/
|
|
13
11
|
async function verifyAttestationFIDOU2F(options) {
|
|
14
12
|
const { attStmt, clientDataHash, rpIdHash, credentialID, credentialPublicKey, aaguid = '', rootCertificates, } = options;
|
|
15
13
|
const reservedByte = Buffer.from([0x00]);
|
|
16
|
-
const publicKey = (0, convertCOSEtoPKCS_1.
|
|
14
|
+
const publicKey = (0, convertCOSEtoPKCS_1.convertCOSEtoPKCS)(credentialPublicKey);
|
|
17
15
|
const signatureBase = Buffer.concat([
|
|
18
16
|
reservedByte,
|
|
19
17
|
rpIdHash,
|
|
@@ -35,14 +33,14 @@ async function verifyAttestationFIDOU2F(options) {
|
|
|
35
33
|
}
|
|
36
34
|
try {
|
|
37
35
|
// Try validating the certificate path using the root certificates set via SettingsService
|
|
38
|
-
await (0, validateCertificatePath_1.
|
|
36
|
+
await (0, validateCertificatePath_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM), rootCertificates);
|
|
39
37
|
}
|
|
40
38
|
catch (err) {
|
|
41
39
|
const _err = err;
|
|
42
40
|
throw new Error(`${_err.message} (FIDOU2F)`);
|
|
43
41
|
}
|
|
44
|
-
const leafCertPEM = (0, convertCertBufferToPEM_1.
|
|
45
|
-
return (0, verifySignature_1.
|
|
42
|
+
const leafCertPEM = (0, convertCertBufferToPEM_1.convertCertBufferToPEM)(x5c[0]);
|
|
43
|
+
return (0, verifySignature_1.verifySignature)(sig, signatureBase, leafCertPEM);
|
|
46
44
|
}
|
|
47
|
-
exports.
|
|
48
|
-
//# sourceMappingURL=
|
|
45
|
+
exports.verifyAttestationFIDOU2F = verifyAttestationFIDOU2F;
|
|
46
|
+
//# sourceMappingURL=verifyAttestationFIDOU2F.js.map
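Review bot: No check that `x5c` holds exactly one certificate is visible in the `@@ -35,14 +33,14 @@` hunk: the whole array is handed to validateCertificatePath and `x5c[0]` is then used as the signing certificate, whereas the WebAuthn fido-u2f verification procedure requires x5c to contain exactly one element whose public key is an EC P-256 key. A presence check on `x5c` appears in the source map, but a length check does not, so unless one sits in the lines elided between the two hunks a multi-element x5c is accepted as long as the chain validates; `if (x5c.length !== 1) throw new Error('x5c must contain exactly one certificate (FIDOU2F)');` before the path validation would make the requirement explicit. The curve check is not visible either and would need the leaf's SubjectPublicKeyInfo, which this file does not parse. The function body begins before the first hunk and the lines between the hunks cannot be reviewed here.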
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verifyAttestationFIDOU2F.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAttestationFIDOU2F.ts"],"names":[],"mappings":";;;AAEA,uEAAoE;AACpE,iFAA8E;AAC9E,mFAAgF;AAChF,mEAAgE;AAEhE;;GAEG;AACI,KAAK,UAAU,wBAAwB,CAC5C,OAAsC;IAEtC,MAAM,EACJ,OAAO,EACP,cAAc,EACd,QAAQ,EACR,YAAY,EACZ,mBAAmB,EACnB,MAAM,GAAG,EAAE,EACX,gBAAgB,GACjB,GAAG,OAAO,CAAC;IAEZ,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,IAAA,qCAAiB,EAAC,mBAAmB,CAAC,CAAC;IAEzD,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC;QAClC,YAAY;QACZ,QAAQ;QACR,cAAc;QACd,YAAY;QACZ,SAAS;KACV,CAAC,CAAC;IAEH,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAE7B,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;KAC3F;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;KACzF;IAED,gEAAgE;IAChE,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;IAChE,IAAI,WAAW,KAAK,IAAI,EAAE;QACxB,MAAM,IAAI,KAAK,CAAC,WAAW,WAAW,0BAA0B,CAAC,CAAC;KACnE;IAED,IAAI;QACF,0FAA0F;QAC1F,MAAM,IAAA,iDAAuB,EAAC,GAAG,CAAC,GAAG,CAAC,+CAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;KAClF;IAAC,OAAO,GAAG,EAAE;QACZ,MAAM,IAAI,GAAG,GAAY,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,YAAY,CAAC,CAAC;KAC9C;IAED,MAAM,WAAW,GAAG,IAAA,+CAAsB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnD,OAAO,IAAA,iCAAe,EAAC,GAAG,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;AAC1D,CAAC;AAnDD,4DAmDC"}
|
|
@@ -2,4 +2,4 @@ import type { AttestationFormatVerifierOpts } from '../verifyRegistrationRespons
|
|
|
2
2
|
/**
|
|
3
3
|
* Verify an attestation response with fmt 'packed'
|
|
4
4
|
*/
|
|
5
|
-
export
|
|
5
|
+
export declare function verifyAttestationPacked(options: AttestationFormatVerifierOpts): Promise<boolean>;
|