@simplewebauthn/server 5.3.0 → 5.4.2
- package/dist/authentication/generateAuthenticationOptions.d.ts +1 -1
- package/dist/authentication/generateAuthenticationOptions.js +4 -3
- package/dist/authentication/generateAuthenticationOptions.js.map +1 -1
- package/dist/authentication/verifyAuthenticationResponse.d.ts +5 -1
- package/dist/authentication/verifyAuthenticationResponse.js +19 -17
- package/dist/authentication/verifyAuthenticationResponse.js.map +1 -1
- package/dist/helpers/convertAAGUIDToString.d.ts +1 -1
- package/dist/helpers/convertAAGUIDToString.js +2 -1
- package/dist/helpers/convertAAGUIDToString.js.map +1 -1
- package/dist/helpers/convertCOSEtoPKCS.d.ts +1 -1
- package/dist/helpers/convertCOSEtoPKCS.js +2 -2
- package/dist/helpers/convertCOSEtoPKCS.js.map +1 -1
- package/dist/helpers/convertCertBufferToPEM.d.ts +1 -1
- package/dist/helpers/convertCertBufferToPEM.js +2 -1
- package/dist/helpers/convertCertBufferToPEM.js.map +1 -1
- package/dist/helpers/convertPublicKeyToPEM.d.ts +1 -1
- package/dist/helpers/convertPublicKeyToPEM.js +2 -1
- package/dist/helpers/convertPublicKeyToPEM.js.map +1 -1
- package/dist/helpers/decodeAttestationObject.d.ts +1 -1
- package/dist/helpers/decodeAttestationObject.js +2 -1
- package/dist/helpers/decodeAttestationObject.js.map +1 -1
- package/dist/helpers/decodeAuthenticatorExtensions.d.ts +20 -0
- package/dist/helpers/decodeAuthenticatorExtensions.js +25 -0
- package/dist/helpers/decodeAuthenticatorExtensions.js.map +1 -0
- package/dist/helpers/decodeClientDataJSON.d.ts +1 -1
- package/dist/helpers/decodeClientDataJSON.js +2 -1
- package/dist/helpers/decodeClientDataJSON.js.map +1 -1
- package/dist/helpers/decodeCredentialPublicKey.d.ts +1 -1
- package/dist/helpers/decodeCredentialPublicKey.js +2 -1
- package/dist/helpers/decodeCredentialPublicKey.js.map +1 -1
- package/dist/helpers/generateChallenge.d.ts +1 -1
- package/dist/helpers/generateChallenge.js +2 -1
- package/dist/helpers/generateChallenge.js.map +1 -1
- package/dist/helpers/getCertificateInfo.d.ts +1 -1
- package/dist/helpers/getCertificateInfo.js +2 -1
- package/dist/helpers/getCertificateInfo.js.map +1 -1
- package/dist/helpers/index.d.ts +15 -15
- package/dist/helpers/index.js +30 -33
- package/dist/helpers/index.js.map +1 -1
- package/dist/helpers/isBase64URLString.d.ts +1 -1
- package/dist/helpers/isBase64URLString.js +2 -1
- package/dist/helpers/isBase64URLString.js.map +1 -1
- package/dist/helpers/isCertRevoked.d.ts +1 -1
- package/dist/helpers/isCertRevoked.js +4 -3
- package/dist/helpers/isCertRevoked.js.map +1 -1
- package/dist/helpers/parseAuthenticatorData.d.ts +3 -1
- package/dist/helpers/parseAuthenticatorData.js +12 -7
- package/dist/helpers/parseAuthenticatorData.js.map +1 -1
- package/dist/helpers/parseBackupFlags.js.map +1 -1
- package/dist/helpers/toHash.d.ts +1 -1
- package/dist/helpers/toHash.js +2 -1
- package/dist/helpers/toHash.js.map +1 -1
- package/dist/helpers/validateCertificatePath.d.ts +1 -1
- package/dist/helpers/validateCertificatePath.js +4 -6
- package/dist/helpers/validateCertificatePath.js.map +1 -1
- package/dist/helpers/verifySignature.d.ts +1 -1
- package/dist/helpers/verifySignature.js +2 -1
- package/dist/helpers/verifySignature.js.map +1 -1
- package/dist/index.d.ts +6 -6
- package/dist/index.js +12 -15
- package/dist/index.js.map +1 -1
- package/dist/metadata/parseJWT.d.ts +1 -1
- package/dist/metadata/parseJWT.js +2 -1
- package/dist/metadata/parseJWT.js.map +1 -1
- package/dist/metadata/verifyAttestationWithMetadata.d.ts +1 -1
- package/dist/metadata/verifyAttestationWithMetadata.js +30 -18
- package/dist/metadata/verifyAttestationWithMetadata.js.map +1 -1
- package/dist/registration/generateRegistrationOptions.d.ts +1 -1
- package/dist/registration/generateRegistrationOptions.js +4 -4
- package/dist/registration/generateRegistrationOptions.js.map +1 -1
- package/dist/registration/verifications/tpm/constants.d.ts +30 -0
- package/dist/registration/verifications/tpm/constants.js +36 -2
- package/dist/registration/verifications/tpm/constants.js.map +1 -1
- package/dist/registration/verifications/tpm/parseCertInfo.d.ts +1 -1
- package/dist/registration/verifications/tpm/parseCertInfo.js +2 -1
- package/dist/registration/verifications/tpm/parseCertInfo.js.map +1 -1
- package/dist/registration/verifications/tpm/parsePubArea.d.ts +4 -1
- package/dist/registration/verifications/tpm/parsePubArea.js +23 -4
- package/dist/registration/verifications/tpm/parsePubArea.js.map +1 -1
- package/dist/registration/verifications/tpm/verifyAttestationTPM.d.ts +2 -0
- package/dist/registration/verifications/tpm/{verifyTPM.js → verifyAttestationTPM.js} +28 -34
- package/dist/registration/verifications/tpm/verifyAttestationTPM.js.map +1 -0
- package/dist/registration/verifications/{verifyAndroidKey.d.ts → verifyAttestationAndroidKey.d.ts} +1 -1
- package/dist/registration/verifications/{verifyAndroidKey.js → verifyAttestationAndroidKey.js} +15 -40
- package/dist/registration/verifications/verifyAttestationAndroidKey.js.map +1 -0
- package/dist/registration/verifications/{verifyAndroidSafetyNet.d.ts → verifyAttestationAndroidSafetyNet.d.ts} +1 -1
- package/dist/registration/verifications/{verifyAndroidSafetyNet.js → verifyAttestationAndroidSafetyNet.js} +17 -16
- package/dist/registration/verifications/verifyAttestationAndroidSafetyNet.js.map +1 -0
- package/dist/registration/verifications/verifyAttestationApple.d.ts +2 -0
- package/dist/registration/verifications/{verifyApple.js → verifyAttestationApple.js} +11 -13
- package/dist/registration/verifications/verifyAttestationApple.js.map +1 -0
- package/dist/registration/verifications/{verifyFIDOU2F.d.ts → verifyAttestationFIDOU2F.d.ts} +1 -1
- package/dist/registration/verifications/{verifyFIDOU2F.js → verifyAttestationFIDOU2F.js} +11 -13
- package/dist/registration/verifications/verifyAttestationFIDOU2F.js.map +1 -0
- package/dist/registration/verifications/{verifyPacked.d.ts → verifyAttestationPacked.d.ts} +1 -1
- package/dist/registration/verifications/{verifyPacked.js → verifyAttestationPacked.js} +22 -44
- package/dist/registration/verifications/verifyAttestationPacked.js.map +1 -0
- package/dist/registration/verifyRegistrationResponse.d.ts +6 -2
- package/dist/registration/verifyRegistrationResponse.js +32 -30
- package/dist/registration/verifyRegistrationResponse.js.map +1 -1
- package/dist/services/metadataService.d.ts +2 -2
- package/dist/services/metadataService.js +13 -14
- package/dist/services/metadataService.js.map +1 -1
- package/dist/services/settingsService.d.ts +3 -3
- package/dist/services/settingsService.js +9 -12
- package/dist/services/settingsService.js.map +1 -1
- package/package.json +3 -3
- package/dist/registration/verifications/tpm/verifyTPM.d.ts +0 -2
- package/dist/registration/verifications/tpm/verifyTPM.js.map +0 -1
- package/dist/registration/verifications/verifyAndroidKey.js.map +0 -1
- package/dist/registration/verifications/verifyAndroidSafetyNet.js.map +0 -1
- package/dist/registration/verifications/verifyApple.d.ts +0 -2
- package/dist/registration/verifications/verifyApple.js.map +0 -1
- package/dist/registration/verifications/verifyFIDOU2F.js.map +0 -1
- package/dist/registration/verifications/verifyPacked.js.map +0 -1
|
@@ -3,14 +3,15 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
|
3
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
4
|
};
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
+
exports.verifyAttestationAndroidSafetyNet = void 0;
|
|
6
7
|
const base64url_1 = __importDefault(require("base64url"));
|
|
7
|
-
const toHash_1 =
|
|
8
|
-
const verifySignature_1 =
|
|
9
|
-
const getCertificateInfo_1 =
|
|
10
|
-
const validateCertificatePath_1 =
|
|
11
|
-
const convertCertBufferToPEM_1 =
|
|
12
|
-
const metadataService_1 =
|
|
13
|
-
const verifyAttestationWithMetadata_1 =
|
|
8
|
+
const toHash_1 = require("../../helpers/toHash");
|
|
9
|
+
const verifySignature_1 = require("../../helpers/verifySignature");
|
|
10
|
+
const getCertificateInfo_1 = require("../../helpers/getCertificateInfo");
|
|
11
|
+
const validateCertificatePath_1 = require("../../helpers/validateCertificatePath");
|
|
12
|
+
const convertCertBufferToPEM_1 = require("../../helpers/convertCertBufferToPEM");
|
|
13
|
+
const metadataService_1 = require("../../services/metadataService");
|
|
14
|
+
const verifyAttestationWithMetadata_1 = require("../../metadata/verifyAttestationWithMetadata");
|
|
14
15
|
/**
|
|
15
16
|
* Verify an attestation response with fmt 'android-safetynet'
|
|
16
17
|
*/
|
|
@@ -47,7 +48,7 @@ async function verifyAttestationAndroidSafetyNet(options) {
|
|
|
47
48
|
}
|
|
48
49
|
}
|
|
49
50
|
const nonceBase = Buffer.concat([authData, clientDataHash]);
|
|
50
|
-
const nonceBuffer = (0, toHash_1.
|
|
51
|
+
const nonceBuffer = (0, toHash_1.toHash)(nonceBase);
|
|
51
52
|
const expectedNonce = nonceBuffer.toString('base64');
|
|
52
53
|
if (nonce !== expectedNonce) {
|
|
53
54
|
throw new Error('Could not verify payload nonce (SafetyNet)');
|
|
@@ -62,17 +63,17 @@ async function verifyAttestationAndroidSafetyNet(options) {
|
|
|
62
63
|
* START Verify Header
|
|
63
64
|
*/
|
|
64
65
|
const leafCertBuffer = base64url_1.default.toBuffer(HEADER.x5c[0]);
|
|
65
|
-
const leafCertInfo = (0, getCertificateInfo_1.
|
|
66
|
+
const leafCertInfo = (0, getCertificateInfo_1.getCertificateInfo)(leafCertBuffer);
|
|
66
67
|
const { subject } = leafCertInfo;
|
|
67
68
|
// Ensure the certificate was issued to this hostname
|
|
68
69
|
// See https://developer.android.com/training/safetynet/attestation#verify-attestation-response
|
|
69
70
|
if (subject.CN !== 'attest.android.com') {
|
|
70
71
|
throw new Error('Certificate common name was not "attest.android.com" (SafetyNet)');
|
|
71
72
|
}
|
|
72
|
-
const statement = await metadataService_1.
|
|
73
|
+
const statement = await metadataService_1.MetadataService.getStatement(aaguid);
|
|
73
74
|
if (statement) {
|
|
74
75
|
try {
|
|
75
|
-
await (0, verifyAttestationWithMetadata_1.
|
|
76
|
+
await (0, verifyAttestationWithMetadata_1.verifyAttestationWithMetadata)(statement, credentialPublicKey, HEADER.x5c);
|
|
76
77
|
}
|
|
77
78
|
catch (err) {
|
|
78
79
|
const _err = err;
|
|
@@ -82,7 +83,7 @@ async function verifyAttestationAndroidSafetyNet(options) {
|
|
|
82
83
|
else {
|
|
83
84
|
try {
|
|
84
85
|
// Try validating the certificate path using the root certificates set via SettingsService
|
|
85
|
-
await (0, validateCertificatePath_1.
|
|
86
|
+
await (0, validateCertificatePath_1.validateCertificatePath)(HEADER.x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM), rootCertificates);
|
|
86
87
|
}
|
|
87
88
|
catch (err) {
|
|
88
89
|
const _err = err;
|
|
@@ -97,12 +98,12 @@ async function verifyAttestationAndroidSafetyNet(options) {
|
|
|
97
98
|
*/
|
|
98
99
|
const signatureBaseBuffer = Buffer.from(`${jwtParts[0]}.${jwtParts[1]}`);
|
|
99
100
|
const signatureBuffer = base64url_1.default.toBuffer(SIGNATURE);
|
|
100
|
-
const leafCertPEM = (0, convertCertBufferToPEM_1.
|
|
101
|
-
const verified = (0, verifySignature_1.
|
|
101
|
+
const leafCertPEM = (0, convertCertBufferToPEM_1.convertCertBufferToPEM)(leafCertBuffer);
|
|
102
|
+
const verified = (0, verifySignature_1.verifySignature)(signatureBuffer, signatureBaseBuffer, leafCertPEM);
|
|
102
103
|
/**
|
|
103
104
|
* END Verify Signature
|
|
104
105
|
*/
|
|
105
106
|
return verified;
|
|
106
107
|
}
|
|
107
|
-
exports.
|
|
108
|
-
//# sourceMappingURL=
|
|
108
|
+
exports.verifyAttestationAndroidSafetyNet = verifyAttestationAndroidSafetyNet;
|
|
109
|
+
//# sourceMappingURL=verifyAttestationAndroidSafetyNet.js.map
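Review bot: Only `subject` is taken from the leaf certificate info (`const { subject } = leafCertInfo;` in the "Verify Header" hunk), so the validity window that `getCertificateInfo` also returns — the packed verifier in this same release destructures `notBefore`/`notAfter` from it, with the date checks themselves outside the shown hunk — is never compared against the current time on this path. When a metadata statement exists the `validateCertificatePath` branch is skipped entirely, so unless `verifyAttestationWithMetadata` checks certificate dates (it is outside this diff), an expired attest.android.com leaf would pass the CN check and the signature check. Suggest mirroring the packed verifier: `const { subject, notBefore, notAfter } = leafCertInfo;` followed by the same now-vs-notBefore/notAfter throws before the CN comparison. verifyAttestationAndroidSafetyNet's signature and the first part of its body are above the hunks shown here.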
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verifyAttestationAndroidSafetyNet.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAttestationAndroidSafetyNet.ts"],"names":[],"mappings":";;;;;;AAAA,0DAAkC;AAIlC,iDAA8C;AAC9C,mEAAgE;AAChE,yEAAsE;AACtE,mFAAgF;AAChF,iFAA8E;AAC9E,oEAAiE;AACjE,gGAA6F;AAE7F;;GAEG;AACI,KAAK,UAAU,iCAAiC,CACrD,OAAsC;IAEtC,MAAM,EACJ,OAAO,EACP,cAAc,EACd,QAAQ,EACR,MAAM,EACN,gBAAgB,EAChB,iBAAiB,GAAG,IAAI,EACxB,mBAAmB,GACpB,GAAG,OAAO,CAAC;IACZ,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAElC,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;KAC5D;IAED,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,0BAA0B;IAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEhC,MAAM,MAAM,GAAuB,IAAI,CAAC,KAAK,CAAC,mBAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAwB,IAAI,CAAC,KAAK,CAAC,mBAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/E,MAAM,SAAS,GAA0B,QAAQ,CAAC,CAAC,CAAC,CAAC;IAErD;;OAEG;IACH,MAAM,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;IAExD,IAAI,iBAAiB,EAAE;QACrB,qCAAqC;QACrC,IAAI,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACrB,IAAI,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE;YAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,WAAW,qBAAqB,GAAG,eAAe,CAAC,CAAC;SAC3F;QAED,+EAA+E;QAC/E,MAAM,kBAAkB,GAAG,WAAW,GAAG,EAAE,GAAG,IAAI,CAAC;QACnD,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACjB,IAAI,kBAAkB,GAAG,GAAG,EAAE;YAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,kBAAkB,2BAA2B,CAAC,CAAC;SACtF;KACF;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAC5D,MAAM,WAAW,GAAG,IAAA,eAAM,EAAC,SAAS,CAAC,CAAC;IACtC,MAAM,aAAa,GAAG,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAErD,IAAI,KAAK,KAAK,aAAa,EAAE;QAC3B,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;KAC/D;IAED,IAAI,CAAC,eAAe,EAAE;QACpB,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;KAClE;IACD;;OAEG;IAEH;;OAEG;IACH,MAAM,cAAc,GAAG,mBAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACzD,MAAM,YAAY,GAAG,IAAA,uCAAkB,EAAC,cAAc,CAAC,CAAC;IA
ExD,MAAM,EAAE,OAAO,EAAE,GAAG,YAAY,CAAC;IAEjC,qDAAqD;IACrD,+FAA+F;IAC/F,IAAI,OAAO,CAAC,EAAE,KAAK,oBAAoB,EAAE;QACvC,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,MAAM,SAAS,GAAG,MAAM,iCAAe,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC7D,IAAI,SAAS,EAAE;QACb,IAAI;YACF,MAAM,IAAA,6DAA6B,EAAC,SAAS,EAAE,mBAAmB,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;SACjF;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,GAAG,GAAY,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,cAAc,CAAC,CAAC;SAChD;KACF;SAAM;QACL,IAAI;YACF,0FAA0F;YAC1F,MAAM,IAAA,iDAAuB,EAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,+CAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;SACzF;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAI,GAAG,GAAY,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,cAAc,CAAC,CAAC;SAChD;KACF;IACD;;OAEG;IAEH;;OAEG;IACH,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACzE,MAAM,eAAe,GAAG,mBAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAEtD,MAAM,WAAW,GAAG,IAAA,+CAAsB,EAAC,cAAc,CAAC,CAAC;IAC3D,MAAM,QAAQ,GAAG,IAAA,iCAAe,EAAC,eAAe,EAAE,mBAAmB,EAAE,WAAW,CAAC,CAAC;IACpF;;OAEG;IAEH,OAAO,QAAQ,CAAC;AAClB,CAAC;AAjHD,8EAiHC"}
|
|
@@ -1,15 +1,13 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
-
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
-
};
|
|
5
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.verifyAttestationApple = void 0;
|
|
6
4
|
const asn1_schema_1 = require("@peculiar/asn1-schema");
|
|
7
5
|
const asn1_x509_1 = require("@peculiar/asn1-x509");
|
|
8
|
-
const validateCertificatePath_1 =
|
|
9
|
-
const convertCertBufferToPEM_1 =
|
|
10
|
-
const toHash_1 =
|
|
11
|
-
const convertCOSEtoPKCS_1 =
|
|
12
|
-
async function
|
|
6
|
+
const validateCertificatePath_1 = require("../../helpers/validateCertificatePath");
|
|
7
|
+
const convertCertBufferToPEM_1 = require("../../helpers/convertCertBufferToPEM");
|
|
8
|
+
const toHash_1 = require("../../helpers/toHash");
|
|
9
|
+
const convertCOSEtoPKCS_1 = require("../../helpers/convertCOSEtoPKCS");
|
|
10
|
+
async function verifyAttestationApple(options) {
|
|
13
11
|
const { attStmt, authData, clientDataHash, credentialPublicKey, rootCertificates } = options;
|
|
14
12
|
const { x5c } = attStmt;
|
|
15
13
|
if (!x5c) {
|
|
@@ -19,7 +17,7 @@ async function verifyApple(options) {
|
|
|
19
17
|
* Verify certificate path
|
|
20
18
|
*/
|
|
21
19
|
try {
|
|
22
|
-
await (0, validateCertificatePath_1.
|
|
20
|
+
await (0, validateCertificatePath_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM), rootCertificates);
|
|
23
21
|
}
|
|
24
22
|
catch (err) {
|
|
25
23
|
const _err = err;
|
|
@@ -38,7 +36,7 @@ async function verifyApple(options) {
|
|
|
38
36
|
throw new Error('credCert missing "1.2.840.113635.100.8.2" extension (Apple)');
|
|
39
37
|
}
|
|
40
38
|
const nonceToHash = Buffer.concat([authData, clientDataHash]);
|
|
41
|
-
const nonce = (0, toHash_1.
|
|
39
|
+
const nonce = (0, toHash_1.toHash)(nonceToHash, 'SHA256');
|
|
42
40
|
/**
|
|
43
41
|
* Ignore the first six ASN.1 structure bytes that define the nonce as an OCTET STRING. Should
|
|
44
42
|
* trim off <Buffer 30 24 a1 22 04 20>
|
|
@@ -53,12 +51,12 @@ async function verifyApple(options) {
|
|
|
53
51
|
/**
|
|
54
52
|
* Verify credential public key matches the Subject Public Key of credCert
|
|
55
53
|
*/
|
|
56
|
-
const credPubKeyPKCS = (0, convertCOSEtoPKCS_1.
|
|
54
|
+
const credPubKeyPKCS = (0, convertCOSEtoPKCS_1.convertCOSEtoPKCS)(credentialPublicKey);
|
|
57
55
|
const credCertSubjectPublicKey = Buffer.from(subjectPublicKeyInfo.subjectPublicKey);
|
|
58
56
|
if (!credPubKeyPKCS.equals(credCertSubjectPublicKey)) {
|
|
59
57
|
throw new Error('Credential public key does not equal credCert public key (Apple)');
|
|
60
58
|
}
|
|
61
59
|
return true;
|
|
62
60
|
}
|
|
63
|
-
exports.
|
|
64
|
-
//# sourceMappingURL=
|
|
61
|
+
exports.verifyAttestationApple = verifyAttestationApple;
|
|
62
|
+
//# sourceMappingURL=verifyAttestationApple.js.map
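Review bot: The nonce extraction depends on a fixed six-byte skip — the context comment reads `* trim off <Buffer 30 24 a1 22 04 20>` — instead of decoding the extension value, even though `@peculiar/asn1-schema` is already required at the top of this file (`const asn1_schema_1 = require("@peculiar/asn1-schema");`). A hard-coded offset is brittle: any change in the DER layout of that extension (a different length prefix, for instance) makes the code compare the wrong bytes and fail with a misleading "nonce mismatch" rather than a parse error. Decoding `extnValue` with `asn1_schema_1.AsnParser.parse` against a small schema class (a SEQUENCE holding a context-tagged OCTET STRING) and comparing the decoded octets to `nonce` would make the check self-describing. The slice and the `nonce` comparison sit in the lines between the second and third hunks, which are not shown, so this is inferred from the comment.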
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verifyAttestationApple.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAttestationApple.ts"],"names":[],"mappings":";;;AAAA,uDAAkD;AAClD,mDAAkD;AAIlD,mFAAgF;AAChF,iFAA8E;AAC9E,iDAA8C;AAC9C,uEAAoE;AAE7D,KAAK,UAAU,sBAAsB,CAC1C,OAAsC;IAEtC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,GAAG,OAAO,CAAC;IAC7F,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAExB,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;KACzF;IAED;;OAEG;IACH,IAAI;QACF,MAAM,IAAA,iDAAuB,EAAC,GAAG,CAAC,GAAG,CAAC,+CAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;KAClF;IAAC,OAAO,GAAG,EAAE;QACZ,MAAM,IAAI,GAAG,GAAY,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,UAAU,CAAC,CAAC;KAC5C;IAED;;OAEG;IACH,MAAM,cAAc,GAAG,uBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,uBAAW,CAAC,CAAC;IAC5D,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,GAAG,cAAc,CAAC,cAAc,CAAC;IAE3E,IAAI,CAAC,UAAU,EAAE;QACf,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;KACxD;IAED,MAAM,YAAY,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,MAAM,KAAK,wBAAwB,CAAC,CAAC;IAErF,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;KAChF;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAC9D,MAAM,KAAK,GAAG,IAAA,eAAM,EAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAC5C;;;;;;OAMG;IACH,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAErE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE;QAC3B,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;KAClE;IAED;;OAEG;IACH,MAAM,cAAc,GAAG,IAAA,qCAAiB,EAAC,mBAAmB,CAAC,CAAC;IAC9D,MAAM,wBAAwB,GAAG,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,gBAAgB,CAAC,CAAC;IAEpF,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,wBAAwB,CAAC,EAAE;QACpD,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;KACrF;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AA9DD,wDA8DC"}
|
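--- a/package/dist/registration/verifications/verifyFIDOU2F.d.ts
+++ b/package/dist/registration/verifications/verifyAttestationFIDOU2F.d.ts
@@ -2,4 +2,4 @@ import type { AttestationFormatVerifierOpts } from '../verifyRegistrationRespons
 /**
 * Verify an attestation response with fmt 'fido-u2f'
 */
-export
+export declare function verifyAttestationFIDOU2F(options: AttestationFormatVerifierOpts): Promise<boolean>;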
@@ -1,19 +1,17 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
-
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
-
};
|
|
5
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
-
|
|
7
|
-
const
|
|
8
|
-
const
|
|
9
|
-
const
|
|
3
|
+
exports.verifyAttestationFIDOU2F = void 0;
|
|
4
|
+
const convertCOSEtoPKCS_1 = require("../../helpers/convertCOSEtoPKCS");
|
|
5
|
+
const convertCertBufferToPEM_1 = require("../../helpers/convertCertBufferToPEM");
|
|
6
|
+
const validateCertificatePath_1 = require("../../helpers/validateCertificatePath");
|
|
7
|
+
const verifySignature_1 = require("../../helpers/verifySignature");
|
|
10
8
|
/**
|
|
11
9
|
* Verify an attestation response with fmt 'fido-u2f'
|
|
12
10
|
*/
|
|
13
11
|
async function verifyAttestationFIDOU2F(options) {
|
|
14
12
|
const { attStmt, clientDataHash, rpIdHash, credentialID, credentialPublicKey, aaguid = '', rootCertificates, } = options;
|
|
15
13
|
const reservedByte = Buffer.from([0x00]);
|
|
16
|
-
const publicKey = (0, convertCOSEtoPKCS_1.
|
|
14
|
+
const publicKey = (0, convertCOSEtoPKCS_1.convertCOSEtoPKCS)(credentialPublicKey);
|
|
17
15
|
const signatureBase = Buffer.concat([
|
|
18
16
|
reservedByte,
|
|
19
17
|
rpIdHash,
|
|
@@ -35,14 +33,14 @@ async function verifyAttestationFIDOU2F(options) {
|
|
|
35
33
|
}
|
|
36
34
|
try {
|
|
37
35
|
// Try validating the certificate path using the root certificates set via SettingsService
|
|
38
|
-
await (0, validateCertificatePath_1.
|
|
36
|
+
await (0, validateCertificatePath_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM), rootCertificates);
|
|
39
37
|
}
|
|
40
38
|
catch (err) {
|
|
41
39
|
const _err = err;
|
|
42
40
|
throw new Error(`${_err.message} (FIDOU2F)`);
|
|
43
41
|
}
|
|
44
|
-
const leafCertPEM = (0, convertCertBufferToPEM_1.
|
|
45
|
-
return (0, verifySignature_1.
|
|
42
|
+
const leafCertPEM = (0, convertCertBufferToPEM_1.convertCertBufferToPEM)(x5c[0]);
|
|
43
|
+
return (0, verifySignature_1.verifySignature)(sig, signatureBase, leafCertPEM);
|
|
46
44
|
}
|
|
47
|
-
exports.
|
|
48
|
-
//# sourceMappingURL=
|
|
45
|
+
exports.verifyAttestationFIDOU2F = verifyAttestationFIDOU2F;
|
|
46
|
+
//# sourceMappingURL=verifyAttestationFIDOU2F.js.map
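Review bot: The chain handed to `validateCertificatePath` is the whole `x5c`, and the key used by `verifySignature` is whatever `x5c[0]` holds, but nothing in the shown hunks enforces the two conditions WebAuthn §8.6 places on a fido-u2f statement: `x5c` must contain exactly one certificate, and that certificate's public key must be an EC key over P-256. If these are not already enforced in the lines between the two hunks (the function's middle is outside what is shown), add `if (x5c.length !== 1) throw new Error('x5c must contain exactly one certificate (FIDOU2F)');` before the path validation and reject a leaf whose SubjectPublicKeyInfo is not id-ecPublicKey/prime256v1 — `getCertificateInfo`, already used by the packed verifier, may be the natural place to expose that. The `x5c`/`sig` presence guards appear to be in the hidden lines as well, so this is inferred.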
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verifyAttestationFIDOU2F.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAttestationFIDOU2F.ts"],"names":[],"mappings":";;;AAEA,uEAAoE;AACpE,iFAA8E;AAC9E,mFAAgF;AAChF,mEAAgE;AAEhE;;GAEG;AACI,KAAK,UAAU,wBAAwB,CAC5C,OAAsC;IAEtC,MAAM,EACJ,OAAO,EACP,cAAc,EACd,QAAQ,EACR,YAAY,EACZ,mBAAmB,EACnB,MAAM,GAAG,EAAE,EACX,gBAAgB,GACjB,GAAG,OAAO,CAAC;IAEZ,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,IAAA,qCAAiB,EAAC,mBAAmB,CAAC,CAAC;IAEzD,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC;QAClC,YAAY;QACZ,QAAQ;QACR,cAAc;QACd,YAAY;QACZ,SAAS;KACV,CAAC,CAAC;IAEH,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAE7B,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;KAC3F;IAED,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;KACzF;IAED,gEAAgE;IAChE,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;IAChE,IAAI,WAAW,KAAK,IAAI,EAAE;QACxB,MAAM,IAAI,KAAK,CAAC,WAAW,WAAW,0BAA0B,CAAC,CAAC;KACnE;IAED,IAAI;QACF,0FAA0F;QAC1F,MAAM,IAAA,iDAAuB,EAAC,GAAG,CAAC,GAAG,CAAC,+CAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;KAClF;IAAC,OAAO,GAAG,EAAE;QACZ,MAAM,IAAI,GAAG,GAAY,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,YAAY,CAAC,CAAC;KAC9C;IAED,MAAM,WAAW,GAAG,IAAA,+CAAsB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnD,OAAO,IAAA,iCAAe,EAAC,GAAG,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;AAC1D,CAAC;AAnDD,4DAmDC"}
|
|
@@ -2,4 +2,4 @@ import type { AttestationFormatVerifierOpts } from '../verifyRegistrationRespons
|
|
|
2
2
|
/**
|
|
3
3
|
* Verify an attestation response with fmt 'packed'
|
|
4
4
|
*/
|
|
5
|
-
export
|
|
5
|
+
export declare function verifyAttestationPacked(options: AttestationFormatVerifierOpts): Promise<boolean>;
|
|
@@ -1,42 +1,20 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
-
if (k2 === undefined) k2 = k;
|
|
4
|
-
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
-
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
-
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
-
}
|
|
8
|
-
Object.defineProperty(o, k2, desc);
|
|
9
|
-
}) : (function(o, m, k, k2) {
|
|
10
|
-
if (k2 === undefined) k2 = k;
|
|
11
|
-
o[k2] = m[k];
|
|
12
|
-
}));
|
|
13
|
-
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
14
|
-
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
15
|
-
}) : function(o, v) {
|
|
16
|
-
o["default"] = v;
|
|
17
|
-
});
|
|
18
|
-
var __importStar = (this && this.__importStar) || function (mod) {
|
|
19
|
-
if (mod && mod.__esModule) return mod;
|
|
20
|
-
var result = {};
|
|
21
|
-
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
|
|
22
|
-
__setModuleDefault(result, mod);
|
|
23
|
-
return result;
|
|
24
|
-
};
|
|
25
2
|
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
26
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
27
4
|
};
|
|
28
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
+
exports.verifyAttestationPacked = void 0;
|
|
29
7
|
const elliptic_1 = __importDefault(require("elliptic"));
|
|
30
8
|
const node_rsa_1 = __importDefault(require("node-rsa"));
|
|
31
|
-
const convertCOSEtoPKCS_1 =
|
|
32
|
-
const toHash_1 =
|
|
33
|
-
const convertCertBufferToPEM_1 =
|
|
34
|
-
const validateCertificatePath_1 =
|
|
35
|
-
const getCertificateInfo_1 =
|
|
36
|
-
const verifySignature_1 =
|
|
37
|
-
const decodeCredentialPublicKey_1 =
|
|
38
|
-
const metadataService_1 =
|
|
39
|
-
const verifyAttestationWithMetadata_1 =
|
|
9
|
+
const convertCOSEtoPKCS_1 = require("../../helpers/convertCOSEtoPKCS");
|
|
10
|
+
const toHash_1 = require("../../helpers/toHash");
|
|
11
|
+
const convertCertBufferToPEM_1 = require("../../helpers/convertCertBufferToPEM");
|
|
12
|
+
const validateCertificatePath_1 = require("../../helpers/validateCertificatePath");
|
|
13
|
+
const getCertificateInfo_1 = require("../../helpers/getCertificateInfo");
|
|
14
|
+
const verifySignature_1 = require("../../helpers/verifySignature");
|
|
15
|
+
const decodeCredentialPublicKey_1 = require("../../helpers/decodeCredentialPublicKey");
|
|
16
|
+
const metadataService_1 = require("../../services/metadataService");
|
|
17
|
+
const verifyAttestationWithMetadata_1 = require("../../metadata/verifyAttestationWithMetadata");
|
|
40
18
|
/**
|
|
41
19
|
* Verify an attestation response with fmt 'packed'
|
|
42
20
|
*/
|
|
@@ -51,10 +29,10 @@ async function verifyAttestationPacked(options) {
|
|
|
51
29
|
}
|
|
52
30
|
const signatureBase = Buffer.concat([authData, clientDataHash]);
|
|
53
31
|
let verified = false;
|
|
54
|
-
const pkcsPublicKey = (0, convertCOSEtoPKCS_1.
|
|
32
|
+
const pkcsPublicKey = (0, convertCOSEtoPKCS_1.convertCOSEtoPKCS)(credentialPublicKey);
|
|
55
33
|
if (x5c) {
|
|
56
|
-
const leafCert = (0, convertCertBufferToPEM_1.
|
|
57
|
-
const { subject, basicConstraintsCA, version, notBefore, notAfter } = (0, getCertificateInfo_1.
|
|
34
|
+
const leafCert = (0, convertCertBufferToPEM_1.convertCertBufferToPEM)(x5c[0]);
|
|
35
|
+
const { subject, basicConstraintsCA, version, notBefore, notAfter } = (0, getCertificateInfo_1.getCertificateInfo)(x5c[0]);
|
|
58
36
|
const { OU, CN, O, C } = subject;
|
|
59
37
|
if (OU !== 'Authenticator Attestation') {
|
|
60
38
|
throw new Error('Certificate OU was not "Authenticator Attestation" (Packed|Full)');
|
|
@@ -85,7 +63,7 @@ async function verifyAttestationPacked(options) {
|
|
|
85
63
|
// TODO: If certificate contains id-fido-gen-ce-aaguid(1.3.6.1.4.1.45724.1.1.4) extension, check
|
|
86
64
|
// that it’s value is set to the same AAGUID as in authData.
|
|
87
65
|
// If available, validate attestation alg and x5c with info in the metadata statement
|
|
88
|
-
const statement = await metadataService_1.
|
|
66
|
+
const statement = await metadataService_1.MetadataService.getStatement(aaguid);
|
|
89
67
|
if (statement) {
|
|
90
68
|
// The presence of x5c means this is a full attestation. Check to see if attestationTypes
|
|
91
69
|
// includes packed attestations.
|
|
@@ -93,7 +71,7 @@ async function verifyAttestationPacked(options) {
|
|
|
93
71
|
throw new Error('Metadata does not indicate support for full attestations (Packed|Full)');
|
|
94
72
|
}
|
|
95
73
|
try {
|
|
96
|
-
await (0, verifyAttestationWithMetadata_1.
|
|
74
|
+
await (0, verifyAttestationWithMetadata_1.verifyAttestationWithMetadata)(statement, credentialPublicKey, x5c);
|
|
97
75
|
}
|
|
98
76
|
catch (err) {
|
|
99
77
|
const _err = err;
|
|
@@ -103,17 +81,17 @@ async function verifyAttestationPacked(options) {
|
|
|
103
81
|
else {
|
|
104
82
|
try {
|
|
105
83
|
// Try validating the certificate path using the root certificates set via SettingsService
|
|
106
|
-
await (0, validateCertificatePath_1.
|
|
84
|
+
await (0, validateCertificatePath_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM), rootCertificates);
|
|
107
85
|
}
|
|
108
86
|
catch (err) {
|
|
109
87
|
const _err = err;
|
|
110
88
|
throw new Error(`${_err.message} (Packed|Full)`);
|
|
111
89
|
}
|
|
112
90
|
}
|
|
113
|
-
verified = (0, verifySignature_1.
|
|
91
|
+
verified = (0, verifySignature_1.verifySignature)(sig, signatureBase, leafCert);
|
|
114
92
|
}
|
|
115
93
|
else {
|
|
116
|
-
const cosePublicKey = (0, decodeCredentialPublicKey_1.
|
|
94
|
+
const cosePublicKey = (0, decodeCredentialPublicKey_1.decodeCredentialPublicKey)(credentialPublicKey);
|
|
117
95
|
const kty = cosePublicKey.get(convertCOSEtoPKCS_1.COSEKEYS.kty);
|
|
118
96
|
if (!kty) {
|
|
119
97
|
throw new Error('COSE public key was missing kty (Packed|Self)');
|
|
@@ -124,7 +102,7 @@ async function verifyAttestationPacked(options) {
|
|
|
124
102
|
if (!crv) {
|
|
125
103
|
throw new Error('COSE public key was missing kty crv (Packed|EC2)');
|
|
126
104
|
}
|
|
127
|
-
const signatureBaseHash = (0, toHash_1.
|
|
105
|
+
const signatureBaseHash = (0, toHash_1.toHash)(signatureBase, hashAlg);
|
|
128
106
|
/**
|
|
129
107
|
* Instantiating the curve here is _very_ computationally heavy - a bit of profiling
|
|
130
108
|
* (in compiled JS, not TS) reported an average of ~125ms to execute this line. The elliptic
|
|
@@ -158,7 +136,7 @@ async function verifyAttestationPacked(options) {
|
|
|
158
136
|
if (!x) {
|
|
159
137
|
throw new Error('COSE public key was missing x (Packed|OKP)');
|
|
160
138
|
}
|
|
161
|
-
const signatureBaseHash = (0, toHash_1.
|
|
139
|
+
const signatureBaseHash = (0, toHash_1.toHash)(signatureBase, hashAlg);
|
|
162
140
|
const key = new elliptic_1.default.eddsa('ed25519');
|
|
163
141
|
key.keyFromPublic(x);
|
|
164
142
|
// TODO: is `publicKey` right here?
|
|
@@ -167,5 +145,5 @@ async function verifyAttestationPacked(options) {
|
|
|
167
145
|
}
|
|
168
146
|
return verified;
|
|
169
147
|
}
|
|
170
|
-
exports.
|
|
171
|
-
//# sourceMappingURL=
|
|
148
|
+
exports.verifyAttestationPacked = verifyAttestationPacked;
|
|
149
|
+
//# sourceMappingURL=verifyAttestationPacked.js.map
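Review bot: In the OKP branch the result of `key.keyFromPublic(x);` is discarded; elliptic's `EDDSA.keyFromPublic` returns a new KeyPair and does not mutate the `eddsa` instance, so that line has no effect and whatever key the following verify call uses (just past the shown hunk, under the `// TODO: is \`publicKey\` right here?` comment) is not the decoded `x`. Change it to `const okpKey = key.keyFromPublic(x);` and verify with `verified = okpKey.verify(signatureBase, sig);`. Note also that elliptic's EdDSA verify hashes the message internally (PureEdDSA), so it should be given `signatureBase` rather than the `signatureBaseHash` computed on the line above — unlike the EC2 branch, where `ec.verify` expects the digest. Separately, the id-fido-gen-ce-aaguid TODO in the x5c branch is carried over unchanged, so the `aaguid` used for `MetadataService.getStatement(aaguid)` is still not cross-checked against the attestation certificate.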
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verifyAttestationPacked.js","sourceRoot":"","sources":["../../../src/registration/verifications/verifyAttestationPacked.ts"],"names":[],"mappings":";;;;;;AAAA,wDAAgC;AAChC,wDAA+B;AAI/B,uEAOyC;AACzC,iDAA8C;AAC9C,iFAA8E;AAC9E,mFAAgF;AAChF,yEAAsE;AACtE,mEAAgE;AAChE,uFAAoF;AACpF,oEAAiE;AACjE,gGAA6F;AAE7F;;GAEG;AACI,KAAK,UAAU,uBAAuB,CAC3C,OAAsC;IAEtC,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,EAAE,gBAAgB,EAAE,GACxF,OAAO,CAAC;IAEV,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAElC,IAAI,CAAC,GAAG,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;KACxF;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE;QAC3B,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,4BAA4B,CAAC,CAAC;KAChF;IAED,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;IAEhE,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,MAAM,aAAa,GAAG,IAAA,qCAAiB,EAAC,mBAAmB,CAAC,CAAC;IAE7D,IAAI,GAAG,EAAE;QACP,MAAM,QAAQ,GAAG,IAAA,+CAAsB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAChD,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG,IAAA,uCAAkB,EACtF,GAAG,CAAC,CAAC,CAAC,CACP,CAAC;QAEF,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,OAAO,CAAC;QAEjC,IAAI,EAAE,KAAK,2BAA2B,EAAE;YACtC,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;SACrF;QAED,IAAI,CAAC,EAAE,EAAE;YACP,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;SAC3D;QAED,IAAI,CAAC,CAAC,EAAE;YACN,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;SAC1D;QAED,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE;YACxB,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;SACpF;QAED,IAAI,kBAAkB,EAAE;YACtB,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;SACnF;QAED,IAAI,OAAO,KAAK,CAAC,EAAE;YACjB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;SACrF;QAED,IAAI,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACrB,IAAI,SAAS,GAAG,GAAG,EAAE;YACnB,MAAM,IAAI,KAAK,CAAC,gCAAgC,SAAS,CAAC,QAAQ,EAAE,iBAAiB,CAAC,CAAC;SACxF;QAED,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACjB,IAAI,QAAQ,GAAG,GAAG,EAAE;YAClB,MAAM,IAAI,KAAK,CAAC,+BAA+B,QAAQ,CAAC,QAAQ,EAAE,iBAAiB,CAAC,CAAC;SACtF;QAED,gGAAgG;QAChG,4DAA4D;QAE5D,qFAAqF;QACrF,MAAM,SAAS,GAAG,MAAM,iCAAe,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;
QAC7D,IAAI,SAAS,EAAE;YACb,yFAAyF;YACzF,gCAAgC;YAChC,IAAI,SAAS,CAAC,gBAAgB,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE;gBACxD,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;aAC3F;YAED,IAAI;gBACF,MAAM,IAAA,6DAA6B,EAAC,SAAS,EAAE,mBAAmB,EAAE,GAAG,CAAC,CAAC;aAC1E;YAAC,OAAO,GAAG,EAAE;gBACZ,MAAM,IAAI,GAAG,GAAY,CAAC;gBAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,gBAAgB,CAAC,CAAC;aAClD;SACF;aAAM;YACL,IAAI;gBACF,0FAA0F;gBAC1F,MAAM,IAAA,iDAAuB,EAAC,GAAG,CAAC,GAAG,CAAC,+CAAsB,CAAC,EAAE,gBAAgB,CAAC,CAAC;aAClF;YAAC,OAAO,GAAG,EAAE;gBACZ,MAAM,IAAI,GAAG,GAAY,CAAC;gBAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,gBAAgB,CAAC,CAAC;aAClD;SACF;QAED,QAAQ,GAAG,IAAA,iCAAe,EAAC,GAAG,EAAE,aAAa,EAAE,QAAQ,CAAC,CAAC;KAC1D;SAAM;QACL,MAAM,aAAa,GAAG,IAAA,qDAAyB,EAAC,mBAAmB,CAAC,CAAC;QAErE,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,GAAG,CAAC,CAAC;QAE5C,IAAI,CAAC,GAAG,EAAE;YACR,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;SAClE;QAED,MAAM,OAAO,GAAW,+BAAW,CAAC,GAAa,CAAC,CAAC;QAEnD,IAAI,GAAG,KAAK,2BAAO,CAAC,GAAG,EAAE;YACvB,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,GAAG,CAAC,CAAC;YAE5C,IAAI,CAAC,GAAG,EAAE;gBACR,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;aACrE;YAED,MAAM,iBAAiB,GAAG,IAAA,eAAM,EAAC,aAAa,EAAE,OAAO,CAAC,CAAC;YAEzD;;;;;;;;eAQG;YACH,MAAM,EAAE,GAAG,IAAI,kBAAQ,CAAC,EAAE,CAAC,2BAAO,CAAC,GAAa,CAAC,CAAC,CAAC;YACnD,MAAM,GAAG,GAAG,EAAE,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC;YAE5C,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC;SAC/C;aAAM,IAAI,GAAG,KAAK,2BAAO,CAAC,GAAG,EAAE;YAC9B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CAAC;YAExC,IAAI,CAAC,CAAC,EAAE;gBACN,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;aAC/D;YAED,MAAM,aAAa,GAAG,iCAAa,CAAC,GAAa,CAAC,CAAC;YAEnD,0BAA0B;YAC1B,MAAM,GAAG,GAAG,IAAI,kBAAO,EAAE,CAAC;YAC1B,GAAG,CAAC,UAAU,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC;YAClC,GAAG,CAAC,SAAS,CACX;gBACE,CAAC,EAAE,CAAW;gBACd,CAAC,EAAE,KAAK;aACT,EACD,mBAAmB,CACpB,CAAC;YAEF,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;SAC3C;aAAM,IAAI,GAAG,KAAK,2BAAO,CAAC,GAAG,EAAE;YAC9B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,4BAAQ,CAAC,CAAC,CAAC,CA
AC;YAExC,IAAI,CAAC,CAAC,EAAE;gBACN,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;aAC/D;YAED,MAAM,iBAAiB,GAAG,IAAA,eAAM,EAAC,aAAa,EAAE,OAAO,CAAC,CAAC;YAEzD,MAAM,GAAG,GAAG,IAAI,kBAAQ,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAC1C,GAAG,CAAC,aAAa,CAAC,CAAW,CAAC,CAAC;YAE/B,mCAAmC;YACnC,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,iBAAiB,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;SAC9D;KACF;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AApKD,0DAoKC"}
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
/// <reference types="node" />
|
|
2
2
|
import { RegistrationCredentialJSON, COSEAlgorithmIdentifier, CredentialDeviceType } from '@simplewebauthn/typescript-types';
|
|
3
3
|
import { AttestationFormat, AttestationStatement } from '../helpers/decodeAttestationObject';
|
|
4
|
+
import { AuthenticationExtensionsAuthenticatorOutputs } from '../helpers/decodeAuthenticatorExtensions';
|
|
4
5
|
export declare type VerifyRegistrationResponseOpts = {
|
|
5
6
|
credential: RegistrationCredentialJSON;
|
|
6
7
|
expectedChallenge: string | ((challenge: string) => boolean);
|
|
@@ -24,7 +25,7 @@ export declare type VerifyRegistrationResponseOpts = {
|
|
|
24
25
|
* @param supportedAlgorithmIDs Array of numeric COSE algorithm identifiers supported for
|
|
25
26
|
* attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
|
|
26
27
|
*/
|
|
27
|
-
export
|
|
28
|
+
export declare function verifyRegistrationResponse(options: VerifyRegistrationResponseOpts): Promise<VerifiedRegistrationResponse>;
|
|
28
29
|
/**
|
|
29
30
|
* Result of registration verification
|
|
30
31
|
*
|
|
@@ -45,6 +46,8 @@ export default function verifyRegistrationResponse(options: VerifyRegistrationRe
|
|
|
45
46
|
* @param registrationInfo.credentialBackedUp Whether or not the multi-device credential has been
|
|
46
47
|
* backed up. Always `false` for single-device credentials. **Should be kept in a DB for later
|
|
47
48
|
* reference!**
|
|
49
|
+
* @param registrationInfo?.authenticatorExtensionResults The authenticator extensions returned
|
|
50
|
+
* by the browser
|
|
48
51
|
*/
|
|
49
52
|
export declare type VerifiedRegistrationResponse = {
|
|
50
53
|
verified: boolean;
|
|
@@ -54,11 +57,12 @@ export declare type VerifiedRegistrationResponse = {
|
|
|
54
57
|
aaguid: string;
|
|
55
58
|
credentialID: Buffer;
|
|
56
59
|
credentialPublicKey: Buffer;
|
|
57
|
-
credentialType:
|
|
60
|
+
credentialType: 'public-key';
|
|
58
61
|
attestationObject: Buffer;
|
|
59
62
|
userVerified: boolean;
|
|
60
63
|
credentialDeviceType: CredentialDeviceType;
|
|
61
64
|
credentialBackedUp: boolean;
|
|
65
|
+
authenticatorExtensionResults?: AuthenticationExtensionsAuthenticatorOutputs;
|
|
62
66
|
};
|
|
63
67
|
};
|
|
64
68
|
/**
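Review bot: The new JSDoc line `* @param registrationInfo?.authenticatorExtensionResults The authenticator extensions returned` / `* by the browser` (hunk @@ -45,6 +46,8 @@) describes the wrong origin: the values in `authenticatorExtensionResults` are decoded from the extensions block of the authenticator data, not from the browser's client extension results, and RPs that conflate the two will look for the wrong thing. The `?.` in the param name is also not JSDoc syntax for an optional member. Suggest `* @param [registrationInfo.authenticatorExtensionResults] Extension outputs the authenticator embedded in authData (distinct from the client extension results the browser exposes)`. Since this is a generated `.d.ts`, the wording should be fixed in the TypeScript source that the map at the end of this diff names, `src/registration/verifyRegistrationResponse.ts`, rather than in `dist/`.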
|
|
@@ -3,23 +3,24 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
|
3
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
4
|
};
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
+
exports.verifyRegistrationResponse = void 0;
|
|
6
7
|
const base64url_1 = __importDefault(require("base64url"));
|
|
7
|
-
const decodeAttestationObject_1 =
|
|
8
|
-
const decodeClientDataJSON_1 =
|
|
9
|
-
const parseAuthenticatorData_1 =
|
|
10
|
-
const toHash_1 =
|
|
11
|
-
const decodeCredentialPublicKey_1 =
|
|
8
|
+
const decodeAttestationObject_1 = require("../helpers/decodeAttestationObject");
|
|
9
|
+
const decodeClientDataJSON_1 = require("../helpers/decodeClientDataJSON");
|
|
10
|
+
const parseAuthenticatorData_1 = require("../helpers/parseAuthenticatorData");
|
|
11
|
+
const toHash_1 = require("../helpers/toHash");
|
|
12
|
+
const decodeCredentialPublicKey_1 = require("../helpers/decodeCredentialPublicKey");
|
|
12
13
|
const convertCOSEtoPKCS_1 = require("../helpers/convertCOSEtoPKCS");
|
|
13
|
-
const convertAAGUIDToString_1 =
|
|
14
|
+
const convertAAGUIDToString_1 = require("../helpers/convertAAGUIDToString");
|
|
14
15
|
const parseBackupFlags_1 = require("../helpers/parseBackupFlags");
|
|
15
|
-
const settingsService_1 =
|
|
16
|
+
const settingsService_1 = require("../services/settingsService");
|
|
16
17
|
const generateRegistrationOptions_1 = require("./generateRegistrationOptions");
|
|
17
|
-
const
|
|
18
|
-
const
|
|
19
|
-
const
|
|
20
|
-
const
|
|
21
|
-
const
|
|
22
|
-
const
|
|
18
|
+
const verifyAttestationFIDOU2F_1 = require("./verifications/verifyAttestationFIDOU2F");
|
|
19
|
+
const verifyAttestationPacked_1 = require("./verifications/verifyAttestationPacked");
|
|
20
|
+
const verifyAttestationAndroidSafetyNet_1 = require("./verifications/verifyAttestationAndroidSafetyNet");
|
|
21
|
+
const verifyAttestationTPM_1 = require("./verifications/tpm/verifyAttestationTPM");
|
|
22
|
+
const verifyAttestationAndroidKey_1 = require("./verifications/verifyAttestationAndroidKey");
|
|
23
|
+
const verifyAttestationApple_1 = require("./verifications/verifyAttestationApple");
|
|
23
24
|
/**
|
|
24
25
|
* Verify that the user has legitimately completed the registration process
|
|
25
26
|
*
|
|
@@ -50,7 +51,7 @@ async function verifyRegistrationResponse(options) {
|
|
|
50
51
|
if (credentialType !== 'public-key') {
|
|
51
52
|
throw new Error(`Unexpected credential type ${credentialType}, expected "public-key"`);
|
|
52
53
|
}
|
|
53
|
-
const clientDataJSON = (0, decodeClientDataJSON_1.
|
|
54
|
+
const clientDataJSON = (0, decodeClientDataJSON_1.decodeClientDataJSON)(response.clientDataJSON);
|
|
54
55
|
const { type, origin, challenge, tokenBinding } = clientDataJSON;
|
|
55
56
|
// Make sure we're handling an registration
|
|
56
57
|
if (type !== 'webauthn.create') {
|
|
@@ -85,14 +86,14 @@ async function verifyRegistrationResponse(options) {
|
|
|
85
86
|
}
|
|
86
87
|
}
|
|
87
88
|
const attestationObject = base64url_1.default.toBuffer(response.attestationObject);
|
|
88
|
-
const decodedAttestationObject = (0, decodeAttestationObject_1.
|
|
89
|
+
const decodedAttestationObject = (0, decodeAttestationObject_1.decodeAttestationObject)(attestationObject);
|
|
89
90
|
const { fmt, authData, attStmt } = decodedAttestationObject;
|
|
90
|
-
const parsedAuthData = (0, parseAuthenticatorData_1.
|
|
91
|
-
const { aaguid, rpIdHash, flags, credentialID, counter, credentialPublicKey } = parsedAuthData;
|
|
91
|
+
const parsedAuthData = (0, parseAuthenticatorData_1.parseAuthenticatorData)(authData);
|
|
92
|
+
const { aaguid, rpIdHash, flags, credentialID, counter, credentialPublicKey, extensionsData } = parsedAuthData;
|
|
92
93
|
// Make sure the response's RP ID is ours
|
|
93
94
|
if (expectedRPID) {
|
|
94
95
|
if (typeof expectedRPID === 'string') {
|
|
95
|
-
const expectedRPIDHash = (0, toHash_1.
|
|
96
|
+
const expectedRPIDHash = (0, toHash_1.toHash)(Buffer.from(expectedRPID, 'ascii'));
|
|
96
97
|
if (!rpIdHash.equals(expectedRPIDHash)) {
|
|
97
98
|
throw new Error(`Unexpected RP ID hash`);
|
|
98
99
|
}
|
|
@@ -100,7 +101,7 @@ async function verifyRegistrationResponse(options) {
|
|
|
100
101
|
else {
|
|
101
102
|
// Go through each expected RP ID and try to find one that matches
|
|
102
103
|
const foundMatch = expectedRPID.some(expected => {
|
|
103
|
-
const expectedRPIDHash = (0, toHash_1.
|
|
104
|
+
const expectedRPIDHash = (0, toHash_1.toHash)(Buffer.from(expected, 'ascii'));
|
|
104
105
|
return rpIdHash.equals(expectedRPIDHash);
|
|
105
106
|
});
|
|
106
107
|
if (!foundMatch) {
|
|
@@ -125,7 +126,7 @@ async function verifyRegistrationResponse(options) {
|
|
|
125
126
|
if (!aaguid) {
|
|
126
127
|
throw new Error('No AAGUID was present during registration');
|
|
127
128
|
}
|
|
128
|
-
const decodedPublicKey = (0, decodeCredentialPublicKey_1.
|
|
129
|
+
const decodedPublicKey = (0, decodeCredentialPublicKey_1.decodeCredentialPublicKey)(credentialPublicKey);
|
|
129
130
|
const alg = decodedPublicKey.get(convertCOSEtoPKCS_1.COSEKEYS.alg);
|
|
130
131
|
if (typeof alg !== 'number') {
|
|
131
132
|
throw new Error('Credential public key was missing numeric alg');
|
|
@@ -135,8 +136,8 @@ async function verifyRegistrationResponse(options) {
|
|
|
135
136
|
const supported = supportedAlgorithmIDs.join(', ');
|
|
136
137
|
throw new Error(`Unexpected public key alg "${alg}", expected one of "${supported}"`);
|
|
137
138
|
}
|
|
138
|
-
const clientDataHash = (0, toHash_1.
|
|
139
|
-
const rootCertificates = settingsService_1.
|
|
139
|
+
const clientDataHash = (0, toHash_1.toHash)(base64url_1.default.toBuffer(response.clientDataJSON));
|
|
140
|
+
const rootCertificates = settingsService_1.SettingsService.getRootCertificates({ identifier: fmt });
|
|
140
141
|
// Prepare arguments to pass to the relevant verification method
|
|
141
142
|
const verifierOpts = {
|
|
142
143
|
aaguid,
|
|
@@ -153,22 +154,22 @@ async function verifyRegistrationResponse(options) {
|
|
|
153
154
|
*/
|
|
154
155
|
let verified = false;
|
|
155
156
|
if (fmt === 'fido-u2f') {
|
|
156
|
-
verified = await (0,
|
|
157
|
+
verified = await (0, verifyAttestationFIDOU2F_1.verifyAttestationFIDOU2F)(verifierOpts);
|
|
157
158
|
}
|
|
158
159
|
else if (fmt === 'packed') {
|
|
159
|
-
verified = await (0,
|
|
160
|
+
verified = await (0, verifyAttestationPacked_1.verifyAttestationPacked)(verifierOpts);
|
|
160
161
|
}
|
|
161
162
|
else if (fmt === 'android-safetynet') {
|
|
162
|
-
verified = await (0,
|
|
163
|
+
verified = await (0, verifyAttestationAndroidSafetyNet_1.verifyAttestationAndroidSafetyNet)(verifierOpts);
|
|
163
164
|
}
|
|
164
165
|
else if (fmt === 'android-key') {
|
|
165
|
-
verified = await (0,
|
|
166
|
+
verified = await (0, verifyAttestationAndroidKey_1.verifyAttestationAndroidKey)(verifierOpts);
|
|
166
167
|
}
|
|
167
168
|
else if (fmt === 'tpm') {
|
|
168
|
-
verified = await (0,
|
|
169
|
+
verified = await (0, verifyAttestationTPM_1.verifyAttestationTPM)(verifierOpts);
|
|
169
170
|
}
|
|
170
171
|
else if (fmt === 'apple') {
|
|
171
|
-
verified = await (0,
|
|
172
|
+
verified = await (0, verifyAttestationApple_1.verifyAttestationApple)(verifierOpts);
|
|
172
173
|
}
|
|
173
174
|
else if (fmt === 'none') {
|
|
174
175
|
if (Object.keys(attStmt).length > 0) {
|
|
@@ -188,7 +189,7 @@ async function verifyRegistrationResponse(options) {
|
|
|
188
189
|
toReturn.registrationInfo = {
|
|
189
190
|
fmt,
|
|
190
191
|
counter,
|
|
191
|
-
aaguid: (0, convertAAGUIDToString_1.
|
|
192
|
+
aaguid: (0, convertAAGUIDToString_1.convertAAGUIDToString)(aaguid),
|
|
192
193
|
credentialID,
|
|
193
194
|
credentialPublicKey,
|
|
194
195
|
credentialType,
|
|
@@ -196,9 +197,10 @@ async function verifyRegistrationResponse(options) {
|
|
|
196
197
|
userVerified: flags.uv,
|
|
197
198
|
credentialDeviceType,
|
|
198
199
|
credentialBackedUp,
|
|
200
|
+
authenticatorExtensionResults: extensionsData,
|
|
199
201
|
};
|
|
200
202
|
}
|
|
201
203
|
return toReturn;
|
|
202
204
|
}
|
|
203
|
-
exports.
|
|
205
|
+
exports.verifyRegistrationResponse = verifyRegistrationResponse;
|
|
204
206
|
//# sourceMappingURL=verifyRegistrationResponse.js.map
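Review bot: `authenticatorExtensionResults: extensionsData,` (hunk @@ -196,9 +197,10 @@) hands the decoded authData extensions to the caller with no indication that they are authenticator-supplied values that this function has only CBOR-decoded, and that for `fmt === 'none'` the authData carrying them is not covered by any attestation signature, so an RP making a policy decision on, say, a reported credential-protection level would be trusting unverified input. The value first appears in the widened destructure `const { aaguid, rpIdHash, flags, credentialID, counter, credentialPublicKey, extensionsData } = parsedAuthData;` (hunk @@ -85,14 +86,14 @@), which is the other place the change touches; the body of verifyRegistrationResponse starts and the 'none' branch continues outside these hunks. Suggest a why-comment on the new property: `// Raw extension outputs from authData; only decoded here, and not attested when fmt is 'none'`, and matching wording on the result type's JSDoc so callers know what the field does and does not guarantee.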
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verifyRegistrationResponse.js","sourceRoot":"","sources":["../../src/registration/verifyRegistrationResponse.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"verifyRegistrationResponse.js","sourceRoot":"","sources":["../../src/registration/verifyRegistrationResponse.ts"],"names":[],"mappings":";;;;;;AAAA,0DAAkC;AAOlC,gFAI4C;AAE5C,0EAAuE;AACvE,8EAA2E;AAC3E,8CAA2C;AAC3C,oFAAiF;AACjF,oEAAwD;AACxD,4EAAyE;AACzE,kEAA+D;AAC/D,iEAA8D;AAE9D,+EAAkF;AAClF,uFAAoF;AACpF,qFAAkF;AAClF,yGAAsG;AACtG,mFAAgF;AAChF,6FAA0F;AAC1F,mFAAgF;AAWhF;;;;;;;;;;;;;;GAcG;AACI,KAAK,UAAU,0BAA0B,CAC9C,OAAuC;IAEvC,MAAM,EACJ,UAAU,EACV,iBAAiB,EACjB,cAAc,EACd,YAAY,EACZ,uBAAuB,GAAG,KAAK,EAC/B,qBAAqB,GAAG,+DAAiC,GAC1D,GAAG,OAAO,CAAC;IACZ,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,GAAG,UAAU,CAAC;IAEjE,oCAAoC;IACpC,IAAI,CAAC,EAAE,EAAE;QACP,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;KAC1C;IAED,iCAAiC;IACjC,IAAI,EAAE,KAAK,KAAK,EAAE;QAChB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;KAC5D;IAED,0CAA0C;IAC1C,IAAI,cAAc,KAAK,YAAY,EAAE;QACnC,MAAM,IAAI,KAAK,CAAC,8BAA8B,cAAc,yBAAyB,CAAC,CAAC;KACxF;IAED,MAAM,cAAc,GAAG,IAAA,2CAAoB,EAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;IAErE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,cAAc,CAAC;IAEjE,2CAA2C;IAC3C,IAAI,IAAI,KAAK,iBAAiB,EAAE;QAC9B,MAAM,IAAI,KAAK,CAAC,0CAA0C,IAAI,EAAE,CAAC,CAAC;KACnE;IAED,sDAAsD;IACtD,IAAI,OAAO,iBAAiB,KAAK,UAAU,EAAE;QAC3C,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,EAAE;YACjC,MAAM,IAAI,KAAK,CACb,iFAAiF,SAAS,GAAG,CAC9F,CAAC;SACH;KACF;SAAM,IAAI,SAAS,KAAK,iBAAiB,EAAE;QAC1C,MAAM,IAAI,KAAK,CACb,+CAA+C,SAAS,gBAAgB,iBAAiB,GAAG,CAC7F,CAAC;KACH;IAED,oCAAoC;IACpC,IAAI,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE;QACjC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE;YACpC,MAAM,IAAI,KAAK,CACb,4CAA4C,MAAM,uBAAuB,cAAc,CAAC,IAAI,CAC1F,IAAI,CACL,EAAE,CACJ,CAAC;SACH;KACF;SAAM;QACL,IAAI,MAAM,KAAK,cAAc,EAAE;YAC7B,MAAM,IAAI,KAAK,CACb,4CAA4C,MAAM,gBAAgB,cAAc,GAAG,CACpF,CAAC;SACH;KACF;IAED,IAAI,YAAY,EAAE;QAChB,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE;YACpC,MAAM,IAAI,KAAK,CAAC,sCAAsC,YAAY,GAAG,CAAC,CAAC;SACxE;QAED,IAAI,CAAC,SAAS,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;YAC9E,MAAM,IAAI,KAAK,CAAC,4CAA4C,YAAY,CAAC
,MAAM,GAAG,CAAC,CAAC;SACrF;KACF;IAED,MAAM,iBAAiB,GAAG,mBAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;IACzE,MAAM,wBAAwB,GAAG,IAAA,iDAAuB,EAAC,iBAAiB,CAAC,CAAC;IAC5E,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,wBAAwB,CAAC;IAE5D,MAAM,cAAc,GAAG,IAAA,+CAAsB,EAAC,QAAQ,CAAC,CAAC;IACxD,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,GAC3F,cAAc,CAAC;IAEjB,yCAAyC;IACzC,IAAI,YAAY,EAAE;QAChB,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE;YACpC,MAAM,gBAAgB,GAAG,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC;YACpE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE;gBACtC,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;aAC1C;SACF;aAAM;YACL,kEAAkE;YAClE,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE;gBAC9C,MAAM,gBAAgB,GAAG,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;gBAChE,OAAO,QAAQ,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;YAC3C,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,UAAU,EAAE;gBACf,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;aAC1C;SACF;KACF;IAED,2CAA2C;IAC3C,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;KACzD;IAED,yCAAyC;IACzC,IAAI,uBAAuB,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE;QACxC,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;KAC/E;IAED,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;KACnE;IAED,IAAI,CAAC,mBAAmB,EAAE;QACxB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;KAChE;IAED,IAAI,CAAC,MAAM,EAAE;QACX,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;KAC9D;IAED,MAAM,gBAAgB,GAAG,IAAA,qDAAyB,EAAC,mBAAmB,CAAC,CAAC;IACxE,MAAM,GAAG,GAAG,gBAAgB,CAAC,GAAG,CAAC,4BAAQ,CAAC,GAAG,CAAC,CAAC;IAE/C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE;QAC3B,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;KAClE;IAED,kFAAkF;IAClF,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,GAAa,CAAC,EAAE;QAClD,MAAM,SAAS,GAAG,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,uBAAuB,SAAS,GAAG,CAAC,CAAC;KACvF;IAED,MAAM,cAAc,GAAG,IAAA,eAAM,EAAC,mBAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC;IAC3E,MAAM,gBAAgB,GAAG,iCAAe,CAAC,mBAAmB,CAAC,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;IAElF,gEAAgE;IAChE,MAAM,YAAY,GAAkC;QAClD
,MAAM;QACN,OAAO;QACP,QAAQ;QACR,cAAc;QACd,YAAY;QACZ,mBAAmB;QACnB,gBAAgB;QAChB,QAAQ;KACT,CAAC;IAEF;;OAEG;IACH,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,GAAG,KAAK,UAAU,EAAE;QACtB,QAAQ,GAAG,MAAM,IAAA,mDAAwB,EAAC,YAAY,CAAC,CAAC;KACzD;SAAM,IAAI,GAAG,KAAK,QAAQ,EAAE;QAC3B,QAAQ,GAAG,MAAM,IAAA,iDAAuB,EAAC,YAAY,CAAC,CAAC;KACxD;SAAM,IAAI,GAAG,KAAK,mBAAmB,EAAE;QACtC,QAAQ,GAAG,MAAM,IAAA,qEAAiC,EAAC,YAAY,CAAC,CAAC;KAClE;SAAM,IAAI,GAAG,KAAK,aAAa,EAAE;QAChC,QAAQ,GAAG,MAAM,IAAA,yDAA2B,EAAC,YAAY,CAAC,CAAC;KAC5D;SAAM,IAAI,GAAG,KAAK,KAAK,EAAE;QACxB,QAAQ,GAAG,MAAM,IAAA,2CAAoB,EAAC,YAAY,CAAC,CAAC;KACrD;SAAM,IAAI,GAAG,KAAK,OAAO,EAAE;QAC1B,QAAQ,GAAG,MAAM,IAAA,+CAAsB,EAAC,YAAY,CAAC,CAAC;KACvD;SAAM,IAAI,GAAG,KAAK,MAAM,EAAE;QACzB,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE;YACnC,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;SAC1E;QACD,kFAAkF;QAClF,QAAQ,GAAG,IAAI,CAAC;KACjB;SAAM;QACL,MAAM,IAAI,KAAK,CAAC,mCAAmC,GAAG,EAAE,CAAC,CAAC;KAC3D;IAED,MAAM,QAAQ,GAAiC;QAC7C,QAAQ;KACT,CAAC;IAEF,IAAI,QAAQ,CAAC,QAAQ,EAAE;QACrB,MAAM,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,GAAG,IAAA,mCAAgB,EAAC,KAAK,CAAC,CAAC;QAE7E,QAAQ,CAAC,gBAAgB,GAAG;YAC1B,GAAG;YACH,OAAO;YACP,MAAM,EAAE,IAAA,6CAAqB,EAAC,MAAM,CAAC;YACrC,YAAY;YACZ,mBAAmB;YACnB,cAAc;YACd,iBAAiB;YACjB,YAAY,EAAE,KAAK,CAAC,EAAE;YACtB,oBAAoB;YACpB,kBAAkB;YAClB,6BAA6B,EAAE,cAAc;SAC9C,CAAC;KACH;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AA5MD,gEA4MC"}
|