@simplewebauthn/server 7.4.0 → 8.0.0-alpha.0

package/LICENSE.md

@@ -2,20 +2,17 @@ MIT License
 
 Copyright (c) 2020 Matthew Miller
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
+associated documentation files (the "Software"), to deal in the Software without restriction,
+including without limitation the rights to use, copy, modify, merge, publish, distribute,
+sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+The above copyright notice and this permission notice shall be included in all copies or substantial
+portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT
+NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES
+OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -1,4 +1,5 @@
 <!-- omit in toc -->
+
 # @simplewebauthn/server
 
 ![WebAuthn](https://img.shields.io/badge/WebAuthn-Simplified-blueviolet?style=for-the-badge&logo=WebAuthn)
@@ -20,11 +21,14 @@ npm install @simplewebauthn/server
 
 ## Usage
 
-You can find in-depth documentation on this package here: https://simplewebauthn.dev/docs/packages/server
+You can find in-depth documentation on this package here:
+https://simplewebauthn.dev/docs/packages/server
 
 ## Supported Attestation Formats
 
-SimpleWebAuthn supports [all current WebAuthn attestation formats](https://w3c.github.io/webauthn/#sctn-defined-attestation-formats), including:
+SimpleWebAuthn supports
+[all current WebAuthn attestation formats](https://w3c.github.io/webauthn/#sctn-defined-attestation-formats),
+including:
 
 - **Android Key**
 - **Android SafetyNet**

package/{dist → esm}/authentication/generateAuthenticationOptions.d.ts

@@ -1,4 +1,4 @@
-import type { AuthenticationExtensionsClientInputs, PublicKeyCredentialRequestOptionsJSON, PublicKeyCredentialDescriptorFuture, UserVerificationRequirement } from '@simplewebauthn/typescript-types';
+import type { AuthenticationExtensionsClientInputs, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialRequestOptionsJSON, UserVerificationRequirement } from '../deps.js';
 export type GenerateAuthenticationOptionsOpts = {
     allowCredentials?: PublicKeyCredentialDescriptorFuture[];
     challenge?: string | Uint8Array;
@@ -20,4 +20,4 @@ export type GenerateAuthenticationOptionsOpts = {
  * @param extensions Additional plugins the authenticator or browser should use during authentication
  * @param rpID Valid domain name (after `https://`)
  */
-export declare function generateAuthenticationOptions(options?: GenerateAuthenticationOptionsOpts): PublicKeyCredentialRequestOptionsJSON;
+export declare function generateAuthenticationOptions(options?: GenerateAuthenticationOptionsOpts): Promise<PublicKeyCredentialRequestOptionsJSON>;

package/esm/authentication/generateAuthenticationOptions.js

@@ -0,0 +1,36 @@
+import { isoBase64URL, isoUint8Array } from '../helpers/iso/index.js';
+import { generateChallenge } from '../helpers/generateChallenge.js';
+/**
+ * Prepare a value to pass into navigator.credentials.get(...) for authenticator "login"
+ *
+ * @param allowCredentials Authenticators previously registered by the user, if any. If undefined
+ * the client will ask the user which credential they want to use
+ * @param challenge Random value the authenticator needs to sign and pass back
+ * user for authentication
+ * @param timeout How long (in ms) the user can take to complete authentication
+ * @param userVerification Set to `'discouraged'` when asserting as part of a 2FA flow, otherwise
+ * set to `'preferred'` or `'required'` as desired.
+ * @param extensions Additional plugins the authenticator or browser should use during authentication
+ * @param rpID Valid domain name (after `https://`)
+ */
+export async function generateAuthenticationOptions(options = {}) {
+    const { allowCredentials, challenge = await generateChallenge(), timeout = 60000, userVerification = 'preferred', extensions, rpID, } = options;
+    /**
+     * Preserve ability to specify `string` values for challenges
+     */
+    let _challenge = challenge;
+    if (typeof _challenge === 'string') {
+        _challenge = isoUint8Array.fromUTF8String(_challenge);
+    }
+    return {
+        challenge: isoBase64URL.fromBuffer(_challenge),
+        allowCredentials: allowCredentials?.map((cred) => ({
+            ...cred,
+            id: isoBase64URL.fromBuffer(cred.id),
+        })),
+        timeout,
+        userVerification,
+        extensions,
+        rpId: rpID,
+    };
+}

package/{dist → esm}/authentication/verifyAuthenticationResponse.d.ts

@@ -1,5 +1,5 @@
-import { AuthenticationResponseJSON, AuthenticatorDevice, CredentialDeviceType, UserVerificationRequirement } from '@simplewebauthn/typescript-types';
-import { AuthenticationExtensionsAuthenticatorOutputs } from '../helpers/decodeAuthenticatorExtensions';
+import type { AuthenticationResponseJSON, AuthenticatorDevice, CredentialDeviceType, UserVerificationRequirement } from '../deps.js';
+import { AuthenticationExtensionsAuthenticatorOutputs } from '../helpers/decodeAuthenticatorExtensions.js';
 export type VerifyAuthenticationResponseOpts = {
     response: AuthenticationResponseJSON;
     expectedChallenge: string | ((challenge: string) => boolean);

package/esm/authentication/verifyAuthenticationResponse.js

@@ -0,0 +1,164 @@
+import { decodeClientDataJSON } from '../helpers/decodeClientDataJSON.js';
+import { toHash } from '../helpers/toHash.js';
+import { verifySignature } from '../helpers/verifySignature.js';
+import { parseAuthenticatorData } from '../helpers/parseAuthenticatorData.js';
+import { parseBackupFlags } from '../helpers/parseBackupFlags.js';
+import { matchExpectedRPID } from '../helpers/matchExpectedRPID.js';
+import { isoBase64URL, isoUint8Array } from '../helpers/iso/index.js';
+/**
+ * Verify that the user has legitimately completed the login process
+ *
+ * **Options:**
+ *
+ * @param response Response returned by **@simplewebauthn/browser**'s `startAssertion()`
+ * @param expectedChallenge The base64url-encoded `options.challenge` returned by
+ * `generateAuthenticationOptions()`
+ * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
+ * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
+ * @param authenticator An internal {@link AuthenticatorDevice} matching the credential's ID
+ * @param requireUserVerification (Optional) Enforce user verification by the authenticator
+ * (via PIN, fingerprint, etc...)
+ * @param advancedFIDOConfig (Optional) Options for satisfying more stringent FIDO RP feature
+ * requirements
+ * @param advancedFIDOConfig.userVerification (Optional) Enable alternative rules for evaluating the
+ * User Presence and User Verified flags in authenticator data: UV (and UP) flags are optional
+ * unless this value is `"required"`
+ */
+export async function verifyAuthenticationResponse(options) {
+    const { response, expectedChallenge, expectedOrigin, expectedRPID, authenticator, requireUserVerification = true, advancedFIDOConfig, } = options;
+    const { id, rawId, type: credentialType, response: assertionResponse } = response;
+    // Ensure credential specified an ID
+    if (!id) {
+        throw new Error('Missing credential ID');
+    }
+    // Ensure ID is base64url-encoded
+    if (id !== rawId) {
+        throw new Error('Credential ID was not base64url-encoded');
+    }
+    // Make sure credential type is public-key
+    if (credentialType !== 'public-key') {
+        throw new Error(`Unexpected credential type ${credentialType}, expected "public-key"`);
+    }
+    if (!response) {
+        throw new Error('Credential missing response');
+    }
+    if (typeof assertionResponse?.clientDataJSON !== 'string') {
+        throw new Error('Credential response clientDataJSON was not a string');
+    }
+    const clientDataJSON = decodeClientDataJSON(assertionResponse.clientDataJSON);
+    const { type, origin, challenge, tokenBinding } = clientDataJSON;
+    // Make sure we're handling an authentication
+    if (type !== 'webauthn.get') {
+        throw new Error(`Unexpected authentication response type: ${type}`);
+    }
+    // Ensure the device provided the challenge we gave it
+    if (typeof expectedChallenge === 'function') {
+        if (!expectedChallenge(challenge)) {
+            throw new Error(`Custom challenge verifier returned false for registration response challenge "${challenge}"`);
+        }
+    }
+    else if (challenge !== expectedChallenge) {
+        throw new Error(`Unexpected authentication response challenge "${challenge}", expected "${expectedChallenge}"`);
+    }
+    // Check that the origin is our site
+    if (Array.isArray(expectedOrigin)) {
+        if (!expectedOrigin.includes(origin)) {
+            const joinedExpectedOrigin = expectedOrigin.join(', ');
+            throw new Error(`Unexpected authentication response origin "${origin}", expected one of: ${joinedExpectedOrigin}`);
+        }
+    }
+    else {
+        if (origin !== expectedOrigin) {
+            throw new Error(`Unexpected authentication response origin "${origin}", expected "${expectedOrigin}"`);
+        }
+    }
+    if (!isoBase64URL.isBase64url(assertionResponse.authenticatorData)) {
+        throw new Error('Credential response authenticatorData was not a base64url string');
+    }
+    if (!isoBase64URL.isBase64url(assertionResponse.signature)) {
+        throw new Error('Credential response signature was not a base64url string');
+    }
+    if (assertionResponse.userHandle &&
+        typeof assertionResponse.userHandle !== 'string') {
+        throw new Error('Credential response userHandle was not a string');
+    }
+    if (tokenBinding) {
+        if (typeof tokenBinding !== 'object') {
+            throw new Error('ClientDataJSON tokenBinding was not an object');
+        }
+        if (['present', 'supported', 'notSupported'].indexOf(tokenBinding.status) < 0) {
+            throw new Error(`Unexpected tokenBinding status ${tokenBinding.status}`);
+        }
+    }
+    const authDataBuffer = isoBase64URL.toBuffer(assertionResponse.authenticatorData);
+    const parsedAuthData = parseAuthenticatorData(authDataBuffer);
+    const { rpIdHash, flags, counter, extensionsData } = parsedAuthData;
+    // Make sure the response's RP ID is ours
+    let expectedRPIDs = [];
+    if (typeof expectedRPID === 'string') {
+        expectedRPIDs = [expectedRPID];
+    }
+    else {
+        expectedRPIDs = expectedRPID;
+    }
+    const matchedRPID = await matchExpectedRPID(rpIdHash, expectedRPIDs);
+    if (advancedFIDOConfig !== undefined) {
+        const { userVerification: fidoUserVerification } = advancedFIDOConfig;
+        /**
+         * Use FIDO Conformance-defined rules for verifying UP and UV flags
+         */
+        if (fidoUserVerification === 'required') {
+            // Require `flags.uv` be true (implies `flags.up` is true)
+            if (!flags.uv) {
+                throw new Error('User verification required, but user could not be verified');
+            }
+        }
+        else if (fidoUserVerification === 'preferred' ||
+            fidoUserVerification === 'discouraged') {
+            // Ignore `flags.uv`
+        }
+    }
+    else {
+        /**
+         * Use WebAuthn spec-defined rules for verifying UP and UV flags
+         */
+        // WebAuthn only requires the user presence flag be true
+        if (!flags.up) {
+            throw new Error('User not present during authentication');
+        }
+        // Enforce user verification if required
+        if (requireUserVerification && !flags.uv) {
+            throw new Error('User verification required, but user could not be verified');
+        }
+    }
+    const clientDataHash = await toHash(isoBase64URL.toBuffer(assertionResponse.clientDataJSON));
+    const signatureBase = isoUint8Array.concat([authDataBuffer, clientDataHash]);
+    const signature = isoBase64URL.toBuffer(assertionResponse.signature);
+    if ((counter > 0 || authenticator.counter > 0) &&
+        counter <= authenticator.counter) {
+        // Error out when the counter in the DB is greater than or equal to the counter in the
+        // dataStruct. It's related to how the authenticator maintains the number of times its been
+        // used for this client. If this happens, then someone's somehow increased the counter
+        // on the device without going through this site
+        throw new Error(`Response counter value ${counter} was lower than expected ${authenticator.counter}`);
+    }
+    const { credentialDeviceType, credentialBackedUp } = parseBackupFlags(flags);
+    const toReturn = {
+        verified: await verifySignature({
+            signature,
+            data: signatureBase,
+            credentialPublicKey: authenticator.credentialPublicKey,
+        }),
+        authenticationInfo: {
+            newCounter: counter,
+            credentialID: authenticator.credentialID,
+            userVerified: flags.uv,
+            credentialDeviceType,
+            credentialBackedUp,
+            authenticatorExtensionResults: extensionsData,
+            origin: clientDataJSON.origin,
+            rpID: matchedRPID,
+        },
+    };
+    return toReturn;
+}

package/esm/deps.d.ts

@@ -0,0 +1,10 @@
+export type { AttestationConveyancePreference, AuthenticationExtensionsClientInputs, AuthenticationResponseJSON, AuthenticatorDevice, AuthenticatorSelectionCriteria, Base64URLString, COSEAlgorithmIdentifier, CredentialDeviceType, Crypto, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialParameters, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON, UserVerificationRequirement, } from '@simplewebauthn/typescript-types';
+export * as cborx from 'cbor-x';
+export { fetch as crossFetch } from 'cross-fetch';
+export { default as debug } from 'debug';
+export type { Debugger } from '@types/debug';
+export { AsnParser, AsnSerializer } from '@peculiar/asn1-schema';
+export { AuthorityKeyIdentifier, BasicConstraints, Certificate, CertificateList, CRLDistributionPoints, ExtendedKeyUsage, id_ce_authorityKeyIdentifier, id_ce_basicConstraints, id_ce_cRLDistributionPoints, id_ce_extKeyUsage, id_ce_subjectAltName, id_ce_subjectKeyIdentifier, Name, SubjectAlternativeName, SubjectKeyIdentifier, } from '@peculiar/asn1-x509';
+export { ECDSASigValue, ECParameters, id_ecPublicKey, id_secp256r1, id_secp384r1, } from '@peculiar/asn1-ecc';
+export { RSAPublicKey } from '@peculiar/asn1-rsa';
+export { id_ce_keyDescription, KeyDescription } from '@peculiar/asn1-android';

package/esm/deps.js

@@ -0,0 +1,12 @@
+// cbor (a.k.a. cbor-x in Node land)
+export * as cborx from 'cbor-x';
+// cross-fetch
+export { fetch as crossFetch } from 'cross-fetch';
+// debug
+export { default as debug } from 'debug';
+// @peculiar libraries
+export { AsnParser, AsnSerializer } from '@peculiar/asn1-schema';
+export { AuthorityKeyIdentifier, BasicConstraints, Certificate, CertificateList, CRLDistributionPoints, ExtendedKeyUsage, id_ce_authorityKeyIdentifier, id_ce_basicConstraints, id_ce_cRLDistributionPoints, id_ce_extKeyUsage, id_ce_subjectAltName, id_ce_subjectKeyIdentifier, Name, SubjectAlternativeName, SubjectKeyIdentifier, } from '@peculiar/asn1-x509';
+export { ECDSASigValue, ECParameters, id_ecPublicKey, id_secp256r1, id_secp384r1, } from '@peculiar/asn1-ecc';
+export { RSAPublicKey } from '@peculiar/asn1-rsa';
+export { id_ce_keyDescription, KeyDescription } from '@peculiar/asn1-android';

package/esm/helpers/convertAAGUIDToString.js

@@ -0,0 +1,17 @@
+import { isoUint8Array } from './iso/index.js';
+/**
+ * Convert the aaguid buffer in authData into a UUID string
+ */
+export function convertAAGUIDToString(aaguid) {
+    // Raw Hex: adce000235bcc60a648b0b25f1f05503
+    const hex = isoUint8Array.toHex(aaguid);
+    const segments = [
+        hex.slice(0, 8),
+        hex.slice(8, 12),
+        hex.slice(12, 16),
+        hex.slice(16, 20),
+        hex.slice(20, 32), // 8
+    ];
+    // Formatted: adce0002-35bc-c60a-648b-0b25f1f05503
+    return segments.join('-');
+}

package/esm/helpers/convertCOSEtoPKCS.js

@@ -0,0 +1,21 @@
+import { isoCBOR, isoUint8Array } from './iso/index.js';
+import { COSEKEYS } from './cose.js';
+/**
+ * Takes COSE-encoded public key and converts it to PKCS key
+ */
+export function convertCOSEtoPKCS(cosePublicKey) {
+    // This is a little sloppy, I'm using COSEPublicKeyEC2 since it could have both x and y, but when
+    // there's no y it means it's probably better typed as COSEPublicKeyOKP. I'll leave this for now
+    // and revisit it later if it ever becomes an actual problem.
+    const struct = isoCBOR.decodeFirst(cosePublicKey);
+    const tag = Uint8Array.from([0x04]);
+    const x = struct.get(COSEKEYS.x);
+    const y = struct.get(COSEKEYS.y);
+    if (!x) {
+        throw new Error('COSE public key was missing x');
+    }
+    if (y) {
+        return isoUint8Array.concat([tag, x, y]);
+    }
+    return isoUint8Array.concat([tag, x]);
+}

package/{dist → esm}/helpers/convertCertBufferToPEM.d.ts

@@ -1,4 +1,4 @@
-import type { Base64URLString } from '@simplewebauthn/typescript-types';
+import type { Base64URLString } from '../deps.js';
 /**
  * Convert buffer to an OpenSSL-compatible PEM text format.
  */

package/esm/helpers/convertCertBufferToPEM.js

@@ -0,0 +1,31 @@
+import { isoBase64URL } from './iso/index.js';
+/**
+ * Convert buffer to an OpenSSL-compatible PEM text format.
+ */
+export function convertCertBufferToPEM(certBuffer) {
+    let b64cert;
+    /**
+     * Get certBuffer to a base64 representation
+     */
+    if (typeof certBuffer === 'string') {
+        if (isoBase64URL.isBase64url(certBuffer)) {
+            b64cert = isoBase64URL.toBase64(certBuffer);
+        }
+        else if (isoBase64URL.isBase64(certBuffer)) {
+            b64cert = certBuffer;
+        }
+        else {
+            throw new Error('Certificate is not a valid base64 or base64url string');
+        }
+    }
+    else {
+        b64cert = isoBase64URL.fromBuffer(certBuffer, 'base64');
+    }
+    let PEMKey = '';
+    for (let i = 0; i < Math.ceil(b64cert.length / 64); i += 1) {
+        const start = 64 * i;
+        PEMKey += `${b64cert.substr(start, 64)}\n`;
+    }
+    PEMKey = `-----BEGIN CERTIFICATE-----\n${PEMKey}-----END CERTIFICATE-----\n`;
+    return PEMKey;
+}

package/esm/helpers/convertPEMToBytes.js

@@ -0,0 +1,11 @@
+import { isoBase64URL } from './iso/index.js';
+/**
+ * Take a certificate in PEM format and convert it to bytes
+ */
+export function convertPEMToBytes(pem) {
+    const certBase64 = pem
+        .replace('-----BEGIN CERTIFICATE-----', '')
+        .replace('-----END CERTIFICATE-----', '')
+        .replace(/[\n ]/g, '');
+    return isoBase64URL.toBuffer(certBase64, 'base64');
+}

package/{dist → esm}/helpers/convertX509PublicKeyToCOSE.d.ts

@@ -1,2 +1,2 @@
-import { COSEPublicKey } from './cose';
+import { COSEPublicKey } from './cose.js';
 export declare function convertX509PublicKeyToCOSE(x509Certificate: Uint8Array): COSEPublicKey;

package/esm/helpers/convertX509PublicKeyToCOSE.js

@@ -0,0 +1,70 @@
+import { AsnParser, Certificate, ECParameters, id_ecPublicKey, id_secp256r1, id_secp384r1, RSAPublicKey, } from '../deps.js';
+import { COSECRV, COSEKEYS, COSEKTY, } from './cose.js';
+import { mapX509SignatureAlgToCOSEAlg } from './mapX509SignatureAlgToCOSEAlg.js';
+export function convertX509PublicKeyToCOSE(x509Certificate) {
+    let cosePublicKey = new Map();
+    /**
+     * Time to extract the public key from an X.509 certificate
+     */
+    const x509 = AsnParser.parse(x509Certificate, Certificate);
+    const { tbsCertificate } = x509;
+    const { subjectPublicKeyInfo, signature: _tbsSignature } = tbsCertificate;
+    const signatureAlgorithm = _tbsSignature.algorithm;
+    const publicKeyAlgorithmID = subjectPublicKeyInfo.algorithm.algorithm;
+    if (publicKeyAlgorithmID === id_ecPublicKey) {
+        /**
+         * EC2 Public Key
+         */
+        if (!subjectPublicKeyInfo.algorithm.parameters) {
+            throw new Error('Certificate public key was missing parameters (EC2)');
+        }
+        const ecParameters = AsnParser.parse(new Uint8Array(subjectPublicKeyInfo.algorithm.parameters), ECParameters);
+        let crv = -999;
+        const { namedCurve } = ecParameters;
+        if (namedCurve === id_secp256r1) {
+            crv = COSECRV.P256;
+        }
+        else if (namedCurve === id_secp384r1) {
+            crv = COSECRV.P384;
+        }
+        else {
+            throw new Error(`Certificate public key contained unexpected namedCurve ${namedCurve} (EC2)`);
+        }
+        const subjectPublicKey = new Uint8Array(subjectPublicKeyInfo.subjectPublicKey);
+        let x;
+        let y;
+        if (subjectPublicKey[0] === 0x04) {
+            // Public key is in "uncompressed form", so we can split the remaining bytes in half
+            let pointer = 1;
+            const halfLength = (subjectPublicKey.length - 1) / 2;
+            x = subjectPublicKey.slice(pointer, pointer += halfLength);
+            y = subjectPublicKey.slice(pointer);
+        }
+        else {
+            throw new Error('TODO: Figure out how to handle public keys in "compressed form"');
+        }
+        const coseEC2PubKey = new Map();
+        coseEC2PubKey.set(COSEKEYS.kty, COSEKTY.EC2);
+        coseEC2PubKey.set(COSEKEYS.alg, mapX509SignatureAlgToCOSEAlg(signatureAlgorithm));
+        coseEC2PubKey.set(COSEKEYS.crv, crv);
+        coseEC2PubKey.set(COSEKEYS.x, x);
+        coseEC2PubKey.set(COSEKEYS.y, y);
+        cosePublicKey = coseEC2PubKey;
+    }
+    else if (publicKeyAlgorithmID === '1.2.840.113549.1.1.1') {
+        /**
+         * RSA public key
+         */
+        const rsaPublicKey = AsnParser.parse(subjectPublicKeyInfo.subjectPublicKey, RSAPublicKey);
+        const coseRSAPubKey = new Map();
+        coseRSAPubKey.set(COSEKEYS.kty, COSEKTY.RSA);
+        coseRSAPubKey.set(COSEKEYS.alg, mapX509SignatureAlgToCOSEAlg(signatureAlgorithm));
+        coseRSAPubKey.set(COSEKEYS.n, new Uint8Array(rsaPublicKey.modulus));
+        coseRSAPubKey.set(COSEKEYS.e, new Uint8Array(rsaPublicKey.publicExponent));
+        cosePublicKey = coseRSAPubKey;
+    }
+    else {
+        throw new Error(`Certificate public key contained unexpected algorithm ID ${publicKeyAlgorithmID}`);
+    }
+    return cosePublicKey;
+}

package/{dist → esm}/helpers/cose.d.ts

@@ -72,7 +72,8 @@ export declare enum COSECRV {
     P256 = 1,
     P384 = 2,
     P521 = 3,
-    ED25519 = 6
+    ED25519 = 6,
+    SECP256K1 = 8
 }
 export declare function isCOSECrv(crv: number | undefined): crv is COSECRV;
 /**

package/esm/helpers/cose.js

@@ -0,0 +1,81 @@
+export function isCOSEPublicKeyOKP(cosePublicKey) {
+    const kty = cosePublicKey.get(COSEKEYS.kty);
+    return isCOSEKty(kty) && kty === COSEKTY.OKP;
+}
+export function isCOSEPublicKeyEC2(cosePublicKey) {
+    const kty = cosePublicKey.get(COSEKEYS.kty);
+    return isCOSEKty(kty) && kty === COSEKTY.EC2;
+}
+export function isCOSEPublicKeyRSA(cosePublicKey) {
+    const kty = cosePublicKey.get(COSEKEYS.kty);
+    return isCOSEKty(kty) && kty === COSEKTY.RSA;
+}
+/**
+ * COSE Keys
+ *
+ * https://www.iana.org/assignments/cose/cose.xhtml#key-common-parameters
+ * https://www.iana.org/assignments/cose/cose.xhtml#key-type-parameters
+ */
+export var COSEKEYS;
+(function (COSEKEYS) {
+    COSEKEYS[COSEKEYS["kty"] = 1] = "kty";
+    COSEKEYS[COSEKEYS["alg"] = 3] = "alg";
+    COSEKEYS[COSEKEYS["crv"] = -1] = "crv";
+    COSEKEYS[COSEKEYS["x"] = -2] = "x";
+    COSEKEYS[COSEKEYS["y"] = -3] = "y";
+    COSEKEYS[COSEKEYS["n"] = -1] = "n";
+    COSEKEYS[COSEKEYS["e"] = -2] = "e";
+})(COSEKEYS || (COSEKEYS = {}));
+/**
+ * COSE Key Types
+ *
+ * https://www.iana.org/assignments/cose/cose.xhtml#key-type
+ */
+export var COSEKTY;
+(function (COSEKTY) {
+    COSEKTY[COSEKTY["OKP"] = 1] = "OKP";
+    COSEKTY[COSEKTY["EC2"] = 2] = "EC2";
+    COSEKTY[COSEKTY["RSA"] = 3] = "RSA";
+})(COSEKTY || (COSEKTY = {}));
+export function isCOSEKty(kty) {
+    return Object.values(COSEKTY).indexOf(kty) >= 0;
+}
+/**
+ * COSE Curves
+ *
+ * https://www.iana.org/assignments/cose/cose.xhtml#elliptic-curves
+ */
+export var COSECRV;
+(function (COSECRV) {
+    COSECRV[COSECRV["P256"] = 1] = "P256";
+    COSECRV[COSECRV["P384"] = 2] = "P384";
+    COSECRV[COSECRV["P521"] = 3] = "P521";
+    COSECRV[COSECRV["ED25519"] = 6] = "ED25519";
+    COSECRV[COSECRV["SECP256K1"] = 8] = "SECP256K1";
+})(COSECRV || (COSECRV = {}));
+export function isCOSECrv(crv) {
+    return Object.values(COSECRV).indexOf(crv) >= 0;
+}
+/**
+ * COSE Algorithms
+ *
+ * https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+ */
+export var COSEALG;
+(function (COSEALG) {
+    COSEALG[COSEALG["ES256"] = -7] = "ES256";
+    COSEALG[COSEALG["EdDSA"] = -8] = "EdDSA";
+    COSEALG[COSEALG["ES384"] = -35] = "ES384";
+    COSEALG[COSEALG["ES512"] = -36] = "ES512";
+    COSEALG[COSEALG["PS256"] = -37] = "PS256";
+    COSEALG[COSEALG["PS384"] = -38] = "PS384";
+    COSEALG[COSEALG["PS512"] = -39] = "PS512";
+    COSEALG[COSEALG["ES256K"] = -47] = "ES256K";
+    COSEALG[COSEALG["RS256"] = -257] = "RS256";
+    COSEALG[COSEALG["RS384"] = -258] = "RS384";
+    COSEALG[COSEALG["RS512"] = -259] = "RS512";
+    COSEALG[COSEALG["RS1"] = -65535] = "RS1";
+})(COSEALG || (COSEALG = {}));
+export function isCOSEAlg(alg) {
+    return Object.values(COSEALG).indexOf(alg) >= 0;
+}

package/{dist → esm}/helpers/decodeAttestationObject.d.ts

@@ -24,3 +24,6 @@ export type AttestationStatement = {
     get(key: 'pubArea'): Uint8Array | undefined;
     readonly size: number;
 };
+export declare const _decodeAttestationObjectInternals: {
+    stubThis: (value: AttestationObject) => AttestationObject;
+};

package/esm/helpers/decodeAttestationObject.js

@@ -0,0 +1,13 @@
+import { isoCBOR } from './iso/index.js';
+/**
+ * Convert an AttestationObject buffer to a proper object
+ *
+ * @param base64AttestationObject Attestation Object buffer
+ */
+export function decodeAttestationObject(attestationObject) {
+    return _decodeAttestationObjectInternals.stubThis(isoCBOR.decodeFirst(attestationObject));
+}
+// Make it possible to stub the return value during testing
+export const _decodeAttestationObjectInternals = {
+    stubThis: (value) => value,
+};

package/esm/helpers/decodeAuthenticatorExtensions.js

@@ -0,0 +1,34 @@
+import { isoCBOR } from './iso/index.js';
+/**
+ * Convert authenticator extension data buffer to a proper object
+ *
+ * @param extensionData Authenticator Extension Data buffer
+ */
+export function decodeAuthenticatorExtensions(extensionData) {
+    let toCBOR;
+    try {
+        toCBOR = isoCBOR.decodeFirst(extensionData);
+    }
+    catch (err) {
+        const _err = err;
+        throw new Error(`Error decoding authenticator extensions: ${_err.message}`);
+    }
+    return convertMapToObjectDeep(toCBOR);
+}
+/**
+ * CBOR-encoded extensions can be deeply-nested Maps, which are too deep for a simple
+ * `Object.entries()`. This method will recursively make sure that all Maps are converted into
+ * basic objects.
+ */
+function convertMapToObjectDeep(input) {
+    const mapped = {};
+    for (const [key, value] of input) {
+        if (value instanceof Map) {
+            mapped[key] = convertMapToObjectDeep(value);
+        }
+        else {
+            mapped[key] = value;
+        }
+    }
+    return mapped;
+}

package/{dist → esm}/helpers/decodeClientDataJSON.d.ts

@@ -12,3 +12,6 @@ export type ClientDataJSON = {
         status: 'present' | 'supported' | 'not-supported';
     };
 };
+export declare const _decodeClientDataJSONInternals: {
+    stubThis: (value: ClientDataJSON) => ClientDataJSON;
+};

package/esm/helpers/decodeClientDataJSON.js

@@ -0,0 +1,13 @@
+import { isoBase64URL } from './iso/index.js';
+/**
+ * Decode an authenticator's base64url-encoded clientDataJSON to JSON
+ */
+export function decodeClientDataJSON(data) {
+    const toString = isoBase64URL.toString(data);
+    const clientData = JSON.parse(toString);
+    return _decodeClientDataJSONInternals.stubThis(clientData);
+}
+// Make it possible to stub the return value during testing
+export const _decodeClientDataJSONInternals = {
+    stubThis: (value) => value,
+};

package/esm/helpers/decodeCredentialPublicKey.d.ts

@@ -0,0 +1,5 @@
+import { COSEPublicKey } from './cose.js';
+export declare function decodeCredentialPublicKey(publicKey: Uint8Array): COSEPublicKey;
+export declare const _decodeCredentialPublicKeyInternals: {
+    stubThis: (value: COSEPublicKey) => COSEPublicKey;
+};