@simplewebauthn/server 7.4.0 → 8.0.0-alpha.0

package/script/metadata/mdsTypes.d.ts

@@ -0,0 +1,216 @@
+import type { Base64URLString } from '../deps.js';
+/**
+ * Metadata Service structures
+ * https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html
+ */
+export type MDSJWTHeader = {
+    alg: string;
+    typ: string;
+    x5c: Base64URLString[];
+};
+export type MDSJWTPayload = {
+    legalHeader: string;
+    no: number;
+    nextUpdate: string;
+    entries: MetadataBLOBPayloadEntry[];
+};
+export type MetadataBLOBPayloadEntry = {
+    aaid?: string;
+    aaguid?: string;
+    attestationCertificateKeyIdentifiers?: string[];
+    metadataStatement?: MetadataStatement;
+    biometricStatusReports?: BiometricStatusReport[];
+    statusReports: StatusReport[];
+    timeOfLastStatusChange: string;
+    rogueListURL?: string;
+    rogueListHash?: string;
+};
+export type BiometricStatusReport = {
+    certLevel: number;
+    modality: UserVerify;
+    effectiveDate?: string;
+    certificationDescriptor?: string;
+    certificateNumber?: string;
+    certificationPolicyVersion?: string;
+    certificationRequirementsVersion?: string;
+};
+export type StatusReport = {
+    status: AuthenticatorStatus;
+    effectiveDate?: string;
+    authenticatorVersion?: number;
+    certificate?: string;
+    url?: string;
+    certificationDescriptor?: string;
+    certificateNumber?: string;
+    certificationPolicyVersion?: string;
+    certificationRequirementsVersion?: string;
+};
+export type AuthenticatorStatus = 'NOT_FIDO_CERTIFIED' | 'FIDO_CERTIFIED' | 'USER_VERIFICATION_BYPASS' | 'ATTESTATION_KEY_COMPROMISE' | 'USER_KEY_REMOTE_COMPROMISE' | 'USER_KEY_PHYSICAL_COMPROMISE' | 'UPDATE_AVAILABLE' | 'REVOKED' | 'SELF_ASSERTION_SUBMITTED' | 'FIDO_CERTIFIED_L1' | 'FIDO_CERTIFIED_L1plus' | 'FIDO_CERTIFIED_L2' | 'FIDO_CERTIFIED_L2plus' | 'FIDO_CERTIFIED_L3' | 'FIDO_CERTIFIED_L3plus';
+/**
+ * Types defined in the FIDO Metadata Statement spec
+ *
+ * See https://fidoalliance.org/specs/mds/fido-metadata-statement-v3.0-ps-20210518.html
+ */
+export type CodeAccuracyDescriptor = {
+    base: number;
+    minLength: number;
+    maxRetries?: number;
+    blockSlowdown?: number;
+};
+export type BiometricAccuracyDescriptor = {
+    selfAttestedFRR?: number;
+    selfAttestedFAR?: number;
+    maxTemplates?: number;
+    maxRetries?: number;
+    blockSlowdown?: number;
+};
+export type PatternAccuracyDescriptor = {
+    minComplexity: number;
+    maxRetries?: number;
+    blockSlowdown?: number;
+};
+export type VerificationMethodDescriptor = {
+    userVerificationMethod: UserVerify;
+    caDesc?: CodeAccuracyDescriptor;
+    baDesc?: BiometricAccuracyDescriptor;
+    paDesc?: PatternAccuracyDescriptor;
+};
+export type VerificationMethodANDCombinations = VerificationMethodDescriptor[];
+export type rgbPaletteEntry = {
+    r: number;
+    g: number;
+    b: number;
+};
+export type DisplayPNGCharacteristicsDescriptor = {
+    width: number;
+    height: number;
+    bitDepth: number;
+    colorType: number;
+    compression: number;
+    filter: number;
+    interlace: number;
+    plte?: rgbPaletteEntry[];
+};
+export type EcdaaTrustAnchor = {
+    X: string;
+    Y: string;
+    c: string;
+    sx: string;
+    sy: string;
+    G1Curve: string;
+};
+export type ExtensionDescriptor = {
+    id: string;
+    tag?: number;
+    data?: string;
+    fail_if_unknown: boolean;
+};
+export type AlternativeDescriptions = {
+    [langCode: string]: string;
+};
+export type MetadataStatement = {
+    legalHeader?: string;
+    aaid?: string;
+    aaguid?: string;
+    attestationCertificateKeyIdentifiers?: string[];
+    description: string;
+    alternativeDescriptions?: AlternativeDescriptions;
+    authenticatorVersion: number;
+    protocolFamily: string;
+    schema: number;
+    upv: Version[];
+    authenticationAlgorithms: AlgSign[];
+    publicKeyAlgAndEncodings: AlgKey[];
+    attestationTypes: Attestation[];
+    userVerificationDetails: VerificationMethodANDCombinations[];
+    keyProtection: KeyProtection[];
+    isKeyRestricted?: boolean;
+    isFreshUserVerificationRequired?: boolean;
+    matcherProtection: MatcherProtection[];
+    cryptoStrength?: number;
+    attachmentHint?: AttachmentHint[];
+    tcDisplay: TransactionConfirmationDisplay[];
+    tcDisplayContentType?: string;
+    tcDisplayPNGCharacteristics?: DisplayPNGCharacteristicsDescriptor[];
+    attestationRootCertificates: string[];
+    ecdaaTrustAnchors?: EcdaaTrustAnchor[];
+    icon?: string;
+    supportedExtensions?: ExtensionDescriptor[];
+    authenticatorGetInfo?: AuthenticatorGetInfo;
+};
+/**
+ * Types declared in other specs
+ */
+/**
+ * USER_VERIFY
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#user-verification-methods
+ */
+export type UserVerify = 'presence_internal' | 'fingerprint_internal' | 'passcode_internal' | 'voiceprint_internal' | 'faceprint_internal' | 'location_internal' | 'eyeprint_internal' | 'pattern_internal' | 'handprint_internal' | 'passcode_external' | 'pattern_external' | 'none' | 'all';
+/**
+ * ALG_SIGN
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#authentication-algorithms
+ *
+ * Using this helpful TS pattern here so that we can strongly enforce the existence of COSE info
+ * mappings in `algSignToCOSEInfoMap` in verifyAttestationWithMetadata.ts
+ */
+export type AlgSign = typeof AlgSign[number];
+declare const AlgSign: readonly ["secp256r1_ecdsa_sha256_raw", "secp256r1_ecdsa_sha256_der", "rsassa_pss_sha256_raw", "rsassa_pss_sha256_der", "secp256k1_ecdsa_sha256_raw", "secp256k1_ecdsa_sha256_der", "rsassa_pss_sha384_raw", "rsassa_pkcsv15_sha256_raw", "rsassa_pkcsv15_sha384_raw", "rsassa_pkcsv15_sha512_raw", "rsassa_pkcsv15_sha1_raw", "secp384r1_ecdsa_sha384_raw", "secp512r1_ecdsa_sha256_raw", "ed25519_eddsa_sha512_raw"];
+/**
+ * ALG_KEY
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#public-key-representation-formats
+ */
+export type AlgKey = 'ecc_x962_raw' | 'ecc_x962_der' | 'rsa_2048_raw' | 'rsa_2048_der' | 'cose';
+/**
+ * ATTESTATION
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#authenticator-attestation-types
+ */
+export type Attestation = 'basic_full' | 'basic_surrogate' | 'ecdaa' | 'attca' | 'anonca' | 'none';
+/**
+ * KEY_PROTECTION
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#key-protection-types
+ */
+export type KeyProtection = 'software' | 'hardware' | 'tee' | 'secure_element' | 'remote_handle';
+/**
+ * MATCHER_PROTECTION
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#matcher-protection-types
+ */
+export type MatcherProtection = 'software' | 'tee' | 'on_chip';
+/**
+ * ATTACHMENT_HINT
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#authenticator-attachment-hints
+ */
+export type AttachmentHint = 'internal' | 'external' | 'wired' | 'wireless' | 'nfc' | 'bluetooth' | 'network' | 'ready' | 'wifi_direct';
+/**
+ * TRANSACTION_CONFIRMATION_DISPLAY
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#transaction-confirmation-display-types
+ */
+export type TransactionConfirmationDisplay = 'any' | 'privileged_software' | 'tee' | 'hardware' | 'remote';
+/**
+ * https://fidoalliance.org/specs/fido-uaf-v1.2-ps-20201020/fido-uaf-protocol-v1.2-ps-20201020.html#version-interface
+ */
+export type Version = {
+    major: number;
+    minor: number;
+};
+/**
+ * https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorGetInfoz
+ */
+export type AuthenticatorGetInfo = {
+    versions: ('FIDO_2_0' | 'U2F_V2')[];
+    extensions?: string[];
+    aaguid: string;
+    options?: {
+        plat?: boolean;
+        rk?: boolean;
+        clientPin?: boolean;
+        up?: boolean;
+        uv?: boolean;
+    };
+    maxMsgSize?: number;
+    pinProtocols?: number[];
+    algorithms?: {
+        type: 'public-key';
+        alg: number;
+    }[];
+};
+export {};

package/{dist → script}/metadata/mdsTypes.js

@@ -16,4 +16,3 @@ const AlgSign = [
     'secp512r1_ecdsa_sha256_raw',
     'ed25519_eddsa_sha512_raw',
 ];
-//# sourceMappingURL=mdsTypes.js.map

package/script/metadata/parseJWT.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Process a JWT into Javascript-friendly data structures
+ */
+export declare function parseJWT<T1, T2>(jwt: string): [T1, T2, string];

package/{dist → script}/metadata/parseJWT.js

@@ -1,17 +1,16 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.parseJWT = void 0;
-const iso_1 = require("../helpers/iso");
+const index_js_1 = require("../helpers/iso/index.js");
 /**
  * Process a JWT into Javascript-friendly data structures
  */
 function parseJWT(jwt) {
     const parts = jwt.split('.');
     return [
-        JSON.parse(iso_1.isoBase64URL.toString(parts[0])),
-        JSON.parse(iso_1.isoBase64URL.toString(parts[1])),
+        JSON.parse(index_js_1.isoBase64URL.toString(parts[0])),
+        JSON.parse(index_js_1.isoBase64URL.toString(parts[1])),
         parts[2],
     ];
 }
 exports.parseJWT = parseJWT;
-//# sourceMappingURL=parseJWT.js.map

package/script/metadata/verifyAttestationWithMetadata.d.ts

@@ -0,0 +1,29 @@
+import type { Base64URLString } from '../deps.js';
+import type { AlgSign, MetadataStatement } from './mdsTypes.js';
+import { COSEALG, COSECRV, COSEKTY } from '../helpers/cose.js';
+/**
+ * Match properties of the authenticator's attestation statement against expected values as
+ * registered with the FIDO Alliance Metadata Service
+ */
+export declare function verifyAttestationWithMetadata({ statement, credentialPublicKey, x5c, attestationStatementAlg, }: {
+    statement: MetadataStatement;
+    credentialPublicKey: Uint8Array;
+    x5c: Uint8Array[] | Base64URLString[];
+    attestationStatementAlg?: number;
+}): Promise<boolean>;
+type COSEInfo = {
+    kty: COSEKTY;
+    alg: COSEALG;
+    crv?: COSECRV;
+};
+/**
+ * Convert ALG_SIGN values to COSE info
+ *
+ * Values pulled from `ALG_KEY_COSE` definitions in the FIDO Registry of Predefined Values
+ *
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#authentication-algorithms
+ */
+export declare const algSignToCOSEInfoMap: {
+    [key in AlgSign]: COSEInfo;
+};
+export {};

package/{dist → script}/metadata/verifyAttestationWithMetadata.js

@@ -1,19 +1,19 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.algSignToCOSEInfoMap = exports.verifyAttestationWithMetadata = void 0;
-const convertCertBufferToPEM_1 = require("../helpers/convertCertBufferToPEM");
-const validateCertificatePath_1 = require("../helpers/validateCertificatePath");
-const decodeCredentialPublicKey_1 = require("../helpers/decodeCredentialPublicKey");
-const cose_1 = require("../helpers/cose");
+const convertCertBufferToPEM_js_1 = require("../helpers/convertCertBufferToPEM.js");
+const validateCertificatePath_js_1 = require("../helpers/validateCertificatePath.js");
+const decodeCredentialPublicKey_js_1 = require("../helpers/decodeCredentialPublicKey.js");
+const cose_js_1 = require("../helpers/cose.js");
 /**
  * Match properties of the authenticator's attestation statement against expected values as
  * registered with the FIDO Alliance Metadata Service
  */
 async function verifyAttestationWithMetadata({ statement, credentialPublicKey, x5c, attestationStatementAlg, }) {
-    const { authenticationAlgorithms, authenticatorGetInfo, attestationRootCertificates } = statement;
+    const { authenticationAlgorithms, authenticatorGetInfo, attestationRootCertificates, } = statement;
     // Make sure the alg in the attestation statement matches one of the ones specified in metadata
     const keypairCOSEAlgs = new Set();
-    authenticationAlgorithms.forEach(algSign => {
+    authenticationAlgorithms.forEach((algSign) => {
         // Map algSign string to { kty, alg, crv }
         const algSignCOSEINFO = exports.algSignToCOSEInfoMap[algSign];
         // Keeping this statement here just in case MDS returns something unexpected
@@ -22,9 +22,9 @@ async function verifyAttestationWithMetadata({ statement, credentialPublicKey, x
         }
     });
     // Extract the public key's COSE info for comparison
-    const decodedPublicKey = (0, decodeCredentialPublicKey_1.decodeCredentialPublicKey)(credentialPublicKey);
-    const kty = decodedPublicKey.get(cose_1.COSEKEYS.kty);
-    const alg = decodedPublicKey.get(cose_1.COSEKEYS.alg);
+    const decodedPublicKey = (0, decodeCredentialPublicKey_js_1.decodeCredentialPublicKey)(credentialPublicKey);
+    const kty = decodedPublicKey.get(cose_js_1.COSEKEYS.kty);
+    const alg = decodedPublicKey.get(cose_js_1.COSEKEYS.alg);
     if (!kty) {
         throw new Error('Credential public key was missing kty');
     }
@@ -36,8 +36,8 @@ async function verifyAttestationWithMetadata({ statement, credentialPublicKey, x
     }
     // Assume everything is a number because these values should be
     const publicKeyCOSEInfo = { kty, alg };
-    if ((0, cose_1.isCOSEPublicKeyEC2)(decodedPublicKey)) {
-        const crv = decodedPublicKey.get(cose_1.COSEKEYS.crv);
+    if ((0, cose_js_1.isCOSEPublicKeyEC2)(decodedPublicKey)) {
+        const crv = decodedPublicKey.get(cose_js_1.COSEKEYS.crv);
         publicKeyCOSEInfo.crv = crv;
     }
     /**
@@ -47,9 +47,10 @@ async function verifyAttestationWithMetadata({ statement, credentialPublicKey, x
     let foundMatch = false;
     for (const keypairAlg of keypairCOSEAlgs) {
         // Make sure algorithm and key type match
-        if (keypairAlg.alg === publicKeyCOSEInfo.alg && keypairAlg.kty === publicKeyCOSEInfo.kty) {
+        if (keypairAlg.alg === publicKeyCOSEInfo.alg &&
+            keypairAlg.kty === publicKeyCOSEInfo.kty) {
             // If not an RSA keypair then make sure curve numbers match too
-            if ((keypairAlg.kty === cose_1.COSEKTY.EC2 || keypairAlg.kty === cose_1.COSEKTY.OKP) &&
+            if ((keypairAlg.kty === cose_js_1.COSEKTY.EC2 || keypairAlg.kty === cose_js_1.COSEKTY.OKP) &&
                 keypairAlg.crv === publicKeyCOSEInfo.crv) {
                 foundMatch = true;
             }
@@ -76,7 +77,7 @@ async function verifyAttestationWithMetadata({ statement, credentialPublicKey, x
          * ]
          * ```
          */
-        const debugMDSAlgs = authenticationAlgorithms.map(algSign => `'${algSign}' (COSE info: ${stringifyCOSEInfo(exports.algSignToCOSEInfoMap[algSign])})`);
+        const debugMDSAlgs = authenticationAlgorithms.map((algSign) => `'${algSign}' (COSE info: ${stringifyCOSEInfo(exports.algSignToCOSEInfoMap[algSign])})`);
         const strMDSAlgs = JSON.stringify(debugMDSAlgs, null, 2).replace(/"/g, '');
         /**
          * Construct useful error output about the public key
@@ -87,27 +88,29 @@ async function verifyAttestationWithMetadata({ statement, credentialPublicKey, x
     /**
      * Confirm the attestation statement's algorithm is one supported according to metadata
      */
-    if (attestationStatementAlg !== undefined && (authenticatorGetInfo === null || authenticatorGetInfo === void 0 ? void 0 : authenticatorGetInfo.algorithms) !== undefined) {
-        const getInfoAlgs = authenticatorGetInfo.algorithms.map(_alg => _alg.alg);
+    if (attestationStatementAlg !== undefined &&
+        authenticatorGetInfo?.algorithms !== undefined) {
+        const getInfoAlgs = authenticatorGetInfo.algorithms.map((_alg) => _alg.alg);
         if (getInfoAlgs.indexOf(attestationStatementAlg) < 0) {
             throw new Error(`Attestation statement alg ${attestationStatementAlg} did not match one of ${getInfoAlgs}`);
         }
     }
     // Prepare to check the certificate chain
-    const authenticatorCerts = x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM);
-    const statementRootCerts = attestationRootCertificates.map(convertCertBufferToPEM_1.convertCertBufferToPEM);
+    const authenticatorCerts = x5c.map(convertCertBufferToPEM_js_1.convertCertBufferToPEM);
+    const statementRootCerts = attestationRootCertificates.map(convertCertBufferToPEM_js_1.convertCertBufferToPEM);
     /**
      * If an authenticator returns exactly one certificate in its x5c, and that cert is found in the
      * metadata statement then the authenticator is "self-referencing". In this case we forego
      * certificate chain validation.
      */
     let authenticatorIsSelfReferencing = false;
-    if (authenticatorCerts.length === 1 && statementRootCerts.indexOf(authenticatorCerts[0]) >= 0) {
+    if (authenticatorCerts.length === 1 &&
+        statementRootCerts.indexOf(authenticatorCerts[0]) >= 0) {
         authenticatorIsSelfReferencing = true;
     }
     if (!authenticatorIsSelfReferencing) {
         try {
-            await (0, validateCertificatePath_1.validateCertificatePath)(authenticatorCerts, statementRootCerts);
+            await (0, validateCertificatePath_js_1.validateCertificatePath)(authenticatorCerts, statementRootCerts);
         }
         catch (err) {
             const _err = err;
@@ -150,7 +153,7 @@ exports.algSignToCOSEInfoMap = {
 function stringifyCOSEInfo(info) {
     const { kty, alg, crv } = info;
     let toReturn = '';
-    if (kty !== cose_1.COSEKTY.RSA) {
+    if (kty !== cose_js_1.COSEKTY.RSA) {
         toReturn = `{ kty: ${kty}, alg: ${alg}, crv: ${crv} }`;
     }
     else {
@@ -158,4 +161,3 @@ function stringifyCOSEInfo(info) {
     }
     return toReturn;
 }
-//# sourceMappingURL=verifyAttestationWithMetadata.js.map

package/script/metadata/verifyJWT.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Lightweight verification for FIDO MDS JWTs. Supports use of EC2 and RSA.
+ *
+ * If this ever needs to support more JWS algorithms, here's the list of them:
+ *
+ * https://www.rfc-editor.org/rfc/rfc7518.html#section-3.1
+ *
+ * (Pulled from https://www.rfc-editor.org/rfc/rfc7515#section-4.1.1)
+ */
+export declare function verifyJWT(jwt: string, leafCert: Uint8Array): Promise<boolean>;

package/script/metadata/verifyJWT.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyJWT = void 0;
+const convertX509PublicKeyToCOSE_js_1 = require("../helpers/convertX509PublicKeyToCOSE.js");
+const index_js_1 = require("../helpers/iso/index.js");
+const cose_js_1 = require("../helpers/cose.js");
+const verifyEC2_js_1 = require("../helpers/iso/isoCrypto/verifyEC2.js");
+const verifyRSA_js_1 = require("../helpers/iso/isoCrypto/verifyRSA.js");
+/**
+ * Lightweight verification for FIDO MDS JWTs. Supports use of EC2 and RSA.
+ *
+ * If this ever needs to support more JWS algorithms, here's the list of them:
+ *
+ * https://www.rfc-editor.org/rfc/rfc7518.html#section-3.1
+ *
+ * (Pulled from https://www.rfc-editor.org/rfc/rfc7515#section-4.1.1)
+ */
+function verifyJWT(jwt, leafCert) {
+    const [header, payload, signature] = jwt.split('.');
+    const certCOSE = (0, convertX509PublicKeyToCOSE_js_1.convertX509PublicKeyToCOSE)(leafCert);
+    const data = index_js_1.isoUint8Array.fromUTF8String(`${header}.${payload}`);
+    const signatureBytes = index_js_1.isoBase64URL.toBuffer(signature);
+    if ((0, cose_js_1.isCOSEPublicKeyEC2)(certCOSE)) {
+        return (0, verifyEC2_js_1.verifyEC2)({
+            data,
+            signature: signatureBytes,
+            cosePublicKey: certCOSE,
+            shaHashOverride: cose_js_1.COSEALG.ES256,
+        });
+    }
+    else if ((0, cose_js_1.isCOSEPublicKeyRSA)(certCOSE)) {
+        return (0, verifyRSA_js_1.verifyRSA)({
+            data,
+            signature: signatureBytes,
+            cosePublicKey: certCOSE,
+        });
+    }
+    const kty = certCOSE.get(cose_js_1.COSEKEYS.kty);
+    throw new Error(`JWT verification with public key of kty ${kty} is not supported by this method`);
+}
+exports.verifyJWT = verifyJWT;

package/script/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "commonjs"
+}

package/script/registration/generateRegistrationOptions.d.ts

@@ -0,0 +1,43 @@
+import type { AttestationConveyancePreference, AuthenticationExtensionsClientInputs, AuthenticatorSelectionCriteria, COSEAlgorithmIdentifier, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialDescriptorFuture } from '../deps.js';
+export type GenerateRegistrationOptionsOpts = {
+    rpName: string;
+    rpID: string;
+    userID: string;
+    userName: string;
+    challenge?: string | Uint8Array;
+    userDisplayName?: string;
+    timeout?: number;
+    attestationType?: AttestationConveyancePreference;
+    excludeCredentials?: PublicKeyCredentialDescriptorFuture[];
+    authenticatorSelection?: AuthenticatorSelectionCriteria;
+    extensions?: AuthenticationExtensionsClientInputs;
+    supportedAlgorithmIDs?: COSEAlgorithmIdentifier[];
+};
+/**
+ * Supported crypto algo identifiers
+ * See https://w3c.github.io/webauthn/#sctn-alg-identifier
+ * and https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+ */
+export declare const supportedCOSEAlgorithmIdentifiers: COSEAlgorithmIdentifier[];
+/**
+ * Prepare a value to pass into navigator.credentials.create(...) for authenticator "registration"
+ *
+ * **Options:**
+ *
+ * @param rpName User-visible, "friendly" website/service name
+ * @param rpID Valid domain name (after `https://`)
+ * @param userID User's website-specific unique ID
+ * @param userName User's website-specific username (email, etc...)
+ * @param challenge Random value the authenticator needs to sign and pass back
+ * @param userDisplayName User's actual name
+ * @param timeout How long (in ms) the user can take to complete attestation
+ * @param attestationType Specific attestation statement
+ * @param excludeCredentials Authenticators registered by the user so the user can't register the
+ * same credential multiple times
+ * @param authenticatorSelection Advanced criteria for restricting the types of authenticators that
+ * may be used
+ * @param extensions Additional plugins the authenticator or browser should use during attestation
+ * @param supportedAlgorithmIDs Array of numeric COSE algorithm identifiers supported for
+ * attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+ */
+export declare function generateRegistrationOptions(options: GenerateRegistrationOptionsOpts): Promise<PublicKeyCredentialCreationOptionsJSON>;

package/{dist → script}/registration/generateRegistrationOptions.js

@@ -1,8 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.generateRegistrationOptions = exports.supportedCOSEAlgorithmIdentifiers = void 0;
-const generateChallenge_1 = require("../helpers/generateChallenge");
-const iso_1 = require("../helpers/iso");
+const generateChallenge_js_1 = require("../helpers/generateChallenge.js");
+const index_js_1 = require("../helpers/iso/index.js");
 /**
  * Supported crypto algo identifiers
  * See https://w3c.github.io/webauthn/#sctn-alg-identifier
@@ -69,12 +69,12 @@ const defaultSupportedAlgorithmIDs = [-8, -7, -257];
  * @param supportedAlgorithmIDs Array of numeric COSE algorithm identifiers supported for
  * attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
  */
-function generateRegistrationOptions(options) {
-    const { rpName, rpID, userID, userName, challenge = (0, generateChallenge_1.generateChallenge)(), userDisplayName = userName, timeout = 60000, attestationType = 'none', excludeCredentials = [], authenticatorSelection = defaultAuthenticatorSelection, extensions, supportedAlgorithmIDs = defaultSupportedAlgorithmIDs, } = options;
+async function generateRegistrationOptions(options) {
+    const { rpName, rpID, userID, userName, challenge = await (0, generateChallenge_js_1.generateChallenge)(), userDisplayName = userName, timeout = 60000, attestationType = 'none', excludeCredentials = [], authenticatorSelection = defaultAuthenticatorSelection, extensions, supportedAlgorithmIDs = defaultSupportedAlgorithmIDs, } = options;
     /**
      * Prepare pubKeyCredParams from the array of algorithm ID's
      */
-    const pubKeyCredParams = supportedAlgorithmIDs.map(id => ({
+    const pubKeyCredParams = supportedAlgorithmIDs.map((id) => ({
         alg: id,
         type: 'public-key',
     }));
@@ -116,10 +116,10 @@ function generateRegistrationOptions(options) {
      */
     let _challenge = challenge;
     if (typeof _challenge === 'string') {
-        _challenge = iso_1.isoUint8Array.fromASCIIString(_challenge);
+        _challenge = index_js_1.isoUint8Array.fromASCIIString(_challenge);
     }
     return {
-        challenge: iso_1.isoBase64URL.fromBuffer(_challenge),
+        challenge: index_js_1.isoBase64URL.fromBuffer(_challenge),
         rp: {
             name: rpName,
             id: rpID,
@@ -132,9 +132,9 @@ function generateRegistrationOptions(options) {
         pubKeyCredParams,
         timeout,
         attestation: attestationType,
-        excludeCredentials: excludeCredentials.map(cred => ({
+        excludeCredentials: excludeCredentials.map((cred) => ({
             ...cred,
-            id: iso_1.isoBase64URL.fromBuffer(cred.id),
+            id: index_js_1.isoBase64URL.fromBuffer(cred.id),
         })),
         authenticatorSelection,
         extensions: {
@@ -144,4 +144,3 @@ function generateRegistrationOptions(options) {
     };
 }
 exports.generateRegistrationOptions = generateRegistrationOptions;
-//# sourceMappingURL=generateRegistrationOptions.js.map

package/script/registration/verifications/tpm/constants.d.ts

@@ -0,0 +1,47 @@
+/**
+ * A whole lotta domain knowledge is captured here, with hazy connections to source
+ * documents. Good places to start searching for more info on these values are the
+ * following Trusted Computing Group TPM Library docs linked in the WebAuthn API:
+ *
+ * - https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf
+ * - https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
+ * - https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf
+ */
+/**
+ * 6.9 TPM_ST (Structure Tags)
+ */
+export declare const TPM_ST: {
+    [key: number]: string;
+};
+/**
+ * 6.3 TPM_ALG_ID
+ */
+export declare const TPM_ALG: {
+    [key: number]: string;
+};
+/**
+ * 6.4 TPM_ECC_CURVE
+ */
+export declare const TPM_ECC_CURVE: {
+    [key: number]: string;
+};
+type ManufacturerInfo = {
+    name: string;
+    id: string;
+};
+/**
+ * Sourced from https://trustedcomputinggroup.org/resource/vendor-id-registry/
+ *
+ * Latest version:
+ * https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-Vendor-ID-Registry-Version-1.02-Revision-1.00.pdf
+ */
+export declare const TPM_MANUFACTURERS: {
+    [key: string]: ManufacturerInfo;
+};
+/**
+ * Match TPM public area curve ID's to `crv` numbers used in COSE public keys
+ */
+export declare const TPM_ECC_CURVE_COSE_CRV_MAP: {
+    [key: string]: number;
+};
+export {};

package/{dist → script}/registration/verifications/tpm/constants.js

@@ -1,5 +1,5 @@
 "use strict";
-/* eslint-disable @typescript-eslint/ban-ts-comment */
+// deno-lint-ignore-file no-dupe-keys
 /**
  * A whole lotta domain knowledge is captured here, with hazy connections to source
  * documents. Good places to start searching for more info on these values are the
@@ -183,4 +183,3 @@ exports.TPM_ECC_CURVE_COSE_CRV_MAP = {
     TPM_ECC_BN_P256: 1,
     TPM_ECC_SM2_P256: 1, // p256
 };
-//# sourceMappingURL=constants.js.map

package/script/registration/verifications/tpm/parseCertInfo.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Cut up a TPM attestation's certInfo into intelligible chunks
+ */
+export declare function parseCertInfo(certInfo: Uint8Array): ParsedCertInfo;
+type ParsedCertInfo = {
+    magic: number;
+    type: string;
+    qualifiedSigner: Uint8Array;
+    extraData: Uint8Array;
+    clockInfo: {
+        clock: Uint8Array;
+        resetCount: number;
+        restartCount: number;
+        safe: boolean;
+    };
+    firmwareVersion: Uint8Array;
+    attested: {
+        nameAlg: string;
+        nameAlgBuffer: Uint8Array;
+        name: Uint8Array;
+        qualifiedName: Uint8Array;
+    };
+};
+export {};