@simplewebauthn/server 7.4.0 → 8.0.0-alpha.0

package/{dist → script}/registration/verifications/verifyAttestationAndroidSafetyNet.js

@@ -1,14 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.verifyAttestationAndroidSafetyNet = void 0;
-const toHash_1 = require("../../helpers/toHash");
-const verifySignature_1 = require("../../helpers/verifySignature");
-const getCertificateInfo_1 = require("../../helpers/getCertificateInfo");
-const validateCertificatePath_1 = require("../../helpers/validateCertificatePath");
-const convertCertBufferToPEM_1 = require("../../helpers/convertCertBufferToPEM");
-const iso_1 = require("../../helpers/iso");
-const metadataService_1 = require("../../services/metadataService");
-const verifyAttestationWithMetadata_1 = require("../../metadata/verifyAttestationWithMetadata");
+const toHash_js_1 = require("../../helpers/toHash.js");
+const verifySignature_js_1 = require("../../helpers/verifySignature.js");
+const getCertificateInfo_js_1 = require("../../helpers/getCertificateInfo.js");
+const validateCertificatePath_js_1 = require("../../helpers/validateCertificatePath.js");
+const convertCertBufferToPEM_js_1 = require("../../helpers/convertCertBufferToPEM.js");
+const index_js_1 = require("../../helpers/iso/index.js");
+const metadataService_js_1 = require("../../services/metadataService.js");
+const verifyAttestationWithMetadata_js_1 = require("../../metadata/verifyAttestationWithMetadata.js");
 /**
  * Verify an attestation response with fmt 'android-safetynet'
  */
@@ -24,10 +24,10 @@ async function verifyAttestationAndroidSafetyNet(options) {
         throw new Error('No response was included in attStmt by authenticator (SafetyNet)');
     }
     // Prepare to verify a JWT
-    const jwt = iso_1.isoUint8Array.toUTF8String(response);
+    const jwt = index_js_1.isoUint8Array.toUTF8String(response);
     const jwtParts = jwt.split('.');
-    const HEADER = JSON.parse(iso_1.isoBase64URL.toString(jwtParts[0]));
-    const PAYLOAD = JSON.parse(iso_1.isoBase64URL.toString(jwtParts[1]));
+    const HEADER = JSON.parse(index_js_1.isoBase64URL.toString(jwtParts[0]));
+    const PAYLOAD = JSON.parse(index_js_1.isoBase64URL.toString(jwtParts[1]));
     const SIGNATURE = jwtParts[2];
     /**
      * START Verify PAYLOAD
@@ -46,9 +46,9 @@ async function verifyAttestationAndroidSafetyNet(options) {
             throw new Error(`Payload timestamp "${timestampPlusDelay}" has expired (SafetyNet)`);
         }
     }
-    const nonceBase = iso_1.isoUint8Array.concat([authData, clientDataHash]);
-    const nonceBuffer = await (0, toHash_1.toHash)(nonceBase);
-    const expectedNonce = iso_1.isoBase64URL.fromBuffer(nonceBuffer, 'base64');
+    const nonceBase = index_js_1.isoUint8Array.concat([authData, clientDataHash]);
+    const nonceBuffer = await (0, toHash_js_1.toHash)(nonceBase);
+    const expectedNonce = index_js_1.isoBase64URL.fromBuffer(nonceBuffer, 'base64');
     if (nonce !== expectedNonce) {
         throw new Error('Could not verify payload nonce (SafetyNet)');
     }
@@ -62,18 +62,18 @@ async function verifyAttestationAndroidSafetyNet(options) {
      * START Verify Header
      */
     // `HEADER.x5c[0]` is definitely a base64 string
-    const leafCertBuffer = iso_1.isoBase64URL.toBuffer(HEADER.x5c[0], 'base64');
-    const leafCertInfo = (0, getCertificateInfo_1.getCertificateInfo)(leafCertBuffer);
+    const leafCertBuffer = index_js_1.isoBase64URL.toBuffer(HEADER.x5c[0], 'base64');
+    const leafCertInfo = (0, getCertificateInfo_js_1.getCertificateInfo)(leafCertBuffer);
     const { subject } = leafCertInfo;
     // Ensure the certificate was issued to this hostname
     // See https://developer.android.com/training/safetynet/attestation#verify-attestation-response
     if (subject.CN !== 'attest.android.com') {
         throw new Error('Certificate common name was not "attest.android.com" (SafetyNet)');
     }
-    const statement = await metadataService_1.MetadataService.getStatement(aaguid);
+    const statement = await metadataService_js_1.MetadataService.getStatement(aaguid);
     if (statement) {
         try {
-            await (0, verifyAttestationWithMetadata_1.verifyAttestationWithMetadata)({
+            await (0, verifyAttestationWithMetadata_js_1.verifyAttestationWithMetadata)({
                 statement,
                 credentialPublicKey,
                 x5c: HEADER.x5c,
@@ -88,7 +88,7 @@ async function verifyAttestationAndroidSafetyNet(options) {
     else {
         try {
             // Try validating the certificate path using the root certificates set via SettingsService
-            await (0, validateCertificatePath_1.validateCertificatePath)(HEADER.x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM), rootCertificates);
+            await (0, validateCertificatePath_js_1.validateCertificatePath)(HEADER.x5c.map(convertCertBufferToPEM_js_1.convertCertBufferToPEM), rootCertificates);
         }
         catch (err) {
             const _err = err;
@@ -101,9 +101,9 @@ async function verifyAttestationAndroidSafetyNet(options) {
     /**
      * START Verify Signature
      */
-    const signatureBaseBuffer = iso_1.isoUint8Array.fromUTF8String(`${jwtParts[0]}.${jwtParts[1]}`);
-    const signatureBuffer = iso_1.isoBase64URL.toBuffer(SIGNATURE);
-    const verified = await (0, verifySignature_1.verifySignature)({
+    const signatureBaseBuffer = index_js_1.isoUint8Array.fromUTF8String(`${jwtParts[0]}.${jwtParts[1]}`);
+    const signatureBuffer = index_js_1.isoBase64URL.toBuffer(SIGNATURE);
+    const verified = await (0, verifySignature_js_1.verifySignature)({
         signature: signatureBuffer,
         data: signatureBaseBuffer,
         x509Certificate: leafCertBuffer,
@@ -114,4 +114,3 @@ async function verifyAttestationAndroidSafetyNet(options) {
     return verified;
 }
 exports.verifyAttestationAndroidSafetyNet = verifyAttestationAndroidSafetyNet;
-//# sourceMappingURL=verifyAttestationAndroidSafetyNet.js.map

package/script/registration/verifications/verifyAttestationApple.d.ts

@@ -0,0 +1,2 @@
+import type { AttestationFormatVerifierOpts } from '../verifyRegistrationResponse.js';
+export declare function verifyAttestationApple(options: AttestationFormatVerifierOpts): Promise<boolean>;

package/{dist → script}/registration/verifications/verifyAttestationApple.js

@@ -1,15 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.verifyAttestationApple = void 0;
-const asn1_schema_1 = require("@peculiar/asn1-schema");
-const asn1_x509_1 = require("@peculiar/asn1-x509");
-const validateCertificatePath_1 = require("../../helpers/validateCertificatePath");
-const convertCertBufferToPEM_1 = require("../../helpers/convertCertBufferToPEM");
-const toHash_1 = require("../../helpers/toHash");
-const convertCOSEtoPKCS_1 = require("../../helpers/convertCOSEtoPKCS");
-const iso_1 = require("../../helpers/iso");
+const deps_js_1 = require("../../deps.js");
+const validateCertificatePath_js_1 = require("../../helpers/validateCertificatePath.js");
+const convertCertBufferToPEM_js_1 = require("../../helpers/convertCertBufferToPEM.js");
+const toHash_js_1 = require("../../helpers/toHash.js");
+const convertCOSEtoPKCS_js_1 = require("../../helpers/convertCOSEtoPKCS.js");
+const index_js_1 = require("../../helpers/iso/index.js");
 async function verifyAttestationApple(options) {
-    const { attStmt, authData, clientDataHash, credentialPublicKey, rootCertificates } = options;
+    const { attStmt, authData, clientDataHash, credentialPublicKey, rootCertificates, } = options;
     const x5c = attStmt.get('x5c');
     if (!x5c) {
         throw new Error('No attestation certificate provided in attestation statement (Apple)');
@@ -18,7 +17,7 @@ async function verifyAttestationApple(options) {
      * Verify certificate path
      */
     try {
-        await (0, validateCertificatePath_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM), rootCertificates);
+        await (0, validateCertificatePath_js_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_js_1.convertCertBufferToPEM), rootCertificates);
     }
     catch (err) {
         const _err = err;
@@ -27,17 +26,17 @@ async function verifyAttestationApple(options) {
     /**
      * Compare nonce in certificate extension to computed nonce
      */
-    const parsedCredCert = asn1_schema_1.AsnParser.parse(x5c[0], asn1_x509_1.Certificate);
+    const parsedCredCert = deps_js_1.AsnParser.parse(x5c[0], deps_js_1.Certificate);
     const { extensions, subjectPublicKeyInfo } = parsedCredCert.tbsCertificate;
     if (!extensions) {
         throw new Error('credCert missing extensions (Apple)');
     }
-    const extCertNonce = extensions.find(ext => ext.extnID === '1.2.840.113635.100.8.2');
+    const extCertNonce = extensions.find((ext) => ext.extnID === '1.2.840.113635.100.8.2');
     if (!extCertNonce) {
         throw new Error('credCert missing "1.2.840.113635.100.8.2" extension (Apple)');
     }
-    const nonceToHash = iso_1.isoUint8Array.concat([authData, clientDataHash]);
-    const nonce = await (0, toHash_1.toHash)(nonceToHash);
+    const nonceToHash = index_js_1.isoUint8Array.concat([authData, clientDataHash]);
+    const nonce = await (0, toHash_js_1.toHash)(nonceToHash);
     /**
      * Ignore the first six ASN.1 structure bytes that define the nonce as an OCTET STRING. Should
      * trim off <Buffer 30 24 a1 22 04 20>
@@ -46,18 +45,17 @@ async function verifyAttestationApple(options) {
      * find out where it's defined (doesn't seem to be publicly documented at the moment...)
      */
     const extNonce = new Uint8Array(extCertNonce.extnValue.buffer).slice(6);
-    if (!iso_1.isoUint8Array.areEqual(nonce, extNonce)) {
+    if (!index_js_1.isoUint8Array.areEqual(nonce, extNonce)) {
         throw new Error(`credCert nonce was not expected value (Apple)`);
     }
     /**
      * Verify credential public key matches the Subject Public Key of credCert
      */
-    const credPubKeyPKCS = (0, convertCOSEtoPKCS_1.convertCOSEtoPKCS)(credentialPublicKey);
+    const credPubKeyPKCS = (0, convertCOSEtoPKCS_js_1.convertCOSEtoPKCS)(credentialPublicKey);
     const credCertSubjectPublicKey = new Uint8Array(subjectPublicKeyInfo.subjectPublicKey);
-    if (!iso_1.isoUint8Array.areEqual(credPubKeyPKCS, credCertSubjectPublicKey)) {
+    if (!index_js_1.isoUint8Array.areEqual(credPubKeyPKCS, credCertSubjectPublicKey)) {
         throw new Error('Credential public key does not equal credCert public key (Apple)');
     }
     return true;
 }
 exports.verifyAttestationApple = verifyAttestationApple;
-//# sourceMappingURL=verifyAttestationApple.js.map

package/script/registration/verifications/verifyAttestationFIDOU2F.d.ts

@@ -0,0 +1,5 @@
+import type { AttestationFormatVerifierOpts } from '../verifyRegistrationResponse.js';
+/**
+ * Verify an attestation response with fmt 'fido-u2f'
+ */
+export declare function verifyAttestationFIDOU2F(options: AttestationFormatVerifierOpts): Promise<boolean>;

package/{dist → script}/registration/verifications/verifyAttestationFIDOU2F.js

@@ -1,20 +1,20 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.verifyAttestationFIDOU2F = void 0;
-const convertCOSEtoPKCS_1 = require("../../helpers/convertCOSEtoPKCS");
-const convertCertBufferToPEM_1 = require("../../helpers/convertCertBufferToPEM");
-const validateCertificatePath_1 = require("../../helpers/validateCertificatePath");
-const verifySignature_1 = require("../../helpers/verifySignature");
-const iso_1 = require("../../helpers/iso");
-const cose_1 = require("../../helpers/cose");
+const convertCOSEtoPKCS_js_1 = require("../../helpers/convertCOSEtoPKCS.js");
+const convertCertBufferToPEM_js_1 = require("../../helpers/convertCertBufferToPEM.js");
+const validateCertificatePath_js_1 = require("../../helpers/validateCertificatePath.js");
+const verifySignature_js_1 = require("../../helpers/verifySignature.js");
+const index_js_1 = require("../../helpers/iso/index.js");
+const cose_js_1 = require("../../helpers/cose.js");
 /**
  * Verify an attestation response with fmt 'fido-u2f'
  */
 async function verifyAttestationFIDOU2F(options) {
     const { attStmt, clientDataHash, rpIdHash, credentialID, credentialPublicKey, aaguid, rootCertificates, } = options;
     const reservedByte = Uint8Array.from([0x00]);
-    const publicKey = (0, convertCOSEtoPKCS_1.convertCOSEtoPKCS)(credentialPublicKey);
-    const signatureBase = iso_1.isoUint8Array.concat([
+    const publicKey = (0, convertCOSEtoPKCS_js_1.convertCOSEtoPKCS)(credentialPublicKey);
+    const signatureBase = index_js_1.isoUint8Array.concat([
         reservedByte,
         rpIdHash,
         clientDataHash,
@@ -30,24 +30,23 @@ async function verifyAttestationFIDOU2F(options) {
         throw new Error('No attestation signature provided in attestation statement (FIDOU2F)');
     }
     // FIDO spec says that aaguid _must_ equal 0x00 here to be legit
-    const aaguidToHex = Number.parseInt(iso_1.isoUint8Array.toHex(aaguid), 16);
+    const aaguidToHex = Number.parseInt(index_js_1.isoUint8Array.toHex(aaguid), 16);
     if (aaguidToHex !== 0x00) {
         throw new Error(`AAGUID "${aaguidToHex}" was not expected value`);
     }
     try {
         // Try validating the certificate path using the root certificates set via SettingsService
-        await (0, validateCertificatePath_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM), rootCertificates);
+        await (0, validateCertificatePath_js_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_js_1.convertCertBufferToPEM), rootCertificates);
     }
     catch (err) {
         const _err = err;
         throw new Error(`${_err.message} (FIDOU2F)`);
     }
-    return (0, verifySignature_1.verifySignature)({
+    return (0, verifySignature_js_1.verifySignature)({
         signature: sig,
         data: signatureBase,
         x509Certificate: x5c[0],
-        hashAlgorithm: cose_1.COSEALG.ES256,
+        hashAlgorithm: cose_js_1.COSEALG.ES256,
     });
 }
 exports.verifyAttestationFIDOU2F = verifyAttestationFIDOU2F;
-//# sourceMappingURL=verifyAttestationFIDOU2F.js.map

package/script/registration/verifications/verifyAttestationPacked.d.ts

@@ -0,0 +1,5 @@
+import type { AttestationFormatVerifierOpts } from '../verifyRegistrationResponse.js';
+/**
+ * Verify an attestation response with fmt 'packed'
+ */
+export declare function verifyAttestationPacked(options: AttestationFormatVerifierOpts): Promise<boolean>;

package/{dist → script}/registration/verifications/verifyAttestationPacked.js

@@ -1,19 +1,19 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.verifyAttestationPacked = void 0;
-const cose_1 = require("../../helpers/cose");
-const convertCertBufferToPEM_1 = require("../../helpers/convertCertBufferToPEM");
-const validateCertificatePath_1 = require("../../helpers/validateCertificatePath");
-const getCertificateInfo_1 = require("../../helpers/getCertificateInfo");
-const verifySignature_1 = require("../../helpers/verifySignature");
-const iso_1 = require("../../helpers/iso");
-const metadataService_1 = require("../../services/metadataService");
-const verifyAttestationWithMetadata_1 = require("../../metadata/verifyAttestationWithMetadata");
+const cose_js_1 = require("../../helpers/cose.js");
+const convertCertBufferToPEM_js_1 = require("../../helpers/convertCertBufferToPEM.js");
+const validateCertificatePath_js_1 = require("../../helpers/validateCertificatePath.js");
+const getCertificateInfo_js_1 = require("../../helpers/getCertificateInfo.js");
+const verifySignature_js_1 = require("../../helpers/verifySignature.js");
+const index_js_1 = require("../../helpers/iso/index.js");
+const metadataService_js_1 = require("../../services/metadataService.js");
+const verifyAttestationWithMetadata_js_1 = require("../../metadata/verifyAttestationWithMetadata.js");
 /**
  * Verify an attestation response with fmt 'packed'
  */
 async function verifyAttestationPacked(options) {
-    const { attStmt, clientDataHash, authData, credentialPublicKey, aaguid, rootCertificates } = options;
+    const { attStmt, clientDataHash, authData, credentialPublicKey, aaguid, rootCertificates, } = options;
     const sig = attStmt.get('sig');
     const x5c = attStmt.get('x5c');
     const alg = attStmt.get('alg');
@@ -23,13 +23,13 @@ async function verifyAttestationPacked(options) {
     if (!alg) {
         throw new Error('Attestation statement did not contain alg (Packed)');
     }
-    if (!(0, cose_1.isCOSEAlg)(alg)) {
+    if (!(0, cose_js_1.isCOSEAlg)(alg)) {
         throw new Error(`Attestation statement contained invalid alg ${alg} (Packed)`);
     }
-    const signatureBase = iso_1.isoUint8Array.concat([authData, clientDataHash]);
+    const signatureBase = index_js_1.isoUint8Array.concat([authData, clientDataHash]);
     let verified = false;
     if (x5c) {
-        const { subject, basicConstraintsCA, version, notBefore, notAfter } = (0, getCertificateInfo_1.getCertificateInfo)(x5c[0]);
+        const { subject, basicConstraintsCA, version, notBefore, notAfter } = (0, getCertificateInfo_js_1.getCertificateInfo)(x5c[0]);
         const { OU, CN, O, C } = subject;
         if (OU !== 'Authenticator Attestation') {
             throw new Error('Certificate OU was not "Authenticator Attestation" (Packed|Full)');
@@ -60,7 +60,7 @@ async function verifyAttestationPacked(options) {
         // TODO: If certificate contains id-fido-gen-ce-aaguid(1.3.6.1.4.1.45724.1.1.4) extension, check
         // that it’s value is set to the same AAGUID as in authData.
         // If available, validate attestation alg and x5c with info in the metadata statement
-        const statement = await metadataService_1.MetadataService.getStatement(aaguid);
+        const statement = await metadataService_js_1.MetadataService.getStatement(aaguid);
         if (statement) {
             // The presence of x5c means this is a full attestation. Check to see if attestationTypes
             // includes packed attestations.
@@ -68,7 +68,7 @@ async function verifyAttestationPacked(options) {
                 throw new Error('Metadata does not indicate support for full attestations (Packed|Full)');
             }
             try {
-                await (0, verifyAttestationWithMetadata_1.verifyAttestationWithMetadata)({
+                await (0, verifyAttestationWithMetadata_js_1.verifyAttestationWithMetadata)({
                     statement,
                     credentialPublicKey,
                     x5c,
@@ -83,21 +83,21 @@ async function verifyAttestationPacked(options) {
         else {
             try {
                 // Try validating the certificate path using the root certificates set via SettingsService
-                await (0, validateCertificatePath_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM), rootCertificates);
+                await (0, validateCertificatePath_js_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_js_1.convertCertBufferToPEM), rootCertificates);
             }
             catch (err) {
                 const _err = err;
                 throw new Error(`${_err.message} (Packed|Full)`);
             }
         }
-        verified = await (0, verifySignature_1.verifySignature)({
+        verified = await (0, verifySignature_js_1.verifySignature)({
             signature: sig,
             data: signatureBase,
             x509Certificate: x5c[0],
         });
     }
     else {
-        verified = await (0, verifySignature_1.verifySignature)({
+        verified = await (0, verifySignature_js_1.verifySignature)({
             signature: sig,
             data: signatureBase,
             credentialPublicKey,
@@ -107,4 +107,3 @@ async function verifyAttestationPacked(options) {
     return verified;
 }
 exports.verifyAttestationPacked = verifyAttestationPacked;
-//# sourceMappingURL=verifyAttestationPacked.js.map

package/script/registration/verifyRegistrationResponse.d.ts

@@ -0,0 +1,85 @@
+import type { COSEAlgorithmIdentifier, CredentialDeviceType, RegistrationResponseJSON } from '../deps.js';
+import { AttestationFormat, AttestationStatement } from '../helpers/decodeAttestationObject.js';
+import { AuthenticationExtensionsAuthenticatorOutputs } from '../helpers/decodeAuthenticatorExtensions.js';
+export type VerifyRegistrationResponseOpts = {
+    response: RegistrationResponseJSON;
+    expectedChallenge: string | ((challenge: string) => boolean);
+    expectedOrigin: string | string[];
+    expectedRPID?: string | string[];
+    requireUserVerification?: boolean;
+    supportedAlgorithmIDs?: COSEAlgorithmIdentifier[];
+};
+/**
+ * Verify that the user has legitimately completed the registration process
+ *
+ * **Options:**
+ *
+ * @param response Response returned by **@simplewebauthn/browser**'s `startAuthentication()`
+ * @param expectedChallenge The base64url-encoded `options.challenge` returned by
+ * `generateRegistrationOptions()`
+ * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
+ * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
+ * @param requireUserVerification (Optional) Enforce user verification by the authenticator
+ * (via PIN, fingerprint, etc...)
+ * @param supportedAlgorithmIDs Array of numeric COSE algorithm identifiers supported for
+ * attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+ */
+export declare function verifyRegistrationResponse(options: VerifyRegistrationResponseOpts): Promise<VerifiedRegistrationResponse>;
+/**
+ * Result of registration verification
+ *
+ * @param verified If the assertion response could be verified
+ * @param registrationInfo.fmt Type of attestation
+ * @param registrationInfo.counter The number of times the authenticator reported it has been used.
+ * **Should be kept in a DB for later reference to help prevent replay attacks!**
+ * @param registrationInfo.aaguid Authenticator's Attestation GUID indicating the type of the
+ * authenticator
+ * @param registrationInfo.credentialPublicKey The credential's public key
+ * @param registrationInfo.credentialID The credential's credential ID for the public key above
+ * @param registrationInfo.credentialType The type of the credential returned by the browser
+ * @param registrationInfo.userVerified Whether the user was uniquely identified during attestation
+ * @param registrationInfo.attestationObject The raw `response.attestationObject` Buffer returned by
+ * the authenticator
+ * @param registrationInfo.credentialDeviceType Whether this is a single-device or multi-device
+ * credential. **Should be kept in a DB for later reference!**
+ * @param registrationInfo.credentialBackedUp Whether or not the multi-device credential has been
+ * backed up. Always `false` for single-device credentials. **Should be kept in a DB for later
+ * reference!**
+ * @param registrationInfo.origin The origin of the website that the registration occurred on
+ * @param registrationInfo?.rpID The RP ID that the registration occurred on, if one or more were
+ * specified in the registration options
+ * @param registrationInfo?.authenticatorExtensionResults The authenticator extensions returned
+ * by the browser
+ */
+export type VerifiedRegistrationResponse = {
+    verified: boolean;
+    registrationInfo?: {
+        fmt: AttestationFormat;
+        counter: number;
+        aaguid: string;
+        credentialID: Uint8Array;
+        credentialPublicKey: Uint8Array;
+        credentialType: 'public-key';
+        attestationObject: Uint8Array;
+        userVerified: boolean;
+        credentialDeviceType: CredentialDeviceType;
+        credentialBackedUp: boolean;
+        origin: string;
+        rpID?: string;
+        authenticatorExtensionResults?: AuthenticationExtensionsAuthenticatorOutputs;
+    };
+};
+/**
+ * Values passed to all attestation format verifiers, from which they are free to use as they please
+ */
+export type AttestationFormatVerifierOpts = {
+    aaguid: Uint8Array;
+    attStmt: AttestationStatement;
+    authData: Uint8Array;
+    clientDataHash: Uint8Array;
+    credentialID: Uint8Array;
+    credentialPublicKey: Uint8Array;
+    rootCertificates: string[];
+    rpIdHash: Uint8Array;
+    verifyTimestampMS?: boolean;
+};

package/{dist → script}/registration/verifyRegistrationResponse.js

@@ -1,24 +1,24 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.verifyRegistrationResponse = void 0;
-const decodeAttestationObject_1 = require("../helpers/decodeAttestationObject");
-const decodeClientDataJSON_1 = require("../helpers/decodeClientDataJSON");
-const parseAuthenticatorData_1 = require("../helpers/parseAuthenticatorData");
-const toHash_1 = require("../helpers/toHash");
-const decodeCredentialPublicKey_1 = require("../helpers/decodeCredentialPublicKey");
-const cose_1 = require("../helpers/cose");
-const convertAAGUIDToString_1 = require("../helpers/convertAAGUIDToString");
-const parseBackupFlags_1 = require("../helpers/parseBackupFlags");
-const matchExpectedRPID_1 = require("../helpers/matchExpectedRPID");
-const iso_1 = require("../helpers/iso");
-const settingsService_1 = require("../services/settingsService");
-const generateRegistrationOptions_1 = require("./generateRegistrationOptions");
-const verifyAttestationFIDOU2F_1 = require("./verifications/verifyAttestationFIDOU2F");
-const verifyAttestationPacked_1 = require("./verifications/verifyAttestationPacked");
-const verifyAttestationAndroidSafetyNet_1 = require("./verifications/verifyAttestationAndroidSafetyNet");
-const verifyAttestationTPM_1 = require("./verifications/tpm/verifyAttestationTPM");
-const verifyAttestationAndroidKey_1 = require("./verifications/verifyAttestationAndroidKey");
-const verifyAttestationApple_1 = require("./verifications/verifyAttestationApple");
+const decodeAttestationObject_js_1 = require("../helpers/decodeAttestationObject.js");
+const decodeClientDataJSON_js_1 = require("../helpers/decodeClientDataJSON.js");
+const parseAuthenticatorData_js_1 = require("../helpers/parseAuthenticatorData.js");
+const toHash_js_1 = require("../helpers/toHash.js");
+const decodeCredentialPublicKey_js_1 = require("../helpers/decodeCredentialPublicKey.js");
+const cose_js_1 = require("../helpers/cose.js");
+const convertAAGUIDToString_js_1 = require("../helpers/convertAAGUIDToString.js");
+const parseBackupFlags_js_1 = require("../helpers/parseBackupFlags.js");
+const matchExpectedRPID_js_1 = require("../helpers/matchExpectedRPID.js");
+const index_js_1 = require("../helpers/iso/index.js");
+const settingsService_js_1 = require("../services/settingsService.js");
+const generateRegistrationOptions_js_1 = require("./generateRegistrationOptions.js");
+const verifyAttestationFIDOU2F_js_1 = require("./verifications/verifyAttestationFIDOU2F.js");
+const verifyAttestationPacked_js_1 = require("./verifications/verifyAttestationPacked.js");
+const verifyAttestationAndroidSafetyNet_js_1 = require("./verifications/verifyAttestationAndroidSafetyNet.js");
+const verifyAttestationTPM_js_1 = require("./verifications/tpm/verifyAttestationTPM.js");
+const verifyAttestationAndroidKey_js_1 = require("./verifications/verifyAttestationAndroidKey.js");
+const verifyAttestationApple_js_1 = require("./verifications/verifyAttestationApple.js");
 /**
  * Verify that the user has legitimately completed the registration process
  *
@@ -35,7 +35,7 @@ const verifyAttestationApple_1 = require("./verifications/verifyAttestationApple
  * attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
  */
 async function verifyRegistrationResponse(options) {
-    const { response, expectedChallenge, expectedOrigin, expectedRPID, requireUserVerification = true, supportedAlgorithmIDs = generateRegistrationOptions_1.supportedCOSEAlgorithmIdentifiers, } = options;
+    const { response, expectedChallenge, expectedOrigin, expectedRPID, requireUserVerification = true, supportedAlgorithmIDs = generateRegistrationOptions_js_1.supportedCOSEAlgorithmIdentifiers, } = options;
     const { id, rawId, type: credentialType, response: attestationResponse } = response;
     // Ensure credential specified an ID
     if (!id) {
@@ -49,7 +49,7 @@ async function verifyRegistrationResponse(options) {
     if (credentialType !== 'public-key') {
         throw new Error(`Unexpected credential type ${credentialType}, expected "public-key"`);
     }
-    const clientDataJSON = (0, decodeClientDataJSON_1.decodeClientDataJSON)(attestationResponse.clientDataJSON);
+    const clientDataJSON = (0, decodeClientDataJSON_js_1.decodeClientDataJSON)(attestationResponse.clientDataJSON);
     const { type, origin, challenge, tokenBinding } = clientDataJSON;
     // Make sure we're handling an registration
     if (type !== 'webauthn.create') {
@@ -83,13 +83,13 @@ async function verifyRegistrationResponse(options) {
             throw new Error(`Unexpected tokenBinding.status value of "${tokenBinding.status}"`);
         }
     }
-    const attestationObject = iso_1.isoBase64URL.toBuffer(attestationResponse.attestationObject);
-    const decodedAttestationObject = (0, decodeAttestationObject_1.decodeAttestationObject)(attestationObject);
+    const attestationObject = index_js_1.isoBase64URL.toBuffer(attestationResponse.attestationObject);
+    const decodedAttestationObject = (0, decodeAttestationObject_js_1.decodeAttestationObject)(attestationObject);
     const fmt = decodedAttestationObject.get('fmt');
     const authData = decodedAttestationObject.get('authData');
     const attStmt = decodedAttestationObject.get('attStmt');
-    const parsedAuthData = (0, parseAuthenticatorData_1.parseAuthenticatorData)(authData);
-    const { aaguid, rpIdHash, flags, credentialID, counter, credentialPublicKey, extensionsData } = parsedAuthData;
+    const parsedAuthData = (0, parseAuthenticatorData_js_1.parseAuthenticatorData)(authData);
+    const { aaguid, rpIdHash, flags, credentialID, counter, credentialPublicKey, extensionsData, } = parsedAuthData;
     // Make sure the response's RP ID is ours
     let matchedRPID;
     if (expectedRPID) {
@@ -100,7 +100,7 @@ async function verifyRegistrationResponse(options) {
         else {
             expectedRPIDs = expectedRPID;
         }
-        matchedRPID = await (0, matchExpectedRPID_1.matchExpectedRPID)(rpIdHash, expectedRPIDs);
+        matchedRPID = await (0, matchExpectedRPID_js_1.matchExpectedRPID)(rpIdHash, expectedRPIDs);
     }
     // Make sure someone was physically present
     if (!flags.up) {
@@ -119,8 +119,8 @@ async function verifyRegistrationResponse(options) {
     if (!aaguid) {
         throw new Error('No AAGUID was present during registration');
     }
-    const decodedPublicKey = (0, decodeCredentialPublicKey_1.decodeCredentialPublicKey)(credentialPublicKey);
-    const alg = decodedPublicKey.get(cose_1.COSEKEYS.alg);
+    const decodedPublicKey = (0, decodeCredentialPublicKey_js_1.decodeCredentialPublicKey)(credentialPublicKey);
+    const alg = decodedPublicKey.get(cose_js_1.COSEKEYS.alg);
     if (typeof alg !== 'number') {
         throw new Error('Credential public key was missing numeric alg');
     }
@@ -129,8 +129,10 @@ async function verifyRegistrationResponse(options) {
         const supported = supportedAlgorithmIDs.join(', ');
         throw new Error(`Unexpected public key alg "${alg}", expected one of "${supported}"`);
     }
-    const clientDataHash = await (0, toHash_1.toHash)(iso_1.isoBase64URL.toBuffer(attestationResponse.clientDataJSON));
-    const rootCertificates = settingsService_1.SettingsService.getRootCertificates({ identifier: fmt });
+    const clientDataHash = await (0, toHash_js_1.toHash)(index_js_1.isoBase64URL.toBuffer(attestationResponse.clientDataJSON));
+    const rootCertificates = settingsService_js_1.SettingsService.getRootCertificates({
+        identifier: fmt,
+    });
     // Prepare arguments to pass to the relevant verification method
     const verifierOpts = {
         aaguid,
@@ -147,22 +149,22 @@ async function verifyRegistrationResponse(options) {
      */
     let verified = false;
     if (fmt === 'fido-u2f') {
-        verified = await (0, verifyAttestationFIDOU2F_1.verifyAttestationFIDOU2F)(verifierOpts);
+        verified = await (0, verifyAttestationFIDOU2F_js_1.verifyAttestationFIDOU2F)(verifierOpts);
     }
     else if (fmt === 'packed') {
-        verified = await (0, verifyAttestationPacked_1.verifyAttestationPacked)(verifierOpts);
+        verified = await (0, verifyAttestationPacked_js_1.verifyAttestationPacked)(verifierOpts);
     }
     else if (fmt === 'android-safetynet') {
-        verified = await (0, verifyAttestationAndroidSafetyNet_1.verifyAttestationAndroidSafetyNet)(verifierOpts);
+        verified = await (0, verifyAttestationAndroidSafetyNet_js_1.verifyAttestationAndroidSafetyNet)(verifierOpts);
     }
     else if (fmt === 'android-key') {
-        verified = await (0, verifyAttestationAndroidKey_1.verifyAttestationAndroidKey)(verifierOpts);
+        verified = await (0, verifyAttestationAndroidKey_js_1.verifyAttestationAndroidKey)(verifierOpts);
     }
     else if (fmt === 'tpm') {
-        verified = await (0, verifyAttestationTPM_1.verifyAttestationTPM)(verifierOpts);
+        verified = await (0, verifyAttestationTPM_js_1.verifyAttestationTPM)(verifierOpts);
     }
     else if (fmt === 'apple') {
-        verified = await (0, verifyAttestationApple_1.verifyAttestationApple)(verifierOpts);
+        verified = await (0, verifyAttestationApple_js_1.verifyAttestationApple)(verifierOpts);
     }
     else if (fmt === 'none') {
         if (attStmt.size > 0) {
@@ -178,11 +180,11 @@ async function verifyRegistrationResponse(options) {
         verified,
     };
     if (toReturn.verified) {
-        const { credentialDeviceType, credentialBackedUp } = (0, parseBackupFlags_1.parseBackupFlags)(flags);
+        const { credentialDeviceType, credentialBackedUp } = (0, parseBackupFlags_js_1.parseBackupFlags)(flags);
         toReturn.registrationInfo = {
             fmt,
             counter,
-            aaguid: (0, convertAAGUIDToString_1.convertAAGUIDToString)(aaguid),
+            aaguid: (0, convertAAGUIDToString_js_1.convertAAGUIDToString)(aaguid),
             credentialID,
             credentialPublicKey,
             credentialType,
@@ -198,4 +200,3 @@ async function verifyRegistrationResponse(options) {
     return toReturn;
 }
 exports.verifyRegistrationResponse = verifyRegistrationResponse;
-//# sourceMappingURL=verifyRegistrationResponse.js.map

package/script/services/defaultRootCerts/android-key.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Google Hardware Attestation Root 1
+ *
+ * Downloaded from https://developer.android.com/training/articles/security-key-attestation#root_certificate
+ * (first entry)
+ *
+ * Valid until 2026-05-24 @ 09:28 PST
+ *
+ * SHA256 Fingerprint
+ * C1:98:4A:3E:F4:5C:1E:2A:91:85:51:DE:10:60:3C:86:F7:05:1B:22:49:C4:89:1C:AE:32:30:EA:BD:0C:97:D5
+ */
+export declare const Google_Hardware_Attestation_Root_1 = "-----BEGIN CERTIFICATE-----\nMIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\nBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYy\nODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B\nAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS\nSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7\ntv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj\nnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq\nC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ\noVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O\nJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg\nsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi\nigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M\nRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E\naDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um\nAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYD\nVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAO\nBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lk\nLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQAD\nggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfB\nPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00m\nqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rY\nDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPm\nQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4u\nJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyD\nCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79Iy\nZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxD\nqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23Uaic\nMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1\nwDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk\n-----END CERTIFICATE-----\n";
+/**
+ * Google Hardware Attestation Root 2
+ *
+ * Downloaded from https://developer.android.com/training/articles/security-key-attestation#root_certificate
+ * (second entry)
+ *
+ * Valid until 2034-11-18 @ 12:37 PST
+ *
+ * SHA256 Fingerprint
+ * 1E:F1:A0:4B:8B:A5:8A:B9:45:89:AC:49:8C:89:82:A7:83:F2:4E:A7:30:7E:01:59:A0:C3:A7:3B:37:7D:87:CC
+ */
+export declare const Google_Hardware_Attestation_Root_2 = "-----BEGIN CERTIFICATE-----\nMIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\nBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAz\nNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B\nAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS\nSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7\ntv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj\nnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq\nC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ\noVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O\nJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg\nsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi\nigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M\nRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E\naDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um\nAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1Ud\nIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYD\nVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnu\nXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83U\nh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cno\nL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2ok\nQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vA\nD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAI\nmMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoW\nFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91\noeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09o\njm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUB\nZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCH\nex0SdDrx+tWUDqG8At2JHA==\n-----END CERTIFICATE-----\n";

package/{dist → script}/services/defaultRootCerts/android-key.js

@@ -86,4 +86,3 @@ ZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCH
 ex0SdDrx+tWUDqG8At2JHA==
 -----END CERTIFICATE-----
 `;
-//# sourceMappingURL=android-key.js.map