@simplewebauthn/server 7.4.0 → 8.0.0-alpha.0

package/script/authentication/verifyAuthenticationResponse.d.ts

@@ -0,0 +1,66 @@
+import type { AuthenticationResponseJSON, AuthenticatorDevice, CredentialDeviceType, UserVerificationRequirement } from '../deps.js';
+import { AuthenticationExtensionsAuthenticatorOutputs } from '../helpers/decodeAuthenticatorExtensions.js';
+export type VerifyAuthenticationResponseOpts = {
+    response: AuthenticationResponseJSON;
+    expectedChallenge: string | ((challenge: string) => boolean);
+    expectedOrigin: string | string[];
+    expectedRPID: string | string[];
+    authenticator: AuthenticatorDevice;
+    requireUserVerification?: boolean;
+    advancedFIDOConfig?: {
+        userVerification?: UserVerificationRequirement;
+    };
+};
+/**
+ * Verify that the user has legitimately completed the login process
+ *
+ * **Options:**
+ *
+ * @param response Response returned by **@simplewebauthn/browser**'s `startAssertion()`
+ * @param expectedChallenge The base64url-encoded `options.challenge` returned by
+ * `generateAuthenticationOptions()`
+ * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
+ * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
+ * @param authenticator An internal {@link AuthenticatorDevice} matching the credential's ID
+ * @param requireUserVerification (Optional) Enforce user verification by the authenticator
+ * (via PIN, fingerprint, etc...)
+ * @param advancedFIDOConfig (Optional) Options for satisfying more stringent FIDO RP feature
+ * requirements
+ * @param advancedFIDOConfig.userVerification (Optional) Enable alternative rules for evaluating the
+ * User Presence and User Verified flags in authenticator data: UV (and UP) flags are optional
+ * unless this value is `"required"`
+ */
+export declare function verifyAuthenticationResponse(options: VerifyAuthenticationResponseOpts): Promise<VerifiedAuthenticationResponse>;
+/**
+ * Result of authentication verification
+ *
+ * @param verified If the authentication response could be verified
+ * @param authenticationInfo.credentialID The ID of the authenticator used during authentication.
+ * Should be used to identify which DB authenticator entry needs its `counter` updated to the value
+ * below
+ * @param authenticationInfo.newCounter The number of times the authenticator identified above
+ * reported it has been used. **Should be kept in a DB for later reference to help prevent replay
+ * attacks!**
+ * @param authenticationInfo.credentialDeviceType Whether this is a single-device or multi-device
+ * credential. **Should be kept in a DB for later reference!**
+ * @param authenticationInfo.credentialBackedUp Whether or not the multi-device credential has been
+ * backed up. Always `false` for single-device credentials. **Should be kept in a DB for later
+ * reference!**
+ * @param authenticationInfo.origin The origin of the website that the authentication occurred on
+ * @param authenticationInfo.rpID The RP ID that the authentication occurred on
+ * @param authenticationInfo?.authenticatorExtensionResults The authenticator extensions returned
+ * by the browser
+ */
+export type VerifiedAuthenticationResponse = {
+    verified: boolean;
+    authenticationInfo: {
+        credentialID: Uint8Array;
+        newCounter: number;
+        userVerified: boolean;
+        credentialDeviceType: CredentialDeviceType;
+        credentialBackedUp: boolean;
+        origin: string;
+        rpID: string;
+        authenticatorExtensionResults?: AuthenticationExtensionsAuthenticatorOutputs;
+    };
+};

package/{dist → script}/authentication/verifyAuthenticationResponse.js

@@ -1,13 +1,13 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.verifyAuthenticationResponse = void 0;
-const decodeClientDataJSON_1 = require("../helpers/decodeClientDataJSON");
-const toHash_1 = require("../helpers/toHash");
-const verifySignature_1 = require("../helpers/verifySignature");
-const parseAuthenticatorData_1 = require("../helpers/parseAuthenticatorData");
-const parseBackupFlags_1 = require("../helpers/parseBackupFlags");
-const matchExpectedRPID_1 = require("../helpers/matchExpectedRPID");
-const iso_1 = require("../helpers/iso");
+const decodeClientDataJSON_js_1 = require("../helpers/decodeClientDataJSON.js");
+const toHash_js_1 = require("../helpers/toHash.js");
+const verifySignature_js_1 = require("../helpers/verifySignature.js");
+const parseAuthenticatorData_js_1 = require("../helpers/parseAuthenticatorData.js");
+const parseBackupFlags_js_1 = require("../helpers/parseBackupFlags.js");
+const matchExpectedRPID_js_1 = require("../helpers/matchExpectedRPID.js");
+const index_js_1 = require("../helpers/iso/index.js");
 /**
  * Verify that the user has legitimately completed the login process
  *
@@ -45,10 +45,10 @@ async function verifyAuthenticationResponse(options) {
     if (!response) {
         throw new Error('Credential missing response');
     }
-    if (typeof (assertionResponse === null || assertionResponse === void 0 ? void 0 : assertionResponse.clientDataJSON) !== 'string') {
+    if (typeof assertionResponse?.clientDataJSON !== 'string') {
         throw new Error('Credential response clientDataJSON was not a string');
     }
-    const clientDataJSON = (0, decodeClientDataJSON_1.decodeClientDataJSON)(assertionResponse.clientDataJSON);
+    const clientDataJSON = (0, decodeClientDataJSON_js_1.decodeClientDataJSON)(assertionResponse.clientDataJSON);
     const { type, origin, challenge, tokenBinding } = clientDataJSON;
     // Make sure we're handling an authentication
     if (type !== 'webauthn.get') {
@@ -75,13 +75,14 @@ async function verifyAuthenticationResponse(options) {
             throw new Error(`Unexpected authentication response origin "${origin}", expected "${expectedOrigin}"`);
         }
     }
-    if (!iso_1.isoBase64URL.isBase64url(assertionResponse.authenticatorData)) {
+    if (!index_js_1.isoBase64URL.isBase64url(assertionResponse.authenticatorData)) {
         throw new Error('Credential response authenticatorData was not a base64url string');
     }
-    if (!iso_1.isoBase64URL.isBase64url(assertionResponse.signature)) {
+    if (!index_js_1.isoBase64URL.isBase64url(assertionResponse.signature)) {
         throw new Error('Credential response signature was not a base64url string');
     }
-    if (assertionResponse.userHandle && typeof assertionResponse.userHandle !== 'string') {
+    if (assertionResponse.userHandle &&
+        typeof assertionResponse.userHandle !== 'string') {
         throw new Error('Credential response userHandle was not a string');
     }
     if (tokenBinding) {
@@ -92,8 +93,8 @@ async function verifyAuthenticationResponse(options) {
             throw new Error(`Unexpected tokenBinding status ${tokenBinding.status}`);
         }
     }
-    const authDataBuffer = iso_1.isoBase64URL.toBuffer(assertionResponse.authenticatorData);
-    const parsedAuthData = (0, parseAuthenticatorData_1.parseAuthenticatorData)(authDataBuffer);
+    const authDataBuffer = index_js_1.isoBase64URL.toBuffer(assertionResponse.authenticatorData);
+    const parsedAuthData = (0, parseAuthenticatorData_js_1.parseAuthenticatorData)(authDataBuffer);
     const { rpIdHash, flags, counter, extensionsData } = parsedAuthData;
     // Make sure the response's RP ID is ours
     let expectedRPIDs = [];
@@ -103,7 +104,7 @@ async function verifyAuthenticationResponse(options) {
     else {
         expectedRPIDs = expectedRPID;
     }
-    const matchedRPID = await (0, matchExpectedRPID_1.matchExpectedRPID)(rpIdHash, expectedRPIDs);
+    const matchedRPID = await (0, matchExpectedRPID_js_1.matchExpectedRPID)(rpIdHash, expectedRPIDs);
     if (advancedFIDOConfig !== undefined) {
         const { userVerification: fidoUserVerification } = advancedFIDOConfig;
         /**
@@ -115,7 +116,8 @@ async function verifyAuthenticationResponse(options) {
                 throw new Error('User verification required, but user could not be verified');
             }
         }
-        else if (fidoUserVerification === 'preferred' || fidoUserVerification === 'discouraged') {
+        else if (fidoUserVerification === 'preferred' ||
+            fidoUserVerification === 'discouraged') {
             // Ignore `flags.uv`
         }
     }
@@ -132,19 +134,20 @@ async function verifyAuthenticationResponse(options) {
             throw new Error('User verification required, but user could not be verified');
         }
     }
-    const clientDataHash = await (0, toHash_1.toHash)(iso_1.isoBase64URL.toBuffer(assertionResponse.clientDataJSON));
-    const signatureBase = iso_1.isoUint8Array.concat([authDataBuffer, clientDataHash]);
-    const signature = iso_1.isoBase64URL.toBuffer(assertionResponse.signature);
-    if ((counter > 0 || authenticator.counter > 0) && counter <= authenticator.counter) {
+    const clientDataHash = await (0, toHash_js_1.toHash)(index_js_1.isoBase64URL.toBuffer(assertionResponse.clientDataJSON));
+    const signatureBase = index_js_1.isoUint8Array.concat([authDataBuffer, clientDataHash]);
+    const signature = index_js_1.isoBase64URL.toBuffer(assertionResponse.signature);
+    if ((counter > 0 || authenticator.counter > 0) &&
+        counter <= authenticator.counter) {
         // Error out when the counter in the DB is greater than or equal to the counter in the
         // dataStruct. It's related to how the authenticator maintains the number of times its been
         // used for this client. If this happens, then someone's somehow increased the counter
         // on the device without going through this site
         throw new Error(`Response counter value ${counter} was lower than expected ${authenticator.counter}`);
     }
-    const { credentialDeviceType, credentialBackedUp } = (0, parseBackupFlags_1.parseBackupFlags)(flags);
+    const { credentialDeviceType, credentialBackedUp } = (0, parseBackupFlags_js_1.parseBackupFlags)(flags);
     const toReturn = {
-        verified: await (0, verifySignature_1.verifySignature)({
+        verified: await (0, verifySignature_js_1.verifySignature)({
             signature,
             data: signatureBase,
             credentialPublicKey: authenticator.credentialPublicKey,
@@ -163,4 +166,3 @@ async function verifyAuthenticationResponse(options) {
     return toReturn;
 }
 exports.verifyAuthenticationResponse = verifyAuthenticationResponse;
-//# sourceMappingURL=verifyAuthenticationResponse.js.map

package/script/deps.d.ts

@@ -0,0 +1,10 @@
+export type { AttestationConveyancePreference, AuthenticationExtensionsClientInputs, AuthenticationResponseJSON, AuthenticatorDevice, AuthenticatorSelectionCriteria, Base64URLString, COSEAlgorithmIdentifier, CredentialDeviceType, Crypto, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialParameters, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON, UserVerificationRequirement, } from '@simplewebauthn/typescript-types';
+export * as cborx from 'cbor-x';
+export { fetch as crossFetch } from 'cross-fetch';
+export { default as debug } from 'debug';
+export type { Debugger } from '@types/debug';
+export { AsnParser, AsnSerializer } from '@peculiar/asn1-schema';
+export { AuthorityKeyIdentifier, BasicConstraints, Certificate, CertificateList, CRLDistributionPoints, ExtendedKeyUsage, id_ce_authorityKeyIdentifier, id_ce_basicConstraints, id_ce_cRLDistributionPoints, id_ce_extKeyUsage, id_ce_subjectAltName, id_ce_subjectKeyIdentifier, Name, SubjectAlternativeName, SubjectKeyIdentifier, } from '@peculiar/asn1-x509';
+export { ECDSASigValue, ECParameters, id_ecPublicKey, id_secp256r1, id_secp384r1, } from '@peculiar/asn1-ecc';
+export { RSAPublicKey } from '@peculiar/asn1-rsa';
+export { id_ce_keyDescription, KeyDescription } from '@peculiar/asn1-android';

package/script/deps.js

@@ -0,0 +1,68 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeyDescription = exports.id_ce_keyDescription = exports.RSAPublicKey = exports.id_secp384r1 = exports.id_secp256r1 = exports.id_ecPublicKey = exports.ECParameters = exports.ECDSASigValue = exports.SubjectKeyIdentifier = exports.SubjectAlternativeName = exports.Name = exports.id_ce_subjectKeyIdentifier = exports.id_ce_subjectAltName = exports.id_ce_extKeyUsage = exports.id_ce_cRLDistributionPoints = exports.id_ce_basicConstraints = exports.id_ce_authorityKeyIdentifier = exports.ExtendedKeyUsage = exports.CRLDistributionPoints = exports.CertificateList = exports.Certificate = exports.BasicConstraints = exports.AuthorityKeyIdentifier = exports.AsnSerializer = exports.AsnParser = exports.debug = exports.crossFetch = exports.cborx = void 0;
+// cbor (a.k.a. cbor-x in Node land)
+exports.cborx = __importStar(require("cbor-x"));
+// cross-fetch
+var cross_fetch_1 = require("cross-fetch");
+Object.defineProperty(exports, "crossFetch", { enumerable: true, get: function () { return cross_fetch_1.fetch; } });
+// debug
+var debug_1 = require("debug");
+Object.defineProperty(exports, "debug", { enumerable: true, get: function () { return __importDefault(debug_1).default; } });
+// @peculiar libraries
+var asn1_schema_1 = require("@peculiar/asn1-schema");
+Object.defineProperty(exports, "AsnParser", { enumerable: true, get: function () { return asn1_schema_1.AsnParser; } });
+Object.defineProperty(exports, "AsnSerializer", { enumerable: true, get: function () { return asn1_schema_1.AsnSerializer; } });
+var asn1_x509_1 = require("@peculiar/asn1-x509");
+Object.defineProperty(exports, "AuthorityKeyIdentifier", { enumerable: true, get: function () { return asn1_x509_1.AuthorityKeyIdentifier; } });
+Object.defineProperty(exports, "BasicConstraints", { enumerable: true, get: function () { return asn1_x509_1.BasicConstraints; } });
+Object.defineProperty(exports, "Certificate", { enumerable: true, get: function () { return asn1_x509_1.Certificate; } });
+Object.defineProperty(exports, "CertificateList", { enumerable: true, get: function () { return asn1_x509_1.CertificateList; } });
+Object.defineProperty(exports, "CRLDistributionPoints", { enumerable: true, get: function () { return asn1_x509_1.CRLDistributionPoints; } });
+Object.defineProperty(exports, "ExtendedKeyUsage", { enumerable: true, get: function () { return asn1_x509_1.ExtendedKeyUsage; } });
+Object.defineProperty(exports, "id_ce_authorityKeyIdentifier", { enumerable: true, get: function () { return asn1_x509_1.id_ce_authorityKeyIdentifier; } });
+Object.defineProperty(exports, "id_ce_basicConstraints", { enumerable: true, get: function () { return asn1_x509_1.id_ce_basicConstraints; } });
+Object.defineProperty(exports, "id_ce_cRLDistributionPoints", { enumerable: true, get: function () { return asn1_x509_1.id_ce_cRLDistributionPoints; } });
+Object.defineProperty(exports, "id_ce_extKeyUsage", { enumerable: true, get: function () { return asn1_x509_1.id_ce_extKeyUsage; } });
+Object.defineProperty(exports, "id_ce_subjectAltName", { enumerable: true, get: function () { return asn1_x509_1.id_ce_subjectAltName; } });
+Object.defineProperty(exports, "id_ce_subjectKeyIdentifier", { enumerable: true, get: function () { return asn1_x509_1.id_ce_subjectKeyIdentifier; } });
+Object.defineProperty(exports, "Name", { enumerable: true, get: function () { return asn1_x509_1.Name; } });
+Object.defineProperty(exports, "SubjectAlternativeName", { enumerable: true, get: function () { return asn1_x509_1.SubjectAlternativeName; } });
+Object.defineProperty(exports, "SubjectKeyIdentifier", { enumerable: true, get: function () { return asn1_x509_1.SubjectKeyIdentifier; } });
+var asn1_ecc_1 = require("@peculiar/asn1-ecc");
+Object.defineProperty(exports, "ECDSASigValue", { enumerable: true, get: function () { return asn1_ecc_1.ECDSASigValue; } });
+Object.defineProperty(exports, "ECParameters", { enumerable: true, get: function () { return asn1_ecc_1.ECParameters; } });
+Object.defineProperty(exports, "id_ecPublicKey", { enumerable: true, get: function () { return asn1_ecc_1.id_ecPublicKey; } });
+Object.defineProperty(exports, "id_secp256r1", { enumerable: true, get: function () { return asn1_ecc_1.id_secp256r1; } });
+Object.defineProperty(exports, "id_secp384r1", { enumerable: true, get: function () { return asn1_ecc_1.id_secp384r1; } });
+var asn1_rsa_1 = require("@peculiar/asn1-rsa");
+Object.defineProperty(exports, "RSAPublicKey", { enumerable: true, get: function () { return asn1_rsa_1.RSAPublicKey; } });
+var asn1_android_1 = require("@peculiar/asn1-android");
+Object.defineProperty(exports, "id_ce_keyDescription", { enumerable: true, get: function () { return asn1_android_1.id_ce_keyDescription; } });
+Object.defineProperty(exports, "KeyDescription", { enumerable: true, get: function () { return asn1_android_1.KeyDescription; } });

package/script/helpers/convertAAGUIDToString.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Convert the aaguid buffer in authData into a UUID string
+ */
+export declare function convertAAGUIDToString(aaguid: Uint8Array): string;

package/{dist → script}/helpers/convertAAGUIDToString.js

@@ -1,13 +1,13 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.convertAAGUIDToString = void 0;
-const iso_1 = require("./iso");
+const index_js_1 = require("./iso/index.js");
 /**
  * Convert the aaguid buffer in authData into a UUID string
  */
 function convertAAGUIDToString(aaguid) {
     // Raw Hex: adce000235bcc60a648b0b25f1f05503
-    const hex = iso_1.isoUint8Array.toHex(aaguid);
+    const hex = index_js_1.isoUint8Array.toHex(aaguid);
     const segments = [
         hex.slice(0, 8),
         hex.slice(8, 12),
@@ -19,4 +19,3 @@ function convertAAGUIDToString(aaguid) {
     return segments.join('-');
 }
 exports.convertAAGUIDToString = convertAAGUIDToString;
-//# sourceMappingURL=convertAAGUIDToString.js.map

package/script/helpers/convertCOSEtoPKCS.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Takes COSE-encoded public key and converts it to PKCS key
+ */
+export declare function convertCOSEtoPKCS(cosePublicKey: Uint8Array): Uint8Array;

package/{dist → script}/helpers/convertCOSEtoPKCS.js

@@ -1,8 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.convertCOSEtoPKCS = void 0;
-const iso_1 = require("./iso");
-const cose_1 = require("./cose");
+const index_js_1 = require("./iso/index.js");
+const cose_js_1 = require("./cose.js");
 /**
  * Takes COSE-encoded public key and converts it to PKCS key
  */
@@ -10,17 +10,16 @@ function convertCOSEtoPKCS(cosePublicKey) {
     // This is a little sloppy, I'm using COSEPublicKeyEC2 since it could have both x and y, but when
     // there's no y it means it's probably better typed as COSEPublicKeyOKP. I'll leave this for now
     // and revisit it later if it ever becomes an actual problem.
-    const struct = iso_1.isoCBOR.decodeFirst(cosePublicKey);
+    const struct = index_js_1.isoCBOR.decodeFirst(cosePublicKey);
     const tag = Uint8Array.from([0x04]);
-    const x = struct.get(cose_1.COSEKEYS.x);
-    const y = struct.get(cose_1.COSEKEYS.y);
+    const x = struct.get(cose_js_1.COSEKEYS.x);
+    const y = struct.get(cose_js_1.COSEKEYS.y);
     if (!x) {
         throw new Error('COSE public key was missing x');
     }
     if (y) {
-        return iso_1.isoUint8Array.concat([tag, x, y]);
+        return index_js_1.isoUint8Array.concat([tag, x, y]);
     }
-    return iso_1.isoUint8Array.concat([tag, x]);
+    return index_js_1.isoUint8Array.concat([tag, x]);
 }
 exports.convertCOSEtoPKCS = convertCOSEtoPKCS;
-//# sourceMappingURL=convertCOSEtoPKCS.js.map

package/script/helpers/convertCertBufferToPEM.d.ts

@@ -0,0 +1,5 @@
+import type { Base64URLString } from '../deps.js';
+/**
+ * Convert buffer to an OpenSSL-compatible PEM text format.
+ */
+export declare function convertCertBufferToPEM(certBuffer: Uint8Array | Base64URLString): string;

package/{dist → script}/helpers/convertCertBufferToPEM.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.convertCertBufferToPEM = void 0;
-const iso_1 = require("./iso");
+const index_js_1 = require("./iso/index.js");
 /**
  * Convert buffer to an OpenSSL-compatible PEM text format.
  */
@@ -11,10 +11,10 @@ function convertCertBufferToPEM(certBuffer) {
      * Get certBuffer to a base64 representation
      */
     if (typeof certBuffer === 'string') {
-        if (iso_1.isoBase64URL.isBase64url(certBuffer)) {
-            b64cert = iso_1.isoBase64URL.toBase64(certBuffer);
+        if (index_js_1.isoBase64URL.isBase64url(certBuffer)) {
+            b64cert = index_js_1.isoBase64URL.toBase64(certBuffer);
         }
-        else if (iso_1.isoBase64URL.isBase64(certBuffer)) {
+        else if (index_js_1.isoBase64URL.isBase64(certBuffer)) {
             b64cert = certBuffer;
         }
         else {
@@ -22,7 +22,7 @@ function convertCertBufferToPEM(certBuffer) {
         }
     }
     else {
-        b64cert = iso_1.isoBase64URL.fromBuffer(certBuffer, 'base64');
+        b64cert = index_js_1.isoBase64URL.fromBuffer(certBuffer, 'base64');
     }
     let PEMKey = '';
     for (let i = 0; i < Math.ceil(b64cert.length / 64); i += 1) {
@@ -33,4 +33,3 @@ function convertCertBufferToPEM(certBuffer) {
     return PEMKey;
 }
 exports.convertCertBufferToPEM = convertCertBufferToPEM;
-//# sourceMappingURL=convertCertBufferToPEM.js.map

package/script/helpers/convertPEMToBytes.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Take a certificate in PEM format and convert it to bytes
+ */
+export declare function convertPEMToBytes(pem: string): Uint8Array;

package/{dist → script}/helpers/convertPEMToBytes.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.convertPEMToBytes = void 0;
-const iso_1 = require("./iso");
+const index_js_1 = require("./iso/index.js");
 /**
  * Take a certificate in PEM format and convert it to bytes
  */
@@ -10,7 +10,6 @@ function convertPEMToBytes(pem) {
         .replace('-----BEGIN CERTIFICATE-----', '')
         .replace('-----END CERTIFICATE-----', '')
         .replace(/[\n ]/g, '');
-    return iso_1.isoBase64URL.toBuffer(certBase64, 'base64');
+    return index_js_1.isoBase64URL.toBuffer(certBase64, 'base64');
 }
 exports.convertPEMToBytes = convertPEMToBytes;
-//# sourceMappingURL=convertPEMToBytes.js.map

package/script/helpers/convertX509PublicKeyToCOSE.d.ts

@@ -0,0 +1,2 @@
+import { COSEPublicKey } from './cose.js';
+export declare function convertX509PublicKeyToCOSE(x509Certificate: Uint8Array): COSEPublicKey;

package/{dist → script}/helpers/convertX509PublicKeyToCOSE.js

@@ -1,37 +1,34 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.convertX509PublicKeyToCOSE = void 0;
-const asn1_schema_1 = require("@peculiar/asn1-schema");
-const asn1_x509_1 = require("@peculiar/asn1-x509");
-const asn1_ecc_1 = require("@peculiar/asn1-ecc");
-const asn1_rsa_1 = require("@peculiar/asn1-rsa");
-const cose_1 = require("./cose");
-const mapX509SignatureAlgToCOSEAlg_1 = require("./mapX509SignatureAlgToCOSEAlg");
+const deps_js_1 = require("../deps.js");
+const cose_js_1 = require("./cose.js");
+const mapX509SignatureAlgToCOSEAlg_js_1 = require("./mapX509SignatureAlgToCOSEAlg.js");
 function convertX509PublicKeyToCOSE(x509Certificate) {
     let cosePublicKey = new Map();
     /**
      * Time to extract the public key from an X.509 certificate
      */
-    const x509 = asn1_schema_1.AsnParser.parse(x509Certificate, asn1_x509_1.Certificate);
+    const x509 = deps_js_1.AsnParser.parse(x509Certificate, deps_js_1.Certificate);
     const { tbsCertificate } = x509;
     const { subjectPublicKeyInfo, signature: _tbsSignature } = tbsCertificate;
     const signatureAlgorithm = _tbsSignature.algorithm;
     const publicKeyAlgorithmID = subjectPublicKeyInfo.algorithm.algorithm;
-    if (publicKeyAlgorithmID === asn1_ecc_1.id_ecPublicKey) {
+    if (publicKeyAlgorithmID === deps_js_1.id_ecPublicKey) {
         /**
          * EC2 Public Key
          */
         if (!subjectPublicKeyInfo.algorithm.parameters) {
             throw new Error('Certificate public key was missing parameters (EC2)');
         }
-        const ecParameters = asn1_schema_1.AsnParser.parse(new Uint8Array(subjectPublicKeyInfo.algorithm.parameters), asn1_ecc_1.ECParameters);
+        const ecParameters = deps_js_1.AsnParser.parse(new Uint8Array(subjectPublicKeyInfo.algorithm.parameters), deps_js_1.ECParameters);
         let crv = -999;
         const { namedCurve } = ecParameters;
-        if (namedCurve === asn1_ecc_1.id_secp256r1) {
-            crv = cose_1.COSECRV.P256;
+        if (namedCurve === deps_js_1.id_secp256r1) {
+            crv = cose_js_1.COSECRV.P256;
         }
-        else if (namedCurve === asn1_ecc_1.id_secp384r1) {
-            crv = cose_1.COSECRV.P384;
+        else if (namedCurve === deps_js_1.id_secp384r1) {
+            crv = cose_js_1.COSECRV.P384;
         }
         else {
             throw new Error(`Certificate public key contained unexpected namedCurve ${namedCurve} (EC2)`);
@@ -43,30 +40,30 @@ function convertX509PublicKeyToCOSE(x509Certificate) {
             // Public key is in "uncompressed form", so we can split the remaining bytes in half
             let pointer = 1;
             const halfLength = (subjectPublicKey.length - 1) / 2;
-            x = subjectPublicKey.slice(pointer, (pointer += halfLength));
+            x = subjectPublicKey.slice(pointer, pointer += halfLength);
             y = subjectPublicKey.slice(pointer);
         }
         else {
             throw new Error('TODO: Figure out how to handle public keys in "compressed form"');
         }
         const coseEC2PubKey = new Map();
-        coseEC2PubKey.set(cose_1.COSEKEYS.kty, cose_1.COSEKTY.EC2);
-        coseEC2PubKey.set(cose_1.COSEKEYS.alg, (0, mapX509SignatureAlgToCOSEAlg_1.mapX509SignatureAlgToCOSEAlg)(signatureAlgorithm));
-        coseEC2PubKey.set(cose_1.COSEKEYS.crv, crv);
-        coseEC2PubKey.set(cose_1.COSEKEYS.x, x);
-        coseEC2PubKey.set(cose_1.COSEKEYS.y, y);
+        coseEC2PubKey.set(cose_js_1.COSEKEYS.kty, cose_js_1.COSEKTY.EC2);
+        coseEC2PubKey.set(cose_js_1.COSEKEYS.alg, (0, mapX509SignatureAlgToCOSEAlg_js_1.mapX509SignatureAlgToCOSEAlg)(signatureAlgorithm));
+        coseEC2PubKey.set(cose_js_1.COSEKEYS.crv, crv);
+        coseEC2PubKey.set(cose_js_1.COSEKEYS.x, x);
+        coseEC2PubKey.set(cose_js_1.COSEKEYS.y, y);
         cosePublicKey = coseEC2PubKey;
     }
     else if (publicKeyAlgorithmID === '1.2.840.113549.1.1.1') {
         /**
          * RSA public key
          */
-        const rsaPublicKey = asn1_schema_1.AsnParser.parse(subjectPublicKeyInfo.subjectPublicKey, asn1_rsa_1.RSAPublicKey);
+        const rsaPublicKey = deps_js_1.AsnParser.parse(subjectPublicKeyInfo.subjectPublicKey, deps_js_1.RSAPublicKey);
         const coseRSAPubKey = new Map();
-        coseRSAPubKey.set(cose_1.COSEKEYS.kty, cose_1.COSEKTY.RSA);
-        coseRSAPubKey.set(cose_1.COSEKEYS.alg, (0, mapX509SignatureAlgToCOSEAlg_1.mapX509SignatureAlgToCOSEAlg)(signatureAlgorithm));
-        coseRSAPubKey.set(cose_1.COSEKEYS.n, new Uint8Array(rsaPublicKey.modulus));
-        coseRSAPubKey.set(cose_1.COSEKEYS.e, new Uint8Array(rsaPublicKey.publicExponent));
+        coseRSAPubKey.set(cose_js_1.COSEKEYS.kty, cose_js_1.COSEKTY.RSA);
+        coseRSAPubKey.set(cose_js_1.COSEKEYS.alg, (0, mapX509SignatureAlgToCOSEAlg_js_1.mapX509SignatureAlgToCOSEAlg)(signatureAlgorithm));
+        coseRSAPubKey.set(cose_js_1.COSEKEYS.n, new Uint8Array(rsaPublicKey.modulus));
+        coseRSAPubKey.set(cose_js_1.COSEKEYS.e, new Uint8Array(rsaPublicKey.publicExponent));
         cosePublicKey = coseRSAPubKey;
     }
     else {
@@ -75,4 +72,3 @@ function convertX509PublicKeyToCOSE(x509Certificate) {
     return cosePublicKey;
 }
 exports.convertX509PublicKeyToCOSE = convertX509PublicKeyToCOSE;
-//# sourceMappingURL=convertX509PublicKeyToCOSE.js.map

package/script/helpers/cose.d.ts

@@ -0,0 +1,98 @@
+/**
+ * Fundamental values that are needed to discern the more specific COSE public key types below.
+ *
+ * The use of `Maps` here is due to CBOR encoding being used with public keys, and the CBOR "Map"
+ * type is being decoded to JavaScript's `Map` type instead of, say, a basic Object as us JS
+ * developers might prefer.
+ *
+ * These types are an unorthodox way of saying "these Maps should involve these discrete lists of
+ * keys", but it works.
+ */
+export type COSEPublicKey = {
+    get(key: COSEKEYS.kty): COSEKTY | undefined;
+    get(key: COSEKEYS.alg): COSEALG | undefined;
+    set(key: COSEKEYS.kty, value: COSEKTY): void;
+    set(key: COSEKEYS.alg, value: COSEALG): void;
+};
+export type COSEPublicKeyOKP = COSEPublicKey & {
+    get(key: COSEKEYS.crv): number | undefined;
+    get(key: COSEKEYS.x): Uint8Array | undefined;
+    set(key: COSEKEYS.crv, value: number): void;
+    set(key: COSEKEYS.x, value: Uint8Array): void;
+};
+export type COSEPublicKeyEC2 = COSEPublicKey & {
+    get(key: COSEKEYS.crv): number | undefined;
+    get(key: COSEKEYS.x): Uint8Array | undefined;
+    get(key: COSEKEYS.y): Uint8Array | undefined;
+    set(key: COSEKEYS.crv, value: number): void;
+    set(key: COSEKEYS.x, value: Uint8Array): void;
+    set(key: COSEKEYS.y, value: Uint8Array): void;
+};
+export type COSEPublicKeyRSA = COSEPublicKey & {
+    get(key: COSEKEYS.n): Uint8Array | undefined;
+    get(key: COSEKEYS.e): Uint8Array | undefined;
+    set(key: COSEKEYS.n, value: Uint8Array): void;
+    set(key: COSEKEYS.e, value: Uint8Array): void;
+};
+export declare function isCOSEPublicKeyOKP(cosePublicKey: COSEPublicKey): cosePublicKey is COSEPublicKeyOKP;
+export declare function isCOSEPublicKeyEC2(cosePublicKey: COSEPublicKey): cosePublicKey is COSEPublicKeyEC2;
+export declare function isCOSEPublicKeyRSA(cosePublicKey: COSEPublicKey): cosePublicKey is COSEPublicKeyRSA;
+/**
+ * COSE Keys
+ *
+ * https://www.iana.org/assignments/cose/cose.xhtml#key-common-parameters
+ * https://www.iana.org/assignments/cose/cose.xhtml#key-type-parameters
+ */
+export declare enum COSEKEYS {
+    kty = 1,
+    alg = 3,
+    crv = -1,
+    x = -2,
+    y = -3,
+    n = -1,
+    e = -2
+}
+/**
+ * COSE Key Types
+ *
+ * https://www.iana.org/assignments/cose/cose.xhtml#key-type
+ */
+export declare enum COSEKTY {
+    OKP = 1,
+    EC2 = 2,
+    RSA = 3
+}
+export declare function isCOSEKty(kty: number | undefined): kty is COSEKTY;
+/**
+ * COSE Curves
+ *
+ * https://www.iana.org/assignments/cose/cose.xhtml#elliptic-curves
+ */
+export declare enum COSECRV {
+    P256 = 1,
+    P384 = 2,
+    P521 = 3,
+    ED25519 = 6,
+    SECP256K1 = 8
+}
+export declare function isCOSECrv(crv: number | undefined): crv is COSECRV;
+/**
+ * COSE Algorithms
+ *
+ * https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+ */
+export declare enum COSEALG {
+    ES256 = -7,
+    EdDSA = -8,
+    ES384 = -35,
+    ES512 = -36,
+    PS256 = -37,
+    PS384 = -38,
+    PS512 = -39,
+    ES256K = -47,
+    RS256 = -257,
+    RS384 = -258,
+    RS512 = -259,
+    RS1 = -65535
+}
+export declare function isCOSEAlg(alg: number | undefined): alg is COSEALG;

package/{dist → script}/helpers/cose.js

@@ -58,6 +58,7 @@ var COSECRV;
     COSECRV[COSECRV["P384"] = 2] = "P384";
     COSECRV[COSECRV["P521"] = 3] = "P521";
     COSECRV[COSECRV["ED25519"] = 6] = "ED25519";
+    COSECRV[COSECRV["SECP256K1"] = 8] = "SECP256K1";
 })(COSECRV = exports.COSECRV || (exports.COSECRV = {}));
 function isCOSECrv(crv) {
     return Object.values(COSECRV).indexOf(crv) >= 0;
@@ -87,4 +88,3 @@ function isCOSEAlg(alg) {
     return Object.values(COSEALG).indexOf(alg) >= 0;
 }
 exports.isCOSEAlg = isCOSEAlg;
-//# sourceMappingURL=cose.js.map

package/script/helpers/decodeAttestationObject.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Convert an AttestationObject buffer to a proper object
+ *
+ * @param base64AttestationObject Attestation Object buffer
+ */
+export declare function decodeAttestationObject(attestationObject: Uint8Array): AttestationObject;
+export type AttestationFormat = 'fido-u2f' | 'packed' | 'android-safetynet' | 'android-key' | 'tpm' | 'apple' | 'none';
+export type AttestationObject = {
+    get(key: 'fmt'): AttestationFormat;
+    get(key: 'attStmt'): AttestationStatement;
+    get(key: 'authData'): Uint8Array;
+};
+/**
+ * `AttestationStatement` will be an instance of `Map`, but these keys help make finite the list of
+ * possible values within it.
+ */
+export type AttestationStatement = {
+    get(key: 'sig'): Uint8Array | undefined;
+    get(key: 'x5c'): Uint8Array[] | undefined;
+    get(key: 'response'): Uint8Array | undefined;
+    get(key: 'alg'): number | undefined;
+    get(key: 'ver'): string | undefined;
+    get(key: 'certInfo'): Uint8Array | undefined;
+    get(key: 'pubArea'): Uint8Array | undefined;
+    readonly size: number;
+};
+export declare const _decodeAttestationObjectInternals: {
+    stubThis: (value: AttestationObject) => AttestationObject;
+};