@simplewebauthn/server 7.4.0 → 8.0.0

package/{dist → script}/registration/verifications/tpm/parseCertInfo.js

@@ -1,50 +1,50 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.parseCertInfo = void 0;
-const constants_1 = require("./constants");
-const iso_1 = require("../../../helpers/iso");
+const constants_js_1 = require("./constants.js");
+const index_js_1 = require("../../../helpers/iso/index.js");
 /**
  * Cut up a TPM attestation's certInfo into intelligible chunks
  */
 function parseCertInfo(certInfo) {
     let pointer = 0;
-    const dataView = iso_1.isoUint8Array.toDataView(certInfo);
+    const dataView = index_js_1.isoUint8Array.toDataView(certInfo);
     // Get a magic constant
     const magic = dataView.getUint32(pointer);
     pointer += 4;
     // Determine the algorithm used for attestation
     const typeBuffer = dataView.getUint16(pointer);
     pointer += 2;
-    const type = constants_1.TPM_ST[typeBuffer];
+    const type = constants_js_1.TPM_ST[typeBuffer];
     // The name of a parent entity, can be ignored
     const qualifiedSignerLength = dataView.getUint16(pointer);
     pointer += 2;
-    const qualifiedSigner = certInfo.slice(pointer, (pointer += qualifiedSignerLength));
+    const qualifiedSigner = certInfo.slice(pointer, pointer += qualifiedSignerLength);
     // Get the expected hash of `attsToBeSigned`
     const extraDataLength = dataView.getUint16(pointer);
     pointer += 2;
-    const extraData = certInfo.slice(pointer, (pointer += extraDataLength));
+    const extraData = certInfo.slice(pointer, pointer += extraDataLength);
     // Information about the TPM device's internal clock, can be ignored
-    const clock = certInfo.slice(pointer, (pointer += 8));
+    const clock = certInfo.slice(pointer, pointer += 8);
     const resetCount = dataView.getUint32(pointer);
     pointer += 4;
     const restartCount = dataView.getUint32(pointer);
     pointer += 4;
-    const safe = !!certInfo.slice(pointer, (pointer += 1));
+    const safe = !!certInfo.slice(pointer, pointer += 1);
     const clockInfo = { clock, resetCount, restartCount, safe };
     // TPM device firmware version
-    const firmwareVersion = certInfo.slice(pointer, (pointer += 8));
+    const firmwareVersion = certInfo.slice(pointer, pointer += 8);
     // Attested Name
     const attestedNameLength = dataView.getUint16(pointer);
     pointer += 2;
-    const attestedName = certInfo.slice(pointer, (pointer += attestedNameLength));
-    const attestedNameDataView = iso_1.isoUint8Array.toDataView(attestedName);
+    const attestedName = certInfo.slice(pointer, pointer += attestedNameLength);
+    const attestedNameDataView = index_js_1.isoUint8Array.toDataView(attestedName);
     // Attested qualified name, can be ignored
     const qualifiedNameLength = dataView.getUint16(pointer);
     pointer += 2;
-    const qualifiedName = certInfo.slice(pointer, (pointer += qualifiedNameLength));
+    const qualifiedName = certInfo.slice(pointer, pointer += qualifiedNameLength);
     const attested = {
-        nameAlg: constants_1.TPM_ALG[attestedNameDataView.getUint16(0)],
+        nameAlg: constants_js_1.TPM_ALG[attestedNameDataView.getUint16(0)],
         nameAlgBuffer: attestedName.slice(0, 2),
         name: attestedName,
         qualifiedName,
@@ -60,4 +60,3 @@ function parseCertInfo(certInfo) {
     };
 }
 exports.parseCertInfo = parseCertInfo;
-//# sourceMappingURL=parseCertInfo.js.map

package/script/registration/verifications/tpm/parsePubArea.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Break apart a TPM attestation's pubArea buffer
+ *
+ * See 12.2.4 TPMT_PUBLIC here:
+ * https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-00.96-130315.pdf
+ */
+export declare function parsePubArea(pubArea: Uint8Array): ParsedPubArea;
+type ParsedPubArea = {
+    type: 'TPM_ALG_RSA' | 'TPM_ALG_ECC';
+    nameAlg: string;
+    objectAttributes: {
+        fixedTPM: boolean;
+        stClear: boolean;
+        fixedParent: boolean;
+        sensitiveDataOrigin: boolean;
+        userWithAuth: boolean;
+        adminWithPolicy: boolean;
+        noDA: boolean;
+        encryptedDuplication: boolean;
+        restricted: boolean;
+        decrypt: boolean;
+        signOrEncrypt: boolean;
+    };
+    authPolicy: Uint8Array;
+    parameters: {
+        rsa?: RSAParameters;
+        ecc?: ECCParameters;
+    };
+    unique: Uint8Array;
+};
+type RSAParameters = {
+    symmetric: string;
+    scheme: string;
+    keyBits: number;
+    exponent: number;
+};
+type ECCParameters = {
+    symmetric: string;
+    scheme: string;
+    curveID: string;
+    kdf: string;
+};
+export {};

package/{dist → script}/registration/verifications/tpm/parsePubArea.js

@@ -1,8 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.parsePubArea = void 0;
-const constants_1 = require("./constants");
-const iso_1 = require("../../../helpers/iso");
+const constants_js_1 = require("./constants.js");
+const index_js_1 = require("../../../helpers/iso/index.js");
 /**
  * Break apart a TPM attestation's pubArea buffer
  *
@@ -11,10 +11,10 @@ const iso_1 = require("../../../helpers/iso");
  */
 function parsePubArea(pubArea) {
     let pointer = 0;
-    const dataView = iso_1.isoUint8Array.toDataView(pubArea);
-    const type = constants_1.TPM_ALG[dataView.getUint16(pointer)];
+    const dataView = index_js_1.isoUint8Array.toDataView(pubArea);
+    const type = constants_js_1.TPM_ALG[dataView.getUint16(pointer)];
     pointer += 2;
-    const nameAlg = constants_1.TPM_ALG[dataView.getUint16(pointer)];
+    const nameAlg = constants_js_1.TPM_ALG[dataView.getUint16(pointer)];
     pointer += 2;
     // Get some authenticator attributes(?)
     // const objectAttributesInt = pubArea.slice(pointer, (pointer += 4)).readUInt32BE(0);
@@ -36,14 +36,14 @@ function parsePubArea(pubArea) {
     // Slice out the authPolicy of dynamic length
     const authPolicyLength = dataView.getUint16(pointer);
     pointer += 2;
-    const authPolicy = pubArea.slice(pointer, (pointer += authPolicyLength));
+    const authPolicy = pubArea.slice(pointer, pointer += authPolicyLength);
     // Extract additional curve params according to type
     const parameters = {};
     let unique = Uint8Array.from([]);
     if (type === 'TPM_ALG_RSA') {
-        const symmetric = constants_1.TPM_ALG[dataView.getUint16(pointer)];
+        const symmetric = constants_js_1.TPM_ALG[dataView.getUint16(pointer)];
         pointer += 2;
-        const scheme = constants_1.TPM_ALG[dataView.getUint16(pointer)];
+        const scheme = constants_js_1.TPM_ALG[dataView.getUint16(pointer)];
         pointer += 2;
         const keyBits = dataView.getUint16(pointer);
         pointer += 2;
@@ -57,16 +57,16 @@ function parsePubArea(pubArea) {
         // const uniqueLength = pubArea.slice(pointer, (pointer += 2)).readUInt16BE(0);
         const uniqueLength = dataView.getUint16(pointer);
         pointer += 2;
-        unique = pubArea.slice(pointer, (pointer += uniqueLength));
+        unique = pubArea.slice(pointer, pointer += uniqueLength);
     }
     else if (type === 'TPM_ALG_ECC') {
-        const symmetric = constants_1.TPM_ALG[dataView.getUint16(pointer)];
+        const symmetric = constants_js_1.TPM_ALG[dataView.getUint16(pointer)];
         pointer += 2;
-        const scheme = constants_1.TPM_ALG[dataView.getUint16(pointer)];
+        const scheme = constants_js_1.TPM_ALG[dataView.getUint16(pointer)];
         pointer += 2;
-        const curveID = constants_1.TPM_ECC_CURVE[dataView.getUint16(pointer)];
+        const curveID = constants_js_1.TPM_ECC_CURVE[dataView.getUint16(pointer)];
         pointer += 2;
-        const kdf = constants_1.TPM_ALG[dataView.getUint16(pointer)];
+        const kdf = constants_js_1.TPM_ALG[dataView.getUint16(pointer)];
         pointer += 2;
         parameters.ecc = { symmetric, scheme, curveID, kdf };
         /**
@@ -76,12 +76,12 @@ function parsePubArea(pubArea) {
         // Retrieve X
         const uniqueXLength = dataView.getUint16(pointer);
         pointer += 2;
-        const uniqueX = pubArea.slice(pointer, (pointer += uniqueXLength));
+        const uniqueX = pubArea.slice(pointer, pointer += uniqueXLength);
         // Retrieve Y
         const uniqueYLength = dataView.getUint16(pointer);
         pointer += 2;
-        const uniqueY = pubArea.slice(pointer, (pointer += uniqueYLength));
-        unique = iso_1.isoUint8Array.concat([uniqueX, uniqueY]);
+        const uniqueY = pubArea.slice(pointer, pointer += uniqueYLength);
+        unique = index_js_1.isoUint8Array.concat([uniqueX, uniqueY]);
     }
     else {
         throw new Error(`Unexpected type "${type}" (TPM)`);
@@ -96,4 +96,3 @@ function parsePubArea(pubArea) {
     };
 }
 exports.parsePubArea = parsePubArea;
-//# sourceMappingURL=parsePubArea.js.map

package/script/registration/verifications/tpm/verifyAttestationTPM.d.ts

@@ -0,0 +1,2 @@
+import type { AttestationFormatVerifierOpts } from '../../verifyRegistrationResponse.js';
+export declare function verifyAttestationTPM(options: AttestationFormatVerifierOpts): Promise<boolean>;

package/{dist → script}/registration/verifications/tpm/verifyAttestationTPM.js

@@ -1,24 +1,22 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.verifyAttestationTPM = void 0;
-const asn1_schema_1 = require("@peculiar/asn1-schema");
-const asn1_x509_1 = require("@peculiar/asn1-x509");
-const decodeCredentialPublicKey_1 = require("../../../helpers/decodeCredentialPublicKey");
-const cose_1 = require("../../../helpers/cose");
-const toHash_1 = require("../../../helpers/toHash");
-const convertCertBufferToPEM_1 = require("../../../helpers/convertCertBufferToPEM");
-const validateCertificatePath_1 = require("../../../helpers/validateCertificatePath");
-const getCertificateInfo_1 = require("../../../helpers/getCertificateInfo");
-const verifySignature_1 = require("../../../helpers/verifySignature");
-const iso_1 = require("../../../helpers/iso");
-const metadataService_1 = require("../../../services/metadataService");
-const verifyAttestationWithMetadata_1 = require("../../../metadata/verifyAttestationWithMetadata");
-const constants_1 = require("./constants");
-const parseCertInfo_1 = require("./parseCertInfo");
-const parsePubArea_1 = require("./parsePubArea");
+const deps_js_1 = require("../../../deps.js");
+const decodeCredentialPublicKey_js_1 = require("../../../helpers/decodeCredentialPublicKey.js");
+const cose_js_1 = require("../../../helpers/cose.js");
+const toHash_js_1 = require("../../../helpers/toHash.js");
+const convertCertBufferToPEM_js_1 = require("../../../helpers/convertCertBufferToPEM.js");
+const validateCertificatePath_js_1 = require("../../../helpers/validateCertificatePath.js");
+const getCertificateInfo_js_1 = require("../../../helpers/getCertificateInfo.js");
+const verifySignature_js_1 = require("../../../helpers/verifySignature.js");
+const index_js_1 = require("../../../helpers/iso/index.js");
+const metadataService_js_1 = require("../../../services/metadataService.js");
+const verifyAttestationWithMetadata_js_1 = require("../../../metadata/verifyAttestationWithMetadata.js");
+const constants_js_1 = require("./constants.js");
+const parseCertInfo_js_1 = require("./parseCertInfo.js");
+const parsePubArea_js_1 = require("./parsePubArea.js");
 async function verifyAttestationTPM(options) {
-    var _a;
-    const { aaguid, attStmt, authData, credentialPublicKey, clientDataHash, rootCertificates } = options;
+    const { aaguid, attStmt, authData, credentialPublicKey, clientDataHash, rootCertificates, } = options;
     const ver = attStmt.get('ver');
     const sig = attStmt.get('sig');
     const alg = attStmt.get('alg');
@@ -37,7 +35,7 @@ async function verifyAttestationTPM(options) {
     if (!alg) {
         throw new Error(`Attestation statement did not contain alg (TPM)`);
     }
-    if (!(0, cose_1.isCOSEAlg)(alg)) {
+    if (!(0, cose_js_1.isCOSEAlg)(alg)) {
         throw new Error(`Attestation statement contained invalid alg ${alg} (TPM)`);
     }
     if (!x5c) {
@@ -49,24 +47,24 @@ async function verifyAttestationTPM(options) {
     if (!certInfo) {
         throw new Error('Attestation statement did not contain certInfo (TPM)');
     }
-    const parsedPubArea = (0, parsePubArea_1.parsePubArea)(pubArea);
+    const parsedPubArea = (0, parsePubArea_js_1.parsePubArea)(pubArea);
     const { unique, type: pubType, parameters } = parsedPubArea;
     // Verify that the public key specified by the parameters and unique fields of pubArea is
     // identical to the credentialPublicKey in the attestedCredentialData in authenticatorData.
-    const cosePublicKey = (0, decodeCredentialPublicKey_1.decodeCredentialPublicKey)(credentialPublicKey);
+    const cosePublicKey = (0, decodeCredentialPublicKey_js_1.decodeCredentialPublicKey)(credentialPublicKey);
     if (pubType === 'TPM_ALG_RSA') {
-        if (!(0, cose_1.isCOSEPublicKeyRSA)(cosePublicKey)) {
-            throw new Error(`Credential public key with kty ${cosePublicKey.get(cose_1.COSEKEYS.kty)} did not match ${pubType}`);
+        if (!(0, cose_js_1.isCOSEPublicKeyRSA)(cosePublicKey)) {
+            throw new Error(`Credential public key with kty ${cosePublicKey.get(cose_js_1.COSEKEYS.kty)} did not match ${pubType}`);
         }
-        const n = cosePublicKey.get(cose_1.COSEKEYS.n);
-        const e = cosePublicKey.get(cose_1.COSEKEYS.e);
+        const n = cosePublicKey.get(cose_js_1.COSEKEYS.n);
+        const e = cosePublicKey.get(cose_js_1.COSEKEYS.e);
         if (!n) {
             throw new Error('COSE public key missing n (TPM|RSA)');
         }
         if (!e) {
             throw new Error('COSE public key missing e (TPM|RSA)');
         }
-        if (!iso_1.isoUint8Array.areEqual(unique, n)) {
+        if (!index_js_1.isoUint8Array.areEqual(unique, n)) {
             throw new Error('PubArea unique is not same as credentialPublicKey (TPM|RSA)');
         }
         if (!parameters.rsa) {
@@ -82,12 +80,12 @@ async function verifyAttestationTPM(options) {
         }
     }
     else if (pubType === 'TPM_ALG_ECC') {
-        if (!(0, cose_1.isCOSEPublicKeyEC2)(cosePublicKey)) {
-            throw new Error(`Credential public key with kty ${cosePublicKey.get(cose_1.COSEKEYS.kty)} did not match ${pubType}`);
+        if (!(0, cose_js_1.isCOSEPublicKeyEC2)(cosePublicKey)) {
+            throw new Error(`Credential public key with kty ${cosePublicKey.get(cose_js_1.COSEKEYS.kty)} did not match ${pubType}`);
         }
-        const crv = cosePublicKey.get(cose_1.COSEKEYS.crv);
-        const x = cosePublicKey.get(cose_1.COSEKEYS.x);
-        const y = cosePublicKey.get(cose_1.COSEKEYS.y);
+        const crv = cosePublicKey.get(cose_js_1.COSEKEYS.crv);
+        const x = cosePublicKey.get(cose_js_1.COSEKEYS.x);
+        const y = cosePublicKey.get(cose_js_1.COSEKEYS.y);
         if (!crv) {
             throw new Error('COSE public key missing crv (TPM|ECC)');
         }
@@ -97,14 +95,14 @@ async function verifyAttestationTPM(options) {
         if (!y) {
             throw new Error('COSE public key missing y (TPM|ECC)');
         }
-        if (!iso_1.isoUint8Array.areEqual(unique, iso_1.isoUint8Array.concat([x, y]))) {
+        if (!index_js_1.isoUint8Array.areEqual(unique, index_js_1.isoUint8Array.concat([x, y]))) {
             throw new Error('PubArea unique is not same as public key x and y (TPM|ECC)');
         }
         if (!parameters.ecc) {
             throw new Error(`Parsed pubArea type is ECC, but missing parameters.ecc (TPM|ECC)`);
         }
         const pubAreaCurveID = parameters.ecc.curveID;
-        const pubAreaCurveIDMapToCOSECRV = constants_1.TPM_ECC_CURVE_COSE_CRV_MAP[pubAreaCurveID];
+        const pubAreaCurveIDMapToCOSECRV = constants_js_1.TPM_ECC_CURVE_COSE_CRV_MAP[pubAreaCurveID];
         if (pubAreaCurveIDMapToCOSECRV !== crv) {
             throw new Error(`Public area key curve ID "${pubAreaCurveID}" mapped to "${pubAreaCurveIDMapToCOSECRV}" which did not match public key crv of "${crv}" (TPM|ECC)`);
         }
@@ -112,7 +110,7 @@ async function verifyAttestationTPM(options) {
     else {
         throw new Error(`Unsupported pubArea.type "${pubType}"`);
     }
-    const parsedCertInfo = (0, parseCertInfo_1.parseCertInfo)(certInfo);
+    const parsedCertInfo = (0, parseCertInfo_js_1.parseCertInfo)(certInfo);
     const { magic, type: certType, attested, extraData } = parsedCertInfo;
     if (magic !== 0xff544347) {
         throw new Error(`Unexpected magic value "${magic}", expected "0xff544347" (TPM)`);
@@ -121,19 +119,22 @@ async function verifyAttestationTPM(options) {
         throw new Error(`Unexpected type "${certType}", expected "TPM_ST_ATTEST_CERTIFY" (TPM)`);
     }
     // Hash pubArea to create pubAreaHash using the nameAlg in attested
-    const pubAreaHash = await (0, toHash_1.toHash)(pubArea, attestedNameAlgToCOSEAlg(attested.nameAlg));
+    const pubAreaHash = await (0, toHash_js_1.toHash)(pubArea, attestedNameAlgToCOSEAlg(attested.nameAlg));
     // Concatenate attested.nameAlg and pubAreaHash to create attestedName.
-    const attestedName = iso_1.isoUint8Array.concat([attested.nameAlgBuffer, pubAreaHash]);
+    const attestedName = index_js_1.isoUint8Array.concat([
+        attested.nameAlgBuffer,
+        pubAreaHash,
+    ]);
     // Check that certInfo.attested.name is equals to attestedName.
-    if (!iso_1.isoUint8Array.areEqual(attested.name, attestedName)) {
+    if (!index_js_1.isoUint8Array.areEqual(attested.name, attestedName)) {
         throw new Error(`Attested name comparison failed (TPM)`);
     }
     // Concatenate authData with clientDataHash to create attToBeSigned
-    const attToBeSigned = iso_1.isoUint8Array.concat([authData, clientDataHash]);
+    const attToBeSigned = index_js_1.isoUint8Array.concat([authData, clientDataHash]);
     // Hash attToBeSigned using the algorithm specified in attStmt.alg to create attToBeSignedHash
-    const attToBeSignedHash = await (0, toHash_1.toHash)(attToBeSigned, alg);
+    const attToBeSignedHash = await (0, toHash_js_1.toHash)(attToBeSigned, alg);
     // Check that certInfo.extraData is equals to attToBeSignedHash.
-    if (!iso_1.isoUint8Array.areEqual(extraData, attToBeSignedHash)) {
+    if (!index_js_1.isoUint8Array.areEqual(extraData, attToBeSignedHash)) {
         throw new Error('CertInfo extra data did not equal hashed attestation (TPM)');
     }
     /**
@@ -143,7 +144,7 @@ async function verifyAttestationTPM(options) {
         throw new Error('No certificates present in x5c array (TPM)');
     }
     // Pick a leaf AIK certificate of the x5c array and parse it.
-    const leafCertInfo = (0, getCertificateInfo_1.getCertificateInfo)(x5c[0]);
+    const leafCertInfo = (0, getCertificateInfo_js_1.getCertificateInfo)(x5c[0]);
     const { basicConstraintsCA, version, subject, notAfter, notBefore } = leafCertInfo;
     if (basicConstraintsCA) {
         throw new Error('Certificate basic constraints CA was not `false` (TPM)');
@@ -169,18 +170,18 @@ async function verifyAttestationTPM(options) {
     /**
      * Plumb the depths of the certificate's ASN.1-formatted data for some values we need to verify
      */
-    const parsedCert = asn1_schema_1.AsnParser.parse(x5c[0], asn1_x509_1.Certificate);
+    const parsedCert = deps_js_1.AsnParser.parse(x5c[0], deps_js_1.Certificate);
     if (!parsedCert.tbsCertificate.extensions) {
         throw new Error('Certificate was missing extensions (TPM)');
     }
     let subjectAltNamePresent;
     let extKeyUsage;
-    parsedCert.tbsCertificate.extensions.forEach(ext => {
-        if (ext.extnID === asn1_x509_1.id_ce_subjectAltName) {
-            subjectAltNamePresent = asn1_schema_1.AsnParser.parse(ext.extnValue, asn1_x509_1.SubjectAlternativeName);
+    parsedCert.tbsCertificate.extensions.forEach((ext) => {
+        if (ext.extnID === deps_js_1.id_ce_subjectAltName) {
+            subjectAltNamePresent = deps_js_1.AsnParser.parse(ext.extnValue, deps_js_1.SubjectAlternativeName);
         }
-        else if (ext.extnID === asn1_x509_1.id_ce_extKeyUsage) {
-            extKeyUsage = asn1_schema_1.AsnParser.parse(ext.extnValue, asn1_x509_1.ExtendedKeyUsage);
+        else if (ext.extnID === deps_js_1.id_ce_extKeyUsage) {
+            extKeyUsage = deps_js_1.AsnParser.parse(ext.extnValue, deps_js_1.ExtendedKeyUsage);
         }
     });
     // Check that certificate contains subjectAltName (2.5.29.17) extension,
@@ -189,7 +190,7 @@ async function verifyAttestationTPM(options) {
     }
     // TPM-specific values are buried within `directoryName`, so first make sure there are values
     // there.
-    if (!((_a = subjectAltNamePresent[0].directoryName) === null || _a === void 0 ? void 0 : _a[0].length)) {
+    if (!subjectAltNamePresent[0].directoryName?.[0].length) {
         throw new Error('Certificate subjectAltName extension directoryName was empty (TPM)');
     }
     const { tcgAtTpmManufacturer, tcgAtTpmModel, tcgAtTpmVersion } = getTcgAtTpmValues(subjectAltNamePresent[0].directoryName);
@@ -200,7 +201,7 @@ async function verifyAttestationTPM(options) {
         throw new Error('Certificate did not contain ExtendedKeyUsage extension (TPM)');
     }
     // Check that tcpaTpmManufacturer (2.23.133.2.1) field is set to a valid manufacturer ID.
-    if (!constants_1.TPM_MANUFACTURERS[tcgAtTpmManufacturer]) {
+    if (!constants_js_1.TPM_MANUFACTURERS[tcgAtTpmManufacturer]) {
         throw new Error(`Could not match TPM manufacturer "${tcgAtTpmManufacturer}" (TPM)`);
     }
     // Check that certificate contains extKeyUsage (2.5.29.37) extension and it must contain
@@ -211,10 +212,10 @@ async function verifyAttestationTPM(options) {
     // TODO: If certificate contains id-fido-gen-ce-aaguid(1.3.6.1.4.1.45724.1.1.4) extension, check
     // that it’s value is set to the same AAGUID as in authData.
     // Run some metadata checks if a statement exists for this authenticator
-    const statement = await metadataService_1.MetadataService.getStatement(aaguid);
+    const statement = await metadataService_js_1.MetadataService.getStatement(aaguid);
     if (statement) {
         try {
-            await (0, verifyAttestationWithMetadata_1.verifyAttestationWithMetadata)({
+            await (0, verifyAttestationWithMetadata_js_1.verifyAttestationWithMetadata)({
                 statement,
                 credentialPublicKey,
                 x5c,
@@ -229,7 +230,7 @@ async function verifyAttestationTPM(options) {
     else {
         try {
             // Try validating the certificate path using the root certificates set via SettingsService
-            await (0, validateCertificatePath_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM), rootCertificates);
+            await (0, validateCertificatePath_js_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_js_1.convertCertBufferToPEM), rootCertificates);
         }
         catch (err) {
             const _err = err;
@@ -238,7 +239,7 @@ async function verifyAttestationTPM(options) {
     }
     // Verify signature over certInfo with the public key extracted from AIK certificate.
     // In the wise words of Yuriy Ackermann: "Get Martini friend, you are done!"
-    return (0, verifySignature_1.verifySignature)({
+    return (0, verifySignature_js_1.verifySignature)({
         signature: sig,
         data: certInfo,
         x509Certificate: x5c[0],
@@ -284,8 +285,8 @@ function getTcgAtTpmValues(root) {
      *
      * Both structures have been seen in the wild and need to be supported
      */
-    root.forEach(relName => {
-        relName.forEach(attr => {
+    root.forEach((relName) => {
+        relName.forEach((attr) => {
             if (attr.type === oidManufacturer) {
                 tcgAtTpmManufacturer = attr.value.toString();
             }
@@ -314,14 +315,13 @@ function getTcgAtTpmValues(root) {
  */
 function attestedNameAlgToCOSEAlg(alg) {
     if (alg === 'TPM_ALG_SHA256') {
-        return cose_1.COSEALG.ES256;
+        return cose_js_1.COSEALG.ES256;
     }
     else if (alg === 'TPM_ALG_SHA384') {
-        return cose_1.COSEALG.ES384;
+        return cose_js_1.COSEALG.ES384;
     }
     else if (alg === 'TPM_ALG_SHA512') {
-        return cose_1.COSEALG.ES512;
+        return cose_js_1.COSEALG.ES512;
     }
     throw new Error(`Unexpected TPM attested name alg ${alg}`);
 }
-//# sourceMappingURL=verifyAttestationTPM.js.map

package/script/registration/verifications/verifyAttestationAndroidKey.d.ts

@@ -0,0 +1,5 @@
+import type { AttestationFormatVerifierOpts } from '../verifyRegistrationResponse.js';
+/**
+ * Verify an attestation response with fmt 'android-key'
+ */
+export declare function verifyAttestationAndroidKey(options: AttestationFormatVerifierOpts): Promise<boolean>;

package/{dist → script}/registration/verifications/verifyAttestationAndroidKey.js

@@ -1,23 +1,20 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.verifyAttestationAndroidKey = void 0;
-const asn1_schema_1 = require("@peculiar/asn1-schema");
-const asn1_x509_1 = require("@peculiar/asn1-x509");
-const asn1_android_1 = require("@peculiar/asn1-android");
-const convertCertBufferToPEM_1 = require("../../helpers/convertCertBufferToPEM");
-const validateCertificatePath_1 = require("../../helpers/validateCertificatePath");
-const verifySignature_1 = require("../../helpers/verifySignature");
-const convertCOSEtoPKCS_1 = require("../../helpers/convertCOSEtoPKCS");
-const cose_1 = require("../../helpers/cose");
-const iso_1 = require("../../helpers/iso");
-const metadataService_1 = require("../../services/metadataService");
-const verifyAttestationWithMetadata_1 = require("../../metadata/verifyAttestationWithMetadata");
+const deps_js_1 = require("../../deps.js");
+const convertCertBufferToPEM_js_1 = require("../../helpers/convertCertBufferToPEM.js");
+const validateCertificatePath_js_1 = require("../../helpers/validateCertificatePath.js");
+const verifySignature_js_1 = require("../../helpers/verifySignature.js");
+const convertCOSEtoPKCS_js_1 = require("../../helpers/convertCOSEtoPKCS.js");
+const cose_js_1 = require("../../helpers/cose.js");
+const index_js_1 = require("../../helpers/iso/index.js");
+const metadataService_js_1 = require("../../services/metadataService.js");
+const verifyAttestationWithMetadata_js_1 = require("../../metadata/verifyAttestationWithMetadata.js");
 /**
  * Verify an attestation response with fmt 'android-key'
  */
 async function verifyAttestationAndroidKey(options) {
-    var _a;
-    const { authData, clientDataHash, attStmt, credentialPublicKey, aaguid, rootCertificates } = options;
+    const { authData, clientDataHash, attStmt, credentialPublicKey, aaguid, rootCertificates, } = options;
     const x5c = attStmt.get('x5c');
     const sig = attStmt.get('sig');
     const alg = attStmt.get('alg');
@@ -30,27 +27,27 @@ async function verifyAttestationAndroidKey(options) {
     if (!alg) {
         throw new Error(`Attestation statement did not contain alg (AndroidKey)`);
     }
-    if (!(0, cose_1.isCOSEAlg)(alg)) {
+    if (!(0, cose_js_1.isCOSEAlg)(alg)) {
         throw new Error(`Attestation statement contained invalid alg ${alg} (AndroidKey)`);
     }
     // Check that credentialPublicKey matches the public key in the attestation certificate
     // Find the public cert in the certificate as PKCS
-    const parsedCert = asn1_schema_1.AsnParser.parse(x5c[0], asn1_x509_1.Certificate);
+    const parsedCert = deps_js_1.AsnParser.parse(x5c[0], deps_js_1.Certificate);
     const parsedCertPubKey = new Uint8Array(parsedCert.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey);
     // Convert the credentialPublicKey to PKCS
-    const credPubKeyPKCS = (0, convertCOSEtoPKCS_1.convertCOSEtoPKCS)(credentialPublicKey);
-    if (!iso_1.isoUint8Array.areEqual(credPubKeyPKCS, parsedCertPubKey)) {
+    const credPubKeyPKCS = (0, convertCOSEtoPKCS_js_1.convertCOSEtoPKCS)(credentialPublicKey);
+    if (!index_js_1.isoUint8Array.areEqual(credPubKeyPKCS, parsedCertPubKey)) {
         throw new Error('Credential public key does not equal leaf cert public key (AndroidKey)');
     }
     // Find Android KeyStore Extension in certificate extensions
-    const extKeyStore = (_a = parsedCert.tbsCertificate.extensions) === null || _a === void 0 ? void 0 : _a.find(ext => ext.extnID === asn1_android_1.id_ce_keyDescription);
+    const extKeyStore = parsedCert.tbsCertificate.extensions?.find((ext) => ext.extnID === deps_js_1.id_ce_keyDescription);
     if (!extKeyStore) {
         throw new Error('Certificate did not contain extKeyStore (AndroidKey)');
     }
-    const parsedExtKeyStore = asn1_schema_1.AsnParser.parse(extKeyStore.extnValue, asn1_android_1.KeyDescription);
+    const parsedExtKeyStore = deps_js_1.AsnParser.parse(extKeyStore.extnValue, deps_js_1.KeyDescription);
     // Verify extKeyStore values
     const { attestationChallenge, teeEnforced, softwareEnforced } = parsedExtKeyStore;
-    if (!iso_1.isoUint8Array.areEqual(new Uint8Array(attestationChallenge.buffer), clientDataHash)) {
+    if (!index_js_1.isoUint8Array.areEqual(new Uint8Array(attestationChallenge.buffer), clientDataHash)) {
         throw new Error('Attestation challenge was not equal to client data hash (AndroidKey)');
     }
     // Ensure that the key is strictly bound to the caller app identifier (shouldn't contain the
@@ -61,10 +58,10 @@ async function verifyAttestationAndroidKey(options) {
     if (softwareEnforced.allApplications !== undefined) {
         throw new Error('teeEnforced contained "allApplications [600]" tag (AndroidKey)');
     }
-    const statement = await metadataService_1.MetadataService.getStatement(aaguid);
+    const statement = await metadataService_js_1.MetadataService.getStatement(aaguid);
     if (statement) {
         try {
-            await (0, verifyAttestationWithMetadata_1.verifyAttestationWithMetadata)({
+            await (0, verifyAttestationWithMetadata_js_1.verifyAttestationWithMetadata)({
                 statement,
                 credentialPublicKey,
                 x5c,
@@ -79,15 +76,15 @@ async function verifyAttestationAndroidKey(options) {
     else {
         try {
             // Try validating the certificate path using the root certificates set via SettingsService
-            await (0, validateCertificatePath_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_1.convertCertBufferToPEM), rootCertificates);
+            await (0, validateCertificatePath_js_1.validateCertificatePath)(x5c.map(convertCertBufferToPEM_js_1.convertCertBufferToPEM), rootCertificates);
         }
         catch (err) {
             const _err = err;
             throw new Error(`${_err.message} (AndroidKey)`);
         }
     }
-    const signatureBase = iso_1.isoUint8Array.concat([authData, clientDataHash]);
-    return (0, verifySignature_1.verifySignature)({
+    const signatureBase = index_js_1.isoUint8Array.concat([authData, clientDataHash]);
+    return (0, verifySignature_js_1.verifySignature)({
         signature: sig,
         data: signatureBase,
         x509Certificate: x5c[0],
@@ -95,4 +92,3 @@ async function verifyAttestationAndroidKey(options) {
     });
 }
 exports.verifyAttestationAndroidKey = verifyAttestationAndroidKey;
-//# sourceMappingURL=verifyAttestationAndroidKey.js.map

package/script/registration/verifications/verifyAttestationAndroidSafetyNet.d.ts

@@ -0,0 +1,5 @@
+import type { AttestationFormatVerifierOpts } from '../verifyRegistrationResponse.js';
+/**
+ * Verify an attestation response with fmt 'android-safetynet'
+ */
+export declare function verifyAttestationAndroidSafetyNet(options: AttestationFormatVerifierOpts): Promise<boolean>;