@simplewebauthn/server 7.4.0 → 8.0.0

package/esm/registration/verifications/verifyAttestationAndroidKey.js

@@ -0,0 +1,90 @@
+import { AsnParser, Certificate, id_ce_keyDescription, KeyDescription } from '../../deps.js';
+import { convertCertBufferToPEM } from '../../helpers/convertCertBufferToPEM.js';
+import { validateCertificatePath } from '../../helpers/validateCertificatePath.js';
+import { verifySignature } from '../../helpers/verifySignature.js';
+import { convertCOSEtoPKCS } from '../../helpers/convertCOSEtoPKCS.js';
+import { isCOSEAlg } from '../../helpers/cose.js';
+import { isoUint8Array } from '../../helpers/iso/index.js';
+import { MetadataService } from '../../services/metadataService.js';
+import { verifyAttestationWithMetadata } from '../../metadata/verifyAttestationWithMetadata.js';
+/**
+ * Verify an attestation response with fmt 'android-key'
+ */
+export async function verifyAttestationAndroidKey(options) {
+    const { authData, clientDataHash, attStmt, credentialPublicKey, aaguid, rootCertificates, } = options;
+    const x5c = attStmt.get('x5c');
+    const sig = attStmt.get('sig');
+    const alg = attStmt.get('alg');
+    if (!x5c) {
+        throw new Error('No attestation certificate provided in attestation statement (AndroidKey)');
+    }
+    if (!sig) {
+        throw new Error('No attestation signature provided in attestation statement (AndroidKey)');
+    }
+    if (!alg) {
+        throw new Error(`Attestation statement did not contain alg (AndroidKey)`);
+    }
+    if (!isCOSEAlg(alg)) {
+        throw new Error(`Attestation statement contained invalid alg ${alg} (AndroidKey)`);
+    }
+    // Check that credentialPublicKey matches the public key in the attestation certificate
+    // Find the public cert in the certificate as PKCS
+    const parsedCert = AsnParser.parse(x5c[0], Certificate);
+    const parsedCertPubKey = new Uint8Array(parsedCert.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey);
+    // Convert the credentialPublicKey to PKCS
+    const credPubKeyPKCS = convertCOSEtoPKCS(credentialPublicKey);
+    if (!isoUint8Array.areEqual(credPubKeyPKCS, parsedCertPubKey)) {
+        throw new Error('Credential public key does not equal leaf cert public key (AndroidKey)');
+    }
+    // Find Android KeyStore Extension in certificate extensions
+    const extKeyStore = parsedCert.tbsCertificate.extensions?.find((ext) => ext.extnID === id_ce_keyDescription);
+    if (!extKeyStore) {
+        throw new Error('Certificate did not contain extKeyStore (AndroidKey)');
+    }
+    const parsedExtKeyStore = AsnParser.parse(extKeyStore.extnValue, KeyDescription);
+    // Verify extKeyStore values
+    const { attestationChallenge, teeEnforced, softwareEnforced } = parsedExtKeyStore;
+    if (!isoUint8Array.areEqual(new Uint8Array(attestationChallenge.buffer), clientDataHash)) {
+        throw new Error('Attestation challenge was not equal to client data hash (AndroidKey)');
+    }
+    // Ensure that the key is strictly bound to the caller app identifier (shouldn't contain the
+    // [600] tag)
+    if (teeEnforced.allApplications !== undefined) {
+        throw new Error('teeEnforced contained "allApplications [600]" tag (AndroidKey)');
+    }
+    if (softwareEnforced.allApplications !== undefined) {
+        throw new Error('teeEnforced contained "allApplications [600]" tag (AndroidKey)');
+    }
+    const statement = await MetadataService.getStatement(aaguid);
+    if (statement) {
+        try {
+            await verifyAttestationWithMetadata({
+                statement,
+                credentialPublicKey,
+                x5c,
+                attestationStatementAlg: alg,
+            });
+        }
+        catch (err) {
+            const _err = err;
+            throw new Error(`${_err.message} (AndroidKey)`);
+        }
+    }
+    else {
+        try {
+            // Try validating the certificate path using the root certificates set via SettingsService
+            await validateCertificatePath(x5c.map(convertCertBufferToPEM), rootCertificates);
+        }
+        catch (err) {
+            const _err = err;
+            throw new Error(`${_err.message} (AndroidKey)`);
+        }
+    }
+    const signatureBase = isoUint8Array.concat([authData, clientDataHash]);
+    return verifySignature({
+        signature: sig,
+        data: signatureBase,
+        x509Certificate: x5c[0],
+        hashAlgorithm: alg,
+    });
+}

package/{dist → esm}/registration/verifications/verifyAttestationAndroidSafetyNet.d.ts

@@ -1,4 +1,4 @@
-import type { AttestationFormatVerifierOpts } from '../verifyRegistrationResponse';
+import type { AttestationFormatVerifierOpts } from '../verifyRegistrationResponse.js';
 /**
  * Verify an attestation response with fmt 'android-safetynet'
  */

package/esm/registration/verifications/verifyAttestationAndroidSafetyNet.js

@@ -0,0 +1,112 @@
+import { toHash } from '../../helpers/toHash.js';
+import { verifySignature } from '../../helpers/verifySignature.js';
+import { getCertificateInfo } from '../../helpers/getCertificateInfo.js';
+import { validateCertificatePath } from '../../helpers/validateCertificatePath.js';
+import { convertCertBufferToPEM } from '../../helpers/convertCertBufferToPEM.js';
+import { isoBase64URL, isoUint8Array } from '../../helpers/iso/index.js';
+import { MetadataService } from '../../services/metadataService.js';
+import { verifyAttestationWithMetadata } from '../../metadata/verifyAttestationWithMetadata.js';
+/**
+ * Verify an attestation response with fmt 'android-safetynet'
+ */
+export async function verifyAttestationAndroidSafetyNet(options) {
+    const { attStmt, clientDataHash, authData, aaguid, rootCertificates, verifyTimestampMS = true, credentialPublicKey, } = options;
+    const alg = attStmt.get('alg');
+    const response = attStmt.get('response');
+    const ver = attStmt.get('ver');
+    if (!ver) {
+        throw new Error('No ver value in attestation (SafetyNet)');
+    }
+    if (!response) {
+        throw new Error('No response was included in attStmt by authenticator (SafetyNet)');
+    }
+    // Prepare to verify a JWT
+    const jwt = isoUint8Array.toUTF8String(response);
+    const jwtParts = jwt.split('.');
+    const HEADER = JSON.parse(isoBase64URL.toString(jwtParts[0]));
+    const PAYLOAD = JSON.parse(isoBase64URL.toString(jwtParts[1]));
+    const SIGNATURE = jwtParts[2];
+    /**
+     * START Verify PAYLOAD
+     */
+    const { nonce, ctsProfileMatch, timestampMs } = PAYLOAD;
+    if (verifyTimestampMS) {
+        // Make sure timestamp is in the past
+        let now = Date.now();
+        if (timestampMs > Date.now()) {
+            throw new Error(`Payload timestamp "${timestampMs}" was later than "${now}" (SafetyNet)`);
+        }
+        // Consider a SafetyNet attestation valid within a minute of it being performed
+        const timestampPlusDelay = timestampMs + 60 * 1000;
+        now = Date.now();
+        if (timestampPlusDelay < now) {
+            throw new Error(`Payload timestamp "${timestampPlusDelay}" has expired (SafetyNet)`);
+        }
+    }
+    const nonceBase = isoUint8Array.concat([authData, clientDataHash]);
+    const nonceBuffer = await toHash(nonceBase);
+    const expectedNonce = isoBase64URL.fromBuffer(nonceBuffer, 'base64');
+    if (nonce !== expectedNonce) {
+        throw new Error('Could not verify payload nonce (SafetyNet)');
+    }
+    if (!ctsProfileMatch) {
+        throw new Error('Could not verify device integrity (SafetyNet)');
+    }
+    /**
+     * END Verify PAYLOAD
+     */
+    /**
+     * START Verify Header
+     */
+    // `HEADER.x5c[0]` is definitely a base64 string
+    const leafCertBuffer = isoBase64URL.toBuffer(HEADER.x5c[0], 'base64');
+    const leafCertInfo = getCertificateInfo(leafCertBuffer);
+    const { subject } = leafCertInfo;
+    // Ensure the certificate was issued to this hostname
+    // See https://developer.android.com/training/safetynet/attestation#verify-attestation-response
+    if (subject.CN !== 'attest.android.com') {
+        throw new Error('Certificate common name was not "attest.android.com" (SafetyNet)');
+    }
+    const statement = await MetadataService.getStatement(aaguid);
+    if (statement) {
+        try {
+            await verifyAttestationWithMetadata({
+                statement,
+                credentialPublicKey,
+                x5c: HEADER.x5c,
+                attestationStatementAlg: alg,
+            });
+        }
+        catch (err) {
+            const _err = err;
+            throw new Error(`${_err.message} (SafetyNet)`);
+        }
+    }
+    else {
+        try {
+            // Try validating the certificate path using the root certificates set via SettingsService
+            await validateCertificatePath(HEADER.x5c.map(convertCertBufferToPEM), rootCertificates);
+        }
+        catch (err) {
+            const _err = err;
+            throw new Error(`${_err.message} (SafetyNet)`);
+        }
+    }
+    /**
+     * END Verify Header
+     */
+    /**
+     * START Verify Signature
+     */
+    const signatureBaseBuffer = isoUint8Array.fromUTF8String(`${jwtParts[0]}.${jwtParts[1]}`);
+    const signatureBuffer = isoBase64URL.toBuffer(SIGNATURE);
+    const verified = await verifySignature({
+        signature: signatureBuffer,
+        data: signatureBaseBuffer,
+        x509Certificate: leafCertBuffer,
+    });
+    /**
+     * END Verify Signature
+     */
+    return verified;
+}

package/{dist → esm}/registration/verifications/verifyAttestationApple.d.ts

@@ -1,2 +1,2 @@
-import type { AttestationFormatVerifierOpts } from '../verifyRegistrationResponse';
+import type { AttestationFormatVerifierOpts } from '../verifyRegistrationResponse.js';
 export declare function verifyAttestationApple(options: AttestationFormatVerifierOpts): Promise<boolean>;

package/esm/registration/verifications/verifyAttestationApple.js

@@ -0,0 +1,57 @@
+import { AsnParser, Certificate } from '../../deps.js';
+import { validateCertificatePath } from '../../helpers/validateCertificatePath.js';
+import { convertCertBufferToPEM } from '../../helpers/convertCertBufferToPEM.js';
+import { toHash } from '../../helpers/toHash.js';
+import { convertCOSEtoPKCS } from '../../helpers/convertCOSEtoPKCS.js';
+import { isoUint8Array } from '../../helpers/iso/index.js';
+export async function verifyAttestationApple(options) {
+    const { attStmt, authData, clientDataHash, credentialPublicKey, rootCertificates, } = options;
+    const x5c = attStmt.get('x5c');
+    if (!x5c) {
+        throw new Error('No attestation certificate provided in attestation statement (Apple)');
+    }
+    /**
+     * Verify certificate path
+     */
+    try {
+        await validateCertificatePath(x5c.map(convertCertBufferToPEM), rootCertificates);
+    }
+    catch (err) {
+        const _err = err;
+        throw new Error(`${_err.message} (Apple)`);
+    }
+    /**
+     * Compare nonce in certificate extension to computed nonce
+     */
+    const parsedCredCert = AsnParser.parse(x5c[0], Certificate);
+    const { extensions, subjectPublicKeyInfo } = parsedCredCert.tbsCertificate;
+    if (!extensions) {
+        throw new Error('credCert missing extensions (Apple)');
+    }
+    const extCertNonce = extensions.find((ext) => ext.extnID === '1.2.840.113635.100.8.2');
+    if (!extCertNonce) {
+        throw new Error('credCert missing "1.2.840.113635.100.8.2" extension (Apple)');
+    }
+    const nonceToHash = isoUint8Array.concat([authData, clientDataHash]);
+    const nonce = await toHash(nonceToHash);
+    /**
+     * Ignore the first six ASN.1 structure bytes that define the nonce as an OCTET STRING. Should
+     * trim off <Buffer 30 24 a1 22 04 20>
+     *
+     * TODO: Try and get @peculiar (GitHub) to add a schema for "1.2.840.113635.100.8.2" when we
+     * find out where it's defined (doesn't seem to be publicly documented at the moment...)
+     */
+    const extNonce = new Uint8Array(extCertNonce.extnValue.buffer).slice(6);
+    if (!isoUint8Array.areEqual(nonce, extNonce)) {
+        throw new Error(`credCert nonce was not expected value (Apple)`);
+    }
+    /**
+     * Verify credential public key matches the Subject Public Key of credCert
+     */
+    const credPubKeyPKCS = convertCOSEtoPKCS(credentialPublicKey);
+    const credCertSubjectPublicKey = new Uint8Array(subjectPublicKeyInfo.subjectPublicKey);
+    if (!isoUint8Array.areEqual(credPubKeyPKCS, credCertSubjectPublicKey)) {
+        throw new Error('Credential public key does not equal credCert public key (Apple)');
+    }
+    return true;
+}

package/{dist → esm}/registration/verifications/verifyAttestationFIDOU2F.d.ts

@@ -1,4 +1,4 @@
-import type { AttestationFormatVerifierOpts } from '../verifyRegistrationResponse';
+import type { AttestationFormatVerifierOpts } from '../verifyRegistrationResponse.js';
 /**
  * Verify an attestation response with fmt 'fido-u2f'
  */

package/esm/registration/verifications/verifyAttestationFIDOU2F.js

@@ -0,0 +1,48 @@
+import { convertCOSEtoPKCS } from '../../helpers/convertCOSEtoPKCS.js';
+import { convertCertBufferToPEM } from '../../helpers/convertCertBufferToPEM.js';
+import { validateCertificatePath } from '../../helpers/validateCertificatePath.js';
+import { verifySignature } from '../../helpers/verifySignature.js';
+import { isoUint8Array } from '../../helpers/iso/index.js';
+import { COSEALG } from '../../helpers/cose.js';
+/**
+ * Verify an attestation response with fmt 'fido-u2f'
+ */
+export async function verifyAttestationFIDOU2F(options) {
+    const { attStmt, clientDataHash, rpIdHash, credentialID, credentialPublicKey, aaguid, rootCertificates, } = options;
+    const reservedByte = Uint8Array.from([0x00]);
+    const publicKey = convertCOSEtoPKCS(credentialPublicKey);
+    const signatureBase = isoUint8Array.concat([
+        reservedByte,
+        rpIdHash,
+        clientDataHash,
+        credentialID,
+        publicKey,
+    ]);
+    const sig = attStmt.get('sig');
+    const x5c = attStmt.get('x5c');
+    if (!x5c) {
+        throw new Error('No attestation certificate provided in attestation statement (FIDOU2F)');
+    }
+    if (!sig) {
+        throw new Error('No attestation signature provided in attestation statement (FIDOU2F)');
+    }
+    // FIDO spec says that aaguid _must_ equal 0x00 here to be legit
+    const aaguidToHex = Number.parseInt(isoUint8Array.toHex(aaguid), 16);
+    if (aaguidToHex !== 0x00) {
+        throw new Error(`AAGUID "${aaguidToHex}" was not expected value`);
+    }
+    try {
+        // Try validating the certificate path using the root certificates set via SettingsService
+        await validateCertificatePath(x5c.map(convertCertBufferToPEM), rootCertificates);
+    }
+    catch (err) {
+        const _err = err;
+        throw new Error(`${_err.message} (FIDOU2F)`);
+    }
+    return verifySignature({
+        signature: sig,
+        data: signatureBase,
+        x509Certificate: x5c[0],
+        hashAlgorithm: COSEALG.ES256,
+    });
+}

package/{dist → esm}/registration/verifications/verifyAttestationPacked.d.ts

@@ -1,4 +1,4 @@
-import type { AttestationFormatVerifierOpts } from '../verifyRegistrationResponse';
+import type { AttestationFormatVerifierOpts } from '../verifyRegistrationResponse.js';
 /**
  * Verify an attestation response with fmt 'packed'
  */

package/esm/registration/verifications/verifyAttestationPacked.js

@@ -0,0 +1,105 @@
+import { isCOSEAlg } from '../../helpers/cose.js';
+import { convertCertBufferToPEM } from '../../helpers/convertCertBufferToPEM.js';
+import { validateCertificatePath } from '../../helpers/validateCertificatePath.js';
+import { getCertificateInfo } from '../../helpers/getCertificateInfo.js';
+import { verifySignature } from '../../helpers/verifySignature.js';
+import { isoUint8Array } from '../../helpers/iso/index.js';
+import { MetadataService } from '../../services/metadataService.js';
+import { verifyAttestationWithMetadata } from '../../metadata/verifyAttestationWithMetadata.js';
+/**
+ * Verify an attestation response with fmt 'packed'
+ */
+export async function verifyAttestationPacked(options) {
+    const { attStmt, clientDataHash, authData, credentialPublicKey, aaguid, rootCertificates, } = options;
+    const sig = attStmt.get('sig');
+    const x5c = attStmt.get('x5c');
+    const alg = attStmt.get('alg');
+    if (!sig) {
+        throw new Error('No attestation signature provided in attestation statement (Packed)');
+    }
+    if (!alg) {
+        throw new Error('Attestation statement did not contain alg (Packed)');
+    }
+    if (!isCOSEAlg(alg)) {
+        throw new Error(`Attestation statement contained invalid alg ${alg} (Packed)`);
+    }
+    const signatureBase = isoUint8Array.concat([authData, clientDataHash]);
+    let verified = false;
+    if (x5c) {
+        const { subject, basicConstraintsCA, version, notBefore, notAfter } = getCertificateInfo(x5c[0]);
+        const { OU, CN, O, C } = subject;
+        if (OU !== 'Authenticator Attestation') {
+            throw new Error('Certificate OU was not "Authenticator Attestation" (Packed|Full)');
+        }
+        if (!CN) {
+            throw new Error('Certificate CN was empty (Packed|Full)');
+        }
+        if (!O) {
+            throw new Error('Certificate O was empty (Packed|Full)');
+        }
+        if (!C || C.length !== 2) {
+            throw new Error('Certificate C was not two-character ISO 3166 code (Packed|Full)');
+        }
+        if (basicConstraintsCA) {
+            throw new Error('Certificate basic constraints CA was not `false` (Packed|Full)');
+        }
+        if (version !== 2) {
+            throw new Error('Certificate version was not `3` (ASN.1 value of 2) (Packed|Full)');
+        }
+        let now = new Date();
+        if (notBefore > now) {
+            throw new Error(`Certificate not good before "${notBefore.toString()}" (Packed|Full)`);
+        }
+        now = new Date();
+        if (notAfter < now) {
+            throw new Error(`Certificate not good after "${notAfter.toString()}" (Packed|Full)`);
+        }
+        // TODO: If certificate contains id-fido-gen-ce-aaguid(1.3.6.1.4.1.45724.1.1.4) extension, check
+        // that it’s value is set to the same AAGUID as in authData.
+        // If available, validate attestation alg and x5c with info in the metadata statement
+        const statement = await MetadataService.getStatement(aaguid);
+        if (statement) {
+            // The presence of x5c means this is a full attestation. Check to see if attestationTypes
+            // includes packed attestations.
+            if (statement.attestationTypes.indexOf('basic_full') < 0) {
+                throw new Error('Metadata does not indicate support for full attestations (Packed|Full)');
+            }
+            try {
+                await verifyAttestationWithMetadata({
+                    statement,
+                    credentialPublicKey,
+                    x5c,
+                    attestationStatementAlg: alg,
+                });
+            }
+            catch (err) {
+                const _err = err;
+                throw new Error(`${_err.message} (Packed|Full)`);
+            }
+        }
+        else {
+            try {
+                // Try validating the certificate path using the root certificates set via SettingsService
+                await validateCertificatePath(x5c.map(convertCertBufferToPEM), rootCertificates);
+            }
+            catch (err) {
+                const _err = err;
+                throw new Error(`${_err.message} (Packed|Full)`);
+            }
+        }
+        verified = await verifySignature({
+            signature: sig,
+            data: signatureBase,
+            x509Certificate: x5c[0],
+        });
+    }
+    else {
+        verified = await verifySignature({
+            signature: sig,
+            data: signatureBase,
+            credentialPublicKey,
+            hashAlgorithm: alg,
+        });
+    }
+    return verified;
+}

package/{dist → esm}/registration/verifyRegistrationResponse.d.ts

@@ -1,6 +1,6 @@
-import { RegistrationResponseJSON, COSEAlgorithmIdentifier, CredentialDeviceType } from '@simplewebauthn/typescript-types';
-import { AttestationFormat, AttestationStatement } from '../helpers/decodeAttestationObject';
-import { AuthenticationExtensionsAuthenticatorOutputs } from '../helpers/decodeAuthenticatorExtensions';
+import type { COSEAlgorithmIdentifier, CredentialDeviceType, RegistrationResponseJSON } from '../deps.js';
+import { AttestationFormat, AttestationStatement } from '../helpers/decodeAttestationObject.js';
+import { AuthenticationExtensionsAuthenticatorOutputs } from '../helpers/decodeAuthenticatorExtensions.js';
 export type VerifyRegistrationResponseOpts = {
     response: RegistrationResponseJSON;
     expectedChallenge: string | ((challenge: string) => boolean);

package/esm/registration/verifyRegistrationResponse.js

@@ -0,0 +1,198 @@
+import { decodeAttestationObject, } from '../helpers/decodeAttestationObject.js';
+import { decodeClientDataJSON } from '../helpers/decodeClientDataJSON.js';
+import { parseAuthenticatorData } from '../helpers/parseAuthenticatorData.js';
+import { toHash } from '../helpers/toHash.js';
+import { decodeCredentialPublicKey } from '../helpers/decodeCredentialPublicKey.js';
+import { COSEKEYS } from '../helpers/cose.js';
+import { convertAAGUIDToString } from '../helpers/convertAAGUIDToString.js';
+import { parseBackupFlags } from '../helpers/parseBackupFlags.js';
+import { matchExpectedRPID } from '../helpers/matchExpectedRPID.js';
+import { isoBase64URL } from '../helpers/iso/index.js';
+import { SettingsService } from '../services/settingsService.js';
+import { supportedCOSEAlgorithmIdentifiers } from './generateRegistrationOptions.js';
+import { verifyAttestationFIDOU2F } from './verifications/verifyAttestationFIDOU2F.js';
+import { verifyAttestationPacked } from './verifications/verifyAttestationPacked.js';
+import { verifyAttestationAndroidSafetyNet } from './verifications/verifyAttestationAndroidSafetyNet.js';
+import { verifyAttestationTPM } from './verifications/tpm/verifyAttestationTPM.js';
+import { verifyAttestationAndroidKey } from './verifications/verifyAttestationAndroidKey.js';
+import { verifyAttestationApple } from './verifications/verifyAttestationApple.js';
+/**
+ * Verify that the user has legitimately completed the registration process
+ *
+ * **Options:**
+ *
+ * @param response Response returned by **@simplewebauthn/browser**'s `startAuthentication()`
+ * @param expectedChallenge The base64url-encoded `options.challenge` returned by
+ * `generateRegistrationOptions()`
+ * @param expectedOrigin Website URL (or array of URLs) that the registration should have occurred on
+ * @param expectedRPID RP ID (or array of IDs) that was specified in the registration options
+ * @param requireUserVerification (Optional) Enforce user verification by the authenticator
+ * (via PIN, fingerprint, etc...)
+ * @param supportedAlgorithmIDs Array of numeric COSE algorithm identifiers supported for
+ * attestation by this RP. See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+ */
+export async function verifyRegistrationResponse(options) {
+    const { response, expectedChallenge, expectedOrigin, expectedRPID, requireUserVerification = true, supportedAlgorithmIDs = supportedCOSEAlgorithmIdentifiers, } = options;
+    const { id, rawId, type: credentialType, response: attestationResponse } = response;
+    // Ensure credential specified an ID
+    if (!id) {
+        throw new Error('Missing credential ID');
+    }
+    // Ensure ID is base64url-encoded
+    if (id !== rawId) {
+        throw new Error('Credential ID was not base64url-encoded');
+    }
+    // Make sure credential type is public-key
+    if (credentialType !== 'public-key') {
+        throw new Error(`Unexpected credential type ${credentialType}, expected "public-key"`);
+    }
+    const clientDataJSON = decodeClientDataJSON(attestationResponse.clientDataJSON);
+    const { type, origin, challenge, tokenBinding } = clientDataJSON;
+    // Make sure we're handling an registration
+    if (type !== 'webauthn.create') {
+        throw new Error(`Unexpected registration response type: ${type}`);
+    }
+    // Ensure the device provided the challenge we gave it
+    if (typeof expectedChallenge === 'function') {
+        if (!expectedChallenge(challenge)) {
+            throw new Error(`Custom challenge verifier returned false for registration response challenge "${challenge}"`);
+        }
+    }
+    else if (challenge !== expectedChallenge) {
+        throw new Error(`Unexpected registration response challenge "${challenge}", expected "${expectedChallenge}"`);
+    }
+    // Check that the origin is our site
+    if (Array.isArray(expectedOrigin)) {
+        if (!expectedOrigin.includes(origin)) {
+            throw new Error(`Unexpected registration response origin "${origin}", expected one of: ${expectedOrigin.join(', ')}`);
+        }
+    }
+    else {
+        if (origin !== expectedOrigin) {
+            throw new Error(`Unexpected registration response origin "${origin}", expected "${expectedOrigin}"`);
+        }
+    }
+    if (tokenBinding) {
+        if (typeof tokenBinding !== 'object') {
+            throw new Error(`Unexpected value for TokenBinding "${tokenBinding}"`);
+        }
+        if (['present', 'supported', 'not-supported'].indexOf(tokenBinding.status) < 0) {
+            throw new Error(`Unexpected tokenBinding.status value of "${tokenBinding.status}"`);
+        }
+    }
+    const attestationObject = isoBase64URL.toBuffer(attestationResponse.attestationObject);
+    const decodedAttestationObject = decodeAttestationObject(attestationObject);
+    const fmt = decodedAttestationObject.get('fmt');
+    const authData = decodedAttestationObject.get('authData');
+    const attStmt = decodedAttestationObject.get('attStmt');
+    const parsedAuthData = parseAuthenticatorData(authData);
+    const { aaguid, rpIdHash, flags, credentialID, counter, credentialPublicKey, extensionsData, } = parsedAuthData;
+    // Make sure the response's RP ID is ours
+    let matchedRPID;
+    if (expectedRPID) {
+        let expectedRPIDs = [];
+        if (typeof expectedRPID === 'string') {
+            expectedRPIDs = [expectedRPID];
+        }
+        else {
+            expectedRPIDs = expectedRPID;
+        }
+        matchedRPID = await matchExpectedRPID(rpIdHash, expectedRPIDs);
+    }
+    // Make sure someone was physically present
+    if (!flags.up) {
+        throw new Error('User not present during registration');
+    }
+    // Enforce user verification if specified
+    if (requireUserVerification && !flags.uv) {
+        throw new Error('User verification required, but user could not be verified');
+    }
+    if (!credentialID) {
+        throw new Error('No credential ID was provided by authenticator');
+    }
+    if (!credentialPublicKey) {
+        throw new Error('No public key was provided by authenticator');
+    }
+    if (!aaguid) {
+        throw new Error('No AAGUID was present during registration');
+    }
+    const decodedPublicKey = decodeCredentialPublicKey(credentialPublicKey);
+    const alg = decodedPublicKey.get(COSEKEYS.alg);
+    if (typeof alg !== 'number') {
+        throw new Error('Credential public key was missing numeric alg');
+    }
+    // Make sure the key algorithm is one we specified within the registration options
+    if (!supportedAlgorithmIDs.includes(alg)) {
+        const supported = supportedAlgorithmIDs.join(', ');
+        throw new Error(`Unexpected public key alg "${alg}", expected one of "${supported}"`);
+    }
+    const clientDataHash = await toHash(isoBase64URL.toBuffer(attestationResponse.clientDataJSON));
+    const rootCertificates = SettingsService.getRootCertificates({
+        identifier: fmt,
+    });
+    // Prepare arguments to pass to the relevant verification method
+    const verifierOpts = {
+        aaguid,
+        attStmt,
+        authData,
+        clientDataHash,
+        credentialID,
+        credentialPublicKey,
+        rootCertificates,
+        rpIdHash,
+    };
+    /**
+     * Verification can only be performed when attestation = 'direct'
+     */
+    let verified = false;
+    if (fmt === 'fido-u2f') {
+        verified = await verifyAttestationFIDOU2F(verifierOpts);
+    }
+    else if (fmt === 'packed') {
+        verified = await verifyAttestationPacked(verifierOpts);
+    }
+    else if (fmt === 'android-safetynet') {
+        verified = await verifyAttestationAndroidSafetyNet(verifierOpts);
+    }
+    else if (fmt === 'android-key') {
+        verified = await verifyAttestationAndroidKey(verifierOpts);
+    }
+    else if (fmt === 'tpm') {
+        verified = await verifyAttestationTPM(verifierOpts);
+    }
+    else if (fmt === 'apple') {
+        verified = await verifyAttestationApple(verifierOpts);
+    }
+    else if (fmt === 'none') {
+        if (attStmt.size > 0) {
+            throw new Error('None attestation had unexpected attestation statement');
+        }
+        // This is the weaker of the attestations, so there's nothing else to really check
+        verified = true;
+    }
+    else {
+        throw new Error(`Unsupported Attestation Format: ${fmt}`);
+    }
+    const toReturn = {
+        verified,
+    };
+    if (toReturn.verified) {
+        const { credentialDeviceType, credentialBackedUp } = parseBackupFlags(flags);
+        toReturn.registrationInfo = {
+            fmt,
+            counter,
+            aaguid: convertAAGUIDToString(aaguid),
+            credentialID,
+            credentialPublicKey,
+            credentialType,
+            attestationObject,
+            userVerified: flags.uv,
+            credentialDeviceType,
+            credentialBackedUp,
+            origin: clientDataJSON.origin,
+            rpID: matchedRPID,
+            authenticatorExtensionResults: extensionsData,
+        };
+    }
+    return toReturn;
+}