npm - @simplewebauthn/server - Versions diffs - 8.2.0 → 8.3.3 - Mend

@simplewebauthn/server 8.2.0 → 8.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/esm/deps.d.ts +1 -1
package/esm/deps.js +1 -1
package/esm/helpers/parseAuthenticatorData.js +7 -0
package/package.json +2 -2
package/script/deps.d.ts +1 -1
package/script/deps.js +1 -1
package/script/helpers/parseAuthenticatorData.js +7 -0

package/esm/deps.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 export type { AttestationConveyancePreference, AuthenticationExtensionsClientInputs, AuthenticationResponseJSON, AuthenticatorDevice, AuthenticatorSelectionCriteria, Base64URLString, COSEAlgorithmIdentifier, CredentialDeviceType, Crypto, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialParameters, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON, UserVerificationRequirement, } from '@simplewebauthn/typescript-types';
-export * as cborx from 'cbor-x';
+export * as cborx from 'cbor-x/encode';
 export { default as base64 } from '@hexagon/base64';
 export { fetch as crossFetch } from 'cross-fetch';
 export { AsnParser, AsnSerializer } from '@peculiar/asn1-schema';

package/esm/deps.js CHANGED Viewed

@@ -1,5 +1,5 @@
 // cbor (a.k.a. cbor-x in Node land)
-export * as cborx from 'cbor-x';
+export * as cborx from 'cbor-x/encode';
 // b64 (a.k.a. @hexagon/base64 in Node land)
 export { default as base64 } from '@hexagon/base64';
 // cross-fetch

package/esm/helpers/parseAuthenticatorData.js CHANGED Viewed

@@ -46,13 +46,20 @@ export function parseAuthenticatorData(authData) {
         // Bytes decode to `{ 1: "OKP", 3: -8, -1: "Ed25519" }` (it's missing key -2 a.k.a. COSEKEYS.x)
         const badEdDSACBOR = isoUint8Array.fromHex('a301634f4b500327206745643235353139');
         const bytesAtCurrentPosition = authData.slice(pointer, pointer + badEdDSACBOR.byteLength);
+        let foundBadCBOR = false;
         if (isoUint8Array.areEqual(badEdDSACBOR, bytesAtCurrentPosition)) {
             // Change the bad CBOR 0xa3 to 0xa4 so that the credential public key can be recognized
+            foundBadCBOR = true;
             authData[pointer] = 0xa4;
         }
         // Decode the next CBOR item in the buffer, then re-encode it back to a Buffer
         const firstDecoded = isoCBOR.decodeFirst(authData.slice(pointer));
         const firstEncoded = Uint8Array.from(isoCBOR.encode(firstDecoded));
+        if (foundBadCBOR) {
+            // Restore the bit we changed so that `authData` is the same as it came in and won't break
+            // signature verification.
+            authData[pointer] = 0xa3;
+        }
         credentialPublicKey = firstEncoded;
         pointer += firstEncoded.byteLength;
     }

package/package.json CHANGED Viewed

@@ -2,7 +2,7 @@
   "module": "./esm/index.js",
   "main": "./script/index.js",
   "name": "@simplewebauthn/server",
-  "version": "8.2.0",
+  "version": "8.3.3",
   "description": "SimpleWebAuthn for Servers",
   "license": "MIT",
   "author": "Matthew Miller <matthew@millerti.me>",
@@ -55,7 +55,7 @@
     "@peculiar/asn1-rsa": "^2.3.6",
     "@peculiar/asn1-schema": "^2.3.6",
     "@peculiar/asn1-x509": "^2.3.6",
-    "@simplewebauthn/typescript-types": "^8.0.0",
+    "@simplewebauthn/typescript-types": "^8.3.3",
     "cbor-x": "^1.5.2",
     "cross-fetch": "^4.0.0"
   },

package/script/deps.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 export type { AttestationConveyancePreference, AuthenticationExtensionsClientInputs, AuthenticationResponseJSON, AuthenticatorDevice, AuthenticatorSelectionCriteria, Base64URLString, COSEAlgorithmIdentifier, CredentialDeviceType, Crypto, PublicKeyCredentialCreationOptionsJSON, PublicKeyCredentialDescriptorFuture, PublicKeyCredentialParameters, PublicKeyCredentialRequestOptionsJSON, RegistrationResponseJSON, UserVerificationRequirement, } from '@simplewebauthn/typescript-types';
-export * as cborx from 'cbor-x';
+export * as cborx from 'cbor-x/encode';
 export { default as base64 } from '@hexagon/base64';
 export { fetch as crossFetch } from 'cross-fetch';
 export { AsnParser, AsnSerializer } from '@peculiar/asn1-schema';

package/script/deps.js CHANGED Viewed

@@ -28,7 +28,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.KeyDescription = exports.id_ce_keyDescription = exports.RSAPublicKey = exports.id_secp384r1 = exports.id_secp256r1 = exports.id_ecPublicKey = exports.ECParameters = exports.ECDSASigValue = exports.SubjectKeyIdentifier = exports.SubjectAlternativeName = exports.Name = exports.id_ce_subjectKeyIdentifier = exports.id_ce_subjectAltName = exports.id_ce_extKeyUsage = exports.id_ce_cRLDistributionPoints = exports.id_ce_basicConstraints = exports.id_ce_authorityKeyIdentifier = exports.ExtendedKeyUsage = exports.CRLDistributionPoints = exports.CertificateList = exports.Certificate = exports.BasicConstraints = exports.AuthorityKeyIdentifier = exports.AsnSerializer = exports.AsnParser = exports.crossFetch = exports.base64 = exports.cborx = void 0;
 // cbor (a.k.a. cbor-x in Node land)
-exports.cborx = __importStar(require("cbor-x"));
+exports.cborx = __importStar(require("cbor-x/encode"));
 // b64 (a.k.a. @hexagon/base64 in Node land)
 var base64_1 = require("@hexagon/base64");
 Object.defineProperty(exports, "base64", { enumerable: true, get: function () { return __importDefault(base64_1).default; } });

package/script/helpers/parseAuthenticatorData.js CHANGED Viewed

@@ -49,13 +49,20 @@ function parseAuthenticatorData(authData) {
         // Bytes decode to `{ 1: "OKP", 3: -8, -1: "Ed25519" }` (it's missing key -2 a.k.a. COSEKEYS.x)
         const badEdDSACBOR = index_js_1.isoUint8Array.fromHex('a301634f4b500327206745643235353139');
         const bytesAtCurrentPosition = authData.slice(pointer, pointer + badEdDSACBOR.byteLength);
+        let foundBadCBOR = false;
         if (index_js_1.isoUint8Array.areEqual(badEdDSACBOR, bytesAtCurrentPosition)) {
             // Change the bad CBOR 0xa3 to 0xa4 so that the credential public key can be recognized
+            foundBadCBOR = true;
             authData[pointer] = 0xa4;
         }
         // Decode the next CBOR item in the buffer, then re-encode it back to a Buffer
         const firstDecoded = index_js_1.isoCBOR.decodeFirst(authData.slice(pointer));
         const firstEncoded = Uint8Array.from(index_js_1.isoCBOR.encode(firstDecoded));
+        if (foundBadCBOR) {
+            // Restore the bit we changed so that `authData` is the same as it came in and won't break
+            // signature verification.
+            authData[pointer] = 0xa3;
+        }
         credentialPublicKey = firstEncoded;
         pointer += firstEncoded.byteLength;
     }