@simplewebauthn/server 8.3.2 → 8.3.3

@@ -46,13 +46,20 @@ export function parseAuthenticatorData(authData) {
46
46
  // Bytes decode to `{ 1: "OKP", 3: -8, -1: "Ed25519" }` (it's missing key -2 a.k.a. COSEKEYS.x)
47
47
  const badEdDSACBOR = isoUint8Array.fromHex('a301634f4b500327206745643235353139');
48
48
  const bytesAtCurrentPosition = authData.slice(pointer, pointer + badEdDSACBOR.byteLength);
49
+ let foundBadCBOR = false;
49
50
  if (isoUint8Array.areEqual(badEdDSACBOR, bytesAtCurrentPosition)) {
50
51
  // Change the bad CBOR 0xa3 to 0xa4 so that the credential public key can be recognized
52
+ foundBadCBOR = true;
51
53
  authData[pointer] = 0xa4;
52
54
  }
53
55
  // Decode the next CBOR item in the buffer, then re-encode it back to a Buffer
54
56
  const firstDecoded = isoCBOR.decodeFirst(authData.slice(pointer));
55
57
  const firstEncoded = Uint8Array.from(isoCBOR.encode(firstDecoded));
58
+ if (foundBadCBOR) {
59
+ // Restore the bit we changed so that `authData` is the same as it came in and won't break
60
+ // signature verification.
61
+ authData[pointer] = 0xa3;
62
+ }
56
63
  credentialPublicKey = firstEncoded;
57
64
  pointer += firstEncoded.byteLength;
58
65
  }
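Review bot: The restore `authData[pointer] = 0xa3;` only runs when `isoCBOR.decodeFirst` and `isoCBOR.encode` both return, so if either throws on malformed credential data the caller's `authData` keeps the patched 0xa4 byte. A caller that catches the error and reuses the buffer would then hold bytes that differ from what the authenticator signed. Patching a copy avoids writing to the input at all: `const remaining = Uint8Array.from(authData.slice(pointer));`, `if (foundBadCBOR) remaining[0] = 0xa4;`, `const firstDecoded = isoCBOR.decodeFirst(remaining);`. The same applies to the identical hunk for the `index_js_1` build further down the page, and the new comment says "bit" where a whole byte is restored. parseAuthenticatorData starts before and continues past this hunk.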
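--- a/package/package.json
+++ b/package/package.json
@@ -2,7 +2,7 @@
  "module": "./esm/index.js",
  "main": "./script/index.js",
  "name": "@simplewebauthn/server",
- "version": "8.3.2",
+ "version": "8.3.3",
  "description": "SimpleWebAuthn for Servers",
  "license": "MIT",
  "author": "Matthew Miller <matthew@millerti.me>",
@@ -55,7 +55,7 @@
  "@peculiar/asn1-rsa": "^2.3.6",
  "@peculiar/asn1-schema": "^2.3.6",
  "@peculiar/asn1-x509": "^2.3.6",
- "@simplewebauthn/typescript-types": "^8.0.0",
+ "@simplewebauthn/typescript-types": "^8.3.3",
  "cbor-x": "^1.5.2",
  "cross-fetch": "^4.0.0"
  },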
@@ -49,13 +49,20 @@ function parseAuthenticatorData(authData) {
49
49
  // Bytes decode to `{ 1: "OKP", 3: -8, -1: "Ed25519" }` (it's missing key -2 a.k.a. COSEKEYS.x)
50
50
  const badEdDSACBOR = index_js_1.isoUint8Array.fromHex('a301634f4b500327206745643235353139');
51
51
  const bytesAtCurrentPosition = authData.slice(pointer, pointer + badEdDSACBOR.byteLength);
52
+ let foundBadCBOR = false;
52
53
  if (index_js_1.isoUint8Array.areEqual(badEdDSACBOR, bytesAtCurrentPosition)) {
53
54
  // Change the bad CBOR 0xa3 to 0xa4 so that the credential public key can be recognized
55
+ foundBadCBOR = true;
54
56
  authData[pointer] = 0xa4;
55
57
  }
56
58
  // Decode the next CBOR item in the buffer, then re-encode it back to a Buffer
57
59
  const firstDecoded = index_js_1.isoCBOR.decodeFirst(authData.slice(pointer));
58
60
  const firstEncoded = Uint8Array.from(index_js_1.isoCBOR.encode(firstDecoded));
61
+ if (foundBadCBOR) {
62
+ // Restore the bit we changed so that `authData` is the same as it came in and won't break
63
+ // signature verification.
64
+ authData[pointer] = 0xa3;
65
+ }
59
66
  credentialPublicKey = firstEncoded;
60
67
  pointer += firstEncoded.byteLength;
61
68
  }