ox 0.12.4 → 0.13.1

package/_esm/webauthn/Credential.js

@@ -0,0 +1,95 @@
+import * as Base64 from '../core/Base64.js';
+import * as PublicKey from '../core/PublicKey.js';
+import { base64UrlOptions, bufferSourceToBytes, bytesToArrayBuffer, responseKeys, } from './internal/utils.js';
+/**
+ * Serializes a credential into a JSON-serializable
+ * format.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration, Credential } from 'ox/webauthn'
+ *
+ * const credential = await Registration.create({ name: 'Example' })
+ *
+ * const serialized = Credential.serialize(credential) // [!code focus]
+ *
+ * // `serialized` is JSON-serializable — send it to a server, store it, etc.
+ * const json = JSON.stringify(serialized)
+ * ```
+ *
+ * @param credential - The credential to serialize.
+ * @returns The serialized credential.
+ */
+export function serialize(credential) {
+    const { attestationObject, clientDataJSON, id, publicKey, raw } = credential;
+    const response = {};
+    for (const key of responseKeys) {
+        const value = raw.response[key];
+        if (value instanceof ArrayBuffer)
+            response[key] = Base64.fromBytes(new Uint8Array(value), base64UrlOptions);
+    }
+    return {
+        attestationObject: Base64.fromBytes(new Uint8Array(attestationObject), base64UrlOptions),
+        clientDataJSON: Base64.fromBytes(new Uint8Array(clientDataJSON), base64UrlOptions),
+        id,
+        publicKey: PublicKey.toHex(publicKey),
+        raw: {
+            id: raw.id,
+            type: raw.type,
+            authenticatorAttachment: raw.authenticatorAttachment,
+            rawId: Base64.fromBytes(bufferSourceToBytes(raw.rawId), base64UrlOptions),
+            response: response,
+        },
+    };
+}
+/**
+ * Deserializes a serialized credential.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Credential } from 'ox/webauthn'
+ *
+ * const credential = Credential.deserialize({ // [!code focus]
+ *   attestationObject: 'o2NmbXRkbm9uZQ...', // [!code focus]
+ *   clientDataJSON: 'eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0', // [!code focus]
+ *   id: 'm1-bMPuAqpWhCxHZQZTT6e-lSPntQbh3opIoGe7g4Qs', // [!code focus]
+ *   publicKey: '0x04ab891400140fc4f8e941ce0ff90e419de9470acaca613bbd717a4775435031a7d884318e919fd3b3e5a631d866d8a380b44063e70f0c381ee16e0652f7f97554', // [!code focus]
+ *   raw: { // [!code focus]
+ *     id: 'm1-bMPuAqpWhCxHZQZTT6e-lSPntQbh3opIoGe7g4Qs', // [!code focus]
+ *     type: 'public-key', // [!code focus]
+ *     authenticatorAttachment: 'platform', // [!code focus]
+ *     rawId: 'm1-bMPuAqpWhCxHZQZTT6e-lSPntQbh3opIoGe7g4Qs', // [!code focus]
+ *     response: { // [!code focus]
+ *       clientDataJSON: 'eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0', // [!code focus]
+ *     }, // [!code focus]
+ *   }, // [!code focus]
+ * }) // [!code focus]
+ * ```
+ *
+ * @param credential - The serialized credential.
+ * @returns The deserialized credential.
+ */
+export function deserialize(credential) {
+    const { attestationObject, clientDataJSON, id, publicKey, raw } = credential;
+    const response = Object.create(null);
+    for (const key of responseKeys) {
+        const value = raw.response[key];
+        if (value)
+            response[key] = bytesToArrayBuffer(Base64.toBytes(value));
+    }
+    return {
+        attestationObject: bytesToArrayBuffer(Base64.toBytes(attestationObject)),
+        clientDataJSON: bytesToArrayBuffer(Base64.toBytes(clientDataJSON)),
+        id,
+        publicKey: PublicKey.from(publicKey),
+        raw: {
+            id: raw.id,
+            type: raw.type,
+            authenticatorAttachment: raw.authenticatorAttachment,
+            rawId: bytesToArrayBuffer(Base64.toBytes(raw.rawId)),
+            response: response,
+            getClientExtensionResults: () => ({}),
+        },
+    };
+}
+//# sourceMappingURL=Credential.js.map

package/_esm/webauthn/Credential.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Credential.js","sourceRoot":"","sources":["../../webauthn/Credential.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,mBAAmB,CAAA;AAI3C,OAAO,KAAK,SAAS,MAAM,sBAAsB,CAAA;AACjD,OAAO,EACL,gBAAgB,EAChB,mBAAmB,EACnB,kBAAkB,EAClB,YAAY,GACb,MAAM,qBAAqB,CAAA;AAqB5B;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,SAAS,CAAC,UAAsB;IAC9C,MAAM,EAAE,iBAAiB,EAAE,cAAc,EAAE,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,UAAU,CAAA;IAE5E,MAAM,QAAQ,GAAG,EAA4B,CAAA;IAC7C,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAI,GAAG,CAAC,QAA+C,CAAC,GAAG,CAAC,CAAA;QACvE,IAAI,KAAK,YAAY,WAAW;YAC9B,QAAQ,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC,CAAA;IAC7E,CAAC;IAED,OAAO;QACL,iBAAiB,EAAE,MAAM,CAAC,SAAS,CACjC,IAAI,UAAU,CAAC,iBAAiB,CAAC,EACjC,gBAAgB,CACjB;QACD,cAAc,EAAE,MAAM,CAAC,SAAS,CAC9B,IAAI,UAAU,CAAC,cAAc,CAAC,EAC9B,gBAAgB,CACjB;QACD,EAAE;QACF,SAAS,EAAE,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC;QACrC,GAAG,EAAE;YACH,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,uBAAuB,EAAE,GAAG,CAAC,uBAAuB;YACpD,KAAK,EAAE,MAAM,CAAC,SAAS,CAAC,mBAAmB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,gBAAgB,CAAC;YACzE,QAAQ,EAAE,QAAwD;SACnE;KACF,CAAA;AACH,CAAC;AASD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,UAAU,WAAW,CAAC,UAA4B;IACtD,MAAM,EAAE,iBAAiB,EAAE,cAAc,EAAE,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,UAAU,CAAA;IAE5E,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAgC,CAAA;IACnE,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAI,GAAG,CAAC,QAA8C,CAAC,GAAG,CAAC,CAAA;QACtE,IAAI,KAAK;YAAE,QAAQ,CAAC,GAAG,CAAC,GAAG,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAA;IACtE,CAAC;IAED,OAAO;QACL,iBAAiB,EAAE,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QACxE,cAAc,EAAE,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QAClE,EAAE;QACF,SAAS,EAAE,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC;QACpC,GAAG,EAAE;YACH,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,uBAAuB,EAAE,GAAG,CAAC,uBAAuB;YACpD,KAAK,EAAE,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YACpD,QAAQ,EAAE,QAAkD;YAC5D,yBAAyB,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC;SACtC;KACF,CAAA;AACH,CAAC"}

package/_esm/webauthn/Registration.js

@@ -0,0 +1,512 @@
+import * as Base64 from '../core/Base64.js';
+import * as Bytes from '../core/Bytes.js';
+import * as Cbor from '../core/Cbor.js';
+import * as CoseKey from '../core/CoseKey.js';
+import * as Errors from '../core/Errors.js';
+import * as Hash from '../core/Hash.js';
+import * as Hex from '../core/Hex.js';
+import * as internal from '../core/internal/webauthn.js';
+import * as P256 from '../core/P256.js';
+import * as PublicKey from '../core/PublicKey.js';
+import * as Signature from '../core/Signature.js';
+import { base64UrlOptions, bufferSourceToBytes, bytesToArrayBuffer, deserializeExtensions, responseKeys, serializeExtensions, } from './internal/utils.js';
+export const createChallenge = Uint8Array.from([
+    105, 171, 180, 181, 160, 222, 75, 198, 42, 42, 32, 31, 141, 37, 186, 233,
+]);
+/**
+ * Creates a new WebAuthn P256 Credential, which can be stored and later used for signing.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration } from 'ox/webauthn'
+ *
+ * const credential = await Registration.create({ name: 'Example' }) // [!code focus]
+ * // @log: {
+ * // @log:   id: 'oZ48...',
+ * // @log:   publicKey: { x: 51421...5123n, y: 12345...6789n },
+ * // @log:   raw: PublicKeyCredential {},
+ * // @log: }
+ * ```
+ *
+ * @param options - Credential creation options.
+ * @returns A WebAuthn P256 credential.
+ */
+export async function create(options) {
+    const { createFn = window.navigator.credentials.create.bind(window.navigator.credentials), ...rest } = options;
+    const creationOptions = 'publicKey' in rest
+        ? rest
+        : getOptions(rest);
+    try {
+        const credential = (await createFn(creationOptions));
+        if (!credential)
+            throw new CreateFailedError();
+        const response = credential.response;
+        const publicKey = await internal.parseCredentialPublicKey(response);
+        return {
+            attestationObject: response.attestationObject,
+            clientDataJSON: response.clientDataJSON,
+            id: credential.id,
+            publicKey,
+            raw: credential,
+        };
+    }
+    catch (error) {
+        throw new CreateFailedError({
+            cause: error,
+        });
+    }
+}
+/**
+ * Returns the creation options for a P256 WebAuthn Credential to be used with
+ * the Web Authentication API.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration } from 'ox/webauthn'
+ *
+ * const options = Registration.getOptions({ name: 'Example' })
+ *
+ * const credential = await window.navigator.credentials.create(options)
+ * ```
+ *
+ * @param options - Options.
+ * @returns The credential creation options.
+ */
+export function getOptions(options) {
+    const { attestation = 'none', authenticatorSelection = {
+        residentKey: 'preferred',
+        requireResidentKey: false,
+        userVerification: 'required',
+    }, challenge = createChallenge, excludeCredentialIds, extensions, name: name_, rp = {
+        id: window.location.hostname,
+        name: window.document.title,
+    }, user, } = options;
+    const name = (user?.name ?? name_);
+    return {
+        publicKey: {
+            attestation,
+            authenticatorSelection,
+            challenge: typeof challenge === 'string' ? Bytes.fromHex(challenge) : challenge,
+            ...(excludeCredentialIds
+                ? {
+                    excludeCredentials: excludeCredentialIds?.map((id) => ({
+                        id: Base64.toBytes(id),
+                        type: 'public-key',
+                    })),
+                }
+                : {}),
+            pubKeyCredParams: [
+                {
+                    type: 'public-key',
+                    alg: -7, // p256
+                },
+            ],
+            rp,
+            user: {
+                id: user?.id ?? Hash.keccak256(Bytes.fromString(name), { as: 'Bytes' }),
+                name,
+                displayName: user?.displayName ?? name,
+            },
+            ...(extensions && { extensions }),
+        },
+    };
+}
+/**
+ * Serializes a registration response into a JSON-serializable
+ * format, converting `ArrayBuffer` fields to base64url strings
+ * and the public key to a hex string.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration } from 'ox/webauthn'
+ *
+ * const credential = await Registration.create({ name: 'Example' })
+ * const response = Registration.verify({
+ *   credential,
+ *   challenge: '0x...',
+ *   origin: 'https://example.com',
+ *   rpId: 'example.com',
+ * })
+ *
+ * const serialized = Registration.serializeResponse(response) // [!code focus]
+ *
+ * // `serialized` is JSON-serializable — send it to a server, store it, etc.
+ * const json = JSON.stringify(serialized)
+ * ```
+ *
+ * @param response - The registration response to serialize.
+ * @returns The serialized registration response.
+ */
+export function serializeResponse(response) {
+    const { credential, ...rest } = response;
+    const rawResponse = {};
+    for (const key of responseKeys) {
+        const value = credential.raw.response[key];
+        if (value instanceof ArrayBuffer)
+            rawResponse[key] = Base64.fromBytes(new Uint8Array(value), base64UrlOptions);
+    }
+    return {
+        ...rest,
+        credential: {
+            attestationObject: Base64.fromBytes(new Uint8Array(credential.attestationObject), base64UrlOptions),
+            clientDataJSON: Base64.fromBytes(new Uint8Array(credential.clientDataJSON), base64UrlOptions),
+            id: credential.id,
+            publicKey: PublicKey.toHex(credential.publicKey),
+            raw: {
+                id: credential.raw.id,
+                type: credential.raw.type,
+                authenticatorAttachment: credential.raw.authenticatorAttachment,
+                rawId: Base64.fromBytes(bufferSourceToBytes(credential.raw.rawId), base64UrlOptions),
+                response: rawResponse,
+            },
+        },
+    };
+}
+/**
+ * Serializes credential creation options into a JSON-serializable
+ * format, converting `BufferSource` fields to base64url strings.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration } from 'ox/webauthn'
+ *
+ * const options = Registration.getOptions({ name: 'Example' })
+ *
+ * const serialized = Registration.serializeOptions(options) // [!code focus]
+ *
+ * // `serialized` is JSON-serializable — send it to a server, store it, etc.
+ * const json = JSON.stringify(serialized)
+ * ```
+ *
+ * @param options - The credential creation options to serialize.
+ * @returns The serialized credential creation options.
+ */
+export function serializeOptions(options) {
+    const publicKey = options.publicKey;
+    if (!publicKey)
+        return {};
+    const { challenge, excludeCredentials, extensions, user, ...rest } = publicKey;
+    return {
+        publicKey: {
+            ...rest,
+            challenge: Hex.fromBytes(bufferSourceToBytes(challenge)),
+            ...(excludeCredentials && {
+                excludeCredentials: excludeCredentials.map(({ id, ...rest }) => ({
+                    ...rest,
+                    id: Base64.fromBytes(bufferSourceToBytes(id), base64UrlOptions),
+                })),
+            }),
+            ...(extensions && {
+                extensions: serializeExtensions(extensions),
+            }),
+            user: {
+                ...user,
+                id: Base64.fromBytes(bufferSourceToBytes(user.id), base64UrlOptions),
+            },
+        },
+    };
+}
+/**
+ * Deserializes credential creation options that can be passed to
+ * `navigator.credentials.create()`.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration } from 'ox/webauthn'
+ *
+ * const options = Registration.getOptions({ name: 'Example' })
+ * const serialized = Registration.serializeOptions(options)
+ *
+ * // ... send to server and back ...
+ *
+ * const deserialized = Registration.deserializeOptions(serialized) // [!code focus]
+ * const credential = await window.navigator.credentials.create(deserialized)
+ * ```
+ *
+ * @param options - The serialized credential creation options.
+ * @returns The deserialized credential creation options.
+ */
+export function deserializeOptions(options) {
+    const publicKey = options.publicKey;
+    if (!publicKey)
+        return {};
+    const { challenge, excludeCredentials, extensions, user, ...rest } = publicKey;
+    return {
+        publicKey: {
+            ...rest,
+            challenge: Bytes.fromHex(challenge),
+            ...(excludeCredentials && {
+                excludeCredentials: excludeCredentials.map(({ id, ...rest }) => ({
+                    ...rest,
+                    id: Base64.toBytes(id),
+                })),
+            }),
+            ...(extensions && {
+                extensions: deserializeExtensions(extensions),
+            }),
+            user: {
+                ...user,
+                id: Base64.toBytes(user.id),
+            },
+        },
+    };
+}
+/**
+ * Deserializes a serialized registration response.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration } from 'ox/webauthn'
+ *
+ * const response = Registration.deserializeResponse({ // [!code focus]
+ *   credential: { // [!code focus]
+ *     attestationObject: 'o2NmbXRkbm9uZQ...', // [!code focus]
+ *     clientDataJSON: 'eyJ0eXBlIjoid2Vi...', // [!code focus]
+ *     id: 'm1-bMPuAqpWhCxHZQZTT6e-lSPntQbh3opIoGe7g4Qs', // [!code focus]
+ *     publicKey: '0x04ab891400...', // [!code focus]
+ *     raw: { id: '...', type: 'public-key', authenticatorAttachment: 'platform', rawId: '...', response: { clientDataJSON: 'eyJ0eXBlIjoid2Vi...' } }, // [!code focus]
+ *   }, // [!code focus]
+ *   counter: 0, // [!code focus]
+ * }) // [!code focus]
+ * ```
+ *
+ * @param response - The serialized registration response.
+ * @returns The deserialized registration response.
+ */
+export function deserializeResponse(response) {
+    const { credential, ...rest } = response;
+    const rawResponse = {};
+    for (const [key, value] of Object.entries(credential.raw.response))
+        rawResponse[key] = bytesToArrayBuffer(Base64.toBytes(value));
+    return {
+        ...rest,
+        credential: {
+            attestationObject: bytesToArrayBuffer(Base64.toBytes(credential.attestationObject)),
+            clientDataJSON: bytesToArrayBuffer(Base64.toBytes(credential.clientDataJSON)),
+            id: credential.id,
+            publicKey: PublicKey.from(credential.publicKey),
+            raw: {
+                id: credential.raw.id,
+                type: credential.raw.type,
+                authenticatorAttachment: credential.raw.authenticatorAttachment,
+                rawId: bytesToArrayBuffer(Base64.toBytes(credential.raw.rawId)),
+                response: rawResponse,
+                getClientExtensionResults: () => ({}),
+            },
+        },
+    };
+}
+/**
+ * Verifies a WebAuthn registration (credential creation) response. Validates the
+ * `clientDataJSON`, `attestationObject`, authenticator flags, challenge, origin, and
+ * relying party ID, then extracts the credential ID and public key.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Registration } from 'ox/webauthn'
+ *
+ * const credential = await Registration.create({ name: 'Example' })
+ *
+ * const result = Registration.verify({ // [!code focus]
+ *   credential, // [!code focus]
+ *   challenge: '0x69abb4b5a0de4bc62a2a201f8d25bae9', // [!code focus]
+ *   origin: 'https://example.com', // [!code focus]
+ *   rpId: 'example.com', // [!code focus]
+ * }) // [!code focus]
+ * // @log: {
+ * // @log:   credential: {
+ * // @log:     id: 'oZ48...',
+ * // @log:     publicKey: { prefix: 4, x: 51421...5123n, y: 12345...6789n },
+ * // @log:   },
+ * // @log:   counter: 0,
+ * // @log:   userVerified: true,
+ * // @log: }
+ * ```
+ *
+ * @param options - Verification options.
+ * @returns The verified registration result.
+ */
+export function verify(options) {
+    const { attestation = 'none', credential, origin, rpId, userVerification = 'required', } = options;
+    // 1. Decode and validate clientDataJSON
+    const clientDataJSONBytes = new Uint8Array(credential.clientDataJSON);
+    const clientDataJSON = Bytes.toString(clientDataJSONBytes);
+    const clientData = JSON.parse(clientDataJSON);
+    if (clientData.type !== 'webauthn.create')
+        throw new VerifyError(`Expected clientData.type "webauthn.create", got "${clientData.type}"`);
+    // Validate challenge
+    const challengeResult = (() => {
+        if (typeof options.challenge === 'function')
+            return options.challenge(clientData.challenge);
+        const challengeBytes = typeof options.challenge === 'string'
+            ? Bytes.fromHex(options.challenge)
+            : options.challenge;
+        const challenge = Base64.fromBytes(challengeBytes, base64UrlOptions);
+        return clientData.challenge === challenge;
+    })();
+    if (!challengeResult)
+        throw new VerifyError('Challenge mismatch');
+    // Validate origin
+    const origins = Array.isArray(origin) ? origin : [origin];
+    if (!origins.includes(clientData.origin))
+        throw new VerifyError(`Origin mismatch: expected ${JSON.stringify(origin)}, got "${clientData.origin}"`);
+    // 2. Decode attestationObject via CBOR
+    const attestationObjectBytes = new Uint8Array(credential.attestationObject);
+    const attestation_ = Cbor.decode(attestationObjectBytes);
+    // 3. Parse authenticatorData
+    const authData = attestation_.authData;
+    const rpIdHash = authData.slice(0, 32);
+    const expectedRpIdHash = Hash.sha256(Hex.fromString(rpId), { as: 'Bytes' });
+    if (!Bytes.isEqual(rpIdHash, expectedRpIdHash))
+        throw new VerifyError('rpId hash mismatch');
+    const flags = authData[32];
+    const up = (flags & 0x01) !== 0;
+    const uv = (flags & 0x04) !== 0;
+    const at = (flags & 0x40) !== 0;
+    const be = (flags & 0x08) !== 0;
+    const bs = (flags & 0x10) !== 0;
+    if (!up)
+        throw new VerifyError('User presence flag not set');
+    if (!at)
+        throw new VerifyError('Attested credential data flag not set');
+    if (userVerification === 'required' && !uv)
+        throw new VerifyError('User verification flag not set');
+    // If the BE bit is not set, the BS bit must not be set.
+    if (!be && bs)
+        throw new VerifyError('Backup state (BS) flag is set but backup eligibility (BE) flag is not');
+    // Minimum authData length: 37 (rpIdHash + flags + counter) + 16 (AAGUID) + 2 (credIdLen)
+    if (authData.length < 55)
+        throw new VerifyError('authData too short for attested credential data');
+    // Counter (4 bytes, big-endian, starting at offset 33)
+    const counter = ((authData[33] << 24) |
+        (authData[34] << 16) |
+        (authData[35] << 8) |
+        authData[36]) >>>
+        0;
+    // Credential ID length (2 bytes at offset 53, big-endian)
+    const credIdLen = (authData[53] << 8) | authData[54];
+    if (55 + credIdLen > authData.length)
+        throw new VerifyError('credIdLen exceeds authData bounds');
+    // Credential ID (variable length starting at offset 55)
+    const credentialId = authData.slice(55, 55 + credIdLen);
+    // Verify credential ID consistency if caller-supplied id is present
+    if (credential.id !== undefined) {
+        const expectedId = Base64.fromBytes(credentialId, base64UrlOptions);
+        if (credential.id !== expectedId)
+            throw new VerifyError(`Credential ID mismatch: supplied "${credential.id}" does not match authData "${expectedId}"`);
+    }
+    // 4. Parse and validate COSE public key
+    const ed = (flags & 0x80) !== 0;
+    const coseKeyBytes = authData.slice(55 + credIdLen);
+    const coseKeyHex = Hex.fromBytes(coseKeyBytes);
+    const coseKeyData = Cbor.decode(coseKeyHex);
+    // Validate key type is EC2 (2), algorithm is ES256 (-7), and curve is P-256 (1)
+    if (coseKeyData['1'] !== 2 ||
+        coseKeyData['3'] !== -7 ||
+        coseKeyData['-1'] !== 1)
+        throw new VerifyError('COSE key must be EC2 (kty=2) with ES256 algorithm (alg=-7) on P-256 curve (crv=1)');
+    const publicKey = CoseKey.toPublicKey(coseKeyHex);
+    // Verify no unexpected trailing bytes after the COSE key.
+    // Re-encode the extracted public key as a COSE key to determine its expected length.
+    const expectedCoseKeyLen = Bytes.fromHex(CoseKey.fromPublicKey(publicKey)).length;
+    const trailingBytes = coseKeyBytes.length - expectedCoseKeyLen;
+    if (trailingBytes > 0 && !ed)
+        throw new VerifyError(`authData contains ${trailingBytes} unexpected trailing byte(s) after COSE key`);
+    // 5. Verify attestation statement (cryptographic binding of authData + clientDataJSON)
+    const clientDataHash = Hash.sha256(Bytes.fromString(clientDataJSON), {
+        as: 'Bytes',
+    });
+    const verificationData = Bytes.concat(authData, clientDataHash);
+    const { fmt, attStmt } = attestation_;
+    if (fmt === 'none') {
+        // "none" format has no attestation signature; only accept if caller opts in
+        if (attestation === 'required')
+            throw new VerifyError('Attestation format is "none" but attestation verification is required. ' +
+                'Set `attestation: "none"` to accept unattested credentials.');
+    }
+    else if (fmt === 'packed') {
+        // Packed attestation: verify signature over authData || clientDataHash
+        const sig = attStmt.sig;
+        const alg = attStmt.alg;
+        if (!(sig instanceof Uint8Array) || typeof alg !== 'number')
+            throw new VerifyError('Invalid packed attestation statement: missing sig or alg');
+        if (alg !== -7)
+            throw new VerifyError(`Unsupported attestation algorithm: ${alg} (expected -7 / ES256)`);
+        if (attStmt.x5c) {
+            // Full attestation with certificate chain is not supported
+            throw new VerifyError('Packed attestation with x5c certificate chain is not supported. ' +
+                'Use self attestation (no x5c) or set `attestation: "none"`.');
+        }
+        // Self attestation: verify using the credential public key
+        const attSignature = Signature.fromDerBytes(sig);
+        const verified = P256.verify({
+            hash: true,
+            payload: verificationData,
+            publicKey,
+            signature: attSignature,
+        });
+        if (!verified)
+            throw new VerifyError('Attestation signature verification failed');
+    }
+    else {
+        throw new VerifyError(`Unsupported attestation format: "${fmt}"`);
+    }
+    // 6. Build credential ID string
+    const id = credential.id ?? Base64.fromBytes(credentialId, base64UrlOptions);
+    // 7. Build raw credential
+    const raw = credential.raw ?? {
+        authenticatorAttachment: null,
+        getClientExtensionResults: () => ({}),
+        id,
+        rawId: bytesToArrayBuffer(credentialId),
+        response: {
+            attestationObject: credential.attestationObject,
+            clientDataJSON: credential.clientDataJSON,
+        },
+        type: 'public-key',
+    };
+    return {
+        credential: {
+            attestationObject: credential.attestationObject,
+            clientDataJSON: credential.clientDataJSON,
+            id,
+            publicKey,
+            raw,
+        },
+        counter,
+        ...(uv ? { userVerified: true } : {}),
+        ...(be ? { backedUp: bs } : {}),
+        ...(be
+            ? {
+                deviceType: bs ? 'multiDevice' : 'singleDevice',
+            }
+            : {}),
+    };
+}
+/** Thrown when WebAuthn registration verification fails. */
+export class VerifyError extends Errors.BaseError {
+    constructor() {
+        super(...arguments);
+        Object.defineProperty(this, "name", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: 'Registration.VerifyError'
+        });
+    }
+}
+/** Thrown when a WebAuthn P256 credential creation fails. */
+export class CreateFailedError extends Errors.BaseError {
+    constructor({ cause } = {}) {
+        super('Failed to create credential.', {
+            cause,
+        });
+        Object.defineProperty(this, "name", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: 'Registration.CreateFailedError'
+        });
+    }
+}
+//# sourceMappingURL=Registration.js.map

package/_esm/webauthn/Registration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Registration.js","sourceRoot":"","sources":["../../webauthn/Registration.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,mBAAmB,CAAA;AAC3C,OAAO,KAAK,KAAK,MAAM,kBAAkB,CAAA;AACzC,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAA;AACvC,OAAO,KAAK,OAAO,MAAM,oBAAoB,CAAA;AAC7C,OAAO,KAAK,MAAM,MAAM,mBAAmB,CAAA;AAC3C,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAA;AACvC,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAA;AAErC,OAAO,KAAK,QAAQ,MAAM,8BAA8B,CAAA;AACxD,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAA;AACvC,OAAO,KAAK,SAAS,MAAM,sBAAsB,CAAA;AACjD,OAAO,KAAK,SAAS,MAAM,sBAAsB,CAAA;AAEjD,OAAO,EACL,gBAAgB,EAChB,mBAAmB,EACnB,kBAAkB,EAClB,qBAAqB,EACrB,YAAY,EACZ,mBAAmB,GACpB,MAAM,qBAAqB,CAAA;AAG5B,MAAM,CAAC,MAAM,eAAe,GAAG,UAAU,CAAC,IAAI,CAAC;IAC7C,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG;CACzE,CAAC,CAAA;AAWF;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,OAAuB;IAEvB,MAAM,EACJ,QAAQ,GAAG,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CACjD,MAAM,CAAC,SAAS,CAAC,WAAW,CAC7B,EACD,GAAG,IAAI,EACR,GAAG,OAAO,CAAA;IACX,MAAM,eAAe,GACnB,WAAW,IAAI,IAAI;QACjB,CAAC,CAAE,IAAwC;QAC3C,CAAC,CAAC,UAAU,CAAC,IAAa,CAAC,CAAA;IAC/B,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,CAAC,MAAM,QAAQ,CAChC,eAAwB,CACzB,CAA8B,CAAA;QAC/B,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,iBAAiB,EAAE,CAAA;QAE9C,MAAM,QAAQ,GACZ,UAAU,CAAC,QAAkD,CAAA;QAC/D,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,wBAAwB,CAAC,QAAQ,CAAC,CAAA;QAEnE,OAAO;YACL,iBAAiB,EAAE,QAAQ,CAAC,iBAAiB;YAC7C,cAAc,EAAE,QAAQ,CAAC,cAAc;YACvC,EAAE,EAAE,UAAU,CAAC,EAAE;YACjB,SAAS;YACT,GAAG,EAAE,UAAU;SAChB,CAAA;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,iBAAiB,CAAC;YAC1B,KAAK,EAAE,KAAc;SACtB,CAAC,CAAA;IACJ,CAAC;AACH,CAAC;AA0BD;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,UAAU,CACxB,OAA2B;IAE3B,MAAM,EACJ,WAAW,GAAG,MAAM,EACpB,sBAAsB,GAAG;QACvB,WAAW,EAAE,WAAW;QACxB,kBAAkB,EAAE,KAAK;QACzB,gBAAgB,EAAE,UAAU;KAC7B,EACD,SAAS,GAAG,eAAe,EAC3B,oBAAoB,EACpB,UAAU,EACV,IAAI,EAAE,KAAK,EACX,EAAE,GAAG;QACH,EAAE,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ;QAC5B,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,KAAK;KAC5B,EACD,IAAI,GACL,GAAG,OAAO,CAAA;IACX,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,IAAI,IAAI,KAAK,CAAE,CAAA;IACnC,OAAO;QACL,SAAS,EAAE;YACT,WAAW;YACX,sBAAsB;YACtB,SAAS,EACP,OAAO,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS;YACtE,GAAG,CAAC,oBAAoB;gBACtB,CAAC,CAAC;oBACE,kBAAkB,EAAE,oBAAoB,EAAE,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;wBACrD,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;wBACtB,IAAI,EAAE,YAAY;qBACnB,CAAC,CAAC;iBACJ;gBACH,CAAC,CAAC,EAAE,CAAC;YACP,gBAAgB,EAAE;gBAChB;oBACE,IAAI,EAAE,YAAY;oBAClB,GAAG,EAAE,CAAC,CAAC,EAAE,OAAO;iBACjB;aACF;YACD,EAAE;YACF,IAAI,EAAE;gBACJ,EAAE,EAAE,IAAI,EAAE,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC;gBACvE,IAAI;gBACJ,WAAW,EAAE,IAAI,EAAE,WAAW,IAAI,IAAI;aACvC;YACD,GAAG,CAAC,UAAU,IAAI,EAAE,UAAU,EAAE,CAAC;SAClC;KACF,CAAA;AACH,CAAC;AAkFD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAkB;IAClD,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,EAAE,GAAG,QAAQ,CAAA;IAExC,MAAM,WAAW,GAAG,EAA4B,CAAA;IAChD,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC/B,MAAM,KAAK,GACT,UAAU,CAAC,GAAG,CAAC,QAChB,CAAC,GAAG,CAAC,CAAA;QACN,IAAI,KAAK,YAAY,WAAW;YAC9B,WAAW,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,SAAS,CACjC,IAAI,UAAU,CAAC,KAAK,CAAC,EACrB,gBAAgB,CACjB,CAAA;IACL,CAAC;IAED,OAAO;QACL,GAAG,IAAI;QACP,UAAU,EAAE;YACV,iBAAiB,EAAE,MAAM,CAAC,SAAS,CACjC,IAAI,UAAU,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAC5C,gBAAgB,CACjB;YACD,cAAc,EAAE,MAAM,CAAC,SAAS,CAC9B,IAAI,UAAU,CAAC,UAAU,CAAC,cAAc,CAAC,EACzC,gBAAgB,CACjB;YACD,EAAE,EAAE,UAAU,CAAC,EAAE;YACjB,SAAS,EAAE,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC;YAChD,GAAG,EAAE;gBACH,EAAE,EAAE,UAAU,CAAC,GAAG,CAAC,EAAE;gBACrB,IAAI,EAAE,UAAU,CAAC,GAAG,CAAC,IAAI;gBACzB,uBAAuB,EAAE,UAAU,CAAC,GAAG,CAAC,uBAAuB;gBAC/D,KAAK,EAAE,MAAM,CAAC,SAAS,CACrB,mBAAmB,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,EACzC,gBAAgB,CACjB;gBACD,QAAQ,EAAE,WAA2D;aACtE;SACF;KACF,CAAA;AACH,CAAC;AASD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAwC;IAExC,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;IACnC,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,CAAA;IAEzB,MAAM,EAAE,SAAS,EAAE,kBAAkB,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,IAAI,EAAE,GAAG,SAAS,CAAA;IAE9E,OAAO;QACL,SAAS,EAAE;YACT,GAAG,IAAI;YACP,SAAS,EAAE,GAAG,CAAC,SAAS,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;YACxD,GAAG,CAAC,kBAAkB,IAAI;gBACxB,kBAAkB,EAAE,kBAAkB,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;oBAC/D,GAAG,IAAI;oBACP,EAAE,EAAE,MAAM,CAAC,SAAS,CAAC,mBAAmB,CAAC,EAAE,CAAC,EAAE,gBAAgB,CAAC;iBAChE,CAAC,CAAC;aACJ,CAAC;YACF,GAAG,CAAC,UAAU,IAAI;gBAChB,UAAU,EAAE,mBAAmB,CAAC,UAAU,CAAC;aAC5C,CAAC;YACF,IAAI,EAAE;gBACJ,GAAG,IAAI;gBACP,EAAE,EAAE,MAAM,CAAC,SAAS,CAAC,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,gBAAgB,CAAC;aACrE;SACF;KACF,CAAA;AACH,CAAC;AAMD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAA8C;IAE9C,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;IACnC,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,CAAA;IAEzB,MAAM,EAAE,SAAS,EAAE,kBAAkB,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,IAAI,EAAE,GAAG,SAAS,CAAA;IAE9E,OAAO;QACL,SAAS,EAAE;YACT,GAAG,IAAI;YACP,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;YACnC,GAAG,CAAC,kBAAkB,IAAI;gBACxB,kBAAkB,EAAE,kBAAkB,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;oBAC/D,GAAG,IAAI;oBACP,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;iBACvB,CAAC,CAAC;aACJ,CAAC;YACF,GAAG,CAAC,UAAU,IAAI;gBAChB,UAAU,EAAE,qBAAqB,CAAC,UAAU,CAAC;aAC9C,CAAC;YACF,IAAI,EAAE;gBACJ,GAAG,IAAI;gBACP,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;aAC5B;SACF;KACF,CAAA;AACH,CAAC;AAMD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAwB;IAC1D,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,EAAE,GAAG,QAAQ,CAAA;IAExC,MAAM,WAAW,GAAgC,EAAE,CAAA;IACnD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC;QAChE,WAAW,CAAC,GAAG,CAAC,GAAG,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAA;IAE9D,OAAO;QACL,GAAG,IAAI;QACP,UAAU,EAAE;YACV,iBAAiB,EAAE,kBAAkB,CACnC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAC7C;YACD,cAAc,EAAE,kBAAkB,CAChC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,cAAc,CAAC,CAC1C;YACD,EAAE,EAAE,UAAU,CAAC,EAAE;YACjB,SAAS,EAAE,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;YAC/C,GAAG,EAAE;gBACH,EAAE,EAAE,UAAU,CAAC,GAAG,CAAC,EAAE;gBACrB,IAAI,EAAE,UAAU,CAAC,GAAG,CAAC,IAAI;gBACzB,uBAAuB,EAAE,UAAU,CAAC,GAAG,CAAC,uBAAuB;gBAC/D,KAAK,EAAE,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBAC/D,QAAQ,EAAE,WAAqD;gBAC/D,yBAAyB,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC;aACtC;SACF;KACF,CAAA;AACH,CAAC;AASD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,UAAU,MAAM,CAAC,OAAuB;IAC5C,MAAM,EACJ,WAAW,GAAG,MAAM,EACpB,UAAU,EACV,MAAM,EACN,IAAI,EACJ,gBAAgB,GAAG,UAAU,GAC9B,GAAG,OAAO,CAAA;IAEX,wCAAwC;IACxC,MAAM,mBAAmB,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,cAAc,CAAC,CAAA;IACrE,MAAM,cAAc,GAAG,KAAK,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAA;IAC1D,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAA;IAE7C,IAAI,UAAU,CAAC,IAAI,KAAK,iBAAiB;QACvC,MAAM,IAAI,WAAW,CACnB,oDAAoD,UAAU,CAAC,IAAI,GAAG,CACvE,CAAA;IAEH,qBAAqB;IACrB,MAAM,eAAe,GAAG,CAAC,GAAG,EAAE;QAC5B,IAAI,OAAO,OAAO,CAAC,SAAS,KAAK,UAAU;YACzC,OAAO,OAAO,CAAC,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC,CAAA;QAChD,MAAM,cAAc,GAClB,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACnC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC;YAClC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAA;QACvB,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,cAAc,EAAE,gBAAgB,CAAC,CAAA;QACpE,OAAO,UAAU,CAAC,SAAS,KAAK,SAAS,CAAA;IAC3C,CAAC,CAAC,EAAE,CAAA;IACJ,IAAI,CAAC,eAAe;QAAE,MAAM,IAAI,WAAW,CAAC,oBAAoB,CAAC,CAAA;IAEjE,kBAAkB;IAClB,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAA;IACzD,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC;QACtC,MAAM,IAAI,WAAW,CACnB,6BAA6B,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,UAAU,CAAC,MAAM,GAAG,CAClF,CAAA;IAEH,uCAAuC;IACvC,MAAM,sBAAsB,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAA;IAC3E,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAI7B,sBAAsB,CAAC,CAAA;IAE1B,6BAA6B;IAC7B,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAA;IACtC,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;IACtC,MAAM,gBAAgB,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC,CAAA;IAE3E,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,gBAAgB,CAAC;QAC5C,MAAM,IAAI,WAAW,CAAC,oBAAoB,CAAC,CAAA;IAE7C,MAAM,KAAK,GAAG,QAAQ,CAAC,EAAE,CAAE,CAAA;IAC3B,MAAM,EAAE,GAAG,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAA;IAC/B,MAAM,EAAE,GAAG,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAA;IAC/B,MAAM,EAAE,GAAG,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAA;IAC/B,MAAM,EAAE,GAAG,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAA;IAC/B,MAAM,EAAE,GAAG,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAA;IAE/B,IAAI,CAAC,EAAE;QAAE,MAAM,IAAI,WAAW,CAAC,4BAA4B,CAAC,CAAA;IAC5D,IAAI,CAAC,EAAE;QAAE,MAAM,IAAI,WAAW,CAAC,uCAAuC,CAAC,CAAA;IACvE,IAAI,gBAAgB,KAAK,UAAU,IAAI,CAAC,EAAE;QACxC,MAAM,IAAI,WAAW,CAAC,gCAAgC,CAAC,CAAA;IAEzD,wDAAwD;IACxD,IAAI,CAAC,EAAE,IAAI,EAAE;QACX,MAAM,IAAI,WAAW,CACnB,uEAAuE,CACxE,CAAA;IAEH,yFAAyF;IACzF,IAAI,QAAQ,CAAC,MAAM,GAAG,EAAE;QACtB,MAAM,IAAI,WAAW,CAAC,iDAAiD,CAAC,CAAA;IAE1E,uDAAuD;IACvD,MAAM,OAAO,GACX,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAE,IAAI,EAAE,CAAC;QACpB,CAAC,QAAQ,CAAC,EAAE,CAAE,IAAI,EAAE,CAAC;QACrB,CAAC,QAAQ,CAAC,EAAE,CAAE,IAAI,CAAC,CAAC;QACpB,QAAQ,CAAC,EAAE,CAAE,CAAC;QAChB,CAAC,CAAA;IAEH,0DAA0D;IAC1D,MAAM,SAAS,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAE,IAAI,CAAC,CAAC,GAAG,QAAQ,CAAC,EAAE,CAAE,CAAA;IACtD,IAAI,EAAE,GAAG,SAAS,GAAG,QAAQ,CAAC,MAAM;QAClC,MAAM,IAAI,WAAW,CAAC,mCAAmC,CAAC,CAAA;IAE5D,wDAAwD;IACxD,MAAM,YAAY,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,GAAG,SAAS,CAAC,CAAA;IAEvD,oEAAoE;IACpE,IAAI,UAAU,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;QAChC,MAAM,UAAU,GAAG,MAAM,CAAC,SAAS,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAA;QACnE,IAAI,UAAU,CAAC,EAAE,KAAK,UAAU;YAC9B,MAAM,IAAI,WAAW,CACnB,qCAAqC,UAAU,CAAC,EAAE,8BAA8B,UAAU,GAAG,CAC9F,CAAA;IACL,CAAC;IAED,wCAAwC;IACxC,MAAM,EAAE,GAAG,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAA;IAC/B,MAAM,YAAY,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,GAAG,SAAS,CAAC,CAAA;IACnD,MAAM,UAAU,GAAG,GAAG,CAAC,SAAS,CAAC,YAAY,CAAC,CAAA;IAC9C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAA0B,UAAU,CAAC,CAAA;IACpE,gFAAgF;IAChF,IACE,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC;QACtB,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACvB,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC;QAEvB,MAAM,IAAI,WAAW,CACnB,mFAAmF,CACpF,CAAA;IACH,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,UAAU,CAAC,CAAA;IAEjD,0DAA0D;IAC1D,qFAAqF;IACrF,MAAM,kBAAkB,GAAG,KAAK,CAAC,OAAO,CACtC,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC,CACjC,CAAC,MAAM,CAAA;IACR,MAAM,aAAa,GAAG,YAAY,CAAC,MAAM,GAAG,kBAAkB,CAAA;IAC9D,IAAI,aAAa,GAAG,CAAC,IAAI,CAAC,EAAE;QAC1B,MAAM,IAAI,WAAW,CACnB,qBAAqB,aAAa,6CAA6C,CAChF,CAAA;IAEH,uFAAuF;IACvF,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE;QACnE,EAAE,EAAE,OAAO;KACZ,CAAC,CAAA;IACF,MAAM,gBAAgB,GAAG,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAA;IAE/D,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,YAAY,CAAA;IACrC,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QACnB,4EAA4E;QAC5E,IAAI,WAAW,KAAK,UAAU;YAC5B,MAAM,IAAI,WAAW,CACnB,yEAAyE;gBACvE,6DAA6D,CAChE,CAAA;IACL,CAAC;SAAM,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,uEAAuE;QACvE,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAA;QACvB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAA;QACvB,IAAI,CAAC,CAAC,GAAG,YAAY,UAAU,CAAC,IAAI,OAAO,GAAG,KAAK,QAAQ;YACzD,MAAM,IAAI,WAAW,CACnB,0DAA0D,CAC3D,CAAA;QACH,IAAI,GAAG,KAAK,CAAC,CAAC;YACZ,MAAM,IAAI,WAAW,CACnB,sCAAsC,GAAG,wBAAwB,CAClE,CAAA;QACH,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;YAChB,2DAA2D;YAC3D,MAAM,IAAI,WAAW,CACnB,kEAAkE;gBAChE,6DAA6D,CAChE,CAAA;QACH,CAAC;QACD,2DAA2D;QAC3D,MAAM,YAAY,GAAG,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,CAAA;QAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC;YAC3B,IAAI,EAAE,IAAI;YACV,OAAO,EAAE,gBAAgB;YACzB,SAAS;YACT,SAAS,EAAE,YAAY;SACxB,CAAC,CAAA;QACF,IAAI,CAAC,QAAQ;YACX,MAAM,IAAI,WAAW,CAAC,2CAA2C,CAAC,CAAA;IACtE,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,WAAW,CAAC,oCAAoC,GAAG,GAAG,CAAC,CAAA;IACnE,CAAC;IAED,gCAAgC;IAChC,MAAM,EAAE,GAAG,UAAU,CAAC,EAAE,IAAI,MAAM,CAAC,SAAS,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAA;IAE5E,0BAA0B;IAC1B,MAAM,GAAG,GAAG,UAAU,CAAC,GAAG,IAAI;QAC5B,uBAAuB,EAAE,IAAI;QAC7B,yBAAyB,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC;QACrC,EAAE;QACF,KAAK,EAAE,kBAAkB,CAAC,YAAY,CAAC;QACvC,QAAQ,EAAE;YACR,iBAAiB,EAAE,UAAU,CAAC,iBAAiB;YAC/C,cAAc,EAAE,UAAU,CAAC,cAAc;SACjC;QACV,IAAI,EAAE,YAAY;KACnB,CAAA;IAED,OAAO;QACL,UAAU,EAAE;YACV,iBAAiB,EAAE,UAAU,CAAC,iBAAiB;YAC/C,cAAc,EAAE,UAAU,CAAC,cAAc;YACzC,EAAE;YACF,SAAS;YACT,GAAG;SACJ;QACD,OAAO;QACP,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9C,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/B,GAAG,CAAC,EAAE;YACJ,CAAC,CAAC;gBACE,UAAU,EAAE,EAAE,CAAC,CAAC,CAAE,aAAuB,CAAC,CAAC,CAAE,cAAwB;aACtE;YACH,CAAC,CAAC,EAAE,CAAC;KACR,CAAA;AACH,CAAC;AAiDD,4DAA4D;AAC5D,MAAM,OAAO,WAAY,SAAQ,MAAM,CAAC,SAAS;IAAjD;;QACoB;;;;mBAAO,0BAA0B;WAAA;IACrD,CAAC;CAAA;AAED,6DAA6D;AAC7D,MAAM,OAAO,iBAAkB,SAAQ,MAAM,CAAC,SAAgB;IAG5D,YAAY,EAAE,KAAK,KAAoC,EAAE;QACvD,KAAK,CAAC,8BAA8B,EAAE;YACpC,KAAK;SACN,CAAC,CAAA;QALc;;;;mBAAO,gCAAgC;WAAA;IAMzD,CAAC;CACF"}

package/_esm/webauthn/Types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=Types.js.map

package/_esm/webauthn/Types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Types.js","sourceRoot":"","sources":["../../webauthn/Types.ts"],"names":[],"mappings":""}

package/_esm/webauthn/index.js

@@ -0,0 +1,31 @@
+/**
+ * Utility functions and types for WebAuthn authentication ceremonies (signing and verification).
+ *
+ * @category WebAuthn
+ */
+export * as Authentication from './Authentication.js';
+/**
+ * Utility functions for constructing and parsing authenticator data and client data JSON.
+ *
+ * @category WebAuthn
+ */
+export * as Authenticator from './Authenticator.js';
+/**
+ * Utility functions and types for WebAuthn P256 credentials.
+ *
+ * @category WebAuthn
+ */
+export * as Credential from './Credential.js';
+/**
+ * Utility functions and types for WebAuthn registration ceremonies (credential creation and verification).
+ *
+ * @category WebAuthn
+ */
+export * as Registration from './Registration.js';
+/**
+ * WebAuthn type definitions.
+ *
+ * @category WebAuthn
+ */
+export * as Types from './Types.js';
+//# sourceMappingURL=index.js.map