author | Matthew Miller <matthew@millerti.me> | 2020-07-10 15:54:25 -0700 |
committer | Matthew Miller <matthew@millerti.me> | 2020-07-10 15:54:25 -0700 |
commit | 28a92f306afd1252fab3c575a50b0b75f9259f11 (patch) | |
tree | 4b8992536ae254f510bbbc873792522da2186cb0 | |
parent | 189039e0eb7559184831f4e895f7f5703d485f22 (diff) |
Update verifyTPM to use parser for SubjectAltName
-rw-r--r-- | packages/server/src/attestation/verifications/tpm/verifyTPM.ts | 48 |
1 files changed, 17 insertions, 31 deletions
diff --git a/packages/server/src/attestation/verifications/tpm/verifyTPM.ts b/packages/server/src/attestation/verifications/tpm/verifyTPM.ts index b9351ea..611b485 100644 --- a/packages/server/src/attestation/verifications/tpm/verifyTPM.ts +++ b/packages/server/src/attestation/verifications/tpm/verifyTPM.ts @@ -1,3 +1,6 @@ +import { AsnParser } from '@peculiar/asn1-schema'; +import { Certificate, id_ce_subjectAltName, SubjectAlternativeName } from '@peculiar/asn1-x509'; + import type { AttestationStatement } from '../../../helpers/decodeAttestationObject'; import decodeCredentialPublicKey from '../../../helpers/decodeCredentialPublicKey'; import { COSEKEYS, COSEALGHASH } from '../../../helpers/convertCOSEtoPKCS'; @@ -203,13 +206,25 @@ export default async function verifyTPM(options: Options): Promise<boolean> { */ const certASN1 = leafCertToASN1Object(x5c[0]); - const subjectAltNamePresent = getASN1SubjectAltNamePresent(certASN1); const tcgAtTpmManufacturer = getASN1TcgAtTpmManufacturer(certASN1); const tcgAtTpmModel = getASN1TcgAtTpmModel(certASN1); const tcgAtTpmVersion = getASN1TcgAtTpmVersion(certASN1); const extKeyUsage = getASN1ExtKeyUsage(certASN1); - // Check that certificate contains subjectAltName(2.5.29.17) extension, + const parsedCert = AsnParser.parse(x5c[0], Certificate); + + if (!parsedCert.tbsCertificate.extensions) { + throw new Error('Certificate was missing extensions (TPM)'); + } + + let subjectAltNamePresent: SubjectAlternativeName | undefined; + parsedCert.tbsCertificate.extensions.forEach(ext => { + if (ext.extnID === id_ce_subjectAltName) { + subjectAltNamePresent = AsnParser.parse(ext.extnValue.slice(0), SubjectAlternativeName); + } + }); + + // Check that certificate contains subjectAltName (2.5.29.17) extension, if (!subjectAltNamePresent) { throw new Error('Certificate did not contain subjectAltName extension (TPM)'); } 
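Review bot: The replacement drops the critical-flag check that the removed getASN1SubjectAltNamePresent helper enforced: that helper returned true only when the second element of the extension SEQUENCE was `BOOLEAN true` (the extension's `critical` field), whereas the new forEach accepts any extension whose `extnID` matches, so a leaf certificate carrying a non-critical subjectAltName now passes the presence check. The TPM EK credential profile that the WebAuthn TPM attestation format refers to requires the SAN extension to be critical when the Subject is empty, so if the old behaviour was intentional the branch should keep it, e.g. `if (!ext.critical) { throw new Error('subjectAltName extension must be marked critical (TPM)'); }` before the AsnParser.parse call. The same certificate is now parsed twice (leafCertToASN1Object and AsnParser.parse on the same `x5c[0]`); a short comment such as `// Parsed again with asn1-x509 so the SAN value is available as a typed SubjectAlternativeName` would explain why both parsers are kept. verifyTPM starts and ends outside this hunk.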
@@ -247,35 +262,6 @@ export default async function verifyTPM(options: Options): Promise<boolean> { return verifySignature(sig, certInfo, leafCertPEM, hashAlg); } -function getASN1SubjectAltNamePresent(certASN1: ASN1Object): boolean { - const oid = '2.5.29.17'; - const ext = findOID(certASN1, oid); - - if (!ext) { - return false; - } - - /** - * Return "true" (as an actual boolean) from the following data structure - * { - * "type": "SEQUENCE", - * "data": [ - * { - * "type": "OBJECT_IDENTIFIER", - * "data": "2.5.29.17\nsubjectAltName\nX.509 extension" - * }, - * { - * "type": "BOOLEAN", - * "data": "true" - * }, - * // ...snip... - * ] - * } - */ - - return (ext.data as JASN1[])[1].data === 'true'; -} - function getASN1TcgAtTpmManufacturer(certASN1: ASN1Object): string { const oid = '2.23.133.2.1'; const ext = findOID(certASN1, oid); |