author | Matthew Miller <matthew@millerti.me> | 2022-08-09 17:17:56 -0700 |
committer | Matthew Miller <matthew@millerti.me> | 2022-08-09 17:17:56 -0700 |
commit | 2ac75da56bcd23b74f3fb4a7b363dc2976aaa176 (patch) | |
tree | 4589ab8e692a99b26c005c4e0dd34d3344c1efac | |
parent | 87e1832faee1bb57031fe78dffd0581c2610f366 (diff) |
Use TypeScript to enforce existence of COSE info
Also updates `alg` for secp256k1_ecdsa_sha256_raw and secp256k1_ecdsa_sha256_der
-rw-r--r-- | packages/server/src/metadata/verifyAttestationWithMetadata.ts | 66 |
1 files changed, 25 insertions, 41 deletions
diff --git a/packages/server/src/metadata/verifyAttestationWithMetadata.ts b/packages/server/src/metadata/verifyAttestationWithMetadata.ts
index 0e7c736..9577a2e 100644
--- a/packages/server/src/metadata/verifyAttestationWithMetadata.ts
+++ b/packages/server/src/metadata/verifyAttestationWithMetadata.ts
@@ -1,6 +1,6 @@
 import { Base64URLString } from '@simplewebauthn/typescript-types';
-import { MetadataStatement, AlgSign } from '../metadata/mdsTypes';
+import type { MetadataStatement, AlgSign } from '../metadata/mdsTypes';
 import { convertCertBufferToPEM } from '../helpers/convertCertBufferToPEM';
 import { validateCertificatePath } from '../helpers/validateCertificatePath';
 import { decodeCredentialPublicKey } from '../helpers/decodeCredentialPublicKey';
@@ -18,9 +18,10 @@ export async function verifyAttestationWithMetadata(
 // Make sure the alg in the attestation statement matches one of the ones specified in metadata
 const keypairCOSEAlgs: Set<COSEInfo> = new Set();
 statement.authenticationAlgorithms.forEach(algSign => {
- // Convert algSign string to { kty, alg, crv }
- const algSignCOSEINFO = algSignToCOSEInfo(algSign);
+ // Map algSign string to { kty, alg, crv }
+ const algSignCOSEINFO = algSignToCOSEInfoMap[algSign];
+ // Keeping this statement here just in case MDS returns something unexpected
 if (algSignCOSEINFO) {
 keypairCOSEAlgs.add(algSignCOSEINFO);
 }
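Review bot: The guard `if (algSignCOSEINFO)` on the new side of the second hunk is the only runtime check that an MDS-supplied `authenticationAlgorithms` entry is one this library knows, because `statement` comes from external data and the `{ [key in AlgSign]: COSEInfo }` type constrains the keys only at compile time; an unknown string indexes to `undefined` and is silently dropped. The new comment should say that explicitly, e.g. `// Runtime guard: MDS data is external JSON, so algSign may not be a known AlgSign despite the type`, and it is worth logging the skipped value so an empty `keypairCOSEAlgs` set can be traced back to an unrecognized algorithm rather than a malformed statement. verifyAttestationWithMetadata's body continues outside the hunk, so how an empty set is treated downstream is not visible here.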
@@ -110,42 +111,25 @@ type COSEInfo = {
 *
 * Values pulled from `ALG_KEY_COSE` definitions in the FIDO Registry of Predefined Values
 *
- * https://fidoalliance.org/specs/common-specs/fido-registry-v2.1-ps-20191217.html#authentication-algorithms
+ * https://fidoalliance.org/specs/common-specs/fido-registry-v2.2-ps-20220523.html#authentication-algorithms
 */
-function algSignToCOSEInfo(algSign: AlgSign): COSEInfo | undefined {
- switch (algSign) {
- case 'secp256r1_ecdsa_sha256_raw':
- case 'secp256r1_ecdsa_sha256_der':
- return { kty: 2, alg: -7, crv: 1 };
- case 'rsassa_pss_sha256_raw':
- case 'rsassa_pss_sha256_der':
- return { kty: 3, alg: -37 };
- case 'secp256k1_ecdsa_sha256_raw':
- case 'secp256k1_ecdsa_sha256_der':
- return { kty: 2, alg: 7, crv: 8 };
- case 'rsassa_pss_sha384_raw':
- return { kty: 3, alg: -38 };
- case 'rsassa_pkcsv15_sha256_raw':
- return { kty: 3, alg: -257 };
- case 'rsassa_pkcsv15_sha384_raw':
- return { kty: 3, alg: -258 };
- case 'rsassa_pkcsv15_sha512_raw':
- return { kty: 3, alg: -259 };
- case 'rsassa_pkcsv15_sha1_raw':
- return { kty: 3, alg: -65535 };
- case 'secp384r1_ecdsa_sha384_raw':
- return { kty: 2, alg: -35, crv: 2 };
- case 'secp512r1_ecdsa_sha256_raw':
- return { kty: 2, alg: -36, crv: 3 };
- case 'ed25519_eddsa_sha512_raw':
- return { kty: 1, alg: -8, crv: 6 };
- case 'rsa_emsa_pkcs1_sha256_raw':
- case 'rsa_emsa_pkcs1_sha256_der':
- return { kty: 3, alg: -257 };
- // TODO: COSE info wasn't readily available for these, these seem rare...
- // case 'sm2_sm3_raw':
- // return {};
- default:
- return undefined;
- }
-}
+export const algSignToCOSEInfoMap: { [key in AlgSign]: COSEInfo } = {
+ secp256r1_ecdsa_sha256_raw: { kty: 2, alg: -7, crv: 1 },
+ secp256r1_ecdsa_sha256_der: { kty: 2, alg: -7, crv: 1 },
+ rsassa_pss_sha256_raw: { kty: 3, alg: -37 },
+ rsassa_pss_sha256_der: { kty: 3, alg: -37 },
+ secp256k1_ecdsa_sha256_raw: { kty: 2, alg: -47, crv: 8 },
+ secp256k1_ecdsa_sha256_der: { kty: 2, alg: -47, crv: 8 },
+ rsassa_pss_sha384_raw: { kty: 3, alg: -38 },
+ rsassa_pkcsv15_sha256_raw: { kty: 3, alg: -257 },
+ rsassa_pkcsv15_sha384_raw: { kty: 3, alg: -258 },
+ rsassa_pkcsv15_sha512_raw: { kty: 3, alg: -259 },
+ rsassa_pkcsv15_sha1_raw: { kty: 3, alg: -65535 },
+ secp384r1_ecdsa_sha384_raw: { kty: 2, alg: -35, crv: 2 },
+ secp512r1_ecdsa_sha256_raw: { kty: 2, alg: -36, crv: 3 },
+ ed25519_eddsa_sha512_raw: { kty: 1, alg: -8, crv: 6 },
+ rsa_emsa_pkcs1_sha256_raw: { kty: 3, alg: -257 },
+ rsa_emsa_pkcs1_sha256_der: { kty: 3, alg: -257 },
+ // TODO: COSE info wasn't readily available for this, it seems rare...
+ sm2_sm3_raw: { kty: 999, alg: 999, crv: 999 },
+}; |
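Review bot: The `sm2_sm3_raw` entry at the end of the new map fills the required key with the sentinel `{ kty: 999, alg: 999, crv: 999 }`, which the call site then adds to `keypairCOSEAlgs` as if it were a real COSE algorithm, whereas the removed `default: return undefined` branch kept SM2 out of the set. As far as the IANA COSE registry goes no key type, algorithm or curve uses 999, so the sentinel should never match a real credential, but a magic value that masquerades as valid data is harder to audit than an explicit absence and could collide with a comparison that looks at only one of the three fields. Type the map as `{ [key in AlgSign]: COSEInfo | undefined }` and write `sm2_sm3_raw: undefined, // no COSE registration found for SM2/SM3`, so the existing `if (algSignCOSEINFO)` guard at the call site handles it and the TODO documents why. The change to `alg: -47` for the two secp256k1 entries matches the COSE ES256K registration and corrects the previous positive value.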