authorMatthew Miller <matthew@millerti.me>2020-07-31 18:03:40 -0700
committerGitHub <noreply@github.com>2020-07-31 18:03:40 -0700
commit35d2dc908662610f8e79c3b748ec1cb55149553b (patch)
treede57845106464e3d85156f45f6666d705a6f9420
parent34935e25bb3b2c25d005c653670b9c517ff8b050 (diff)
parent6d5c72e0148825f3ab35b8de9cac39c9cd8db47f (diff)
Merge pull request #43 from MasterKale/bugfix/custom-atte-option-algos
bugfix/custom-atte-option-algos
-rw-r--r--packages/server/src/attestation/generateAttestationOptions.test.ts16
-rw-r--r--packages/server/src/attestation/generateAttestationOptions.ts21
-rw-r--r--packages/server/src/attestation/verifications/tpm/verifyTPM.ts4
3 files changed, 30 insertions, 11 deletions
diff --git a/packages/server/src/attestation/generateAttestationOptions.test.ts b/packages/server/src/attestation/generateAttestationOptions.test.ts
index 6c95ad2..6c31856 100644
--- a/packages/server/src/attestation/generateAttestationOptions.test.ts
+++ b/packages/server/src/attestation/generateAttestationOptions.test.ts
@@ -140,3 +140,19 @@ test('should generate a challenge if one is not provided', () => {
// base64url-encoded 16-byte buffer from mocked `generateChallenge()`
expect(options.challenge).toEqual('AQIDBAUGBwgJCgsMDQ4PEA');
});
+
+test('should use custom supported algorithm IDs as-is when provided', () => {
+ const options = generateAttestationOptions({
+ rpID: 'not.real',
+ serviceName: 'SimpleWebAuthn',
+ userID: '1234',
+ userName: 'usernameHere',
+ supportedAlgorithmIDs: [-7, -8, -65535],
+ });
+
+ expect(options.pubKeyCredParams).toEqual([
+ { alg: -7, type: 'public-key' },
+ { alg: -8, type: 'public-key' },
+ { alg: -65535, type: 'public-key' },
+ ]);
+});
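Review bot: The new test pins that a caller-supplied list is passed through unfiltered, but nothing in this hunk checks the default path still omits -65535 now that the filter has moved into `defaultSupportedAlgorithmIDs`. Unless an earlier test in this file already covers it, a companion test that calls `generateAttestationOptions` without `supportedAlgorithmIDs` and asserts `expect(options.pubKeyCredParams.map(p => p.alg)).not.toContain(-65535);` would guard the behavior this PR relocates. As written, a future edit that drops the `.filter` from the default list would pass every test in this hunk.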
diff --git a/packages/server/src/attestation/generateAttestationOptions.ts b/packages/server/src/attestation/generateAttestationOptions.ts
index 772a658..f2d41f2 100644
--- a/packages/server/src/attestation/generateAttestationOptions.ts
+++ b/packages/server/src/attestation/generateAttestationOptions.ts
@@ -51,6 +51,12 @@ export const supportedCOSEAlgorithmIdentifiers: COSEAlgorithmIdentifier[] = [
];
/**
+ * Filter out known bad/deprecated/etc... algorithm ID's so they're not used for new attestations.
+ * See https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+ */
+const defaultSupportedAlgorithmIDs = supportedCOSEAlgorithmIdentifiers.filter(id => id !== -65535);
+
+/**
* Prepare a value to pass into navigator.credentials.create(...) for authenticator "registration"
*
* **Options:**
@@ -88,19 +94,16 @@ export default function generateAttestationOptions(
suggestedTransports = ['usb', 'ble', 'nfc', 'internal'],
authenticatorSelection,
extensions,
- supportedAlgorithmIDs = supportedCOSEAlgorithmIdentifiers,
+ supportedAlgorithmIDs = defaultSupportedAlgorithmIDs,
} = options;
/**
- * Filter out known bad/deprecated/etc... algorithm ID's before preparing pubKeyCredParams
- * from the array of algorithm ID's
+ * Prepare pubKeyCredParams from the array of algorithm ID's
*/
- const pubKeyCredParams: PublicKeyCredentialParameters[] = supportedAlgorithmIDs
- .filter(id => id !== -65535)
- .map(id => ({
- alg: id,
- type: 'public-key',
- }));
+ const pubKeyCredParams: PublicKeyCredentialParameters[] = supportedAlgorithmIDs.map(id => ({
+ alg: id,
+ type: 'public-key',
+ }));
return {
challenge: base64url.encode(challenge),
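Review bot: `supportedAlgorithmIDs` supplied by the caller now reaches `pubKeyCredParams` with no validation, so an empty array yields an empty `pubKeyCredParams`, and an identifier the server's verification code may not support is accepted here and only surfaces as a failure at attestation verification time. A minimal guard before the `.map` covers the first case: `if (supportedAlgorithmIDs.length === 0) { throw new Error('supportedAlgorithmIDs must contain at least one COSE algorithm identifier'); }`. The comment rewritten at the `Prepare pubKeyCredParams` line should also state that caller-supplied IDs are intentionally not filtered, so the -65535 exclusion applies only to the default list, and the comment introduced with `defaultSupportedAlgorithmIDs` in the earlier hunk would be clearer naming what it drops — -65535 is COSE `RS1` (RSASSA-PKCS1-v1_5 with SHA-1) — rather than "known bad/deprecated/etc...". `generateAttestationOptions` starts before and continues after this hunk.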
diff --git a/packages/server/src/attestation/verifications/tpm/verifyTPM.ts b/packages/server/src/attestation/verifications/tpm/verifyTPM.ts
index 2a4b46f..70366aa 100644
--- a/packages/server/src/attestation/verifications/tpm/verifyTPM.ts
+++ b/packages/server/src/attestation/verifications/tpm/verifyTPM.ts
@@ -220,9 +220,9 @@ export default async function verifyTPM(options: Options): Promise<boolean> {
let extKeyUsage: ExtendedKeyUsage | undefined;
parsedCert.tbsCertificate.extensions.forEach(ext => {
if (ext.extnID === id_ce_subjectAltName) {
- subjectAltNamePresent = AsnParser.parse(ext.extnValue.slice(0), SubjectAlternativeName);
+ subjectAltNamePresent = AsnParser.parse(ext.extnValue, SubjectAlternativeName);
} else if (ext.extnID === id_ce_extKeyUsage) {
- extKeyUsage = AsnParser.parse(ext.extnValue.slice(0), ExtendedKeyUsage);
+ extKeyUsage = AsnParser.parse(ext.extnValue, ExtendedKeyUsage);
}
});